CN112671580A - QAR data management method based on block chain technology - Google Patents
QAR data management method based on block chain technology Download PDFInfo
- Publication number
- CN112671580A CN112671580A CN202011545224.2A CN202011545224A CN112671580A CN 112671580 A CN112671580 A CN 112671580A CN 202011545224 A CN202011545224 A CN 202011545224A CN 112671580 A CN112671580 A CN 112671580A
- Authority
- CN
- China
- Prior art keywords
- data
- organization
- network
- identity
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 34
- 238000005516 engineering process Methods 0.000 title claims abstract description 16
- 238000013523 data management Methods 0.000 title claims abstract description 15
- 230000008520 organization Effects 0.000 claims abstract description 99
- 238000007726 management method Methods 0.000 claims abstract description 43
- 238000012545 processing Methods 0.000 claims abstract description 29
- 238000013461 design Methods 0.000 claims abstract description 16
- 238000002955 isolation Methods 0.000 claims abstract description 10
- 230000007246 mechanism Effects 0.000 claims abstract description 10
- 238000010276 construction Methods 0.000 claims abstract description 7
- 230000008569 process Effects 0.000 claims abstract description 6
- 238000003860 storage Methods 0.000 claims description 31
- 230000003993 interaction Effects 0.000 claims description 16
- 238000013500 data storage Methods 0.000 claims description 12
- 239000004744 fabric Substances 0.000 claims description 12
- 238000011161 development Methods 0.000 claims description 10
- 238000013475 authorization Methods 0.000 claims description 8
- 238000012163 sequencing technique Methods 0.000 claims description 6
- 238000012795 verification Methods 0.000 claims description 5
- 230000005540 biological transmission Effects 0.000 claims description 4
- 230000006870 function Effects 0.000 claims description 4
- 230000008676 import Effects 0.000 claims description 4
- 238000004519 manufacturing process Methods 0.000 claims description 4
- 230000002159 abnormal effect Effects 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 claims description 3
- 238000004891 communication Methods 0.000 claims description 3
- 230000001360 synchronised effect Effects 0.000 claims description 3
- 238000012790 confirmation Methods 0.000 claims description 2
- 238000009826 distribution Methods 0.000 claims description 2
- 238000005457 optimization Methods 0.000 claims description 2
- 238000004806 packaging method and process Methods 0.000 abstract description 4
- 230000004927 fusion Effects 0.000 abstract description 3
- 238000012937 correction Methods 0.000 abstract description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 239000002699 waste material Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A QAR data management method based on block chain technology relates to block chain technology and aviation information management. The architecture comprises a resource layer, a network layer and an application layer from bottom to top; different organizations undertake different tasks in the network layer design, even if a private key for identity authentication of a certain organization is leaked, the certificate issued by a CA in the middle of the organization is only influenced, and meanwhile, a more flexible and fine-grained sensitive data protection mechanism is adopted, so that the influence of coarse-grained modes such as channel isolation on the network performance is avoided; the resource layer ensures the safety of data through a data processing module to the correction division and packaging mode of the data and an identity authentication mechanism of an identity management module, and introduces IPFS to further reduce the network pressure of the block chain; the application layer directly faces to users with different authorities under each organization, and data sharing among the organizations is achieved. The problems of data fusion, equipment safety, information protection and multi-subject cooperation in the construction process of the QAR data management system are effectively solved.
Description
Technical Field
The invention relates to the field of block chain technology and aviation information management, in particular to a QAR data management method based on the block chain technology.
Background
The rapid development of modern civil aviation industry puts higher requirements on the safety of aviation information storage, and the aviation information storage technology is long-standing as an important means for guaranteeing air traffic safety. In addition, effective data analysis is carried out on the basis of massive aviation information to find out factors influencing aviation safety, the value of deeply mining data back is also concerned, but the factors are all established on the basis of safe and credible aviation information.
The traditional aviation information management mode can be mostly classified into the following modes, one mode is to realize the safe storage of data, each aviation enterprise builds a special data management system, and the collected data is stored in a local database, so that the problems of data island and difficult data sharing among different organizations can be caused; secondly, a credible centralized mechanism is introduced for facilitating data sharing, and is responsible for data collection and management, and the centralized mechanism is not transparent enough to a data provider, so that certain hidden dangers can be brought to the privacy of the data, and the intentional and unintentional damage or attack of internal personnel can not be effectively dealt with; in addition, if the data is stored in a third-party trust authority such as a cloud platform, resource waste and transmission delay may be caused, because even if the data providing organization internal personnel accesses the data, the data needs to access the cloud, and frequent remote data transmission may cause certain delay and resource waste, which results in higher data maintenance and platform construction costs.
Aiming at the hidden danger that data is falsified in the existing centralized aviation information storage mode, and a block chain is used as a novel decentralized infrastructure and a distributed computing paradigm, the invention provides a method for managing QAR data by means of a super financial book Fabric platform design structure and adapting to the current QAR data, and the problems possibly existing in a storage and data isolation mechanism designed in the prior art are effectively solved by adopting a block chain technology and setting a reasonable block chain network structure according to different organization authorities.
Disclosure of Invention
The invention aims to solve the problems of unreliable data, single-point failure and difficult data sharing among different organizations caused by the fact that a centralized storage architecture is generally adopted in an aviation information storage method designed in the prior art, and provides a QAR data management method based on a block chain technology.
The management architecture of the invention comprises a resource layer, a network layer and an application layer from bottom to top:
the resource layer is a bottom gateway server device for providing data resources, physical equipment with certain storage and calculation capacity is used as a gateway server, different data fields in original QAR data are processed, and further upward transmission of data is completed by applying for identity authentication to an intermediate CA of a specific organization of the network layer and interacting with a block chain network node under the organization;
the network layer is a block chain network which is established by means of a multi-organization cooperation and data sharing under a super book Fabric platform and is used as a storage unit for uploading collected data of a resource layer and a source layer for accessing data of a client side of data sharing under a distributed network. The account book structure and the chain codes deployed in endorsement nodes and accounting nodes of different organizations complete business logic of data storage and data access, intermediate CA (certificate authority) of different organizations complete authority control and identity authentication of different organization nodes, a message queue Raft is used for providing sequencing service and a Gossip protocol is used for completing optimization of block chain network performance, and consensus communication and data distribution among the nodes are guaranteed;
the application layer is a client established for the web application framework and comprises three layers of data processing, service logic and a data interface, and the functions of data query, equipment management, chain code management and user authority management in a user authority range are completed by operating the interaction of the Fabric SDK and the block chain network chain code.
The invention relates to a QAR data management method based on a block chain technology, which comprises the following steps:
step 1: establishing a alliance chain and an IPFS network between different organization network servers by using the super account book Fabric;
in step 1, the alliance chain and IPFS network construction comprises network structure design, chain code design, intermediate CA development and account book content design; the network structure is designed to be deployed by multiple servers in a production environment, multiple organizations comprise the same data sharing channel, corresponding endorsements and confirmation peer nodes are arranged under each organization, and a Raft sequencing mechanism is adopted; the chain code is designed as an important means for isolating sensitive data among organizations, channel data isolation in a coarse-grained mode with poor dynamic performance is abandoned, a finer-grained sensitive equipment data encryption authorization scheme is designed, the authorization mode is changed only by updating the chain code or a secret key, and the network pressure of a block chain is reduced; the intermediate CA is developed into each organization CA node issued by the root CA node, different organization users access the organization intermediate CA node to realize information registration and identity registration, obtain legal certificates and private keys and send the legal certificates and private keys to the MSP component for verification and management, and each organization administrator has the authority to register and register the equipment through the intermediate CA; the account book content is designed to be a storage format of peer node data in a channel, and a key value pair format is adopted, wherein keys are < organization ID, flight ID and data field ID >, and vlaue is a series of JSON nested format data stored under the keys and comprises data date and IPFS file address; the IPFS network is used to store blocks of raw QAR data fields that are processed and packed by the resource layer, further reducing blockchain network stress.
In step 1, the specific steps of building a federation chain and building an IPFS network between different organization network servers by using the hyper book Fabric are as follows:
(1) different organizations divide different tasks in the network layer design, and even if a private key for identity authentication of a certain organization is leaked, the certificate issued by the middle CA of the organization is only influenced through the development of the middle CA;
(2) the account book design in the network adopts a key value pair format, wherein key is < organization ID, flight ID and data field ID >, and vlaue is a series of JSON nested format data stored under key, including data date and IPFS file address.
(3) The specific method for adopting a fine-grained data isolation and authorization mode for sensitive data fields comprises the following steps: as shown in fig. 2, the org1 is required to authorize sensitive data fields to be viewed by formal users under org2, which other organization users in the same channel cannot view; firstly, after the data passes through IPFS, when the corresponding stored hash value is linked up, a symmetric encryption mode of org1 is adopted to generate a ciphertext, and the ciphertext 1 is linked up; secondly, encrypting the symmetric encryption key by using a public key of Org2 in an asymmetric encryption mode to generate ciphertext 2 and chaining, wherein the asymmetric encryption public key is obtained from a block chain network state database; and finally, when an official user under Org2 views the field data of the corresponding sensitive equipment, after identity verification, the private key of Org2 is used and the chain code is called to decrypt a symmetric key of corresponding Org1, and the symmetric key is used for decrypting a ciphertext to obtain a plaintext with a hash value and returning the plaintext to the application layer.
Step 2: the data providing organization realizes the interaction with the network layer IPFS and the block chain network through a resource layer gateway server, and completes the processing and chaining of the original QAR data;
in step 2, the processing of the original QAR data is completed mainly by using the identity management module in the front-end and back-end programs of the gateway server to complete identity registration for the user under the current organization by using the identity of the administrator and store the returned identity certificate in the local database; a user of a data providing organization imports a QAR data file of an original database system into the system through a front-end program and a back-end program of a gateway server, a data processing module corrects some abnormal values and missing values in original data by adopting a mean value difference complementing method, and divides and format-converts according to flight IDs and different data field IDs.
The resource layer gateway server is an intra-organization device with certain computing and storing capacity, does not belong to a block chain network node, is used as an interface for interaction between the organization and the block chain network, is mainly used for running front and back end programs to complete importing and processing original QAR data, and mainly comprises a data processing module and an identity management module;
the specific method for completing uplink of the processed QAR data by the resource layer gateway server through interaction with the network layer IPFS and the block chain network comprises the following steps:
(1) and when the number of the data fields reaches a preset value, the packed data block is sent to the IPFS network, a data storage hash value is returned, different data field information is obtained from the identity management module, whether the data fields are sensitive data or not is judged, and if yes, a symmetric key is further obtained from the identity management module to encrypt the storage hash value. The sensitive data field list can be changed through a client program of the gateway server and stored in the identity management module, and meanwhile, the sensitive data field list can also be synchronized in an application layer back-end database;
(2) when the symmetric key generated by the administrator through the client program setting of the gateway server changes, the org1 symmetric key needs to be obtained from the identity management module again during data uplink, and ciphertext 2 uplink after encryption by using the public key of org2 is required;
(3) the data processing module processes the formatted data according to the branch business logic in the chain code and the format requirement of the account book, packages and signs the processed uploaded data by using the SDK, packages the data into a transaction proposal and sends the transaction proposal to an endorsement node in the channel;
(4) and the data processing module sends the returned data transaction hash value to the application layer server through an http request and stores the data transaction hash value in a Web application back-end database.
And step 3: and developing Web application by utilizing the Fabric SDK and the Web application development framework to complete data sharing and authority control among organizations.
In step 3, the Web application mainly completes functions of user management, data query, chain code management and the like within the user authority range; the application can be divided into three types of users, one type is a common user, the second type is a formal user, the third type is an organization administrator, the common user needs the organization administrator to apply identity information to the middle CA of the organization for the common user to become the formal user and then has the right to check data, and meanwhile, an identity information table used for storing information returned by the CA node is associated with the user table; the formal user or the organization administrator who obtains the data query authority sends different types of requests through the client according to the organization ID, the flight ID and the data field ID, and after the requests are identified through the Web Server, the Web Server obtains the corresponding transaction hash value from the database, and realizes the interaction with the chain code through the Fabric SDK so as to obtain the data storage hash value, and finally, the corresponding data is queried in the IPFS according to the data storage hash value and returned to the client. For the inquiry of the field identified as sensitive data, firstly, after obtaining the transaction hash, obtaining a ciphertext 1 encrypted by a data providing organization symmetric key pair storage hash through interaction with a chain code, the Web Server initiates a transaction proposal again according to a data object requested by a user to obtain a ciphertext 2 encrypted by the data providing organization symmetric key pair data query organization public key, then the Web Server decrypts the ciphertext 2 by using a data query organization private key to provide the organization symmetric key, and finally decrypts the storage hash from the ciphertext 1 by the symmetric key and queries real data block information from an IPFS and returns the real data block information.
The working principle of the invention is given below:
the block chain network built based on the hyper book Fabric is an alliance chain formed by organization negotiation with different authorities according to actual needs, and in order to improve the expansibility of the Fabric CA in a production environment and the safety of each organization, each organization has an intermediate CA which belongs to a root CA and is respectively responsible for generating public and private keys and certificates of an orderer sequencing organization and each peer node organization.
In order to relieve storage pressure brought by data synchronization data of each endorsement node and a bookkeeping node in a channel in the actual service requirement for data uploading of a large number of gateway devices and rich query requests of client users, the users store identity information acquired after successful application and registration of an intermediate CA in a corresponding organization in a local gateway server, and the gateway server with certain resource storage and calculation power completes identity proxy; the CouchDB state database is started, database indexes are automatically added when chain code initialization and upgrading are achieved, and meanwhile paging query is adopted to relieve channel pressure and improve data query efficiency when a user requests data query through a client web application. In addition, the resource layer data processing module only packages and uploads the data to the IPFS network to store real data after the data volume of a certain data field reaches a certain preset value, and uploads the returned storage hash value to the block chain network to further reduce the storage pressure of the block chain network.
In the aspect of privacy protection, a data provider and a data inquirer are divided into different organizations, such as org1 and org2, and when data of sensitive equipment needs to be uplinked by org1, users under org2 in the same channel can view the data and other organizations cannot view the data by adopting a finer-grained data encryption and authorization mode. The specific mode is that after the sensitive data field of the original QAR data imported by the org1 reaches a certain amount, the sensitive data field is processed by the data processing module and the hash value is returned from the IPFS for storage, the hash value is uplinked by using the symmetric key of the org1, and the symmetric key is uplinked after being encrypted by the public key of the asymmetric encryption mode of the org2 acquired from the network layer. When a user needs to query the sensitive data field under org2, the chain code level execution logic firstly judges whether the requesting user is organized by data org2, if so, the ciphertext 1 and the ciphertext 2 corresponding to the data field are returned so as to decrypt the symmetric key of org1 of the encrypted data, finally, the corresponding storage hash is decrypted through the symmetric key and returned to the Web Server, and the real data is obtained in the IPFS through the Web Server and returned to the client to complete data sharing.
Compared with the prior art, the invention has the beneficial effects that:
the invention realizes the negotiation and construction of enterprise-level alliance chain with authority control among different organizations by utilizing the non-tamper property of the block chain data structure and the block chain network decentralized mechanism, different organizations undertake different tasks, even if the identity authentication private key of one organization is leaked, the certificate issued by the CA in the middle of the organization is only influenced, and meanwhile, a more flexible and fine-grained sensitive data isolation mechanism is adopted. Finally, the network pressure of the block chain is reduced through a resource layer equipment data packaging processing mode, an identity certificate management mode and an IPFS (internet protocol file system), and the problems of data fusion, equipment safety, information protection and multi-body cooperation in the construction process of the QAR data management system are effectively solved.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of the present invention;
FIG. 2 is a timing diagram of the uploading of sensitive data fields of org1 according to the present invention;
FIG. 3 is a timing diagram of a client org2 user sensitive data field query in accordance with the present invention.
Detailed Description
The following examples will further illustrate the present invention with reference to the accompanying drawings.
According to fig. 1, the present invention mainly divides an application layer, a network layer, and a resource layer. Different organizations undertake different tasks in the network layer design, even if a private key for identity authentication of a certain organization is leaked, the certificate issued by a CA in the middle of the organization is only influenced, and meanwhile, a more flexible and fine-grained sensitive data protection mechanism is adopted, so that the influence of coarse-grained modes such as channel isolation on the network performance is avoided; the resource layer completes the correction division and packaging of data through the data processing module, the identity management module is mainly responsible for guaranteeing the safety of data for user information management and data key management under organization, and IPFS is introduced to further reduce the network pressure of the block chain; the application layer directly faces to users with different authorities under each organization, and data sharing among the organizations is achieved.
The QAR data management method based on the block chain technology specifically comprises the following steps:
the method comprises the following steps: establishing a alliance chain and an IPFS network between different organization network servers by using the super account book Fabric; firstly, different organizations divide different tasks in the network layer design, and the development of the intermediate CA ensures that even if a certain organization identity authentication private key is leaked, the certificate issued by the intermediate CA of the organization is only influenced; secondly, the account book in the network is designed in a key value pair format, wherein keys are organization IDs, flight IDs and data field IDs, and vlaue is a series of JSON nested format data stored under the keys and comprises corresponding equipment field data, data dates and IPFS file addresses, namely, the hash is stored. The specific method for adopting a fine-grained data isolation and authorization mode for the sensitive data field comprises the following steps: as shown in fig. 2, the org1 is required to authorize sensitive data fields to be viewed by formal users under org2, which other organization users in the same channel cannot view; firstly, after the data passes through IPFS, when the corresponding stored hash value is linked up, a symmetric encryption mode of org1 is adopted to generate a ciphertext, and the ciphertext 1 is linked up; secondly, encrypting the symmetric encryption key by using a public key of Org2 in an asymmetric encryption mode to generate ciphertext 2 and chaining, wherein the asymmetric encryption public key is obtained from a block chain network state database; and finally, when an official user under Org2 views the field data of the corresponding sensitive equipment, after identity verification, the private key of Org2 is used and the chain code is called to decrypt a symmetric key of corresponding Org1, and the symmetric key is used for decrypting a ciphertext to obtain a plaintext with a hash value and returning the plaintext to the application layer.
Step two: the data sharing organization realizes interaction with a network layer IPFS and a block chain network through a resource layer gateway server to complete the processing and uploading of the original QAR data; as shown in fig. 2, first, a data processing module under Org1 divides and corrects a data field according to flight ID and data type, stores the data field in a local database, counts the number of the current data of the field, and immediately packs the data to store in an IPFS when the data size reaches a predefined data size; secondly, acquiring the identity information of the equipment from an identity management module, and combining the flight ID, the stored hash value, the data date and other information into a product meeting the requirements of the network layer account book design; and finally, sending a transaction proposal, obtaining a transaction hash value by the uplink of the data, and storing the transaction hash value in a Web Server back-end database through an http request. And if the data field of the uploading device is judged to be a sensitive field, processing the storage hash by adopting the method in the first step.
Step three: and developing Web application by utilizing the Fabric SDK and the Web application development framework to realize data sharing and authority control among organizations. The common user needs to have authority to check data after an organization administrator applies identity information to the CA in the middle of the organization to become a formal user, and meanwhile, the identity information table is associated with the user table; when the user who acquires the authority inquires data, whether a storage hash address of the data field ID and the data date exists or not is judged through interaction with the chain code according to information such as organization ID, flight ID, data field ID and transaction hash, and if the storage hash address exists, the IPFS is continuously inquired to acquire the original data and the original data is returned to the application layer. For the query of the sensitive data field, as shown in fig. 3, firstly, after obtaining the transaction hash, obtaining a corresponding ciphertext 1 through interaction with the chain code, the Web Server initiates a transaction proposal again according to the data object requested by the user to obtain a ciphertext 2, secondly, the Web Server decrypts the ciphertext 2 by using an org2 private key to obtain an org1 symmetric key, and finally, decrypts the ciphertext 1 by using the symmetric key to obtain a storage hash, and queries the real data block information from the IPFS and returns the information.
Specific examples are given below.
The embodiment comprises the following steps:
the method comprises the following steps: and (4) building a alliance chain and an IPFS network between different organization network servers by using the hyper book Fabric.
1) And completing multi-server deployment and building of the Fabric network under the production environment according to the network structure design.
a) The blockchain network comprises 1 channel for sharing data, a group of orderer nodes for ordering services, 4 Peer nodes belonging to Org1 and Org2 organization in a domain, 2 CA nodes, the member of Org1 provides data, and the member of Org2 acquires data.
b) And configuring a docker container which is depended by the operation of each node, completing the establishment of the Fabric environment, and starting the corresponding mirror image service by using the docker-compound to complete the deployment.
2) The intermediate CA is developed using the fabric-CA-server service and certificates are issued by different organizational users.
a) And each component and user in the designed network generate a certificate, and the certificate is stored in a directory corresponding to the node domain name to complete corresponding yaml file writing.
b) The root CA issues certificates for the two organizations respectively to complete identity authentication.
c) A configuration file such as orderer0.yaml of each orderer is prepared, and note that certificate paths of corresponding nodes are set therein, and core.yaml of peer nodes of each organization are the same.
4) Creating a configx.yaml file, configuring domain names and port services of various organizations in the alliance, setting corresponding blocks and sequencing information, generating a created block and a channel configuration block.
a) And copying the directories of the corresponding files generated by the nodes to the machine where the corresponding nodes are located.
b) Creating a configx.yaml file, configuring information such as a federation organization node block, and generating a created block file by using a configxgen.
c) The configxgen was used to generate the channel file and two organised org1mspanchors.tx and org2mspanchors.tx files.
5) And creating a channel and adding each organization peer node into the channel to build an interactive network.
a) A channel configuration block mychannel block is created in the Admin @ org1. example.com directory and copied into Admin @ org2. example.com.
b) Each peer is added to the channel under Admin users of both organizations respectively and the anchor peer of each organization is designated for external communication.
6) The ledger structure is designed, and the couchDB is used as a state database.
a) The world state in the account book is stored in a state database in a key value pair mode, wherein the original data is corrected and divided to organize ID, flight ID and data field ID to form key, and value is composed of corresponding field numerical values, timestamps and IPFS file addresses, namely key value pairs in JSON format for storing hash.
b) And enabling the CouchDB to serve as a state database for storing JSON format data and rich queries.
7) And writing a user chain code by using a go language, and installing an instantiation chain code.
a) Compiling and identifying transaction objects, storing and inquiring public keys of different organizations, uploading and inquiring common and sensitive service data and other branch service logic chain codes.
b) By adopting a fine-grained data isolation scheme, taking the example that org1 shares sensitive equipment data to org2, wherein for uploading sensitive data fields, user identities and transaction objects need to be distinguished, the chain code logic is to firstly acquire the latest public key of org2 stored in a chain in advance and finish uploading ciphertext 1 data after being symmetrically encrypted by org1, and then return the transaction hash and the org2 organization public key to the gateway server.
c) Chain codes are packaged and signed with the Admin identity of org1, installation and instantiation of the chain codes are switched in each peer, and signed-demo-pack.out is copied to Admin @ org2. example.com for installation once.
Step two: the data sharing organization realizes the interaction with the network layer IPFS and the block chain network through the resource layer gateway server, and completes the processing and uploading of the original QAR data.
1) And the back-end program of the gateway server realizes automatic import and processing of QAR data of the original database system.
a) A request is sent by the identity management module in the gateway server client program to register an identity for the user via an administrator identity to the intermediate CA1 of org1.
b) And the intermediate CA performs user identity authentication after receiving the request, generates an identity certificate for the user after the request passes the authentication, and returns the identity certificate to the identity management module. And the identity management module stores the returned identity certificate in a local database.
c) The user of the data sharing organization org1 imports the QAR data files of the original database system into the system through the client program of the gateway server.
d) And a data processing module of a gateway server back-end program corrects some abnormal values and missing values in the original data by adopting a mean value difference compensation method, and performs division and format conversion according to flight IDs and different data field IDs.
2) And the gateway server back-end program realizes the storage and chaining of the processed data through the interaction with the IPFS and the chain code.
a) As shown in fig. 1, when the number of the data field reaches the preset value, the packed data block is sent to the IPFS network, and a data storage hash value is returned, where the preset value is the number of data generated in one flight phase of a single flight.
b) And acquiring different data field information from the identity management module, judging whether the data field is sensitive data, and if so, further acquiring a symmetric key from the identity management module to encrypt the stored hash value. The sensitive data field list can be changed through a client program of the gateway server and stored in the identity management module, and meanwhile, the sensitive data field list can also be synchronized in an application layer back-end database.
c) When the symmetric key set by the administrator through the client program of the gateway server changes, the data chaining needs to obtain the org1 symmetric key from the identity management module again and use the public key of the org2 to encrypt the ciphertext 2 uplink.
d) And the data processing module processes the formatted data according to the branch service logic in the chain code and the format requirement of the account book, performs packaging signature on the processed uploaded data by using the SDK, packages the signed data into a transaction proposal and sends the transaction proposal to the endorsement node in the channel.
e) And the data processing module sends the returned data transaction hash value to the application layer server through an http request and stores the data transaction hash value in a Web application back-end database.
Step three: and developing Web application by utilizing the Fabric SDK and the Web application development framework to complete data sharing and authority control among organizations.
1) The application layer is directly oriented to users with different authorities and is divided into common users, formal users and organization administrators.
a) The org2 user registers personal information including user name, password and the organization to which the user belongs through the Web Client, and the Web Server completes user registration and stores the information in the database user table.
b) The user successfully registered in the Web Client only has basic information for checking the operation state of the blockchain network as a common user, and further submits an application for obtaining the permission for checking the operation data of the equipment.
c) The organization administrator can manage the users under the organization, and when the organization administrator approves that the newly registered users become formal users, the organization administrator applies for identity information for the users from the CA node at the same time. The identity card returned by the CA node is stored in the identity information table and is associated with the user table in the database.
2) The data query request is executed.
a) As shown in fig. 3, a formal user or an organization administrator sends different types of requests through a client, first, queries whether the requests are sensitive data from a back-end database, and simultaneously, a Web Server queries user identity information and a corresponding transaction hash value from the database in an associated manner.
b) And the Web Server realizes interaction with the chain code through the Fabric SDK so as to obtain a data storage hash value, and if the data storage hash value is a common data query, corresponding data is queried in the IPFS according to the data storage hash value and returned to the client.
c) If the sensitive data is queried, a transaction proposal is initiated to obtain a ciphertext 2 according to a data object requested by a user, and an org1 symmetric key is decrypted by an org private key so as to analyze the real data block information.
The invention effectively solves the problems of data fusion, information protection and multi-subject cooperation in the construction process of the aviation information management system by using the block chain technology.
Claims (7)
1. A QAR data management method based on block chain technology is characterized in that a management framework comprises a resource layer, a network layer and an application layer from bottom to top:
the resource layer is a bottom gateway server device for providing data resources, physical equipment with certain storage and calculation capacity is used as a gateway server, different data fields in original QAR data are processed, and further upward transmission of data is completed by applying for identity authentication to an intermediate CA of a specific organization of the network layer and interacting with a block chain network node under the organization;
the network layer is a block chain network which is established by means of a multi-organization cooperation and data sharing under a super book Fabric platform and is used as a storage unit for uploading collected data of a resource layer and a source layer for accessing data of a client side of data sharing under a distributed network; the account book structure and the chain codes deployed in endorsement nodes and accounting nodes of different organizations complete business logic of data storage and data access, intermediate CA (certificate authority) of different organizations complete authority control and identity authentication of different organization nodes, a message queue Raft is used for providing sequencing service and a Gossip protocol is used for completing optimization of block chain network performance, and consensus communication and data distribution among the nodes are guaranteed;
the application layer is a client established for a web application framework, comprises three layers of data processing, service logic and a data interface, and completes the functions of data query, equipment management, chain code management and user authority management in a user authority range by operating the interaction of the Fabric SDK and the block chain network chain code;
the QAR data management method based on the block chain technology specifically comprises the following steps:
the method comprises the following steps: establishing a alliance chain and an IPFS network between different organization network servers by using the super account book Fabric;
step two: the data providing organization realizes the interaction with the network layer IPFS and the block chain network through a resource layer gateway server, and completes the processing and chaining of the original QAR data;
step three: and developing Web application by utilizing the Fabric SDK and the Web application development framework to complete data sharing and authority control among organizations.
2. The method of QAR data management based on blockchain technology as claimed in claim 1, wherein in step 1, the alliance chain and IPFS network construction includes network structure design, chain code design, intermediate CA development and ledger content design; the network structure is designed to be deployed by multiple servers in a production environment, multiple organizations comprise the same data sharing channel, corresponding endorsements and confirmation peer nodes are arranged under each organization, and a Raft sequencing mechanism is adopted; the chain code is designed as an important means for isolating sensitive data among organizations, channel data isolation in a coarse-grained mode with poor dynamic performance is abandoned, a finer-grained sensitive equipment data encryption authorization scheme is designed, the authorization mode is changed only by updating the chain code or a secret key, and the network pressure of a block chain is reduced; the intermediate CA is developed into each organization CA node issued by the root CA node, different organization users access the organization intermediate CA node to realize information registration and identity registration, obtain legal certificates and private keys and send the legal certificates and private keys to the MSP component for verification and management, and each organization administrator has the authority to register and register the equipment through the intermediate CA; the account book content is designed to be a storage format of peer node data in a channel, and a key value pair format is adopted, wherein keys are < organization ID, flight ID and data field ID >, and vlaue is a series of JSON nested format data stored under the keys and comprises data date and IPFS file address; the IPFS network is used to store blocks of raw QAR data fields that are processed and packed by the resource layer, further reducing blockchain network stress.
3. The method as claimed in claim 1, wherein in step 1, the specific steps of building a federation chain and an IPFS network between different organization web servers by using the hyper-ledger Fabric include:
(1) different organizations divide different tasks in the network layer design, and even if a private key for identity authentication of a certain organization is leaked, the certificate issued by the middle CA of the organization is only influenced through the development of the middle CA;
(2) the account book design in the network adopts a key value pair format, wherein key is < organization ID, flight ID and data field ID >, and vlaue is a series of JSON nested format data stored under key, including data date and IPFS file address;
(3) the specific method for adopting a fine-grained data isolation and authorization mode for sensitive data fields comprises the following steps: requiring the org1 to authorize sensitive data fields to be viewed by formal users under org2, which other organizational users in the same channel cannot view; firstly, after the data passes through IPFS, when the corresponding stored hash value is linked up, a symmetric encryption mode of org1 is adopted to generate a ciphertext, and the ciphertext 1 is linked up; secondly, encrypting the symmetric encryption key by using a public key of Org2 in an asymmetric encryption mode to generate ciphertext 2 and chaining, wherein the asymmetric encryption public key is obtained from a block chain network state database; and finally, when an official user under Org2 views the field data of the corresponding sensitive equipment, after identity verification, the private key of Org2 is used and the chain code is called to decrypt a symmetric key of corresponding Org1, and the symmetric key is used for decrypting a ciphertext to obtain a plaintext with a hash value and returning the plaintext to the application layer.
4. The method as claimed in claim 1, wherein in step 2, the processing of the original QAR data is completed mainly by an identity management module in a gateway server front-end program, using an administrator identity to complete identity registration for the user currently under the organization and storing the returned identity certificate in a local database; a user of a data providing organization imports a QAR data file of an original database system into the system through a front-end program and a back-end program of a gateway server, a data processing module corrects some abnormal values and missing values in original data by adopting a mean value difference complementing method, and divides and format-converts according to flight IDs and different data field IDs.
5. The method as claimed in claim 1, wherein in step 2, the resource layer gateway server is an intra-organization device with certain computing and storage capabilities, which does not belong to a node of the blockchain network, and serves as an interface for the organization to interact with the blockchain network, and is mainly used to run a relay program to complete data acquisition and processing for the underlying device, and mainly includes a data processing module and an identity management module.
6. The method as claimed in claim 1, wherein in step 2, the resource layer gateway server performs uplink of the processed QAR data by interacting with the network layer IPFS and the blockchain network by:
(1) when the number of the data fields reaches a preset value, the packed data blocks are sent to an IPFS network, a data storage hash value is returned, different data field information is obtained from the identity management module, whether the data fields are sensitive data or not is judged, if yes, a symmetric key is further obtained from the identity management module to encrypt the storage hash value; the sensitive data field list can be changed through a client program of the gateway server and stored in the identity management module, and meanwhile, the sensitive data field list can also be synchronized in an application layer back-end database;
(2) when the symmetric key generated by the administrator through the client program setting of the gateway server changes, the org1 symmetric key needs to be obtained from the identity management module again during data uplink, and ciphertext 2 uplink after encryption by using the public key of org2 is required;
(3) the data processing module processes the formatted data according to the branch business logic in the chain code and the format requirement of the account book, packages and signs the processed uploaded data by using the SDK, packages the data into a transaction proposal and sends the transaction proposal to an endorsement node in the channel;
(4) and the data processing module sends the returned data transaction hash value to the application layer server through an http request and stores the data transaction hash value in a Web application back-end database.
7. The QAR data management method based on block chain technology as claimed in claim 1, wherein in step 3, said Web application mainly completes the functions of user management, data query, chain code management, etc. within the user authority range; the application can be divided into three types of users, one type is a common user, the second type is a formal user, the third type is an organization administrator, the common user needs the organization administrator to apply identity information to the middle CA of the organization for the common user to become the formal user and then has the right to check data, and meanwhile, an identity information table used for storing information returned by the CA node is associated with the user table; the formal user or an organization administrator who obtains the data query authority sends different types of requests through a client according to organization ID, flight ID and data field ID, and after the requests are identified through a Web Server, the Web Server obtains corresponding transaction hash values from a database, and realizes interaction with chain codes through Fabric SDK so as to obtain data storage hash values, and finally queries corresponding data in IPFS according to the data storage hash values and returns the data to the client; for the inquiry of a field identified as sensitive data, firstly, after obtaining a transaction hash, obtaining a ciphertext 1 encrypted by a data providing organization symmetric key pair storage hash through interaction with a chain code, a Web Server initiates a transaction proposal again according to a data object requested by a user to obtain a ciphertext 2 encrypted by the data providing organization symmetric key pair data inquiry organization public key, then the Web Server decrypts the ciphertext 2 by using a data inquiry organization private key to provide the organization symmetric key, and finally decrypts the storage hash from the ciphertext 1 by using the symmetric key, inquires real data block information from an IPFS and returns the real data block information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011545224.2A CN112671580B (en) | 2020-12-23 | 2020-12-23 | QAR data management method based on blockchain technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011545224.2A CN112671580B (en) | 2020-12-23 | 2020-12-23 | QAR data management method based on blockchain technology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112671580A true CN112671580A (en) | 2021-04-16 |
| CN112671580B CN112671580B (en) | 2023-11-24 |
Family
ID=75409605
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011545224.2A Active CN112671580B (en) | 2020-12-23 | 2020-12-23 | QAR data management method based on blockchain technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112671580B (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111556049A (en) * | 2020-04-26 | 2020-08-18 | 苏州鸿链信息科技有限公司 | Block chain privacy protection method based on group isolation of consensus nodes |
| CN113259340A (en) * | 2021-05-10 | 2021-08-13 | 中国联合网络通信集团有限公司 | Block chain data processing method and device and electronic equipment |
| CN113572618A (en) * | 2021-08-10 | 2021-10-29 | 东北大学 | Fabric and IPFS combined decentralized storage system and data storage method thereof |
| CN114430350A (en) * | 2022-04-01 | 2022-05-03 | 南京智人云信息技术有限公司 | Network security communication system based on block chain intelligent contract |
| CN114844652A (en) * | 2022-06-07 | 2022-08-02 | 湛宗标 | Cloud authentication service system based on block chain and big data mining method |
| CN115277059A (en) * | 2022-06-10 | 2022-11-01 | 广州大学 | Airplane archive authority management control method based on block chain |
| CN115640597A (en) * | 2022-09-09 | 2023-01-24 | 南京审计大学 | Audit data validity verification method facing block chain low storage overhead |
| CN116432207A (en) * | 2023-06-07 | 2023-07-14 | 国网福建省电力有限公司 | Power data authority hierarchical management method based on blockchain |
| CN117372019A (en) * | 2023-12-01 | 2024-01-09 | 青岛民航凯亚系统集成有限公司 | Civil aviation airport settlement system and method based on blockchain platform alliance chain |
| CN117390659A (en) * | 2023-12-13 | 2024-01-12 | 江苏量界数据科技有限公司 | Authority control method based on distributed data calculation |
| CN117688088A (en) * | 2023-11-24 | 2024-03-12 | 浙江工业大学 | Distributed data trusted storage method based on block chain in cloud side environment |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110012015A (en) * | 2019-04-09 | 2019-07-12 | 中国科学院沈阳计算技术研究所有限公司 | A kind of internet of things data sharing method and system based on block chain |
| CN110233868A (en) * | 2019-04-20 | 2019-09-13 | 北京工业大学 | A kind of edge calculations data safety and method for secret protection based on Fabric |
| CN111539750A (en) * | 2020-04-27 | 2020-08-14 | 中山大学 | Commodity traceability system based on block chain and big data technology |
-
2020
- 2020-12-23 CN CN202011545224.2A patent/CN112671580B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110012015A (en) * | 2019-04-09 | 2019-07-12 | 中国科学院沈阳计算技术研究所有限公司 | A kind of internet of things data sharing method and system based on block chain |
| CN110233868A (en) * | 2019-04-20 | 2019-09-13 | 北京工业大学 | A kind of edge calculations data safety and method for secret protection based on Fabric |
| CN111539750A (en) * | 2020-04-27 | 2020-08-14 | 中山大学 | Commodity traceability system based on block chain and big data technology |
Non-Patent Citations (1)
| Title |
|---|
| 张弘: "基于区块链的物联网管理系统设计与实现", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111556049B (en) * | 2020-04-26 | 2021-12-10 | 苏州鸿链信息科技有限公司 | Block chain privacy protection method based on group isolation of consensus nodes |
| CN111556049A (en) * | 2020-04-26 | 2020-08-18 | 苏州鸿链信息科技有限公司 | Block chain privacy protection method based on group isolation of consensus nodes |
| CN113259340B (en) * | 2021-05-10 | 2023-02-24 | 中国联合网络通信集团有限公司 | Block chain data processing method and device and electronic equipment |
| CN113259340A (en) * | 2021-05-10 | 2021-08-13 | 中国联合网络通信集团有限公司 | Block chain data processing method and device and electronic equipment |
| CN113572618A (en) * | 2021-08-10 | 2021-10-29 | 东北大学 | Fabric and IPFS combined decentralized storage system and data storage method thereof |
| CN114430350A (en) * | 2022-04-01 | 2022-05-03 | 南京智人云信息技术有限公司 | Network security communication system based on block chain intelligent contract |
| CN114844652A (en) * | 2022-06-07 | 2022-08-02 | 湛宗标 | Cloud authentication service system based on block chain and big data mining method |
| CN114844652B (en) * | 2022-06-07 | 2024-05-03 | 北京信洋睿连科技有限公司 | Cloud authentication service system based on block chain and big data mining method |
| CN115277059A (en) * | 2022-06-10 | 2022-11-01 | 广州大学 | Airplane archive authority management control method based on block chain |
| CN115277059B (en) * | 2022-06-10 | 2023-05-12 | 广州大学 | Control method for aircraft archive authority management based on blockchain |
| CN115640597A (en) * | 2022-09-09 | 2023-01-24 | 南京审计大学 | Audit data validity verification method facing block chain low storage overhead |
| CN116432207A (en) * | 2023-06-07 | 2023-07-14 | 国网福建省电力有限公司 | Power data authority hierarchical management method based on blockchain |
| CN116432207B (en) * | 2023-06-07 | 2023-09-22 | 国网福建省电力有限公司 | Power data authority hierarchical management method based on blockchain |
| CN117688088A (en) * | 2023-11-24 | 2024-03-12 | 浙江工业大学 | Distributed data trusted storage method based on block chain in cloud side environment |
| CN117372019A (en) * | 2023-12-01 | 2024-01-09 | 青岛民航凯亚系统集成有限公司 | Civil aviation airport settlement system and method based on blockchain platform alliance chain |
| CN117372019B (en) * | 2023-12-01 | 2024-03-12 | 青岛民航凯亚系统集成有限公司 | Civil aviation airport settlement system and method based on blockchain platform alliance chain |
| CN117390659A (en) * | 2023-12-13 | 2024-01-12 | 江苏量界数据科技有限公司 | Authority control method based on distributed data calculation |
| CN117390659B (en) * | 2023-12-13 | 2024-04-02 | 江苏量界数据科技有限公司 | Authority control method based on distributed data calculation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112671580B (en) | 2023-11-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112671580B (en) | QAR data management method based on blockchain technology | |
| EP3843364B1 (en) | Method, device, and apparatus for processing cloud service in cloud system | |
| CN108270780B (en) | Multi-center digital identity management method in heterogeneous network environment | |
| CN111371561B (en) | Alliance block chain data access control method based on CP-ABE algorithm | |
| CN110572398B (en) | Block chain network control method, device, equipment and storage medium | |
| CN110543525B (en) | Block chain network control method, device, equipment and storage medium | |
| WO2020143470A1 (en) | Method for issuing digital certificate, digital certificate issuing center, and medium | |
| US9246888B2 (en) | Systems and methods for secure communication over an unsecured communication channel | |
| CN112417037A (en) | Block chain construction method for distributed identity authentication in industrial field | |
| US9369494B2 (en) | Techniques for establishing a trusted cloud service | |
| CN112217793B (en) | Cross-system trust management system suitable for power Internet of things | |
| CN102377788A (en) | Single sign-on (SSO) system and single sign-on (SSO) method | |
| CN103023920A (en) | Virtual machine safety protection method and virtual machine safety protection device | |
| CN103581143A (en) | User authority authentication method, system, client side and server side | |
| CN102714653B (en) | For the system and method for accessing private digital content | |
| WO2023221719A1 (en) | Data processing method and apparatus, computer device, and readable storage medium | |
| Song et al. | Smart contract-based trusted content retrieval mechanism for NDN | |
| KR101597035B1 (en) | Software Registration and Processing Method Using Hybrid Cloud-Based ICT Service System and Method thereof | |
| CN113452519B (en) | Key synchronization method and device, computer equipment and storage medium | |
| CN106060032B (en) | User data integration and reassignment method and system | |
| CN101662657B (en) | User login method of internet protocol television IPTV and system thereof | |
| CN109753824B (en) | Distributed electronic signature method and system | |
| CN104065612A (en) | User management method and device and unified user management system | |
| CN114760333B (en) | Electric power internet of things data trusted exchange method and system based on alliance chain identification service | |
| CN116684097A (en) | Node management method and related products |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |