CN112926082A - Information processing method and device based on block chain - Google Patents
Information processing method and device based on block chain Download PDFInfo
- Publication number
- CN112926082A CN112926082A CN202110171119.5A CN202110171119A CN112926082A CN 112926082 A CN112926082 A CN 112926082A CN 202110171119 A CN202110171119 A CN 202110171119A CN 112926082 A CN112926082 A CN 112926082A
- Authority
- CN
- China
- Prior art keywords
- information
- user
- node
- access
- blockchain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000010365 information processing Effects 0.000 title claims description 20
- 238000003672 processing method Methods 0.000 title description 12
- 238000000034 method Methods 0.000 claims abstract description 51
- 238000012545 processing Methods 0.000 claims description 7
- 238000012795 verification Methods 0.000 abstract description 8
- 238000013475 authorization Methods 0.000 description 18
- 230000008569 process Effects 0.000 description 13
- 239000004744 fabric Substances 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007480 spreading Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Medical Informatics (AREA)
- Storage Device Security (AREA)
Abstract
The method encrypts sensitive information and stores the encrypted sensitive information in a block chain, and the sensitive information can be decrypted only through a specified node; when a user accesses sensitive information, firstly, whether the user has the authority to access the sensitive information is determined through authority verification, if yes, the decrypted sensitive information is obtained from a designated node and returned to the user, and if not, error information is returned or encrypted information is obtained from other nodes and returned to the user; in addition, user access to sensitive information is also recorded and stored to the blockchain. Therefore, the encrypted sensitive information can be safely shared and wholly tracked and managed by using the characteristics that the block chain data can not be tampered and traced, an authorized user can directly obtain the plaintext information of the sensitive information through the nodes of the block chain, and illegal access can be traced and traced.
Description
Technical Field
The present application relates to the field of information processing, and in particular, to an information processing method and apparatus based on a block chain.
Background
With the increasing degree of digitalization of various information and the continuous development of internet technology, the dissemination and sharing of various information are easier. In the process of information spreading and sharing, how to ensure the information security of sensitive information such as personal privacy and national security becomes an increasingly prominent problem.
The blockchain has the characteristics of decentralization, non-tampering and the like, and is particularly suitable for storing some important information, but the information on the blockchain is often recorded in each node and shared by users on the blockchain, so that the application of blockchain technology in storing sensitive information is limited.
Disclosure of Invention
The applicant creatively provides an information processing method and device based on a block chain.
According to a first aspect of embodiments of the present application, there is provided an information processing method based on a block chain, the method including: acquiring an information access request sent by a user, wherein first information corresponding to the information access request is in a ciphertext form and is stored in a block chain; determining whether a user has the right to access corresponding information, if so, acquiring second information from a first-class node on the block chain, wherein the second information is the first information decrypted by the first-class node, and if not, acquiring third information, and the third information is error information or the first information acquired from the second-class node on the block chain; storing the access record to a blockchain; and sending the second information or the third information to the user.
According to an embodiment of the present application, acquiring the second information from the first type node on the blockchain includes: sending the information access request to a first type node, and decrypting the first information by the first type node to obtain second information; and receiving second information returned by the first type node.
According to an embodiment of the present application, determining whether a user has a right to access corresponding information includes: acquiring identity authentication information of a user; and determining whether the user has the right to access the corresponding information according to the security policy and the identity authentication information.
According to an embodiment of the present application, before determining whether the user has the right to access the corresponding information according to the security policy and the identity authentication information, the method further includes: and establishing a security policy corresponding to the user identity authentication information.
According to an embodiment of the present application, storing an access record to a blockchain includes: acquiring user information for sending an information access request; generating an access record according to the user information and the information access request; the access record is stored to the blockchain.
According to an embodiment of the present application, the method further comprises: acquiring fourth information to be stored; encrypting fourth information to be stored by the first class node to obtain first information; the first information is stored to a blockchain.
According to an embodiment of the application, the first information is in a form of a ciphertext obtained by encrypting with a key, the key is stored on the first-class node, and the second information is the first information decrypted by the key on the first-class node.
According to an embodiment of the present application, before obtaining the key from the first-class node, the method further includes: determining a first type of node according to the first configuration information; the key is stored to the first type node.
According to an embodiment of the present application, the method further comprises: determining at least one node from the nodes of the blockchain; establishing configuration information and determining at least one node as a first type node; and allocating private data set storage space for the first type of nodes, wherein the private data set storage space is used for storing the keys.
According to a second aspect of embodiments of the present application, an information processing apparatus based on a block chain, the apparatus comprising: the information access request acquisition module is used for acquiring an information access request sent by a user, and first information corresponding to the information access request is in a ciphertext form and is stored in a block chain; the information acquisition module is used for determining whether a user has the authority of accessing corresponding information, if so, acquiring second information from a first-class node on the block chain, wherein the second information is the first information decrypted by the first-class node, and if not, acquiring third information which is error information or the first information acquired from the second-class node on the block chain; the access record storage module is used for storing the access record to the block chain; and the information returning module is used for sending the second information or the third information to the user.
The embodiment of the application provides an information processing method and device based on a block chain, wherein sensitive information is stored in the block chain after being encrypted, and the sensitive information can be decrypted only in a specified node; when a user accesses sensitive information, firstly, whether the user has the authority to access the sensitive information is determined through authority verification, if yes, the decrypted sensitive information is obtained from a designated node and returned to the user, and if not, error information is returned or encrypted information is obtained from other nodes and returned to the user; in addition, user access to sensitive information is also recorded and stored to the blockchain.
Therefore, the sensitive information can be safer through information encryption, and the encrypted sensitive information is subjected to shared storage and whole-course tracking management by using the characteristics that the block chain data is not falsifiable and traceable; in the embodiment of the application, the nodes of the block chain are divided into two types of nodes, the first type of nodes can decrypt the encrypted information to obtain the decrypted information, and the second type of nodes cannot decrypt the encrypted information and only can obtain the encrypted information. Therefore, when the user passing the authority verification can directly obtain the decryption information through the first type node, the decryption process is simplified, and the user not passing the authority verification only obtains error information or obtains the encryption information from the second type node. Therefore, illegal access can be prevented, and operations such as updating and inquiring of sensitive information are guaranteed to be carried out under authorization.
And the access record of the user accessing the sensitive information is stored in the block chain, so that the access record data can be safe, credible and not tampered, and the whole-process tracking of the access record can be conveniently carried out.
It is to be understood that the implementation of the present application does not require all of the above-described advantages to be achieved, but rather that certain technical solutions may achieve certain technical effects, and that other embodiments of the present application may also achieve other advantages not mentioned above.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present application will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present application are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Fig. 1 is a schematic flow chart illustrating an implementation of an embodiment of an information processing method based on a block chain according to the present application;
FIG. 2 is a schematic diagram of a system architecture and information interaction of another embodiment of the block chain-based information processing method according to the present application;
fig. 3 is a schematic structural diagram of an embodiment of an information processing apparatus based on a block chain according to the present application.
Detailed Description
In order to make the objects, features and advantages of the present application more obvious and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Fig. 1 shows an implementation flow of an information processing method based on a block chain in an embodiment of the present application. Referring to fig. 1, an embodiment of the present application provides an information processing method based on a block chain, where the method includes: operation 110, acquiring an information access request sent by a user, where a first information corresponding to the information access request is in a ciphertext form and is stored in a block chain; operation 120, determining whether the user has the right to access the corresponding information, if so, obtaining second information from the first type node on the blockchain, where the second information is the first information decrypted by the first type node, and if not, obtaining third information, where the third information is error information or the first information obtained from the second type node on the blockchain; operation 130, store the access record to the blockchain; in operation 140, the second information or the third information is sent to the user.
In operation 110, the information access request includes a variety of operations, such as view, change, and delete. The information requested by the information access request sent by the user is typically sensitive information, i.e., data that can only be viewed by people with access to the sensitive information, such as electronic medical records, payroll, personal educational experiences, resident income check reports, social assistance information, and the like. The sensitive information is stored on the block chain in a ciphertext form, namely first information, so that the authenticity and the effectiveness of the data can be ensured by utilizing the characteristic that the data of the block chain cannot be tampered, the safety and the reliability of the sensitive information can be ensured, the sensitive information can be shared through a shared account book in time, and information leakage can not be caused.
Although, for a person with access right to sensitive information, if only information in the form of ciphertext can be obtained, other encryption and decryption systems must be used for support, which causes much inconvenience.
To this end, in operation 120, the embodiment of the present application introduces an authorization check and sensitive information decryption process into the process of accessing the blockchain information, and decrypts the first information in the form of the ciphertext through the first type node on the blockchain. Therefore, the maintenance cost of a plurality of sets of systems can be further saved, and the user operation can be greatly simplified. However, this operation can only be opened for users with access rights to sensitive information, and different processing is required for other users. Therefore, it is necessary to perform the permission check in the re-operation 120 to ensure that only the user with the access permission of the sensitive information can obtain the decrypted sensitive information.
In addition, in order to ensure absolute safety, reliability and credibility of the sensitive information, the nodes on the block chain are further divided into a first type of node and a second type of node, wherein the first type of node and the second type of node are both nodes of the block chain and share a set of account book, and the sensitive information stored on the account book is in an encrypted ciphertext form, namely the first information. Only the first type of node can decrypt the sensitive information in the form of the ciphertext and return the decrypted plaintext information, while the second type of node cannot decrypt the sensitive information in the form of the ciphertext and can only store and return the sensitive information in the form of the ciphertext.
On one hand, when consensus is executed, credibility and non-tamper property of information can be ensured, and the first class of nodes are prevented from modifying an account book in a serial way; on the other hand, it can also be used to handle information access without authorization checking.
In operation 120, determining whether the user has the right to access the corresponding information may employ any existing or applicable authorization checking method, and may even be integrated with an existing authorization checking system as long as the authorization result is obtained.
When the result of the authorization check shows that the user has the authority of accessing the sensitive information, the user request can be forwarded to the first type of node, the first type of node decrypts the sensitive information in the form of the ciphertext, namely the first information, to obtain the second information, and the second information is the sensitive information which can be directly viewed after decryption.
When the user does not have the right to access the corresponding information, the following steps can be performed: and directly returning unauthorized error information (third information) or forwarding an information access request of a user to a second type node of the block chain, so that the user without access authority can only obtain information in a ciphertext form (at the moment, the third information is the first information) but cannot obtain decrypted information (the second information). In this way, it can be ensured that only users having the right to access the corresponding information can obtain the plaintext information of the sensitive information, i.e. the second information.
In addition, if the illegal user cannot obtain the plaintext information, the illegal user may send a large amount of information access requests for information attack by replacing the user or authorizing the information. These information attacks consume a large amount of system processing power and affect the normal processing of information access requests. If the illegal user cannot be found and positioned in time, corresponding measures cannot be taken to prevent the illegal user from information attack.
Therefore, in operation 130, the access record is stored in the blockchain to form data that cannot be tampered and traced, so that access tracking and information analysis are performed to find and locate an illegal user, and a corresponding measure is taken in time to organize the illegal user to perform information attack.
Wherein accessing the record at a minimum comprises: user information for sending the information access request and information requested by the information access request. The user information may include user identification, user network IP, and other information that may help locate an illegal user.
Then, for the user with information access right, the decrypted sensitive information can be returned through operation 140; for the user without information access right, an error message or the first information, i.e. the third information, obtained from the second type node may be returned through operation 140.
Therefore, the sensitive information can be safer through information encryption, and the encrypted sensitive information is subjected to shared storage and whole-course tracking management by using the characteristics that the block chain data is not falsifiable and traceable; in the embodiment of the application, the nodes of the block chain are divided into two types of nodes, so that the first type of nodes can decrypt the encrypted information to obtain the decrypted information, and the second type of nodes cannot decrypt the encrypted information and only can obtain the encrypted information. Therefore, when the user passing the authority verification can directly obtain the decryption information through the first class node, the decryption process is simplified, and the user not passing the authority verification only obtains error information or encryption information obtained from the second class node. Therefore, illegal access can be prevented, and operations such as updating and inquiring of sensitive information are guaranteed to be performed under the authorization of the data owner.
And the access record of the user accessing the sensitive information is stored in the block chain, so that the access record data can be safe, credible and not tampered, and the whole-process tracking of the access record can be conveniently carried out.
It should be noted that the embodiment shown in fig. 1 is only one basic embodiment of the block chain-based information processing method of the present application, and further refinement and expansion can be performed by an implementer on the basis of the embodiment.
According to an embodiment of the present application, acquiring the second information from the first type node on the blockchain includes: sending the information access request to a first type node, and decrypting the first information by the first type node to obtain second information; and receiving second information returned by the first type node.
The information access request is sent to the first type node, decrypted by the first type node, and returned second information is received from the first type node, so that the decryption process is limited to the first type node, and a black box process is formed, and the security is higher.
In particular, the first information may be decrypted by executing a blockchain intelligence contract stored on the first type of node.
According to an embodiment of the present application, determining whether a user has a right to access corresponding information includes: acquiring identity authentication information of a user; and determining whether the user has the right to access the corresponding information according to the security policy and the identity authentication information.
The identity authentication information mainly refers to validated effective information that can identify the identity of the user, which is obtained through identity authentication, for example, a user ID, a role that the user has, and a group in which the user is located.
The security policy is a rule that allows which users to perform which operations on which information under which conditions. Typically, these security policies are pre-established and may be stored in any suitable data storage system in any suitable information format.
When the identity authentication information of the user is obtained, the identity authentication information can be obtained by self-identity authentication of the user, and can also be obtained from a third-party identity authentication system. Then, the security policy matched with the user identity can be obtained from the security policy pre-established by the root according to the identity authentication information, and whether the user has the right to access the corresponding information is further determined through the matched security policy.
According to an embodiment of the present application, before determining whether the user has the right to access the corresponding information according to the security policy and the identity authentication information, the method further includes: and establishing a security policy corresponding to the user identity authentication information.
According to the available user identity authentication information, a security policy corresponding to the user identity authentication information is established, and after the user identity authentication information is obtained, the security policy matched with the user identity authentication information can be found more quickly, so that the computational complexity of the security policy is simplified, and the processing time of authorization verification is shortened.
According to an embodiment of the present application, storing an access record to a blockchain includes: acquiring user information for sending an information access request; generating an access record according to the user information and the information access request; the access record is stored to the blockchain.
The user information is information that can identify and locate a user, such as a user ID or a user IP address, and the information can be obtained through a process of user identity authentication or through a network address sent by a request.
Specifically, when the access record is stored in the blockchain and stored in the blockchain, the access record can be uploaded to the blockchain by directly calling an interface provided by the blockchain, and then the access record is stored in the shared account book through consensus.
According to an embodiment of the present application, the method further comprises: acquiring fourth information to be stored; encrypting fourth information to be stored by the first class node to obtain first information; the first information is stored to a blockchain.
The fourth information is sensitive information to be stored, and may be original information or updated information. Usually, the encryption and decryption of information is the reverse process, in which some corresponding data is used, such as paired encryption and decryption keys, symmetric or asymmetric encryption and decryption algorithms, etc. Therefore, the encryption process of the information is also preferably performed by the first type node.
When the first information storage value block chain is used, the fourth information can be sent to the first type node, the encrypted information can be obtained from the first type node, and then the access record is stored in the block chain by a similar method of storing the access record; or the fourth information can be sent to the first-class node, and the fourth information is encrypted by the first-class node and then directly stored in the block chain.
According to an embodiment of the application, the first information is in a form of a ciphertext obtained by encrypting with a key, the key is stored on the first-class node, and the second information is the first information decrypted by the key on the first-class node.
The key is used for encrypting and decrypting the sensitive information, and the storage position of the key can be controlled to control which nodes can encrypt and decrypt the sensitive information.
According to an embodiment of the present application, before obtaining the key from the first-class node, the method further includes: determining a first type of node according to the first configuration information; the key is stored to the first type node.
The first configuration information is a configuration information of the blockchain, and is used to specify which nodes are configuration information of the first type of nodes, for example, the superhedger Fabric blockchain provides configuration options for the configurable private data set nodes. Reading this configuration information makes it possible to determine which nodes are nodes of the first type and to store the keys to the nodes of the first type. The sensitive information can then be encrypted and decrypted by the key.
In addition, in order to ensure the security and effectiveness of the key, the key used for encryption and decryption is updated regularly. Therefore, after the key update, the key information stored in the first-class node also needs to be updated.
If a plurality of nodes in the blockchain are all first-class nodes, the key needs to be stored in each node of the first-class nodes when the key is stored in the first-class nodes.
According to an embodiment of the present application, the method further comprises: determining at least one node from the nodes of the blockchain; establishing configuration information and determining at least one node as a first type node; and allocating private data set storage space for the first type of nodes, wherein the private data set storage space is used for storing the keys.
At least one node may be determined from the nodes of the blockchain as a first type node when establishing the configuration information. When the first type node is determined, any node may be selected from a blockchain with a strict access control (e.g., a private network), or a node with a strict information access control may be selected from the blockchain, so as to ensure the security of the key.
Theoretically, the more the number of the first-class nodes is, the better the method is, on one hand, the processing capacity of the user information access request can be shared, and on the other hand, the trueness and the credibility of the information can be ensured.
Then, since the key is private data that cannot be shared with other nodes, a private data set storage space needs to be created for the first-class node to store the key for encrypting and decrypting sensitive information.
The above embodiments are exemplary illustrations of how to further refine and expand on the basis of the basic embodiment shown in fig. 1, and an implementer may combine various implementations in the above embodiments to form a new embodiment according to specific implementation conditions and needs, so as to achieve a more ideal implementation effect.
Fig. 2 shows a system architecture and information interaction diagram of another embodiment of the present application. The embodiment integrates various implementation modes of the above embodiments, and finally forms an optimized and new embodiment.
As shown in fig. 2, in the blockchain system applied in this embodiment, a user accesses information stored in a blockchain through a blockchain client 20.
Specifically, a user first sends an information access request to the blockchain client 20, the blockchain client 20 filters and screens the information access request sent by the user, only valid and legal information access requests are sent to nodes (for example, the node 21, the node 22, and the node 23) in the blockchain, and then information obtained by the blockchain is returned to the user, so that the information processing amount of the blockchain is greatly reduced, and the information security of the blockchain can be further ensured.
It is assumed that the blockchain shown in fig. 2 is implemented by a Hyperhedger Fabric blockchain, in which an electronic medical record of a patient is stored, and the electronic medical record is stored in nodes of the blockchain, for example, in the node 21, the node 22, and the node 23, in the form of ciphertext sensitive information obtained by encrypting a key.
Before receiving user access information, configuring the nodes 21 and 22 as first-class nodes for setting the private data sets through configuration options of a HyperLegendr Fabric blockchain private data set, and allocating private data set storage spaces for the nodes 21 and 22.
And then, storing the key for encrypting and decrypting the electronic medical record to the first type nodes, namely the node 21 and the node 22, through an interface provided by the HyperLegger Fabric blockchain. In this way, besides the ciphertext sensitive information and the sensitive access record, the first-class node also stores private data including a key; and the node 23 is used as a second type node and only stores ciphertext sensitive information and sensitive access records without key data.
Therefore, in the blockchain system, only the ciphertext sensitive information and the sensitive information access record are shared, and the key is used as private data of the first type node and is not shared to the second type node.
Then, the blockchain client 20 sends the newly generated patient medical record or the updated electronic medical record to the first type node (node 21 or node 22), and the first type node encrypts and stores the electronic medical record into the shared book of the blockchain through consensus.
Assuming that doctor a sends a request to the blockchain through the outpatient service system at this time, and wants to acquire the electronic medical record of patient a stored in the blockchain, the blockchain client 20 mainly performs the following steps after receiving the request to access the electronic medical record:
first, the blockchain client 20 obtains the identity authentication information of the doctor a, and then prompts the doctor a to allow the patient B to swipe the medical card to obtain the authorization of the patient B (the authorization condition defined in the security policy, that is, under what condition the patient B can access), and after the authorization of the user B obtained through the medical card of the patient B, the authorization result indicates that the doctor a is an authorized user having an electronic medical record for accessing the patient B;
the blockchain client 20 then sends the information access request to the first type of node according to the load balancing distribution policy: the node 21 or the node 22 queries the electronic medical record ciphertext sensitive information of the patient B from the first-class node, decrypts the ciphertext sensitive information by using a key stored in the private data set through executing an intelligent contract to obtain a plaintext electronic medical record, and then returns the plaintext electronic medical record to the block chain client 20;
meanwhile, the blockchain client 20 generates an access record similar to that "the doctor a gets the authorization of the patient B and accesses the electronic medical record of the patient B" according to the user information of "the doctor a" and the information access request of "the electronic medical record of the patient B", and uploads the access record to the blockchain through a data upload interface provided by the blockchain, and the blockchain stores the information into a shared book of the blockchain by performing consensus and synchronizes to the node 21, the node 23 and the node 23 so as to track the information at a later date;
after that, when the blockchain client 20 receives the plaintext information of the electronic medical record returned by the node 21 or the node 22, the plaintext information of the electronic medical record of the patient B is returned to the doctor a.
Suppose that doctor A again wants to view patient C's electronic medical record, but patient C is not present and cannot swipe the medical card. At this time, if the authorization check fails, the blockchain client 20 also generates an access record similar to "doctor a wants to access the electronic medical record of patient C, but does not obtain authorization" and stores the access record in the blockchain; then return an error message like "no doctor card information received within the specified time, authorization failed, and no access to the patient's electronic medical record", and no longer send any request to the first type node.
Assuming that the information security supervisor E wants to check the latest information access record, and then sends a request for checking the sensitive information access record to the blockchain client 20, after receiving the request and performing authorization verification to obtain an authorized result, the blockchain client 20 forwards the request to any node of the blockchain according to the load balancing distribution policy, and assuming that the request is sent to the node 23 this time, the node 23 returns the minge information access record stored in the node 23.
It should be noted that the embodiment shown in fig. 2 is also only an exemplary illustration of the information processing method based on the block chain in the present application, and is not limited to the implementation or application scenario of the embodiment in the present application, and an implementer may apply any applicable implementation to any applicable application scenario according to specific implementation needs and implementation conditions.
Further, according to a second aspect of the embodiments of the present application, there is also provided an information processing apparatus based on a block chain, as shown in fig. 3, where the apparatus 30 includes: an information access request obtaining module 301, configured to obtain an information access request sent by a user, where first information corresponding to the information access request is in a ciphertext form and is stored in a block chain; an information obtaining module 302, configured to determine whether a user has an authority to access corresponding information, and if the user has the authority to access corresponding information, obtain second information from a first type node on the blockchain, where the second information is first information decrypted by the first type node, and if the user does not have the authority, obtain third information, where the third information is error information or first information obtained from the second type node on the blockchain; an access record storage module 303, configured to store an access record to the block chain; and an information returning module 304, configured to send the second information or the third information to the user.
According to an embodiment of the present application, the information obtaining module 302 includes: the information sending submodule is used for sending the information access request to the first class node, and the first class node decrypts the first information to obtain second information; and the information receiving submodule is used for receiving the second information returned by the first type node.
According to an embodiment of the present application, the information obtaining module 302 includes: the identity authentication information acquisition submodule is used for acquiring identity authentication information of a user; and the authority checking submodule is used for determining whether the user has the authority to access the corresponding information according to the security policy and the identity authentication information.
According to an embodiment of the present application, the apparatus 30 further includes: and the security policy establishing module is used for establishing a security policy corresponding to the user identity authentication information.
According to an embodiment of the present application, the access record storage module 303 includes: the user information acquisition submodule is used for acquiring user information for sending the information access request; the access record generation submodule is used for generating an access record according to the user information and the information access request; and the access record storage submodule is used for storing the access record to the block chain.
According to an embodiment of the present application, the apparatus 30 further includes: the fourth information acquisition module is used for acquiring fourth information to be stored; the first information acquisition module is used for encrypting fourth information to be stored by the first class node to obtain first information; and the first information storage module is used for storing the first information to the block chain.
According to an embodiment of the present application, the apparatus 30 further includes: the first type node determining module is used for determining a first type node according to the first configuration information; and the key storage module is used for storing the key to the first-class node.
According to an embodiment of the present application, the apparatus 30 further includes: a node selection module for determining at least one node from the nodes of the blockchain; the configuration information establishing module is used for establishing configuration information and determining at least one node as a first type node; and the private data set storage space distribution module is used for distributing a private data set storage space for the first class of nodes, and the private data set storage space is used for storing the key.
Here, it should be noted that: the above description of the embodiment of the information processing apparatus based on the block chain is similar to that of the foregoing method embodiment, and has similar beneficial effects to the foregoing method embodiment, and therefore, the description is omitted here for brevity. For technical details that have not been disclosed in the present application for describing embodiments of the information processing apparatus based on blockchains, please refer to the description of the foregoing method embodiments of the present application for understanding, and therefore, for brevity, will not be described again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of a unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another device, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage medium, a Read Only Memory (ROM), a magnetic disk, and an optical disk.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof that contribute to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a removable storage medium, a ROM, a magnetic disk, an optical disk, or the like, which can store the program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A method of block chain based information processing, the method comprising:
acquiring an information access request sent by a user, wherein first information corresponding to the information access request is in a ciphertext form and is stored in a block chain;
determining whether the user has the authority to access the first information, if so, acquiring second information from a first-class node on the block chain, wherein the second information is the first information decrypted by the first-class node, and if not, acquiring third information, and the third information is error information or the first information acquired from the second-class node on the block chain;
storing an access record in the block chain;
and sending the second information or the third information to the user.
2. The method of claim 1, wherein the obtaining second information from a first type of node on the blockchain comprises:
sending the information access request to the first type node, and decrypting the first information by the first type node to obtain second information;
receiving the second information returned by the first type node.
3. The method of claim 1, the determining whether the user has permission to access the first information, comprising:
acquiring identity authentication information of the user;
and determining whether the user has the authority to access the first information according to the security policy and the identity authentication information.
4. The method of claim 3, prior to said determining whether the user has permission to access the first information based on a security policy and the identity authentication information, the method further comprising:
and establishing a security policy corresponding to the user identity authentication information.
5. The method of claim 1, the storing an access record in the blockchain, comprising:
acquiring user information for sending the information access request;
generating the access record according to the user information and the information access request;
storing the access record to the blockchain.
6. The method of claim 1, further comprising:
acquiring fourth information to be stored;
encrypting the fourth information to be stored by the first class node to obtain the first information;
storing the first information to the blockchain.
7. The method according to any one of claims 1 to 6, wherein the first information is in the form of ciphertext encrypted using a key, the key being stored on the node of the first type, and the second information is the first information decrypted by the key on the node of the first type.
8. The method of claim 7, prior to said obtaining the key from the first class node, the method further comprising:
determining the first type of node according to first configuration information;
storing the key to the first type node.
9. The method of claim 8, further comprising:
determining at least one node from the nodes of the blockchain;
establishing configuration information to determine the at least one node as the first type node;
and allocating a private data set storage space for the first class of nodes, wherein the private data set storage space is used for storing the secret key.
10. An apparatus for processing block chain-based information, the apparatus comprising:
the information access request acquisition module is used for acquiring an information access request sent by a user, wherein first information corresponding to the information access request is in a ciphertext form and is stored in a block chain;
an information obtaining module, configured to determine whether the user has an authority to access the first information, and if the user has the authority, obtain second information from a first type node in the blockchain, where the second information is the first information decrypted by the first type node, and if the user does not have the authority, obtain third information, where the third information is error information or first information obtained from the second type node in the blockchain;
the access record storage module is used for storing the access record in the block chain;
and the information returning module is used for sending the second information or the third information to the user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110171119.5A CN112926082A (en) | 2021-02-08 | 2021-02-08 | Information processing method and device based on block chain |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110171119.5A CN112926082A (en) | 2021-02-08 | 2021-02-08 | Information processing method and device based on block chain |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112926082A true CN112926082A (en) | 2021-06-08 |
Family
ID=76171204
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110171119.5A Pending CN112926082A (en) | 2021-02-08 | 2021-02-08 | Information processing method and device based on block chain |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112926082A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113378225A (en) * | 2021-06-24 | 2021-09-10 | 平安普惠企业管理有限公司 | Online sensitive data acquisition method and device, electronic equipment and storage medium |
| CN113591105A (en) * | 2021-06-29 | 2021-11-02 | 论客科技(广州)有限公司 | Big data analysis method, device and system based on block chain |
| CN115314502A (en) * | 2022-07-12 | 2022-11-08 | 地心引力(武汉)科技有限公司 | Data tracing and encrypting method and system based on block chain technology |
| CN116723042A (en) * | 2023-07-12 | 2023-09-08 | 北汽蓝谷信息技术有限公司 | Data packet security protection method and system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108023894A (en) * | 2017-12-18 | 2018-05-11 | 苏州优千网络科技有限公司 | Visa information system and its processing method based on block chain |
| CN110602088A (en) * | 2019-09-11 | 2019-12-20 | 北京京东振世信息技术有限公司 | Block chain-based right management method, block chain-based right management device, block chain-based right management equipment and block chain-based right management medium |
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| CN111783075A (en) * | 2020-06-28 | 2020-10-16 | 平安普惠企业管理有限公司 | Authority management method, device and medium based on secret key and electronic equipment |
-
2021
- 2021-02-08 CN CN202110171119.5A patent/CN112926082A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108023894A (en) * | 2017-12-18 | 2018-05-11 | 苏州优千网络科技有限公司 | Visa information system and its processing method based on block chain |
| CN110602088A (en) * | 2019-09-11 | 2019-12-20 | 北京京东振世信息技术有限公司 | Block chain-based right management method, block chain-based right management device, block chain-based right management equipment and block chain-based right management medium |
| CN111191288A (en) * | 2019-12-30 | 2020-05-22 | 中电海康集团有限公司 | Block chain data access authority control method based on proxy re-encryption |
| CN111783075A (en) * | 2020-06-28 | 2020-10-16 | 平安普惠企业管理有限公司 | Authority management method, device and medium based on secret key and electronic equipment |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113378225A (en) * | 2021-06-24 | 2021-09-10 | 平安普惠企业管理有限公司 | Online sensitive data acquisition method and device, electronic equipment and storage medium |
| CN113591105A (en) * | 2021-06-29 | 2021-11-02 | 论客科技(广州)有限公司 | Big data analysis method, device and system based on block chain |
| CN115314502A (en) * | 2022-07-12 | 2022-11-08 | 地心引力(武汉)科技有限公司 | Data tracing and encrypting method and system based on block chain technology |
| CN116723042A (en) * | 2023-07-12 | 2023-09-08 | 北汽蓝谷信息技术有限公司 | Data packet security protection method and system |
| CN116723042B (en) * | 2023-07-12 | 2024-01-26 | 北汽蓝谷信息技术有限公司 | Data packet security protection method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10275603B2 (en) | Containerless data for trustworthy computing and data services | |
| US9141822B2 (en) | Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method | |
| US8689347B2 (en) | Cryptographic control for mobile storage means | |
| JP5639660B2 (en) | Confirmable trust for data through the wrapper complex | |
| US10599830B2 (en) | System and method for controlled decentralized authorization and access for electronic records | |
| KR101687945B1 (en) | Identity-based encryption of data items for secure access thereto | |
| CN112926082A (en) | Information processing method and device based on block chain | |
| US20100095118A1 (en) | Cryptographic key management system facilitating secure access of data portions to corresponding groups of users | |
| US20090092252A1 (en) | Method and System for Identifying and Managing Keys | |
| KR100656402B1 (en) | Method and apparatus for the secure digital contents distribution | |
| EP2786292A1 (en) | Methods and devices for securing keys for a non-secured, distributed environment with applications to virtualization and cloud-computing security and management | |
| EP2513804A2 (en) | Trustworthy extensible markup language for trustworthy computing and data services | |
| WO2006112899A1 (en) | Method and apparatus for encrypting and decrypting data in a database table | |
| US20240048367A1 (en) | Distributed anonymized compliant encryption management system | |
| Abouali et al. | Blockchain framework for secured on-demand patient health records sharing | |
| Nagaty | Mobile health care on a secured hybrid cloud | |
| JP5494171B2 (en) | File management system, storage server, client, file management method and program | |
| CN112995109B (en) | Data encryption system, data encryption method, data processing device and electronic equipment | |
| Adlam et al. | Applying Blockchain Technology to Security-Related Aspects of Electronic Healthcare Record Infrastructure | |
| Abouali et al. | Patient full control over secured medical records transfer framework based on blockchain | |
| US20230239304A1 (en) | User device configuration | |
| US20220201084A1 (en) | Encryption of proxy session activity data using user-provided encryption keys | |
| Menon et al. | Preserving Privacy of Patients With Disabilities in the Smart Healthcare Systems | |
| Keoh et al. | Secure spontaneous emergency access to personal health record | |
| Vinnarasi et al. | E-Health Security on Could Computing and its Challenges |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |