CN113364735B - Data cross-chain access control method, system, device and terminal in a multi-chain scenario (Google Patents)

Info

Publication number: CN113364735B
Application number: CN202110486731.1A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113364735A
Inventors: 董学文, 张志为, 刘森鹏, 崔志浩, 沈玉龙, 王建东, 祝幸辉, 宋阳子, 习宁
Current assignee: Xidian University
Original assignee: Xidian University
Events: application filed by Xidian University; priority to CN202110486731.1A; publication of CN113364735A; application granted; publication of CN113364735B.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102: Entity profiles


Abstract

The invention belongs to the technical field of data access control and discloses a data cross-chain access control method, system, device and terminal for a multi-chain scenario. The method comprises the following stages: a registration stage, data uploading, data on-chain, data access, access record on-chain and data acquisition. The invention meets the requirement for cross-chain data access control in a multi-chain scenario and provides a cross-chain access control scheme that addresses the insufficient performance and capacity of blockchain technology under a single-chain architecture and the inability of conventional technology to meet or realize the asset exchange and information exchange requirements of complex cross-blockchain services. The invention allows asset exchange, data sharing and contract calling among heterogeneous chains in a multi-chain scenario; the deployment architecture can be organized flexibly according to the scenario, has as its core functional features a universal cross-chain transmission protocol and a heterogeneous transaction verification engine, and provides reliable underlying technical support for the security management of blockchain services and the formation of a blockchain internet.

Description

Data cross-chain access control method, system, device and terminal in a multi-chain scenario
Technical Field
The invention belongs to the technical field of data access control and in particular relates to a data cross-chain access control method, system, device and terminal for a multi-chain scenario.
Background
Currently, blockchain applications and their underlying technology platforms are flourishing, but each chain in the mainstream blockchain applications is still largely an independent, vertical and closed system. In business scenarios where the forms of business grow ever more complex, a unified interconnection mechanism between chains is lacking, which greatly limits the mobility of digital asset value across blockchains; the cross-chain requirement arises from this.
Cross-chain refers to achieving trusted interoperation between different ledgers by connecting relatively independent blockchain systems. Cross-chain can be broadly divided into digital asset exchange and information exchange according to the content that is exchanged. In digital asset exchange, asset exchange is at present completed mainly by centralized exchanges, a mode that is neither secure, regulated nor transparent; decentralized asset exchange modes such as Uniswap, Curve and SushiSwap have also appeared in the industry, but most current decentralized asset exchanges can only exchange different contract assets on the same blockchain, the decentralized exchange of cross-chain digital assets is still imperfect, and in practice information exchange remains in a mutually isolated state.
On the other hand, blockchain technology suffers from poor performance and insufficient capacity under a single-chain architecture. A single chain is constrained by the trade-off between decentralization, scalability and security and struggles to support business scenarios that require high transaction throughput and low latency. In addition, as a blockchain runs longer its storage grows steadily, and the rate of data growth may even exceed the capacity limit of the single-chain storage medium, so a multi-layer, multi-chain architecture that achieves multi-chain cooperation through cross-chain technology is a desirable way to resolve the performance bottleneck of blockchains. Therefore, a method, system, device and terminal for controlling cross-chain data access in a multi-chain scenario are needed.
The above analysis shows that the prior art has the following problems and defects:
(1) The centralized exchange approach is neither secure, regulated nor transparent.
(2) Most current decentralized asset transactions can only exchange different contract assets on the same blockchain; the decentralized exchange of cross-chain digital assets is still imperfect and remains in a mutually isolated state.
(3) Information exchange is made more complex by the data synchronization between chains and the corresponding cross-chain calls, so the communication barrier between blockchain applications is very high and information on the chains cannot be shared effectively.
(4) Blockchain technology has poor performance and insufficient capacity under a single-chain architecture; a single chain is constrained by the balance of decentralization, scalability and security and struggles to support business scenarios with high transaction throughput and low latency.
(5) As a blockchain runs longer its storage grows steadily, and the rate of data growth may even exceed the capacity limit of the single-chain storage medium, which greatly restricts the healthy development of blockchain technology.
The difficulties in solving the above problems and defects are:
(1) the verification problem of cross-chain transactions: how to confirm that the block recording the transaction has been sufficiently confirmed, that is, the data consistency problem among all the distributed networks involved in the transaction;
(2) the atomicity problem of cross-chain transactions: how to manage each sub-transaction of a cross-chain transaction so that the whole cross-chain transaction is fully atomic, that is, it has only two possible outcomes, complete or failed;
(3) the protocol adaptation problem between different blockchains: how to adapt between blockchains that use different architectures and protocols, which requires designing data structures, naming conventions, communication modes and the like in the cross-chain protocol that are compatible with a variety of heterogeneous blockchains.
The significance of solving these problems and defects is as follows: by solving them, the data cross-chain access control scheme for the multi-chain scenario, combined with the technical characteristics of blockchains such as decentralization, traceability and tamper resistance, builds a highly extensible, highly robust and easily upgraded cross-chain blockchain platform, provides a communication hub for decentralized applications, supports the efficient flow of trusted data assets on the chain, serves the security management of blockchain services, and provides reliable underlying technical support for the formation of a blockchain internet. The security, flexibility and reliability of cross-chain transactions are guaranteed.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a data cross-chain access control method, system, device and terminal for a multi-chain scenario.
The invention is realized as follows. A data cross-chain access control method in a multi-chain scenario comprises the following steps:
Step one, registration stage: users or Internet of Things devices in each domain register and authenticate their identity in their respective home domains to obtain identity attribute information, so that the data of each user or IoT device is stored in a classified manner and access control is facilitated;
Step two, data uploading: the encrypted data is uploaded to a server for storage. The data owner DO generates a random file key k, encrypts the plaintext data M with k using the symmetric encryption algorithm AES (Advanced Encryption Standard) to produce the ciphertext C, uploads C to the server for storage, and at the same time records the metadata information of M;
Step three, data on-chain: so that users can conveniently search the data held by the server, the data owner DO sets the access-structure policy tree T for the data, encrypts the key k with the CP-ABE algorithm under this access policy to produce ET(k), the ciphertext of the file's symmetric encryption key, and generates a block from the metadata information of step two, the access policy and ET(k), which is appended to the data information chain;
Step four, data access: access control is realized through the relay chain. A data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 calls the relay chain cross-chain to apply for access to the domain D2 where the data is located; D2 judges the applicant and, if the judgment succeeds, D1 transmits the ciphertext data to DU;
Step five, access record on-chain: the access to the data is recorded. After the access control judgment of step four is finished, the domain where the data is located writes the access request and the related information about its result to the chain for subsequent query and audit;
Step six, data acquisition: the user decrypts to obtain the data. DU decrypts ET(k) from the data information chain with the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k using AES to obtain the plaintext data M.
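An added Go example of steps two, three and six end to end; it is not code from the patent. AES-256-GCM stands in for the AES mode the text leaves unspecified, and CP-ABE is replaced by an explicit policy-tree check that gates the release of k, which is an assumption of the example rather than the patent's cryptography; the DU additionally checks the downloaded ciphertext against the hash and size recorded on chain before decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Metadata is what step two records beside the ciphertext C.
type Metadata struct {
	Hash       string // SHA-256 of C, so the DU can check a download before decrypting
	FileAddr   string // domain where the file is stored
	Size       int    // length of C in bytes
	UploadTime time.Time
	Owner      string // data owner DO
}

// PolicyNode is a node of the access-structure tree T: a leaf names an attribute;
// an inner node needs at least Threshold satisfied children (1 = OR, all = AND).
type PolicyNode struct {
	Attr      string
	Threshold int
	Children  []*PolicyNode
}

// Satisfied evaluates T against a DU attribute set s.
func (n *PolicyNode) Satisfied(s map[string]bool) bool {
	if len(n.Children) == 0 {
		return s[n.Attr]
	}
	ok := 0
	for _, c := range n.Children {
		if c.Satisfied(s) {
			ok++
		}
	}
	return ok >= n.Threshold
}

// ChainRecord is the block that step three writes to the data information chain.
type ChainRecord struct {
	Meta   Metadata
	Policy *PolicyNode
	ETk    []byte // stands in for ET(k), the CP-ABE ciphertext of k (see Uplink)
}

func gcm(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload is step two: DO draws a random file key k, encrypts M with AES-256-GCM
// (nonce prepended to C) and records the metadata of M.
func Upload(m []byte, owner, domain string) (k, c []byte, md Metadata, err error) {
	buf := make([]byte, 32+12) // 256-bit key k followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, md, err
	}
	k, nonce := buf[:32], buf[32:]
	g, err := gcm(k)
	if err != nil {
		return nil, nil, md, err
	}
	c = g.Seal(nonce, nonce, m, nil)
	sum := sha256.Sum256(c)
	md = Metadata{hex.EncodeToString(sum[:]), domain, len(c), time.Now().UTC(), owner}
	return k, c, md, nil
}

// Uplink is step three: DO sets T and publishes the record. In the method ET(k) is
// k encrypted with CP-ABE under T; this example stores k and lets Acquire enforce
// T explicitly instead (an assumption of the example, not real CP-ABE).
func Uplink(md Metadata, t *PolicyNode, k []byte) ChainRecord {
	return ChainRecord{Meta: md, Policy: t, ETk: append([]byte(nil), k...)}
}

// Acquire is step six for a DU with attribute set s: release k only if s satisfies
// T, check the downloaded C against the hash and size on chain, then decrypt C.
func Acquire(rec ChainRecord, s map[string]bool, c []byte) ([]byte, error) {
	if !rec.Policy.Satisfied(s) {
		return nil, errors.New("attribute set does not satisfy policy tree T")
	}
	sum := sha256.Sum256(c)
	if len(c) != rec.Meta.Size || hex.EncodeToString(sum[:]) != rec.Meta.Hash {
		return nil, errors.New("ciphertext does not match the metadata on chain")
	}
	g, err := gcm(rec.ETk)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	return g.Open(nil, c[:n], c[n:], nil)
}
```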
Further, in step two the metadata information of the data M includes a hash value, the upload domain, the file size, the upload time and the owner.
Further, in step two the data cross-chain call includes:
(1) during cross-chain access, the application chain A in domain D1 sends a cross-chain access request to the application chain B of the autonomous domain D2;
(2) the application chain A calls the relay chain to perform cross-chain access; the relay chain authenticates the identity of the calling chain and confirms its validity, and the attributes of domain D1 are mapped to attributes of domain D2 through attribute mapping, so that the requester obtains domain D2 attributes;
(3) the relay chain generates a public and private key pair issued by D2 according to the mapped D2 attribute set, distributes the key pair to the data requester, and forwards the call request to the application chain B;
(4) the application chain B transmits the ciphertext data message to the data requester.
Further, in step two and step six the CP-ABE algorithm comprises:
(1) the system initialization algorithm (1^τ) → (PK, MK): it takes a security parameter τ as input and outputs the system public key PK and the master key MK;
(2) the key generation algorithm (PK, MK, S) → SK: it takes an attribute set S, the master key MK and the public key PK as input and outputs the user private key SK;
(3) the encryption algorithm (PK, M, AS) → CT: it takes the plaintext M to be encrypted, the public key PK and an access structure AS as input and outputs a ciphertext CT that embeds the access policy;
(4) the decryption algorithm (PK, SK, CT) → M: it takes a ciphertext CT embedding the access policy AS, the public key PK and a private key SK generated from an attribute set as input; if the attribute set S satisfies the access policy, the user successfully decrypts and recovers the plaintext M.
Further, the data cross-chain access control method in the multi-chain scenario also comprises data cross-domain access, which includes:
(1) attribute mapping is completed among all cloud organizations in the blockchain network, and the cross-chain service management platform maintains an attribute mapping table;
(2) the user registers an identity, and a user public and private key pair and user attributes are generated automatically;
(3) the data owner DO generates a random file key k, encrypts the plaintext data M with k using a symmetric encryption algorithm to produce the ciphertext C, uploads C to the autonomous domain, and records the metadata information of M; the metadata information of M includes the domain FileAddr where the data is located, the data keyword set Keywords and the hash value hash of the encrypted file;
(4) DO sets the policy tree T of the data access structure and calls the attribute mapping interface of the cross-chain service management platform to complete the mapping extension of the attributes between domains;
(5) DO encrypts the key k with the CP-ABE algorithm to produce ET(k), generates a block from the metadata information, the access policy and ET(k), and the generated file information is put on the chain through the consensus algorithm;
(6) the data user DU can search all data information across multiple domains through the file information chain FIC and call the cross-chain interface to initiate a data access request;
(7) the cross-chain service management platform automatically queries the data access policy and the user attributes through the file information chain FIC and the relay chain and makes the access judgment; if the DU attributes match the policy, go to step (9); otherwise access is refused and the process ends;
(8) the domain where the target chain is located transmits the data ciphertext C to DU;
(9) DU first obtains the file key k by decrypting ET(k) from the data information chain, and then obtains the plaintext data by decrypting the ciphertext C with k.
Further, the data cross-chain access control method in the multi-chain scenario also comprises a block update based on the multi-cloud consensus mechanism Raft. When a new proposal initiated by a user exists in the system, the leader node holds the bookkeeping right of the current blockchain and the follower nodes carry out the specific work; the block update comprises:
(1) the follower sends the proposal to the leader node;
(2) the leader node verifies the digital signature on the certificate and, once verification passes, packs the received digital certificate and the operation type into a block and broadcasts the block to all follower nodes;
(3) each follower node verifies the block content and returns a response to the leader node;
(4) after the leader node has received responses from more than half of the nodes, it notifies all follower nodes to confirm writing the block, and the follower nodes notify the nodes in each domain to update the blockchain, completing the ledger update.
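An added Go example of the four-step block update above; it is not code from the patent. The user's certificate is modelled as an Ed25519 public key and the signature is checked over the operation type, and the cluster is the leader plus its followers with the leader counting its own vote; both are assumptions of the example, and catch-up of lagging followers by log replication is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Proposal is what a follower forwards to the leader in step (1): the proposing
// user's certificate (modelled as an Ed25519 public key, an assumption of this
// example), the operation type, and the user's signature over the operation.
type Proposal struct {
	Cert      ed25519.PublicKey
	Operation string
	Signature []byte
}

// Block is what the leader packs and broadcasts in step (2).
type Block struct {
	Height    int
	PrevHash  string
	Cert      []byte
	Operation string
	Hash      string // SHA-256 over PrevHash, Cert and Operation
}

func blockHash(b Block) string {
	h := sha256.New()
	h.Write([]byte(b.PrevHash))
	h.Write(b.Cert)
	h.Write([]byte(b.Operation))
	return hex.EncodeToString(h.Sum(nil))
}

// Node is one Raft participant of a domain holding its copy of the blockchain.
type Node struct {
	ID    string
	Chain []Block
}

func (n *Node) tipHash() string {
	if len(n.Chain) == 0 {
		return ""
	}
	return n.Chain[len(n.Chain)-1].Hash
}

// Verify is the follower-side check of step (3): the block must extend this
// node's chain and its hash must match its contents.
func (n *Node) Verify(b Block) bool {
	return b.Height == len(n.Chain) && b.PrevHash == n.tipHash() && b.Hash == blockHash(b)
}

// LeaderUpdate runs steps (2) to (4) at the leader: check the proposal's
// signature against its certificate, pack the block, collect follower responses
// and commit only when more than half of all nodes (leader included) accepted it.
func LeaderUpdate(leader *Node, followers []*Node, p Proposal) (Block, error) {
	if len(p.Cert) != ed25519.PublicKeySize ||
		!ed25519.Verify(p.Cert, []byte(p.Operation), p.Signature) {
		return Block{}, errors.New("proposal signature does not verify against its certificate")
	}
	b := Block{Height: len(leader.Chain), PrevHash: leader.tipHash(),
		Cert: []byte(p.Cert), Operation: p.Operation}
	b.Hash = blockHash(b)

	var acks []*Node // followers whose response in step (3) was positive
	for _, f := range followers {
		if f.Verify(b) {
			acks = append(acks, f)
		}
	}
	cluster := len(followers) + 1
	if (len(acks)+1)*2 <= cluster { // the leader counts its own vote
		return Block{}, errors.New("block was not acknowledged by more than half of the nodes")
	}
	// Step (4): the leader confirms the write and acknowledging followers append
	// the block. Followers that lag behind would be caught up by Raft log
	// replication, which this example omits.
	leader.Chain = append(leader.Chain, b)
	for _, f := range acks {
		f.Chain = append(f.Chain, b)
	}
	return b, nil
}
```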
Another object of the invention is to provide a data cross-chain access control system for a multi-chain scenario that applies the above data cross-chain access control method and comprises:
a user module, composed of user entities, which is the actual participant in data calls and is used for user identity registration, data access and data uploading;
a multi-chain autonomous module, composed of a plurality of service autonomous domains D, which is responsible for user identity registration and attribute issuance, generating and distributing keys for attribute-based encryption and recording data information; each domain independently maintains its own data information chain and access record chain;
a data storage module, composed of a cloud service provider CSP with strong computing power and large storage capacity together with other Internet of Things devices, which is responsible for data storage and download services.
Further, the user module comprises an authentication unit for user identity registration and attribute assignment, an operation unit for uploading, downloading, modifying and otherwise operating on data according to the user's needs, and an access record chain ARC that records the user's access requests and the corresponding results.
The access record chain ARC comprises the data access user DU, the domain D where the accessing user is located, the data access time FileTime, the domain FileAddr where the data is located and the access result AccessResult.
The multi-chain autonomous module comprises a consensus mechanism that uses the Raft protocol to bring all nodes in a domain to consensus, a relay chain used for cross-chain calls and for mapping the differing attributes between domains, and a file information chain FIC that maintains the meta-information of the data uploaded by the data owner DO.
The file information chain FIC comprises the domain FileAddr where the data is located, the data keyword set Keywords, the hash value hash of the encrypted file and ET(k), the ciphertext of the file's symmetric encryption key after it has been encrypted with the attribute-based encryption CP-ABE.
The data storage module stores the data encrypted and uploaded by the data owner DO, receives requests from data visitors DU and provides the ciphertext download service.
A further object of the invention is to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the following steps:
(1) registration stage: users or Internet of Things devices in each domain register and authenticate their identity in their respective home domains and obtain identity attribute information;
(2) data uploading: the data owner DO generates a random file key k, encrypts the plaintext data M with k using the symmetric encryption algorithm AES to produce the ciphertext C, uploads C to the server side for storage, and at the same time records the metadata information of M;
(3) data on-chain: the data owner DO sets the access-structure policy tree T for the data, encrypts the key k with the CP-ABE algorithm under the access policy to produce ET(k), and generates a block from the metadata information of step two, the access policy and ET(k), which is appended to the data information chain;
(4) data access: the data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 calls the relay chain cross-chain to apply for access to the domain D2 where the data is located; D2 judges the applicant and, if the judgment succeeds, D1 transmits the ciphertext data to DU;
(5) access record on-chain: after the access control judgment of the fourth step is finished, the domain where the data is located writes the access request and the related information about its result to the chain for subsequent query and audit;
(6) data acquisition: DU decrypts ET(k) from the data information chain with the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k using AES to obtain the plaintext data M.
Another object of the invention is to provide an information data processing terminal configured to implement the data cross-chain access control system for the multi-chain scenario.
Taken together, the technical solutions of the invention have the following advantages and positive effects: the data cross-chain access control method in the multi-chain scenario meets the requirement for cross-chain data access control in a multi-chain scenario, and provides a cross-chain access control scheme that addresses the insufficient performance and capacity of blockchain technology under a single-chain architecture and the inability of conventional technology to meet or realize the asset exchange and information exchange requirements of complex cross-blockchain services. The invention allows asset exchange, data sharing and contract calling among heterogeneous chains in a multi-chain scenario. The deployment architecture can be organized flexibly according to the scenario, the method has as its core functional features a universal cross-chain transmission protocol and a heterogeneous transaction verification engine, and it ensures the security, flexibility and reliability of cross-chain transactions. The scheme provides a communication hub for decentralized applications, supports the efficient flow of trusted data assets on the chain, and provides reliable underlying technical support for the security management of blockchain services and the formation of a blockchain internet.
Drawings
In order to illustrate the technical solutions of the embodiments of the invention more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the data cross-chain access control method in a multi-chain scenario according to an embodiment of the invention.
Fig. 2 is the cross-chain access flowchart of the data cross-chain access control method according to an embodiment of the invention.
Fig. 3 is a block diagram of the data cross-chain access control system in a multi-chain scenario according to an embodiment of the invention;
in the figure: 1. user module; 2. multi-chain autonomous module; 3. data storage module.
Fig. 4 is a schematic structure diagram of the data cross-chain access control system in a multi-chain scenario according to an embodiment of the invention.
Fig. 5 is a schematic diagram of the cross-domain attribute mapping of the data cross-chain access control method according to an embodiment of the invention.
Fig. 6 is the cross-chain call flow diagram of the data cross-chain access control method according to an embodiment of the invention.
Fig. 7 is the CP-ABE schematic diagram of the data cross-chain access control method according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to embodiments. It should be understood that the specific embodiments described here merely illustrate the invention and do not limit it.
In view of the problems in the prior art, the invention provides a method, system, device and terminal for controlling cross-chain data access in a multi-chain scenario, which is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, the method for controlling cross-chain data access in a multi-chain scenario provided by an embodiment of the invention comprises the following steps:
S101, registration stage: users or Internet of Things devices in each domain register and authenticate their identity in their home domains to obtain identity attribute information;
S102, data uploading: the data owner DO generates a random file key k, encrypts the plaintext data M with k using the symmetric encryption algorithm AES to produce the ciphertext C, uploads C to a server for storage, and records the metadata information of M;
S103, data on-chain: the data owner DO sets the access-structure policy tree T for the data, encrypts the key k with the CP-ABE algorithm under the access policy to produce ET(k), the ciphertext of the file's symmetric encryption key, and generates a block from the metadata information of S102, the access policy and ET(k), which is appended to the data information chain;
S104, data access: the data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 calls the relay chain cross-chain to apply for access to the domain D2 where the data is located; D2 judges the applicant and, if the judgment succeeds, D1 transmits the ciphertext data to DU;
S105, access record on-chain: after the access control judgment of S104 is finished, the domain where the data is located writes the access request and the related information about its result to the chain for subsequent query and audit;
S106, data acquisition: DU decrypts ET(k) from the data information chain with the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k using AES to obtain the plaintext data M.
The cross-chain access flowchart of the data cross-chain access control method provided by the embodiment of the invention is shown in Fig. 2.
As shown in Fig. 3, the system for controlling cross-chain data access in a multi-chain scenario provided by an embodiment of the invention comprises:
the user module 1, composed of user entities, which is the actual participant in data calls and is used for user identity registration, data access and data uploading;
the multi-chain autonomous module 2, composed of a plurality of service autonomous domains D, which is responsible for user identity registration and attribute issuance, generating and distributing keys for attribute-based encryption and recording data information; each domain independently maintains its own data information chain and access record chain;
the data storage module 3, composed of a cloud service provider CSP with strong computing power and large storage capacity together with other Internet of Things devices, which is responsible for data storage and download services.
A schematic structure diagram of the data cross-chain access control system in a multi-chain scenario provided by the embodiment of the invention is shown in Fig. 4.
The technical solution of the invention is further described below with reference to examples.
Example 1
The data cross-chain access control system provided by the embodiment of the invention comprises:
a user module composed of user entities, which is the actual participant in data calls and is used for user identity registration, data access and data uploading;
a multi-chain autonomous module composed of a plurality of autonomous domains (domains, D), which is responsible for user identity registration and attribute issuance, key generation and distribution for attribute-based encryption, and recording of data information; each domain independently maintains its own data information chain and access record chain;
a data storage module composed of a Cloud Service Provider (CSP) with strong computing power and large storage capacity together with other Internet of Things devices, which is responsible for data storage and download services.
The user module provided by the embodiment of the invention comprises an authentication unit for user identity registration and attribute distribution, an operation unit for uploading, downloading, modifying and otherwise operating on data according to the user's needs, and an access record chain ARC that records the user's access requests and the corresponding results.
Further, the access record chain ARC includes the data access user DU, the domain D where the accessing user is located, the data access time FileTime, the domain FileAddr where the data is located, and the access result.
The multi-chain autonomous module provided by the embodiment of the invention comprises a consensus mechanism that uses the Raft protocol to bring all nodes to consensus and a file information chain FIC that maintains the meta-information of the data uploaded by the data owner DO.
The file information chain FIC provided by the embodiment of the invention mainly comprises the domain FileAddr where the data is located, the data keyword set Keywords, the hash value hash of the encrypted file and ET(k), the ciphertext of the file's symmetric encryption key after it has been encrypted with the attribute-based encryption CP-ABE.
The data storage module provided by the embodiment of the invention stores the data encrypted and uploaded by the Data Owner (DO), receives requests from data visitors (DU) and provides the ciphertext download service.
Example 2
Fig. 5 is the cross-domain attribute mapping diagram of the data cross-chain access control method provided by the embodiment of the present invention. In the model, each domain performs data access control with ciphertext-policy attribute-based encryption (CP-ABE). The resource attributes of each domain are divided into general attributes and mapping attributes: general attributes are those that have the same meaning in every domain, such as name, gender and age; a mapping attribute is a local attribute that applies only within its own domain and must be mapped when a cross-domain call is made. When data is accessed across chains, the chain where the data is located completes the mapping of the policy attributes through the relay chain. When a user in an autonomous domain D1 sends a cross-chain access request to an autonomous domain D2, the attributes of D2 are mapped to D1 through attribute mapping, so that the user in D1 obtains the corresponding D2 attributes and can then perform access operations on resources in D2.
FIG. 6 is a flow diagram of a data cross-chain access call of the present invention. The specific working process is as follows:
step one, the application chain A, located in domain D1, sends a cross-chain access request to the application chain B in the autonomous domain D2;
step two, the application chain A performs the cross-chain access by calling the relay chain; the relay chain authenticates the accessing chain and confirms its validity, and maps the attributes of domain D1 into the attributes of domain D2 through attribute mapping, so that the requester obtains the D2 attributes;
step three, the relay chain generates a public and private key pair issued by D2 according to the mapped D2 attribute set, distributes the key pair to the data requester, and forwards the call request to the application chain B;
step four, the application chain B transmits the ciphertext data information to the data requester.
Fig. 7 is a schematic diagram of the CP-ABE principle used by the data cross-chain access control method according to an embodiment of the present invention. The algorithm consists of the following four steps:
step one, system initialization algorithm (1^τ) → (PK, MK): input a security parameter τ, and output the system public key PK and the master key MK;
step two, key generation algorithm (PK, MK, S) → (SK): input an attribute set S, the master key MK and the public key PK, and output the user private key SK;
step three, encryption algorithm (PK, M, AS) → (CT): input the plaintext M to be encrypted, the public key PK and an access structure AS, and output a ciphertext CT that carries the access policy;
step four, decryption algorithm (PK, SK, CT) → (M): input a ciphertext CT carrying the access policy AS, the public key PK and a private key SK generated from the attribute set S; if S satisfies the access policy, the user successfully decrypts the plaintext M.
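The attribute mapping of Fig. 5 and the satisfiability condition of step four above can be exercised without any pairing arithmetic. The Go program below is an added example, not code from the patent or its authors: it evaluates a CP-ABE access tree T (threshold gates over attribute leaves, with AND and OR as special cases) against an attribute set, and models the relay chain's attribute mapping table so that a D1 requester's attributes are translated into D2 terms before the D2 policy is evaluated. The table layout, the domain and attribute names (D1:physician, D2:doctor, age:adult and so on) and the sample policy are constructed for illustration; the cryptographic enforcement CP-ABE provides (a key whose attributes do not satisfy T cannot recover M) is not modelled, only the decision it enforces.

```go
package main

import "fmt"

// PolicyNode is one node of the access-structure tree T that CP-ABE embeds in a
// ciphertext. A leaf names an attribute; an inner node is a k-of-n threshold gate
// (AND is n-of-n, OR is 1-of-n).
type PolicyNode struct {
	Attr      string        // leaves only
	Threshold int           // inner nodes only
	Children  []*PolicyNode // empty on leaves
}

func Leaf(attr string) *PolicyNode                    { return &PolicyNode{Attr: attr} }
func And(ch ...*PolicyNode) *PolicyNode               { return &PolicyNode{Threshold: len(ch), Children: ch} }
func Or(ch ...*PolicyNode) *PolicyNode                { return &PolicyNode{Threshold: 1, Children: ch} }
func Threshold(k int, ch ...*PolicyNode) *PolicyNode  { return &PolicyNode{Threshold: k, Children: ch} }

// Satisfies reports whether attribute set S satisfies T. In CP-ABE this is exactly
// the condition under which the decryption algorithm (step four) recovers M; the
// pairing arithmetic that enforces it cryptographically is not modelled here.
func Satisfies(t *PolicyNode, s map[string]bool) bool {
	if len(t.Children) == 0 {
		return s[t.Attr]
	}
	n := 0
	for _, c := range t.Children {
		if Satisfies(c, s) {
			n++
		}
	}
	return n >= t.Threshold
}

// MappingTable is the relay chain's attribute mapping table (assumed layout).
// General attributes are valid in every domain and pass through unchanged; a
// mapping attribute is local to its domain and must be translated per target domain.
type MappingTable struct {
	General map[string]bool
	Local   map[string]map[string]map[string]string // from -> to -> local attr -> mapped attr
}

// MapAttributes translates a requester's D1 attribute set into D2 terms (step two of
// the cross-chain call). A local attribute with no mapping is dropped, never guessed.
func (m MappingTable) MapAttributes(from, to string, s map[string]bool) map[string]bool {
	out := map[string]bool{}
	for a := range s {
		if m.General[a] {
			out[a] = true
		} else if dst, ok := m.Local[from][to][a]; ok {
			out[dst] = true
		}
	}
	return out
}

// Decide is the judgement D2 makes on a cross-chain request: map the attributes,
// then evaluate the resource's policy tree against the mapped set.
func Decide(m MappingTable, from, to string, s map[string]bool, policy *PolicyNode) bool {
	return Satisfies(policy, m.MapAttributes(from, to, s))
}

// SampleTable and SamplePolicy are constructed fixtures: two medical domains whose
// role attributes use different names; D2:on-call exists only in D2.
func SampleTable() MappingTable {
	return MappingTable{
		General: map[string]bool{"age:adult": true, "gender:female": true, "gender:male": true},
		Local: map[string]map[string]map[string]string{
			"D1": {"D2": {"D1:physician": "D2:doctor", "D1:head-nurse": "D2:nurse"}},
			"D2": {"D1": {"D2:doctor": "D1:physician", "D2:nurse": "D1:head-nurse"}},
		},
	}
}

func SamplePolicy() *PolicyNode {
	// (doctor AND adult) OR (any 2 of: nurse, adult, on-call)
	return Or(And(Leaf("D2:doctor"), Leaf("age:adult")),
		Threshold(2, Leaf("D2:nurse"), Leaf("age:adult"), Leaf("D2:on-call")))
}

func main() {
	m, p := SampleTable(), SamplePolicy()
	for _, s := range []map[string]bool{
		{"D1:physician": true, "age:adult": true},
		{"D1:head-nurse": true, "age:adult": true},
		{"D1:intern": true, "age:adult": true},
	} {
		fmt.Println(m.MapAttributes("D1", "D2", s), "->", Decide(m, "D1", "D2", s, p))
	}
}
```

General attributes pass through the mapping unchanged, while a local attribute is either translated by the table or silently dropped, so a D2-only attribute such as D2:on-call can never be obtained from D1. That is the intended effect of a mapping attribute: D2 keeps control of which of its local attributes a foreign domain can be granted.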
In summary, the data cross-chain access control system can meet the requirement for cross-chain data access in a multi-chain-oriented scenario. It provides a cross-chain access control scheme that addresses the insufficient performance and capacity of blockchain technology in a single-chain architecture, and the asset exchange and information exchange requirements of complex cross-blockchain services that traditional techniques cannot meet. The method allows asset exchange, data sharing and contract calling among heterogeneous chains in a multi-chain scenario. The deployment architecture can be organized flexibly according to the scenario; the method has the characteristics of a universal cross-chain transmission protocol and a heterogeneous transaction verification engine as its core functions, and ensures the security, flexibility and reliability of cross-chain transactions. The scheme provides a communication hub for decentralized applications, supports the efficient flow of trusted on-chain data assets, and provides reliable underlying technical support for the secure management of blockchain-based services and the formation of a blockchain Internet.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When realized wholly or partially in software, it can be implemented as a computer program product that includes one or more computer instructions. When the computer instructions are loaded or executed on a computer, the flows or functions according to embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (9)

1. A data cross-chain access control method in a multi-chain scenario, characterized by comprising the following steps:
a registration stage: a user or Internet of Things device in each domain performs identity registration and authentication in its home domain to acquire identity attribute information;
data uploading: a data owner DO generates a random file key k, executes the symmetric encryption algorithm AES with the key k to encrypt plaintext data M into a ciphertext C, uploads the ciphertext C to the server side for storage, and at the same time records the metadata information of the data M;
data uplink: the data owner DO sets the policy tree T of the data access structure, executes the CP-ABE algorithm to encrypt the key k under the access policy, generating ET(k), and updates the metadata information, the access policy and ET(k) as a block to the data information chain;
data access: the data requester DU initiates a data access request in its domain D1; if cross-domain data is involved, D1 applies for cross-chain access to the domain D2 where the data is located by calling a relay chain; D2 evaluates the applicant, and if the evaluation succeeds, D2 transmits the ciphertext data to the DU;
access record uplink: after the access control decision is finished, the domain where the data is located records the access request and the related information about its result on the chain for subsequent query and audit;
data acquisition: the DU decrypts ET(k) in the data information chain by using the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k by using the AES algorithm to obtain the plaintext data M;
the data cross-chain calling comprises the following steps:
(1) when cross-chain access is performed, the application chain A in domain D1 sends a cross-chain access request to the application chain B of the autonomous domain D2;
(2) the application chain A calls the relay chain to perform cross-chain access, the relay chain performs identity authentication and validity confirmation on the access chain, and the domain D1 attribute is mapped into the domain D2 attribute through attribute mapping, so that the requester acquires the domain D2 attribute;
(3) the relay chain generates a public and private key pair issued by D2 according to the mapped D2 attribute set, distributes the public and private key pair to a data requester, and forwards a call request to an application chain B;
(4) the application chain B transmits the ciphertext data message to the data requestor.
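The uploading, uplink, access, access record uplink and acquisition stages of claim 1 form one hybrid-encryption lifecycle: a random file key k, C = AES(k, M), a hash of C and ET(k) on the file information chain, and an access record chain entry for every request. The Go program below is an added example rather than the patent's code; it carries that lifecycle through end to end with AES-256-GCM from the standard library. The CP-ABE step is replaced by an assumed stand-in: ET(k) is k sealed under a per-policy wrapping key, and a requester that holds that key is treated as having an attribute set that satisfies the policy. FICRecord and ARCRecord follow the fields named in the description (FileAddr, Keywords, hash, ET(k); DU, D, FileTime, FileAddr, AccessResult); the function names, keys and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// FICRecord is one file information chain entry: domain holding the data, keyword set, hash of C, ET(k).
type FICRecord struct {
	FileAddr string
	Keywords []string
	Hash     string // hex SHA-256 of the ciphertext C
	ETk      []byte // file key k wrapped under the access policy
}

// ARCRecord is one access record chain entry.
type ARCRecord struct {
	DU, Domain, FileAddr string
	FileTime             time.Time
	AccessResult         bool
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; openGCM reverses it (wrong key or any modified byte fails the tag).
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed data too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Upload is the DO side of the uploading and uplink stages: random k, C = AES(k, M), hash of C, ET(k).
// policyKey is an assumed stand-in for CP-ABE: holding it models holding attributes that satisfy the policy.
func Upload(domain string, keywords []string, policyKey, M []byte) (C []byte, rec FICRecord, err error) {
	k := make([]byte, 32)
	if _, err = rand.Read(k); err != nil {
		return
	}
	if C, err = sealGCM(k, M); err != nil {
		return
	}
	if rec.ETk, err = sealGCM(policyKey, k); err != nil {
		return
	}
	h := sha256.Sum256(C)
	rec.FileAddr, rec.Keywords, rec.Hash = domain, keywords, hex.EncodeToString(h[:])
	return C, rec, nil
}

// Judge is the data domain's side of the access and access record uplink stages: the requester's
// key is tried against ET(k), and the outcome is appended to the ARC whether it passed or failed.
func Judge(du, fromDomain string, rec FICRecord, requesterKey []byte, arc *[]ARCRecord) ([]byte, bool) {
	k, err := openGCM(requesterKey, rec.ETk)
	*arc = append(*arc, ARCRecord{DU: du, Domain: fromDomain, FileAddr: rec.FileAddr, FileTime: time.Now(), AccessResult: err == nil})
	return k, err == nil
}

// Acquire is the DU side: a C that does not match the on-chain hash is rejected before decryption.
func Acquire(rec FICRecord, C, k []byte) ([]byte, error) {
	if h := sha256.Sum256(C); hex.EncodeToString(h[:]) != rec.Hash {
		return nil, errors.New("ciphertext does not match on-chain hash")
	}
	return openGCM(k, C)
}

func main() {
	policyKey := make([]byte, 32) // constructed, all-zero: demo only
	C, rec, _ := Upload("D2", []string{"ecg"}, policyKey, []byte("constructed patient record"))
	var arc []ARCRecord
	k, _ := Judge("alice", "D1", rec, policyKey, &arc)
	M, err := Acquire(rec, C, k)
	fmt.Printf("%q %v %+v\n", M, err, arc)
}
```

The hash check in Acquire is what lets a DU notice a ciphertext that the storage provider swapped or damaged, independently of the GCM tag; and because Judge appends refusals as well as successes to the ARC, the audit stage has something to audit when a request is denied.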
2. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the data M metadata information includes a hash value, an upload domain, a file size, an upload time, and an owner.
3. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the CP-ABE algorithm includes:
(1) system initialization algorithm (1^τ) → (PK, MK): input a security parameter τ, and output the system public key PK and the master key MK;
(2) key generation algorithm (PK, MK, S) → (SK): input an attribute set S, the master key MK and the public key PK, and output the user private key SK;
(3) encryption algorithm (PK, M, AS) → (CT): input the plaintext M to be encrypted, the public key PK and an access structure AS, and output a ciphertext CT that carries the access policy;
(4) decryption algorithm (PK, SK, CT) → (M): input a ciphertext CT carrying the access policy AS, the public key PK and a private key SK generated from the attribute set S; if S satisfies the access policy, the user successfully decrypts the plaintext M.
4. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the method for controlling data cross-chain access in a multi-chain scenario further comprises data cross-domain access, and the data cross-domain access comprises:
(1) completing attribute mapping among all cloud organizations in a block chain network, and maintaining an attribute mapping table by a cross-chain service management platform;
(2) the user registers identity, and automatically generates a user public and private key pair and user attributes;
(3) a data owner DO generates a random file key k, executes a symmetric encryption algorithm with the key k to encrypt plaintext data M, generates a ciphertext C, uploads it to the autonomous domain, and records the metadata information of the data M; wherein the metadata information of the data M comprises the domain FileAddr where the data is located, the data keyword set Keywords and the hash value hash of the encrypted file;
(4) the DO sets the policy tree T of the data access structure and invokes the attribute mapping interface of the cross-chain service management platform to complete the mapping extension of the attributes between domains;
(5) the DO executes the CP-ABE algorithm to encrypt the key k, generating ET(k); the metadata information, the access policy and ET(k) are generated into a block, and the generated file information is put on the chain through the consensus algorithm;
(6) the data user DU can retrieve all data information across the domains through the file information chain FIC and call the cross-chain interface to initiate a data access request;
(7) the cross-chain service management platform automatically queries the data access policy and the user attributes through the file information chain FIC and the relay chain and makes the access decision; if the DU attributes match the policy, go to step (9); otherwise access is refused and the process ends;
(8) the domain where the target chain is located transmits the data ciphertext C to the DU;
(9) the DU first obtains the file key k by decrypting ET(k) in the data information chain, and then obtains the plaintext data by decrypting the ciphertext C with k.
5. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, further comprising a block update based on a multi-cloud Raft consensus mechanism, wherein, when a user initiates a new proposal in the system, the follower node proceeds as follows because the accounting right of the current blockchain is held by the leader node; the block update comprises:
(1) the follower node sends the proposal to the leader node;
(2) the leader node verifies the digital signature of the certificate; after the verification passes, it packs the received digital certificate and the operation type into a block and broadcasts the block to all follower nodes;
(3) each follower node verifies the block content and returns a response to the leader node;
(4) after the leader node has obtained responses from more than half of the nodes, it notifies all follower nodes to confirm writing of the block, and the follower nodes in each domain update the blockchain to complete the ledger update.
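The block update of claim 5 is a leader-driven majority commit over signed proposals. The Go program below is an added example, not the patent's implementation and not a Raft library: a proposer signs the operation type with an Ed25519 key, the leader verifies the signature against the certificate (modelled as a bare public key), packs the proposals with the previous block hash, lets each reachable follower re-verify the block, and commits only when more than half of all nodes have confirmed. Leader election, log replay and catch-up of lagging followers, which real Raft provides, are out of scope; the Up flag, the node set and the hash serialisation are constructed simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Proposal: operation type, proposer certificate (a bare Ed25519 public key here) and signature.
type Proposal struct {
	OpType string
	Cert   ed25519.PublicKey
	Sig    []byte
}

// Block packs verified proposals together with the previous block's hash.
type Block struct {
	PrevHash  string
	Proposals []Proposal
	Hash      string
}

// blockHash serialises with fmt for brevity; a real chain uses a canonical encoding.
func blockHash(b Block) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%v", b.PrevHash, b.Proposals)))
	return hex.EncodeToString(sum[:])
}

func lastHash(chain []Block) string {
	if len(chain) == 0 {
		return ""
	}
	return chain[len(chain)-1].Hash
}

// validSig is the step (2) certificate check; the length test keeps ed25519.Verify from panicking.
func validSig(p Proposal) bool {
	return len(p.Cert) == ed25519.PublicKeySize && ed25519.Verify(p.Cert, []byte(p.OpType), p.Sig)
}

// checkBlock is what every node verifies before accepting b on top of its own chain.
func checkBlock(chain []Block, b Block) bool {
	if len(b.Proposals) == 0 || b.PrevHash != lastHash(chain) || b.Hash != blockHash(b) {
		return false
	}
	for _, p := range b.Proposals {
		if !validSig(p) {
			return false
		}
	}
	return true
}

// Node is a leader or follower; Up is a constructed fault flag (an unreachable node never answers).
type Node struct {
	Up    bool
	Chain []Block
}

// Propose is the leader's side of steps (2) to (4): pack the proposals, broadcast the block,
// and commit only when more than half of all nodes (leader included) have confirmed.
// Followers that did not confirm keep their old chain and must catch up later.
func Propose(leader *Node, followers []*Node, props []Proposal) (Block, bool) {
	b := Block{PrevHash: lastHash(leader.Chain), Proposals: props}
	b.Hash = blockHash(b)
	if !checkBlock(leader.Chain, b) { // one bad signature rejects the whole batch
		return b, false
	}
	var acks []*Node
	for _, f := range followers { // step (3): each reachable follower re-verifies
		if f.Up && checkBlock(f.Chain, b) {
			acks = append(acks, f)
		}
	}
	if (len(acks)+1)*2 <= len(followers)+1 {
		return b, false
	}
	leader.Chain = append(leader.Chain, b)
	for _, f := range acks {
		f.Chain = append(f.Chain, b)
	}
	return b, true
}

// GenKey and SignProposal are the proposer's side.
func GenKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not return errors
	return priv
}
func SignProposal(priv ed25519.PrivateKey, opType string) Proposal {
	return Proposal{OpType: opType, Cert: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, []byte(opType))}
}

func main() {
	leader, fs := &Node{Up: true}, []*Node{{Up: true}, {Up: true}, {Up: false}}
	b, ok := Propose(leader, fs, []Proposal{SignProposal(GenKey(), "upload")})
	fmt.Println("committed:", ok, "hash:", b.Hash)
}
```

The majority test counts the leader as one of the nodes, so with one leader and four followers three confirmations are needed; a follower that is reachable but whose chain is stale rejects the block because its PrevHash does not match, which is exactly the node that needs the catch-up step left out here.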
6. A data cross-chain access control system under a multi-chain scene for implementing the data cross-chain access control method under the multi-chain scene according to any one of claims 1 to 5, wherein the data cross-chain access control system under the multi-chain scene comprises:
the user module consists of user entities, is an actual participant of data calling, and is used for registering user identities, accessing data and uploading data;
the multi-chain autonomous module consists of a plurality of service autonomous domains D and is responsible for user identity registration and attribute issuance, for generating and distributing the keys for attribute encryption, and at the same time for recording data information, and each domain has a data information chain and an access record chain which are independently maintained;
the data storage module consists of a cloud service provider CSP with strong computing capacity and large storage capacity and other Internet of things equipment and is used for being responsible for data storage and downloading services.
7. The system according to claim 6, wherein the user module includes an authentication unit for user identity registration and attribute assignment, an operation unit for uploading, downloading, modifying data and similar operations according to the user's operation requirements, and an access record chain ARC for recording a user's access request and the corresponding result;
the access record chain ARC comprises a data access user DU, a domain D where the access user is located, data access time FileTime, a domain FileAddr where the data is located and an access result AccessResult;
the multi-chain autonomous module comprises a consensus mechanism which adopts a Raft protocol to enable all nodes in a domain to achieve consensus, a relay chain which is used for performing cross-chain calling and inter-domain differentiated attribute mapping, and a file information chain FIC which is used for maintaining meta-information of data uploaded by a data owner DO;
the file information chain FIC comprises the domain FileAddr where the data is located, the data keyword set Keywords, the hash value hash of the encrypted file and the ciphertext ET(k) obtained by encrypting the symmetric file key used for the user's encrypted file with the ciphertext-policy attribute-based encryption CP-ABE;
and the data storage module is used for storing the data which is encrypted and uploaded by the data owner DO, receiving the request of the data visitor DU and providing ciphertext downloading service.
8. A computer device, characterized in that the computer device comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to carry out the steps of:
(1) a registration stage: a user or Internet of Things device in each domain performs identity registration and authentication in its home domain to acquire identity attribute information;
(2) data uploading: a data owner DO generates a random file key k, executes the symmetric encryption algorithm AES with the key k to encrypt plaintext data M into a ciphertext C, uploads the ciphertext C to a server for storage, and records the metadata information of the data M;
(3) data uplink: the data owner DO sets the policy tree T of the data access structure, executes the CP-ABE algorithm to encrypt the key k under the access policy, generating ET(k), and updates the metadata information, the access policy and ET(k) of the second step as a block to the data information chain;
(4) data access: the data requester DU initiates a data access request in its domain D1; if cross-domain data is involved, D1 applies for cross-chain access to the domain D2 where the data is located by calling a relay chain; D2 evaluates the applicant, and if the evaluation succeeds, D2 transmits the ciphertext data to the DU;
(5) access record uplink: after the access control decision of the fourth step is finished, the domain where the data is located records the access request and the related information about its result on the chain for subsequent query and audit;
(6) data acquisition: the DU decrypts ET(k) in the data information chain by using the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k by using the AES algorithm to obtain the plaintext data M;
the data cross-chain calling comprises the following steps:
(1) when cross-chain access is performed, the application chain A in domain D1 sends a cross-chain access request to the application chain B of the autonomous domain D2;
(2) the application chain A carries out cross-chain access by calling the relay chain, the relay chain carries out identity authentication and validity confirmation on the access chain, and the attribute of the domain D1 is mapped into the attribute of the domain D2 through attribute mapping, so that a requester obtains the attribute of the domain D2;
(3) the relay chain generates a public and private key pair issued by the D2 according to the mapped D2 attribute set, distributes the public and private key pair to a data requester, and forwards a call request to an application chain B;
(4) the application chain B transmits the ciphertext data message to the data requestor.
9. An information data processing terminal, characterized in that the information data processing terminal is used for implementing the data cross-chain access control system in the multi-chain scenario as claimed in any one of claims 6 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110486731.1A CN113364735B (en) 2021-05-01 2021-05-01 Data cross-link access control method, system, equipment and terminal under multi-link scene

Publications (2)

Publication Number Publication Date
CN113364735A (en) 2021-09-07
CN113364735B (en) 2022-08-19

Family

ID=77525723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110486731.1A Active CN113364735B (en) 2021-05-01 2021-05-01 Data cross-link access control method, system, equipment and terminal under multi-link scene

Country Status (1)

Country Link
CN (1) CN113364735B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113722285B (en) * 2021-11-03 2022-02-11 江苏荣泽信息科技股份有限公司 Multi-chain-based cross-chain distributed file storage and verification system
CN113837760B (en) * 2021-11-25 2022-08-26 腾讯科技(深圳)有限公司 Data processing method, data processing device, computer equipment and storage medium
CN114374700B (en) * 2022-01-10 2024-05-03 之江实验室 Trusted identity management method supporting wide area collaboration based on master-slave multiple chains
CN114465730A (en) * 2022-01-10 2022-05-10 浙商银行股份有限公司 Internet of things equipment mutual authentication method and device based on block chain technology
CN114528346B (en) * 2022-01-27 2023-01-13 中科大数据研究院 Method for sharing transaction of multi-source heterogeneous data assets by depending on block chain
CN114531305B (en) * 2022-04-23 2022-07-19 东南大学 Block chain cross-chain supervision method for chain management
CN114553604B (en) * 2022-04-26 2022-07-08 南京邮电大学 Internet of things terminal node access control method
CN114745198A (en) * 2022-05-05 2022-07-12 杭州云象网络技术有限公司 File management method, system and device based on block chaining operation and maintenance management
CN114866328A (en) * 2022-05-23 2022-08-05 南京理工大学 Block chain-based cross-domain access control method and system in edge computing environment
CN116800435B (en) * 2023-08-21 2023-12-19 成都信息工程大学 Access control method, system and storage medium based on zero knowledge proof and cross-chain
CN117914627A (en) * 2024-03-15 2024-04-19 北方健康医疗大数据科技有限公司 Data element circulation system based on DMZ network architecture

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112487443A (en) * 2020-11-11 2021-03-12 昆明理工大学 Energy data fine-grained access control method based on block chain

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003889B (en) * 2020-07-10 2022-11-08 南京邮电大学 Distributed cross-link system and cross-link information interaction and system access control method
CN112532591B (en) * 2020-11-06 2022-03-11 西安电子科技大学 Cross-domain access control method, system, storage medium, computer equipment and terminal
CN112287029B (en) * 2020-11-17 2023-05-16 北京物资学院 Block chain multi-chain cross-chain system and implementation mechanism thereof
CN112637189B (en) * 2020-12-18 2022-06-24 重庆大学 Multi-layer block chain cross-domain authentication method in application scene of Internet of things

Also Published As

Publication number Publication date
CN113364735A (en) 2021-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant