CN112822016B - Method for data authorization on block chain and block chain network - Google Patents
Method for data authorization on block chain and block chain network Download PDFInfo
- Publication number
- CN112822016B CN112822016B CN202110098715.5A CN202110098715A CN112822016B CN 112822016 B CN112822016 B CN 112822016B CN 202110098715 A CN202110098715 A CN 202110098715A CN 112822016 B CN112822016 B CN 112822016B
- Authority
- CN
- China
- Prior art keywords
- key
- block
- ciphertext
- user node
- private
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Abstract
The invention provides a method for carrying out data authorization on a block chain and a block chain network, wherein the method comprises the following steps: the first user node initiates an authorization request for a first block of the second user node to generate a second block; when the second user node retrieves the second block, generating a negotiation key according to the second exclusive private key, the second random private key, the first exclusive public key and the first random public key of the second user node when the authorization request is granted; the second user node obtains the ciphertext in the first block, and decrypts to obtain private data; the second user node encrypts the private data by using the negotiation key to generate a fourth ciphertext, and generates a third block by the second exclusive public key, the second random public key and the fourth ciphertext; the first user node retrieves the second block and the third block from the blockchain, and decrypts the fourth ciphertext according to the content in the second block and the third block to obtain private data. The invention realizes reliable and safe data authorization between two user nodes.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method for performing data authorization on a blockchain and a blockchain network.
Background
The blockchain has the characteristics of distributed, decentralised, tamper-proof and the like. Because of the nature of blockchain construction, each node stores all of the blockdata that theoretically can be viewed by the user. When using blockchains for data storage and data exchange of sensitive data, the authority of a user to view the data needs to be verified and authorized, and the user can only view the authorized data. Meanwhile, because of the unique tamper-proof property of the blockchain, the processes of authorizing requests and data authorization are recorded on the blockchain, so that trace and trace of operations such as user request authorization, authorization operation, data query and the like can be realized. Thus, how to construct a method of data authorization and exchange on a blockchain is an essential requirement when a blockchain is specifically applied.
Disclosure of Invention
Accordingly, the present invention is directed to a method for performing data authorization on a blockchain and a blockchain network, which meet the above-mentioned needs.
A first embodiment of the present invention provides a method of data authorization on a blockchain, comprising:
the first user node initiates an authorization request for a first block generated by the second user node, and generates a second block according to the authorization request; the first block comprises a first ciphertext and a second ciphertext, and the first ciphertext is generated by encrypting a randomly generated secret key by a second exclusive public key of a second user node; the second ciphertext is generated by encrypting private data of a second user node by the key; the second block comprises the number of the first block, a first exclusive public key of the first user node, a first random public key generated randomly and a third ciphertext; the third ciphertext is obtained by encrypting a first random private key corresponding to the first random public key by a first exclusive public key;
when the second user node searches the second block on the blockchain network, feeding back the authorization request, and generating a negotiation key according to a second exclusive private key of the second user node, a second random private key generated randomly, a first exclusive public key in the second block and the first random public key when the authorization request is agreed;
the second user node retrieves and acquires the ciphertext in the first block on the block chain network, and decrypts the first ciphertext and the second ciphertext by using a second user private key to acquire the private data;
the second user node encrypts the private data by using the negotiation key to generate a fourth ciphertext, and takes the second exclusive public key, the second random public key and the fourth ciphertext as transaction data to generate a third block, and then the third block is stored on a block chain;
the first user node retrieves the second block and the third block from the blockchain, and decrypts a fourth ciphertext in the third block according to the contents in the second block and the third block to obtain the private data.
Preferably, the first ciphertext is generated by SM2 encrypting the key by the second exclusive public key; and the second ciphertext is generated by carrying out SM4 encryption on private data of the second user node by the key.
Preferably, the third ciphertext is generated by SM2 encrypting the first random private key by the first exclusive public key; the first random public key and the first random private key, the second random public key and the second random private key are a pair of key pairs randomly generated by an SM2 algorithm; and is different in each authorization request.
Preferably, the negotiation key is generated by a second exclusive private key, a second random private key, a first exclusive public key and a first random public key in a third block, performing key exchange calculation by using a key exchange protocol of an SM2 algorithm, and then using a KDF function.
Preferably, the second user node retrieves and obtains the ciphertext in the first block on the blockchain network, and decrypts the first ciphertext and the second ciphertext by using a second user private key to obtain the private data specifically includes:
the second user node searches a first block on a block chain and acquires data of a first ciphertext and a second ciphertext in the first block;
the second user node uses the second exclusive private key to perform SM2 decryption on the first ciphertext to obtain the key;
and the second user node uses the secret key to perform SM4 decryption on the second ciphertext to obtain the private data.
Preferably, the fourth ciphertext is generated by the second user node performing SM4 encryption on the private data using the negotiation key.
Preferably, the first user node retrieves the second block and the third block from the blockchain, and decrypts a fourth ciphertext in the third block according to contents in the second block and the third block to obtain the private data, which specifically includes:
the first user node searches a second block and a third block on the block chain and acquires data in the two blocks;
the first user node uses the first exclusive private key to decrypt the third ciphertext in the second block by SM2, and a first random private key is obtained;
the first user node uses a first exclusive private key and a first random private key, and uses a second exclusive public key and a second random public key in a third block, uses a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and uses a KDF function to generate the negotiation key;
and the first user node uses the negotiation key to decrypt the fourth ciphertext in the third block by SM4 to obtain the private data.
Preferably, the method further comprises:
and ending the authorization flow when the second user node does not agree with the authorization request.
The embodiment of the invention also provides a blockchain network, which comprises a plurality of user nodes for realizing communication through a point-to-point network, wherein the user nodes comprise a first user node and a second user node; wherein:
the first user node is used for initiating an authorization request for a first block generated by the second user node and generating a second block according to the authorization request; the first block comprises a first ciphertext and a second ciphertext, and the first ciphertext is generated by encrypting a randomly generated secret key by a second exclusive public key of a second user node; the second ciphertext is generated by encrypting private data of a second user node by the key; the second block comprises the number of the first block, a first exclusive public key of the first user node, a first random public key generated randomly and a third ciphertext; the third ciphertext is obtained by encrypting a first random private key corresponding to the first random public key by a first exclusive public key;
the second user node is configured to, when the second block is retrieved on the blockchain network, feed back the authorization request, and generate a negotiation key according to a second exclusive private key of the second user node, a second random private key generated randomly, a first exclusive public key in the second block, and the first random public key when the authorization request is granted;
the second user node is also used for retrieving and obtaining the ciphertext in the first block on the block chain network, and decrypting the first ciphertext and the second ciphertext by using a second user private key to obtain the private data;
the second user node is further configured to encrypt the private data according to the negotiation key to generate a fourth ciphertext, and store the third block generated by using the second exclusive public key, the second random public key and the fourth ciphertext as transaction data on a blockchain;
the first user node is further configured to retrieve the second block and the third block from the blockchain, and decrypt a fourth ciphertext in the third block according to contents in the second block and the third block, so as to obtain the private data.
Preferably, the second user node is specifically configured to:
using a second exclusive private key and a second random private key, and a first exclusive public key and a first random public key in a second block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
searching a first block on a block chain, and acquiring data of a first ciphertext and a second ciphertext in the first block;
performing SM2 decryption on the first ciphertext by using a second exclusive private key to obtain the key;
performing SM4 decryption on the second ciphertext by using the secret key to obtain the private data;
and carrying out SM4 encryption on the private data by using the negotiation key to generate a fourth ciphertext, and storing the second exclusive public key, the second random public key and the fourth ciphertext serving as transaction data to generate a third block on a block chain.
Preferably, the first user node is specifically configured to:
retrieving a second block and a third block on the blockchain, and acquiring data in the two blocks;
performing SM2 decryption on the third ciphertext in the second block by using the first exclusive private key to obtain a first random private key;
using a first exclusive private key and a first random private key, and a second exclusive public key and a second random public key in a third block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
and performing SM4 decryption on the fourth ciphertext in the third block by using the negotiation key to obtain the private data.
In the above embodiment, the process of sharing the private data D from the second user to the first user node through the key exchange mechanism between the first user node and the second user node is implemented. As long as the private keys of the first user node and the second user node are not revealed, the plaintext of the private data D cannot be obtained even if the third party node obtains the ciphertext of all the blocks in the data exchange process. Meanwhile, because the whole data exchange process is stored on the blockchain, the data exchange process can be traced back and forensic.
Furthermore, three methods are adopted in this embodiment to improve the security of the SM4 key:
(1) The SM4 key is randomly generated in a one-time-pad manner. When data are required to be encrypted, the encrypted secret key is randomly generated, so that even the same data, the encrypted ciphertext is different repeatedly, and the difficulty of decrypting the secret key is increased;
(2) For private data of a user, when the SM4 key is required to be stored on a blockchain, the SM2 algorithm is used for encrypting the SM4 key by using the private public key of the user, so that decryption can be ensured only by using the private key of the user;
(3) For the data which needs to be subjected to data exchange, the negotiation key K generated by key exchange by using the private keys of the users of the data exchange party is used as an SM4 key, so that the SM4 key and various private keys are not stored on a blockchain or transmitted in a network, and various public keys are stored and transmitted in the network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some examples of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart illustrating a method for data authorization on a blockchain according to a first embodiment of the present invention.
Fig. 2 is a schematic diagram of a blockchain network provided by a second embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, based on the embodiments of the invention, which are apparent to those of ordinary skill in the art without inventive faculty, are intended to be within the scope of the invention. Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, based on the embodiments of the invention, which are apparent to those of ordinary skill in the art without inventive faculty, are intended to be within the scope of the invention.
Referring to fig. 1, a first embodiment of the present invention provides a method for performing data authorization on a blockchain, comprising:
s101, a first user node initiates an authorization request for a first block generated by a second user node, and generates a second block according to the authorization request.
In this embodiment, the first user node and the second user node are located in a blockchain network, and the blockchain network generally includes a plurality of nodes that implement communication connection in a peer-to-peer network, where the nodes are peer-to-peer nodes, so as to implement decentralization.
In this embodiment, in particular, when the first user node wants to view the private data of the second user node, the second user node encrypts the private data into the first block and uploads the first block to the blockchain network.
Specifically, the second user node generates the first block by:
firstly, a second user node randomly generates a 128-bit key KA as an SM4 algorithm key used at this time;
then, the second user node encrypts the key KA by using its own second private public key, generating a first ciphertext C10.
The SM2 algorithm is totally called as an SM2 elliptic curve public key cryptographic algorithm, and is a public key cryptographic algorithm which is designed independently in China. The SM2 algorithm is different from the RSA algorithm in that the SM2 algorithm is based on a discrete logarithm problem of a point group on an elliptic curve, and compared with the RSA algorithm, the SM2 password strength of 256 bits is higher than that of 2048 bits.
Next, the second user node encrypts the private data D using the key KA, SM4, and generates a ciphertext second ciphertext C11.
The SM4 algorithm is totally called as an SM4 block cipher algorithm, and is a block symmetric cipher algorithm which is designed independently in China. The basic condition for ensuring the security of a symmetric cryptographic algorithm is that it has a sufficient key length, and the SM4 algorithm has the same key length and packet length as the AES algorithm, both of which are 128 bits, and thus is higher in security than the 3DES algorithm.
Finally, the second user node generates a first block by using the first ciphertext C10 and the second ciphertext C11 as transaction data, and stores the first block on a blockchain, wherein the first block number is denoted as H1.
In this embodiment, it should be noted that, for each node in the blockchain network, it has a pair of exclusive asymmetric key pairs, that is, one exclusive public key and one exclusive private key, where the exclusive public key is generally public, and the exclusive private key is visible only to the user node to which it belongs.
In this embodiment, when the first user node initiates the authorization request, a corresponding second block H2 is generated, where the second block H2 includes the number H1 of the first block, the first private public key of the first user node itself, the first random public key generated randomly, and the third ciphertext C20; the third ciphertext C20 is obtained by SM2 encrypting a first random private key that corresponds to the first random public key using a first private public key.
Wherein the first random public key and the first random private key are both a pair of key pairs randomly generated by SM2 algorithm and are different in each authorization request.
And S102, when the second user node searches the second block on the blockchain network, feeding back the authorization request, and generating a negotiation key according to a second exclusive private key of the second user node, a randomly generated second random private key, a first exclusive public key in the second block and the first random public key when the authorization request is agreed.
In this embodiment, if a second user node retrieves the second chunk H2 in the blockchain network, it may respond to the second chunk H2 as if it were authorized or not authorized. If the second user node does not agree with the authorization, ending the authorization flow. If the second user node agrees to the authorization, it generates a negotiation key K according to the second private key of the second user node itself, a second random private key generated randomly, the first private public key in the second block H2, and the first random public key.
The negotiation key K is generated by a second exclusive private key, a second random private key, a first exclusive public key and a first random public key in a second block H2, performing key exchange calculation by using a key exchange protocol of an SM2 algorithm, and then using a KDF function.
Wherein, the key generation function KDF generates the negotiation key K according to the algorithm given by the GMT 0003.3-2012.4.3.
And S103, the second user node retrieves and acquires the ciphertext in the first block on the block chain network, and decrypts the first ciphertext and the second ciphertext by using a second user private key to acquire the private data.
Specifically, the second user node first retrieves the first block H1 from the blockchain, obtains a first ciphertext and a second ciphertext in the first block H1, then decrypts the first ciphertext C10 by using a second exclusive private key to obtain the key KA, and finally decrypts the second ciphertext C11 by using the key KA to obtain the private data D.
And S104, the second user node encrypts the private data according to the negotiation key to generate a fourth ciphertext, and the second exclusive public key, the second random public key and the fourth ciphertext are used as transaction data to generate a third block, and then the third block is stored on a block chain.
Specifically, the second user node firstly encrypts the private data D by using the negotiation key K to generate a fourth ciphertext C30, and then uses the second exclusive public key, the second random public key and the fourth ciphertext C30 as transaction data to generate a third block H3, and stores the third block H3 in a blockchain.
S105, the first user node retrieves the second block and the third block from the block chain, and decrypts the fourth ciphertext in the third block according to the contents in the second block and the third block to obtain the private data.
Specifically:
first, the first user node searches a second block H2 and a third block H3 on a block chain, and acquires data in the two blocks;
then, the first user node uses the first exclusive private key to perform SM2 decryption on the third ciphertext C20 in the second block H2, and obtains a first random private key.
Then, the first user node uses the first exclusive private key and the first random private key, and uses the second exclusive public key and the second random public key in the third block H3 to perform key exchange calculation by using a key exchange protocol of the SM2 algorithm, and uses a KDF function to generate the negotiation key K.
Finally, the first user node uses the negotiation key K to decrypt SM4 from the fourth ciphertext C30 in the third block H3, and obtains the private data D.
The process of sharing the private data D from the second user node to the first user node via the key exchange mechanism is thus completed between the first user node and the second user node. As long as the private keys of the first user node and the second user node are not revealed, the plaintext of the private data D cannot be obtained even if the third party node obtains the ciphertext of all the blocks in the data exchange process. Meanwhile, because the whole data exchange process is stored on the blockchain, the data exchange process can be traced back and forensic.
Further, since only one key is required for the symmetric encryption algorithm, the same key is used for encryption and decryption. The security of the transaction data is thus dependent on whether the key is compromised. For this reason, three methods are adopted simultaneously in this embodiment to improve the security of the SM4 key:
(1) The SM4 key is randomly generated in a one-time-pad manner. When data are required to be encrypted, the encrypted secret key is randomly generated, so that even the same data, the encrypted ciphertext is different repeatedly, and the difficulty of decrypting the secret key is increased;
(2) For private data of a user, when the SM4 key is required to be stored on a blockchain, the SM2 algorithm is used for encrypting the SM4 key by using the private public key of the user, so that decryption can be ensured only by using the private key of the user;
(3) For the data which needs to be subjected to data exchange, the negotiation key K generated by key exchange by using the private keys of the users of the data exchange party is used as an SM4 key, so that the SM4 key and various private keys are not stored on a blockchain or transmitted in a network, and various public keys are stored and transmitted in the network.
The second embodiment of the present invention also provides a blockchain network, which includes a plurality of user nodes that implement communication through a point-to-point network, the user nodes including a first user node a and a second user node B; wherein:
the first user node A is used for initiating an authorization request for a first block generated by the second user node B and generating a second block according to the authorization request; the first block comprises a first ciphertext and a second ciphertext, and the first ciphertext is generated by encrypting a randomly generated secret key by a second exclusive public key of a second user node; the second ciphertext is generated by encrypting private data of a second user node by the key; the second block comprises the number of the first block, a first exclusive public key of the first user node, a first random public key generated randomly and a third ciphertext; the third ciphertext is obtained by encrypting a first random private key corresponding to the first random public key by a first exclusive public key;
the second user node B is configured to, when the second block is retrieved on the blockchain network, feed back the authorization request, and generate a negotiation key according to a second exclusive private key of the second user node, a second random private key generated randomly, a first exclusive public key in the second block, and the first random public key when the authorization request is granted;
the second user node B is also used for searching and obtaining the ciphertext in the first block on the block chain network, and decrypting the first ciphertext and the second ciphertext by using a second exclusive private key to obtain the private data;
the second user node B is further configured to encrypt the private data according to the negotiation key to generate a fourth ciphertext, and store the third block generated by using the second exclusive public key, the second random public key and the fourth ciphertext as transaction data on a blockchain;
the first user node a is further configured to retrieve the second block and the third block from the blockchain, and decrypt a fourth ciphertext in the third block according to contents in the second block and the third block, so as to obtain the private data.
Preferably, the second user node B is specifically configured to:
using a second exclusive private key and a second random private key, and a first exclusive public key and a first random public key in a second block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
searching a first block on a block chain, and acquiring data of a first ciphertext and a second ciphertext in the first block;
performing SM2 decryption on the first ciphertext by using a second exclusive private key to obtain the key;
performing SM4 decryption on the second ciphertext by using the secret key to obtain the private data;
and carrying out SM4 encryption on the private data by using the negotiation key to generate a fourth ciphertext, and storing the second exclusive public key, the second random public key and the fourth ciphertext serving as transaction data to generate a third block on a block chain.
Preferably, the first user node a is specifically configured to:
retrieving a second block and a third block on the blockchain, and acquiring data in the two blocks;
performing SM2 decryption on the third ciphertext in the second block by using the first exclusive private key to obtain a first random private key;
using a first exclusive private key and a first random private key, and a second exclusive public key and a second random public key in a third block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
and performing SM4 decryption on the fourth ciphertext in the third block by using the negotiation key to obtain the private data.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus and method embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present invention may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, an electronic device, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method of data authorization on a blockchain, comprising:
the first user node initiates an authorization request for a first block generated by the second user node, and generates a second block according to the authorization request; the first block comprises a first ciphertext and a second ciphertext, and the first ciphertext is generated by encrypting a randomly generated secret key by a second exclusive public key of a second user node; the second ciphertext is generated by encrypting private data of a second user node by the key; the second block comprises the number of the first block, a first exclusive public key of the first user node, a first random public key generated randomly and a third ciphertext; the third ciphertext is obtained by encrypting a first random private key corresponding to the first random public key by a first exclusive public key;
when the second user node searches the second block on the blockchain network, feeding back the authorization request, and generating a negotiation key according to a second exclusive private key of the second user node, a second random private key generated randomly, a first exclusive public key in the second block and the first random public key when the authorization request is agreed;
the second user node retrieves and acquires the ciphertext in the first block on the block chain network, and decrypts the first ciphertext and the second ciphertext by using a second user private key to acquire the private data;
the second user node encrypts the private data according to the negotiation key to generate a fourth ciphertext, and the second exclusive public key, the second random public key and the fourth ciphertext are used as transaction data to generate a third block and then stored on a block chain;
the first user node retrieves the second block and the third block from the blockchain, and decrypts a fourth ciphertext in the third block according to the contents in the second block and the third block to obtain the private data.
2. The method of data authorization on a blockchain of claim 1, wherein the first ciphertext is generated by SM2 encrypting the key with the second proprietary public key; and the second ciphertext is generated by carrying out SM4 encryption on private data of the second user node by the key.
3. The method of data authorization on a blockchain of claim 1, wherein the third ciphertext is generated by SM2 encryption of the first random private key by a first private public key; the first random public key and the first random private key, the second random public key and the second random private key are a pair of key pairs randomly generated by an SM2 algorithm; and is different in each authorization request.
4. The method of claim 1, wherein the negotiation key is generated from a second proprietary private key and a second random private key, and a first proprietary public key and a first random public key in a third block, using a key exchange protocol of SM2 algorithm for key exchange computation, and using a KDF function.
5. The method for performing data authorization on a blockchain according to claim 1, wherein the second user node retrieves ciphertext in a first block on a blockchain network, and decrypts the first ciphertext and the second ciphertext using a second user private key to obtain the private data specifically comprises:
the second user node searches a first block on a block chain and acquires data of a first ciphertext and a second ciphertext in the first block;
the second user node uses the second exclusive private key to perform SM2 decryption on the first ciphertext to obtain the key;
and the second user node uses the secret key to perform SM4 decryption on the second ciphertext to obtain the private data.
6. The method of data authorization on a blockchain of claim 1, wherein the fourth ciphertext is generated by a second user node SM4 encrypting the private data using the negotiation key.
7. The method of claim 1, wherein the first user node retrieves the second block and the third block from the blockchain, and decrypts a fourth ciphertext in the third block based on content in the second block and the third block to obtain the private data, and the method specifically comprises:
the first user node searches a second block and a third block on the block chain and acquires data in the two blocks;
the first user node uses the first exclusive private key to decrypt the third ciphertext in the second block by SM2, and a first random private key is obtained;
the first user node uses a first exclusive private key and a first random private key, and uses a second exclusive public key and a second random public key in a third block, uses a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and uses a KDF function to generate the negotiation key;
and the first user node uses the negotiation key to decrypt the fourth ciphertext in the third block by SM4 to obtain the private data.
8. A blockchain network comprising a plurality of user nodes that communicate over a point-to-point network, the user nodes comprising a first user node and a second user node; wherein:
the first user node is used for initiating an authorization request for a first block generated by the second user node and generating a second block according to the authorization request; the first block comprises a first ciphertext and a second ciphertext, and the first ciphertext is generated by encrypting a randomly generated secret key by a second exclusive public key of a second user node; the second ciphertext is generated by encrypting private data of a second user node by the key; the second block comprises the number of the first block, a first exclusive public key of the first user node, a first random public key generated randomly and a third ciphertext; the third ciphertext is obtained by encrypting a first random private key corresponding to the first random public key by a first exclusive public key;
the second user node is configured to, when the second block is retrieved on the blockchain network, feed back the authorization request, and generate a negotiation key according to a second exclusive private key of the second user node, a second random private key generated randomly, a first exclusive public key in the second block, and the first random public key when the authorization request is granted;
the second user node is also used for retrieving and obtaining the ciphertext in the first block on the block chain network, and decrypting the first ciphertext and the second ciphertext by using a second user private key to obtain the private data;
the second user node is further configured to encrypt the private data with the negotiation key to generate a fourth ciphertext, and store the third block with the second exclusive public key, the second random public key and the fourth ciphertext as transaction data to a blockchain;
the first user node is further configured to retrieve the second block and the third block from the blockchain, and decrypt a fourth ciphertext in the third block according to contents in the second block and the third block, so as to obtain the private data.
9. The blockchain network of claim 8, wherein the second user node is specifically configured to:
using a second exclusive private key and a second random private key, and a first exclusive public key and a first random public key in a second block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
searching a first block on a block chain, and acquiring data of a first ciphertext and a second ciphertext in the first block;
performing SM2 decryption on the first ciphertext by using a second exclusive private key to obtain the key;
performing SM4 decryption on the second ciphertext by using the secret key to obtain the private data;
and carrying out SM4 encryption on the private data by using the negotiation key to generate a fourth ciphertext, and storing the second exclusive public key, the second random public key and the fourth ciphertext serving as transaction data to generate a third block on a block chain.
10. The blockchain network of claim 8, wherein the first user node is specifically configured to:
retrieving a second block and a third block on the blockchain, and acquiring data in the two blocks;
performing SM2 decryption on the third ciphertext in the second block by using the first exclusive private key to obtain a first random private key;
using a first exclusive private key and a first random private key, and a second exclusive public key and a second random public key in a third block, using a key exchange protocol of an SM2 algorithm to perform key exchange calculation, and using a KDF function to generate the negotiation key;
and performing SM4 decryption on the fourth ciphertext in the third block by using the negotiation key to obtain the private data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110098715.5A CN112822016B (en) | 2021-01-25 | 2021-01-25 | Method for data authorization on block chain and block chain network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110098715.5A CN112822016B (en) | 2021-01-25 | 2021-01-25 | Method for data authorization on block chain and block chain network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112822016A CN112822016A (en) | 2021-05-18 |
| CN112822016B true CN112822016B (en) | 2023-04-28 |
Family
ID=75859163
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110098715.5A Active CN112822016B (en) | 2021-01-25 | 2021-01-25 | Method for data authorization on block chain and block chain network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112822016B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114401102A (en) * | 2021-11-29 | 2022-04-26 | 南威软件股份有限公司 | HTTP request parameter encryption scheme based on cryptographic algorithm |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102017578A (en) * | 2008-05-09 | 2011-04-13 | 高通股份有限公司 | Network helper for authentication between a token and verifiers |
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN111404950A (en) * | 2020-03-23 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Information sharing method and device based on block chain network and related equipment |
| CN111431713A (en) * | 2020-03-27 | 2020-07-17 | 财付通支付科技有限公司 | Private key storage method and device and related equipment |
| CN112116472A (en) * | 2020-09-18 | 2020-12-22 | 上海计算机软件技术开发中心 | Block chain cross-chain transaction model and method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102009059893A1 (en) * | 2009-12-21 | 2011-06-22 | Siemens Aktiengesellschaft, 80333 | Apparatus and method for securing a negotiation of at least one cryptographic key between devices |
-
2021
- 2021-01-25 CN CN202110098715.5A patent/CN112822016B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102017578A (en) * | 2008-05-09 | 2011-04-13 | 高通股份有限公司 | Network helper for authentication between a token and verifiers |
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN111404950A (en) * | 2020-03-23 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Information sharing method and device based on block chain network and related equipment |
| CN111431713A (en) * | 2020-03-27 | 2020-07-17 | 财付通支付科技有限公司 | Private key storage method and device and related equipment |
| CN112116472A (en) * | 2020-09-18 | 2020-12-22 | 上海计算机软件技术开发中心 | Block chain cross-chain transaction model and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112822016A (en) | 2021-05-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7634659B2 (en) | Roaming hardware paired encryption key generation | |
| US10979221B2 (en) | Generation of keys of variable length from cryptographic tables | |
| CN113259329B (en) | Method and device for data careless transmission, electronic equipment and storage medium | |
| EP2361462B1 (en) | Method for generating an encryption/decryption key | |
| US20030123667A1 (en) | Method for encryption key generation | |
| CN105743645B (en) | Stream code key generating means, method and data encryption, decryption method based on PUF | |
| US20140355757A1 (en) | Encryption / decryption of data with non-persistent, non-shared passkey | |
| CA2548229A1 (en) | Enabling stateless server-based pre-shared secrets | |
| EP3476078B1 (en) | Systems and methods for authenticating communications using a single message exchange and symmetric key | |
| CA2548356A1 (en) | Avoiding server storage of client state | |
| WO1990009009A1 (en) | Data carrier and data communication apparatus using the same | |
| CN103237040A (en) | Storage method, storage server and storage client | |
| CN112804205A (en) | Data encryption method and device and data decryption method and device | |
| CN109543443A (en) | User data management, device, equipment and storage medium based on block chain | |
| CN112532580B (en) | Data transmission method and system based on block chain and proxy re-encryption | |
| CN104158880A (en) | User-end cloud data sharing solution | |
| WO2014078951A1 (en) | End-to-end encryption method for digital data sharing through a third party | |
| CN103236934A (en) | Method for cloud storage security control | |
| US20050141718A1 (en) | Method of transmitting and receiving message using encryption/decryption key | |
| CN112822016B (en) | Method for data authorization on block chain and block chain network | |
| CN112528309A (en) | Data storage encryption and decryption method and device | |
| CN116015874A (en) | User privacy anti-theft system based on blockchain | |
| KR101793528B1 (en) | Certificateless public key encryption system and receiving terminal | |
| Pushpa | Enhancing Data Security by Adapting Network Security and Cryptographic Paradigms | |
| KR100763464B1 (en) | Method of exchanging secret key for secured communication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 361000 one of 504, No. 18, guanri Road, phase II, software park, Xiamen, Fujian Applicant after: XIAMEN YILIANZHONG YIHUI TECHNOLOGY CO.,LTD. Address before: Room 504, No.18, guanri Road, phase II, software park, Xiamen City, Fujian Province, 361000 Applicant before: XIAMEN YILIANZHONG YIHUI TECHNOLOGY CO.,LTD. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |