CN112417482B - Data sharing system, device and method based on authority access mechanism - Google Patents

Publication number
CN112417482B
Authority
CN
China
Prior art keywords
data
user
blockchain
access
user device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011351336.4A
Other languages
Chinese (zh)
Other versions
CN112417482A (en)
Inventor
范永开
林卫国
郭嘉明
潘耘
隋爱娜
尚文倩
董春玲
曹建香
范文庆
黄玮
虎倩
吴国栋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Communication University of China
Original Assignee
Communication University of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Communication University of China
Priority to CN202011351336.4A
Publication of CN112417482A
Application granted
Publication of CN112417482B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a data sharing system, device and method based on an authority access mechanism. The data sharing system comprises at least a blockchain formed by a plurality of user equipment, and the user equipment corresponding to a data owner is configured to grant different access rights to the user equipment corresponding to a data user by updating and publishing a smart contract and adding access variables to the smart contract, so that data is not stolen or leaked while the membership information of user equipment on the blockchain is being transferred. With this arrangement, data sharing is realized using smart contracts and access control. Updating the smart contract not only provides richer functions for the data sharing scenario, but also lets the data owner implement proprietary functions by updating and deploying the smart contract as needed. Moreover, by adding access variables, the invention provides fine-grained access control, improves extensibility and, more importantly, prevents data from being stolen or leaked.

Description

Data sharing system, device and method based on authority access mechanism
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data sharing system, device and method based on an authority access mechanism.
Background
Data is a powerful resource, and data sharing can put it to effective use, bringing great benefits to fields such as medical care, machine learning, scientific research and industry. However, existing data sharing schemes based on blockchain and cloud storage still have security problems and sharing-management problems.
For example, Chinese patent document CN111327426A discloses a data sharing method and related devices, apparatuses and systems. In that method, a first node, or a proxy node of the first node, receives a sharing request indicating that target data is to be shared with n nodes in a blockchain network, generates a first multi-signature address from the public keys of at least n nodes, and encrypts the target data through the first multi-signature address to obtain first transaction data. The first transaction data is uploaded to the blockchain network and, after receiving it, the n nodes decrypt the first transaction data using at least i of the private keys of the at least n nodes to obtain the target data. That patent provides a fair and supervised data sharing mode in which the sharing process is transparent and fair, so that data security can be improved. However, the sharing method it provides incurs considerable overhead in encryption and decryption, and it lacks management and extensibility for the shared data.
Furthermore, on the one hand, those skilled in the art differ in their understanding; on the other hand, the inventors studied a large number of documents and patents when making the present invention, and space does not permit listing all of their details and contents. This by no means implies that the present invention lacks these prior-art features; on the contrary, the present invention has all the features of the prior art, and the applicant reserves the right to add related prior art to the background.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a data sharing system based on an authority access mechanism, which comprises at least a blockchain formed by a plurality of user equipment. The user equipment corresponding to the data owner is configured to grant different access rights to the user equipment corresponding to the data user by updating and publishing the smart contract and adding access variables to the smart contract, so that data is not stolen or leaked while the membership information of user equipment on the blockchain is being transferred. The prior art may use strong encryption and decryption algorithms to secure data sharing, but such algorithms incur more overhead and lack management and extensibility for the shared data. Managing, extending and securing shared data necessarily means that:
1. it is impractical to force the same rules onto data sharing in different scenarios;
2. different users have different rights to the same data.
The invention grants different access rights to the user equipment corresponding to the data user by updating and publishing the smart contract and adding access variables to the smart contract. The invention uses smart contracts and access control to achieve data sharing. Updating the smart contract not only provides richer functions for the data sharing scenario, but also lets the data owner implement proprietary functions by updating and deploying the smart contract as needed. Moreover, by adding access variables, the invention provides fine-grained access control, improves extensibility and, more importantly, prevents data from being stolen or leaked. In particular, membership information on a blockchain (user equipment) may be transferred from one entity to another. During the transfer, a malicious node may steal the information; another possibility is information leakage, that is, membership information leaked because an entity was spoofed. This weakness is overcome by adding access variables to the smart contract, such as the number of queries or modifications. For example, after a member (user device) on the blockchain successfully deploys the smart contract, each access by the data user uses up one of its permitted accesses, and when the number of remaining accesses is zero the data user cannot continue to access the data. If the data user then wants to access the data again, it must apply to the data owner for access again.
According to a preferred embodiment, the user equipment corresponding to the data owner is configured to dynamically update the access rights of the user equipment corresponding to the data user based on information fed back by any user equipment on the blockchain that monitors the operation behavior of the user equipment corresponding to the data user.
According to a preferred embodiment, the user equipment is configured to:
perform encryption preprocessing on the generated original data to generate first data, and separate from the first data second data that at least describes the attributes of the original data. The second data is stored in the blockchain. The first data is segmented, and the segments are stored in a plurality of cloud devices by random matching.
According to a preferred embodiment, the data generated by the user equipment comprises the raw data and identity information data. The user device generates an identity certificate for determining rights with respect to data based on the identity information data. The user equipment configures rights allocation information generated by the identity certificate in the blockchain based on the requirement information of the user equipment/data owner.
According to a preferred embodiment, the user device corresponding to the data user is configured to send a request to the user device corresponding to the data owner to access the data stored by the cloud device. If the user equipment corresponding to the data owner approves the request, it sends an identity certificate to the user equipment that sent the request, so that the latter can apply for access to the blockchain. Any user equipment in the blockchain is configured to verify, based on the access application, the identity certificate of the user equipment corresponding to the data user and the corresponding authority information. If the identity certificate of the user equipment corresponding to the data user is valid and the requested authority information matches the authority information corresponding to the identity certificate, the user equipment corresponding to the data user is approved to obtain the second data corresponding to the data it requested to access.
The invention also provides a data sharing device based on the authority access mechanism, which comprises at least user equipment. The user equipment is configured to construct a blockchain for data sharing based on an access request from the user equipment corresponding to at least one data user. The user equipment is configured to grant different access rights to the user equipment corresponding to the data user by updating and publishing the smart contract and adding access variables to the smart contract, so that data is not stolen or leaked while membership information on the blockchain is being transferred.
The invention also provides a data sharing device based on the authority access mechanism, which comprises at least user equipment. The user equipment is configured to construct a blockchain for data sharing based on an access request from the user equipment corresponding to at least one data user. The user equipment corresponding to the data owner is configured to dynamically update the access rights of the user equipment corresponding to the data user based on information fed back by any user equipment on the blockchain that monitors the operation behavior of the user equipment corresponding to the data user.
The invention also provides a data sharing system based on the authority access mechanism, which comprises at least a blockchain formed by a plurality of user equipment. The user equipment is configured to grant different access rights to the user equipment corresponding to the data user based on the smart contract. The smart contract is configured to dynamically update the access rights of the user equipment corresponding to the data user based on information fed back by any user equipment on the blockchain that monitors the operation behavior of the user equipment corresponding to the data user.
According to a preferred embodiment, the smart contract is configured to update the reputation of a user device corresponding to a data user based on the operational behavior of the user device recorded on the blockchain. The smart contract is configured to update access rights of the user device based on the reputation.
The invention also provides a data sharing method based on the authority access mechanism, which comprises the following steps:
user equipment corresponding to a data owner establishes a blockchain for data sharing based on an access request of the user equipment corresponding to at least one data user;
and granting different access rights to the user equipment corresponding to the data user by updating and publishing the smart contract and adding access variables to the smart contract, so that data is not stolen or leaked while the membership information of user equipment on the blockchain is being transferred.
Drawings
FIG. 1 is a block diagram of a preferred embodiment of the data sharing system of the present invention;
FIG. 2 is a block diagram of a preferred embodiment of the data sharing system of the present invention;
FIG. 3 is a block diagram of a preferred embodiment of the data sharing apparatus of the present invention;
FIG. 4 is a block diagram of a preferred storage of first data and second data according to the present invention;
FIG. 5 is a schematic diagram of a preferred embodiment of data sharing of the data sharing system of the present invention;
FIG. 6 is a schematic diagram of a preferred embodiment of the smart contract and user device information interaction of the present invention;
FIG. 7 is a flow chart illustrating the steps of a preferred embodiment of the data sharing method of the present invention.
List of reference numerals
10: data layer; 20: extraction layer; 30: treatment layer
40: storage layer; 50: control layer; 60: application layer
70: data owner; 80: data user; 11: individuals
12: a plurality of individuals; 13: enterprise; 14: multiple enterprises
15: certificate authority; 31: data slice; 32: rights allocation
51: data reorganization; 52: identity verification; 53: access control
61: school; 62: hospital; 63: company
64: research institution; 65: manufacturer; 100: user equipment
200: blockchain; 300: cloud device; 400: smart contract
120: raw data; 111: identity certificate; 121: first data
122: second data; 500: encryption; 600: decryption
401: updating; 402: adjustment; 403: feedback
404: control; 405: control strategy; 406: operational behavior
407: operation record; 408: reputation; 409: update completion
410: registration; 411: registration completion; 412: installation
413: installation completion; 414: transaction; 415: transaction information
416: publication; 417: completion of publication
Detailed Description
The following is a detailed description with reference to fig. 1 to 7.
Preferably, the user device 100 may be a computer device, such as a mobile computing device, a notebook, a tablet, a cell phone. The user device 100 may also be a smart wearable device, such as a smart watch, smart glasses, or the like.
Preferably, the user equipment 100 may comprise a processor and a storage device. The storage device stores the instructions, and the processor is configured to execute the instructions stored by the storage device. Preferably, the storage device may be provided separately outside the user equipment 100. The processor may be a central processing unit (Central Processing Unit, CPU), general purpose processor, digital signal processor (Digital Signal Processor, DSP), application-specific integrated circuit (ASIC), field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, transistor logic device, hardware component, or any combination thereof.
Preferably, the user device 100 may run an operating system, such as Linux, Android or iOS.
Preferably, the user equipment 100 may access heterogeneous networks such as the internet, the internet of things, a mobile network, etc. through a wired or wireless manner. The heterogeneous network includes a plurality of radio access networks therein. Different radio access networks may use different communication paths for transmission. And the same radio access technology may use different communication paths for communication. Heterogeneous networks also include wired networks, which may access the internet through a wired network interface. The wired network interface may be an RJ-45 interface of ethernet, a BNC interface of a thin coaxial cable, an AUI interface of a thick coaxial cable, an FDDI interface, an ATM interface, etc.
Preferably, the storage device may be a magnetic disk, a hard disk, an optical disk, a mobile hard disk, a solid state disk, a flash memory, etc.
Preferably, the blockchain 200 may be constructed by a plurality of user devices 100. Preferably, the blockchain 200 may include user devices 100 of the data owners 70 and user devices 100 of the data users 80. Blockchain 200 may be a public chain or a permissioned chain. The permissioned chain may be a consortium chain.
Preferably, cloud device 300 may be a remote server, and may also be a cloud server. Preferably, cloud device 300 may be used for cloud computing as well as cloud storage.
Blockchain techniques describe a chain-like data structure. It uses the unidirectional nature of the hash algorithm to ensure that the history data is not easily altered. Any change to the history data affects the current hash value. Thus, it can trace back to any one history block by the hash value of the previous block, and can ensure the authenticity and integrity of the history data.
Metadata: structured data extracted from information resources to describe their features and content, and used to organize, describe, retrieve, store and manage information and knowledge resources. It should be noted that the second data 122 of the present invention may be metadata. The second data 122 includes at least a hash value of the data, a storage address of the data, and an encryption key.
Example 1
As shown in fig. 1, the present embodiment provides a data sharing system based on an authority access mechanism. The data sharing system includes at least a blockchain 200 made up of a plurality of user devices 100. The user device 100 corresponding to the data owner 70 is configured to grant different access rights to the user device 100 corresponding to the data user 80 by updating and publishing the smart contract 400 and adding access variables to the smart contract 400, so that data is not stolen or leaked while the membership information of user devices 100 on the blockchain 200 is being transferred. The prior art may use strong encryption and decryption algorithms to secure data sharing, but such algorithms incur more overhead and lack management and extensibility for the shared data. Managing, extending and securing shared data necessarily means that:
1. it is impractical to force the same rules onto data sharing in different scenarios;
2. different users have different rights to the same data.
The present invention grants different access rights to the user device 100 corresponding to the data user 80 by updating and publishing the smart contract 400 and adding access variables to the smart contract 400. The present invention uses smart contracts 400 and access control to enable data sharing. Updating the smart contract 400 not only provides richer functionality for the data sharing scenario, but also lets the data owner 70 implement proprietary functionality by updating and deploying the smart contract 400 as needed. Moreover, by adding access variables, the invention provides fine-grained access control, improves extensibility and, more importantly, prevents data from being stolen or leaked. In particular, membership information on the blockchain 200 (user device 100) may be transferred from one entity to another. It should be noted that the entity may be an individual or an enterprise. Preferably, when referring to specific hardware, the entity is the device used. During the transfer, a malicious node (device) may steal the information; another possibility is information leakage, that is, membership information leaked because an entity was spoofed. This weakness is overcome by adding access variables to the smart contract 400, such as the number of queries or modifications. For example, after a member (user device 100) on the blockchain 200 successfully deploys the smart contract 400, each access by the data user 80 uses up one of its permitted accesses, and when the number of remaining accesses is zero the data user 80 cannot continue to access the data. If the data user 80 then wants to access the data again, it must apply to the data owner 70 for access again.
Preferably, the user device 100 corresponding to the data owner 70 is configured to dynamically update the access rights of the user device 100 corresponding to the data user 80 based on information fed back by any user device 100 on the blockchain 200 that monitors the operation behavior of the user device 100 corresponding to the data user 80. Preferably, the user device 100 corresponding to the data owner 70 dynamically updates these access rights through the smart contract 400. As shown in fig. 3, the smart contract 400 dynamically adjusts 402 the control policy 405 according to the operation behavior 406 of the data user 80, thereby updating the access rights of the user device 100 corresponding to the data user 80. Specifically, the smart contract 400 is programmed and deployed on the blockchain 200. Nodes on the blockchain 200 are responsible for listening for access requests from data users 80. Preferably, the nodes on the blockchain 200 are user devices 100 authorized by the data owner 70. Authorization includes granting the user device 100 rights to data. Rights to data include query, download, modification and so on. Preferably, nodes on the blockchain 200 control 404 the operational behavior 406 of the data user 80 through the control policy 405 in the smart contract 400. Preferably, the change in network behavior on the blockchain 200 that results from the operational behavior 406 of the data user 80 is fed back 403 to the smart contract 400. The smart contract 400 adaptively adjusts 402 the control policy 405 based on the feedback 403. Preferably, the control policy 405 may be adjusted by an adaptive algorithm, thereby changing the rights of the data user 80. Preferably, the idea of the adaptive algorithm may be to set time and operation thresholds for specific data rights, such as operation rights. Exceeding the threshold within a short period of time is recorded as a potential attack.
For example, the adaptive algorithm may be built by setting a threshold on the number of operations per unit time. Preferably, the data owner 70 may set the number of accesses by the data user 80 to not more than 3 within 10 minutes. If the number of accesses by the data user 80 exceeds 3 within 10 minutes, the behavior of the data user 80 is considered a potential attack. The smart contract 400 may record the operational behavior of the data user 80 and revoke the data user's access, and reduce the data rights of the data user 80 when it applies for access again. Preferably, the smart contract 400 updates the operation record 407 and the reputation 408 of the data user 80 at the same time, based on the information fed back. The operation record 407 may be a history log recorded on the blockchain 200. Preferably, the reputation 408 may take part in the adaptive algorithm as a variable that modifies the permissions of the data user 80. This arrangement achieves the following beneficial effects:
As the number of entities joining the blockchain 200 increases, a data owner 70 that needs to share a piece of data with multiple entities often has to update the smart contract 400 many times to keep access to the data fine-grained. Even for minor changes, the data owner 70 has to redeploy the smart contract 400. The time and economic cost to the data owner 70 of changing the smart contract 400 therefore increases significantly. On the other hand, data owners 70 cannot guarantee that they are always online. If the data owner 70 has not processed a data access request, the entity requesting access cannot proceed to the next operation. This can leave the data user waiting for a long time, which wastes a great deal of time. The invention adaptively updates the rights of the data user 80 through the smart contract 400, so that the blockchain 200 can regulate access automatically: the smart contract 400 dynamically adjusts the access control policy according to the adaptive algorithm and maintains or updates the access rights of the entity, which avoids excessive human intervention and saves cost. Moreover, the system records the operational behavior 406 concerning the data user 80 published by the data owner 70 in the history log of the blockchain 200, and no one can tamper with the historical behavior recorded on the blockchain 200. At the same time, the system updates the current reputation 408, and the reputation 408 can take part in the calculation of the adaptive algorithm, directly influencing how the rights of the data user 80 are modified. With the above arrangement, the data sharing network can dynamically adjust the access rights of entities (data users 80) to the data according to real-time changes on the network, i.e., the blockchain 200.
Preferably, as shown in fig. 6, the information interaction between the smart contract 400 and the user equipment 100 is completed through the publication of the smart contract 400 and its installation by the user equipment 100. Preferably, the data owner 70 first publishes 416 a smart contract 400. Preferably, the smart contract 400 is chaincode in the Hyperledger architecture. After the publication succeeds, the smart contract 400 returns publication-completion 417 information to the data owner 70. The data user 80 receives the registration 410 information about the smart contract 400 and, after its registration 410 succeeds, transmits registration-completion 411 information to the smart contract 400, indicating that registration succeeded. After successful registration, the data user 80 downloads the smart contract 400 and installs 412 it. The smart contract 400 sends installation-completion 413 information to the data user 80. After installation is complete, the data user 80 may send transaction 414 information to the smart contract 400, and if the access control policy 405 in the smart contract 400 is satisfied, the data user 80 receives the transaction information 415 sent by the smart contract 400. If the smart contract 400 is updated 401, the data owner 70 needs to publish the updated smart contract, and after the publication succeeds, the smart contract 400 returns update-completion 409 information to the data owner 70. Preferably, the data user 80 needs to download and install the new version of the smart contract.
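The access variable (a remaining-access count) and the adaptive threshold rule (no more than 3 operations in 10 minutes, with a reputation that affects re-application) can be modelled together in a few lines. The following Go sketch is an added example, not code from the patent and not deployed chaincode; the type and function names, the starting reputation of 100, the penalty of 20 and the query-only rule on re-application are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Right is a data permission named in the text: query, download, modify.
type Right uint8

const (
	Query Right = 1 << iota
	Download
	Modify
)

var (
	ErrNoGrant   = errors.New("no grant: apply to the data owner")
	ErrRight     = errors.New("requested right was not granted")
	ErrExhausted = errors.New("access count is zero: re-apply to the data owner")
	ErrRevoked   = errors.New("access revoked: operation threshold exceeded")
)

// Grant is the state kept per data user (field names are illustrative).
type Grant struct {
	Rights     Right
	Remaining  int // the access variable: accesses left before re-applying
	Reputation int // starts at 100, lowered when a potential attack is recorded
	Revoked    bool
	recent     []time.Time // requests still inside the sliding window
}

// Policy stands in for the control policy: at most MaxOps requests per Window.
type Policy struct {
	MaxOps int
	Window time.Duration
	Log    []string // stand-in for the operation record kept on the chain
	grants map[string]*Grant
}

func NewPolicy(maxOps int, window time.Duration) *Policy {
	return &Policy{MaxOps: maxOps, Window: window, grants: map[string]*Grant{}}
}

// Approve records the data owner's decision on an application. Assumption:
// a user whose reputation was lowered is granted query access only.
func (p *Policy) Approve(user string, rights Right, count int) *Grant {
	g := &Grant{Rights: rights, Remaining: count, Reputation: 100}
	if old, ok := p.grants[user]; ok && old.Reputation < 100 {
		g.Reputation, g.Rights = old.Reputation, rights&Query
	}
	p.grants[user] = g
	return g
}

// Access evaluates one request. Every request, denied ones included, counts
// toward the threshold, so probing after exhaustion is itself recorded.
func (p *Policy) Access(user string, want Right, now time.Time) error {
	g, ok := p.grants[user]
	if !ok {
		return ErrNoGrant
	}
	if g.Revoked {
		return ErrRevoked
	}
	kept := g.recent[:0]
	for _, t := range g.recent {
		if t.After(now.Add(-p.Window)) {
			kept = append(kept, t)
		}
	}
	g.recent = append(kept, now)
	if len(g.recent) > p.MaxOps {
		g.Revoked = true
		g.Reputation -= 20 // assumed penalty size
		p.Log = append(p.Log, fmt.Sprintf("%s potential attack: %d requests within %s", user, len(g.recent), p.Window))
		return ErrRevoked
	}
	if g.Rights&want != want {
		return ErrRight
	}
	if g.Remaining == 0 {
		return ErrExhausted
	}
	g.Remaining--
	return nil
}

func main() {
	p := NewPolicy(3, 10*time.Minute)
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	p.Approve("userB", Query|Modify, 2)
	for i := 0; i < 4; i++ {
		fmt.Println(i+1, p.Access("userB", Query, t0.Add(time.Duration(i)*time.Minute)))
	}
	fmt.Println("re-application grants rights", p.Approve("userB", Query|Modify, 5).Rights, p.Log)
}
```

In this model the count and the rate threshold are independent checks: a user can run out of accesses without being flagged, and is flagged only when requests inside the window exceed the owner's limit.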
According to a preferred embodiment, the user equipment 100 is configured to:
the generated original data 120 is subjected to encryption preprocessing to generate first data 121, and second data 122 describing at least the attribute of the original data 120 is separated based on the first data 121. The second data 122 is stored in the blockchain 200. The first data 121 is segmented and then stored in the plurality of cloud devices 300 in a random matching manner. Preferably, the user device 100 is configured to add access variables when adding the smart contract 400, so that key data in the blockchain 200, including at least the second data 122, is read securely. Preferably, the key data may be core data of interest to the data owner 70, such as the second data 122, the operation records of other members on the blockchain 200, membership information on the blockchain 200, rights allocation information for members on the blockchain 200, and the like. Preferably, the key data may be stored in the blockchain 200 in key-value form to facilitate querying by the data owner 70. This arrangement has the following beneficial effects:
the prior art stores metadata in a blockchain and stores the data content in a cloud device 300. On the one hand, that arrangement only considers that storing metadata in the blockchain 200 achieves decentralization, which avoids the hazards of a single-node failure, such as data loss, data that is easy to tamper with and a low cost of tampering with metadata, and so improves security. It does not consider that the data content separated from the metadata is stored in the cloud device 300, where centralization creates a security risk. On the other hand, the prior art improves security by not allowing users to modify or even delete metadata stored in the blockchain 200, but it does not take into account the security issues that may arise while metadata is being accessed: membership information on the blockchain 200 may be transferred from one entity to another, a malicious node may steal it during the transfer, or an entity may be spoofed into leaking it. Relying only on the read-only state of the metadata on the blockchain 200 therefore still allows the metadata to be read insecurely. In the present invention, the first data 121 is segmented and then stored in a plurality of cloud devices 300 in a random matching manner. This decentralizes the storage of the data content on the cloud device 300 side and reduces the security risk to the user's stored data. In addition, the user device 100 is configured to add access variables when adding the smart contract 400, so that key data in the blockchain 200, including at least the second data 122, is read securely. This prevents the second data 122 stored on the blockchain 200 from being accessed insecurely because membership information on the blockchain 200 was stolen or leaked, which would otherwise lead to theft of the data stored by the user.
For example, a number of access times can be added to the smart contract 400, and one is consumed each time a data visitor (entity) accesses the data. When the remaining number of accesses is zero, the entity cannot continue to access the data. If the entity wants to access the data again, it must re-apply to the data owner for access.
Preferably, the random matching of the data slices 31 may employ any of a variety of published algorithms. Preferably, the random matching algorithm may be a random walk, a numerical probability algorithm, a Monte Carlo algorithm, a Las Vegas algorithm, a Serpentis algorithm, or the like. For example, the random walk algorithm sets up several random walkers. Each walker is initialized at a certain node, and in each subsequent step it moves at random to one of the neighboring nodes of its current node.
Preferably, as shown in fig. 4, the first data 121 generated by the raw data 120 is stored in the cloud device 300. By this arrangement, the second data 122 is stored in the blockchain, and by utilizing the traceability and immutable nature of the blockchain 200, all of the historical operating information of the key data occurring on the blockchain 200 is recorded and cannot be altered by anyone. This largely ensures the security of the second data 122.
According to a preferred embodiment, the data generated by the user equipment 100 comprises raw data 120 and identity information data. The user device 100 generates an identity certificate 111 for determining rights to data based on the identity information data. Preferably, the data-related rights may be access rights and operation rights with respect to data. The access rights may be whether the data consumer 80 can access the data. The operation authority is whether or not operations such as inquiry, download, modification, and the like can be performed after the data user 80 has access to the data. User device 100 configures the rights allocation information generated by identity certificate 111 in blockchain 200 based on the requirement information of user device 100/data owner 70.
Preferably, the second data 122 separated based on the first data 121 is stored in the blockchain 200. The user device 100 is configured to locate and monitor data based on the key-data information recorded in the blockchain 200. Like current storage schemes, this arrangement uses the characteristics of the blockchain 200 to guarantee the security of the data, but it can also track and locate data based on the recorded key-data information, so that data can be found quickly and its flow monitored.
Preferably, as shown in fig. 5, the user equipment 100 is configured to generate the first data 121 by performing encryption preprocessing on the generated original data 120 as follows:
signing the original data 120 based on the private key of the user device 100/data owner 70;
encrypting 500 the signed original data 120 to generate the first data 121.
Preferably, the encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm. Preferably, the present embodiment may employ a symmetric encryption algorithm. A symmetric encryption algorithm is efficient and strong and, compared with other encryption methods, is better suited to personal devices with small storage capacity and small computing capacity.
According to a preferred embodiment, the user equipment 100 is configured to generate a plurality of data slices 31 based on the slicing of the first data 121. The data slice 31 comprises at least a first data slice section and a second data slice section for identifying whether they belong to the same original data 120. The second data slice sections of the plurality of data slices 31 do not contain identical data with respect to each other. Preferably, the data contained in the second data slice section is unique. The same data does not exist between the different second data slice sections. Preferably, there are nodes in blockchain 200 that exclusively provide data storage services. When their storage resources are used by the data owners 70 in the network, they will be rewarded by the data owners 70 through an incentive mechanism.
According to a preferred embodiment, the data generated by the user equipment 100 comprises raw data 120 and identity information data. The user device 100 generates an identity certificate 111 for determining rights to data based on the identity information data. The user device 100 configures authority allocation information generated by the identity certificate 111 in the blockchain 200 based on the requirement information of the user device 100/data owner 70, thereby realizing control of key data including at least the second data 122 information recorded on the blockchain 200. By this arrangement, the operation authority of the data user 80 can be known by the authority allocation information.
Preferably, as shown in fig. 5, the user device 100 corresponding to the data user 80 is configured to send a request to the user device 100 corresponding to the data owner 70 to access the data stored by the cloud device 300. If the user device 100 corresponding to the data owner 70 approves the request, it transmits an identity certificate 111 to the user device 100 that sent the request, so that the latter can apply for access to the blockchain 200. Any user device 100 in the blockchain 200 is configured to verify, based on the access application, the identity certificate 111 and the corresponding authority information of the user device 100 corresponding to the data user 80. If the identity certificate 111 of that user device 100 is legitimate and the authority information it requests matches the authority information corresponding to the identity certificate 111, the user device 100 corresponding to the data user 80 is approved to acquire the second data 122 corresponding to the data requested for access. Preferably, after the user device 100 corresponding to the data user 80 acquires the second data 122, it may download the encrypted first data 121 from the cloud device 300. Preferably, the user device 100 corresponding to the data user 80 may decrypt 600 the first data 121 using the decryption key in the second data 122, thereby obtaining the complete original data 120.
Example 2
This embodiment is a further improvement/supplement to embodiment 1, and repeated content is omitted.
The present embodiment also provides a data sharing device based on the permission access mechanism, which at least includes the user equipment 100. The user device 100 is configured to construct a blockchain 200 for data sharing based on access requests of the user device 100 corresponding to at least one data user 80. The user device 100 is configured to give the user device 100 corresponding to the data user 80 different access rights by issuing the smart contract 400 and adding access variables to the smart contract 400, thereby avoiding data theft and leakage during the transfer of membership information on the blockchain 200.
Preferably, the data sharing device can be applied to the data sharing system of embodiment 1. Preferably, the user equipment 100 of this embodiment is the same as the user equipment 100 of embodiment 1, and repeated contents are not repeated.
Example 3
This embodiment is a further improvement/addition to embodiments 1, 2 and combinations thereof, and repeated content is omitted.
As shown in fig. 3, this embodiment also provides a data sharing device based on the permission access mechanism. The data sharing device comprises at least a user equipment 100. The user device 100 is configured to construct a blockchain 200 for data sharing based on access requests of the user device 100 corresponding to at least one data user 80. The user device 100 corresponding to the data owner 70 is configured to dynamically update the access rights of the user device 100 corresponding to the data user 80, based on the feedback that any user device 100 on the blockchain 200 obtains by monitoring the operation behavior of the user device 100 corresponding to the data user 80.
As shown in fig. 3, the smart contract 400 dynamically adjusts 402 the control policy 405 according to the operation behavior 416 of the data user 80, thereby updating the access rights of the user device 100 corresponding to the data user 80. Specifically, the smart contract 400 is programmed and deployed on the blockchain 200. Nodes on the blockchain 200 are responsible for listening for access requests by data users 80. Preferably, the nodes on the blockchain 200 are user devices 100 authorized by the data owner 70. Authorization includes granting rights to data to the user device 100. Rights to data include query, download, modification, etc. Preferably, nodes on the blockchain 200 control 404 the operation behavior 406 of the data user 80 through the control policy 405 of the smart contract 400. Preferably, the change 403 in network behavior on the blockchain 200 that results from the operation behavior 406 of the data user 80 is fed back to the smart contract 400. The smart contract 400 adaptively adjusts 402 the control policy 405 based on the feedback 403. Preferably, the control policy 405 may be adjusted by an adaptive algorithm, thereby changing the rights of the data user 80. Preferably, the idea of the adaptive algorithm may be to set time and operation thresholds for specific data rights, such as operation rights. Operations that exceed the threshold within a short period of time are recorded as a potential attack. For example, the adaptive algorithm may be built by setting a threshold on the number of operations per unit time. Preferably, the data owner 70 may limit the data user 80 to not more than 3 accesses within 10 minutes. If the number of accesses by the data user 80 exceeds 3 within 10 minutes, the data user 80's operation is considered a potential attack.
The smart contract 400 may record the operation behavior of the data user 80 and revoke the data user 80's access qualification, and reduce the data rights of the data user 80 when it applies for access again. Preferably, the smart contract 400 updates the operation record 407 and the reputation 408 of the data user 80 at the same time, based on the information fed back. The operation record 407 may be a history log recorded on the blockchain 200. Preferably, the reputation 408 may take part in the adaptive algorithm as a variable that modifies the permissions of the data user 80. This arrangement has the following beneficial effects:
As the number of entities joining the blockchain 200 increases, the data owner 70 often needs to update the smart contract 400 as many times as needed to ensure fine-grained access to data when a piece of data is shared with multiple entities. Even for minor changes, the data owner 70 needs to redeploy the smart contract 400. Thus, the time and economic cost of the data owner 70 altering the smart contract 400 will increase significantly. On the other hand, data owners 70 cannot guarantee that they are always online. If the data owner 70 has not processed a data access request, the entity requesting access cannot proceed to the next operation. This can leave the data user waiting for a long time, which wastes a significant amount of time. The invention adaptively updates the authority of the data user 80 based on the smart contract 400, so that the blockchain 200 can regulate access automatically: the smart contract 400 dynamically adjusts the access control policy according to the adaptive algorithm and maintains or updates the access authority of the entity, which avoids excessive human intervention and saves cost. Moreover, the system records the operation behavior 406 of the data user 80 on the data published by the data owner 70 in a history log of the blockchain 200, and no one can tamper with the historical behavior recorded on the blockchain 200. Meanwhile, the system updates the current reputation 408, and the reputation 408 can take part in the calculation of the adaptive algorithm and directly influence how the authority of the data user 80 is modified. With the above arrangement, the data sharing network can dynamically adjust the access rights of the entities (data users 80) to the data according to real-time changes on the network, i.e., the blockchain 200.
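The access variable and the adaptive threshold described in this embodiment can be modelled as follows. This is an added Python example, not code from the patent: the 10-minute window, the limit of 3 accesses and the rights query/download/modify come from the text, while the class and function names, the reputation scale (0.0 to 1.0), the 0.5 penalty and the rule mapping reputation to rights are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 10 * 60  # from the text: a 10-minute window
MAX_ACCESSES = 3          # from the text: not more than 3 accesses per window
ALL_RIGHTS = {"query", "download", "modify"}  # rights named in the text


@dataclass
class Grant:
    rights: set
    remaining: int            # access variable: accesses left before re-applying
    reputation: float = 1.0   # assumed scale, 1.0 = no violation recorded
    qualified: bool = True
    recent: deque = field(default_factory=deque)  # timestamps of allowed accesses


class AccessContract:
    """In-memory model of the policy logic; a real contract keeps this state on-chain."""

    def __init__(self):
        self.grants = {}
        self.log = []  # operation record: entries are only ever appended

    def _record(self, user, operation, outcome, now):
        self.log.append((now, user, operation, outcome))
        return outcome

    @staticmethod
    def _rights_for(requested, reputation):
        # Assumed adaptive rule: any recorded violation removes "modify",
        # a reputation below 0.5 also removes "download".
        allowed = set(ALL_RIGHTS)
        if reputation < 1.0:
            allowed.discard("modify")
        if reputation < 0.5:
            allowed.discard("download")
        return set(requested) & allowed

    def approve(self, user, requested, accesses, now=0):
        """Data owner approves an application or a re-application."""
        previous = self.grants.get(user)
        reputation = previous.reputation if previous else 1.0
        rights = self._rights_for(requested, reputation)
        self.grants[user] = Grant(rights, accesses, reputation, qualified=accesses > 0)
        self._record(user, "approve", ",".join(sorted(rights)), now)
        return rights

    def access(self, user, operation, now):
        """Evaluate one access request at time `now` (seconds) and log the outcome."""
        grant = self.grants.get(user)
        if grant is None or not grant.qualified:
            return self._record(user, operation, "denied: no access qualification", now)
        if operation not in grant.rights:
            return self._record(user, operation, "denied: right not granted", now)
        # Drop timestamps that have left the sliding window.
        while grant.recent and now - grant.recent[0] >= WINDOW_SECONDS:
            grant.recent.popleft()
        if len(grant.recent) >= MAX_ACCESSES:
            # Threshold crossed: record a potential attack, revoke, lower reputation.
            grant.qualified = False
            grant.reputation = max(0.0, grant.reputation - 0.5)
            return self._record(user, operation, "denied: potential attack", now)
        grant.recent.append(now)
        grant.remaining -= 1
        if grant.remaining == 0:
            grant.qualified = False  # access count used up: must re-apply
        return self._record(user, operation, "allowed", now)
```
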
Preferably, the data sharing device can be applied to the data sharing systems of embodiments 1 and 2. Preferably, the user equipment 100 of this embodiment is the same as the user equipment 100 of embodiments 1 and 2, and repeated descriptions are omitted.
Example 4
This embodiment is a further improvement/supplement to embodiments 1, 2, 3 and combinations thereof, and repeated content is omitted.
The present embodiment also provides a data sharing system based on the authority access mechanism, which at least includes a blockchain 200 formed by a plurality of user devices 100. The user device 100 is configured to give different access rights to the user device 100 corresponding to the data user 80 based on the smart contract 400. The smart contract 400 is configured to dynamically update the access rights of the user device 100 corresponding to the data user 80, based on the feedback that any user device 100 on the blockchain 200 obtains by listening to the operation behavior of the user device 100 corresponding to the data user 80.
According to a preferred embodiment, smart contract 400 is configured to update the reputation of user device 100 for data user 80 based on the operational behavior of user device 100 recorded on blockchain 200. The smart contract 400 is configured to update the access rights of the user device 100 based on the reputation.
Preferably, the functions of the components of the data sharing system in this embodiment, such as the user device 100, the blockchain 200, and the cloud device 300, are the same as those of the corresponding components in embodiments 1, 2, and 3, and repeated descriptions are omitted.
Example 5
This embodiment is an improvement and supplement to embodiments 1, 2, 3, and 4 and combinations thereof, and repeated descriptions are omitted. As shown in fig. 2, the present invention further provides a data sharing system. The data sharing system at least comprises: a data layer 10, an extraction layer 20, a processing layer 30, a storage layer 40, a control layer 50, and an application layer 60.
Preferably, the data layer 10 generates the data that needs to be stored. The entity that generates the data may be a person 11 and/or an enterprise 13. The entity that generates the data may also be a plurality of individuals 12 or a plurality of enterprises 14. Preferably, if the data owner 70 is a single entity, it has not only ownership of the data but also the rights to manage the data and to the data revenue. Preferably, if many entities work together as a data owner 70, the entities have the right to use the data in addition to ownership. Preferably, as joint holders of the data, the entities may be in a peer-to-peer or an unequal relationship. A peer-to-peer relationship means that all entities have equal standing: an entity cannot change the rights of the others to manage the data and to the data revenue. If the entities are in an unequal relationship, different entities obtain different levels of management and revenue rights. The corresponding levels of rights are assigned according to the value weights of the data generated by the entities and the size of the entities' contributions in the data sharing process. Preferably, the certificate authority 15 is operable to generate an identification on behalf of the data owner 70. Preferably, the certificate authority 15 may be a data owner 70.
Preferably, the extraction layer 20 divides the data generated by the data layer 10 into two parts. One part is the original data 120 and the other part is the identity information data. Preferably, the raw data 120 may be data that the entity/user device 100 wants to share. The raw data 120 may also be data collected from all electronic devices held by each entity in the networking scenario.
Preferably, the extraction layer 20 pre-processes the raw data 120. The preprocessing may be encryption preprocessing. As shown in fig. 4, the original data 120 is signed by the private key of the data owner 70. The signed data is then encrypted into ciphertext. The identity information data is the data that the entity uses to generate the identity certificate 111. Preferably, the identity certificate 111 reflects the respective rights of the entity to the data. Preferably, the rights are unique. Preferably, when multiple entities or user devices 100 are acting as data owners 70 and the entities or user devices 100 are in peer-to-peer relationship, the entities or user devices 100 have the same rights, but the identity information of the different entities or user devices 100 still varies.
Preferably, the processing layer 30 is configured to group the first data 121 to generate a plurality of data slices 31, and separate the second data 122 describing at least the properties of the original data 120 based on the first data 121. The user equipment 100 is configured to generate a plurality of data slices 31 based on the slicing of the first data 121. The data slice 31 comprises at least a first data slice section and a second data slice section for identifying whether they belong to the same original data 120. The second data slice sections of the plurality of data slices 31 do not contain identical data with respect to each other. Preferably, the data contained in the second data slice section is unique. The same data does not exist between the different second data slice sections.
Preferably, the processing layer 30 also generates the corresponding rights assignment information and configures it on the blockchain 200, so that the key data recorded on the blockchain 200 is controlled as required by the data owner 70.
Preferably, the storage layer 40 is used to store the second data 122 in a blockchain 200 constructed by a plurality of user devices 100 and to randomly store a plurality of data slices 31 in a plurality of cloud devices 300.
The reason for this arrangement is that the plurality of data slices 31 amounts to an enormous volume of data. If it were stored in the blockchain 200, a significant amount of data redundancy might result. Therefore, each data slice 31 is stored in the cloud device 300, and the capacity and performance advantages of the cloud device 300 make the data more economical and convenient to use.
Preferably, the task of storing the data is not completed in a single cloud device 300; the data is stored separately in a plurality of cloud devices 300. Preferably, the cloud devices 300 are autonomous and do not interfere with each other. The different data slices 31 are randomly distributed according to a matching algorithm and stored in the cloud servers. Note that the extracted key data is recorded in the blockchain 200 database. The rights allocation 32 generated by the processing layer 30 is configured on the blockchain 200. With this arrangement, the traceability and unalterable nature of the blockchain mean that all of the historical operation information of the key data on the blockchain 200 is recorded and cannot be altered by anyone. This largely ensures the data owner's control of the shared data. Preferably, the smart contract 400 may be executed automatically according to the rules formulated in the contract, featuring automatic execution and self-verification. When data usage policies are deployed in an intelligent network that includes blockchain 200 control, it is ensured that an intelligent network that includes data usage restrictions may be used.
Preferably, between the storage layer 40 and the application layer 60 is a control layer 50. The control layer 50 handles the entities that connect the data storage device and access the data. Preferably, the control layer 50 is configured to:
invoking the smart contract 400 in the blockchain 200 to query the rights information corresponding to the identity certificate 111 in the event that the identity certificate 111 of the user device 100 accessing the cloud device 300 is determined to be legitimate, and comparing that rights information with the rights information requested for accessing the cloud device 300. Preferably, if it is determined that the authority information requested by the user device 100 accessing the cloud device 300 conforms to the authority information corresponding to its identity certificate 111, the user device 100 accessing the cloud device 300 can at least acquire the second data 122 corresponding to the data requested to be accessed. Preferably, the user device 100 accessing the cloud device 300 obtains the first data 121 from the cloud device 300 based on the second data 122. Preferably, the control layer 50 mainly implements data reorganization 51, authentication 52 and access control 53. Preferably, the data user 80 first accesses the blockchain 200 through authentication 52. After the data user 80 is determined to be a legitimate user, the data user 80 queries the access control rights corresponding to its identity by invoking the smart contract 400. Preferably, the smart contract 400 compares the entity's rights with the rights required for the operation. If the identity of the data user 80 meets the required access rights, the key data corresponding to the data to be accessed may be queried from the blockchain 200. Preferably, the data user 80 downloads the corresponding data slices 31 from the cloud device 300 based on the second data 122 in the key data, and performs the data reorganization 51 according to the second data 122 obtained by the query. Preferably, the data user 80 decrypts the data after the data reorganization 51 by using the key in the second data 122 to obtain the original data 120.
Preferably, the application layer 60 is used to provide services to different entities and to meet the needs of the data consumer 70. An objective function is established for the different accessing entities. Each entity in the application layer acts as a receiver of data. The entity may be a person 11 or an institution, such as a school 61, a hospital 62, a company 63, a research institution 64, or a manufacturer 65. Public institutions need to carry out real-name identity authentication and register identity information data on the blockchain 200, so that the relevant departments can later pursue responsibility for illicit behavior in the data sharing process.
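The slicing by the processing layer 30, the random storage by the storage layer 40 and the data reorganization 51 described above can be illustrated together. This is an added Python example, not code from the patent: the function names, the way the second slice section is derived (a hash over an object identifier and the slice index), the per-slice digest and the layout of the second data are all assumptions, and the first data is a constructed byte string standing in for ciphertext.

```python
import hashlib
import secrets

_rng = secrets.SystemRandom()  # OS-backed randomness for the random placement


def _tag(object_id, index):
    # Second slice section (assumed construction): unique per slice, and only a
    # holder of object_id (kept in the second data) can tell which slices belong together.
    return hashlib.sha256(f"{object_id}:{index}".encode()).hexdigest()


def split_and_place(first_data, slice_size, devices):
    """Slice the ciphertext, store each slice on a randomly chosen device and
    return the second data (metadata) that would be written to the blockchain."""
    if slice_size <= 0:
        raise ValueError("slice_size must be positive")
    object_id = secrets.token_hex(16)
    names = sorted(devices)
    entries = []
    for index, offset in enumerate(range(0, len(first_data), slice_size)):
        payload = first_data[offset:offset + slice_size]  # first slice section
        tag = _tag(object_id, index)
        device = _rng.choice(names)
        devices[device][tag] = {"payload": payload, "tag": tag}
        entries.append({"index": index, "tag": tag, "device": device,
                        "digest": hashlib.sha256(payload).hexdigest()})
    return {"object_id": object_id, "slices": entries}


def reassemble(second_data, devices):
    """Fetch every slice named in the second data, verify it, and rebuild the first data."""
    parts = []
    for entry in sorted(second_data["slices"], key=lambda e: e["index"]):
        if entry["tag"] != _tag(second_data["object_id"], entry["index"]):
            raise ValueError(f"slice {entry['index']}: tag does not belong to this object")
        stored = devices.get(entry["device"], {}).get(entry["tag"])
        if stored is None:
            raise LookupError(f"slice {entry['index']} missing on {entry['device']}")
        if hashlib.sha256(stored["payload"]).hexdigest() != entry["digest"]:
            raise ValueError(f"slice {entry['index']} was modified in storage")
        parts.append(stored["payload"])
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed sample: 1024 bytes standing in for the encrypted first data.
    ciphertext = bytes(range(256)) * 4
    cloud = {"cloud-a": {}, "cloud-b": {}, "cloud-c": {}}
    meta = split_and_place(ciphertext, 100, cloud)
    print({name: len(store) for name, store in cloud.items()})
    print(reassemble(meta, cloud) == ciphertext)
```

Because each device only sees opaque tags, the mapping from slices to the original object exists only in the second data, which is why access to that record has to be controlled.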
Example 6
The embodiment also provides a data sharing method based on the authority access mechanism, which comprises the following steps:
the user device 100 corresponding to the data owner 70 constructs a blockchain 200 for data sharing based on the access request of the user device 100 corresponding to the at least one data user 80;
the user device 100 corresponding to the data user 80 is given different access rights by issuing the smart contract 400 and adding the access variable to the smart contract 400, so that data is prevented from being stolen and leaked while qualification information of the user device 100 is transferred on the blockchain 200.
Preferably, the data sharing method provided in this embodiment may be implemented according to a step flowchart shown in fig. 7. The method comprises the following steps:
S100: the data that the user equipment 100 needs to store is subjected to encryption preprocessing to generate first data 121, and second data 122 describing at least the attribute of the original data 120 is separated based on the first data 121. As shown in fig. 5, the user device 100 is configured to perform encryption preprocessing on the generated original data 120 to generate first data 121 as follows:
signing the original data 120 based on the private key of the user device 100/data owner 70;
encrypting 500 the signed original data 120 to generate the first data 121.
Preferably, the encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm. Preferably, the present embodiment may employ a symmetric encryption algorithm. A symmetric encryption algorithm is efficient and strong and, compared with other encryption methods, is better suited to personal devices with small storage capacity and small computing capacity.
S200: the second data 122 is stored in the blockchain 200 including the user equipment 100, and the first data 121 is segmented and then stored in the plurality of cloud devices 300 in a random matching manner. This arrangement has the following beneficial effects:
the prior art stores metadata in a blockchain and stores the data content in a cloud device 300. On the one hand, that arrangement only considers that storing metadata in the blockchain 200 achieves decentralization, which avoids the hazards of a single-node failure, such as data loss, data that is easy to tamper with and a low cost of tampering with metadata, and so improves security. It does not consider that the data content separated from the metadata is stored in the cloud device 300, where centralization creates a security risk. On the other hand, the prior art improves security by not allowing users to modify or even delete metadata stored in the blockchain 200, but it does not take into account the security issues that may arise while metadata is being accessed: membership information on the blockchain 200 may be transferred from one entity to another, a malicious node may steal it during the transfer, or an entity may be spoofed into leaking it. Relying only on the read-only state of the metadata on the blockchain 200 therefore still allows the metadata to be read insecurely. In the present invention, the first data 121 is segmented and then stored in a plurality of cloud devices 300 in a random matching manner. This decentralizes the storage of the data content on the cloud device 300 side and reduces the security risk to the user's stored data. In addition, the user device 100 is configured to add access variables when adding the smart contract 400, so that key data in the blockchain 200, including at least the second data 122, is read securely. This prevents the second data 122 stored on the blockchain 200 from being accessed insecurely because membership information on the blockchain 200 was stolen or leaked, which would otherwise lead to theft of the data stored by the user.
For example, a number of access times can be added to the smart contract 400, and one is consumed each time a data visitor (entity) accesses the data. When the remaining number of accesses is zero, the entity cannot continue to access the data. If the entity wants to access the data again, it must re-apply to the data owner for access.
According to a preferred embodiment, the user equipment 100 is configured to generate a plurality of data slices 31 based on the slicing of the first data 121. The data slice 31 comprises at least a first data slice section and a second data slice section for identifying whether they belong to the same original data 120. The second data slice sections of the plurality of data slices 31 do not contain identical data with respect to each other. Preferably, the data contained in the second data slice section is unique. The same data does not exist between the different second data slice sections.
S300: the user device 100 corresponding to the data user 80 is configured to send a request to the user device 100 corresponding to the data owner 70 to access the data stored by the cloud device 300. If the user device 100 corresponding to the data owner 70 approves the request, it transmits an identity certificate 111 to the user device 100 that sent the request, so that the latter can apply for access to the blockchain 200. Any user device 100 in the blockchain 200 is configured to verify, based on the access application, the identity certificate 111 and the corresponding authority information of the user device 100 corresponding to the data user 80. If the identity certificate 111 of that user device 100 is legitimate and the authority information it requests matches the authority information corresponding to the identity certificate 111, the user device 100 corresponding to the data user 80 is approved to acquire the second data 122 corresponding to the data requested for access. Preferably, after the user device 100 corresponding to the data user 80 acquires the second data 122, it may download the encrypted first data 121 from the cloud device 300. Preferably, the user device 100 corresponding to the data user 80 may decrypt 600 the first data 121 using the decryption key in the second data 122, thereby obtaining the complete original data 120.
According to a preferred embodiment, the data generated by the user equipment 100 comprises raw data 120 and identity information data. The user device 100 generates an identity certificate 111 for determining rights to data based on the identity information data. The user device 100 configures authority allocation information generated by the identity certificate 111 in the blockchain 200 based on the requirement information of the user device 100/data owner 70, thereby realizing control of key data including at least the second data 122 information recorded on the blockchain 200. By this arrangement, the operation authority of the data user 80 can be known by the authority allocation information.
S400: the user device 100 corresponding to the data owner 70 is configured to:
achieve fine-grained access control and improve scalability by updating the smart contract 400 it publishes on the blockchain 200 and by enabling the user device 100 corresponding to the data user 80 to download and install the updated smart contract 400 through the blockchain 200. Preferably, the user device 100 corresponding to the data owner 70 is configured to add access variables during the setup of the smart contract 400 to avoid theft and disclosure of membership information on the blockchain 200 during the transfer. Preferably, access time is allocated to the user device 100 corresponding to the data user 80, and when the remaining access time reaches zero, the access qualification of the user device 100 corresponding to the data user 80 is released. The user device 100 corresponding to the data user 80 then applies again to the user device 100 corresponding to the data owner 70 to acquire access qualification. With this arrangement, securing the data while keeping its use scalable requires managing the rights of the data user 80: at least, different users need different rights to the same data, and different rules should be adopted to acquire the data in different application scenarios. Updating the smart contract 400 not only provides richer functionality for the data sharing scenario; the data owner 70 may also implement proprietary functionality by updating and deploying the smart contract 400 as needed. Moreover, adding the access variable gives the invention fine-grained access control and thus improves scalability. More importantly, setting an access variable such as the access time prevents the second data 122 from being stolen or leaked by a malicious node during the transfer of blockchain membership information.
Preferably, as the number of entities joining the blockchain 200 increases, data owners 70 often need to update smart contracts 400 as many times as needed in order to ensure fine-grained access to data when a piece of data needs to be shared with multiple entities. Even for minor changes, the data owner 70 needs to redeploy the smart contract 400. Thus, the time and economic cost to the data owner 70 of changing the smart contract 400 will increase significantly. On the other hand, data owners 70 cannot guarantee that they are always online. If the data owner 70 has not processed a data access request, the entity requesting access cannot proceed to the next operation. This can lead to a long waiting time for the data user and a significant waste of time. Preferably, the smart contract 400 may be further configured to dynamically update the access rights of the user device 100 corresponding to the data user 80 based on information fed back when any user device 100 on the blockchain 200 monitors the operation behavior of the user device 100 corresponding to the data user 80. This arrangement exploits the fact that the smart contract 400 automatically executes its written program code in response when certain conditions are triggered, so that the blockchain 200 can regulate access automatically; that is, the smart contract 400 dynamically adjusts the access control strategy according to the adaptive algorithm and maintains or updates the access authority of the entity, so that excessive human intervention is not required and cost is further saved.
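The access-time allocation and the behavior-driven adjustment of rights described above can be modelled off-chain as follows. This is an added illustration, not code from the patent: the class and method names, the reputation thresholds and the penalty table are assumptions, because the patent names an adaptive algorithm without defining it.

```python
from dataclasses import dataclass

# Assumed values: the patent names an "adaptive algorithm" but does not define it.
PENALTY = {"normal": +1, "denied_request": -10, "bulk_download": -35}
FULL, READ_ONLY, REVOKED = "read+download", "read", "revoked"


def rights_for(reputation):
    """Map a reputation score to rights (thresholds are assumptions)."""
    if reputation >= 70:
        return FULL
    return READ_ONLY if reputation >= 40 else REVOKED


@dataclass
class Grant:
    remaining: int         # access time left, in seconds (the access variable)
    reputation: int = 100
    rights: str = FULL


class AccessContract:
    """Off-chain model of the access state held by smart contract 400."""

    def __init__(self, owner, nodes):
        self.owner = owner
        self.nodes = set(nodes)   # monitoring nodes authorized by the data owner
        self.grants = {}          # data user -> Grant
        self.events = []          # append-only record of decisions

    def approve(self, caller, user, seconds):
        """Data owner allocates access time; reputation survives re-application."""
        if caller != self.owner:
            raise PermissionError("only the data owner can grant access")
        if seconds <= 0:
            raise ValueError("access time must be positive")
        old = self.grants.get(user)
        rep = old.reputation if old else 100
        self.grants[user] = Grant(seconds, rep, rights_for(rep))
        self.events.append(("approve", user, seconds))

    def access(self, user, seconds):
        """Return the seconds actually granted; 0 means the request is refused."""
        g = self.grants.get(user)
        if g is None or g.rights == REVOKED or g.remaining <= 0 or seconds <= 0:
            self.events.append(("refuse", user, seconds))
            return 0
        used = min(seconds, g.remaining)   # never run past the allocation
        g.remaining -= used
        if g.remaining == 0:
            self.events.append(("released", user, 0))  # must apply to the owner again
        return used

    def report(self, node, user, behaviour):
        """Feedback from a monitoring node adjusts reputation, then rights."""
        if node not in self.nodes:
            raise PermissionError("feedback accepted only from authorized nodes")
        g = self.grants[user]
        g.reputation = max(0, min(100, g.reputation + PENALTY[behaviour]))
        g.rights = rights_for(g.reputation)
        self.events.append(("report", user, behaviour))
        return g.rights


if __name__ == "__main__":
    c = AccessContract("owner-70", ["node-a"])
    c.approve("owner-70", "user-80", 60)
    print(c.access("user-80", 45), c.access("user-80", 45), c.access("user-80", 1))
```

Because reputation is carried across re-applications in this model, a data user whose rights were reduced cannot restore them simply by letting the access time run out and applying again.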
The present specification contains several inventive concepts, and the applicant reserves the right to file a divisional application according to each of the inventive concepts. Where the description uses "preferably," "according to a preferred embodiment," or "optionally," the corresponding paragraph discloses a separate concept, and the applicant reserves the right to file a divisional application according to each inventive concept.
It should be noted that the above-described embodiments are exemplary, and that a person skilled in the art, in light of the present disclosure, may devise various solutions that fall within the scope of the present disclosure. It should be understood by those skilled in the art that the present description and drawings are illustrative and not limiting to the claims. The scope of the invention is defined by the claims and their equivalents.

Claims (10)

1. A data sharing system based on a rights access mechanism, comprising a blockchain (200) made up of a plurality of user devices (100), wherein,
the user device (100) corresponding to the data owner (70) is configured to give different access rights to the user device (100) corresponding to the data user (80) based on the manner of updating the issued smart contract (400) and adding an access variable in the smart contract (400), wherein the access variable is an access time, thereby avoiding data theft and leakage during transfer of qualification information of the user device (100) on the blockchain (200),
the intelligent contract (400) dynamically adjusts the control strategy through the operation behavior of the data user (80) so as to update the access authority of the user equipment (100) corresponding to the data user (80),
the intelligent contract (400) is programmed and deployed on the blockchain (200), nodes on the blockchain (200) are responsible for monitoring access requests of the data users (80), the nodes on the blockchain (200) are user equipment (100) authorized by a data owner (70), the nodes on the blockchain (200) control the operation behaviors of the data users (80) through control strategies on the intelligent contract (400), when changes of network behaviors on the blockchain (200) caused by the operation behaviors of the data users (80) are fed back to the intelligent contract (400), the intelligent contract (400) adaptively adjusts the control strategies based on the fed back information, and the control strategies are adjusted through the adaptive algorithm, so that the authority of the data users (80) is changed.
2. The data sharing system of claim 1, wherein the user device (100) corresponding to the data owner (70) is configured to dynamically update the access rights of the user device (100) corresponding to the data user (80) based on information fed back by the operational behavior of the user device (100) corresponding to the data user (80) being listened to by any user device (100) on the blockchain (200).
3. The data sharing system according to any of claims 1 or 2, wherein the user equipment (100) is configured to:
the generated original data (120) is subjected to encryption preprocessing to generate first data (121), and second data (122) describing the attribute of the original data (120) are separated based on the first data (121), wherein,
the second data (122) is stored in the blockchain (200), and the first data (121) is stored in a plurality of cloud devices (300) in a random matching mode after being segmented.
4. A data sharing system according to claim 3, characterized in that the data generated by the user equipment (100) comprises the raw data (120) and identity information data, wherein,
the user equipment (100) generates an identity certificate (111) for determining rights to data based on the identity information data, and configures rights allocation information generated by the identity certificate (111) in the blockchain (200) based on requirement information of the user equipment (100)/data owner (70).
5. The data sharing system of claim 4, wherein the user device (100) to which the data user (80) corresponds is configured to send a request to the user device (100) to which the data owner (70) corresponds to access data stored by the cloud device (300), wherein,
in case the user device (100) corresponding to the data owner (70) approves the request, the user device (100) corresponding to the data owner (70) sends an identity certificate (111) to the user device (100) corresponding to the sending request for applying to access the blockchain (200), wherein,
any user equipment (100) in the blockchain (200) is configured to verify an identity certificate (111) of the user equipment (100) corresponding to the data user (80) and corresponding authority information based on information applied for access, and approve second data (122) corresponding to the data requested to be accessed by the user equipment (100) corresponding to the data user (80) under the condition that the identity certificate (111) of the user equipment (100) corresponding to the data user (80) is legal and the authority information requested by the user equipment accords with the authority information corresponding to the identity certificate (111).
6. A data sharing apparatus based on a rights access mechanism, comprising a user device (100), the user device (100) being configured to build a blockchain (200) for data sharing based on an access request of the user device (100) corresponding to at least one data user (80), and to grant different access rights to the user device (100) corresponding to the data user (80) based on an update issuing a smart contract (400) and adding an access variable in the smart contract (400), thereby avoiding data theft and leakage during transfer of membership information on the blockchain (200), wherein the access variable is an access time,
the intelligent contract (400) dynamically adjusts the control strategy through the operation behavior of the data user (80) so as to update the access authority of the user equipment (100) corresponding to the data user (80),
the intelligent contract (400) is programmed and deployed on the blockchain (200), nodes on the blockchain (200) are responsible for monitoring access requests of the data users (80), the nodes on the blockchain (200) are user equipment (100) authorized by a data owner (70), the nodes on the blockchain (200) control the operation behaviors of the data users (80) through control strategies on the intelligent contract (400), when changes of network behaviors on the blockchain (200) caused by the operation behaviors of the data users (80) are fed back to the intelligent contract (400), the intelligent contract (400) adaptively adjusts the control strategies based on the fed back information, and the control strategies are adjusted through the adaptive algorithm, so that the authority of the data users (80) is changed.
7. A data sharing arrangement based on a rights access mechanism, comprising a user device (100), the user device (100) being configured to build a blockchain (200) for data sharing based on access requests of the user device (100) for at least one data user (80), wherein,
the user device (100) corresponding to the data owner (70) is configured to dynamically update the access rights of the user device (100) corresponding to the data user (80) based on any user device (100) on the blockchain (200) listening to information fed back by the operation behavior of the user device (100) corresponding to the data user (80),
the intelligent contract (400) dynamically adjusts the control strategy through the operation behavior of the data user (80) so as to update the access authority of the user equipment (100) corresponding to the data user (80),
the intelligent contract (400) is programmed and deployed on the blockchain (200), nodes on the blockchain (200) are responsible for monitoring access requests of the data users (80), the nodes on the blockchain (200) are user equipment (100) authorized by a data owner (70), the nodes on the blockchain (200) control the operation behaviors of the data users (80) through control strategies on the intelligent contract (400), when changes of network behaviors on the blockchain (200) caused by the operation behaviors of the data users (80) are fed back to the intelligent contract (400), the intelligent contract (400) adaptively adjusts the control strategies based on the fed back information, and the control strategies are adjusted through the adaptive algorithm, so that the authority of the data users (80) is changed.
8. A data sharing system based on a rights access mechanism, comprising a blockchain (200) of a plurality of user devices (100), the user devices (100) being configured to grant different access rights to the user devices (100) to which a data user (80) corresponds based on a smart contract (400), wherein,
the intelligent contract (400) is configured to dynamically update access rights of the user device (100) corresponding to the data user (80) based on information fed back by the operation behavior of the user device (100) corresponding to the data user (80) monitored by any user device (100) on the blockchain (200),
the intelligent contract (400) dynamically adjusts the control strategy through the operation behavior of the data user (80) so as to update the access authority of the user equipment (100) corresponding to the data user (80),
the intelligent contract (400) is programmed and deployed on the blockchain (200), nodes on the blockchain (200) are responsible for monitoring access requests of the data users (80), the nodes on the blockchain (200) are user equipment (100) authorized by a data owner (70), the nodes on the blockchain (200) control the operation behaviors of the data users (80) through control strategies on the intelligent contract (400), when changes of network behaviors on the blockchain (200) caused by the operation behaviors of the data users (80) are fed back to the intelligent contract (400), the intelligent contract (400) adaptively adjusts the control strategies based on the fed back information, and the control strategies are adjusted through the adaptive algorithm, so that the authority of the data users (80) is changed.
9. The data sharing system of claim 8, wherein the smart contract (400) is configured to update the reputation of the user device (100) based on the operational behavior of the user device (100) for which the data user (80) corresponds being recorded on the blockchain (200), and to update the access rights of the user device (100) based on the reputation.
10. A data sharing method based on a permission access mechanism, the data sharing method comprising:
the user equipment (100) corresponding to the data owner (70) constructs a blockchain (200) for data sharing based on the access request of the user equipment (100) corresponding to the at least one data user (80);
giving different access rights to the user device (100) to which the data user (80) corresponds based on the manner of updating the issued smart contract (400) and adding an access variable in the smart contract (400), thereby avoiding data theft and leakage during transfer of qualification information of the user device (100) on the blockchain (200), wherein the access variable is access time,
the intelligent contract (400) dynamically adjusts the control strategy through the operation behavior of the data user (80) so as to update the access authority of the user equipment (100) corresponding to the data user (80),
the intelligent contract (400) is programmed and deployed on the blockchain (200), nodes on the blockchain (200) are responsible for monitoring access requests of the data users (80), the nodes on the blockchain (200) are user equipment (100) authorized by a data owner (70), the nodes on the blockchain (200) control the operation behaviors of the data users (80) through control strategies on the intelligent contract (400), when changes of network behaviors on the blockchain (200) caused by the operation behaviors of the data users (80) are fed back to the intelligent contract (400), the intelligent contract (400) adaptively adjusts the control strategies based on the fed back information, and the control strategies are adjusted through the adaptive algorithm, so that the authority of the data users (80) is changed.
CN202011351336.4A 2020-11-25 2020-11-25 Data sharing system, device and method based on authority access mechanism Active CN112417482B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011351336.4A CN112417482B (en) 2020-11-25 2020-11-25 Data sharing system, device and method based on authority access mechanism


Publications (2)

Publication Number Publication Date
CN112417482A CN112417482A (en) 2021-02-26
CN112417482B true CN112417482B (en) 2024-03-12

Family

ID=74842136


Country Status (1)

Country Link
CN (1) CN112417482B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant