CN112307116A - Data access control method, device and equipment based on block chain - Google Patents

Info

Publication number: CN112307116A
Authority: CN (China)
Application number: CN202010979263.7A
Other languages: Chinese (zh)
Inventor: 栗鸿宇
Current assignee: Beijing Wodong Tianjun Information Technology Co Ltd
Original assignee: Beijing Wodong Tianjun Information Technology Co Ltd
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F 16/2471 Distributed queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00 Payment architectures, schemes or protocols
    • G06Q 20/38 Payment protocols; Details thereof
    • G06Q 20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q 20/3827 Use of message hashing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00 Payment architectures, schemes or protocols
    • G06Q 20/38 Payment protocols; Details thereof
    • G06Q 20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q 20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management

Abstract

Embodiments of the application provide a blockchain-based data access control method, apparatus and device. The method comprises: a first device receives a data request message sent by a second device, where the data request message is used to request first data and comprises a transaction identifier; the first device obtains, from a blockchain node, the transaction information corresponding to the transaction identifier, where the transaction information is generated by the blockchain node according to the access policy corresponding to the first data and the attribute information of the second device; and when the first device determines from the transaction information that the second device has the right to access the first data, the first device obtains the first data and sends it to the second device. The security of Internet of Things data is thereby improved.

Description

Data access control method, device and equipment based on block chain
Technical Field
The present application relates to the field of communications technology, and in particular to a blockchain-based data access control method, apparatus and device.
Background
The Internet of Things comprises a plurality of Internet of Things devices, which generate various kinds of Internet of Things data while running; this data may include users' private data.
An intelligent service device can obtain Internet of Things data and use it to provide intelligent services to the user. In practice, however, the intelligent service device generally obtains the user's Internet of Things data in a coercive way: for example, the data is obtained without the user's knowledge, or the user is presented with a protocol policy for obtaining the Internet of Things data and the intelligent service is provided only if the user agrees to that policy. In this process the intelligent service device can easily obtain the user's Internet of Things data, so the security of the Internet of Things data is low.
Disclosure of Invention
Embodiments of the application provide a blockchain-based data access control method, apparatus and device, which improve the security of Internet of Things data.
In a first aspect, an embodiment of the application provides a blockchain-based data access control method, comprising:
a first device receives a data request message sent by a second device, where the data request message is used to request first data and comprises a transaction identifier;
the first device obtains, from a blockchain node, transaction information corresponding to the transaction identifier, where the transaction information is generated by the blockchain node according to an access policy corresponding to the first data and attribute information of the second device;
and when the first device determines from the transaction information that the second device has the right to access the first data, the first device obtains the first data and sends it to the second device.
In one possible embodiment, the transaction information comprises at least one of the following: request information, first signature information and indication information, where
the request information comprises the resource location of the first data, the policy identifier of the access policy and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible implementation, the first device determining from the transaction information that the second device has the right to access the first data, and obtaining the first data, comprises:
the first device obtains the indication information from the transaction information;
and when the first device determines from the indication information that the second device has the right to access the first data, the first device obtains the first data.
In one possible embodiment, the first device obtaining the first data comprises:
the first device determines the identifier of the first data according to the policy identifier;
and the first device obtains the first data according to the identifier of the first data.
In one possible implementation, the first device obtaining the first data according to the identifier of the first data comprises:
if the identifier of the first data exists in the data table of the first device, the first device obtains the first data from the data table;
if the identifier of the first data does not exist in the data table of the first device, the first device obtains the first data from the Internet of Things device.
In one possible implementation, the data request message further comprises second signature information, obtained by the second device encrypting the transaction identifier with an encryption key; before the first device obtains the first data, the method further comprises:
the first device obtains a first hash value of the transaction identifier;
the first device decrypts the second signature information with the verification key corresponding to the encryption key to obtain a second hash value;
the first device determines that the first hash value is identical to the second hash value.
In one possible implementation, the first device sending the first data to the second device comprises:
the first device decrypts the encrypted session key with the private key corresponding to the public key to obtain the session key;
the first device encrypts the first data with the session key;
and the first device sends the encrypted first data to the second device.
In a second aspect, an embodiment of the application provides a blockchain-based data access control method, comprising:
a second device sends request information and first signature information to a blockchain node, where the request information and the first signature information are used by the blockchain node to generate transaction information and a transaction identifier;
the second device obtains the transaction identifier from the blockchain node;
the second device sends a data request message to a first device, where the data request message is used to request first data and comprises the transaction identifier;
and when the first device determines from the transaction information that the second device has the right to access the first data, the second device receives the first data sent by the first device.
In one possible embodiment, the transaction information comprises at least one of the following: request information, first signature information and indication information, where
the request information comprises the resource location of the first data, a policy identifier and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible implementation, the data request message further comprises second signature information, obtained by the second device encrypting the transaction identifier with an encryption key.
In a third aspect, an embodiment of the application provides a blockchain-based data access control method, comprising:
a blockchain node receives request information and first signature information sent by a second device, where the request information is used to request first data;
the blockchain node generates a transaction identifier and transaction information according to the request information and the first signature information;
the blockchain node receives a query request sent by a first device, where the query request comprises the transaction identifier;
and the blockchain node sends the transaction information corresponding to the transaction identifier to the first device, where the transaction information is used by the first device to determine whether to send the first data to the second device.
In one possible embodiment, the transaction information comprises at least one of the following: the request information, the first signature information and indication information, where
the request information comprises the resource location of the first data, a policy identifier and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible embodiment, the blockchain node generating the transaction information according to the request information and the first signature information comprises:
the blockchain node obtains the access policy corresponding to the policy identifier;
the blockchain node obtains attribute information of the second device;
the blockchain node generates the indication information according to the attribute information of the second device and the access policy;
the blockchain node determines that the transaction information comprises the request information, the first signature information and the indication information.
In one possible implementation, before the blockchain node generates the transaction identifier and the transaction information according to the request information and the first signature information, the method further comprises:
the blockchain node verifies the validity of the request information according to the request information and the first signature information;
the blockchain node determines that the request information is valid.
In one possible implementation, the first signature information is obtained by the second device encrypting a hash value of the request information with an encryption key;
the blockchain node verifying the validity of the request information according to the request information and the first signature information comprises:
the blockchain node obtains a first hash value of the request information;
the blockchain node decrypts the first signature information with the verification key corresponding to the encryption key to obtain a second hash value;
if the first hash value is identical to the second hash value, the blockchain node determines that the request information is valid; if the first hash value differs from the second hash value, the blockchain node determines that the request information is invalid.
In a fourth aspect, an embodiment of the application provides a blockchain-based data access control apparatus, comprising a receiving module, a processing module and a sending module, where
the receiving module is configured to receive a data request message sent by a second device, where the data request message is used to request first data and comprises a transaction identifier;
the processing module is configured to obtain, from a blockchain node, transaction information corresponding to the transaction identifier, where the transaction information is generated by the blockchain node according to the access policy corresponding to the first data and the attribute information of the second device;
the processing module is further configured to obtain the first data when it is determined from the transaction information that the second device has the right to access the first data;
the sending module is configured to send the first data to the second device.
In one possible embodiment, the transaction information comprises at least one of the following: request information, first signature information and indication information, where
the request information comprises the resource location of the first data, the policy identifier of the access policy and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible implementation, the processing module is specifically configured to:
obtain the indication information from the transaction information;
and obtain the first data when it is determined from the indication information that the second device has the right to access the first data.
In one possible implementation, the processing module is specifically configured to:
determine the identifier of the first data according to the policy identifier;
and obtain the first data according to the identifier of the first data.
In one possible implementation, the processing module is specifically configured to:
obtain the first data from the data table of the first device if the identifier of the first data exists in that data table;
and obtain the first data from the Internet of Things device if the identifier of the first data does not exist in the data table of the first device.
In one possible implementation, the data request message further comprises second signature information, obtained by the second device encrypting the transaction identifier with an encryption key; the processing module is configured to:
obtain a first hash value of the transaction identifier;
decrypt the second signature information with the verification key corresponding to the encryption key to obtain a second hash value;
determine that the first hash value is identical to the second hash value.
In one possible implementation, the processing module is further configured to decrypt the encrypted session key with the private key corresponding to the public key to obtain the session key, and to encrypt the first data with the session key;
the sending module is configured to send the encrypted first data to the second device.
In a fifth aspect, an embodiment of the application provides a blockchain-based data access control apparatus, comprising a sending module, a processing module and a receiving module, where
the sending module is configured to send request information and first signature information to a blockchain node, where the request information and the first signature information are used by the blockchain node to generate transaction information and a transaction identifier;
the processing module is configured to obtain the transaction identifier from the blockchain node;
the sending module is further configured to send a data request message to a first device, where the data request message is used to request first data and comprises the transaction identifier;
the receiving module is configured to receive the first data sent by the first device when the first device determines from the transaction information that the second device has the right to access the first data.
In one possible embodiment, the transaction information comprises at least one of the following: request information, first signature information and indication information, where
the request information comprises the resource location of the first data, a policy identifier and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible implementation, the data request message further comprises second signature information, obtained by the second device encrypting the transaction identifier with an encryption key.
In a sixth aspect, an embodiment of the application provides a blockchain-based data access control apparatus, comprising a receiving module, a processing module and a sending module, where
the receiving module is configured to receive request information and first signature information sent by a second device, where the request information is used to request first data;
the processing module is configured to generate a transaction identifier and transaction information according to the request information and the first signature information;
the receiving module is further configured to receive a query request sent by a first device, where the query request comprises the transaction identifier;
the sending module is configured to send the transaction information corresponding to the transaction identifier to the first device, where the transaction information is used by the first device to determine whether to send the first data to the second device.
In one possible embodiment, the transaction information comprises at least one of the following: the request information, the first signature information and indication information, where
the request information comprises the resource location of the first data, a policy identifier and an encrypted session key, the encrypted session key being obtained by the second device encrypting a session key with a public key;
the first signature information is obtained by the second device encrypting the hash value of the request information with an encryption key;
the indication information indicates whether or not the second device has the right to access the first data.
In one possible implementation, the processing module is specifically configured to:
obtain the access policy corresponding to the policy identifier;
obtain attribute information of the second device;
generate the indication information according to the attribute information of the second device and the access policy;
determine that the transaction information comprises the request information, the first signature information and the indication information.
In one possible implementation, before generating the transaction identifier and the transaction information according to the request information and the first signature information, the processing module is further configured to:
verify the validity of the request information according to the request information and the first signature information;
determine that the request information is valid.
In one possible implementation, the first signature information is obtained by the second device encrypting a hash value of the request information with an encryption key; the processing module is specifically configured to:
obtain a first hash value of the request information;
decrypt the first signature information with the verification key corresponding to the encryption key to obtain a second hash value;
determine that the request information is valid if the first hash value is identical to the second hash value, and that the request information is invalid if the first hash value differs from the second hash value.
In a seventh aspect, an embodiment of the application provides a blockchain-based data access control device, comprising:
a memory for storing a program;
and a processor for executing the program stored in the memory, the processor being configured to perform the method of any implementation of the first aspect when the program is executed.
In an eighth aspect, an embodiment of the application provides a blockchain-based data access control device, comprising:
a memory for storing a program;
and a processor for executing the program stored in the memory, the processor being configured to perform the method of any implementation of the second aspect when the program is executed.
In a ninth aspect, an embodiment of the application provides a blockchain-based data access control device, comprising:
a memory for storing a program;
and a processor for executing the program stored in the memory, the processor being configured to perform the method of any implementation of the third aspect when the program is executed.
In a tenth aspect, embodiments of the application provide a computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any implementation of the first aspect above.
In an eleventh aspect, embodiments of the application provide a computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any implementation of the second aspect above.
In a twelfth aspect, embodiments of the application provide a computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any implementation of the third aspect above.
According to the blockchain-based data access control method, apparatus and device, when a second device needs to obtain first data held by a first device, the second device first sends request information and first signature information to a blockchain node. The blockchain node can verify the validity of the request information against the first signature information; when the request information is determined to be valid, the blockchain node can judge, according to the attribute information of the second device and the access policy, whether the second device has the right to access the first data, and generate transaction information that comprises indication information stating whether the second device has that right. The second device can obtain the transaction identifier from the blockchain node and send a data request message containing the transaction identifier to the first device. The first device can obtain the transaction information corresponding to the transaction identifier from the blockchain node, determine from it whether the second device has the right to access the first data, and send the first data to the second device only when it does. In this process, access to Internet of Things data is controlled through the blockchain node, devices without access rights are prevented from obtaining the Internet of Things data, and the security of Internet of Things data access is improved.
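The three-party flow of the first, second and third aspects, as summarised above, worked through in runnable form. This is an added example, not the patent's code: the patent names no concrete ciphers, so unpadded toy RSA over fixed Mersenne primes stands in for the signature ("encrypt the hash with the encryption key") and for the public-key wrapping of the session key, a SHA-256 keystream stands in for the data cipher, and the device names, policy, attributes and thermostat reading are constructed.

```python
# Walk-through of the CN112307116A access-control flow: requester -> ledger node -> gateway.
# Added example, not the patent's code. Unpadded toy RSA over fixed Mersenne primes and a
# SHA-256 keystream stand in for the unspecified signature, key-wrap and data ciphers (assumption).
import hashlib, json, secrets, uuid

def keygen(p_exp, q_exp, e=65537):
    """Toy RSA pair from Mersenne primes 2**p_exp-1, 2**q_exp-1 (moduli > 2**256 fit a SHA-256)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)    # (public, private)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):                          # "encrypt the hash with the encryption key"
    return pow(_h(data), *priv)

def verify(pub, data, sig):                    # "decrypt with the verification key, compare hashes"
    return pow(sig, *pub) == _h(data)

def canon(obj):                                # stable byte form of the request information
    return json.dumps(obj, sort_keys=True).encode()

def stream_xor(key, data):                     # toy symmetric cipher keyed by the 128-bit session key
    ks = b"".join(hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class LedgerNode:
    """Blockchain node: verify the first signature, evaluate policy against attributes, record."""
    def __init__(self, policies, attrs, verify_keys):
        self.policies, self.attrs, self.verify_keys, self.tx = policies, attrs, verify_keys, {}

    def submit(self, dev, request, first_sig):
        if not verify(self.verify_keys[dev], canon(request), first_sig):
            raise ValueError("first signature invalid; request not recorded")
        need = self.policies[request["policy_id"]]
        permitted = all(self.attrs.get(dev, {}).get(k) == v for k, v in need.items())
        tx_id = uuid.uuid4().hex
        self.tx[tx_id] = {"requester": dev, "request": request, "permitted": permitted}
        return tx_id

class Gateway:
    """First device: release data only after the on-chain indication and second-signature check."""
    def __init__(self, ledger, priv, policy_to_data, data_table, iot_devices):
        self.ledger, self.priv, self.policy_to_data = ledger, priv, policy_to_data
        self.data_table, self.iot = data_table, iot_devices

    def handle(self, msg):
        tx = self.ledger.tx.get(msg["tx_id"])
        if tx is None:
            raise ValueError("unknown transaction identifier")
        # the second signature must verify under the key that signed the recorded request
        if not verify(self.ledger.verify_keys[tx["requester"]], msg["tx_id"].encode(), msg["second_sig"]):
            raise ValueError("second signature invalid")
        if not tx["permitted"]:
            raise PermissionError("indication information: no right to access the data")
        data_id = self.policy_to_data[tx["request"]["policy_id"]]
        data = self.data_table.get(data_id) or self.iot[data_id]()    # cached, else poll the device
        session_key = pow(tx["request"]["enc_session_key"], *self.priv)  # unwrap with private key
        return stream_xor(session_key, data)

def fetch(dev, priv, gateway_pub, ledger, gateway, resource, policy_id):
    """Second device: file the signed request, then present the transaction id to the gateway."""
    sk = secrets.randbits(128)
    request = {"resource": resource, "policy_id": policy_id, "enc_session_key": pow(sk, *gateway_pub)}
    tx_id = ledger.submit(dev, request, sign(priv, canon(request)))
    cipher = gateway.handle({"tx_id": tx_id, "second_sig": sign(priv, tx_id.encode())})
    return stream_xor(sk, cipher)

def run_demo():
    # constructed scenario: svc-A matches the policy, svc-B does not, and a tampered request is filed
    gw_pub, gw_priv = keygen(127, 521)
    (a_pub, a_priv), (b_pub, b_priv) = keygen(107, 607), keygen(89, 1279)
    ledger = LedgerNode({"pol-thermo": {"role": "home_service", "cert": "valid"}},
                        {"svc-A": {"role": "home_service", "cert": "valid"},
                         "svc-B": {"role": "advertiser", "cert": "valid"}},
                        {"svc-A": a_pub, "svc-B": b_pub})
    gw = Gateway(ledger, gw_priv, {"pol-thermo": "thermo-01"}, {},
                 {"thermo-01": lambda: b"temp=21.5C"})             # constructed sample reading
    out = {"authorised": fetch("svc-A", a_priv, gw_pub, ledger, gw, "/thermo", "pol-thermo")}
    try:
        fetch("svc-B", b_priv, gw_pub, ledger, gw, "/thermo", "pol-thermo")
        out["denied"] = False
    except PermissionError:
        out["denied"] = True
    bad = {"resource": "/thermo", "policy_id": "pol-thermo", "enc_session_key": 1}
    try:                                           # signature does not cover this request information
        ledger.submit("svc-B", bad, sign(b_priv, b"other"))
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out
```

Note that the gateway verifies the second signature under the key recorded for the transaction's requester, so a transaction identifier presented by any other device fails the check before the indication information is even consulted.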
Drawings
Fig. 1A is a schematic diagram of a system architecture according to an embodiment of the application;
Fig. 1B is a schematic structural diagram of another system according to an embodiment of the application;
Fig. 2 is a schematic flowchart of a method for maintaining a routing table according to an embodiment of the application;
Fig. 3 is a schematic flowchart of a method for maintaining a resource directory according to an embodiment of the application;
Fig. 4 is a schematic flowchart of a blockchain-based data access control method according to an embodiment of the application;
Fig. 5 is a schematic flowchart of another blockchain-based data access control method according to an embodiment of the application;
Fig. 6 is a schematic structural diagram of a blockchain-based data access control apparatus according to an embodiment of the application;
Fig. 7 is a schematic structural diagram of another blockchain-based data access control apparatus according to an embodiment of the application;
Fig. 8 is a schematic structural diagram of another blockchain-based data access control apparatus according to an embodiment of the application;
Fig. 9 is a schematic hardware structure diagram of a blockchain-based data access control device according to an embodiment of the application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For ease of understanding, fig. 1A-1B first illustrate a system architecture according to an embodiment of the present application.
Fig. 1A is a schematic diagram of a system architecture according to an embodiment of the present application. Referring to fig. 1A, the system includes internet of things devices, a sink node, a gateway, a blockchain network and an intelligent service device. One gateway and one sink node may serve a plurality of internet of things devices. The sink node discovers the internet of things devices and sends their address information to the gateway, so that the gateway can build a routing table of the internet of things devices. The gateway may further store device information (also called resource information) of each internet of things device; for example, the device information may include the data type the device can provide (also called the resource type, rt), interface information (id, interface description) and a maximum data size estimate (se, size estimate), where the maximum data size estimate indicates how much data the device may generate within a preset time duration. The gateway may also store the data generated by each internet of things device.
The block chain network comprises a plurality of block chain nodes, and the intelligent service equipment can acquire data generated by the Internet of things equipment (hereinafter referred to as Internet of things data) through the block chain nodes and provide intelligent service for users according to the Internet of things data. In the process that the intelligent service equipment acquires the data of the Internet of things through the block chain nodes, the block chain nodes can perform identity authentication on the intelligent service equipment, and determine whether the intelligent service equipment has the authority of accessing the data of the Internet of things or not through the access strategy and the attribute information of the intelligent service equipment, so that the safety of the data of the Internet of things is ensured.
Fig. 1B is a schematic structural diagram of another system according to an embodiment of the present disclosure. On the basis of the system structure shown in fig. 1A, please refer to fig. 1B, the internet of things device may be an intelligent home internet of things device or an intelligent office internet of things device. The intelligent service device may be a device of an emergency service provider, a device of a regulatory agency, a device of a research agency, a device of a service provider based on data of the internet of things.
To facilitate understanding, concepts related to the present application are presented.
Internet of things network: also called a local internet of things network; each local network may include one or more internet of things devices, a sink node and a gateway. The sink node is connected to the gateway and functions like a network coordinator. The gateway is the interface to the external environment and can access any resource in the local network. The gateway may have its own public Internet Protocol (IP) address and may also be connected to the cloud, so that the intelligent service device can access internet of things data through the cloud. The gateway manages all available information within the network; for example, it may maintain routing tables, resource tables and data tables. Each network represents one environment equipped with internet of things smart devices, such as a home, an office or a school. For example, referring to fig. 1B, the smart home internet of things devices together with the sink node and gateway connected to them form one internet of things network, and the smart office internet of things devices with their sink node and gateway form another.
Blockchain network: the blockchain network comprises a plurality of blockchain nodes, which perform access control on the internet of things data held by the gateway. The blockchain nodes may store attributes (e.g., object attributes, resource attributes, etc.) and access policies, and may determine from the attributes and the access policies whether a device has permission to access data. That is, the access control the blockchain nodes perform on internet of things data is attribute-based access control (ABAC). The blockchain network may be implemented with Hyperledger Fabric.
Internet of things device: an internet of things device may be a device in an environment such as a smart home or a smart office, and it generates internet of things data while running. For example, the internet of things devices may include thermometers, pressure sensors, humidity sensors, light sensors, wearable devices, and the like, and the internet of things data may include temperature, pressure, humidity, images, audio, and the like.
The intelligent service equipment: the intelligent service equipment can provide intelligent service for the user through the data of the Internet of things. For example, the intelligent service device may be a medical monitoring device, and the medical monitoring device may acquire internet of things data provided by wearable devices of the users and provide intelligent medical services to the users according to the internet of things data. The intelligent service equipment can be security and protection equipment, and the security and protection equipment can acquire temperature acquired by a temperature sensor, humidity acquired by a humidity sensor, smoke concentration acquired by a smoke sensor and other internet of things data, and determine whether the indoor environment is safe or not and whether the alarm is needed or not according to the internet of things data.
Attributes: the attributes involved in the embodiments of the present application comprise object attributes, resource attributes, environment attributes and behavior attributes. An attribute may include an attribute name, an attribute value and an attribute type. The attribute name may be represented by a character string; the attribute value may be data of any type, such as a string, a number or a date.
Attributes may be represented as follows:
Figure BDA0002686943970000111
where name is the attribute name, t the attribute type and val the attribute value. In practice an attribute value is accessed with the dot operator (.); for example,
Figure BDA0002686943970000112
accesses
Figure BDA0002686943970000113
The set of all possible values of an attribute
Figure BDA0002686943970000114
may be expressed as
Figure BDA0002686943970000115
where $M_i$ is the total number of possible values of
Figure BDA0002686943970000116
Next, the object attributes, resource attributes, environment attributes and behavior attributes involved in the embodiments of the present application are described.
Object attributes: object attributes are the attributes of a subject (e.g., a data owner or a data requester); they correspond to the subject attributes of ABAC, hence the subscript Sub below. The data owner may be the owner of an internet of things device, and the data requester the owner of an intelligent service device. Object attributes may include the organization the subject belongs to, its title, its level, etc. Object attributes may also include attributes of a device (e.g., an internet of things device or an intelligent service device), such as the device type, the device identifier, the device location and the subject it belongs to. The set of object attributes is represented as
Figure BDA0002686943970000117
where
Figure BDA0002686943970000118
is an object attribute and $N_{Sub}$ is the total number of object attributes.
Resource attributes: resource attributes are the attributes of the data that an internet of things device can provide. For example, the resource attributes may include the name, type and identifier of the internet of things data. The set of resource attributes is represented as
Figure BDA0002686943970000119
where
Figure BDA00026869439700001110
is a resource attribute and $N_{Res}$ is the total number of resource attributes.
Environment attributes: environment attributes may include information such as time and place. The set of environment attributes is represented as
Figure BDA00026869439700001111
where
Figure BDA00026869439700001112
is an environment attribute and $N_{Env}$ is the total number of environment attributes.
Behavior attributes: behavior attributes are the operations that a subject (e.g., a data owner or a data requester) is allowed to perform. For example, the behavior attributes may include read, write, delete and update operations. The set of behavior attributes is represented as
Figure BDA0002686943970000121
where
Figure BDA0002686943970000122
is a behavior attribute and $N_{Act}$ is the total number of behavior attributes.
Access policy: the access policy is the rule for accessing internet of things data. Each kind of internet of things data has a corresponding access policy. That is, the access policy specifies which attributes an intelligent service device must have to access the internet of things data. Optionally, the access policy may be represented by an attribute expression, and the attributes indicated by the attribute expression are those that an intelligent service device allowed to access the internet of things data has.
Optionally, for an attribute type t, the attribute expression (also called the policy) $P_t$ corresponding to t may be expressed as $P_t := \mathrm{Exp}(E[,E])$, where Exp connects one or two boolean expressions E with a logical operator (e.g., AND, OR).
Optionally, an attribute
Figure BDA0002686943970000123
may be represented by the following boolean expression:
Figure BDA0002686943970000124
where Exp connects two boolean expressions with a logical operator (e.g., AND, OR), and ε is either an attribute value
Figure BDA0002686943970000125
or a recursive invocation of Exp. A recursive invocation may refer to other attributes.
Optionally, the policy expression of each piece of internet of things data may be $P = P_{Sub}\ \mathrm{AND}\ P_{Res}\ \mathrm{AND}\ P_{Env}\ \mathrm{AND}\ P_{Act}$, where $P_{Sub}$ is the policy on the object attributes, $P_{Res}$ the policy on the resource attributes, $P_{Env}$ the policy on the environment attributes and $P_{Act}$ the policy on the behavior attributes.
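The policy expression above, as an added worked example in Go that is not part of the patent: attributes are (name, t, val) triples, a boolean expression E is either a leaf comparing an attribute with a value (or with its allowed value set) or an AND/OR connective over nested expressions (the recursive invocation of Exp), and a policy is evaluated as P = P_Sub AND P_Res AND P_Env AND P_Act, returning the 0/1 indication value that the embodiments below store in the transaction. The temperature policy, the attribute names (organization, level, rt, location, operation) and the requester attribute sets are constructed for illustration and do not come from the page.

```go
package main

import "fmt"

// AttrType is the attribute type t of the text: object (Sub), resource (Res),
// environment (Env) or behavior (Act).
type AttrType string

const (
	Sub AttrType = "Sub"
	Res AttrType = "Res"
	Env AttrType = "Env"
	Act AttrType = "Act"
)

// Attribute is the (name, t, val) triple of the text.
type Attribute struct {
	Name string
	Type AttrType
	Val  string
}

// AttrSet is the attribute information presented for one access decision, keyed by
// type and then by name, so that Sub.organization and Res.organization are distinct.
type AttrSet map[AttrType]map[string]string

func NewAttrSet(attrs ...Attribute) AttrSet {
	s := AttrSet{}
	for _, a := range attrs {
		if s[a.Type] == nil {
			s[a.Type] = map[string]string{}
		}
		s[a.Type][a.Name] = a.Val
	}
	return s
}

// Expr is one boolean expression E. Eq and In are leaves comparing an attribute with a
// value or with its allowed value set {v_1, ..., v_Mi}; And and Or are the connectives of
// Exp, and nesting them is the recursive invocation of Exp.
type Expr interface{ Eval(s AttrSet) bool }

type Eq struct {
	Type AttrType
	Name string
	Val  string
}

type In struct {
	Type AttrType
	Name string
	Vals []string
}

type And struct{ Subs []Expr }

type Or struct{ Subs []Expr }

// A missing attribute never satisfies a leaf (indexing a nil inner map is safe in Go).
func (e Eq) Eval(s AttrSet) bool { v, ok := s[e.Type][e.Name]; return ok && v == e.Val }

func (e In) Eval(s AttrSet) bool {
	v, ok := s[e.Type][e.Name]
	for _, allowed := range e.Vals {
		if ok && v == allowed {
			return true
		}
	}
	return false
}

// An empty conjunction grants nothing, so a policy cannot become permissive by accident.
func (e And) Eval(s AttrSet) bool {
	if len(e.Subs) == 0 {
		return false
	}
	for _, sub := range e.Subs {
		if !sub.Eval(s) {
			return false
		}
	}
	return true
}

func (e Or) Eval(s AttrSet) bool {
	for _, sub := range e.Subs {
		if sub.Eval(s) {
			return true
		}
	}
	return false
}

// Policy is P = P_Sub AND P_Res AND P_Env AND P_Act.
type Policy struct{ Sub, Res, Env, Act Expr }

// Permit evaluates P. A missing component denies instead of being skipped (fail closed).
func (p Policy) Permit(s AttrSet) bool {
	for _, part := range []Expr{p.Sub, p.Res, p.Env, p.Act} {
		if part == nil || !part.Eval(s) {
			return false
		}
	}
	return true
}

// Indication encodes the decision the way the transaction of the embodiments does:
// 0 = the device has the right to access the data, 1 = it does not.
func Indication(p Policy, s AttrSet) int {
	if p.Permit(s) {
		return 0
	}
	return 1
}

// TemperaturePolicy is a constructed policy (not from the text) for temperature readings:
// emergency services, or senior staff of a research agency, may read them at a home or office.
func TemperaturePolicy() Policy {
	return Policy{
		Sub: Or{[]Expr{
			Eq{Sub, "organization", "emergency-service"},
			And{[]Expr{Eq{Sub, "organization", "research-agency"}, Eq{Sub, "level", "senior"}}},
		}},
		Res: Eq{Res, "rt", "temperature"},
		Env: In{Env, "location", []string{"home", "office"}},
		Act: Eq{Act, "operation", "read"},
	}
}

// RequestAttrs builds the attribute information of one requester (constructed sample input).
func RequestAttrs(org, level, location, op string) AttrSet {
	return NewAttrSet(
		Attribute{"organization", Sub, org},
		Attribute{"level", Sub, level},
		Attribute{"rt", Res, "temperature"},
		Attribute{"location", Env, location},
		Attribute{"operation", Act, op},
	)
}

func main() {
	p := TemperaturePolicy()
	fmt.Println(Indication(p, RequestAttrs("emergency-service", "", "home", "read")))       // 0
	fmt.Println(Indication(p, RequestAttrs("research-agency", "junior", "home", "read")))    // 1
	fmt.Println(Indication(p, RequestAttrs("research-agency", "senior", "office", "write"))) // 1
}
```

Keeping the four component policies separate and mandatory is the point of the conjunction: a policy author who forgets P_Act cannot accidentally grant write access, and an attribute the requester simply does not present never matches a leaf.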
The technical means shown in the present application will be described below by way of specific examples. It should be noted that the following embodiments may exist alone or in combination with each other, and description of the same or similar contents is not repeated in different embodiments.
The gateway maintains a routing table, a resource directory and a data table. For ease of understanding, the process of the gateway maintaining the routing tables, resource directories and data tables will first be described.
Fig. 2 is a schematic flowchart of a method for maintaining a routing table according to an embodiment of the present application. Referring to fig. 2, the method may include:
S201, the sink node broadcasts a discovery message.
Optionally, the sink node may periodically broadcast the discovery message. The discovery message can be received by all internet of things devices located in the same network as the sink node.
S202, the internet of things device sends a response message to the sink node.
The response message may include an identifier of the internet of things device and path information.
Optionally, only an internet of things device that has newly joined the internet of things sends the response message to the sink node. For example, after receiving the discovery message, an internet of things device sends a response message to the sink node if it has not already sent one for the discovery message before the current time; if it has, it need not send a response message again, which saves signaling overhead.
Optionally, the path information may be a network address of the internet of things device, for example, the path information may be an IP address, a Media Access Control (MAC) address, and the like of the internet of things device.
S203, the Internet of things equipment sends the identification and the path information of the Internet of things equipment to the gateway.
And S204, updating the routing table by the gateway.
Optionally, if the current routing table does not include the identifier and the path information of the internet of things device in the response message, the identifier and the path information of the internet of things device are added to the routing table.
In the embodiment shown in fig. 2, the internet of things equipment in the internet of things can be conveniently found in the above manner, and the path information of the internet of things equipment is timely maintained.
Fig. 3 is a schematic flowchart of a method for maintaining a resource directory according to an embodiment of the present application. Referring to fig. 3, the method may include:
S301, the gateway sends a request message to the registration device.
The request message is used for requesting to acquire the resource information.
Optionally, the registration device may store the resource information (also called device information) of the internet of things devices. For example, after an internet of things device joins the internet of things, it may send its resource information to the registration device. The resource information may include the data type the device can provide (also called the resource type, rt), the interface description (id) and the maximum data size estimate (se).
The gateway may send the request message to the registration device via a Uniform Resource Identifier (URI). For example, the URI may be /.well-known/core (the CoRE Link Format resource discovery path) and the request message may be a GET message.
S302, the registration equipment sends the resource information to the gateway.
S303, the gateway updates the resource directory according to the resource information.
For example, the gateway may update the resource information into the current resource directory.
In the embodiment shown in fig. 3, by maintaining the resources in this way the gateway keeps the resource directory up to date.
The gateway can also acquire the Internet of things data acquired by the Internet of things equipment from the Internet of things equipment in real time or periodically and store the data acquired by the Internet of things equipment.
Next, a block chain-based data access control method will be described with an embodiment shown in fig. 4.
Fig. 4 is a schematic flowchart of a data access control method based on a block chain according to an embodiment of the present application. Referring to fig. 4, the method may include:
S401, the second device sends request information and first signature information to the blockchain node.
In this embodiment, the first device may be a gateway and the second device an intelligent service device. The blockchain node may be an endorsing node.
The request information is used to request the first data in the first device. The first data may be internet of things data.
Optionally, the request information includes the resource location of the first data, the policy identifier of the access policy and an encrypted session key, the encrypted session key being obtained by the second device encrypting the session key with a public key.
For example, the request information may be $Req = (\text{resource location}, \text{policy identifier}, C)$, where $C = \mathrm{Enc}(k, PK_{Ow})$ is the encrypted session key: $k$ is the session key and $PK_{Ow}$ is the public key of the first device (the data owner), which the second device holds. That is, C is obtained by encrypting k under $PK_{Ow}$.
The first signature information σ may be $\sigma = \mathrm{Sig}(H(Req), SK_{Re})$, where $H(Req)$ is the hash value of Req and $SK_{Re}$ is the signing key of the second device (the text calls it the encryption key; its corresponding verification key is $VK_{Re}$). That is, the first signature information is obtained by signing $H(Req)$ with $SK_{Re}$.
S402, the blockchain node generates a transaction identifier and transaction information according to the request information and the first signature information.
Optionally, the transaction identifier is a unique identifier used for indicating the transaction.
The blockchain node may generate the transaction information as follows: the blockchain node obtains the access policy corresponding to the policy identifier and the attribute information of the second device; it generates indication information from the attribute information of the second device and the access policy; and it forms the transaction information from the request information, the first signature information and the indication information.
The block chain node may determine whether the second device has an authority to access the first data according to the attribute information and the access policy of the second device, if so, the generated indication information indicates that the second device has the authority to access the first data, and if not, the generated indication information indicates that the second device does not have the authority to access the first data.
Optionally, the blockchain node may verify the validity of the request information using the first signature information, and generate the transaction information and the transaction identifier only after the request information has been verified as valid. This ensures the security of the transaction.
And S403, the second equipment acquires the transaction identifier in the block chain node.
Optionally, the second device may send a request message to the blockchain node to obtain the transaction identifier. For example, after receiving the request message from the second device, the blockchain node may look up the transaction identifier most recently generated for the second device and send it to the second device.
S404, the second device sends a data request message to the first device.
The data request message is used for requesting to acquire first data, and the data request message comprises a transaction identifier.
Optionally, the data request message may further include second signature information, and the second signature information is used for verifying the authenticity of the data request message by the first device.
S405, the first device obtains the transaction information corresponding to the transaction identification in the block chain node.
Optionally, the first device may send an acquisition request message including the transaction identifier to the blockchain node, and the blockchain node returns the transaction information corresponding to that transaction identifier to the first device.
S406, when the first device determines that the second device has the right to access the first data according to the transaction information, the first device acquires the first data.
The first device can obtain the indication information in the transaction information, and judge whether the second device has the authority of accessing the first data according to the indication information.
Optionally, if the value of the indication information is a first value (e.g., 0), it is determined that the second device has the right to access the first data, and if the value of the indication information is a second value (e.g., 1), it is determined that the second device does not have the right to access the first data.
Optionally, the first device may also perform identity authentication on the second device according to the request information and the first signature information in the transaction information, which is described in the embodiment shown in fig. 5 and is not described here again.
S407, the first device sends the first data to the second device.
In the embodiment shown in fig. 4, when the second device needs to acquire the first data in the first device, the second device first sends request information and first signature information to the blockchain node; the blockchain node may verify the validity of the request information using the first signature information, and when the request information is valid, the blockchain node may determine whether the second device has the authority to access the first data according to the attribute information of the second device and the access policy, and generate transaction information whose indication information records whether the second device has that authority. The second device may obtain the transaction identifier from the blockchain node and send a data request message including the transaction identifier to the first device. The first device may obtain the transaction information corresponding to the transaction identifier from the blockchain node, determine from it whether the second device has the authority to access the first data, and send the first data to the second device when it does. In this process, access control over the internet of things data is performed through the blockchain node, a device without access authority is prevented from obtaining the internet of things data, and the security of internet of things data access is improved.
On the basis of the embodiment shown in fig. 4, in order to ensure the security of the data of the internet of things, before the data transmission of the internet of things, the identity of the device may be verified, and the data may be encrypted, and the data access control method based on the block chain is described in detail below with reference to the embodiment shown in fig. 5. Optionally, the first device may be a gateway, and the second device may be an intelligent service device, and for convenience of description, in the embodiment shown in fig. 5, the first device is taken as the gateway, and the second device is taken as the intelligent service device for example.
Fig. 5 is a schematic flowchart of another block chain-based data access control method according to an embodiment of the present application. Referring to fig. 5, the method may include:
S501, the intelligent service device sends request information and first signature information to the blockchain node.
It should be noted that the execution process of S501 may refer to that of S401, and is not repeated here.
In S501, the intelligent service device sends to the blockchain node: Req and $\sigma = \mathrm{Sig}(H(Req), SK_{Re})$.
S502, the blockchain node determines the validity of the request information from the first signature information.
The validity of the request information may be valid or invalid. For example, if the request information is tampered during transmission, the request information is invalid.
The blockchain node may determine the validity of the request information from the first signature information as follows: it computes a first hash value of the request information, and recovers a second hash value from the first signature information with the verification key corresponding to the signing key; if the two hash values are equal, the request information is valid, otherwise it is invalid.
For example, with request information Req, the first hash value is $H(Req)$. With first signature information σ and verification key $VK_{Re}$ corresponding to $SK_{Re}$, the second hash value is $\mathrm{Ver}(\sigma, VK_{Re})$, where Ver denotes signature verification (recovering the signed hash from σ). The blockchain node checks whether $H(Req) = \mathrm{Ver}(\sigma, VK_{Re})$; if so, the request information is valid, otherwise it is invalid.
S503, when the blockchain node determines that the request information is valid, it generates a transaction identifier and transaction information according to the request information and the first signature information.
After generating them, the blockchain node stores the transaction identifier and the transaction information together on the blockchain.
For example, with transaction identifier TxID and transaction information Tx, the blockchain node stores TxID and Tx, associated with each other, on the blockchain, where $Tx = (Req, \sigma, \text{indication information})$.
It should be noted that the process by which the blockchain node generates the transaction identifier and the transaction information in S503 may refer to S402, and is not repeated here.
S504, the intelligent service equipment obtains the transaction identification in the block chain node.
And S505, the intelligent service equipment sends a data request message to the gateway, wherein the data request message comprises the transaction identification and the second signature information.
The second signature information is obtained by the intelligent service device signing the hash of the transaction identifier with its signing key. For example, $\tau = \mathrm{Sig}(H(TxID), SK_{Re})$, where $SK_{Re}$ is the signing key.
In S505, the intelligent service device sends to the gateway: TxID and $\tau = \mathrm{Sig}(H(TxID), SK_{Re})$.
S506, the gateway determines the validity of the data request message.
The validity of the data request message is valid or invalid. For example, if the data request message is tampered during transmission, the data request message is invalid.
The gateway may determine the validity of the data request message as follows: it computes a first hash value of the transaction identifier, recovers a second hash value from the second signature information with the verification key corresponding to the signing key, and determines that the data request message is valid if the two hash values are equal, and invalid otherwise.
For example, with transaction identifier TxID, the first hash value is $H(TxID)$. With second signature information τ and verification key $VK_{Re}$, the second hash value is $\mathrm{Ver}(\tau, VK_{Re})$. If $H(TxID) = \mathrm{Ver}(\tau, VK_{Re})$, the data request message is valid, otherwise it is invalid.
And S507, when the gateway determines that the data request message is valid, the gateway acquires the transaction information corresponding to the transaction identifier from the block chain node.
It should be noted that the execution process of S507 may refer to the execution process of S405, and is not described herein again.
S508, when the gateway determines from the transaction information that the intelligent service device has the right to access the first data, the gateway acquires the session key.
It should be noted that, the process of the gateway determining whether the intelligent service device has the right to access the first data may refer to the execution process of S406, and details are not described here.
The gateway may obtain the session key as follows: it takes the encrypted session key from the transaction information and decrypts it with the private key corresponding to the public key.
For example, with $C = \mathrm{Enc}(k, PK_{Ow})$, where k is the session key and $PK_{Ow}$ the public key, the gateway computes $k = \mathrm{Dec}(C, DK_{Ow})$, where $DK_{Ow}$ is the private key corresponding to $PK_{Ow}$.
S509, the gateway acquires the first data.
Optionally, the gateway obtains the policy identifier from the transaction information, determines the identifier of the first data from the policy identifier, and obtains the first data by that identifier. If the identifier of the first data is present in the gateway's data table, the gateway reads the first data from the data table; otherwise it acquires the first data from the internet of things device, for example by polling it.
S510, the gateway encrypts the first data through the session key.
S511, the gateway sends the encrypted first data to the intelligent service equipment.
In the embodiment shown in fig. 5, when the second device needs to acquire the first data in the first device, the second device first sends request information and first signature information to the blockchain node; the blockchain node may verify the validity of the request information using the first signature information, and when the request information is valid, the blockchain node may determine whether the second device has the authority to access the first data according to the attribute information of the second device and the access policy, and generate transaction information whose indication information records whether the second device has that authority. The second device may obtain the transaction identifier from the blockchain node and send a data request message including the transaction identifier and second signature information to the first device. The first device may verify the validity of the data request message using the second signature information; when it is valid, the first device may obtain the transaction information corresponding to the transaction identifier from the blockchain node and determine from it whether the second device has the authority to access the first data, and when it does, the first device obtains the session key, encrypts the first data with the session key and sends the encrypted first data to the second device.
In the process, access control can be performed on the data of the internet of things through the block chain nodes, the situation that equipment without access authority acquires the data of the internet of things is avoided, validity of received information is verified before data processing is performed, the data of the internet of things is transmitted in an encryption mode, and safety of data access of the internet of things is improved.
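The exchange described above, as an added example in Go that is not part of the patent: the second device signs the hash of its request information, the blockchain node verifies that signature, evaluates the access policy against the device's attribute information and records transaction information carrying the indication, and the first device verifies the second signature over the transaction identifier, fetches the transaction, unwraps the session key and returns the first data encrypted under it. Ed25519 stands in for the encryption-key/verification-key pair, RSA-OAEP for encrypting the session key under the first device's public key, and AES-GCM for the data; the policy format, the in-memory node, the type and function names and all sample values are constructed assumptions, not the patent's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RequestInfo carries the resource location, the policy identifier and the session key
// wrapped with the first device's RSA public key (field names are example assumptions).
type RequestInfo struct {
	Resource, PolicyID string
	EncSessKey         []byte
}

// hash is the value the first signature information covers.
func (r RequestInfo) hash() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%x", r.Resource, r.PolicyID, r.EncSessKey)))
	return h[:]
}

// TxInfo is the transaction information: request, first signature, indication.
type TxInfo struct {
	Req       RequestInfo
	Sig       []byte
	Permitted bool
}

// Node stands in for the blockchain node; a policy maps attribute names to required values.
type Node struct {
	policies map[string]map[string]string
	attrs    map[string]string // attribute information of the second device
	reqPub   ed25519.PublicKey // verification key of the second device
	txs      map[string]TxInfo
}

// SubmitRequest verifies the first signature over h(request), evaluates the access
// policy against the requester's attributes and records the transaction.
func (n *Node) SubmitRequest(req RequestInfo, sig []byte) (string, error) {
	if !ed25519.Verify(n.reqPub, req.hash(), sig) {
		return "", errors.New("request information invalid: signature check failed")
	}
	policy, permitted := n.policies[req.PolicyID] // unknown policy: no authority
	for k, want := range policy {
		if n.attrs[k] != want {
			permitted = false
		}
	}
	txID := fmt.Sprintf("%x", sha256.Sum256(append(req.hash(), sig...)))
	n.txs[txID] = TxInfo{Req: req, Sig: sig, Permitted: permitted}
	return txID, nil
}

// Gateway is the first device: it holds the IoT data and the RSA private key.
type Gateway struct {
	priv *rsa.PrivateKey
	data map[string][]byte // resource location -> first data
}

// gcmFor builds AES-GCM for a 32-byte session key; failure here is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ServeDataRequest verifies the second signature over h(txID), fetches the transaction
// from the node, checks the indication, unwraps the session key and returns the first
// data encrypted under it with the GCM nonce prepended.
func (g *Gateway) ServeDataRequest(n *Node, txID string, sig2 []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(txID))
	if !ed25519.Verify(n.reqPub, h[:], sig2) {
		return nil, errors.New("data request message invalid: signature check failed")
	}
	tx, ok := n.txs[txID]
	if !ok || !tx.Permitted {
		return nil, errors.New("second device has no authority to access the first data")
	}
	sessKey, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, tx.Req.EncSessKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(sessKey)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, g.data[tx.Req.Resource], nil), nil
}

// RunExchange runs the whole flow on constructed sample values and returns the first
// data as the second device recovers it; an error means the request was refused.
func RunExchange(requesterAttrs map[string]string) (string, error) {
	gwKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	reqPub, reqPriv, _ := ed25519.GenerateKey(rand.Reader)
	node := &Node{policies: map[string]map[string]string{"policy-temp": {"role": "smart-service", "org": "OrgA"}},
		attrs: requesterAttrs, reqPub: reqPub, txs: map[string]TxInfo{}}
	gw := &Gateway{priv: gwKey, data: map[string][]byte{"/iot/sensor-7/temp": []byte("temp=21.5C")}}
	sessKey := make([]byte, 32) // fresh session key chosen by the second device
	rand.Read(sessKey)
	encKey, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &gwKey.PublicKey, sessKey, nil)
	req := RequestInfo{Resource: "/iot/sensor-7/temp", PolicyID: "policy-temp", EncSessKey: encKey}
	txID, err := node.SubmitRequest(req, ed25519.Sign(reqPriv, req.hash()))
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(txID)) // second signature information covers the transaction identifier
	ct, err := gw.ServeDataRequest(node, txID, ed25519.Sign(reqPriv, h[:]))
	if err != nil {
		return "", err
	}
	gcm := gcmFor(sessKey)
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	return string(plain), err
}

func main() {
	fmt.Println(RunExchange(map[string]string{"role": "smart-service", "org": "OrgA"}))
	fmt.Println(RunExchange(map[string]string{"role": "guest"}))
}
```

Two points worth noticing in the flow: the first device never sees the plaintext session key on the wire, because it travels inside the request information encrypted under the first device's public key and is only unwrapped after both signature checks and the indication check have passed; and the transaction identifier is derived from the signed request, so the second signature over it ties the data request message to exactly one recorded authorization decision.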
Next, the process of building the blockchain network is described. When building a blockchain network, the authority of a device to join the blockchain may be determined by a higher-level organization (for example, a hosting service provider). An organization may represent any regulatory agency; a company providing services based on the internet of things may own its own authorized organization in the blockchain, and a research organization may likewise own one. A data owner is part of an organization; for example, a smart city may play the organizational role for all smart-home owners in the city. Each organization may have one or more running nodes. A data owner needs to have its own running node in order to participate directly in the access control decisions on its data. Some dedicated nodes perform the ordering service. Nodes from different organizations, together with the ordering service, compose and run the blockchain.
Consensus in the Hyperledger architecture depends mainly on the endorsement policy, since the endorsement policy specifies the nodes that must verify whether a transaction is valid. The data owner may create a configuration transaction in the blockchain to modify the endorsement policy. The endorsement policy is embedded in the transaction along with the identities of all endorsing nodes. The endorsement policy establishes a logical channel between the endorsing nodes and the ordering service. To be committed to the blockchain, a transaction submitted to a channel requires endorsement by the channel's endorsing nodes in accordance with the endorsement policy. Different data owners will have different endorsement policies, so there may be many such channels in Hyperledger.
In the following, the creation process of attributes is described: in creating an attribute, the attribute may be created by name, type, and a set of allowed values. After the attributes are created, the created attributes may be assigned to different entities. The object attribute is created and assigned to a specific object by an attribute manager through a management end. Alternatively, the resource attributes may be created by the owner of the resource and assigned to a particular resource. The environmental and behavioral attributes are system-wide and can be created by a supervisory organization. The creation and assignment of attributes is handled by intelligent contract functions. For example, the name of the intelligent contract function may be AttributeMgr.
An attribute is valid only after it is registered in the blockchain. The device corresponding to the creator may send a transaction request containing the complete attribute to the blockchain node; the smart contract function obtains the attribute, checks its semantics and converts it into a JSON object. In addition to the name, type and values, additional fields may be added to the JSON object, such as a creator identifier and an organization name. After the endorsement, ordering and verification stages, the JSON object is written into a key-value pair of the ledger, called the state. Attribute conflicts are also handled. In the prior art, when two different creators create two different attributes with the same name, the attribute creation process conflicts. For example, the administrator attribute of organization A differs from the administrator attribute of organization B; organization A and organization B should both be allowed to create an administrator attribute, with the difference between them preserved. The attribute manager solves this by creating a unique ID for each attribute before writing the attribute to the state, such as:
[formula shown only as an image in the original]
where [attribute symbol] denotes the attribute, orgName is the organization name under which the attribute is stored in the state, and creatID is the creator identifier; [key symbol] is the key under which the attribute is stored, and no two attributes in the state may have the same key. This allows two different creators to create attributes with the same name while preventing one creator from creating duplicate attributes.
After an attribute is created, the attribute and its set of values may be assigned to the appropriate entity, and security measures are taken to prevent malicious tampering with the attribute; for example, the attribute may be cryptographically bound to the entity. In the attribute assignment process, the attribute issuer adds the attribute to the attribute field of an X.509 Attribute Certificate (AC) according to the Internet Engineering Task Force (IETF) standard; the creator then constructs a transaction and embeds the certificate in it; the AttributeMgr smart contract verifies the certificate and converts it into a JSON object; and after the endorsement, ordering and verification stages, the object is stored in the state.
Next, the access policy management process is described. The data owner and the requester in the internet of things both need to agree on an access policy. An access policy exists in the state as a key-value pair: the key may be policyID = h(p), where h(p) is the hash value of the policy, and the value is the access policy itself. Generating some access policies relies on meta-policies, which specify, for example, who may modify or delete the policy and the validity period of the access policy. When a policy is created, its meta-policy is included in the blockchain transaction. A smart contract function called PolicyMgr may be responsible for the management tasks of access policies, such as checking semantics when a policy is created and modifying a policy in accordance with its meta-policy.
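The attribute manager and the policy manager described in the preceding paragraphs, as an added Go example that is not the patent's own code: attributes are converted to JSON objects carrying creator and organization fields and written under a unique state key (the page shows its key formula only as an image, so concatenating organization, creator and name here is an assumption), which lets two creators register the same attribute name while stopping one creator from registering it twice; policies are stored under policyID = h(p), and a meta-policy embedded in the policy decides who may modify it and until when. The in-memory state, the function and field names and the sample values are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// State is the ledger's key-value store (the "state" of the text), kept in memory here.
type State map[string]string

// Attribute as its creator defines it: name, type and allowed values. CreatID and
// OrgName are the extra fields the attribute manager adds before writing to state.
type Attribute struct {
	Name    string   `json:"name"`
	Type    string   `json:"type"`
	Allowed []string `json:"allowedValues"`
	CreatID string   `json:"creatID,omitempty"`
	OrgName string   `json:"orgName,omitempty"`
}

// attrKey is the unique key an attribute is stored under. The page shows its formula
// only as an image; combining organization, creator and name is this example's stand-in.
func attrKey(orgName, creatID, name string) string {
	return "attr/" + orgName + "/" + creatID + "/" + name
}

// RegisterAttribute plays the AttributeMgr role: check the attribute, convert it to a
// JSON object carrying creator and organization, and write it under a key that cannot
// collide with an equally named attribute of another creator.
func RegisterAttribute(st State, orgName, creatID string, a Attribute) (string, error) {
	if a.Name == "" || a.Type == "" || len(a.Allowed) == 0 {
		return "", errors.New("attribute needs a name, a type and at least one allowed value")
	}
	key := attrKey(orgName, creatID, a.Name)
	if _, dup := st[key]; dup {
		return "", fmt.Errorf("creator %s of %s already registered attribute %q", creatID, orgName, a.Name)
	}
	a.CreatID, a.OrgName = creatID, orgName
	obj, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	st[key] = string(obj)
	return key, nil
}

// Policy is an access policy: required attribute values for a resource, plus the
// meta-policy fields saying who may modify it and until when it is valid.
type Policy struct {
	Resource  string            `json:"resource"`
	Require   map[string]string `json:"require"`
	Modifiers []string          `json:"modifiers"`
	ValidTo   int64             `json:"validTo"` // unix seconds
}

// policyID is h(p): the policy is serialized and hashed, and that hash is its key.
func policyID(p Policy) (string, []byte, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", nil, err
	}
	return fmt.Sprintf("policy/%x", sha256.Sum256(b)), b, nil
}

// CreatePolicy is the PolicyMgr create path: semantic check, then store under h(p).
func CreatePolicy(st State, p Policy) (string, error) {
	if p.Resource == "" || len(p.Require) == 0 || len(p.Modifiers) == 0 {
		return "", errors.New("policy needs a resource, required attributes and at least one modifier")
	}
	id, b, err := policyID(p)
	if err != nil {
		return "", err
	}
	st[id] = string(b)
	return id, nil
}

// ModifyPolicy enforces the stored policy's meta-policy: only a listed modifier may
// replace it, and only before it expires. The replacement gets its own key h(p').
func ModifyPolicy(st State, oldID, who string, now time.Time, updated Policy) (string, error) {
	var old Policy
	if err := json.Unmarshal([]byte(st[oldID]), &old); err != nil {
		return "", errors.New("unknown or malformed policy identifier")
	}
	if now.Unix() > old.ValidTo {
		return "", errors.New("policy has expired and can no longer be modified")
	}
	allowed := false
	for _, m := range old.Modifiers {
		allowed = allowed || m == who
	}
	if !allowed {
		return "", fmt.Errorf("meta-policy does not let %s modify this policy", who)
	}
	newID, err := CreatePolicy(st, updated)
	if err != nil {
		return "", err
	}
	if newID != oldID { // an unchanged policy keeps its key; otherwise retire the old one
		delete(st, oldID)
	}
	return newID, nil
}

func main() {
	st := State{}
	k, err := RegisterAttribute(st, "OrgA", "alice", Attribute{Name: "administrator", Type: "bool", Allowed: []string{"true", "false"}})
	fmt.Println(k, err, st[k])
}
```

Because the policy's key is its own hash, any modification necessarily produces a new key, so a transaction identifier that referenced the old policy cannot silently start resolving to the changed one; the meta-policy check runs against the stored copy, never against the caller-supplied replacement.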
Fig. 6 is a schematic structural diagram of a data access control apparatus based on a block chain according to an embodiment of the present application. The apparatus may be provided in a gateway, and referring to fig. 6, the block chain based data access control apparatus 10 may include: a receiving module 11, a processing module 12 and a transmitting module 13, wherein,
the receiving module 11 is configured to receive a data request message sent by a second device, where the data request message is used to request to acquire first data, and the data request message includes a transaction identifier;
the processing module 12 is configured to obtain transaction information corresponding to the transaction identifier from a blockchain node, where the transaction information is generated by the blockchain node according to an access policy corresponding to the first data and attribute information of the second device;
the processing module 12 is further configured to, when it is determined that the second device has the right to access the first data according to the transaction information, obtain the first data;
the sending module 13 is configured to send the first data to the second device.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
In one possible embodiment, the transaction information includes at least one of the following information: request information, first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier of the access policy and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
In a possible implementation, the processing module 12 is specifically configured to:
acquiring indication information in the transaction information;
and when the second device is determined to have the authority to access the first data according to the indication information, acquiring the first data.
In a possible implementation, the processing module 12 is specifically configured to:
determining the identifier of the first data according to the strategy identifier;
and acquiring the first data according to the identifier of the first data.
In a possible implementation, the processing module 12 is specifically configured to:
if the identifier of the first data exists in the data table of the first device, acquiring the first data in the data table;
and if the identifier of the first data does not exist in the data table of the first device, acquiring the first data from the internet of things device.
In a possible implementation manner, the data request message further includes second signature information, where the second signature information is obtained by encrypting, by the second device, the transaction identifier with an encryption key; the processing module 12 is further configured to:
acquiring a first hash value of the transaction identifier;
decrypting the second signature information through a verification secret key corresponding to the encryption secret key to obtain a second hash value;
determining that the first hash value is the same as the second hash value.
In a possible implementation manner, the processing module 12 is further configured to decrypt the encrypted session key through a private key corresponding to the public key to obtain the session key; encrypting the first data by the session key;
the sending module 13 is configured to send the encrypted first data to the second device.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
Fig. 7 is a schematic structural diagram of another block chain-based data access control apparatus according to an embodiment of the present application. The apparatus may be provided in an intelligent service device. Referring to fig. 7, the block chain-based data access control device 20 may include: a sending module 21, a processing module 22 and a receiving module 23, wherein,
the sending module 21 is configured to send request information and first signature information to a blockchain node, where the request information and the first signature information are used by the blockchain node to generate transaction information and a transaction identifier;
the processing module 22 is configured to obtain the transaction identifier in the blockchain node;
the sending module 21 is further configured to send a data request message to a first device, where the data request message is used to request to obtain first data, and the data request message includes a transaction identifier;
the receiving module 23 is configured to receive the first data sent by the first device when the first device determines that the second device has the right to access the first data according to the transaction information.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
In one possible embodiment, the transaction information includes at least one of the following information: request information, first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
In a possible implementation manner, the request message further includes second signature information, where the second signature information is obtained by encrypting, by the second device, the transaction identifier with an encryption key.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
Fig. 8 is a schematic structural diagram of another block chain-based data access control device according to an embodiment of the present application. The apparatus may be provided in a blockchain node. Referring to fig. 8, the block chain-based data access control device 30 may include: a receiving module 31, a processing module 32 and a transmitting module 33, wherein,
the receiving module 31 is configured to receive request information and first signature information sent by a second device, where the request information is used to request to acquire first data;
the processing module 32 is configured to generate a transaction identifier and transaction information according to the request information and the first signature information;
the receiving module 31 is further configured to receive an inquiry request sent by a first device, where the inquiry request includes the transaction identifier;
the sending module 33 is configured to send the transaction information corresponding to the transaction identifier to the first device, where the transaction information is used by the first device to determine whether to send the first data to the second device.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
In one possible embodiment, the transaction information includes at least one of the following information: the request information, the first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
In a possible implementation, the processing module 32 is specifically configured to:
obtaining an access policy corresponding to the policy identifier;
acquiring attribute information of the second device;
generating the indication information according to the attribute information of the second device and the access policy;
determining that the transaction information includes the request information, the first signature information, and the indication information.
In a possible implementation, before the processing module 32 generates the transaction identifier and the transaction information according to the request information and the first signature information, the processing module 32 is further configured to:
verifying the validity of the request information according to the request information and the first signature information;
determining that the request information is valid.
In a possible implementation manner, the first signature information is obtained by encrypting, by the second device, a hash value of the request information by using an encryption key; the processing module 32 is specifically configured to:
acquiring a first hash value of the request information;
decrypting the first signature information through a verification secret key corresponding to the encryption secret key to obtain a second hash value;
if the first hash value is the same as the second hash value, determining that the request information is valid; and if the first hash value is different from the second hash value, determining that the request information is invalid.
It should be noted that the apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
Fig. 9 is a schematic diagram of a hardware structure of a data access control device based on a block chain according to an embodiment of the present application, and as shown in fig. 9, a data access control device 40 based on a block chain according to the present embodiment includes: a processor 41 and a memory 42; wherein
A memory 42 for storing computer-executable instructions;
and a processor 41, configured to execute computer-executable instructions stored in the memory to implement the steps performed by the method for determining the click rate of the object in the foregoing embodiments. Reference may be made in particular to the description relating to the method embodiments described above.
Alternatively, the memory 42 may be separate or integrated with the processor 41.
When the memory 42 is provided separately, the block chain-based data access control device further includes a bus 43 for connecting the memory 42 and the processor 41.
Alternatively, the data access control device based on the block chain shown in fig. 9 may be a first device, a second device, or a block chain node. For example, the first device may be a gateway and the second device may be a smart services device.
It should be noted that the device provided in the embodiment of the present application may execute the technical solution shown in the foregoing method embodiment, and the implementation principle and the beneficial effect thereof are similar, and therefore details are not described here.
An embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions; when a processor executes the instructions, the blockchain-based data access control method performed by the blockchain-based data access control device described above is implemented.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the modules is only one logical division, and other divisions may be realized in practice, for example, a plurality of modules may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
An integrated module implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some of the steps of the methods according to the embodiments of the present application.
It should be understood that the Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor, or in a combination of the hardware and software modules within the processor.
The memory may comprise a high-speed RAM memory, and may further comprise a non-volatile storage NVM, such as at least one disk memory, and may also be a usb disk, a removable hard disk, a read-only memory, a magnetic or optical disk, etc.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, the buses in the figures of the present application are not limited to only one bus or one type of bus.
The storage medium may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or magnetic or optical disks. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (20)

1. A block chain-based data access control method is characterized by comprising the following steps:
a first device receives a data request message sent by a second device, wherein the data request message is used for requesting to acquire first data and comprises a transaction identifier;
the first device acquires transaction information corresponding to the transaction identifier from a blockchain node, wherein the transaction information is generated by the blockchain node according to an access policy corresponding to the first data and attribute information of the second device;
and when the first device determines, according to the transaction information, that the second device has the authority to access the first data, the first device acquires the first data and sends the first data to the second device.
2. The method of claim 1, wherein the transaction information comprises at least one of the following: request information, first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier of the access policy and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
3. The method of claim 2, wherein when the first device determines that the second device has the right to access the first data according to the transaction information, the first device obtains the first data, and comprises:
the first equipment acquires indication information in the transaction information;
and when the first equipment determines that the second equipment has the authority of accessing the first data according to the indication information, the first equipment acquires the first data.
4. The method of claim 2, wherein the first device obtaining the first data comprises:
the first equipment determines the identifier of the first data according to the strategy identifier;
and the first equipment acquires the first data according to the identifier of the first data.
5. The method of claim 4, wherein the first device obtains the first data according to the identity of the first data, comprising:
if the identifier of the first data exists in the data table of the first device, the first device acquires the first data in the data table;
if the identifier of the first data does not exist in the data table of the first device, the first device acquires the first data in the internet of things device.
6. The method according to any one of claims 2 to 5, wherein the data request message further includes second signature information, and the second signature information is obtained by encrypting the transaction identifier by the second device through an encryption key; before the first device acquires the first data, the method further includes:
the first equipment acquires a first hash value of the transaction identification;
the first device decrypts the second signature information through a verification secret key corresponding to the encryption secret key to obtain a second hash value;
the first device determines that the first hash value is the same as the second hash value.
7. The method of any of claims 2-5, wherein the first device sending the first data to the second device comprises:
the first device decrypts the encrypted session key through a private key corresponding to the public key to obtain the session key;
the first device encrypts the first data by the session key;
and the first equipment sends the encrypted first data to the second equipment.
8. A block chain-based data access control method is characterized by comprising the following steps:
the second equipment sends request information and first signature information to the block chain nodes, wherein the request information and the first signature information are used for the block chain nodes to generate transaction information and transaction identification;
the second equipment acquires the transaction identification in the blockchain node;
the second equipment sends a data request message to the first equipment, wherein the data request message is used for requesting to acquire first data and comprises a transaction identifier;
and when the first device determines that the second device has the right to access the first data according to the transaction information, the second device receives the first data sent by the first device.
9. The method of claim 8, wherein the transaction information comprises at least one of the following: request information, first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
10. The method according to claim 8 or 9, wherein the request message further includes second signature information, and wherein the second signature information is obtained by encrypting the transaction identifier by the second device through an encryption key.
11. A block chain-based data access control method is characterized by comprising the following steps:
the method comprises the steps that a block chain node receives request information and first signature information sent by second equipment, wherein the request information is used for requesting to acquire first data;
the block chain node generates a transaction identifier and transaction information according to the request information and the first signature information;
the block chain node receives an inquiry request sent by first equipment, wherein the inquiry request comprises the transaction identifier;
and the blockchain node sends the transaction information corresponding to the transaction identifier to the first equipment, wherein the transaction information is used for the first equipment to determine whether to send the first data to the second equipment.
12. The method of claim 11, wherein the transaction information comprises at least one of: the request information, the first signature information, and indication information, wherein,
the request information comprises a resource position of the first data, a policy identifier and an encrypted session key, wherein the encrypted session key is obtained by encrypting the session key by the second device through a public key;
the first signature information is obtained by encrypting the hash value of the request information by the second device through an encryption key;
the indication information is used for indicating that the second device has the right to access the first data or does not have the right to access the first data.
13. The method of claim 12, wherein the blockchain node generates transaction information based on the request information and the first signature information, comprising:
the block chain node acquires an access strategy corresponding to the strategy identification;
the block chain node acquires attribute information of the second device;
the block chain node generates the indication information according to the attribute information of the second device and the access policy;
the blockchain node determines that the transaction information includes the request information, the first signature information, and the indication information.
14. The method according to any one of claims 11-13, wherein before the blockchain node generates the transaction identifier and the transaction information based on the request information and the first signature information, the method further comprises:
the blockchain node verifies the validity of the request information according to the request information and the first signature information;
the blockchain node determines that the request information is valid.
15. The method according to claim 14, wherein the first signature information is obtained by encrypting a hash value of the request information by the second device through an encryption key;
the blockchain node verifying the validity of the request information according to the request information and the first signature information comprises:
the blockchain node acquires a first hash value of the request information;
the blockchain node decrypts the first signature information through a verification key corresponding to the encryption key to obtain a second hash value;
if the first hash value is the same as the second hash value, the blockchain node determines that the request information is valid; and if the first hash value is different from the second hash value, the blockchain node determines that the request information is invalid.
16. A blockchain-based data access control apparatus, comprising: a receiving module, a processing module and a sending module, wherein,
the receiving module is configured to receive a data request message sent by a second device, wherein the data request message is used to request acquisition of first data, and the data request message comprises a transaction identifier;
the processing module is configured to acquire transaction information corresponding to the transaction identifier from a blockchain node, wherein the transaction information is generated by the blockchain node according to an access policy corresponding to the first data and attribute information of the second device;
the processing module is further configured to acquire the first data when it is determined, according to the transaction information, that the second device has the right to access the first data;
the sending module is configured to send the first data to the second device.
17. A blockchain-based data access control apparatus, comprising: a sending module, a processing module and a receiving module, wherein,
the sending module is configured to send request information and first signature information to a blockchain node, wherein the request information and the first signature information are used by the blockchain node to generate transaction information and a transaction identifier;
the processing module is configured to acquire the transaction identifier from the blockchain node;
the sending module is further configured to send a data request message to a first device, wherein the data request message is used to request acquisition of first data, and the data request message comprises the transaction identifier;
the receiving module is configured to receive the first data sent by the first device when the first device determines, according to the transaction information, that the second device has the right to access the first data.
18. A blockchain-based data access control apparatus, comprising: a receiving module, a processing module and a sending module, wherein,
the receiving module is configured to receive request information and first signature information sent by a second device, wherein the request information is used to request acquisition of first data;
the processing module is configured to generate a transaction identifier and transaction information according to the request information and the first signature information;
the receiving module is further configured to receive a query request sent by a first device, wherein the query request comprises the transaction identifier;
the sending module is configured to send the transaction information corresponding to the transaction identifier to the first device, wherein the transaction information is used by the first device to determine whether to send the first data to the second device.
19. A blockchain-based data access control device, comprising:
a memory for storing a program;
a processor for executing the program stored in the memory, the processor being configured to perform the method of any one of claims 1 to 15 when the program is executed.
20. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 15.
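The exchange of claims 11-15, simulated for all three parties as an added example (not the patent's own code). Assumptions: the claim 15 signature (request hash encrypted with an encryption key) is modelled with HMAC-SHA256 so the verification key is the same shared secret, an access policy is modelled as the set of attributes the requesting device must hold, and the transaction identifier is a truncated hash of the recorded request.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed demo of claims 11-15 (added here; not the patent's own code).
# Assumptions: the claim-15 signature (request hash encrypted with an encryption key)
# is modelled as HMAC-SHA256 over the hash, so the verification key is the same shared
# secret; an access policy is modelled as the set of attributes the requester must hold.

@dataclass(frozen=True)
class RequestInfo:
    resource_location: str        # where the first data is stored
    policy_id: str                # identifies the access policy to evaluate
    encrypted_session_key: bytes  # session key encrypted under a public key (opaque here)

    def to_bytes(self) -> bytes:
        return b"|".join([self.resource_location.encode(), self.policy_id.encode(), self.encrypted_session_key])

def sign_request(req: RequestInfo, encryption_key: bytes) -> bytes:
    # Second device: hash the request information, then protect that hash with its key.
    first_hash = hashlib.sha256(req.to_bytes()).digest()
    return hmac.new(encryption_key, first_hash, hashlib.sha256).digest()

class BlockchainNode:
    def __init__(self, verification_keys, policies, device_attributes):
        self.verification_keys = verification_keys  # device id -> verification key
        self.policies = policies                    # policy id -> required attributes
        self.device_attributes = device_attributes  # device id -> attributes of that device
        self.ledger = {}                            # transaction id -> transaction information
    def verify(self, device_id: str, req: RequestInfo, signature: bytes) -> bool:
        # Claim 15: recompute the request hash and compare it with the signed hash.
        key = self.verification_keys.get(device_id)
        if key is None:
            return False
        first_hash = hashlib.sha256(req.to_bytes()).digest()
        return hmac.compare_digest(hmac.new(key, first_hash, hashlib.sha256).digest(), signature)
    def submit(self, device_id: str, req: RequestInfo, signature: bytes):
        # Claim 14: no transaction is generated unless the request information is valid.
        if not self.verify(device_id, req, signature):
            return None
        # Claim 13: indication = the requester's attributes satisfy the referenced policy.
        required = self.policies.get(req.policy_id)
        granted = required is not None and required <= self.device_attributes.get(device_id, set())
        tx_id = hashlib.sha256(req.to_bytes() + signature).hexdigest()[:16]
        self.ledger[tx_id] = {"request": req, "signature": signature, "indication": granted}
        return tx_id

def first_device_decides(node: BlockchainNode, tx_id: str) -> bool:
    # Claim 11: the first device queries by identifier and sends data only if the indication allows.
    tx = node.ledger.get(tx_id)
    return tx is not None and tx["indication"]
```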
CN202010979263.7A 2020-09-17 2020-09-17 Data access control method, device and equipment based on block chain Pending CN112307116A (en)

Publications (1)

Publication Number Publication Date
CN112307116A true CN112307116A (en) 2021-02-02

Family

ID=74483087

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114048509A (en) * 2021-11-26 2022-02-15 北京城建设计发展集团股份有限公司 Rail transit comprehensive monitoring method and device and electronic equipment
CN115622721A (en) * 2021-07-13 2023-01-17 中移物联网有限公司 Information processing method and device, block chain equipment, user equipment and network equipment
EP4365764A1 (en) * 2022-11-03 2024-05-08 Avago Technologies International Sales Pte. Limited Blockchain-enforced data access control

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109509518A (en) * 2018-10-27 2019-03-22 平安医疗健康管理股份有限公司 Management method, server and the computer storage medium of electronic health record
CN109559117A (en) * 2018-11-14 2019-04-02 北京科技大学 Block chain contract method for secret protection and system based on the encryption of attribute base
US20190197532A1 (en) * 2017-12-27 2019-06-27 International Business Machines Corporation Private resource discovery and subgroup formation on a blockchain
CN109963282A (en) * 2019-03-28 2019-07-02 华南理工大学 Secret protection access control method in the wireless sensor network that IP is supported
CN110290094A (en) * 2018-03-19 2019-09-27 华为技术有限公司 A kind of control method and device of data access authority
CN110910978A (en) * 2019-11-21 2020-03-24 腾讯科技(深圳)有限公司 Information processing method applied to block chain network and related device
CN111010372A (en) * 2019-11-20 2020-04-14 国家信息中心 Block chain network identity authentication system, data processing method and gateway equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
梅颖: "Construction of a simplified model for blockchain-based Internet of Things access control", Journal of Communication University of China (Natural Science Edition), no. 05, 25 October 2017 (2017-10-25) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination