CN112084527A

CN112084527A - Data storage and acquisition method, device, equipment and medium

Info

Publication number: CN112084527A
Application number: CN202010830460.2A
Authority: CN
Inventors: 丁林润; 李春欢; 孟宏文; 陆东东; 胡新松; 于耀
Original assignee: China Unionpay Co Ltd
Current assignee: China Unionpay Co Ltd
Priority date: 2020-08-18
Filing date: 2020-08-18
Publication date: 2020-12-15
Anticipated expiration: 2040-08-18
Also published as: CN112084527B

Abstract

The invention discloses a data storage and acquisition method, device, equipment and medium. The data storage method comprises the following steps: acquiring a target data item identifier corresponding to target user data and a target authentication mode corresponding to the target data item identifier; generating a target certificate according to the target data item identification and the target authentication mode; in the block chain account book, inquiring a target storage space corresponding to a target identity; and storing the target certificate in the target storage space. According to the embodiment of the invention, the user data can be disclosed to a limited extent based on the preset authentication mode, so that the disclosure of the user privacy is avoided.

Description

Data storage and acquisition method, device, equipment and medium

Technical Field

The invention belongs to the technical field of block chains, and particularly relates to a data storage and acquisition method, device, equipment and medium.

Background

Currently, when a user transacts services on a service platform such as an Application (App) or a website, the user needs to register an account on the service platform first and then transact the services.

When a user registers an account on a service platform, the service platform generally requires the user to set an account password and fill in user data such as identity information of the user. After the service platform obtains the account password and the user data set by the user, the service platform usually stores the user data in the platform server. Once the account name and the password of the service platform are revealed, user data in the platform server can be revealed, and then user privacy is revealed, which causes troubles to users.

Disclosure of Invention

Embodiments of the present invention provide a data storage and acquisition method, apparatus, device, and medium, which can disclose user data to a limited extent based on a preset authentication manner, thereby avoiding disclosure of user privacy.

In a first aspect, an embodiment of the present invention provides a data storage method, including:

acquiring a target data item identifier corresponding to target user data and a target authentication mode corresponding to the target data item identifier;

generating a target certificate according to the target data item identification and the target authentication mode;

in the block chain account book, inquiring a target storage space corresponding to a target identity;

and storing the target certificate in the target storage space.

In a second aspect, an embodiment of the present invention provides a data acquisition method, including:

in the block chain account book, inquiring a target storage space corresponding to a target identity; wherein, at least one certificate is stored in the target storage space;

in at least one certificate, inquiring a target certificate corresponding to the target data item identifier; the target certificate comprises a target data item identifier and a target authentication mode corresponding to the target data item identifier;

acquiring a target authentication mode in the target certificate;

and acquiring target user data corresponding to the target data item identifier according to the target authentication mode.

In a third aspect, an embodiment of the present invention provides a data storage device, including:

the first acquisition module is used for acquiring a target data item identifier corresponding to target user data and a target authentication mode corresponding to the target data item identifier;

the first generation module is used for generating a target certificate according to the target data item identification and the target authentication mode;

the first query module is used for querying a target storage space corresponding to the target identity in the block chain account book;

and the first storage module is used for storing the target certificate into the target storage space.

In a fourth aspect, an embodiment of the present invention provides a data acquisition apparatus, including:

the second query module is used for querying a target storage space corresponding to the target identity in the block chain account book; wherein, at least one certificate is stored in the target storage space;

the third query module is used for querying a target certificate corresponding to the target data item identifier in the at least one certificate; the target certificate comprises a target data item identifier and a target authentication mode corresponding to the target data item identifier;

the second acquisition module is used for acquiring a target authentication mode in the target certificate;

and the third acquisition module is used for acquiring the target user data corresponding to the target data item identifier according to the target authentication mode.

In a fifth aspect, an embodiment of the present invention provides a computing device, including: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements a data storage method as described in the first aspect or a data acquisition method as described in the second aspect.

In a sixth aspect, the present invention provides a computer-readable storage medium, where the computer-readable storage medium stores thereon computer program instructions, and the computer program instructions, when executed by a processor, implement the data storage method according to the first aspect or the data acquisition method according to the second aspect.

According to the data storage and acquisition method, the data storage and acquisition device and the data storage and acquisition medium, after the target data item identification corresponding to the target user data and the target authentication mode corresponding to the target data item identification are acquired, the target certificate is generated according to the target data item identification and the target authentication mode, the target storage space corresponding to the target identity identification is inquired in the block chain book, so that the target certificate is stored in the target storage space, therefore, when the target certificate is uploaded, the authentication mode can be preset for the target user data corresponding to the target data item identification in the target certificate, limited disclosure can be carried out on the target user data by using the preset target authentication mode, and further the leakage of user privacy is avoided.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

FIG. 1 is a block chain system according to an embodiment of the present invention;

FIG. 2 is a block chain system according to another embodiment of the present invention;

FIG. 3 is a flow chart of a data storage method according to an embodiment of the present invention;

FIG. 4 is an interface schematic of a credential provisioning interface provided by one embodiment of the present invention;

FIG. 5 is an interface schematic of an authorization interface provided by one embodiment of the invention;

FIG. 6 is a flow chart illustrating a data acquisition method according to an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of a data storage device according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of a data acquisition device according to an embodiment of the present invention;

fig. 9 is a schematic hardware structure diagram of a computing device according to an embodiment of the present invention.

Detailed Description

Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

In order to solve the above problem, an embodiment of the present invention provides a blockchain system, which can disclose user data between different blockchain nodes to a limited extent, so as to avoid disclosure of user privacy.

Fig. 1 is a schematic structural diagram of a blockchain system according to an embodiment of the present invention.

As shown in fig. 1, the blockchain system includes an issuer server 110 and an acquirer server 120, and the issuer server 110 and the acquirer server 120 may access the blockchain 130 through intelligent contracts, respectively. Wherein the blockchain 130 may be a federation chain.

Issuer server 110 may be a server for data issuers and acquirer server 120 may be a server for data acquirers. The server may be a device having storage and computing functions, such as a cloud server or a server cluster.

The data issuer and the data acquirer can be different APP, website and other service platforms. Optionally, the business platform may include at least one of a financial business platform, a banking business platform, and a card organization business platform.

The data issuer can share user data to the data acquirer in a limited way through the block chain 130, and controllable and limited disclosure of user data dominated by the user is achieved. Optionally, the user data may include user privacy data, and the user privacy data may include at least one of a user mobile phone number, a user mailbox, a user identification number, and a user total. Optionally, the user data may also include other data related to the user, which is not limited herein.

Specifically, the work engineering of the blockchain system shown in fig. 1 is as follows:

the issuer server 110 may generate a credential according to the acquired data item identifier and the authentication method after acquiring the data item identifier corresponding to at least one piece of user data and the authentication method corresponding to each data item identifier, and query a storage space corresponding to the identity identifier of the user to which the user data belongs in the blockchain ledger of the blockchain 130, and then store the credential in the queried storage space.

The acquirer server 120 may query, in the blockchain ledger, a storage space corresponding to an identity of a user to which the user data belongs, where the storage space may store at least one credential, and then query, in the at least one credential, a credential including a data item identifier corresponding to the user data to be acquired and an authentication manner corresponding to the data item identifier, acquire an authentication manner corresponding to the data item identifier in the credential, and further acquire the user data to be acquired according to the authentication manner corresponding to the data item identifier.

Therefore, in the embodiment of the present invention, when uploading the credential, the issuer server 110 may preset an authentication manner for the user data corresponding to the data item identifier in the credential, so that when the acquirer server 120 acquires the user data, the preset authentication manner is used to disclose the user data to a limited extent, and thus not only sharing of the user privacy data between the data issuer and the data acquirer can be performed, but also controllable and limited information disclosure of the user privacy data that is dominant by the user can be achieved, and leakage of the user privacy is avoided.

Fig. 2 is a schematic structural diagram of a blockchain system according to another embodiment of the present invention.

As shown in fig. 2, the blockchain system includes an issuer server 110, an acquirer server 120, and an electronic device 140, and the issuer server 110 and the acquirer server 120 may access the blockchain 130 through intelligent contracts, respectively. Wherein the blockchain 130 may be a federation chain.

It should be noted that the issuer server 110 and the acquirer server 120 shown in fig. 2 are similar to the issuer server 110 and the acquirer server 120 shown in fig. 1, and are not described herein again.

The electronic device 140 may be installed with APP 1 corresponding to the service platform a to which the issuer server 110 belongs and APP 2 corresponding to the service platform B to which the acquirer server 120 belongs, and the electronic device 140 may be in communication connection with the issuer server 110 and the acquirer server 120, respectively.

The user may perform an account login operation or an account registration operation within APP 1 through the electronic device 140, so that the issuer server 110 generates an identification of the user and feeds back the generated identification to the electronic device 140. The electronic device 140 may display the identity of the user in the application interface of APP 1, the user may set an authentication manner corresponding to the user data to be stored in the blockchain 130 in APP 1, the electronic device 140 may receive the authentication manner corresponding to the user data set by the user and the data item identifier corresponding to the user data, and then send the data item identifier and the authentication manner corresponding to the data item identifier to the issuer server 110, so that the issuer server 110 generates a credential by using the data item identifier and the authentication manner, and stores the credential in a storage space corresponding to the identity of the user.

The user may perform an account login operation in APP 2 through the electronic device 140, so that the acquirer server 120 generates an identifier of the user and feeds back the generated identifier to the electronic device 140. Electronic device 140 may display the identity of the user in an application interface of APP 2, the user may input a data item identifier corresponding to the user data to be acquired in APP 2, electronic device 140 may receive the data item identifier input by the user, and then send the identity and the data item identifier to acquirer server 120, so that acquirer server 120 queries, in a storage space corresponding to the identity in the block chain book, an authentication manner corresponding to the data item identifier, and acquires the user data to be acquired according to the authentication manner corresponding to the data item identifier.

In some embodiments, the APPs installed by the electronic devices 140 all have the same Software Development Kit (SDK) located therein. The electronic device 140 may communicate with the issuer server 110 via the SDK within APP 1, in turn, causing the issuer server 110 to access the smart contracts of the blockchain 130 to store the credentials into the queried memory space. Electronic device 140 may communicate with acquirer server 120 through the SDK within APP 2, in turn, causing acquirer server 120 to access the smart contracts of blockchain 130 to obtain credentials from within the memory space.

Fig. 3 is a flowchart illustrating a data storage method according to an embodiment of the present invention.

In some embodiments of the invention, the method shown in fig. 3 may be performed by a data storage node of a blockchain system, for example, the data storage node may be the issuer server 110 shown in fig. 1 and 2.

As shown in fig. 3, the data storage method may include the following steps.

S310, acquiring a target data item identification corresponding to the target user data and a target authentication mode corresponding to the target data item identification.

In the embodiment of the present invention, the target user data may be user data selected by the user for data sharing. The user data may include user privacy data, which may include at least one of a user phone number, a user mailbox, a user identification number, and a user total.

In the embodiment of the present invention, each piece of user data may respectively correspond to one data item identifier, each data item identifier may be used to characterize a data item to which the corresponding piece of user data belongs, and one data item identifier may be a string of character strings. Therefore, the target data item identifier corresponding to the target user data may be a data item identifier corresponding to user data selected by the user for data sharing.

In the embodiment of the invention, each data item needing to be put in the certificate can be set with an authentication mode, and the authentication mode is a protection mode for data. The target authentication mode corresponding to the target data item identifier may be an authentication mode selected by the user for the target user data.

The authentication mode can be any one of public, public after authentication, encrypted storage and zero-knowledge proof.

Specifically, the disclosure means that user data is directly stored in a blockchain account book, and a data acquisition node can directly acquire plaintext user data. The post-authentication disclosure means that user data is stored in the data storage node, and the data acquisition node can acquire plaintext user data from the data storage node after finishing specified authentication. Encrypted save means that the user data is stored in the data storage node, and the data obtaining node may negotiate a key with the data storage node and obtain the encrypted user data from the data storage node. The zero-knowledge proof means that the user data is stored in the data storage node, and the data acquisition node can acquire the profile information of the user data.

It should be noted that the data acquisition node may be the acquirer server 120 shown in fig. 1 and 2.

In some embodiments of the present invention, the data storage node may directly receive a target data item identifier corresponding to target user data sent by the electronic device and a target authentication manner corresponding to the target data item identifier.

In other embodiments of the present invention, before S310, the data storage method may further include:

and receiving a certificate storage request sent by the target electronic equipment.

Accordingly, S310 may specifically include:

responding to the certificate storage request, and analyzing the certificate storage request to obtain certificate storage request information; the credential storage request information comprises a target data item identifier and a target authentication mode.

Specifically, after receiving a credential storage request sent by the target electronic device, the data storage node may parse the credential storage request to obtain a target data item identifier corresponding to the target user data and a target authentication manner corresponding to the target data item identifier.

In some embodiments, the target electronic device may display a credential setting interface, and the user may select the target user data and the target authentication manner corresponding to the target user data in the credential setting interface, so that the electronic device obtains the target data item identifier corresponding to the target user data and the target authentication manner corresponding to the target data item identifier.

FIG. 4 is an interface diagram illustrating a credential provisioning interface provided by one embodiment of the present invention. As shown in fig. 4, the target electronic device may display a credential setting interface of APP 1, where the credential setting interface may include a plurality of data item names 401, a selection control 402 corresponding to each data item name 401, and an authentication mode option 403 corresponding to each data line name 401. The data item name 401 displayed on the credential setting interface is a name corresponding to a data item to which user data stored in a background server of APP 1 belongs, and the background server of APP 1 is a data storage node. Each selection control 402 can be used to control whether the user data corresponding to the corresponding data item name 401 is data-shared, and if the selection control 402 is in an open state, the user data corresponding to the corresponding data item name 401 is data-shared and is used as target user data; if the selection control 402 is in the closed state, the user data corresponding to the corresponding data item name 401 is not shared.

Specifically, the plurality of data item names 401 may include "nickname", "mobile phone number", "mailbox", "identification number", and "total amount of assets", and the authentication method options 403 may include "open", "open after authentication", "encrypted save", and "zero knowledge proof".

The user can select target user data based on the data item names 401 and select a target authentication mode corresponding to the target user data based on the authentication mode options 403 in the credential setting interface, the user can set the selection controls 402 corresponding to the "mobile phone number", "mailbox", "identification number" and "total amount of assets" in the multiple data item names 401 to be in an open state respectively, set the authentication mode option 403 corresponding to the "mobile phone number" to be "open", set the authentication mode option 403 corresponding to the "mailbox" to be "open after authentication", set the authentication mode option 403 corresponding to the "identification number" to be "encrypted for storage", and set the authentication mode option 403 corresponding to the "total amount of assets" to be "zero knowledge proof".

Therefore, the target electronic device may receive the data item identifier corresponding to the data item name 401 and the authentication mode option 403 corresponding to the data item name 401, which are selected by the user, and then use the data item identifier corresponding to the data item name 401 as the target data item identifier, and use the authentication mode option 403 corresponding to the data item name 401 as the target authentication mode corresponding to the target data item identifier.

Therefore, the user can set a protection strategy of the privacy data of the user, controllable and limited information disclosure can be realized on different entities, and the vision that my privacy is dominant is realized.

S320, generating a target certificate according to the target data item identification and the target authentication mode;

in some embodiments of the present invention, the data storage node may first generate a credential version number according to a preset version number generation algorithm and generate a credential serial number according to a preset serial number algorithm, and then generate the target credential according to an issuer identifier of a target data issuer to which the data storage node belongs, the credential version number, the credential serial number, a target data item identifier, and a target authentication manner.

In some embodiments, the target electronic device may directly send the target identity, or may also carry the target identity in the credential storage request, that is, the credential storage request information may also include the target identity.

The data storage node can also generate the target certificate according to the issuer identification, the public key corresponding to the target identity identification, the signature corresponding to the target identity identification, the certificate version number, the certificate serial number, the target data item identification and the target authentication mode.

In other embodiments, when the target authentication mode of the target user data is public, the target electronic device may further directly send the target user data to the data storage node or carry the target user data in the credential storage request, that is, the credential storage request information may further include the target user data. The data storage node can also generate a target certificate according to the issuer identification, the public key corresponding to the target identity identification, the signature corresponding to the target identity identification, the certificate version number, the certificate serial number, the target data item identification, the target user data and the target authentication mode, so as to directly upload the target user data to the block chain account book.

In still other embodiments, in a case that the target authentication manner of the target user data is post-authentication publishing, encrypted saving, and zero-knowledge proof, the data storage node may further generate the target credential according to the issuer identifier, the public key corresponding to the target identity identifier, the signature corresponding to the target identity identifier, the access entry of the data storage node, the credential version number, the credential serial number, the target data item identifier, the target user data, and the target authentication manner, so as to directly upload the access entry of the data storage node to the block chain ledger, thereby enabling the data acquisition node to access the data storage node through the access entry to acquire the target user data.

Therefore, the target user data can be dispersedly stored in the background server to which the credible related entity account belongs, and the personal privacy data of the user is not directly aggregated and stored in one place, so that the leakage of the user privacy can be further avoided.

S330, in the block chain account book, inquiring a target storage space corresponding to the target identity.

In some embodiments of the present invention, the data storage node may use the target identity as the index information, and query, in the block chain ledger, a target storage space corresponding to the target identity.

And S340, storing the target certificate into the target storage space.

In some embodiments of the present invention, the data storage node may store the target credential in the target storage space to associate the target credential with the target identity.

In some embodiments of the present invention, the data storage node may first sign the target credential by using a private key corresponding to the target identity, and then store the target credential in the target storage space.

In some embodiments of the present invention, before S340, the data storage method may further include:

determining a third transaction type corresponding to the target voucher;

and generating third transaction information according to the third transaction type and the target certificate.

Correspondingly, S340 may specifically include:

and initiating consensus on the third transaction information so as to store the third transaction information into the target storage space.

Wherein the third transaction type may be a credential creation type. The data storage node can acquire a target certificate identifier, transaction creation time and transaction creation date corresponding to the target certificate, generate third transaction information according to the certificate creation type, the transaction creation time, the transaction creation date, the target certificate identifier and the target certificate, sign the third transaction information by using a private key corresponding to the target identity identifier, and initiate consensus on the third transaction information to store the third transaction information into the target storage space.

After the consensus on the third transaction information is initiated, each node of the blockchain may first determine whether the data storage node has the authority to store the transaction information corresponding to the credential creation type, and perform the consensus on the third transaction information when it is determined that the data storage node has the authority to store the transaction information corresponding to the credential creation type.

After the target credential is uploaded to the block chain ledger, the user can complete authentication of the target identity on any data acquisition node, and view all stored credentials under the target identity through the data acquisition node.

In the embodiment of the invention, after the target data item identification corresponding to the target user data and the target authentication mode corresponding to the target data item identification are obtained, the target certificate can be generated according to the target data item identification and the target authentication mode, and the target storage space corresponding to the target identity identification is inquired in the block chain book so as to store the target certificate in the target storage space, so that the authentication mode can be preset for the target user data corresponding to the target data item identification in the target certificate when the target certificate is uploaded, the preset target authentication mode is utilized to disclose the target user data in a limited way, and further the leakage of the user privacy can be avoided.

In another embodiment of the present invention, in order to further protect the user privacy, after S340, the data storage method may further include:

acquiring a first data item identifier; the first data item identification is a data item identification corresponding to the first user data, and the first user data is user data authorized to the target data acquirer;

generating target authorization information according to the first data item identifier and the target data acquirer;

and storing the target authorization information into the target storage space.

In some embodiments, the data storage node may obtain a data item identifier corresponding to user data that is selected by a user and that may be authorized to a target data acquirer, that is, the data storage node may obtain a first data item identifier, and then obtain an acquirer identifier corresponding to the target data acquirer, to generate target authorization information according to the first data item identifier and the acquirer identifier corresponding to the target data acquirer, and query, in the blockchain ledger, a target storage space corresponding to the target identity identifier, and then store the target authorization information into the target storage space, so as to notify the target data acquirer of the user data that can be acquired through the first data item identifier in the target authorization information.

In some embodiments of the present invention, before obtaining the first data item identification, the data storage method may further include:

receiving a first acquisition request sent by an acquirer server corresponding to a target data acquirer;

responding to the first acquisition request, and analyzing the first acquisition request to obtain first acquisition request information; the first acquisition request information comprises a target data acquirer;

generating an authorization request according to a target data acquirer;

sending an authorization request to a target electronic device; wherein the authorization request is used for enabling the target electronic equipment to feed back the first data item identification;

the obtaining of the first data item identifier may specifically include:

and receiving the first data item identification fed back by the target electronic equipment.

Specifically, if the data obtaining node is the obtaining server corresponding to the target data obtaining party, the obtaining server sends a first obtaining request for requesting the data storage node to store the target authorization information into the target storage space to the data storage node when the obtaining server obtains the target user information corresponding to the target credential for the first time. The data storage node may analyze the first acquisition request after acquiring the first acquisition request, to obtain first acquisition request information including an acquirer identifier corresponding to the target data acquirer, then generate an authorization request according to the acquirer identifier corresponding to the target data acquirer, and send an authorization request for enabling the target electronic device to feed back the first data item identifier to the target electronic device.

After receiving the authorization request, the target electronic device may display an authorization interface, the user may select first user data authorized to the target data acquirer in the authorization interface, and the electronic device may acquire a first data item identifier corresponding to the first user data.

Fig. 5 is an interface diagram of an authorization interface provided by an embodiment of the invention. As shown in fig. 5, the target electronic device may display an authorization interface of APP 1, and the authorization interface may include a plurality of data item names 501 and an authorization switch control 502 corresponding to each data item name 501. The data item name 501 displayed on the authorization interface is a name corresponding to a data item to which the user data corresponding to the target credential belongs. Each authorization switch control 502 may be configured to control whether user data corresponding to the corresponding data item name 501 is authorized to the target data acquirer, and if the authorization switch control 502 is in an on state, authorize the user data corresponding to the corresponding data item name 501 to the target data acquirer, and use the user data as first user data; if the authorization switch control 502 is in the off state, the user data corresponding to the corresponding data item name 501 is not authorized to the target data acquirer.

With continued reference to fig. 5, the plurality of data item names 501 may include "phone number", "mailbox", "identification number", and "total amount of assets".

The user can select first user data in the authorization interface based on the data item names 501, and the user can set the authorization switch controls 502 corresponding to the "mobile phone number" and the "identity card number" in the plurality of data item names 501 to be in an on state respectively, and set the "mailbox" and the "total amount of assets" in the plurality of data item names 501 to be in an off state respectively.

Therefore, the target electronic device may receive the data item identifier corresponding to the data item name 501 selected by the user, and further use the data item identifier corresponding to the data item name 501 as the first data item identifier.

Therefore, the user can set different authorization authorities of the privacy data of the user to different data acquirers, controllable and limited information disclosure can be realized to different entities, and the vision of my privacy owner is further realized.

In other embodiments, the authorization interface may further display an acquirer name corresponding to the target data acquirer, so that the user can clearly know the authorization object, and the user experience is improved.

In some embodiments of the present invention, before storing the target authorization information into the target storage space, the data storage method may further include:

determining a first transaction type corresponding to the target authorization information;

and generating first transaction information according to the first transaction type and the target authorization information.

Correspondingly, storing the target authorization information into the target storage space may specifically include:

and initiating consensus on the first transaction information so as to store the first transaction information into the target storage space.

Wherein the first transaction type may be a credential authorization type. The data storage node can obtain a target certificate identifier, transaction creation time and transaction creation date corresponding to the target authorization information, generate first transaction information according to the certificate authorization type, the transaction creation time, the transaction creation date, the target certificate identifier and the target authorization information, sign the first transaction information by using a private key corresponding to the target identity identifier, and initiate consensus on the first transaction information so as to store the first transaction information into the target storage space.

After the consensus on the first transaction information is initiated, each node of the blockchain may first determine whether the data storage node has the authority to store the transaction information corresponding to the credential authorization type, and perform the consensus on the first transaction information when it is determined that the data storage node has the authority to store the transaction information corresponding to the credential authorization type.

After the target authorization information is uploaded to the block chain ledger book, the user can finish the authentication of the target identity on any data acquisition node, and check all stored certificates and authorization conditions of different data acquirers under the target identity through the data acquisition node.

In other embodiments of the present invention, after the first transaction information is stored in the target storage space, the user may further change the first user data authorized to the target data acquirer through an authorization interface displayed in the target electronic device, and after the target electronic device receives a new first data item identifier corresponding to the new first user data, the new target authorization information may be generated based on the new first data item identifier and the target data acquirer, and the new target authorization information is stored in the target storage space, so as to modify the authorization right.

In some further embodiments of the present invention, in a case where the user creates the target identity for the first time, before receiving the credential storage request of the target electronic device, the data storage method may further include:

receiving a second acquisition request sent by the target electronic equipment; the second acquisition request is generated according to the target mnemonic character under the condition that the target electronic equipment receives the target mnemonic character and the target authentication information corresponding to the target mnemonic character;

responding to the second acquisition request, and analyzing the second acquisition request to obtain second acquisition request information; wherein the second acquisition request information comprises a target mnemonic character;

generating a target identity corresponding to the target mnemonic character according to the target mnemonic character;

and sending the target identity to the target electronic equipment.

Specifically, the target electronic device may display an account registration interface of the application program corresponding to the data storage node, and the user may input the target mnemonic and the target authentication information corresponding to the target mnemonic in the account registration interface.

Wherein, the target mnemonic can be a favorite string of characters which is easy to remember for the user. Such as birthday, phone number, mailbox, identification number, or favorite name, etc. The target authentication information may be a login password set by the user. The login password can be a password corresponding to any authentication mode. For example, the authentication mode may be fingerprint authentication, and the password may be user fingerprint information. For another example, the authentication method may be password authentication, and the password may be a character string. For another example, the authentication method may be face authentication, and the password may be face information of the user.

After the user inputs the target mnemonic and the target authentication information, the target electronic device may store the target mnemonic and the target authentication information into its secure element, and generate a second acquisition request according to the target mnemonic, and then transmit the second acquisition request to the data storage node.

The data storage node may parse the second acquisition request after acquiring the second acquisition request to obtain a target mnemonic symbol in the second acquisition request information, then generate a target identity corresponding to the target mnemonic symbol according to the target mnemonic symbol, and send the target identity to the target electronic device, so that the target electronic device generates the credential storage request according to the target identity.

In some embodiments of the present invention, generating the target identity corresponding to the target mnemonic according to the target mnemonic may specifically include:

generating a target public key according to the target mnemonic character;

and converting the marked public key into a target identity by using a preset character conversion algorithm.

Specifically, the data storage node may first generate a private key and a public key corresponding to the target mnemonic by using a preset public key generation algorithm, where the private key and the public key are also the private key and the public key corresponding to the target identity, and then convert the public key into the unique target identity according to a preset character conversion algorithm.

Therefore, in the embodiment of the invention, the protection strategy of the private data of the user can be set through an identifier of the aggregated trusted identity certificate, so that the user can register an account everywhere, and even if the same password is set, the private data still realizes controllable protection.

In other embodiments of the present invention, the second obtaining request may further be an obtaining request generated according to the target mnemonic and the identification authentication manner corresponding to the target authentication information, and the second obtaining request information further includes the identification authentication manner corresponding to the target authentication information.

Correspondingly, after generating the target identity identifier corresponding to the target mnemonic according to the target mnemonic, the data storage method may further include:

determining a space entrance of a target storage space corresponding to the target identity;

determining the type of the mnemonic character corresponding to the target mnemonic character;

generating identification creating information according to the type of the mnemonic symbol corresponding to the target mnemonic symbol, the identification authentication mode corresponding to the target authentication information and the space entrance of the target storage space;

and storing the identification creating information into the target storage space.

Specifically, the data storage node may generate identifier creation information according to the type of the mnemonic corresponding to the target mnemonic, the authentication entry corresponding to the identifier authentication mode corresponding to the target authentication information, and the space entry of the target storage space, and store the identifier creation information into the target storage space, so as to store the authentication entry and the space entry of the target storage space corresponding to the target identity identifier on the block chain ledger.

In the embodiment of the invention, because the space entry of the target storage space corresponding to the target identity is stored on the block chain book, the data storage node can find the space entry based on the target identity and then find the target storage space based on the space entry, thereby realizing the index of the target storage space. Since the authentication entry is stored in the blockchain account book, when the data acquisition node acquires data, if the authentication mode is public after authentication, the specified authentication mode for acquiring the user data can be directly determined based on the authentication entry.

In further embodiments of the present invention, before storing the identifier creation information into the target storage space, the data storage method may further include:

determining a second transaction type corresponding to the identification creation information;

and generating second transaction information according to the second transaction type and the identification creating information.

Accordingly, storing the identifier creation information into the target storage space may specifically include:

and initiating consensus on the second transaction information to store the first transaction information into the target storage space.

Wherein the second transaction type may be an identity creation type. The data storage node can acquire transaction creation time and transaction creation date, generate second transaction information according to the identifier creation type, the transaction creation time, the transaction creation date and the identifier creation information, sign the second transaction information by using a private key corresponding to the target identity identifier, and initiate consensus on the second transaction information to store the second transaction information into the target storage space.

After the consensus on the second transaction information is initiated, each node of the blockchain may first determine whether the data storage node has the authority to store the transaction information corresponding to the identifier creation type, and perform the consensus on the first transaction information in case that the data storage node is determined to have the authority to store the transaction information corresponding to the identifier creation type.

After the identifier creation information is uploaded to the block chain ledger book, the user can complete authentication of the target identity identifier on any data acquisition node, and view the identifier creation information through the data acquisition node.

In some further embodiments of the present invention, in a case where the user has created the target identity, before receiving the credential storage request of the target electronic device, the data storage method may further include:

receiving a third acquisition request sent by the target electronic equipment; the third obtaining request is an obtaining request generated by the target electronic equipment according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character;

responding to the third acquisition request, and analyzing the third acquisition request to obtain third acquisition request information; wherein the third acquisition request information comprises a target mnemonic character;

and sending the target identity to the target electronic equipment.

Specifically, the target electronic device may display an account login interface of the application program corresponding to the data storage node, and the user may input the target mnemonic and the target verification information corresponding to the target mnemonic in the account login interface.

The target authentication information may be an authentication password input by the user. The verification password can be a password corresponding to any verification mode. The verification mode corresponding to the target verification information is the same as the verification mode corresponding to the target authentication information.

After the user inputs the target mnemonic character and the target verification information, the target electronic device may compare the target verification information with the target authentication information corresponding to the target mnemonic character stored in the secure element of the target electronic device, and generate a third acquisition request according to the target mnemonic character under the condition that it is determined that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character, and then send the third acquisition request to the data storage node.

The data storage node may parse the third acquisition request after acquiring the third acquisition request to obtain a target mnemonic character in the third acquisition request information, then generate a target identity corresponding to the target mnemonic character according to the target mnemonic character, and send the target identity to the target electronic device, so that the target electronic device generates the credential storage request according to the target identity.

It should be noted that, the method for generating the target identity identifier corresponding to the target mnemonic according to the target mnemonic has been described above, and is not described herein again.

Fig. 6 is a flowchart illustrating a data acquisition method according to an embodiment of the present invention.

In some embodiments of the present invention, the method shown in fig. 6 may be performed by a data acquisition node of a blockchain system, for example, the data acquisition node may be the acquirer server 120 shown in fig. 1 and 2.

As shown in fig. 6, the data acquisition method may include the following steps.

S610, inquiring a target storage space corresponding to a target identity in a block chain account book; wherein at least one credential is stored in the target storage space.

In the embodiment of the present invention, the data obtaining node may use the target identity as the index information, and query the target storage space corresponding to the target identity in the block chain ledger.

In the embodiment of the present invention, at least one credential may be stored in the target storage space, and each credential may include at least one data item identifier and an authentication manner corresponding to each data item identifier.

In some embodiments of the present invention, before S610, the data obtaining node may directly receive the target identity and the target data item identity sent by the electronic device.

In this embodiment of the present invention, before S610, the data storage method may further include:

and receiving a fourth acquisition request sent by the target electronic equipment.

Responding to the fourth acquisition request, and analyzing the fourth acquisition request to obtain fourth acquisition request information; wherein the fourth obtaining request information comprises the target identity and the target data item identifier.

Specifically, after receiving a fourth acquisition request sent by the target electronic device, the data acquisition node may parse the fourth acquisition request to obtain a target identity and a target data item identifier in the fourth acquisition request.

In the embodiment of the present invention, the target data item identifier may be a data item identifier corresponding to the target user data. The target user data may be user data selected by the user for data sharing, and at this time, the target data item identifier may be a data item identifier corresponding to the user data selected by the user for data sharing.

S620, in at least one certificate, inquiring a target certificate corresponding to the target data item identification.

The target certificate comprises a target data item identification and a target authentication mode corresponding to the target data item identification.

Specifically, the data obtaining node may traverse the content of each credential, and then query, in at least one credential, a target credential including a target data item identifier, where the target credential may store the target data item identifier and a target authentication manner corresponding to the target data item identifier.

S630, obtaining the target authentication mode in the target certificate.

In the embodiment of the present invention, after querying the target credential, the data obtaining node may read the target authentication manner corresponding to the target data item identifier from the content of the target credential.

And S640, acquiring target user data corresponding to the target data item identifier according to the target authentication mode.

In the embodiment of the present invention, the data obtaining node may obtain the target user data corresponding to the target data item identifier based on the authentication processes corresponding to different authentication manners.

When the target authentication mode is public, the data acquisition node may directly read the target user data corresponding to the target data item identifier in the content of the target credential.

When the target authentication mode is public after authentication, the data acquisition node may read an authentication entry in the content of the target credential, and send the authentication entry to the target electronic device, so that the target electronic device displays an authentication interface corresponding to the authentication mode to which the authentication entry belongs, the user may input target verification information corresponding to the target identity in the authentication interface for authentication, after confirming that the user authentication is passed, the target electronic device may feed back authentication passing information to the data acquisition node, the data acquisition node may acquire an access entry of the data storage node corresponding to the target credential, and then send a sixth acquisition request to the data storage node according to the access entry of the data storage node, so that the data storage node feeds back target user data in response to the sixth acquisition request.

When the target authentication mode is public after authentication, the data obtaining node may read an access entry of the data storage node corresponding to the target credential from the content of the target credential, and send a seventh obtaining request to the data storage node according to the access entry of the data storage node. The data storage node may respond to the seventh acquisition request, analyze the seventh acquisition request, obtain a target identity identifier, a target data item identifier, an access entry of the data acquisition node, a requester public key certificate, a random number, and the like in the seventh acquisition request information, generate a process key according to a preset key agreement mechanism by using the issuer public key certificate, the requester public key certificate, and the random number, encrypt target user data corresponding to the target data item identifier by using the process key, and feed back the encrypted target user data, the issuer public key certificate, and the random number to the data acquisition node according to the access entry of the data acquisition node. The data acquisition node may obtain the original target user data by using the requester public key certificate, the issuer public key certificate, and the random number production process key according to the preset key agreement mechanism after receiving the encrypted target user data, and by using the process key to encrypt the encrypted target user data.

Under the condition that the target authentication mode is zero knowledge proof, the data acquisition node can read the access entry of the data storage node corresponding to the target certificate in the content of the target certificate and perform zero knowledge proof interaction with the data storage node according to the access entry of the data storage node, so that the data storage node feeds back the profile information of the target user data corresponding to the target data item identifier.

In some embodiments of the present invention, after S640, the data acquiring method may further include:

and sending the target user data to the target electronic equipment so as to enable the target electronic equipment to display the target user data.

In the embodiment of the invention, a target storage space corresponding to a target identity identifier can be inquired in a block chain account book, and in at least one credential stored in the target storage space, a target credential including a target data item identifier and a target authentication mode corresponding to the target data item identifier is inquired, and a target authentication mode in the target credential is acquired, and further target user data corresponding to the target data item identifier is acquired according to the target authentication mode.

In another embodiment of the present invention, in order to further protect the privacy of the user, a plurality of authorization information may be stored in the target storage space.

Before S640, the data acquiring method may further include:

inquiring target authorization information corresponding to a target data acquirer in the plurality of authorization information; the target authorization information comprises a first data item identifier, the first data item identifier is a data item identifier corresponding to first user data, and the first user data is user data which is authorized to a target data acquirer by a target data issuer corresponding to a target certificate;

a first data item identifier in the target authorization information is obtained.

Accordingly, S640 may specifically include:

and under the condition that the target data item identification exists in the first data item identification, acquiring the target user data according to the target authentication mode.

In some embodiments, first, the data acquisition node may acquire, within the target storage space, target authorization information stored in association with an acquirer identifier of the target data acquirer and a credential identifier of the target credential, and acquire a first data item identifier in the target authorization information. Since the first data item identifier is the data item identifier corresponding to the user data authorized by the target data issuer corresponding to the target credential to the target data acquirer, the data acquisition node may determine the user data having the acquisition right based on the first data item identifier. Then, the data obtaining node may determine whether the target data item identifier exists in the first data item identifier, and if the target data item identifier exists in the first data item identifier, the data obtaining node may obtain the target user data according to the target authentication manner.

Therefore, in the embodiment of the invention, the data acquisition permission of the data acquisition node can be further limited based on the authorization information, so as to further protect the privacy of the user.

In other embodiments of the present invention, the target credential may further include an access portal of the target data issuer.

Accordingly, in a case where the data acquisition node acquires the target credential for the first time, before querying, among the plurality of authorization information, target authorization information associated with the target data acquirer, the data acquisition method may further include:

acquiring a target data issuer in the target certificate;

sending a first acquisition request to an issuer server corresponding to a target data issuer; the first acquisition request is used for requesting the storage of the target authorization information in the target storage space.

Specifically, the data obtaining node may obtain an access entry of a target data issuer in the target credential when the data obtaining node obtains the target credential for the first time, and then send a first obtaining request for requesting to store the target authorization information into the target storage space to an issuer server corresponding to the target data issuer according to the access entry of the target data issuer, so that the issuer server realizes uploading of the target authorization information.

In another implementation manner of the present invention, before receiving the fourth obtaining request sent by the target electronic device, the data obtaining method may further include:

receiving a fifth acquisition request sent by the target electronic equipment; the fifth obtaining request is an obtaining request generated by the target electronic equipment according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character;

responding to the fifth acquisition request, and analyzing the fifth acquisition request to obtain fifth acquisition request information; wherein the fifth acquisition request information comprises a target mnemonic character;

and sending the target identity to the target electronic equipment.

Specifically, the target electronic device may display an account login interface of the application program corresponding to the data obtaining node, and the user may input the target mnemonic symbol and the target verification information corresponding to the target mnemonic symbol in the account login interface.

After the user inputs the target mnemonic character and the target verification information, the target electronic device may compare the target verification information with the target authentication information corresponding to the target mnemonic character stored in the secure element of the target electronic device, and generate a fifth acquisition request according to the target mnemonic character under the condition that it is determined that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character, and then send the fifth acquisition request to the data acquisition node.

The data obtaining node may analyze the fifth obtaining request after obtaining the fifth obtaining request, to obtain a target mnemonic character in the fifth obtaining request information, then generate a target identity corresponding to the target mnemonic character according to the target mnemonic character, and send the target identity to the target electronic device, so that the target electronic device generates a fourth obtaining request according to the target identity.

generating a target public key according to the target mnemonic character;

and converting the target public key into the target identity by using a preset character conversion algorithm.

In another implementation manner of the present invention, to further protect the privacy of the user, before S610, the data obtaining method may further include:

in the block chain account book, inquiring a target data item list corresponding to a target data acquirer; the target data item list comprises a second data item identifier, the second data item identifier is a data item identifier corresponding to second user data, and the second user data is user data meeting the data acquisition requirement of a target data acquirer.

Accordingly, S610 may specifically include:

in the case that the target data item identification exists within the second data item identification, the target storage space is queried in the blockchain ledger.

Wherein, the data acquisition requirement can be determined according to the degree or degree of accessible user privacy data defined by the authorized institution. After the authority defines the level or degree of the accessible user privacy data of the target data acquirer, the accessible user data item of the target data acquirer can be determined, the data item identifier corresponding to the accessible user data item is used as a second data item identifier, a target data item list is generated according to the second data item identifier, and the target data item list is uploaded to the block chain ledger.

Specifically, the data acquisition node may first query, in the blockchain ledger, a target data item list corresponding to an acquirer identifier of the target data acquirer, and determine whether the target data item identifier exists in a second data item identifier in the target data item list, and if the target data item identifier exists in the second data item identifier, query, in the blockchain ledger, a target storage space, and acquire, based on at least one credential in the target storage space, target user data corresponding to the target data item identifier.

Therefore, in the embodiment of the invention, the user data available to the data acquisition node can be further limited by using the data acquisition requirement, so that the privacy of the user is further protected.

In summary, in the embodiment of the present invention, sharing of the personal privacy data of the user may be performed between different nodes of the blockchain, so as to implement controllable and limited information disclosure of the personal privacy data dominated by the user.

Fig. 7 is a schematic structural diagram of a data storage device according to an embodiment of the present invention.

In some embodiments of the present invention, the apparatus shown in fig. 7 may be a data storage node of a blockchain system, for example, the data storage node may be the issuer server 110 shown in fig. 1 and 2.

As shown in fig. 7, the data storage device 700 may include a first acquisition module 710, a first generation module 720, a first query module 730, and a first storage module 740.

The first obtaining module 710 may be configured to obtain a target data item identifier corresponding to the target user data and a target authentication manner corresponding to the target data item identifier.

The first generating module 720 may be configured to generate the target credential according to the target data item identification and the target authentication manner.

The first query module 730 may be configured to query the target storage space corresponding to the target id in the blockchain ledger.

The first storage module 740 may be used to store the target credential into the target storage space.

In some embodiments of the present invention, the data storage device 700 may further include a fourth obtaining module, a second generating module, and a second storing module.

The fourth obtaining module may be configured to obtain the first data item identifier; the first data item identification is the data item identification corresponding to the first user data, and the first user data is the user data authorized to the target data acquirer.

The second generating module may be configured to generate the target authorization information according to the first data item identifier and the target data acquirer.

The second storage module may be configured to store the target authorization information in the target storage space.

In some embodiments of the present invention, the data storage device 700 may further include a first receiving module, a first parsing module, a third generating module, and a first sending module.

The first receiving module may be configured to receive a first obtaining request sent by a obtaining server corresponding to a target data obtaining party.

The first analysis module may be configured to respond to the first acquisition request, and analyze the first acquisition request to obtain first acquisition request information; the first obtaining request information comprises a target data obtaining party.

The third generating module may be configured to generate the authorization request based on the target data acquirer.

The first sending module may be configured to send an authorization request to the target electronic device; wherein the authorization request is used for the target electronic device to feed back the first data item identification.

Correspondingly, the fourth obtaining module may be specifically configured to receive the first data item identifier fed back by the target electronic device.

In some embodiments of the present invention, the data storage device 700 may further include a first determining module and a fourth generating module.

The first determining module may be configured to determine a first transaction type corresponding to the target authorization information.

The fourth generating module may be configured to generate the first transaction information according to the first transaction type and the target authorization information.

Correspondingly, the second storage module may be specifically configured to initiate consensus on the first transaction information, so as to store the first transaction information into the target storage space.

In some embodiments of the present invention, the data storage device 700 may further include a second receiving module. The second receiving module may be configured to receive a credential storage request sent by the target electronic device.

Correspondingly, the first obtaining module 710 may be specifically configured to respond to the credential storage request, and parse the credential storage request to obtain credential storage request information; the credential storage request information comprises a target data item identifier and a target authentication mode.

In some embodiments of the present invention, the data storage device 700 may further include a third receiving module, a second parsing module, a fifth generating module, and a second sending module.

The third receiving module may be configured to receive a second obtaining request sent by the target electronic device; the second obtaining request is an obtaining request generated by the target electronic equipment according to the target mnemonic character under the condition that the target electronic equipment receives the target mnemonic character and the target authentication information corresponding to the target mnemonic character.

The second analysis module may be configured to respond to the second acquisition request, and analyze the second acquisition request to obtain second acquisition request information; wherein the second acquisition request information comprises a target mnemonic.

The fifth generating module may be configured to generate a target identity corresponding to the target mnemonic according to the target mnemonic.

The second sending module may be configured to send the target identity to the target electronic device.

In some embodiments of the present invention, the second obtaining request may further be an obtaining request generated according to the target mnemonic and an identification authentication manner corresponding to the target authentication information, and the second obtaining request information may further include the identification authentication manner corresponding to the target authentication information.

In some embodiments of the present invention, the data storage device 700 may further include a second determination module, a third determination module, a sixth generation module, and a third storage module.

The second determination module may be configured to determine a space entry of the target storage space corresponding to the target identity.

The third determination module may be configured to determine a type of mnemonic corresponding to the target mnemonic.

The sixth generating module may be configured to generate the identifier creating information according to the type of the mnemonic corresponding to the target mnemonic, the identifier authentication method corresponding to the target authentication information, and the space entry of the target storage space.

The third storage module may be configured to store the identification creation information in the target storage space.

In some embodiments of the present invention, the data storage device 700 may further include a fourth determination module and a seventh generation module.

The fourth determination module may be configured to determine a second transaction type corresponding to the identification creation information.

The seventh generating module may be to generate the second transaction information according to the second transaction type and the identification creation information.

Correspondingly, the third storage module may be specifically configured to initiate consensus on the second transaction information, so as to store the first transaction information into the target storage space.

In some embodiments of the present invention, the data storage device 700 may further include a fourth receiving module, a third parsing module, an eighth generating module, and a third sending module.

The fourth receiving module may be configured to receive a third obtaining request sent by the target electronic device; the third obtaining request is an obtaining request generated by the target electronic device according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character.

The third analysis module may be configured to respond to the third acquisition request, and analyze the third acquisition request to obtain third acquisition request information; wherein the third acquisition request information comprises a target mnemonic.

The eighth generating module may be configured to generate a target identity corresponding to the target mnemonic according to the target mnemonic.

The third sending module may be configured to send the target identity to the target electronic device.

In some embodiments of the present invention, the fifth generating module and the eighth generating module may be specifically configured to: generating a target public key according to the target mnemonic character; and converting the target public key into the target identity by using a preset character conversion algorithm.

In some embodiments of the present invention, the data storage device 700 may further include a fifth determining module and a ninth generating module.

The fifth determining module may be configured to determine a third transaction type corresponding to the target credential.

The ninth generating module may be to generate third transaction information based on the third transaction type and the target credential.

Accordingly, the first storage module 740 may be specifically configured to initiate consensus on the third transaction information, so as to store the third transaction information into the target storage space.

It should be noted that the data storage device 700 shown in fig. 7 may execute each step in the method embodiment shown in fig. 3, and implement each process and effect in the method embodiment shown in fig. 3, which is not described herein again.

Fig. 8 is a schematic structural diagram of a data acquisition apparatus according to an embodiment of the present invention.

In some embodiments of the present invention, the apparatus shown in fig. 8 may be a data acquisition node of a blockchain system, for example, the data acquisition node may be the acquirer server 120 shown in fig. 1 and 2.

As shown in fig. 8, the data acquisition apparatus 800 may include a second query module 810, a third query module 820, a second acquisition module 830, and a third acquisition module 840.

The second query module 810 may be configured to query, in the blockchain ledger, a target storage space corresponding to the target identity; wherein at least one credential is stored in the target storage space.

The third query module 820 may be configured to query the at least one credential for the target data item to identify the corresponding target credential; the target certificate comprises a target data item identification and a target authentication mode corresponding to the target data item identification.

The second obtaining module 830 may be configured to obtain a target authentication manner in the target credential.

The third obtaining module 840 may be configured to obtain the target user data corresponding to the target data item identifier according to the target authentication manner.

In some embodiments of the present invention, a plurality of authorization information may be further stored in the target storage space;

accordingly, the data acquisition apparatus 800 may further include a fourth query module and a fifth acquisition module.

The fourth query module may be configured to query, among the multiple authorization information, target authorization information corresponding to the target data acquirer; the target authorization information comprises a first data item identifier, the first data item identifier is a data item identifier corresponding to first user data, and the first user data is user data authorized to a target data acquirer by a target data issuer corresponding to the target certificate.

The fifth obtaining module may be configured to obtain the first data item identifier in the target authorization information.

Accordingly, the third obtaining module 840 may be specifically configured to obtain the target user data according to the target authentication manner when the target data item identifier exists in the first data item identifier.

In some embodiments of the invention, the target credential may also include a target data issuer.

Accordingly, the data acquiring apparatus 800 may further include a sixth acquiring module and a fourth sending module.

The sixth obtaining module may be configured to obtain the target data issuer in the target credential.

The fourth sending module may be configured to send the first obtaining request to an issuer server corresponding to the target data issuer; the first acquisition request is used for requesting the storage of the target authorization information in the target storage space.

In some embodiments of the present invention, the data obtaining apparatus 800 may further include a fifth receiving module and a fourth parsing module.

The fifth receiving module may be configured to receive a fourth obtaining request sent by the target electronic device.

The fourth analyzing module may be configured to respond to the fourth obtaining request, and analyze the fourth obtaining request to obtain fourth obtaining request information; wherein the fourth obtaining request information comprises the target identity and the target data item identifier.

Accordingly, the data obtaining apparatus 800 may further include a fifth sending module, and the fifth sending module may be configured to send the target user data to the target electronic device.

In some embodiments of the present invention, the data obtaining apparatus 800 may further include a sixth receiving module, a fifth parsing module, a tenth generating module, and a sixth sending module.

The sixth receiving module may be configured to receive a fifth obtaining request sent by the target electronic device; the fifth obtaining request is an obtaining request generated by the target electronic device according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character.

The fifth analyzing module may be configured to respond to the fifth obtaining request, and analyze the fifth obtaining request to obtain fifth obtaining request information; wherein the fifth acquisition request information includes a target mnemonic.

The tenth generating module may be configured to generate a target identity corresponding to the target mnemonic according to the target mnemonic.

The sixth sending module may be configured to send the target identity to the target electronic device.

In some embodiments of the present invention, the tenth generating module may be specifically configured to: generating a target public key according to the target mnemonic character; and converting the target public key into the target identity by using a preset character conversion algorithm.

In some embodiments of the present invention, the data obtaining apparatus 800 may further include a fifth query module, where the fifth query module may be configured to query, in the blockchain ledger, a target data item list corresponding to the target data acquirer; the target data item list comprises a second data item identifier, the second data item identifier is a data item identifier corresponding to second user data, and the second user data is user data meeting the data acquisition requirement of a target data acquirer.

Accordingly, the third query module 820 may be specifically configured to query the target storage space in the blockchain ledger if the target data item identification exists within the second data item identification.

It should be noted that the data obtaining apparatus 800 shown in fig. 8 may perform each step in the method embodiment shown in fig. 7, and implement each process and effect in the method embodiment shown in fig. 7, which is not described herein again.

Fig. 9 is a schematic diagram illustrating a hardware structure of a computing device according to an embodiment of the present invention.

The computing device may include a processor 901 and a memory 902 that stores computer program instructions.

Specifically, the processor 1001 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing an embodiment of the present invention.

Memory 902 may include mass storage for data or instructions. By way of example, and not limitation, memory 902 may include a Hard Disk Drive (HDD), floppy Disk Drive, flash memory, optical Disk, magneto-optical Disk, tape, or Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 902 may include removable or non-removable (or fixed) media, where appropriate. The memory 902 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 902 is a non-volatile solid-state memory. In a particular embodiment, the memory 902 includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory or a combination of two or more of these.

The processor 901 realizes any one of the data storage method and the data acquisition method in the above embodiments by reading and executing computer program instructions stored in the memory 902.

In one example, the computing device can also include a communication interface 903 and a bus 910. As shown in fig. 9, the processor 901, the memory 902, and the communication interface 903 are connected via a bus 910 to complete communication with each other.

The communication interface 903 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.

The bus 910 includes hardware, software, or both to couple the components of the computing device to one another. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hypertransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an infiniband interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus or a combination of two or more of these. Bus 910 can include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.

The computing device may execute the data storage method in the embodiments of the present invention, thereby implementing the data storage method and apparatus described in conjunction with fig. 3 and 7. The computing device may further execute the data acquisition method in the embodiment of the present invention, so as to implement the data acquisition method and apparatus described in conjunction with fig. 6 and 8.

In addition, in combination with the data storage method and the data acquisition method in the above embodiments, embodiments of the present invention may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the data storage methods and data retrieval methods of the above embodiments.

It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.

The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.

It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.

As described above, only the specific embodiments of the present invention are provided, and it can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.

Claims

1. A method of data storage, comprising:

and storing the target certificate in the target storage space.

2. The method of claim 1, wherein after storing the target credential into the target storage space, the method further comprises:

acquiring a first data item identifier; the first data item identification is a data item identification corresponding to first user data, and the first user data is user data authorized to the target data acquirer;

and storing the target authorization information into the target storage space.

3. The method of claim 2, wherein prior to said obtaining a first data item identification, the method further comprises:

receiving a first acquisition request sent by an acquirer server corresponding to the target data acquirer;

responding to the first acquisition request, and analyzing the first acquisition request to obtain first acquisition request information; wherein the first acquisition request information includes the target data acquirer;

generating an authorization request according to the target data acquirer;

sending the authorization request to a target electronic device; wherein the authorization request is used for the target electronic device to feed back the first data item identification;

wherein the obtaining the first data item identifier includes:

receiving the first data item identification fed back by the target electronic equipment.

4. The method of claim 2, wherein prior to storing the target authorization information in the target storage space, the method further comprises:

generating first transaction information according to the first transaction type and the target authorization information;

wherein the storing the target authorization information into the target storage space includes:

5. The method of claim 1, wherein before the obtaining of the target data item identifier corresponding to the target user data and the target authentication manner corresponding to the target data item identifier, the method further comprises:

receiving a certificate storage request sent by target electronic equipment;

the acquiring of the target data item identifier corresponding to the target user data and the target authentication mode corresponding to the target data item identifier includes:

responding to the certificate storage request, and analyzing the certificate storage request to obtain certificate storage request information; wherein the credential storage request information includes the target data item identification and the target authentication mode.

6. The method of claim 5, wherein prior to the receiving the credential storage request of the target electronic device, the method further comprises:

receiving a second acquisition request sent by the target electronic equipment; the second obtaining request is an obtaining request generated by the target electronic equipment according to a target mnemonic character under the condition that the target electronic equipment receives the target mnemonic character and target authentication information corresponding to the target mnemonic character;

responding to the second acquisition request, and analyzing the second acquisition request to obtain second acquisition request information; wherein the second acquisition request information comprises the target mnemonic character;

generating the target identity corresponding to the target mnemonic character according to the target mnemonic character;

and sending the target identity to the target electronic equipment.

7. The method according to claim 6, wherein the second acquisition request is an acquisition request generated according to the target mnemonic and an identification authentication manner corresponding to the target authentication information, and the second acquisition request information further includes the identification authentication manner corresponding to the target authentication information;

after the target identity identifier corresponding to the target mnemonic character is generated according to the target mnemonic character, the method includes:

determining a space entrance of the target storage space corresponding to the target identity;

8. The method of claim 7, wherein prior to storing the identity creation information in the target storage space, the method further comprises:

determining a second transaction type corresponding to the identification creating information;

generating second transaction information according to the second transaction type and the identification creating information;

wherein the storing the identifier creation information into the target storage space comprises:

9. The method of claim 5, wherein prior to the receiving the credential storage request of the target electronic device, the method further comprises:

receiving a third acquisition request sent by the target electronic equipment; the third obtaining request is an obtaining request generated by the target electronic device according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character;

responding to the third acquisition request, and analyzing the third acquisition request to obtain third acquisition request information; wherein the third acquisition request information comprises the target mnemonic character;

and sending the target identity to the target electronic equipment.

10. The method according to claim 6 or 9, wherein the generating the target identity corresponding to the target mnemonic according to the target mnemonic comprises:

generating a target public key according to the target mnemonic character;

11. The method of claim 1, wherein prior to storing the target credential within the target storage space, the method further comprises:

determining a third transaction type corresponding to the target voucher;

generating third transaction information according to the third transaction type and the target voucher;

wherein the storing the target credential into the target storage space comprises:

12. A method of data acquisition, comprising:

in the block chain account book, inquiring a target storage space corresponding to a target identity; wherein at least one credential is stored in the target storage space;

in the at least one certificate, inquiring a target certificate corresponding to the target data item identification; the target certificate comprises a target data item identification and a target authentication mode corresponding to the target data item identification;

acquiring the target authentication mode in the target certificate;

13. The method of claim 12, wherein the target storage space further stores therein a plurality of authorization information;

before obtaining the target user data corresponding to the target data item identifier according to the target authentication manner, the method further includes:

inquiring target authorization information corresponding to a target data acquirer in the plurality of authorization information; the target authorization information comprises a first data item identifier, the first data item identifier is a data item identifier corresponding to first user data, and the first user data is user data which is authorized to the target data acquirer by a target data issuer corresponding to the target certificate;

acquiring the first data item identifier in the target authorization information;

the obtaining of the target user data corresponding to the target data item identifier according to the target authentication manner includes:

14. The method of claim 13, wherein the target credential further comprises the target data issuer;

wherein, before querying the target authorization information associated with the target data acquirer in the plurality of authorization information, the method further comprises:

acquiring the target data issuer in the target certificate;

sending a first acquisition request to an issuer server corresponding to the target data issuer; the first obtaining request is used for requesting to store the target authorization information into the target storage space.

15. The method of claim 12, wherein before querying the target storage space corresponding to the target id in the blockchain ledger, the method further comprises:

receiving a fourth acquisition request sent by the target electronic equipment;

responding to the fourth acquisition request, and analyzing the fourth acquisition request to obtain fourth acquisition request information; the fourth acquisition request information comprises a target identity and a target data item identifier;

after obtaining the target user data corresponding to the target data item identifier according to the target authentication manner, the method further includes:

and sending the target user data to the target electronic equipment.

16. The method of claim 15, wherein prior to receiving the fourth acquisition request sent by the target electronic device, the method further comprises:

receiving a fifth acquisition request sent by the target electronic equipment; the fifth obtaining request is an obtaining request generated by the target electronic device according to the target mnemonic character under the condition that the target verification information corresponding to the target mnemonic character is the same as the target authentication information corresponding to the target mnemonic character;

responding to the fifth acquisition request, and analyzing the fifth acquisition request to obtain fifth acquisition request information; wherein the fifth acquisition request information includes the target mnemonic;

and sending the target identity to the target electronic equipment.

17. The method of claim 16, wherein the generating the target identity corresponding to the target mnemonic according to the target mnemonic comprises:

generating a target public key according to the target mnemonic character;

18. The method of claim 12, wherein before querying the target storage space corresponding to the target id in the blockchain ledger, the method further comprises:

in the block chain account book, inquiring a target data item list corresponding to a target data acquirer; the target data item list comprises a second data item identifier, the second data item identifier is a data item identifier corresponding to second user data, and the second user data is user data meeting the data acquisition requirement of a target data acquirer;

wherein, in the block chain account book, querying a target storage space corresponding to the target identity includes:

querying the target storage space in the blockchain ledger if the target data item identification is present within the second data item identification.

19. A data storage device comprising:

20. A data acquisition apparatus comprising:

the second query module is used for querying a target storage space corresponding to the target identity in the block chain account book; wherein at least one credential is stored in the target storage space;

the third query module is used for querying a target certificate corresponding to the target data item identifier in the at least one certificate; the target certificate comprises a target data item identification and a target authentication mode corresponding to the target data item identification;

the second acquisition module is used for acquiring the target authentication mode in the target certificate;

21. A computing device, comprising: a processor and a memory storing computer program instructions;

the processor, when executing the computer program instructions, implements a data storage method as claimed in any one of claims 1-11 or a data acquisition method as claimed in any one of claims 12-18.

22. A computer readable storage medium having computer program instructions stored thereon which, when executed by a processor, implement a data storage method as claimed in any one of claims 1 to 11 or a data acquisition method as claimed in any one of claims 12 to 18.