CN114124404A - Data processing method, device, server and storage medium - Google Patents

Data processing method, device, server and storage medium Download PDF

Info

Publication number
CN114124404A
CN114124404A CN202111342923.1A CN202111342923A CN114124404A CN 114124404 A CN114124404 A CN 114124404A CN 202111342923 A CN202111342923 A CN 202111342923A CN 114124404 A CN114124404 A CN 114124404A
Authority
CN
China
Prior art keywords
identifier
key
terminal
group
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111342923.1A
Other languages
Chinese (zh)
Other versions
CN114124404B (en
Inventor
任梦璇
薛淼
刘千仞
任杰
王光全
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202111342923.1A priority Critical patent/CN114124404B/en
Publication of CN114124404A publication Critical patent/CN114124404A/en
Application granted granted Critical
Publication of CN114124404B publication Critical patent/CN114124404B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data processing method, a data processing device, a server and a storage medium, relates to the technical field of communication, and solves the technical problem that a terminal in the prior art may not be capable of effectively generating a digital signature and/or storing data acquired by the terminal; since generating the digital signature is a data processing process, the efficiency of data processing can be improved. The method comprises the following steps: acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first secret key group; acquiring a first private key and a preset hash algorithm based on the identifier of the first key group; generating a target digital signature of the original data based on the original data, the preset hash algorithm and a first private key; and sending a target data group to first service equipment, wherein the target data group comprises the original data and the target digital signature, and the first service equipment is service equipment corresponding to the first application program.

Description

Data processing method, device, server and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data method, an apparatus, a server, and a storage medium.
Background
At present, a terminal may perform data encryption calculation on acquired data to generate a digital signature, and the terminal may store the acquired data and the digital signature, and then verify whether the acquired data is tampered or not based on a corresponding public key.
However, in the above method, because some terminals have limited storage capacity and computing capacity, the terminal may not be able to effectively generate a digital signature and/or store data collected by the terminal, and since generating a digital signature is a data processing process, the efficiency of data processing may be reduced, thereby affecting the accuracy of data verification.
Disclosure of Invention
The invention provides a data processing method, a data processing device, a server and a storage medium, and solves the technical problem that in the prior art, due to the fact that the storage capacity and the computing capacity of a terminal are limited, the terminal may not be capable of effectively generating a digital signature and/or storing data collected by the terminal, and the data processing efficiency is reduced.
In a first aspect, the present invention provides a data processing method, including: acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program; acquiring a first private key and a preset hash algorithm based on the identifier of the first secret key group, wherein the first private key is a private key included in the first secret key group; generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key; and sending a target data group to first service equipment, wherein the target data group comprises the original data and the target digital signature, and the first service equipment is service equipment corresponding to the first application program.
In a second aspect, the present invention provides a data processing method, including: receiving a target data group sent by a data gateway, wherein the target data group comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first private key group, the first private key group is a private key group corresponding to both an identifier of the first terminal group and an identifier of the first application program, and the first terminal group is a terminal group corresponding to the first terminal; sending a data verification account book query request to the block chain management device, wherein the data verification account book query request comprises the identifier of the first terminal group and the identifier of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program; receiving a data verification account book query response sent by the block chain management device, wherein the data verification account book query response comprises a first public key, the first public key is a public key included in the first secret key group, and the first public key is determined by the block chain management device based on the identifier of the first terminal group and the identifier of the first application program; and determining whether the original data has abnormality or not based on the target digital signature, the first public key and the preset hash algorithm.
In a third aspect, the present invention provides a data processing method, including: receiving a key distribution request sent by a first service device, wherein the key distribution request comprises identifiers of a plurality of terminal groups and identifiers of first application programs, the terminal groups are terminal groups corresponding to the first service device, one terminal group comprises at least one terminal, the first application program is an application program corresponding to the first service device, and the key distribution request is used for requesting to distribute keys to the terminal groups; distributing key groups for the plurality of terminal groups, wherein the key group corresponding to one terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application program; sending a key distribution response to the first service device, wherein the key distribution response comprises identifiers of key groups corresponding to the plurality of terminal groups; storing the identifiers of the plurality of terminal groups, the identifier of the first application program and the public keys corresponding to the plurality of terminal groups into a data integrity verification account book, and sending the private keys corresponding to the plurality of terminal groups and the identifiers of the key groups corresponding to the plurality of terminal groups to a data gateway, wherein the public key corresponding to one terminal group is a public key included in the key group corresponding to both the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in the key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
In a fourth aspect, the present invention provides a data processing apparatus comprising: the device comprises an acquisition module, a processing module and a sending module; the acquiring module is used for acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program; the obtaining module is further configured to obtain a first private key and a preset hash algorithm based on the identifier of the first secret key set, where the first private key is a private key included in the first secret key set; the processing module is used for generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key; the sending module is configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
In a fifth aspect, the present invention provides a data processing apparatus comprising: the device comprises a receiving module, a sending module, a processing module and a determining module; the receiving module is used for receiving a target data group sent by a data gateway, wherein the target data group comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first private key group, the first private key group is a private key group corresponding to both an identifier of the first terminal group and an identifier of the first application program, and the first terminal group is a terminal group corresponding to the first terminal; the sending module is used for sending a data verification account book query request to the blockchain management device, wherein the data verification account book query request comprises the identifier of the first terminal group and the identifier of the first application program, and the data verification account book query request is used for requesting to acquire public keys corresponding to the identifier of the first terminal group and the identifier of the first application program; the receiving module is further configured to receive a data verification account book query response sent by the block chain management device, where the data verification account book query response includes a first public key, the first public key is a public key included in the first secret key group, and the first public key is determined by the block chain management device based on the identifier of the first terminal group and the identifier of the first application program; the determining module is configured to determine whether the original data is abnormal based on the target digital signature, the first public key, and the preset hash algorithm.
In a sixth aspect, the present invention provides a data processing apparatus comprising: the device comprises a receiving module, a processing module, a sending module and a storage module; the receiving module is configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of multiple terminal groups and identifiers of first applications, the multiple terminal groups are terminal groups corresponding to the first service device, a terminal group includes at least one terminal, the first application is an application corresponding to the first service device, and the key allocation request is used to request that keys are allocated to the multiple terminal groups; the processing module is used for allocating key groups to the plurality of terminal groups, wherein the key group corresponding to one terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application program; the sending module is configured to send a key distribution response to the first service device, where the key distribution response includes identifiers of key groups corresponding to the plurality of terminal groups; the storage module is used for storing the identifiers of the plurality of terminal groups, the identifier of the first application program and the public keys corresponding to the plurality of terminal groups into a data integrity verification account book; the sending module is further configured to send, to the data gateway, the respective private keys corresponding to the plurality of terminal groups and the respective identifiers of the key groups corresponding to the plurality of terminal groups, where a public key corresponding to a terminal group is a public key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application, and a private key corresponding to a terminal group is a private key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
In a seventh aspect, the present invention provides a server, including: a processor and a memory configured to store processor-executable instructions; wherein the processor is configured to execute the instructions to implement any of the above-described optional data processing methods of the first aspect, or to implement any of the above-described optional data processing methods of the second aspect, or to implement any of the above-described optional data processing methods of the third aspect.
In an eighth aspect, the present invention provides a computer-readable storage medium having stored thereon instructions, which, when executed by an apparatus, enable the apparatus to perform any of the above-mentioned first aspect optional data processing methods, or perform any of the above-mentioned second aspect optional data processing methods, or perform any of the above-mentioned third aspect optional data processing methods.
According to the data processing method, the data processing device, the server and the storage medium, the data gateway can acquire original data acquired by a first application program in the first terminal, the identifier of the first terminal group and the identifier of the first secret key group; the data gateway may then obtain a first private key (i.e., a private key included in the first key set) and a preset hash algorithm based on the identity of the first key set, and generate a target digital signature of the original data based on the original data, the preset hash algorithm, and the first private key. And the data gateway may send the target data set (including the original data and the target digital signature) to the first service device. In the embodiment of the present invention, a process of computing and encrypting original data (i.e., a process of generating a target digital signature) may be performed in the data gateway, and the generation of the target digital signature is generated based on a unique private key (i.e., a first private key) corresponding to both the identifier of the first terminal group and the identifier of the first application program, which may ensure that the data gateway may accurately and effectively compute and generate the digital signature. In addition, the data gateway may further send a target data group including the original data and the target digital signature to the first service device (i.e., the service device corresponding to the first application), so that the first service device may effectively verify the integrity of the original data after receiving the target data group, and may improve the accuracy of data verification.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a block diagram of a network architecture of a data processing system according to an embodiment of the present invention;
fig. 2 is a hardware schematic diagram of a server according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
fig. 4 is a schematic internal structure diagram of a data gateway according to an embodiment of the present invention;
FIG. 5 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 6 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 7 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 8 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 9 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 10 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 11 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 12 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
FIG. 13 is a flow chart illustrating another data processing method according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 15 is a block diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 16 is a block diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 17 is a block diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 18 is a block diagram of another data processing apparatus according to an embodiment of the present invention;
fig. 19 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present invention.
Detailed Description
Hereinafter, a data processing method, an apparatus, a server, and a storage medium according to embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
The term "and/or" as used herein includes the use of either or both of the two methods.
In the description of the present application, the meaning of "a plurality" means two or more unless otherwise specified.
Based on the description in the background art, since the storage capacity and the computing capacity of the terminal in the prior art are limited, the terminal may not be able to effectively compute and generate the digital signature and/or store the data collected by the terminal, which may reduce the efficiency of data processing, thereby affecting the accuracy of data verification. Based on this, embodiments of the present invention provide a data processing method, an apparatus, a server, and a storage medium, where a computation encryption process of original data (i.e., a process of generating a target digital signature) may be performed in the data gateway, and the generation of the target digital signature is generated based on a unique private key (i.e., a first private key) corresponding to both an identifier of the first terminal group and an identifier of the first application program, so as to ensure that the data gateway can accurately and effectively compute and generate the digital signature, and since the digital signature can be used for integrity verification of data, the process can also ensure that the data gateway can completely store the original data, and can improve validity of data processing. In addition, the data gateway may further send a target data group including the original data and the target digital signature to the first service device (i.e., the service device corresponding to the first application), so that the first service device may effectively verify the integrity of the original data after receiving the target data group, and may improve the accuracy of data verification.
The data processing method, apparatus, server and storage medium provided in the embodiments of the present invention may be applied to a data processing system, as shown in fig. 1, where the data processing system includes a terminal 101, a service device 102, a blockchain management device 103, a data gateway 104 and a data consumer device 105. In general, in practical applications, the connections between the above-mentioned devices or service functions may be wireless connections, and fig. 1 illustrates the connections between the devices by solid lines for convenience of intuitively representing the connections between the devices.
Wherein an application (e.g., a first application) in the terminal 101 may collect raw data and send the raw data to the data gateway 104. The first application is an application installed in the terminal 101 and corresponding to the service device 102.
The business device 102 may manage the first application. In this embodiment of the present invention, the service device 102 may further receive a target data set sent by the data gateway 104, where the target data set includes the original data and a target digital signature of the original data, and the target digital signature is used to verify the integrity of the original data. Specifically, the service management device 102 may determine whether there is an anomaly in the original data based on the target digital signature, a certain public key (e.g., a first public key) obtained from the blockchain management device 103, and a preset hash algorithm.
The blockchain management device 103 may assign an identifier to the service device 102 (and/or the data consumer device 105), for example, the identifier of the service device 102 may be an identifier of an application program (i.e., the first application program) corresponding to the service device 102. In this embodiment of the present invention, the blockchain management device 103 may further receive a key allocation request sent by the service device 102, and allocate a key group to a plurality of terminal groups, where a key group corresponding to a specific terminal group is a key group corresponding to both an identifier of the terminal group and an identifier of the first application. The blockchain management device 103 may further store a data integrity verification ledger, specifically, store public keys corresponding to the plurality of terminal groups, and after receiving the data verification ledger query request sent by the service device 102, the blockchain management device 103 may obtain, based on the identifier of the first terminal group and the identifier of the first application program, a public key (i.e., a first public key) corresponding to both the identifier of the first terminal group and the identifier of the first application program from the data integrity verification ledger, and send the first public key to the service device 102.
The data gateway 104 may receive raw data collected by the terminal 101 from a first application in the terminal 101. In this embodiment of the present invention, the data gateway 104 may further store the private keys corresponding to the multiple terminal groups and the identifiers of the key groups corresponding to the multiple terminal groups, and when the data gateway 104 acquires the identifier of the first terminal group and the identifier of the first key group, the data gateway may generate a target digital signature of the original data based on the original data, the preset hash algorithm, and the first private key, and send the original data and the target digital signature to the service device 102.
Data consumer device 105 may receive an identification assigned to it by blockchain management device 103. In this embodiment of the present invention, the data consumer device 105 may further receive the target data set (including the original data and the target digital signature) sent by the data gateway 104. In particular, the data consumer device 105, after receiving the original data and the target digital signature, can determine whether there is an anomaly in the original data.
It should be noted that 1 terminal, 1 service device, 1 blockchain management device, 1 data gateway, and 1 data consumer device shown in fig. 1 are only an example in the embodiment of the present invention. The number of the above-mentioned devices is not specifically limited in the embodiments of the present invention.
In this embodiment of the present invention, the terminal 101 shown in fig. 1 may be: a mobile phone, a tablet Computer, a notebook Computer, an Ultra-mobile Personal Computer (UMPC), a netbook or a Personal Digital Assistant (PDA), an internet of things terminal (such as an inspection robot or an industrial sensor), and the like.
For example, the data gateway (e.g., data gateway 104 in fig. 1) executing the data processing method provided by the embodiment of the present invention may be a server. Fig. 2 is a schematic diagram of a hardware structure of a server according to an embodiment of the present invention. As shown in fig. 2, the server 20 includes a processor 201, a memory 202, a network interface 203, and the like.
The processor 201 is a core component of the server 20, and the processor 201 is configured to run an operating system of the server 20 and application programs (including a system application program and a third-party application program) on the server 20, so as to implement the data processing method performed by the server 20.
In this embodiment, the processor 201 may be a Central Processing Unit (CPU), a microprocessor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, which is capable of implementing or executing various exemplary logic blocks, modules, and circuits described in connection with the disclosure of the embodiment of the present invention; a processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like.
Optionally, the processor 201 of the server 20 includes one or more CPUs, which are single-core CPUs (single-CPUs) or multi-core CPUs (multi-CPUs).
The memory 202 includes, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical memory, or the like. The memory 202 holds the code for the operating system.
Optionally, the processor 201 implements the data processing method in the embodiment of the present invention by reading the instruction stored in the memory 202, or the processor 201 implements the data processing method provided in the embodiment of the present invention by using an instruction stored inside. In the case where the processor 201 implements the data processing method provided by the embodiment of the present invention by reading the execution saved in the memory, the memory stores instructions for implementing the data processing method provided by the embodiment of the present invention.
The network interface 203 is a wired interface, such as a Fiber Distributed Data Interface (FDDI) interface or a Gigabit Ethernet (GE) interface. Alternatively, the network interface 203 is a wireless interface. The network interface 203 is used for the server 20 to communicate with other devices.
The memory 202 is used for storing raw data of the first terminal, an identification of the first terminal group and an identification of the first key group. The at least one processor 201 further performs the method according to the embodiment of the present invention according to the original data of the first terminal, the identifier of the first terminal group and the identifier of the first key group stored in the memory 202. For more details of the above functions implemented by the processor 201, reference is made to the following description of various method embodiments.
Optionally, the server 20 further includes a bus, and the processor 201 and the memory 202 are connected to each other through the bus 204, or in other manners.
Optionally, the server 20 further comprises an input/output interface 205, wherein the input/output interface 205 is configured to connect to an input device, and receive a digital signature generation request input by a user through the input device. Input devices include, but are not limited to, a keyboard, a touch screen, a microphone, and the like. The input/output interface 205 is also used for connecting with an output device, and outputting the digital signature generation result (i.e. generating the target digital signature) of the processor 201. Output devices include, but are not limited to, a display, a printer, and the like.
In the embodiment of the present invention, the hardware structure of the service device (e.g., the service device 102 in fig. 1) and the hardware structure of the blockchain management device (e.g., the blockchain management device 103 in fig. 1) are similar to the hardware structure of the server 20 shown in fig. 2, and the description of the hardware structure of the service device and the hardware structure of the blockchain management device may refer to the description of the hardware structure of the server 20, which is not described in detail herein.
The data processing method, the data processing device, the server and the storage medium provided by the embodiment of the invention are applied to an application scene of data processing (specifically, calculating and generating a digital signature for data acquired by a terminal and storing the acquired data and the digital signature). When the data gateway obtains original data acquired by a first application program in the first terminal, an identifier of the first terminal group, and an identifier of the first key group, a first private key and a preset hash algorithm may be obtained based on the identifier of the first key group, a target digital signature of the original data may be generated based on the original data, the hash algorithm, and the first private key, and the original data and the target digital signature may be sent to the first service device. The calculation encryption process of the original data (i.e. the process of generating the target digital signature) can be performed in the data gateway, and the generation of the target digital signature is generated based on a unique private key (i.e. the first private key) corresponding to both the identifier of the first terminal group and the identifier of the first application program, so that the data gateway can be ensured to accurately and effectively calculate and generate the digital signature, and the process can also ensure that the data gateway can completely store the original data because the digital signature can be used for the integrity check of the data, thereby improving the effectiveness of data processing. In addition, the data gateway may further send a target data group including the original data and the target digital signature to the first service device (i.e., the service device corresponding to the first application), so that the first service device may effectively verify the integrity of the original data after receiving the target data group, and may improve the accuracy of data verification.
As shown in fig. 3, when the data processing method is applied to the data gateway 104, the data processing method provided by the embodiment of the present invention may include S101 to S104.
S101, the data gateway obtains original data collected by a first application program in the first terminal, the identifier of the first terminal group and the identifier of the first key group.
The first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application.
It should be understood that the first terminal may include (or install) a plurality of applications, the first application is one of the plurality of applications, the first application is an application corresponding to (or provided by) a certain service device (e.g., a first service device), and it may also be understood that the first service device is used for managing the first application.
It is understood that the raw data of the first terminal is specifically raw data collected by the first application installed in the first terminal, and the raw data may be environment data collected by the first application and/or log data generated by the first application, and the like. After acquiring the original data, the first terminal may want a data gateway to send the original data, so that the data gateway may acquire the original data.
In the embodiment of the present invention, one terminal group may correspond to (or include) at least one terminal, and the first terminal is one of the at least one terminal corresponding to the first terminal group.
S102, the data gateway obtains a first private key and a preset hash algorithm based on the identification of the first private key group.
The first private key is a private key included in the first key set.
It should be understood that, the data gateway may store therein identifiers of a plurality of key sets and private keys corresponding to the identifiers of the plurality of key sets, and after obtaining the identifier of the first key set, the data gateway may determine and obtain the first private key from the private keys corresponding to the identifiers of the plurality of key sets based on the identifier of the first key set.
In an implementation manner of the embodiment of the present invention, the data gateway may further obtain an identifier of the first application, and determine the first key group from the plurality of key groups based on the identifier of the first terminal group and the identifier of the first application (i.e., obtain the identifier of the first key group), so as to further obtain the first private key.
Optionally, the preset hash algorithm may be obtained by the data gateway based on the identifier of the first secret key group, that is, the preset hash algorithm is a hash algorithm corresponding to the first secret key group; the predetermined hash algorithm may also be a fixed hash algorithm, that is, the hash algorithms used by the plurality of key sets are the same.
S103, the data gateway generates a target digital signature of the original data based on the original data, a preset hash algorithm and the first private key.
Specifically, the data gateway may generate a third digest based on the original data and the preset hash algorithm, and then generate the target digital signature based on the third digest and the first private key.
S104, the data gateway sends the target data group to the first service equipment.
The target data group comprises the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
It should be understood that the data gateway sends the target data group to the first service device, so that the first service device may receive the target data group, and then the first service device may verify the obtained original data, that is, verify whether the original data has an abnormal condition, for example, determine whether the original data is tampered or not.
In an implementation manner of the embodiment of the present invention, the data gateway may further send the target data group to a certain data consumer device, so that the data consumer device may obtain the original data and the target digital signature of the original data, and determine whether the original data is abnormal.
As shown in fig. 4, the data gateway provided in the embodiment of the present invention may include an interface Ia, an interface Ib, a plug-in management module, a key management module, and a block link node module.
The interface Ia and the interface Ib are respectively configured to receive the original data sent by the first terminal and send the target data set to a first service device (or a data consumer device).
The plug-in management module may include a plurality of application plug-ins (e.g., application plug-in 1), the application plug-in 1 may be a plug-in of the first application, and the data gateway may install the plug-in of the first application in the plug-in management module. The first plug-in may receive (for example, receive through the interface Ia) original data sent by the first terminal, and generate the target digital signature by combining a private key obtained from the key management module and a preset algorithm.
The key management module may include a private key (e.g., private key 1) included in each of the plurality of private key sets and a hash algorithm (e.g., hash algorithm 1) of each of the plurality of private keys, and may further send the private key 1 and the hash algorithm 1 to the plug-in management module.
The block link node module is configured to transmit a private key included in each of a plurality of key sets (specifically, the private keys are transmitted to the key management module of the data gateway) sent by the block link management device. The block chain node module is also used for performing uplink storage on the use data of a plurality of private keys.
The technical scheme provided by the embodiment can at least bring the following beneficial effects: as can be seen from S101 to S104, the data gateway may obtain original data acquired by a first application program in the first terminal, an identifier of the first terminal group, and an identifier of the first secret key group; the data gateway may then obtain a first private key (i.e., a private key included in the first key set) and a preset hash algorithm based on the identity of the first key set, and generate a target digital signature of the original data based on the original data, the preset hash algorithm, and the first private key. And the data gateway may send the target data set (including the original data and the target digital signature) to the first service device. In the embodiment of the present invention, a process of computing and encrypting original data (i.e., a process of generating a target digital signature) may be performed in the data gateway, and the generation of the target digital signature is generated based on a unique private key (i.e., a first private key) corresponding to both the identifier of the first terminal group and the identifier of the first application program, which may ensure that the data gateway may accurately and effectively compute and generate the digital signature. In addition, the data gateway may further send a target data group including the original data and the target digital signature to the first service device (i.e., the service device corresponding to the first application), so that the first service device may effectively verify the integrity of the original data after receiving the target data group, and may improve the accuracy of data verification.
With reference to fig. 3, as shown in fig. 5, the data processing method provided in the embodiment of the present invention may further include S105-S106.
S105, the data gateway acquires the first use certificate.
The first user certificate is a key user certificate corresponding to the first secret key set.
It should be understood that the data gateway may use a key corresponding to the first usage certificate, specifically, a first private key included in the first secret key set, based on a certain secret key usage certificate (e.g., the first usage certificate).
S106, the data gateway determines whether the first use certificate is the same as the second use certificate.
The second use certificate is a key use certificate corresponding to the first application program.
It is to be understood that, a key usage certificate corresponding to an application (e.g., a first application), specifically, a key usage certificate corresponding to data collected by the first application (i.e., the above-mentioned original data), the data gateway may use a corresponding private key based on the corresponding key usage certificate (e.g., the second usage certificate) to encrypt the original data.
In the embodiment of the present invention, the data gateway may obtain the corresponding private key (that is, the private key corresponding to the key usage certificate) only when obtaining the key usage certificate that is the same as the key usage certificate corresponding to the original data, thereby completing the encryption process of the original data.
In one case, when the first usage certificate is the same as the second usage certificate, it indicates that the key usage certificate corresponding to the first secret key set is the same as the key usage certificate corresponding to the original data, and the data gateway may encrypt the original data using a private key (i.e., a first private key) included in the first secret key set to generate the target digital signature.
In another case, when the first usage certificate is different from the second usage certificate, it indicates that the key usage certificate corresponding to the first secret key set is different from the key usage certificate corresponding to the original data, and the data gateway cannot encrypt the original data using the first private key.
Continuing with fig. 5, obtaining the first private key based on the identifier of the first key includes S1021.
And S1021, when the first use certificate is the same as the second use certificate, the data gateway acquires the first private key based on the identifier of the first private key set.
In conjunction with the above description of the embodiment, it should be understood that when the first usage certificate is the same as the second usage certificate, it indicates that the key usage certificate corresponding to the first secret key set is the same as the key usage certificate corresponding to the original data, and the data gateway may obtain and use the first private key.
With reference to fig. 3, as shown in fig. 6, the data processing method according to the embodiment of the present invention further includes S107.
S107, the data gateway acquires the identifier of the first terminal and the identifier of the first application program.
Continuing with fig. 6, the acquiring the identifier of the first terminal group and the identifier of the first secret key group may specifically include S1011 to S1012.
And S1011, the data gateway sends an information acquisition request to the first service equipment.
The information obtaining request includes an identifier of the first terminal and an identifier of the first application, and the information obtaining request is used for requesting to obtain the identifier of the first terminal group and the identifier of the first key group.
S1012, the data gateway receives the information acquisition response sent by the first service device.
The information obtaining response includes an identifier of the first terminal group and an identifier of the first key group, the identifier of the first terminal group is obtained by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
It should be understood that, after receiving the information acquisition request sent by the data gateway, the first service device may acquire the identifier of the first terminal group based on the identifier of the first terminal included in the information acquisition request, further acquire the identifier of the first secret key group, and then send an information acquisition response to the data gateway. In this way, the data gateway may obtain the identifier of the first terminal group and the identifier of the first key group.
As shown in fig. 7, when the data processing method is applied to the service device 102 (i.e., the first service device) shown in fig. 1, the data processing method provided by the embodiment of the present invention may include S201 to S204.
S201, the first service equipment receives a target data group sent by the data gateway.
The target data group comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first secret key group, the first secret key group is a secret key group corresponding to an identifier of the first terminal group and an identifier of the first application program, and the first terminal group is a terminal group corresponding to the first terminal group.
In connection with the above description of the embodiments, it should be understood that the first application program in the first terminal may send the raw data to the data gateway after collecting the raw data, and the data gateway may generate a target digital signature of the raw data in connection with the preset hash algorithm and the first private key, and send a target data set including the raw data and the target digital signature to the data gateway.
S202, the first business equipment sends a data verification account book query request to the block chain management equipment.
The data verification account book query request includes an identifier of the first terminal group and an identifier of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program.
It should be understood that, the blockchain management device stores a data integrity verification ledger, the data integrity verification ledger includes public keys of a plurality of key sets, and after receiving the data verification ledger query request, the blockchain management device may query and acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application from the data integrity verification ledger based on the identifier of the first terminal group and the identifier of the first application.
S203, the first business equipment receives a data verification account book inquiry response sent by the block chain management equipment.
The data verification account book query response includes a first public key, where the first public key is a public key included in the first secret key group, and the first public key is determined by the blockchain management device based on the identifier of the first terminal group and the identifier of the first application program.
It is understood that a key set may include a private key and a public key. The data gateway may store private keys of a plurality of key sets, and the block chain management device (specifically, the data verification account book) may store public keys of the plurality of key sets.
S204, the first service equipment determines whether the original data is abnormal or not based on the target digital signature, the first public key and a preset Hash algorithm.
It should be understood that the preset hash algorithm in the embodiment of the present invention may also be a preset digest algorithm.
In an implementation manner of the embodiment of the present invention, for a certain data consumer device (for example, the data consumer device 105 in fig. 1), the data consumer device may also receive a target data group sent by a data gateway, and send the data verification book query request to a blockchain management device, so as to determine whether there is an abnormal condition in original data acquired by the data consumer device. The description of the data consumer device determining whether the original data has the abnormal condition is the same as or similar to the explanation of the first service device determining whether the original data has the abnormal condition, and is not repeated here.
The technical scheme provided by the embodiment can at least bring the following beneficial effects: as known from S201 to S204, the first service device may receive a target data group that includes original data acquired by a first application program in the first terminal and a target digital signature of the original data and is sent by the data gateway; then, the first business device may send a data verification account book query request to the blockchain management device, that is, request to acquire public keys corresponding to the identifier of the first terminal group and the identifier of the first application program, and receive a data verification account book query response including the first public key sent by the blockchain device; and then, the first service equipment determines whether the original data is abnormal or not based on the target digital signature, the first public key and a preset digest algorithm. In the embodiment of the invention, the first service device can acquire the original data and the target digital signature from the data gateway and acquire the corresponding public key (namely the first public key) from the block chain management device, so as to verify whether the original data is abnormal or not, thereby improving the efficiency of data processing and the accuracy of data verification.
With reference to fig. 7, as shown in fig. 8, in an implementation manner of the embodiment of the present invention, the determining whether the original data has an anomaly based on the target digital signature, the first public key, and the preset hash algorithm may specifically include S2041 to S2042.
S2041, the first business equipment generates a first abstract based on the target digital signature and the first public key, and generates a second abstract based on the original data and a preset hash algorithm.
S2042, under the condition that the first abstract is the same as the second abstract, the first business equipment determines that the original data is not abnormal.
It is understood that when the first digest is the same as the second digest, indicating that the storage of the original data is complete, i.e. the original data has not been tampered with, the first service device may determine that there is no anomaly in the original data.
Optionally, when the first digest is different from the second digest, it indicates that the original data is not completely saved, and the original data may have been tampered, i.e. there is an exception in the original data.
With reference to fig. 7, as shown in fig. 9, the data processing method provided in the embodiment of the present invention may further include S205-S206.
S205, the first service device sends a key distribution request to the blockchain management device.
The key allocation request includes identifiers of a plurality of terminal groups and an identifier of the first application, the terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the key allocation request is used for requesting to allocate keys to the terminal groups.
In conjunction with the description of the above embodiments, it should be understood that the first application program is an application program corresponding to the first service device. Each terminal (e.g., the first terminal) included in each of the plurality of terminal groups (e.g., the first terminal group) is a terminal in which the first application is installed.
In one aspect of the embodiment of the present invention, the first service device may divide the plurality of terminals installed with the first application program into a plurality of terminal groups according to the functional characteristics. For example, the first service device may divide the inspection robot responsible for inspection work into a terminal group, divide the sensors with the same function into a terminal group, and the like. In another case, the first service device may also divide the plurality of terminals installed with the first application into a plurality of terminal groups according to the distance (or location information) between the terminals. For example, the first service device may divide some two terminals whose distance difference is smaller than the distance threshold into one terminal group. The embodiment of the present invention does not specifically limit the manner of dividing the terminal group.
S206, the first service device receives the key distribution response sent by the block chain management device.
The key distribution response includes identifiers of key groups corresponding to the plurality of terminal groups, and the identifier of the key group corresponding to one terminal group is an identifier of the key group corresponding to both the identifier of the terminal group and the identifier of the first application.
It should be understood that the blockchain management device may receive a key allocation request sent by a plurality of service devices (including a first service device), that is, the blockchain management device needs to allocate keys not only to a plurality of terminal groups corresponding to the first service device, but also to allocate keys to terminal groups corresponding to other service devices, an identifier of a terminal group may be used to distinguish different terminal groups under the same service device, and an identifier of an application (e.g., an identifier of a first application) may be used to distinguish different service devices.
To this end, the first service device may obtain identifiers of key groups corresponding to a plurality of terminal groups corresponding to the first service device, specifically, identifiers of key groups corresponding to each of the terminal groups and an identifier of the first application, for example, identifiers of key groups corresponding to the first terminal group and the identifier of the first application (that is, identifiers of the first key groups).
With reference to fig. 7, as shown in fig. 10, the data processing method according to the embodiment of the present invention may further include S207-S210.
S207, the first service equipment receives the information acquisition request sent by the data gateway.
The information obtaining request comprises an identifier of the first terminal and an identifier of the first application program, and the information obtaining request is used for requesting to obtain the identifier of the first terminal group and the identifier of the first secret key group.
In conjunction with the description of the foregoing embodiment, it should be understood that the first terminal group is a terminal group corresponding to the first terminal (i.e., the first terminal is one of at least one terminal included in the first terminal group), the first terminal group is one of the terminal groups, and the terminal groups are terminal groups corresponding to the first service device.
S208, the first service device obtains the identifier of the first terminal group from the first corresponding relation based on the identifier of the first terminal.
The first corresponding relationship includes identifiers of a plurality of terminal groups and identifiers of terminals corresponding to the identifiers of the plurality of terminal groups.
It can be understood that the plurality of terminal groups are terminal groups corresponding to the first service device. After receiving the information acquisition request, the first service device may acquire, from the first correspondence, an identifier of the terminal group corresponding to the identifier of the first terminal based on the identifier of the first terminal included in the information acquisition request, that is, acquire the identifier of the first terminal group.
Illustratively, table 1 below is an example of a first corresponding relationship provided by an embodiment of the present invention.
As shown in table 1, the first correspondence relationship includes the identifiers of the 3 terminal groups (i.e., identifier 01, identifier 02, and identifier 03), and the identifiers of the terminals corresponding to the identifiers of the 3 terminal groups. Specifically, the identifier of the terminal corresponding to the identifier 01 includes an identifier 04, the identifier of the terminal corresponding to the identifier 02 includes an identifier 05, an identifier 06, and an identifier 07, and the identifier of the terminal corresponding to the identifier 03 includes an identifier 08 and an identifier 09.
TABLE 1
Identification of a group of terminals Identification of terminal
Mark 01 Identification 04
Identification 02 Logo 05, logo 06, logo 07
Mark 03 Mark 08 and mark 09
Assuming that the identifier of the first terminal is identifier 04, the first service device determines that the identifier of the first terminal group is identifier 01.
S209, in a case that the identifier of the key group corresponding to both the identifier of the first terminal group and the identifier of the first application exists in the second correspondence, the first service device obtains the identifier of the key group corresponding to both the identifier of the first terminal group and the identifier of the first application, and determines the obtained identifier of the key group as the identifier of the first key group.
It should be understood that the identifier of a terminal group may correspond to identifiers of a plurality of key groups, and the identifier of an application may also correspond to identifiers of a plurality of key groups. In this embodiment of the present invention, the first service device may determine, based on an identifier of a certain terminal group (for example, the first terminal group) and an identifier of a certain application program (for example, the first application program), the identifier of the first secret key group from the identifiers of the plurality of key groups stored in the second correspondence relationship.
Exemplarily, the following table 2 is an example of the second corresponding relationship provided by the embodiment of the present invention.
As shown in table 2, the identifiers of the terminal group include 3 identifiers, i.e., identifier 01, identifier 02, and identifier 03. The identifiers of the application programs include 3 identifiers, specifically an identifier 11, an identifier 12, and an identifier 13. The identities of the 4 key sets are identity 16, identity 17, identity 18 and identity 19, respectively. The identifier of the key set corresponding to each of the identifiers 01 and 11 is an identifier 16, the identifier of the key set corresponding to each of the identifiers 01 and 12 is an identifier 17, the identifier of the key set corresponding to each of the identifiers 02 and 11 is an identifier 18, and the identifier of the key set corresponding to each of the identifiers 03 and 13 is an identifier 19.
TABLE 2
Identification of a group of terminals Identification of applications Identification of key set
Mark 01 Sign 11 Sign 16
Mark 01 Sign 12 Sign 17
Identification 02 Sign 11 Sign 18
Mark 03 Sign 13 Sign 19
With reference to the example in table 1, assuming that the identifier of the first application is identifier 12, the first service device determines that the identifier of the first secret key set is identifier 17.
S210, the first service equipment sends an information acquisition response to the data gateway.
Wherein the information acquisition response includes the identifier of the first terminal group and the identifier of the first key group.
To this end, the data gateway may receive the identifier of the first terminal group and the identifier of the first key group sent by the first service device.
As shown in fig. 11, when the data processing method is applied to the blockchain management device 103 shown in fig. 1, the data processing method provided by the embodiment of the present invention may include S301 to S304.
S301, the block chain management device receives a key distribution request sent by the first service device.
The key allocation request includes identifiers of a plurality of terminal groups and identifiers of a first application program, the terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, the first application program is an application program corresponding to the first service device, and the key allocation request is used for requesting to allocate keys to the terminal groups.
S302, the blockchain management device allocates key groups to the plurality of terminal groups.
The key group corresponding to one terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
In connection with the above description of the embodiments, it should be understood that a key set includes a private key and a public key. The block chain management device allocates key groups to the plurality of terminal groups, that is, allocates private keys and public keys to the plurality of terminal groups.
Alternatively, the blockchain management device may allocate different key sets to the plurality of terminal groups, or may allocate the same key set to the plurality of terminal groups. In the embodiment of the present disclosure, the block chain device is used to allocate different key sets to the plurality of terminal sets.
S303, the blockchain management device sends a key distribution response to the first service device.
The key distribution response includes the identifier of the key group corresponding to each of the plurality of terminal groups.
In conjunction with the above description of the embodiment, it should be understood that the identifier of the key group corresponding to each terminal group in the plurality of terminal groups is an identifier of a key group corresponding to both the identifier of each terminal group and the identifier of the first application.
It is to be understood that the key allocation response is used to notify the first service device that the key group (or key) allocation corresponding to each of the plurality of terminal groups is successful. The block chain management device sends the identifier of the key group corresponding to each of the plurality of terminal groups to the first service device, so that the data gateway can obtain the identifier of the key group corresponding to each of the plurality of terminal groups (for example, the identifier of the first key group) from the first service device.
S304, the block chain management device stores the identifiers of the terminal groups, the identifier of the first application program and the public keys corresponding to the terminal groups to a data integrity verification account book, and sends the private keys corresponding to the terminal groups and the identifiers of the key groups corresponding to the terminal groups to the data gateway.
The public key corresponding to one terminal group is a public key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
In conjunction with the description of the above embodiments, it should be understood that the plurality of terminal groups are terminal groups corresponding to the first service device, and the first application program is an application program corresponding to the first service device. The key group corresponding to each terminal group in the plurality of terminal groups is a key group corresponding to the identifier of each terminal group and the identifier of the first application program, and one key group comprises a private key and a public key.
The data integrity verification ledger is used for storing (or may include) a public key corresponding to each of the plurality of terminal groups, so that the first service device (or the data user device) may obtain a certain public key (for example, a first public key) from the blockchain management device (specifically, the data integrity verification ledger).
Optionally, the data integrity verification ledger may further include an identifier of a key set corresponding to each of the plurality of terminals.
It should be noted that the execution order of S303 and S304 is not limited by the embodiment of the present invention. For example, S303 may be performed first and then S304 may be performed, or S304 may be performed first and then S303 may be performed, or S303 and S304 may be performed simultaneously. For convenience of explanation, S303 is executed first and then S304 is executed in fig. 11.
In this embodiment of the present invention, the blockchain management device may send, to the data gateway, the respective private keys corresponding to the plurality of terminal groups and the respective identifiers of the key groups corresponding to the plurality of terminal groups, so that the data gateway may obtain the respective private keys corresponding to the plurality of terminal groups and the respective identifiers of the key groups corresponding to the plurality of terminal groups, and further complete an encryption process of the original data based on the relevant private key (for example, the first private key).
The technical scheme provided by the embodiment can at least bring the following beneficial effects: as can be seen from S301-S304, the block chain management device receives a key distribution request sent by the first service device, that is, requests to distribute keys to a plurality of terminal groups corresponding to the first service device; then the blockchain management device can allocate a key group (specifically, allocate a private key and a public key) to the plurality of terminal groups; the block chain management device may send, to the first service device, a key allocation response including identifiers of key groups corresponding to the terminal groups, so that the first service device may receive identifiers of key groups (e.g., a first key group) corresponding to identifiers of each terminal group (e.g., a first terminal group) in the terminal group and identifiers of first applications, so that the data gateway may obtain the identifier of the first key group from the first service device. The blockchain management device may store the identifiers of the plurality of terminal groups, the identifier of the first application program, and the public keys corresponding to the plurality of terminal groups in a data integrity book, so that the first service device may obtain a corresponding public key (for example, a first public key) when verifying the integrity of the original data; and the blockchain management device may further send, to the data gateway, the respective private keys corresponding to the plurality of terminal groups and the identifiers of the respective key groups corresponding to the plurality of terminal groups, so that the data gateway may encrypt the original data based on the respective private keys (i.e., the first private key) to generate the target digital signature. The method and the device can accurately and effectively distribute the key group (including the private key and the public key) for the terminal group, and issue the identification of the key group, thereby improving the transmission and processing efficiency of data, and further improving the accuracy of data encryption and data verification.
With reference to fig. 11, as shown in fig. 12, the data processing method according to the embodiment of the present invention may further include S305 to S307.
S305, the block chain management device receives a data verification account book query request sent by the first business device.
The data verification account book query request is used for requesting to acquire a public key corresponding to the identifier of the first terminal group and the identifier of the first application program, and the first terminal group is one of the plurality of terminal groups.
In conjunction with the description of the above embodiments, it should be understood that the first terminal group is a terminal group corresponding to the first terminal (i.e., the terminal that collects the original data).
S306, the block chain management device obtains public keys corresponding to the identifier of the first terminal group and the identifier of the first application program from the data integrity verification account book based on the identifier of the first terminal group and the identifier of the first application program, and determines the obtained public keys as the first public keys.
The first public key is a public key included in a first secret key set, and the first secret key set is a secret key set corresponding to both the identifier of the first terminal set and the identifier of the first application program.
In combination with the description of the above embodiment, it should be understood that the block chain management device (specifically, the data integrity verification ledger) stores key groups corresponding to identifiers of a plurality of terminal groups, and specifically, for each terminal group of the plurality of terminal groups, the data integrity verification ledger stores key groups corresponding to the identifier of each terminal group and the identifier of the first application. And because one key group comprises a public key and a private key, the private key and the public key corresponding to the identifier of each terminal group and the identifier of the first application program are stored in the data integrity verification account book, and thus the block chain management device can obtain and determine the first public key from the data integrity verification account book.
S307, the block chain management device sends a data verification account book response to the first business device.
Wherein the data validation ledger response includes the first public key.
Therefore, the first service device may obtain the first public key, that is, obtain the public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, and may further complete the verification process of the original data.
As shown in fig. 13, when the data processing method is applied to the process of interaction of the respective devices in the data processing system shown in fig. 1, the data processing method may include S401 to S411.
S401, the data gateway obtains original data collected by a first application program in the first terminal, an identifier of the first terminal group and an identifier of the first key group.
The first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application.
S402, the data gateway obtains a first private key and a preset hash algorithm based on the identifier of the first private key group.
The first private key is a private key included in the first key set.
S403, the data gateway generates a target digital signature of the original data based on the original data, a preset hash algorithm and the first private key.
S404, the data gateway sends the target data group to the first service equipment.
The target data group comprises the original data and the target digital signature, and the first business device is a business device corresponding to the first application program.
S405, the first service equipment receives the target data group sent by the data gateway.
S406, the first business device sends a data verification account book query request to the block chain management device.
The data verification account book query request includes an identifier of the first terminal group and an identifier of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program.
S407, the blockchain management device receives the data verification ledger query request sent by the first business device.
S408, the blockchain management device obtains, based on the identifier of the first terminal and the identifier of the first application, a public key corresponding to both the identifier of the first terminal group and the identifier of the first application from the data integrity book, and determines the obtained public key as the first public key.
The first public key is a public key included in a first secret key set, and the first secret key set is a secret key set corresponding to both the identifier of the first terminal set and the identifier of the first application program.
S409, the block chain management device sends a data verification account book query response to the first business device.
Wherein the data validation ledger query response includes the first public key.
S410, the first business equipment receives a data verification account book inquiry response sent by the block chain management equipment.
S411, the first service device determines whether the original data is abnormal or not based on the target digital signature, the first public key and a preset hash algorithm.
It should be noted that, for the explanation in S401 to S411, reference may be made to the description of the relevant steps in the foregoing embodiment of the present invention, and details are not described here again.
In the embodiment of the present invention, the data gateway, the first service device, the block chain management device, and the like may be divided into functional modules according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, the division of the modules in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of dividing each functional module by corresponding functions, fig. 14 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the data gateway) in the foregoing embodiment, as shown in fig. 14, the data processing apparatus 30 may include: an acquisition module 301, a processing module 302 and a sending module 303.
An obtaining module 301, configured to obtain original data acquired by a first application in a first terminal, an identifier of a first terminal group, and an identifier of a first key group, where the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application.
The obtaining module 301 is further configured to obtain a first private key and a preset hash algorithm based on the identifier of the first private key set, where the first private key is a private key included in the first private key set.
A processing module 302, configured to generate a target digital signature of the original data based on the original data, the preset hash algorithm, and the first private key.
A sending module 303, configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
Optionally, the data processing apparatus 30 further comprises a determination module 304.
The obtaining module 301 is further configured to obtain a first usage certificate, where the first usage certificate is a key usage certificate corresponding to the first secret key set.
The determining module 304 is configured to determine whether the first usage certificate is the same as a second usage certificate, where the second usage certificate is a key usage certificate corresponding to the first application.
The processing module 302 is specifically configured to obtain the first private key based on the identifier of the first key set when the first usage certificate is the same as the second usage certificate.
Optionally, the data processing apparatus 30 further comprises a receiving module 305.
The obtaining module 301 is further configured to obtain an identifier of the first terminal and an identifier of the first application.
The sending module 303 is further configured to send an information obtaining request to the first service device, where the information obtaining request includes an identifier of the first terminal and an identifier of the first application, and the information obtaining request is used to request to obtain the identifier of the first terminal group and the identifier of the first key group.
A receiving module 305, configured to receive an information obtaining response sent by the first service device, where the information obtaining response includes an identifier of the first terminal group and an identifier of the first key group, the identifier of the first terminal group is obtained by the first service device based on the identifier of the first terminal, and the identifier of the first key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application.
In the case of an integrated unit, fig. 15 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the data gateway) in the above embodiment. As shown in fig. 15, the data processing apparatus 40 may include: a processing module 401 and a communication module 402. The processing module 401 may be used to control and manage the actions of the data processing apparatus 40. The communication module 402 may be used to support communication of the data processing apparatus 40 with other entities. Optionally, as shown in fig. 15, the data processing apparatus 40 may further include a storage module 403 for storing program codes and data of the data processing apparatus 40.
The processing module 401 may be a processor or a controller (for example, the processor 201 shown in fig. 2). The communication module 402 may be a transceiver, a transceiver circuit, a communication interface, etc. (e.g., may be the network interface 203 as shown in fig. 2 described above). The storage module 403 may be a memory (e.g., may be the memory 202 described above and shown in fig. 2).
When the processing module 401 is a processor, the communication module 402 is a transceiver, and the storage module 403 is a memory, the processor, the transceiver, and the memory may be connected by a bus. The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
In the case of dividing each functional module by corresponding functions, fig. 16 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the first service device) in the foregoing embodiment, as shown in fig. 16, the data processing apparatus 50 may include: a receiving module 501, a sending module 502 and a determining module 503.
The receiving module 501 is configured to receive a target data group sent by a data gateway, where the target data group includes original data acquired by a first application in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm, and a first private key, the first private key is a private key included in a first private key group, the first private key group is a private key group corresponding to both an identifier of the first terminal group and an identifier of the first application, and the first terminal group is a terminal group corresponding to the first terminal.
A sending module 502, configured to send a data verification ledger query request to the blockchain management device, where the data verification ledger query request includes the identifier of the first terminal group and the identifier of the first application, and the data verification ledger query request is used to request to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application.
The receiving module 501 is further configured to receive a data verification account book query response sent by the blockchain management device, where the data verification account book query response includes a first public key, the first public key is a public key included in the first secret key group, and the first public key is determined by the blockchain management device based on the identifier of the first terminal group and the identifier of the first application.
A determining module 503, configured to determine whether the original data has an exception based on the target digital signature, the first public key, and the preset hash algorithm.
Optionally, the data processing apparatus 50 further comprises a processing module 504.
A processing module 504 configured to generate a first digest based on the target digital signature and the first public key, and generate a second digest based on the original data and the preset hash algorithm.
The determining module 503 is specifically configured to determine that the original data has no exception when the first summary is the same as the second summary.
Optionally, the sending module 502 is further configured to send a key allocation request to the blockchain management device, where the key allocation request includes identifiers of a plurality of terminal groups and an identifier of the first application, the plurality of terminal groups are terminal groups corresponding to the first service device, and a terminal group includes at least one terminal, and the key allocation request is used to request that keys are allocated to the plurality of terminal groups.
The receiving module 501 is further configured to receive a key distribution response sent by the blockchain management device, where the key distribution response includes identifiers of key groups corresponding to the plurality of terminal groups, and an identifier of a key group corresponding to a terminal group is an identifier of a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
Optionally, the data processing apparatus 50 further comprises an obtaining module 505.
The receiving module 501 is further configured to receive an information obtaining request sent by the data gateway, where the information obtaining request includes an identifier of the first terminal and an identifier of the first application, and the information obtaining request is used to request to obtain the identifier of the first terminal group and the identifier of the first key group.
An obtaining module 505, configured to obtain, based on the identifier of the first terminal, the identifier of the first terminal group from a first corresponding relationship, where the first corresponding relationship includes identifiers of multiple terminal groups and identifiers of terminals corresponding to the identifiers of the multiple terminal groups.
The obtaining module 505 is further configured to, when the identifier of the first terminal group and the identifier of the first application both correspond to identifiers of key groups in the second correspondence relationship, obtain identifiers of key groups both corresponding to identifiers of the first terminal group and identifiers of the first application.
The determining module 504 is further configured to determine the obtained identity of the key set as the identity of the first key set.
The sending module 502 is further configured to send an information obtaining response to the data gateway, where the information obtaining response includes the identifier of the first terminal group and the identifier of the first key group.
In the case of an integrated unit, fig. 17 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the first service device) in the above embodiment. As shown in fig. 17, the data processing device 60 may include: a processing module 601 and a communication module 602. The processing module 601 may be used for controlling and managing the actions of the data processing apparatus 60. The communication module 602 may be used to support communication of the data processing apparatus 60 with other entities. Optionally, as shown in fig. 17, the data processing device 60 may further include a storage module 603 for storing program codes and data of the data processing device 60.
The processing module 601 may be a processor or a controller (e.g., the processor 201 shown in fig. 2). The communication module 602 may be a transceiver, a transceiver circuit, a communication interface, etc. (e.g., may be the network interface 203 as shown in fig. 2 described above). The storage module 603 may be a memory (e.g., may be the memory 202 described above in fig. 2).
When the processing module 601 is a processor, the communication module 602 is a transceiver, and the storage module 603 is a memory, the processor, the transceiver, and the memory may be connected via a bus. The bus may be a PCI bus or an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc.
In the case of dividing each functional module by corresponding functions, fig. 18 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the above block chain management device) in the above embodiment, and as shown in fig. 18, the data processing apparatus 70 may include: a receiving module 701, a processing module 702, a sending module 703 and a storage module 704.
A receiving module 701, configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of multiple terminal groups and identifiers of first applications, the multiple terminal groups are terminal groups corresponding to the first service device, a terminal group includes at least one terminal, the first application is an application corresponding to the first service device, and the key allocation request is used to request that keys are allocated to the multiple terminal groups.
A processing module 702, configured to allocate key groups to the plurality of terminal groups, where a key group corresponding to a terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
A sending module 703 is configured to send a key distribution response to the first service device, where the key distribution response includes identifiers of key groups corresponding to the multiple terminal groups.
A storage module 704, configured to store the identifiers of the multiple terminal groups, the identifier of the first application, and the public keys corresponding to the multiple terminal groups into a data integrity verification ledger.
The sending module 703 is further configured to send, to the data gateway, the respective private keys corresponding to the multiple terminal groups and the respective identifiers of the key groups corresponding to the multiple terminal groups, where a public key corresponding to a terminal group is a public key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application, and a private key corresponding to a terminal group is a private key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
Optionally, the data processing apparatus 70 further comprises an obtaining module 705 and a determining module 706.
The receiving module 701 is further configured to receive a data verification account book query request sent by the first business device, where the data verification account book query request includes an identifier of a first terminal group and an identifier of the first application program, the data verification account book query request is used to request to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, and the first terminal group is one of the multiple terminal groups.
The obtaining module 705 is configured to obtain, from the data integrity verification ledger, a public key corresponding to both the identifier of the first terminal group and the identifier of the first application based on the identifier of the first terminal group and the identifier of the first application.
The determining module 706 is configured to determine the obtained public key as a first public key, where the first public key is a public key included in a first secret key set, and the first secret key set is a secret key set corresponding to both an identifier of the first terminal set and an identifier of the first application.
The sending module 703 is further configured to send a data verification ledger query response to the first business device, where the data verification ledger query response includes the first public key.
In the case of using an integrated unit, fig. 19 shows a schematic diagram of a possible structure of the data processing apparatus (specifically, the above block chain management device) in the above embodiment. As shown in fig. 19, the data processing device 80 may include: a processing module 801 and a communication module 802. The processing module 801 may be used to control and manage the actions of the data processing apparatus 80. The communication module 802 may be used to support communication of the data processing apparatus 80 with other entities. Optionally, as shown in fig. 19, the data processing apparatus 80 may further include a storage module 803 for storing program codes and data of the data processing apparatus 80.
The processing module 801 may be a processor or a controller (e.g., the processor 201 shown in fig. 2). The communication module 802 may be a transceiver, a transceiver circuit, or a communication interface, etc. (e.g., may be the network interface 203 as shown in fig. 2 described above). The storage module 803 may be a memory (e.g., may be the memory 202 described above with reference to fig. 2).
When the processing module 801 is a processor, the communication module 802 is a transceiver, and the storage module 803 is a memory, the processor, the transceiver, and the memory may be connected via a bus. The bus may be a PCI bus or an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented using a software program, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the invention are all or partially effected when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optics, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or can comprise one or more data storage devices, such as a server, a data center, etc., that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. A data processing method applied to a data gateway, the method comprising:
acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program;
acquiring a first private key and a preset hash algorithm based on the identifier of the first secret key group, wherein the first private key is a private key included in the first secret key group;
generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key;
and sending a target data group to first business equipment, wherein the target data group comprises the original data and the target digital signature, and the first business equipment is corresponding to the first application program.
2. The data processing method of claim 1, wherein the method further comprises:
acquiring a first use certificate, wherein the first use certificate is a secret key use certificate corresponding to the first secret key set;
determining whether the first use certificate is the same as a second use certificate, wherein the second use certificate is a key use certificate corresponding to the first application program;
the obtaining a first private key based on the identifier of the first secret key set includes:
when the first usage certificate is the same as the second usage certificate, the first private key is obtained based on the identity of the first key set.
3. The data processing method of claim 1, wherein the method further comprises:
acquiring the identifier of the first terminal and the identifier of the first application program;
acquiring the identifier of the first terminal group and the identifier of the first secret key group, including:
sending an information acquisition request to the first service device, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application program, and the information acquisition request is used to request to acquire the identifier of the first terminal group and the identifier of the first secret key group;
receiving an information acquisition response sent by the first service device, where the information acquisition response includes an identifier of the first terminal group and an identifier of the first secret key group, the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first secret key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application program.
4. A data processing method is applied to a first service device, and the method comprises the following steps:
receiving a target data group sent by a data gateway, wherein the target data group comprises original data acquired by a first application program in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first private key group, the first private key group is a private key group corresponding to both an identifier of the first terminal group and an identifier of the first application program, and the first terminal group is a terminal group corresponding to the first terminal;
sending a data verification account book query request to a block chain management device, wherein the data verification account book query request comprises the identifier of the first terminal group and the identifier of the first application program, and the data verification account book query request is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program;
receiving a data verification account book query response sent by the block chain management device, where the data verification account book query response includes a first public key, the first public key is a public key included in the first secret key group, and the first public key is determined by the block chain management device based on an identifier of the first terminal group and an identifier of the first application program;
and determining whether the original data is abnormal or not based on the target digital signature, the first public key and the preset hash algorithm.
5. The data processing method of claim 4, wherein the determining whether the original data has an anomaly based on the target digital signature, the first public key and the preset hash algorithm comprises:
generating a first digest based on the target digital signature and the first public key, and generating a second digest based on the original data and the preset hash algorithm;
determining that there is no anomaly in the original data if the first summary is the same as the second summary.
6. The data processing method of claim 4, wherein the method comprises:
sending a key distribution request to the block chain management device, where the key distribution request includes identifiers of multiple terminal groups and identifiers of the first application program, the multiple terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the key distribution request is used to request that keys are distributed to the multiple terminal groups;
and receiving a key distribution response sent by the block chain management device, wherein the key distribution response comprises identifiers of key groups corresponding to the plurality of terminal groups, and the identifier of the key group corresponding to one terminal group is the identifier of the key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
7. A data processing method according to any one of claims 4-6, characterized in that the method further comprises:
receiving an information acquisition request sent by the data gateway, wherein the information acquisition request comprises an identifier of the first terminal and an identifier of the first application program, and the information acquisition request is used for requesting to acquire the identifier of the first terminal group and the identifier of the first secret key group;
acquiring the identifier of the first terminal group from a first corresponding relationship based on the identifier of the first terminal, wherein the first corresponding relationship comprises the identifiers of a plurality of terminal groups and the identifiers of terminals corresponding to the identifiers of the plurality of terminal groups;
acquiring the identifier of the key group corresponding to both the identifier of the first terminal group and the identifier of the first application program under the condition that the identifier of the key group corresponding to both the identifier of the first terminal group and the identifier of the first application program exists in the second corresponding relationship, and determining the acquired identifier of the key group as the identifier of the first key group;
and sending an information acquisition response to the data gateway, wherein the information acquisition response comprises the identifier of the first terminal group and the identifier of the first secret key group.
8. A data processing method applied to a block chain management device, the method comprising:
receiving a key distribution request sent by a first service device, wherein the key distribution request comprises identifiers of a plurality of terminal groups and identifiers of first application programs, the terminal groups are terminal groups corresponding to the first service device, one terminal group comprises at least one terminal, the first application program is an application program corresponding to the first service device, and the key distribution request is used for requesting to distribute keys to the terminal groups;
distributing key groups for the plurality of terminal groups, wherein the key group corresponding to one terminal group is a key group corresponding to both the identifier of the terminal group and the identifier of the first application program;
sending a key distribution response to the first service device, wherein the key distribution response comprises identifiers of key groups corresponding to the plurality of terminal groups;
storing the identifiers of the plurality of terminal groups, the identifier of the first application program and the public keys corresponding to the plurality of terminal groups to a data integrity verification account book, and sending the private keys corresponding to the plurality of terminal groups and the identifiers of the key groups corresponding to the plurality of terminal groups to a data gateway, wherein the public key corresponding to one terminal group is a public key included in the key group corresponding to both the identifier of the terminal group and the identifier of the first application program, and the private key corresponding to one terminal group is a private key included in the key group corresponding to both the identifier of the terminal group and the identifier of the first application program.
9. The data processing method of claim 8, wherein the method further comprises:
receiving a data verification account book query request sent by the first business device, wherein the data verification account book query request comprises an identifier of a first terminal group and an identifier of the first application program, the data verification account book query request is used for requesting to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, and the first terminal group is one of the plurality of terminal groups;
acquiring public keys corresponding to the identifier of the first terminal group and the identifier of the first application program from the data integrity verification account book based on the identifier of the first terminal group and the identifier of the first application program, and determining the acquired public keys as first public keys, wherein the first public keys are public keys included in a first secret key group, and the first secret key group is a secret key group corresponding to the identifier of the first terminal group and the identifier of the first application program;
and sending a data verification ledger inquiry response to the first business equipment, wherein the data verification ledger inquiry response comprises the first public key.
10. A data processing apparatus, comprising: the device comprises an acquisition module, a processing module and a sending module;
the acquiring module is used for acquiring original data acquired by a first application program in a first terminal, an identifier of a first terminal group and an identifier of a first key group, wherein the first terminal group is a terminal group corresponding to the first terminal, and the first key group is a key group corresponding to both the identifier of the first terminal group and the identifier of the first application program;
the obtaining module is further configured to obtain a first private key and a preset hash algorithm based on an identifier of the first secret key group, where the first private key is a private key included in the first secret key group;
the processing module is used for generating a target digital signature of the original data based on the original data, the preset hash algorithm and the first private key;
the sending module is configured to send a target data set to a first service device, where the target data set includes the original data and the target digital signature, and the first service device is a service device corresponding to the first application program.
11. The data processing apparatus of claim 10, further comprising a determination module;
the obtaining module is further configured to obtain a first usage certificate, where the first usage certificate is a key usage certificate corresponding to the first secret key set;
the determining module is configured to determine whether the first usage certificate is the same as a second usage certificate, where the second usage certificate is a key usage certificate corresponding to the first application;
the processing module is specifically configured to, when the first usage credential is the same as the second usage credential, obtain the first private key based on the identifier of the first key group.
12. The data processing apparatus of claim 10, further comprising a receiving module;
the obtaining module is further configured to obtain an identifier of the first terminal and an identifier of the first application;
the sending module is further configured to send an information acquisition request to the first service device, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire the identifier of the first terminal group and the identifier of the first secret key group;
the receiving module is configured to receive an information acquisition response sent by the first service device, where the information acquisition response includes an identifier of the first terminal group and an identifier of the first secret key group, the identifier of the first terminal group is acquired by the first service device based on the identifier of the first terminal, and the identifier of the first secret key group is determined by the first service device based on the identifier of the first terminal group and the identifier of the first application.
13. A data processing apparatus, comprising: the device comprises a receiving module, a sending module and a determining module;
the receiving module is configured to receive a target data group sent by a data gateway, where the target data group includes original data acquired by a first application in a first terminal and a target digital signature of the original data, the target digital signature is generated by the data gateway based on the original data, a preset hash algorithm and a first private key, the first private key is a private key included in a first private key group, the first private key group is a private key group corresponding to both an identifier of the first terminal group and an identifier of the first application, and the first terminal group is a terminal group corresponding to the first terminal;
the sending module is configured to send a data verification account book query request to the blockchain management device, where the data verification account book query request includes an identifier of the first terminal group and an identifier of the first application program, and the data verification account book query request is used to request to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program;
the receiving module is further configured to receive a data verification account book query response sent by the blockchain management device, where the data verification account book query response includes a first public key, the first public key is a public key included in the first secret key group, and the first public key is determined by the blockchain management device based on an identifier of the first terminal group and an identifier of the first application program;
the determining module is configured to determine whether the original data is abnormal based on the target digital signature, the first public key, and the preset hash algorithm.
14. The data processing apparatus of claim 13, wherein the data processing apparatus further comprises a processing module;
the processing module is used for generating a first digest based on the target digital signature and the first public key and generating a second digest based on the original data and the preset hash algorithm;
the determining module is specifically configured to determine that the original data is not abnormal under the condition that the first summary is the same as the second summary.
15. The data processing apparatus of claim 13,
the sending module is further configured to send a key allocation request to the blockchain management device, where the key allocation request includes identifiers of multiple terminal groups and an identifier of the first application, the multiple terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, and the key allocation request is used to request that keys are allocated to the multiple terminal groups;
the receiving module is further configured to receive a key distribution response sent by the blockchain management device, where the key distribution response includes identifiers of key groups corresponding to the plurality of terminal groups, and an identifier of a key group corresponding to a terminal group is an identifier of a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
16. The data processing apparatus according to any of claims 13-15, further comprising an acquisition module;
the receiving module is further configured to receive an information acquisition request sent by the data gateway, where the information acquisition request includes an identifier of the first terminal and an identifier of the first application, and the information acquisition request is used to request to acquire the identifier of the first terminal group and the identifier of the first secret key group;
the obtaining module is configured to obtain, based on an identifier of the first terminal, an identifier of the first terminal group from a first corresponding relationship, where the first corresponding relationship includes identifiers of a plurality of terminal groups and identifiers of terminals corresponding to the identifiers of the plurality of terminal groups;
the obtaining module is further configured to obtain, when an identifier of a key group corresponding to both the identifier of the first terminal group and the identifier of the first application exists in the second correspondence, an identifier of a key group corresponding to both the identifier of the first terminal group and the identifier of the first application;
the determining module is further configured to determine the obtained identifier of the secret key group as the identifier of the first secret key group;
the sending module is further configured to send an information obtaining response to the data gateway, where the information obtaining response includes the identifier of the first terminal group and the identifier of the first secret key group.
17. A data processing apparatus, comprising: the device comprises a receiving module, a processing module, a sending module and a storage module;
the receiving module is configured to receive a key allocation request sent by a first service device, where the key allocation request includes identifiers of multiple terminal groups and identifiers of first applications, the multiple terminal groups are terminal groups corresponding to the first service device, one terminal group includes at least one terminal, the first application is an application corresponding to the first service device, and the key allocation request is used to request that keys are allocated to the multiple terminal groups;
the processing module is configured to allocate key groups to the plurality of terminal groups, where a key group corresponding to a terminal group is a key group corresponding to both an identifier of the terminal group and an identifier of the first application;
the sending module is configured to send a key distribution response to the first service device, where the key distribution response includes identifiers of key groups corresponding to the multiple terminal groups;
the storage module is configured to store the identifiers of the multiple terminal groups, the identifier of the first application program, and the public keys corresponding to the multiple terminal groups to a data integrity verification ledger;
the sending module is further configured to send, to the data gateway, the respective private keys corresponding to the plurality of terminal groups and the respective identifiers of the key groups corresponding to the plurality of terminal groups, where a public key corresponding to one terminal group is a public key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application, and a private key corresponding to one terminal group is a private key included in a key group corresponding to both the identifier of the terminal group and the identifier of the first application.
18. The data processing apparatus of claim 17, further comprising an acquisition module and a determination module;
the receiving module is further configured to receive a data verification account book query request sent by the first business device, where the data verification account book query request includes an identifier of a first terminal group and an identifier of the first application program, the data verification account book query request is used to request to acquire a public key corresponding to both the identifier of the first terminal group and the identifier of the first application program, and the first terminal group is one of the terminal groups;
the obtaining module is configured to obtain, from the data integrity verification book, a public key corresponding to both the identifier of the first terminal group and the identifier of the first application based on the identifier of the first terminal group and the identifier of the first application;
the determining module is configured to determine the obtained public key as a first public key, where the first public key is a public key included in a first secret key group, and the first secret key group is a secret key group corresponding to both an identifier of the first terminal group and an identifier of the first application;
the sending module is further configured to send a data verification ledger query response to the first business device, where the data verification ledger query response includes the first public key.
19. A server, characterized in that the server comprises:
a processor;
a memory configured to store the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the data processing method of any one of claims 1-3, or to implement the data processing method of any one of claims 4-7, or to implement the data processing method of claim 8 or 9.
20. A computer-readable storage medium having instructions stored thereon, which, when executed by a server, enable the server to perform the data processing method of any one of claims 1-3, or perform the data processing method of any one of claims 4-7, or perform the data processing method of claim 8 or 9.
CN202111342923.1A 2021-11-12 2021-11-12 Data processing method, device, server and storage medium Active CN114124404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111342923.1A CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111342923.1A CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Publications (2)

Publication Number Publication Date
CN114124404A true CN114124404A (en) 2022-03-01
CN114124404B CN114124404B (en) 2023-07-07

Family

ID=80379428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111342923.1A Active CN114124404B (en) 2021-11-12 2021-11-12 Data processing method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN114124404B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117195300A (en) * 2023-09-20 2023-12-08 全拓科技(杭州)股份有限公司 Big data safety protection method, device and system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108604990A (en) * 2016-12-02 2018-09-28 华为技术有限公司 The application method and device of local authorized certificate in terminal
CN108769038A (en) * 2018-06-04 2018-11-06 立旃(上海)科技有限公司 Data processing method based on block chain and device
US20190303587A1 (en) * 2018-03-27 2019-10-03 Workday, Inc. Digital credentials for access to sensitive data
US20190305964A1 (en) * 2018-03-27 2019-10-03 Workday, Inc. Digital credentials for user device authentication
CN111488596A (en) * 2020-03-30 2020-08-04 腾讯科技(深圳)有限公司 Data processing permission verification method and device, electronic equipment and storage medium
CN111932426A (en) * 2020-09-15 2020-11-13 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN112311537A (en) * 2020-10-30 2021-02-02 国网江苏省电力有限公司信息通信分公司 Block chain-based equipment access authentication system and method
CN113067703A (en) * 2021-03-19 2021-07-02 上海摩联信息技术有限公司 Terminal equipment data uplink method and system
CN113468569A (en) * 2021-07-13 2021-10-01 京东科技控股股份有限公司 Data encryption method and device and data decryption method and device
CN113497709A (en) * 2020-04-02 2021-10-12 浪潮云信息技术股份公司 Trusted data source management method based on block chain, signature device and verification device
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108604990A (en) * 2016-12-02 2018-09-28 华为技术有限公司 The application method and device of local authorized certificate in terminal
US20190303587A1 (en) * 2018-03-27 2019-10-03 Workday, Inc. Digital credentials for access to sensitive data
US20190305964A1 (en) * 2018-03-27 2019-10-03 Workday, Inc. Digital credentials for user device authentication
CN108769038A (en) * 2018-06-04 2018-11-06 立旃(上海)科技有限公司 Data processing method based on block chain and device
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device
CN111488596A (en) * 2020-03-30 2020-08-04 腾讯科技(深圳)有限公司 Data processing permission verification method and device, electronic equipment and storage medium
CN113497709A (en) * 2020-04-02 2021-10-12 浪潮云信息技术股份公司 Trusted data source management method based on block chain, signature device and verification device
CN111932426A (en) * 2020-09-15 2020-11-13 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN112311537A (en) * 2020-10-30 2021-02-02 国网江苏省电力有限公司信息通信分公司 Block chain-based equipment access authentication system and method
CN113067703A (en) * 2021-03-19 2021-07-02 上海摩联信息技术有限公司 Terminal equipment data uplink method and system
CN113468569A (en) * 2021-07-13 2021-10-01 京东科技控股股份有限公司 Data encryption method and device and data decryption method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪允敏;李挥;王菡;白永杰;宁崇辉;: "区块链在工业互联网标识数据管理策略研究", 计算机工程与应用, no. 07 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117195300A (en) * 2023-09-20 2023-12-08 全拓科技(杭州)股份有限公司 Big data safety protection method, device and system
CN117195300B (en) * 2023-09-20 2024-03-29 全拓科技(杭州)股份有限公司 Big data safety protection method, device and system

Also Published As

Publication number Publication date
CN114124404B (en) 2023-07-07

Similar Documents

Publication Publication Date Title
CN1996834B (en) Method and apparatus for acquiring domain information and domain-related data
CN110505305B (en) Block chain fragmentation method and device and block chain system
US10581849B2 (en) Data packet transmission method, data packet authentication method, and server thereof
CN109639643B (en) Block chain-based client manager information sharing method, electronic device and readable storage medium
CN111523890A (en) Data processing method and device based on block chain, storage medium and equipment
CN110084600B (en) Processing and verifying method, device, equipment and medium for resolution transaction request
CN110599275A (en) Data processing method and device based on block chain network and storage medium
KR20190115515A (en) AUTHENTICATION METHOD AND SYSTEM OF IoT(Internet of Things) DEVICE BASED ON PUBLIC KEY INFRASTRUCTURE
CN114124404B (en) Data processing method, device, server and storage medium
CN111414640B (en) Key access control method and device
CN110990790B (en) Data processing method and equipment
CN108280024B (en) Flow distribution strategy testing method and device and electronic equipment
US12081675B2 (en) Content use system, permission terminal, browsing terminal, distribution terminal, and content use program
CN116561820A (en) Trusted data processing method and related device
CN113490249B (en) Transmission path determining method and device
KR102318947B1 (en) Method for protecting privacy data, computing device and system for executing the method
CN112491855B (en) Method and device for determining handle identifier analysis state
CN115438333A (en) Authority distribution method and device
CN114707134A (en) High-performance password card security management method, device and system
CN109587241B (en) Data sharing method and equipment
CN109743237B (en) Authentication method of APP and gateway
KR101406530B1 (en) Method and system for managing secret key service using smart meter
CN112019603A (en) Transaction data processing method and device
CN112350868A (en) Wall opening processing method, device, server, system and readable storage medium
CN114124494B (en) Data processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant