CN112084536B - Key storage method and device based on blockchain (Google Patents)

Info

Publication number: CN112084536B
Application number: CN202010904192.4A
Authority: CN (China)
Other versions: CN112084536A
Original language: Chinese (zh)
Legal status: Active
Inventors: 黎原, 徐欣, 毛雨萌, 马国斌, 穆瑾
Original and current assignee: Bank of China Ltd

Classifications

    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F2221/2107 File encryption

Abstract

The application provides a blockchain-based key storage method and device, relating to the technical field of blockchains, which can avoid leakage of private keys and thereby ensure the security of encrypted documents. The method comprises the following steps: first, a first key pair comprising a first public key and a second key pair comprising a second public key and a second private key are obtained. The first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization. The first public key and the second public key are stored in a first block, which stores data shared by all organizations including the first organization and the second organization, and the second private key is encrypted with the first public key and stored in a second block, which stores data of the first organization.

Description

Key storage method and device based on blockchain
Technical Field
The present disclosure relates to the field of blockchain technologies, and in particular, to a blockchain-based key storage method and device.
Background
Currently, when paperless office work is implemented in an enterprise or a government department, different keys are used to encrypt different documents when the documents are transmitted or stored, in order to ensure information security.
However, when documents are encrypted in this manner, since every document is encrypted with a different key, the sender must inevitably notify the recipient of the private key over the Internet or a similar channel many times after encrypting documents, before the recipient can decrypt a document for viewing. The private key may be leaked during these repeated transmissions, so the security of the document cannot be ensured.
Disclosure of Invention
The blockchain-based key storage method and device of the present application can avoid leakage of the private key, so that the security of an encrypted document is guaranteed.
To achieve the above purpose, the present application adopts the following technical scheme:
In a first aspect, the present application provides a blockchain-based key storage method: first, a first key pair comprising a first public key and a second key pair comprising a second public key and a second private key are obtained. The first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization. The first public key and the second public key are stored in a first block, which stores data shared by all organizations including the first organization and the second organization, and the second private key is encrypted with the first public key and stored in a second block, which stores data of the first organization.
In this blockchain-based key storage method, the same key pair is acquired for the same organization, so users of the same organization can encrypt documents with the same key pair and do not need to transmit a private key each time they transmit a document. In addition, the private key of the second organization (lower authority level) is stored in the second block, which stores the data of the first organization (higher authority level), so the first organization can decrypt the encrypted files of the second organization by consulting the data stored in the second block, and transmission of private keys between different authority levels is avoided. Because the blockchain itself cannot be tampered with, the second private key stored in the second block and the first and second public keys stored in the first block are protected from tampering. Therefore, the blockchain-based key storage method does not need to transmit private keys over the Internet or similar channels, and leakage of the private key can be avoided. Consequently, when documents are encrypted with the key pairs stored by this blockchain-based key storage method, the security of the encrypted documents can be ensured.
In a second aspect, the present application provides a blockchain-based key storage device, including an acquisition module and a storage module. The acquisition module is used for acquiring the first key pair and the second key pair. The first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization; the first key pair includes a first public key and the second key pair includes a second public key and a second private key. The storage module is used for storing the first public key and the second public key acquired by the acquisition module in the first block, and for storing the second private key acquired by the acquisition module in the second block after it has been encrypted with the first public key. The first block is used for storing data shared by all organizations including the first organization and the second organization, and the second block is used for storing data of the first organization.
In a third aspect, the present application provides a blockchain-based key storage device, including a processor and a memory, where the processor is configured to couple with the memory, read and execute instructions in the memory, to implement the blockchain-based key storage method provided in the first aspect.
Optionally, the blockchain-based key storage device may further include a memory for storing program instructions and data of the device. Further optionally, the device may include a transceiver for transmitting and receiving data, signalling or information (for example, obtaining the first key pair and the second key pair) under the control of the processor of the device.
Alternatively, the blockchain-based key storage device may be a server, or may be part of a server, for example a system-on-chip in a server. The server is configured to support the blockchain-based key storage device in implementing the functions involved in the first aspect, e.g. receiving, transmitting or processing the data and/or information involved in the blockchain-based key storage method described above. The chip system includes a chip and may also include other discrete devices or circuit structures.
In a fourth aspect, the present application provides a computer readable storage medium having instructions stored therein which, when executed by a computer, implement a blockchain-based key storage method as provided in the first aspect.
In a fifth aspect, the present application provides a computer program product comprising computer instructions which, when run on a computer, cause the computer to perform the blockchain-based key storage method of the first aspect.
It should be noted that the above-mentioned computer instructions may be stored in whole or in part on a computer-readable storage medium. The computer readable storage medium may be packaged with the processor of the blockchain-based key storage device or may be packaged separately from the processor of the blockchain-based key storage device, which is not limited in this application.
The description of the second, third, fourth and fifth aspects of the present application may refer to the detailed description of the first aspect; also, the advantageous effects described in the second aspect, the third aspect, the fourth aspect, and the fifth aspect may refer to the advantageous effect analysis of the first aspect, and are not described herein.
In this application, the names of the above-described blockchain-based key storage devices do not constitute limitations on the devices or function modules themselves, which may appear under other names in an actual implementation. Insofar as the function of each device or function module is similar to the present invention, it is within the scope of the claims of the present application and the equivalents thereof.
These and other aspects of the present application will be more readily apparent from the following description.
Drawings
Fig. 1 is a schematic flow chart of a blockchain-based key storage method according to an embodiment of the present application;
Fig. 2 is a flowchart of another blockchain-based key storage method according to an embodiment of the present application;
Fig. 3 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 4 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 5 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 6 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 7 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 8 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 9 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 10 is a tree diagram representing the relationship of the authority levels of the organizations according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a blockchain-based key storage device according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of another blockchain-based key storage device according to an embodiment of the present application.
Detailed Description
The blockchain-based key storage method and device provided by the embodiment of the application are described in detail below with reference to the accompanying drawings.
The term "and/or" herein merely describes an association relationship between associated objects, meaning that three relationships may exist; for example, "A and/or B" may represent: A exists alone, A and B exist together, or B exists alone.
The terms "first" and "second" and the like in the description and in the drawings are used for distinguishing between different objects or for distinguishing between different processes of the same object and not for describing a particular sequential order of objects.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the present application, unless otherwise indicated, the meaning of "a plurality" means two or more.
To address the problems in the prior art, the embodiment of the present application provides a blockchain-based key storage method, which can acquire different key pairs for different organizations and store the key pairs corresponding to the organizations in corresponding blocks of the blockchain according to the authority levels of the organizations. Thus, when a user needs to encrypt a document, the document can be encrypted with the public key corresponding to the user's organization and then stored in the block corresponding to that organization. Because the blockchain cannot be tampered with, the files stored in each block are protected from tampering, so the security of the files can be ensured.
The blockchain-based key storage method provided by the embodiment of the invention can be applied to a blockchain-based key storage device, and the blockchain-based key storage device can be a physical machine (such as a server) or a Virtual Machine (VM) deployed on the physical machine. In an exemplary embodiment, when the blockchain-based key storage method provided in the embodiments of the present application is executed by a server, the server may be one server or may be a server cluster formed by a plurality of servers, which is not limited in this embodiment of the present application.
Referring to Fig. 1, a blockchain-based key storage method provided in an embodiment of the present application includes:
S101: the blockchain-based key storage device acquires a first key pair and a second key pair.
Wherein the first key pair corresponds to a first organization and the second key pair corresponds to a second organization.
It may be understood that, in the embodiment of the present application, an organization may be all staff members including a certain department in a certain enterprise, may be an administrator of a certain department in a certain enterprise, may be all members including a certain project group in a certain enterprise, or may be a group leader of a certain project group in a certain enterprise, which is not limited in this application. Of course, in practical applications, the organization in the embodiments of the present application may also be other organizations with authority levels.
It should be noted that, in the embodiment of the present application, the authority level of the first organization is higher than the authority level of the second organization. Illustratively, the second organization may be all members of a certain project team in a certain enterprise, and correspondingly, the first organization may be the team leader of that project team.
In one possible implementation, the blockchain-based key storage device carries a computer program for randomly generating a key pair, and the blockchain-based key storage device executes the computer program for randomly generating the key pair to randomly generate the first key pair and the second key pair. Wherein the first key pair comprises a first public key and a first private key and the second key pair comprises a second public key and a second private key.
In one possible implementation, the blockchain-based key storage device may obtain the first key pair and the second key pair from a first server in which a computer program for randomly generating key pairs is loaded. The first server executes the computer program to randomly generate the first key pair and the second key pair, and then sends them to the blockchain-based key storage device.
Of course, in practical applications, the blockchain-based key storage device may also acquire the first key pair and the second key pair in other manners, which is not limited in this application.
It should be further noted that, in the specific application, the blockchain-based key storage device according to the embodiment of the present application may store the corresponding key pair by using a preset storage manner after obtaining the corresponding key pair for each organization. For example, the blockchain-based key storage device may store the corresponding key pair in a predetermined storage manner after acquiring the first key pair for the first organization. In one possible implementation, the first organization may record the first key pair in a text record. Of course, in practical applications, each organization may record the key pair acquired by the blockchain-based key storage device in other manners, which is not limited in this application.
S102: the blockchain-based key storage device stores the first public key and the second public key in the first block, and stores the second private key in the second block after encrypting it with the first public key.
It should be noted that, in implementation of the embodiment of the present application, the blockchain-based key storage device may create a private blockchain to implement storage of a key and a file, where the first block and the second block are two different blocks on the private blockchain.
The first block is used for storing shared data of each organization including a first organization and a second organization, and the second block is used for storing data of the first organization.
In one possible implementation, after the second private key has been encrypted with the first public key and stored in the second block by the blockchain-based key storage device, the first organization may view the encrypted files of the second organization. For example, the second organization may encrypt file a with the second public key and store the encrypted file a in the fourth block, which is used for storing data of the second organization. Since the second organization knows the second private key, it can decrypt file a (encrypted with the second public key) using the second private key, and so obtains the right to view file a. In addition, since the second private key encrypted with the first public key is stored in the second block (which stores the data of the first organization), and the first organization knows the first private key, the first organization can use the first private key to decrypt the file in which the encrypted second private key is located. In this way the first organization obtains the second private key, can then decrypt file a (encrypted with the second public key) using the second private key, and so also obtains the right to view file a.
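The flow of S101 and S102 and the file-a walkthrough above, as an added example that is not part of the patent and not code of the applicant. The public-key primitive is a small ElGamal-style hybrid scheme over a 127-bit prime group, chosen only so the example runs offline with the Python standard library; it is not secure, and a real deployment would use RSA-OAEP, ECIES or an HSM. The names `Chain`, `Block`, `run_demo`, `tamper_demo`, the organization labels "A"/"B" and the sample document are assumptions.

```python
# Added example, not from the patent or from Bank of China: a toy model of the
# S101-S102 flow and the "file a" walkthrough.  The public-key primitive is a small
# ElGamal-style hybrid scheme over a 127-bit prime group, used only so the example
# runs offline with the standard library; it is NOT secure.  Names (Chain, Block,
# org labels "A"/"B") and all sample values are assumptions.
import hashlib
import hmac
import json
import secrets

P = 2**127 - 1   # toy group modulus (a Mersenne prime; far too small for real use)
G = 3            # toy generator


def keygen():
    """Random key pair: private exponent x and public value G^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return {"private": x, "public": pow(G, x, P)}


def _derive(shared: int, label: bytes, length: int) -> bytes:
    """Expand the shared group element into `length` bytes, domain-separated by label."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(16, "big") + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(public: int, plaintext: bytes) -> dict:
    """Hybrid encryption: ephemeral k, shared = public^k, keystream XOR, HMAC tag."""
    k = secrets.randbelow(P - 2) + 1
    shared = pow(public, k, P)
    body = bytes(a ^ b for a, b in zip(plaintext, _derive(shared, b"enc", len(plaintext))))
    tag = hmac.new(_derive(shared, b"mac", 32), body, "sha256").hexdigest()
    return {"eph": pow(G, k, P), "body": body.hex(), "tag": tag}


def decrypt(private: int, ct: dict) -> bytes:
    """Recover the plaintext; raises if the tag fails (wrong key or tampered record)."""
    shared = pow(ct["eph"], private, P)
    body = bytes.fromhex(ct["body"])
    expected = hmac.new(_derive(shared, b"mac", 32), body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, ct["tag"]):
        raise ValueError("authentication failed: wrong private key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _derive(shared, b"enc", len(body))))


class Block:
    """One block: an owner label, a dict of records, and the previous block's hash."""
    def __init__(self, index, owner, records, prev_hash):
        self.index, self.owner, self.records, self.prev_hash = index, owner, records, prev_hash
        self.hash = self.compute_hash()

    def compute_hash(self):
        payload = json.dumps([self.index, self.owner, self.records, self.prev_hash], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


class Chain:
    """Minimal private chain: an append-only list of hash-linked blocks."""
    def __init__(self):
        self.blocks = []

    def append(self, owner, records):
        prev = self.blocks[-1].hash if self.blocks else "0" * 64
        block = Block(len(self.blocks) + 1, owner, records, prev)
        self.blocks.append(block)
        return block

    def verify(self):
        """True only if every stored hash matches its contents and its predecessor."""
        prev = "0" * 64
        for block in self.blocks:
            if block.prev_hash != prev or block.compute_hash() != block.hash:
                return False
            prev = block.hash
        return True


def run_demo():
    """S101-S102 plus the file-a walkthrough: which organization can recover the document."""
    org_a, org_b = keygen(), keygen()     # first (higher) and second (lower) organization
    chain = Chain()
    chain.append("shared", {"pk_A": org_a["public"], "pk_B": org_b["public"]})  # first block
    sk_b_bytes = org_b["private"].to_bytes(16, "big")
    chain.append("A", {"sk_B_wrapped": encrypt(org_a["public"], sk_b_bytes)})  # second block
    chain.append("C", {})                                           # third block (unused here)
    file_a = b"constructed sample document"                         # constructed sample input
    chain.append("B", {"file_a": encrypt(org_b["public"], file_a)})  # fourth block
    _, block_a, _, block_b = chain.blocks
    b_reads = decrypt(org_b["private"], block_b.records["file_a"])   # B uses its own key
    sk_b = int.from_bytes(decrypt(org_a["private"], block_a.records["sk_B_wrapped"]), "big")
    a_reads = decrypt(sk_b, block_b.records["file_a"])              # A unwraps sk_B, then reads
    return {"a_reads": a_reads, "b_reads": b_reads, "chain_ok": chain.verify(),
            "sk_b_recovered": sk_b == org_b["private"]}


def tamper_demo():
    """Changing a public key inside the shared block breaks the hash link (returns False)."""
    chain = Chain()
    chain.append("shared", {"pk_A": 12345})
    chain.append("A", {"note": "constructed"})
    chain.blocks[0].records["pk_A"] = 99999   # after-the-fact modification of stored data
    return chain.verify()


if __name__ == "__main__":
    print(run_demo())
    print("tampered chain verifies:", tamper_demo())
```

The tamper check is the property the text relies on when it says the stored keys "are not tampered with": each block's hash covers its records, so a modified public key in the shared block is detectable by anyone replaying `verify()`. Note that the scheme protects the escrowed second private key only as strongly as the first organization's private key, which the patent keeps outside the chain.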
When each organization of an enterprise (such as each department or each project group) stores keys and files using the blockchain-based key storage method provided by the embodiment of the present application, and the enterprise adds a new organization, an enterprise user may trigger the blockchain-based key storage device, through a first trigger operation, to acquire a key pair for the newly added organization; the blockchain-based key storage device may then determine the block in which the private key of that key pair is stored according to the authority level of the organization within the enterprise. The first trigger operation may be any operation by which a user, through a triggering device such as a terminal, controls the blockchain-based key storage device to run program instructions that obtain a key pair.
Therefore, optionally, as shown in Fig. 2, the blockchain-based key storage method provided in the embodiment of the present application further includes steps S103 to S105:
S103: the blockchain-based key storage device acquires a third key pair.
The third key pair corresponds to a third organization and comprises a third public key and a third private key.
Specifically, the manner in which the blockchain-based key storage device obtains the third key pair is the same as the manner in which the first and second key pairs are obtained; reference may be made to the foregoing description, which is not repeated here.
S104: the blockchain-based key storage device stores the third public key in the first block.
S105: the blockchain-based key storage device determines the authority level of the third organization, and determines the storage block of the third private key according to that authority level.
In one possible implementation, the blockchain-based key store may store a rights hierarchy table for each organization, and the blockchain-based key store may determine the rights hierarchy for a third organization from the rights hierarchy table. When the authority level relationship of each organization changes, the user can update the authority level table stored in the block chain-based key storage device through a second trigger operation. The second triggering operation may be any operation that the user controls the blockchain-based key storage device to run a program instruction to update the authority level table through triggering a terminal and other devices.
In one possible implementation, when the blockchain-based key storage device determines that the authority level of the third organization is higher than the authority level of the first organization, and the authority level of the third organization is the highest authority level, the blockchain-based key storage device may encrypt the first private key and the third private key with the third public key and store the encrypted first private key and the third private key in the third block. The third block is used for storing data of a third organization.
As shown in Fig. 3, a tree diagram is provided in which the authority level of the third organization is higher than that of the first organization. Node A represents the first organization, node B the second organization, and node C the third organization. Because the blockchain-based key storage device encrypts the first private key with the third public key and stores it in the third block, and the third organization knows the third private key, the third organization can use the third private key to decrypt the file in which the first private key (encrypted with the third public key) is located, and so obtain the first private key. The third organization can then use the first private key to decrypt files that the first organization encrypted with the first public key. Further, the third organization can use the first private key to decrypt the file in which the second private key (encrypted with the first public key) is located, and so view the files encrypted by the second organization. Therefore, the third organization corresponding to node C, which has the highest authority level, can view not only the contents of the third block (data of the third organization) but also the contents of the second block (data of the first organization) and of the fourth block (data of the second organization). The first organization corresponding to node A can view the contents of the second block (data of the first organization) and of the fourth block (data of the second organization). The second organization corresponding to node B can view the contents of the fourth block (data of the second organization).
In this embodiment, for the authority levels of the organizations shown in fig. 3, the blockchain-based key storage device encrypts the third private key of the third organization with the third public key and stores the encrypted third private key in the third block for storing the data of the third organization. In practical application, since the third organization is the current highest authority level, the third private key may not be stored in the third block, and the third organization may store the third key pair by adopting a preset storage manner.
In one possible implementation, when the blockchain-based key storage device determines that the authority level of the third organization is higher than the authority level of the second organization and lower than the authority level of the first organization, then the blockchain-based key storage device may encrypt the third private key with the first public key and store the third private key in the second block, and encrypt the second private key with the third public key and store the second private key in the third block.
As shown in Fig. 4, a tree diagram is provided in which the authority level of the third organization is higher than that of the second organization and lower than that of the first organization. Node A represents the first organization, node B the second organization, and node C the third organization. The first organization corresponding to node A can view not only the contents of the second block (data of the first organization) but also the contents of the third block (data of the third organization) and of the fourth block (data of the second organization). The third organization corresponding to node C can view the contents of the third block (data of the third organization) and of the fourth block (data of the second organization). The second organization corresponding to node B can view the contents of the fourth block (data of the second organization). The analysis is similar to that of the authority level relationship shown in Fig. 3 and is not repeated here.
In one possible implementation, when the blockchain-based key storage device determines that the authority level of the third organization is lower than the authority level of the second organization, the third private key is encrypted with the second public key and stored in the fourth block.
As shown in Fig. 5, a tree diagram is provided in which the authority level of the third organization is lower than that of the second organization. Node A represents the first organization, node B the second organization, and node C the third organization. The first organization corresponding to node A can view not only the contents of the second block (data of the first organization) but also the contents of the third block (data of the third organization) and of the fourth block (data of the second organization). The second organization corresponding to node B can view the contents of the fourth block (data of the second organization) and of the third block (data of the third organization). The third organization corresponding to node C can view the contents of the third block (data of the third organization). The analysis is similar to that of the authority level relationship shown in Fig. 3 and is not repeated here.
In one possible implementation, when the blockchain-based key storage device determines that the authority level of the third organization is the same as the authority level of the second organization, the third private key is encrypted with the first public key and stored in the second block.
As shown in fig. 6, a tree diagram is provided in which the authority level of the third organization is the same as that of the second organization. Node A represents the first organization, node B represents the second organization, and node C represents the third organization. The first organization corresponding to node A may view not only the content of the second block, which stores the data of the first organization, but also the content of the third block, which stores the data of the third organization, and the content of the fourth block, which stores the data of the second organization. The second organization corresponding to node B may only view the content of the fourth block, which stores the data of the second organization. The third organization corresponding to node C, which has the same authority level as node B, may only view the content of the third block, which stores the data of the third organization. The specific analysis process is similar to that of the authority level relationship corresponding to the tree diagram shown in fig. 3, and is not repeated here.
Optionally, when each project group of an enterprise stores its keys and files using the blockchain-based key storage method provided by the embodiments of the present application, then, when a project group ends, an enterprise user may, through a third triggering operation, cause the blockchain-based key storage device to delete the data stored in the block corresponding to that project group (which corresponds to an organization in the embodiments of the present application). The third triggering operation may be any operation by which the user, through a triggering device such as a terminal, causes the blockchain-based key storage device to run the program instructions that delete the data.
In one possible implementation, taking the authority level relationship of each organization represented by the tree diagram shown in fig. 5 as an example, when the blockchain-based key storage device determines that the data stored in the fourth block (corresponding to the second organization) is to be deleted, the second private key may be used to decrypt the data stored in the fourth block. Then the blockchain-based key storage device encrypts the decrypted data of the fourth block with the first public key, stores the encrypted data in the second block, and re-encrypts the data stored in the fourth block with a random key. Finally, the blockchain-based key storage device re-acquires a fourth key pair, comprising a fourth private key and a fourth public key, for the third organization, stores the fourth public key in the first block, encrypts the fourth private key with the first public key and stores the encrypted fourth private key in the second block. Since the random key does not correspond to any organization, the data stored in the fourth block is effectively deleted, and the tree diagram shown in fig. 5 becomes the tree diagram shown in fig. 7.
It can be appreciated that the blockchain-based key storage method is not limited to the authority level relationships between organizations represented by the tree diagrams shown in figs. 3 to 6; in practical applications, the authority levels of organizations are more complex. In order to illustrate the blockchain-based key storage method provided in the embodiments of the present application more clearly, a detailed description is given below taking the authority level relationship of each organization represented by the tree diagram shown in fig. 8 as an example.
An enterprise has 10 organizations in total. As shown in fig. 8, node D represents organization D, node E represents organization E, node F represents organization F, node G represents organization G, node H represents organization H, node I represents organization I, node J represents organization J, node K represents organization K, node L represents organization L, and node M represents organization M. The blockchain-based key storage device may obtain a key pair corresponding to each organization, and determine, on the created private blockchain, a block for storing the data of each organization and a public block for storing the data shared by all organizations. The blockchain-based key storage device may store the public keys of the organizations in the public block.
It can be seen that the authority level of organization E is higher than that of organizations H, I and J, so the blockchain-based key storage device may encrypt the private key of organization H, the private key of organization I and the private key of organization J with the public key of organization E and store the encrypted private keys in the block for storing the data of organization E. The authority level of organization F is higher than that of organization K, so the blockchain-based key storage device may encrypt the private key of organization K with the public key of organization F and store it in the block for storing the data of organization F. The authority level of organization G is higher than that of organizations L and M, so the blockchain-based key storage device may encrypt the private key of organization L and the private key of organization M with the public key of organization G and store them in the block for storing the data of organization G. In addition, the authority level of organization D is higher than that of organizations E, F and G, so the blockchain-based key storage device may encrypt the private key of organization E, the private key of organization F and the private key of organization G with the public key of organization D and store the encrypted private keys in the block for storing the data of organization D.
Thus, organization D can view the encrypted files of organizations E, F and G; after further obtaining the private key of organization E, it can view the encrypted files of E's subordinate organizations H, I and J; after further obtaining the private key of organization F, it can view the encrypted files of F's subordinate organization K; and after further obtaining the private key of organization G, it can view the encrypted files of G's subordinate organizations L and M. Organization E can view the encrypted files of its subordinate organizations H, I and J, organization F can view the encrypted files of its subordinate organization K, and organization G can view the encrypted files of its subordinate organizations L and M.
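The storage rule just described for fig. 8, together with the block-deletion step described above for fig. 5, as an added example in Go. This is not the patent's own code or anything from its applicant: the names Ledger, Add, Reachable, Retire, wrapTo and unwrapWith are this example's own; the patent does not name a cipher, so each private key is wrapped with ephemeral P-256 ECDH plus AES-256-GCM (an assumption, with a plain SHA-256 of the shared secret standing in for a proper KDF); and the deletion step is simplified to re-keying the retired organization's subordinates under its superior rather than copying the decrypted block contents into the superior's block. The organization names used in the comments follow fig. 8 and are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Ledger models the patent's private chain; its zero value is ready to use.
type Ledger struct {
	Common map[string]*ecdh.PublicKey   // the "first block": every organization's public key
	Blocks map[string]map[string][]byte // org -> its own block: subordinate -> wrapped private key
}

// must turns failures that cannot happen here (CSPRNG, keys on one curve) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// wrapTo encrypts to pub's holder (ephemeral P-256 ECDH, SHA-256 as a stand-in KDF, AES-256-GCM); result: 65-byte point || 12-byte nonce || ct+tag.
func wrapTo(pub *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(pub)))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil)
}

// unwrapWith reverses wrapTo; a wrong private key fails the GCM tag check instead of yielding garbage.
func unwrapWith(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 65+12 { // 65-byte uncompressed P-256 point + 12-byte GCM nonce
		return nil, errors.New("wrapped blob too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:65])
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(must(priv.ECDH(ephPub)))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	return gcm.Open(nil, blob[65:77], blob[77:], nil)
}

// Add issues org a key pair, publishes the public key in the common block and, unless org is the
// root (sup == ""), stores the private key in sup's block wrapped under sup's public key.
func (l *Ledger) Add(org, sup string) (*ecdh.PrivateKey, error) {
	if sup != "" && l.Common[sup] == nil {
		return nil, errors.New("superior " + sup + " must be added before " + org)
	} else if l.Common == nil {
		l.Common, l.Blocks = map[string]*ecdh.PublicKey{}, map[string]map[string][]byte{}
	}
	priv := must(ecdh.P256().GenerateKey(rand.Reader)) // returned for the device to hand out; on chain it exists only wrapped
	l.Common[org] = priv.PublicKey()
	if l.Blocks[org] == nil { // re-adding an organization re-keys it but keeps its block
		l.Blocks[org] = map[string][]byte{}
	}
	if sup != "" {
		l.Blocks[sup][org] = wrapTo(l.Common[sup], priv.Bytes())
	}
	return priv, nil
}

// Reachable walks down from org with its private key: each entry of org's block that priv opens is a
// subordinate's private key, which opens that subordinate's block in turn (fig. 8: D reaches E..M, E only H, I, J).
func (l *Ledger) Reachable(org string, priv *ecdh.PrivateKey) map[string]*ecdh.PrivateKey {
	found := map[string]*ecdh.PrivateKey{}
	for sub, blob := range l.Blocks[org] {
		if raw, err := unwrapWith(priv, blob); err == nil { // else: not wrapped to priv, or a retired block
			found[sub] = must(ecdh.P256().NewPrivateKey(raw)) // authenticated, so a valid scalar
			for k, v := range l.Reachable(sub, found[sub]) {
				found[k] = v
			}
		}
	}
	return found
}

// Retire deletes org's block (the patent's fig. 5 to fig. 7 step), sup being org's superior: each subordinate is
// re-keyed under sup, since org could have read its old key, and the block is overwritten under a random key that is discarded.
func (l *Ledger) Retire(org, sup string) error {
	if l.Blocks[org] == nil || l.Common[sup] == nil {
		return errors.New("unknown organization or superior")
	}
	for sub := range l.Blocks[org] {
		must(l.Add(sub, sup))
	}
	throwaway := must(ecdh.P256().GenerateKey(rand.Reader)) // its private half is never stored anywhere
	for sub, blob := range l.Blocks[org] {
		l.Blocks[org][sub] = wrapTo(throwaway.PublicKey(), blob)
	}
	delete(l.Blocks[sup], org) // org's own wrapped private key leaves sup's block as well
	return nil
}
```

Build the fig. 8 tree by calling Add("D", "") once for the root and Add(child, superior) for every other organization, superior first; Reachable("D", dKey) then yields nine private keys, Reachable("E", eKey) only those of H, I and J, and D's key opens nothing in E's block. Retire("E", "D") re-keys H, I and J under D and overwrites E's block in place, after which E's old private key opens nothing. Two properties the patent leaves implicit are visible here: a superior necessarily learns its subordinates' private keys, which is why retirement re-keys the subordinates instead of moving their old keys, and the retired block stays on the chain but becomes unreadable because the only key that could open it is never stored.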
If organizations N and O are newly added to the enterprise, the blockchain-based key storage device may obtain a key pair for each of organization N and organization O, store the two obtained public keys in the public block, and determine, on the created private blockchain, a block for storing the data of organization N and a block for storing the data of organization O. The blockchain-based key storage device then determines the authority levels of organization N and organization O, and determines the storage blocks of the private key of organization N and the private key of organization O according to the determined authority levels.
For example, the blockchain-based key storage device may determine that the authority level of organization N is higher than that of organizations E and F but lower than that of organization D, and that the authority level of organization O is higher than that of organization G but lower than that of organization D, i.e. the authority level relationships of the organizations correspond to the tree diagram shown in fig. 9. The blockchain-based key storage device may then encrypt the private key of organization E and the private key of organization F with the public key of organization N and store them in the block for storing the data of organization N, encrypt the private key of organization N with the public key of organization D and store it in the block for storing the data of organization D, encrypt the private key of organization G with the public key of organization O and store it in the block for storing the data of organization O, and encrypt the private key of organization O with the public key of organization D and store it in the block for storing the data of organization D.
For example, the blockchain-based key storage device may determine that the authority level of organization N is higher than that of organizations E and F and not lower than that of organization D, and that the authority level of organization O is higher than that of organization G and not lower than that of organization D, i.e. the authority level relationships of the organizations correspond to the tree diagram shown in fig. 10. The blockchain-based key storage device may then encrypt the private key of organization E and the private key of organization F with the public key of organization N and store them in the block for storing the data of organization N, and encrypt the private key of organization G with the public key of organization O and store it in the block for storing the data of organization O.
In summary, according to the blockchain-based key storage method provided by the present application, the key pair corresponding to each organization is stored in the corresponding block of the blockchain according to the authority level of each organization, so that each organization can encrypt its documents with the corresponding key pair and store them in its own block, and neither the documents nor the key pairs need to be transmitted by other means such as the internet. Because data written to the blockchain cannot be modified, the files stored in each block are protected from tampering, and the asymmetric encryption performed with the key pairs further ensures the security of document storage.
As shown in fig. 11, an embodiment of the present application further provides a blockchain-based key storage device, including: an acquisition module 31 and a storage module 32.
Wherein the obtaining module 31 executes S101 in the above-described method embodiment, and the storing module 32 executes S102 in the above-described method embodiment.
Specifically, the obtaining module 31 is configured to obtain the first key pair and the second key pair. The first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization. The first key pair includes a first public key and the second key pair includes a second public key and a second private key.
The storage module 32 is configured to store the first public key and the second public key acquired by the acquisition module 31 into the first block, and store the second private key acquired by the acquisition module 31 into the second block after encrypting the second private key with the first public key. The first block is used for storing shared data of each organization including a first organization and a second organization, and the second block is used for storing data of the first organization.
Optionally, the apparatus further comprises a determination module. The obtaining module 31 is further configured to obtain a third key pair, where the third key pair corresponds to a third organization. The third key pair includes a third public key and a third private key. The storage module 32 is configured to store the third public key acquired by the acquisition module 31 into the first block. The determining module is configured to determine a permission level of the third organization, and determine the storage block of the third private key acquired by the acquiring module 31 according to the permission level of the third organization.
Optionally, the first key pair further includes a first private key, and the determining module is specifically configured to: when it is determined that the authority level of the third organization is higher than the authority level of the first organization and the authority level of the third organization is the highest authority level, the first private key and the third private key acquired by the acquisition module 31 are encrypted by adopting the third public key and then stored in the third block; the third block is for storing data of a third organization.
Optionally, the determining module is specifically further configured to: when it is determined that the authority level of the third organization is higher than the authority level of the second organization and lower than the authority level of the first organization, the third private key acquired by the acquisition module 31 is encrypted by the first public key and then stored in the second block, and the second private key acquired by the acquisition module 31 is encrypted by the third public key and then stored in the third block.
Optionally, the determining module is specifically further configured to: when it is determined that the authority level of the third organization is the same as the authority level of the second organization, the third private key acquired by the acquisition module 31 is encrypted by the first public key and then stored in the second block.
Optionally, the determining module is specifically further configured to: when the authority level of the third organization is lower than that of the second organization, the third private key acquired by the acquisition module 31 is encrypted by the second public key and then stored in the fourth block; the fourth block is for storing data of the second organization.
Optionally, the apparatus further comprises a processing module, when determining to delete the data stored in the fourth block, the processing module is configured to: decrypting the data stored in the fourth block by using the second private key acquired by the acquisition module 31; the decrypted data stored in the fourth block is encrypted by the first public key and then stored in the second block through the storage module 32, and the data stored in the fourth block is re-encrypted by the random key; re-acquiring, by the acquisition module 31, a fourth key pair for the third organization, the fourth key pair comprising a fourth private key and a fourth public key; the fourth public key is stored in the first block through the storage module 32, and the fourth private key acquired by the acquisition module 31 is encrypted by the first public key and then stored in the second block.
Optionally, the storage module 32 is further configured to store program code of the blockchain-based key storage device, and the like.
As shown in fig. 12, an embodiment of the present application further provides a blockchain-based key storage device, including a memory 41, a processor 42, a bus 43, and a communication interface 44; the memory 41 is used for storing computer-executable instructions, and the processor 42 is connected with the memory 41 through the bus 43; when the blockchain-based key storage device is running, the processor 42 executes the computer-executable instructions stored in the memory 41 to cause the blockchain-based key storage device to perform the blockchain-based key storage method provided by the embodiments described above.
In a particular implementation, as one embodiment, the processors 42 (42-1 and 42-2) may include one or more central processing units (CPU), such as CPU0 and CPU1 shown in fig. 12. As one example, the blockchain-based key storage device may include a plurality of processors 42, such as processor 42-1 and processor 42-2 shown in fig. 12. Each of these processors 42 may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). The processor 42 herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 41 may be, but is not limited to, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 41 may be stand-alone and coupled to the processor 42 via the bus 43, or it may be integrated with the processor 42.
In a specific implementation, the memory 41 is used for storing data in the application and computer-executable instructions corresponding to executing a software program of the application. The processor 42 may perform various functions of the blockchain-based key storage by running or executing software programs stored in the memory 41 and invoking data stored in the memory 41.
The communication interface 44 uses any transceiver-like device for communicating with other devices or communication networks, such as a control system, a radio access network (radio access network, RAN), a wireless local area network (wireless local area networks, WLAN), etc. The communication interface 44 may include a receiving unit to implement a receiving function and a transmitting unit to implement a transmitting function.
The bus 43 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 43 may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is shown in fig. 12, but this does not mean that there is only one bus or only one type of bus.
As an example, in connection with fig. 11, the function implemented by the acquisition module of the blockchain-based key storage device is the same as the function implemented by the receiving unit in fig. 12, the function implemented by the processing module of the blockchain-based key storage device is the same as the function implemented by the processor in fig. 12, and the function implemented by the storage module of the blockchain-based key storage device is the same as the function implemented by the memory in fig. 12.
The explanation of the related content in this embodiment may refer to the above method embodiment, and will not be repeated here.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above. The specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which are not described herein.
The present application also provides a computer-readable storage medium, in which instructions are stored, which when executed by a computer, cause the computer to perform the blockchain-based key storage method provided by the above embodiments.
The computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a RAM, a ROM, an erasable programmable read-only memory (EPROM), a register, an optical fiber, a CD-ROM, an optical storage device, a magnetic storage device, any suitable combination of the foregoing, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (ASIC). In the context of the present application, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A blockchain-based key storage method, comprising:
acquiring a first key pair and a second key pair; the first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization; the first key pair comprises a first public key, and the second key pair comprises a second public key and a second private key;
storing the first public key and the second public key into a first block, encrypting the second private key by adopting the first public key, and storing the encrypted second private key into a second block; the first block is used for storing shared data of each organization including the first organization and the second organization, and the second block is used for storing data of the first organization.
2. The blockchain-based key storage method of claim 1, further comprising:
acquiring a third key pair, wherein the third key pair corresponds to a third organization; the third key pair includes a third public key and a third private key;
storing the third public key in the first block;
and determining the authority level of the third organization, and determining the storage block of the third private key according to the authority level of the third organization.
3. The blockchain-based key storage method of claim 2, wherein the first key pair further includes a first private key, the determining the authority level of the third organization, and determining the storage block of the third private key according to the authority level of the third organization, comprises:
when the authority level of the third organization is higher than the authority level of the first organization and the authority level of the third organization is the highest authority level, encrypting the first private key and the third private key by adopting the third public key and storing the encrypted first private key and the encrypted third private key into a third block; the third block is for storing data of the third organization.
4. The blockchain-based key storage method of claim 3, wherein the determining the authority level of the third organization and determining the storage block of the third private key according to the authority level of the third organization includes:
when the authority level of the third organization is higher than the authority level of the second organization and lower than the authority level of the first organization, the third private key is encrypted by the first public key and then stored in the second block, and the second private key is encrypted by the third public key and then stored in the third block.
5. The blockchain-based key storage method of claim 4, wherein the determining the authority level of the third organization and determining the storage block of the third private key according to the authority level of the third organization includes:
and when the authority level of the third organization is determined to be the same as that of the second organization, encrypting the third private key by adopting the first public key, and storing the encrypted third private key into the second block.
6. The blockchain-based key storage method of claim 5, wherein the determining the authority level of the third organization and determining the storage block of the third private key according to the authority level of the third organization includes:
when the authority level of the third organization is lower than that of the second organization, encrypting the third private key by adopting a second public key and storing the encrypted third private key into a fourth block; the fourth block is for storing data of the second organization.
7. The blockchain-based key storage method of claim 6, wherein, when it is determined that the data stored in the fourth block is to be deleted, the method further comprises:
decrypting the data stored in the fourth block by adopting the second private key;
encrypting the decrypted data stored in the fourth block by adopting the first public key, storing the encrypted data into the second block, and re-encrypting the data stored in the fourth block by adopting a random key;
re-acquiring a fourth key pair for the third organization, the fourth key pair comprising a fourth private key and a fourth public key;
and storing the fourth public key into the first block, encrypting the fourth private key by adopting the first public key, and storing the encrypted fourth private key into the second block.
8. A blockchain-based key storage device, comprising:
the acquisition module is used for acquiring the first key pair and the second key pair; the first key pair corresponds to a first organization, the second key pair corresponds to a second organization, and the authority level of the first organization is higher than that of the second organization; the first key pair comprises a first public key, and the second key pair comprises a second public key and a second private key;
the storage module is used for storing the first public key and the second public key acquired by the acquisition module into a first block, encrypting the second private key acquired by the acquisition module by adopting the first public key and storing the encrypted second private key into a second block; the first block is used for storing shared data of each organization including the first organization and the second organization, and the second block is used for storing data of the first organization.
9. The blockchain-based key storage device of claim 8, further comprising a determination module;
the obtaining module is further configured to obtain a third key pair, where the third key pair corresponds to a third organization; the third key pair includes a third public key and a third private key;
the storage module is used for storing the third public key acquired by the acquisition module into the first block;
the determining module is configured to determine a permission level of the third organization, and determine, according to the permission level of the third organization, the storage block of the third private key acquired by the acquiring module.
10. The blockchain-based key storage device of claim 9, wherein the first key pair further includes a first private key, the determining module being specifically configured to:
when the authority level of the third organization is higher than the authority level of the first organization and the authority level of the third organization is the highest authority level, the first private key and the third private key acquired by the acquisition module are encrypted by adopting the third public key and then stored in a third block; the third block is for storing data of the third organization.
11. The blockchain-based key storage device of claim 10, wherein the determining module is further specifically configured to:
when it is determined that the authority level of the third organization is higher than the authority level of the second organization and lower than the authority level of the first organization, the third private key acquired by the acquisition module is encrypted by the first public key and then stored in the second block, and the second private key acquired by the acquisition module is encrypted by the third public key and then stored in the third block.
12. The blockchain-based key storage device of claim 11, wherein the determining module is further specifically configured to:
and when the authority level of the third organization is determined to be the same as that of the second organization, encrypting the third private key acquired by the acquisition module by adopting the first public key, and storing the encrypted third private key into the second block.
13. The blockchain-based key storage device of claim 12, wherein the determining module is further specifically configured to:
when the authority level of the third organization is lower than that of the second organization, the third private key acquired by the acquisition module is encrypted by adopting a second public key and then stored in a fourth block; the fourth block is for storing data of the second organization.
14. The blockchain-based key storage device of claim 13, further comprising a processing module configured to, when it is determined that the data stored in the fourth block is to be deleted:
decrypting the data stored in the fourth block by adopting the second private key acquired by the acquisition module;
the decrypted data stored in the fourth block is encrypted by the first public key and then stored in the second block through the storage module, and the data stored in the fourth block is re-encrypted by the random key;
re-acquiring a fourth key pair for the third organization by the acquisition module, wherein the fourth key pair comprises a fourth private key and a fourth public key;
and storing the fourth public key into the first block through the storage module, and storing the fourth private key acquired by the acquisition module into the second block after being encrypted by the first public key.
15. A blockchain-based key storage device, characterized by comprising a memory, a processor, a bus and a communication interface; the memory is used for storing computer-executable instructions, and the processor is connected with the memory through the bus;
when the blockchain-based key storage device is running, the processor executes the computer-executable instructions stored in the memory to cause the blockchain-based key storage device to perform the blockchain-based key storage method of any one of claims 1-7.
16. A computer readable storage medium having instructions stored therein which, when executed by a computer, cause the computer to perform the blockchain-based key storage method of any of claims 1-7.
CN202010904192.4A 2020-09-01 2020-09-01 Key storage method and device based on blockchain Active CN112084536B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010904192.4A CN112084536B (en) 2020-09-01 2020-09-01 Key storage method and device based on blockchain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010904192.4A CN112084536B (en) 2020-09-01 2020-09-01 Key storage method and device based on blockchain

Publications (2)

Publication Number Publication Date
CN112084536A CN112084536A (en) 2020-12-15
CN112084536B CN112084536B (en) 2023-07-21

Family

ID=73732849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010904192.4A Active CN112084536B (en) 2020-09-01 2020-09-01 Key storage method and device based on blockchain

Country Status (1)

Country Link
CN (1) CN112084536B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785506B (en) * 2022-06-17 2022-10-28 杭州天谷信息科技有限公司 Electronic contract signing method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101099330A (en) * 2005-02-07 2008-01-02 三星电子株式会社 Key management method using hierarchical node topology, and method of registering and deregistering user using the same
CN101490687A (en) * 2006-07-07 2009-07-22 桑迪士克股份有限公司 Control system and method using identity objects
CN110224814A (en) * 2019-06-27 2019-09-10 深圳前海微众银行股份有限公司 Block chain data sharing method and device
CN111104686A (en) * 2019-09-10 2020-05-05 腾讯科技(深圳)有限公司 Block chain network control method, device, equipment and storage medium
CN110798315A (en) * 2019-11-11 2020-02-14 腾讯科技(深圳)有限公司 Data processing method and device based on block chain and terminal
CN111431713A (en) * 2020-03-27 2020-07-17 财付通支付科技有限公司 Private key storage method and device and related equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Application and research of blockchain technology in document management; Wang Weikang; China Master's Theses Full-text Database, Information Science and Technology series; chapters 3-5 *

Also Published As

Publication number Publication date
CN112084536A (en) 2020-12-15

Similar Documents

Publication Publication Date Title
CN108632284B (en) User data authorization method, medium, device and computing equipment based on block chain
US11088846B2 (en) Key rotating trees with split counters for efficient hardware replay protection
US11239994B2 (en) Techniques for key provisioning in a trusted execution environment
US8850593B2 (en) Data management using a virtual machine-data image
US9037870B1 (en) Method and system for providing a rotating key encrypted file system
US9088538B2 (en) Secure network storage
US20170104736A1 (en) Secure data storage on a cloud environment
US10180806B2 (en) Information processing apparatus, information processing method, and recording medium
KR101224677B1 (en) Method and computer-readable medium for generating usage rights for an item based upon access rights
KR102174032B1 (en) Access management method, information processing apparatus, program, and recording medium
CN105378749A (en) Data protection for organizations on computing devices
EP2962209A1 (en) System and method for conflict-free cloud storage encryption
US11087017B1 (en) Systems, methods, and computer-readable media for utilizing anonymous sharding techniques to protect distributed data
CA3083722C (en) Re-encrypting data on a hash chain
Song et al. A cloud secure storage mechanism based on data dispersion and encryption
CN108108633B (en) Data file and access method, device and equipment thereof
CN105635320A (en) Method and equipment for calling configuration information
CA2773293A1 (en) Multiple independent encryption domains
CA3143383A1 (en) Cryptographic key orchestration between trusted containers in a multi-node cluster
CN112084536B (en) Key storage method and device based on blockchain
CN114398623A (en) Method for determining security policy
CN107566499B (en) Data synchronization method, device and system
CN112995109B (en) Data encryption system, data encryption method, data processing device and electronic equipment
US9973339B1 (en) Anonymous cloud data storage and anonymizing non-anonymous storage
US9135449B2 (en) Apparatus and method for managing USIM data using mobile trusted module

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant