CN114513370A - Universal identification data conversion method and device, storage medium and electronic equipment - Google Patents

Universal identification data conversion method and device, storage medium and electronic equipment Download PDF

Info

Publication number
CN114513370A
CN114513370A CN202210407217.9A CN202210407217A CN114513370A CN 114513370 A CN114513370 A CN 114513370A CN 202210407217 A CN202210407217 A CN 202210407217A CN 114513370 A CN114513370 A CN 114513370A
Authority
CN
China
Prior art keywords
data
private key
client
identification
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210407217.9A
Other languages
Chinese (zh)
Other versions
CN114513370B (en
Inventor
马宝罗
刘阳
池程
邵小景
朱斯语
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Information and Communications Technology CAICT
Original Assignee
China Academy of Information and Communications Technology CAICT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Academy of Information and Communications Technology CAICT filed Critical China Academy of Information and Communications Technology CAICT
Priority to CN202210407217.9A priority Critical patent/CN114513370B/en
Publication of CN114513370A publication Critical patent/CN114513370A/en
Application granted granted Critical
Publication of CN114513370B publication Critical patent/CN114513370B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the disclosure discloses a universal identification data conversion method and device, a storage medium and an electronic device, wherein the method comprises the following steps: receiving a registration request sent by an original data end, sending a first private key request to an encryption database according to the registration request, and receiving a first private key and a first timestamp corresponding to the private key request; based on a first public key corresponding to the first private key, performing encryption and anti-counterfeiting packaging processing on the identification data in the original data end pair to obtain packaged data; sending a second private key and a second timestamp to the client according to a second private key request received from the client; determining whether the client has data parsing authority based on the second private key, the second timestamp, the first public key and the first timestamp; and in response to the client side having the data analysis permission, decrypting the encapsulated data through the second private key to obtain the identification data.

Description

通用的标识数据转换方法和装置、存储介质、电子设备Universal identification data conversion method and device, storage medium, electronic device

技术领域technical field

本公开涉及一种通用的标识数据转换方法和装置、存储介质、电子设备。The present disclosure relates to a general identification data conversion method and device, a storage medium, and an electronic device.

背景技术Background technique

当前,用户通过标识解析客户端向标识解析节点(例如,服务器)发送标识解析请求,标识解析节点在收到标识解析请求后,向客户端直接反馈解析结果,不对标识解析客户端访问进行权限控制,可能存在访问控制权限过大,易导致数据泄露等风险。Currently, a user sends an identification resolution request to an identification resolution node (for example, a server) through an identification resolution client. After receiving the identification resolution request, the identification resolution node directly feeds back the resolution result to the client, and does not control the access of the identification resolution client. , there may be risks such as excessive access control permissions, which may easily lead to data leakage.

发明内容SUMMARY OF THE INVENTION

为了解决上述技术问题,提出了本公开。本公开的实施例提供了一种通用的标识数据转换方法和装置、存储介质、电子设备。In order to solve the above-mentioned technical problems, the present disclosure is made. Embodiments of the present disclosure provide a general identification data conversion method and apparatus, storage medium, and electronic device.

根据本公开实施例的一个方面,提供了一种通用的标识数据转换方法,应用于第三方服务端,包括:According to an aspect of the embodiments of the present disclosure, a general identification data conversion method is provided, applied to a third-party server, including:

接收原始数据端发送的注册请求,根据所述注册请求向加密数据库发送第一私钥请求,并接收所述私钥请求对应的第一私钥以及第一时间戳;Receive a registration request sent by the original data terminal, send a first private key request to an encrypted database according to the registration request, and receive a first private key and a first timestamp corresponding to the private key request;

基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据;Based on the first public key corresponding to the first private key, encryption and anti-counterfeiting encapsulation processing are performed on the identification data in the original data end pair to obtain encapsulated data;

根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳;sending a second private key and a second timestamp to the client according to the second private key request received from the client;

基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限;determining, based on the second private key, the second timestamp, the first public key and the first timestamp, whether the client has data parsing authority;

响应于所述客户端具有数据解析权限,通过所述第二私钥对所述封装数据进行解密,得到所述标识数据。In response to the client having the data parsing authority, decrypt the encapsulated data through the second private key to obtain the identification data.

可选地,所述基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据,包括:Optionally, performing encryption and anti-counterfeiting encapsulation processing on the identification data in the original data terminal pair based on the first public key corresponding to the first private key to obtain encapsulated data, including:

基于所述第一私钥确定对应的所述第一公钥;determining the corresponding first public key based on the first private key;

将所述第一公钥发送到所述原始数据端,在所述原始数据端通过所述第一公钥对所述标识数据进行加密,得到加密数据和所述加密数据对应的加密属性;其中,所述加密属性包括所述第一公钥与所述第一私钥之间的对应关系;sending the first public key to the original data terminal, and encrypting the identification data at the original data terminal by using the first public key to obtain encrypted data and encryption attributes corresponding to the encrypted data; wherein , the encryption attribute includes the correspondence between the first public key and the first private key;

将所述加密数据、所述加密属性以及所述加密数据对应的防伪编码信息进行封装处理,得到所述封装数据。Encapsulate the encrypted data, the encrypted attribute and the anti-counterfeiting code information corresponding to the encrypted data to obtain the encapsulated data.

可选地,所述将所述第一公钥发送到所述原始数据端,在所述原始数据端通过所述第一公钥对所述标识数据进行加密,得到加密数据和所述加密数据对应的加密属性,包括:Optionally, sending the first public key to the original data terminal, and encrypting the identification data at the original data terminal by using the first public key to obtain encrypted data and the encrypted data. Corresponding encryption properties, including:

将所述第一公钥发送到所述原始数据端;sending the first public key to the original data terminal;

在所述原始数据端通过所述第一公钥对所述标识数据进行加密,得到加密数据;The identification data is encrypted by the first public key at the original data end to obtain encrypted data;

基于预设编码规则将所述第一公钥与所述第一私钥之间的对应关系进行编码,得到所述加密属性。The corresponding relationship between the first public key and the first private key is encoded based on a preset encoding rule to obtain the encryption attribute.

可选地,所述根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳,包括:Optionally, the sending the second private key and the second timestamp to the client according to the second private key request received from the client includes:

接收客户端发出的第二私钥请求;Receive the second private key request sent by the client;

根据所述第二私钥请求和预存的加密属性,确定所述第二私钥请求对应的第二私钥;其中,所述加密属性包括私钥与公钥之间的对应关系;Determine the second private key corresponding to the second private key request according to the second private key request and the pre-stored encryption attribute; wherein, the encryption attribute includes the correspondence between the private key and the public key;

根据确定所述第二私钥对应的时间点,确定所述第二时间戳。The second timestamp is determined according to the time point corresponding to the determination of the second private key.

可选地,所述基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限,包括:Optionally, the determining whether the client has data parsing authority based on the second private key, the second timestamp, the first public key and the first timestamp includes:

基于所述第二时间戳和所述第一时间戳之间的时间差值,确定所述时间差值与密钥有效期之间的关系,确定所述第二私钥是否有效;Based on the time difference value between the second time stamp and the first time stamp, determine the relationship between the time difference value and the key validity period, and determine whether the second private key is valid;

响应于所述第二私钥有效,根据所述第二私钥与所述第一公钥的加密属性是否相匹配,确定所述客户端是否具有数据解析权限。In response to the second private key being valid, it is determined whether the client has data parsing authority according to whether the encryption properties of the second private key and the first public key match.

可选地,所述根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳之前,还包括:Optionally, before sending the second private key and the second timestamp to the client according to the second private key request received from the client, the method further includes:

将所述封装数据发送到所述加密数据库进行存储;sending the encapsulated data to the encrypted database for storage;

通过标识解析端接收所述客户端发出的解析请求,基于所述解析请求获得标识服务地址,基于所述标识服务地址从所述加密数据库获得所述封装数据。The resolution request sent by the client is received by the identification resolution terminal, the identification service address is obtained based on the resolution request, and the encapsulated data is obtained from the encrypted database based on the identification service address.

可选地,所述通过所述第二私钥对所述封装数据进行解密,得到所述标识数据,包括:Optionally, decrypting the encapsulated data by using the second private key to obtain the identification data includes:

基于数据解析权限对所述封装数据进行处理,得到加密数据、加密数据对应的加密属性和防伪追溯信息;Process the encapsulated data based on the data parsing authority to obtain encrypted data, encrypted attributes and anti-counterfeiting traceability information corresponding to the encrypted data;

基于所述加密属性确定所述第二私钥对应的数据范围;其中,所述加密属性还包括确定一个公钥对应的不同私钥可访问的数据范围;Determine the data range corresponding to the second private key based on the encryption attribute; wherein, the encryption attribute further includes determining the data range accessible to different private keys corresponding to a public key;

基于所述私钥对所述加密数据进行解密,得到所述数据范围对应的所述标识数据。Decrypt the encrypted data based on the private key to obtain the identification data corresponding to the data range.

根据本公开实施例的另一方面,提供了一种通用的标识数据转换装置,应用于第三方服务端,包括:According to another aspect of the embodiments of the present disclosure, a general identification data conversion device is provided, which is applied to a third-party server, including:

私钥请求模块,用于接收原始数据端发送的注册请求,根据所述注册请求向加密数据库发送第一私钥请求,并接收所述私钥请求对应的第一私钥以及第一时间戳;a private key request module, configured to receive a registration request sent by the original data terminal, send a first private key request to an encrypted database according to the registration request, and receive a first private key and a first timestamp corresponding to the private key request;

数据封装模块,用于基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据;a data encapsulation module, configured to perform encryption and anti-counterfeiting encapsulation processing on the identification data in the original data terminal pair based on the first public key corresponding to the first private key to obtain encapsulated data;

私钥发送模块,用于根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳;a private key sending module, configured to send the second private key and the second timestamp to the client according to the second private key request received from the client;

权限确定模块,用于基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限;an authority determination module, configured to determine whether the client has data parsing authority based on the second private key, the second timestamp, the first public key and the first timestamp;

数据转换模块,用于响应于所述客户端具有数据解析权限,通过所述第二私钥对所述封装数据进行解密,得到所述标识数据。A data conversion module, configured to decrypt the encapsulated data through the second private key in response to the client having the data parsing authority to obtain the identification data.

可选地,所述数据封装模块,包括:Optionally, the data encapsulation module includes:

公钥确定单元,用于基于所述第一私钥确定对应的所述第一公钥;a public key determining unit, configured to determine the corresponding first public key based on the first private key;

数据加密单元,用于将所述第一公钥发送到所述原始数据端,在所述原始数据端通过所述第一公钥对所述标识数据进行加密,得到加密数据和所述加密数据对应的加密属性;其中,所述加密属性包括所述第一公钥与所述第一私钥之间的对应关系;a data encryption unit, configured to send the first public key to the original data end, and encrypt the identification data at the original data end by using the first public key to obtain encrypted data and the encrypted data Corresponding encryption attributes; wherein, the encryption attributes include the correspondence between the first public key and the first private key;

数据封装单元,用于将所述加密数据、所述加密属性以及所述加密数据对应的防伪编码信息进行封装处理,得到所述封装数据。A data encapsulation unit, configured to encapsulate the encrypted data, the encrypted attribute and the anti-counterfeiting coding information corresponding to the encrypted data to obtain the encapsulated data.

可选地,所述数据加密单元,具体用于将所述第一公钥发送到所述原始数据端;在所述原始数据端通过所述第一公钥对所述标识数据进行加密,得到加密数据;基于预设编码规则将所述第一公钥与所述第一私钥之间的对应关系进行编码,得到所述加密属性。Optionally, the data encryption unit is specifically configured to send the first public key to the original data terminal; encrypt the identification data at the original data terminal by using the first public key to obtain Encrypting data; encoding the correspondence between the first public key and the first private key based on a preset encoding rule to obtain the encryption attribute.

可选地,所述私钥发送模块,具体用于接收客户端发出的第二私钥请求;根据所述第二私钥请求和预存的加密属性,确定所述第二私钥请求对应的第二私钥;其中,所述加密属性包括私钥与公钥之间的对应关系;根据确定所述第二私钥对应的时间点,确定所述第二时间戳。Optionally, the private key sending module is specifically configured to receive the second private key request sent by the client; and determine the first private key request corresponding to the second private key request according to the second private key request and the pre-stored encryption attribute. Two private keys; wherein the encryption attribute includes the correspondence between the private key and the public key; the second timestamp is determined according to the time point corresponding to the determination of the second private key.

可选地,所述权限确定模块,具体用于基于所述第二时间戳和所述第一时间戳之间的时间差值,确定所述时间差值与密钥有效期之间的关系,确定所述第二私钥是否有效;响应于所述第二私钥有效,根据所述第二私钥与所述第一公钥的加密属性是否相匹配,确定所述客户端是否具有数据解析权限。Optionally, the authority determination module is specifically configured to determine the relationship between the time difference and the key validity period based on the time difference between the second time stamp and the first time stamp, and determine Whether the second private key is valid; in response to the second private key being valid, determine whether the client has data parsing authority according to whether the encryption attributes of the second private key and the first public key match. .

可选地,所述装置还包括:Optionally, the device further includes:

存储模块,用于将所述封装数据发送到所述加密数据库进行存储;a storage module, configured to send the encapsulated data to the encrypted database for storage;

请求解析模块,用于通过标识解析端接收所述客户端发出的解析请求,基于所述解析请求获得标识服务地址,基于所述标识服务地址从所述加密数据库获得所述封装数据。A request parsing module, configured to receive a parsing request sent by the client through an identity parsing terminal, obtain an identity service address based on the parsing request, and obtain the encapsulated data from the encrypted database based on the identity service address.

可选地,所述数据转换模块,具体用于基于数据解析权限对所述封装数据进行处理,得到加密数据、加密数据对应的加密属性和防伪追溯信息;基于所述加密属性确定所述第二私钥对应的数据范围;其中,所述加密属性还包括确定一个公钥对应的不同私钥可访问的数据范围;基于所述私钥对所述加密数据进行解密,得到所述数据范围对应的所述标识数据。Optionally, the data conversion module is specifically configured to process the encapsulated data based on the data parsing authority to obtain encrypted data, encrypted attributes and anti-counterfeiting traceability information corresponding to the encrypted data; determine the second data based on the encrypted attributes. The data range corresponding to the private key; wherein, the encryption attribute further includes determining the data range accessible to different private keys corresponding to a public key; decrypting the encrypted data based on the private key to obtain the data range corresponding to the data range the identification data.

根据本公开实施例的另一方面,提供了一种通用的标识数据转换系统,包括:According to another aspect of the embodiments of the present disclosure, a general identification data conversion system is provided, including:

第三方服务端,用于执行上述任一项实施例所述的通用的标识数据转换方法;A third-party server, configured to execute the general identification data conversion method described in any one of the above-mentioned embodiments;

原始数据端,用于向所述第三方服务端发送注册请求,接收所述第三方服务端下发的第一公钥,将标识数据通过所述第一公钥进行加密和防伪封装处理,得到封装数据,将所述封装数据发送到加密数据库;The original data terminal is used to send a registration request to the third-party server, receive the first public key issued by the third-party server, encrypt the identification data and perform anti-counterfeiting encapsulation processing through the first public key, and obtain Encapsulating data, and sending the encapsulating data to an encrypted database;

加密数据库,用于根据所述第三方服务端发送的私钥请求,向所述第三方服务端下发第一私钥,接收所述原始数据端上传的所述封装数据;an encrypted database, configured to issue a first private key to the third-party server according to the private key request sent by the third-party server, and receive the packaged data uploaded by the original data end;

标识解析端,用于接收客户端发送的解析请求,基于所述解析请求获得标识服务地址,基于所述标识服务地址从所述加密数据库获得所述封装数据;An identification parsing end, configured to receive a parsing request sent by a client, obtain an identification service address based on the parsing request, and obtain the encapsulated data from the encrypted database based on the identification service address;

客户端,用于向所述第三方服务端发送第二私钥请求,接收所述第三方服务端返回的第二私钥以及第二时间戳,并向所述标识解析端发送解析请求,从所述加密数据库接收所述封装数据。The client is used to send a second private key request to the third-party server, receive the second private key and the second timestamp returned by the third-party server, and send a parsing request to the identification parsing terminal, from The encrypted database receives the encapsulated data.

根据本公开实施例的另一方面,提供了一种计算机可读存储介质,所述存储介质存储有计算机程序,所述计算机程序用于执行上述任一实施例所述的通用的标识数据转换方法。According to another aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, and the storage medium stores a computer program, and the computer program is used to execute the general identification data conversion method described in any of the foregoing embodiments. .

根据本公开实施例的另一方面,提供了一种电子设备,所述电子设备包括:According to another aspect of the embodiments of the present disclosure, there is provided an electronic device, the electronic device comprising:

处理器;processor;

用于存储所述处理器可执行指令的存储器;a memory for storing the processor-executable instructions;

所述处理器,用于从所述存储器中读取所述可执行指令,并执行所述指令以实现上述任一实施例所述的通用的标识数据转换方法。The processor is configured to read the executable instructions from the memory, and execute the instructions to implement the general identification data conversion method described in any of the foregoing embodiments.

基于本公开上述实施例提供的一种通用的标识数据转换方法和装置、存储介质、电子设备,接收原始数据端发送的注册请求,根据所述注册请求向加密数据库发送第一私钥请求,并接收所述私钥请求对应的第一私钥以及第一时间戳;基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据;根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳;基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限;响应于所述客户端具有数据解析权限,通过所述第二私钥对所述封装数据进行解密,得到所述标识数据;本实施例通过在第三方服务端中实现数据公钥和私钥的请求和下发,克服了由于对标识数据的访问权限过大,导致的数据容易泄露等问题,本实施例中为数据分配不同的属性,并根据属性为标识解析客户端分配不同的密钥,由数据所有者决定哪些用户可以访问数据,实现细粒度的访问控制。Based on a general identification data conversion method and device, storage medium, and electronic device provided by the above-mentioned embodiments of the present disclosure, a registration request sent by the original data terminal is received, a first private key request is sent to an encrypted database according to the registration request, and receiving a first private key and a first timestamp corresponding to the private key request; performing encryption and anti-counterfeiting encapsulation processing on the identification data in the original data pair based on the first public key corresponding to the first private key, Obtain the encapsulated data; send the second private key and the second timestamp to the client according to the second private key request received from the client; based on the second private key, the second timestamp, the first a public key and the first timestamp to determine whether the client has the data parsing authority; in response to the client having the data parsing authority, decrypt the encapsulated data through the second private key to obtain the In this embodiment, the request and distribution of the public and private keys of the data is realized in the third-party server, which overcomes the problems such as easy data leakage due to excessive access rights to the identification data. Different attributes are assigned to the data, and different keys are assigned to the identity resolution client according to the attributes, and the data owner decides which users can access the data, realizing fine-grained access control.

下面通过附图和实施例,对本公开的技术方案做进一步的详细描述。The technical solutions of the present disclosure will be further described in detail below through the accompanying drawings and embodiments.

附图说明Description of drawings

通过结合附图对本公开实施例进行更详细的描述,本公开的上述以及其他目的、特征和优势将变得更加明显。附图用来提供对本公开实施例的进一步理解,并且构成说明书的一部分,与本公开实施例一起用于解释本公开,并不构成对本公开的限制。在附图中,相同的参考标号通常代表相同部件或步骤。The above and other objects, features and advantages of the present disclosure will become more apparent from the more detailed description of the embodiments of the present disclosure in conjunction with the accompanying drawings. The accompanying drawings are used to provide a further understanding of the embodiments of the present disclosure, and constitute a part of the specification, and are used to explain the present disclosure together with the embodiments of the present disclosure, and do not limit the present disclosure. In the drawings, the same reference numbers generally refer to the same components or steps.

参照附图,根据下面的详细描述,可以更加清楚地理解本公开,其中:The present disclosure may be more clearly understood from the following detailed description with reference to the accompanying drawings, wherein:

图1是本公开一示例性实施例提供的通用的标识数据转换方法的流程示意图;1 is a schematic flowchart of a general identification data conversion method provided by an exemplary embodiment of the present disclosure;

图2是本公开图1所示的实施例中步骤104的一个流程示意图;FIG. 2 is a schematic flowchart of step 104 in the embodiment shown in FIG. 1 of the present disclosure;

图3是本公开图1所示的实施例中步骤106的一个流程示意图;FIG. 3 is a schematic flowchart of step 106 in the embodiment shown in FIG. 1 of the present disclosure;

图4是本公开一示例性实施例提供的通用的标识数据转换方法中对标识解析请求逐级解析的时序示意图;4 is a schematic time sequence diagram of a step-by-step analysis of an identification resolution request in a general identification data conversion method provided by an exemplary embodiment of the present disclosure;

图5是本公开一示例性实施例提供的通用的标识数据转换装置的结构示意图;5 is a schematic structural diagram of a general identification data conversion device provided by an exemplary embodiment of the present disclosure;

图6是本公开一示例性实施例提供的通用的标识数据转换系统的结构示意图;6 is a schematic structural diagram of a general identification data conversion system provided by an exemplary embodiment of the present disclosure;

图7是本公开一示例性实施例提供的电子设备的结构图。FIG. 7 is a structural diagram of an electronic device provided by an exemplary embodiment of the present disclosure.

具体实施方式Detailed ways

下面,将参考附图详细地描述根据本公开的示例实施例。显然,所描述的实施例仅仅是本公开的一部分实施例,而不是本公开的全部实施例,应理解,本公开不受这里描述的示例实施例的限制。Hereinafter, exemplary embodiments according to the present disclosure will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of the embodiments of the present disclosure, and it should be understood that the present disclosure is not limited by the example embodiments described herein.

应注意到:除非另外具体说明,否则在这些实施例中阐述的部件和步骤的相对布置、数字表达式和数值不限制本公开的范围。It should be noted that the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.

本领域技术人员可以理解,本公开实施例中的“第一”、“第二”等术语仅用于区别不同步骤、设备或模块等,既不代表任何特定技术含义,也不表示它们之间的必然逻辑顺序。Those skilled in the art can understand that terms such as "first" and "second" in the embodiments of the present disclosure are only used to distinguish different steps, devices, or modules, etc., and neither represent any specific technical meaning, nor represent any difference between them. the necessary logical order of .

还应理解,在本公开实施例中,“多个”可以指两个或两个以上,“至少一个”可以指一个、两个或两个以上。It should also be understood that, in the embodiments of the present disclosure, "a plurality" may refer to two or more, and "at least one" may refer to one, two or more.

还应理解,对于本公开实施例中提及的任一部件、数据或结构,在没有明确限定或者在前后文给出相反启示的情况下,一般可以理解为一个或多个。It should also be understood that any component, data or structure mentioned in the embodiments of the present disclosure can generally be understood as one or more in the case of no explicit definition or contrary indications given in the context.

另外,本公开中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本公开中字符“/”,一般表示前后关联对象是一种“或”的关系。本公开中所指数据可以包括文本、图像、视频等非结构化数据,也可以是结构化数据。In addition, the term "and/or" in the present disclosure is only an association relationship to describe associated objects, indicating that there can be three kinds of relationships, for example, A and/or B, it can mean that A exists alone, and A and B exist at the same time , there are three cases of B alone. In addition, the character "/" in the present disclosure generally indicates that the related objects are an "or" relationship. The data referred to in this disclosure may include unstructured data such as text, images, and videos, or may be structured data.

还应理解,本公开对各个实施例的描述着重强调各个实施例之间的不同之处,其相同或相似之处可以相互参考,为了简洁,不再一一赘述。It should also be understood that the description of the various embodiments in the present disclosure emphasizes the differences between the various embodiments, and the same or similar points can be referred to each other, and for the sake of brevity, they will not be repeated.

同时,应当明白,为了便于描述,附图中所示出的各个部分的尺寸并不是按照实际的比例关系绘制的。Meanwhile, it should be understood that, for the convenience of description, the dimensions of various parts shown in the accompanying drawings are not drawn in an actual proportional relationship.

以下对至少一个示例性实施例的描述实际上仅仅是说明性的,决不作为对本公开及其应用或使用的任何限制。The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application or uses in any way.

对于相关领域普通技术人员已知的技术、方法和设备可能不作详细讨论,但在适当情况下,所述技术、方法和设备应当被视为说明书的一部分。Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate, such techniques, methods, and apparatus should be considered part of the specification.

应注意到:相似的标号和字母在下面的附图中表示类似项,因此,一旦某一项在一个附图中被定义,则在随后的附图中不需要对其进行进一步讨论。It should be noted that like numerals and letters refer to like items in the following figures, so once an item is defined in one figure, it does not require further discussion in subsequent figures.

本公开实施例可以应用于终端设备、计算机系统、服务器等电子设备,其可与众多其它通用或专用计算系统环境或配置一起操作。适于与终端设备、计算机系统、服务器等电子设备一起使用的众所周知的终端设备、计算系统、环境和/或配置的例子包括但不限于:个人计算机系统、服务器计算机系统、瘦客户机、厚客户机、手持或膝上设备、基于微处理器的系统、机顶盒、可编程消费电子产品、网络个人电脑、小型计算机系统、大型计算机系统和包括上述任何系统的分布式云计算技术环境,等等。Embodiments of the present disclosure can be applied to electronic devices such as terminal devices, computer systems, servers, etc., which can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known terminal equipment, computing systems, environments and/or configurations suitable for use with terminal equipment, computer systems, servers, etc. electronic equipment include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients computer, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing technology environments including any of the foregoing, among others.

终端设备、计算机系统、服务器等电子设备可以在由计算机系统执行的计算机系统可执行指令(诸如程序模块)的一般语境下描述。通常,程序模块可以包括例程、程序、目标程序、组件、逻辑、数据结构等等,它们执行特定的任务或者实现特定的抽象数据类型。计算机系统/服务器可以在分布式云计算环境中实施,分布式云计算环境中,任务是由通过通信网络链接的远程处理设备执行的。在分布式云计算环境中,程序模块可以位于包括存储设备的本地或远程计算系统存储介质上。Electronic devices such as terminal devices, computer systems, servers, etc., may be described in the general context of computer system-executable instructions, such as program modules, being executed by the computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer systems/servers may be implemented in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media including storage devices.

工业互联网标识解析体系是工业互联网的基础系统,是工业互联网的重要组成部分,也是构建人-机-物全面互联的重要设施,其作用类似于互联网中可以查询网站地址、邮箱地址的域名系统(DNS)。工业互联网标识解析体系主要由标识分配管理系统和标识解析系统组成,其中标识是机器和物品的“身份证”,具有唯一性,采取逐级分配的分层方式进行管理。标识解析系统利用标识对机器和物品进行定位和信息查询,是实现全球供应链系统与企业生产系统精准对接、产品全生命周期管理以及智能化服务的前提和基础。通过搭建一套完善的标识体系,可以为工业系统互联和工业数据传输交换提供强有力的支撑,真正实现工业产品从设计、研发、生产,再到销售和服务等产业要素的互联互通,提升协作效率。The industrial Internet identification resolution system is the basic system of the Industrial Internet, an important part of the Industrial Internet, and an important facility for building a comprehensive interconnection of human-machine-objects. DNS). The industrial Internet identification analysis system is mainly composed of an identification distribution management system and an identification analysis system. The identification is the "identity card" of the machine and the item, which is unique and is managed by a hierarchical distribution method. The identification analysis system uses identification to locate and query information on machines and items, which is the premise and foundation for realizing the precise connection between the global supply chain system and the enterprise production system, product life cycle management and intelligent services. By building a complete identification system, it can provide strong support for industrial system interconnection and industrial data transmission and exchange, and truly realize the interconnection of industrial products from design, R&D, production, to sales and service and other industrial elements, and enhance collaboration. efficiency.

在我国,为实现“统一管理、互联互通”的整体目标,建设了国家顶级节点,对外作为参与全球工业互联网标识解析体系发展的统一出口,与各类工业互联网标识解析体系打通,实现与国际根节点的对接。对内作为统筹各行业二级节点的枢纽和桥梁,从技术标准规范和基础设施建设等维度引导国内工业互联网标识解析体系建设和生态培育发展,也由此打造了我国的工业互联网标识解析体系整体框架。In my country, in order to achieve the overall goal of "unified management and interconnection", a top-level node in the country has been built. As a unified export for participating in the development of the global industrial Internet identification analysis system, it is connected with various industrial Internet identification analysis systems and achieves integration with international roots. connection of nodes. Internally, as a hub and bridge for coordinating secondary nodes in various industries, it guides the construction and ecological cultivation and development of the domestic industrial Internet identification analysis system from the perspectives of technical standards and infrastructure construction, and thus creates my country's industrial Internet identification analysis system as a whole. frame.

示例性方法Exemplary method

图1是本公开一示例性实施例提供的通用的标识数据转换方法的流程示意图。本实施例可应用在第三方服务端等电子设备上,如图1所示,包括如下步骤:FIG. 1 is a schematic flowchart of a general identification data conversion method provided by an exemplary embodiment of the present disclosure. This embodiment can be applied to electronic devices such as third-party servers, as shown in FIG. 1 , and includes the following steps:

步骤102,接收原始数据端发送的注册请求,根据注册请求向加密数据库发送第一私钥请求,并接收私钥请求对应的第一私钥以及第一时间戳。Step 102: Receive a registration request sent by the original data terminal, send a first private key request to an encrypted database according to the registration request, and receive a first private key and a first timestamp corresponding to the private key request.

可选地,原始数据端为本实施例中的数据所有者,例如,标识解析系统中的数据产生端,例如,为标识解析的企业节点等;原始数据端产生标识数据,为了保证数据安全性,向第三方服务端发送注册请求;第三方服务端根据该注册请求向加密数据库请求私钥,并根据该私钥生成对应的公钥返回给原始数据端;加密数据库通常与数据产生端都属于标识解析系统中的模块;加密数据库中存储有数据和具有该数据的获取权限的客户端的对应关系;另外,本实施例中在获取到第一私钥时,还将获取该第一私钥的时刻记录为第一时间戳,以便于后续对第一私钥的权限时间进行控制。Optionally, the original data terminal is the data owner in this embodiment, for example, the data generation terminal in the identification resolution system, for example, the enterprise node of identification analysis, etc.; the original data terminal generates identification data, in order to ensure data security. , send a registration request to the third-party server; the third-party server requests the private key from the encrypted database according to the registration request, and generates the corresponding public key according to the private key and returns it to the original data terminal; the encrypted database usually belongs to the data generation terminal. The module in the identification resolution system; the encrypted database stores the corresponding relationship between the data and the client that has the right to obtain the data; in addition, when the first private key is obtained in this embodiment, the first private key will also be obtained. The time is recorded as the first time stamp, so as to facilitate the subsequent control of the authority time of the first private key.

步骤104,基于第一私钥对应的第一公钥,对原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据。Step 104 , based on the first public key corresponding to the first private key, perform encryption and anti-counterfeiting encapsulation processing on the identification data in the original data end pair to obtain encapsulated data.

本实施例中,在第三方服务端实现基于私钥生成对应的公钥,此时,基于公钥和私钥的对应关系作为被公钥加密的数据的属性信息;将公钥下发到原始数据端,原始数据端通过公钥对标识数据进行加密和防伪封装处理,以得到封装数据;本实施例中,可将封装数据存储在加密数据库中,以便于后续具有权限的标识解析客户端进行请求获取。In this embodiment, the third-party server implements the generation of the corresponding public key based on the private key. At this time, the corresponding relationship between the public key and the private key is used as the attribute information of the data encrypted by the public key; the public key is delivered to the original At the data end, the original data end encrypts the identification data and performs anti-counterfeiting encapsulation processing through the public key to obtain the encapsulated data; in this embodiment, the encapsulated data can be stored in the encrypted database, so as to facilitate subsequent identification analysis by the authorized client. Request to get.

步骤106,根据从客户端接收的第二私钥请求,向客户端发送第二私钥以及第二时间戳。Step 106: Send the second private key and the second timestamp to the client according to the second private key request received from the client.

本实施例中,客户端在请求标识数据时,可同时或先后向标识解析系统和第三方服务端发送标识数据获取请求和私钥请求,第三方服务端根据请求向客户端发送第二私钥的同时发送该发送时刻的第二时间戳,对第二私钥的有效时限进行控制,进一步提升了标识数据的安全性。In this embodiment, when the client requests identification data, it can simultaneously or successively send an identification data acquisition request and a private key request to the identification resolution system and the third-party server, and the third-party server sends the second private key to the client according to the request. At the same time, the second timestamp of the sending time is sent, and the valid time limit of the second private key is controlled, which further improves the security of the identification data.

步骤108,基于第二私钥、第二时间戳、第一公钥和第一时间戳,确定客户端是否具有数据解析权限。Step 108, based on the second private key, the second timestamp, the first public key and the first timestamp, determine whether the client has the data parsing authority.

本实施例中,通过第二私钥与第一公钥之间是否存在对应关系,以及第二时间戳与第一时间戳之间的时间差,来确定第二私钥对应的客户端是否具有数据解析权限,只有存在对应关系且时间差符合预设时间差时,该客户端才具有数据解析权限,进一步保障了标识数据的安全性。In this embodiment, whether there is a correspondence between the second private key and the first public key, and the time difference between the second timestamp and the first timestamp, determine whether the client corresponding to the second private key has data Parsing authority, only when there is a corresponding relationship and the time difference meets the preset time difference, the client has the data analysis authority, which further ensures the security of the identification data.

步骤110,响应于客户端具有数据解析权限,通过第二私钥对封装数据进行解密,得到标识数据。Step 110, in response to the client having the data parsing authority, decrypt the encapsulated data through the second private key to obtain identification data.

还可以包括,客户端不具有数据解析权限的情况,此时该客户端无法对该封装数据进行解密,无法获得标识数据。It may also include the case where the client does not have the data parsing authority, and at this time the client cannot decrypt the encapsulated data and cannot obtain the identification data.

本公开上述实施例提供的一种通用的标识数据转换方法,接收原始数据端发送的注册请求,根据所述注册请求向加密数据库发送第一私钥请求,并接收所述私钥请求对应的第一私钥以及第一时间戳;基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据;根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳;基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限;响应于所述客户端具有数据解析权限,通过所述第二私钥对所述封装数据进行解密,得到所述标识数据;本实施例通过在第三方服务端中实现数据公钥和私钥的请求和下发,克服了由于对标识数据的访问权限过大,导致的数据容易泄露等问题,本实施例中为数据分配不同的属性,并根据属性为标识解析客户端分配不同的密钥,由数据所有者决定哪些用户可以访问数据,实现细粒度的访问控制。A general identification data conversion method provided by the above embodiments of the present disclosure includes receiving a registration request sent by an original data terminal, sending a first private key request to an encrypted database according to the registration request, and receiving a first private key request corresponding to the private key request. a private key and a first timestamp; based on the first public key corresponding to the first private key, perform encryption and anti-counterfeiting encapsulation processing on the identification data in the original data end pair to obtain encapsulated data; send the second private key and the second timestamp to the client; based on the second private key, the second timestamp, the first public key and the first time to determine whether the client has the data parsing authority; in response to the client having the data parsing authority, decrypt the encapsulated data through the second private key to obtain the identification data; The third-party server implements the request and distribution of the data public key and private key, which overcomes the problem of easy data leakage due to excessive access rights to the identification data. In this embodiment, different attributes are assigned to the data, and Assign different keys to identity resolution clients according to attributes, and the data owner decides which users can access the data, enabling fine-grained access control.

如图2所示,在上述图1所示实施例的基础上,步骤104可包括如下步骤:As shown in FIG. 2, on the basis of the above-mentioned embodiment shown in FIG. 1, step 104 may include the following steps:

步骤1041,基于第一私钥确定对应的第一公钥。Step 1041: Determine the corresponding first public key based on the first private key.

可选地,可通过多种编码规则编码每对密钥对(私钥与公钥)之间的对应关系,可以根据任意一种编码规则确定的对应关系为第一私钥确定对应的第一公钥,并赋予不同密钥对不同版本号,并将公钥与私钥的对应关系存储在第三方服务端中。Optionally, the corresponding relationship between each key pair (private key and public key) can be encoded through multiple encoding rules, and the corresponding first key pair can be determined for the first private key according to the corresponding relationship determined by any encoding rule. The public key is assigned to different key pairs with different version numbers, and the correspondence between the public key and the private key is stored in the third-party server.

步骤1042,将第一公钥发送到原始数据端,在原始数据端通过第一公钥对标识数据进行加密,得到加密数据和加密数据对应的加密属性。Step 1042: Send the first public key to the original data end, and encrypt the identification data at the original data end by using the first public key to obtain the encrypted data and the encryption attributes corresponding to the encrypted data.

其中,加密属性包括第一公钥与第一私钥之间的对应关系。The encryption attribute includes the correspondence between the first public key and the first private key.

本实施例中,在得到加密数据的同时,还记录加密数据对应的加密属性,以确定该以公钥加密的加密数据对应的私钥。In this embodiment, when the encrypted data is obtained, the encryption attribute corresponding to the encrypted data is also recorded, so as to determine the private key corresponding to the encrypted data encrypted with the public key.

步骤1043,将加密数据、加密属性以及加密数据对应的防伪编码信息进行封装处理,得到封装数据。Step 1043: Encapsulate the encrypted data, the encrypted attributes, and the anti-counterfeiting code information corresponding to the encrypted data to obtain encapsulated data.

本实施例中,在对加密数据进行封装之前,还为加密数据添加防伪编码信息,可选地,可基于现有技术中任意一种防伪编码方法为加密数据确定对应的防伪编码信息,例如,MD5码等编码方法等;通过将防伪编码信息封装到封装数据中,可以实现对加密数据的可追踪的技术效果,以及解决加密数据在传输过程中被篡改的问题;提升了加密数据的安全性。In this embodiment, before encapsulating the encrypted data, anti-counterfeiting coding information is also added to the encrypted data. Optionally, the corresponding anti-counterfeiting coding information can be determined for the encrypted data based on any anti-counterfeiting coding method in the prior art, for example, Encoding methods such as MD5 code, etc.; by encapsulating the anti-counterfeiting encoded information into the encapsulated data, the traceable technical effect of the encrypted data can be achieved, and the problem of tampering of the encrypted data during transmission can be solved; the security of the encrypted data can be improved. .

可选地,在上述实施例的基础上,步骤1042还可以包括:Optionally, on the basis of the foregoing embodiment, step 1042 may further include:

将第一公钥发送到原始数据端;sending the first public key to the original data end;

在原始数据端通过第一公钥对标识数据进行加密,得到加密数据;The identification data is encrypted by the first public key at the original data end to obtain encrypted data;

基于预设编码规则将第一公钥与第一私钥之间的对应关系进行编码,得到加密属性。The corresponding relationship between the first public key and the first private key is encoded based on a preset encoding rule to obtain an encryption attribute.

本实施例中,原始数据端基于第一公钥对标识数据进行加密,此时,由于原始数据端仅具有第一公钥,如果仅将加密后的加密数据发送给加密数据库,则后续会出现无法解密的问题,因此,本实施例将第一公钥与第一私钥的对应关系进行编码,得到加密属性,通过加密属性可确定加密数据对应的私钥,克服了无法解密的问题,其中,编码方法可以为现有技术中任一可实现对对应关系进行编码的方法,本实施例不限制具体编码方法。In this embodiment, the original data terminal encrypts the identification data based on the first public key. At this time, since the original data terminal only has the first public key, if only the encrypted encrypted data is sent to the encrypted database, the following will occur. Therefore, in this embodiment, the corresponding relationship between the first public key and the first private key is encoded to obtain the encryption attribute, and the private key corresponding to the encrypted data can be determined through the encryption attribute, which overcomes the problem of inability to decrypt, wherein , the encoding method may be any method in the prior art that can implement encoding of the corresponding relationship, and this embodiment does not limit the specific encoding method.

如图3所示,在上述图1所示实施例的基础上,步骤106可包括如下步骤:As shown in FIG. 3 , on the basis of the above-mentioned embodiment shown in FIG. 1 , step 106 may include the following steps:

步骤1061,接收客户端发出的第二私钥请求。Step 1061: Receive a second private key request sent by the client.

本实施例中,客户端向标识解析系统发出获取标识数据解析请求,此时获取的为封装数据,无法查看封装数据中包括的标识数据。In this embodiment, the client sends an identification data analysis request to the identification resolution system, and the obtained identification data is packaged data, and the identification data included in the packaged data cannot be viewed.

步骤1062,根据第二私钥请求和预存的加密属性,确定第二私钥请求对应的第二私钥。Step 1062: Determine a second private key corresponding to the second private key request according to the second private key request and the pre-stored encryption attribute.

其中,加密属性包括私钥与公钥之间的对应关系。The encryption attribute includes the correspondence between the private key and the public key.

可选地,第三方服务端根据第二私钥请求对应的预存在客户端中的加密属性(在加密数据库中生成加密属性后,会将加密属性下发到具有权限的客户端中进行存储),基于该加密属性从第三方服务端中可获取对应的第二私钥。Optionally, the third-party server requests the corresponding encrypted attribute pre-stored in the client according to the second private key (after the encrypted attribute is generated in the encrypted database, the encrypted attribute will be delivered to the authorized client for storage) , and the corresponding second private key can be obtained from the third-party server based on the encryption attribute.

步骤1063,根据确定第二私钥对应的时间点,确定第二时间戳。Step 1063: Determine the second timestamp according to the time point corresponding to the determination of the second private key.

本实施例中,在将第二私钥下发到客户端时,还记录该下发时间点作为第二时间戳,以明确,从私钥在加密数据库中产生到私钥被请求之间的时间差,如果该时间差超出加密数据库中设置的时间差阈值(可根据具体应用场景进行设置),可根据加密数据库中设定的规则确定该私钥失效,如需要获取解密数据的私钥需重新请求,通过私钥时限设定,进一步提升了标识数据的安全性。In this embodiment, when the second private key is delivered to the client, the delivery time point is also recorded as the second timestamp, so as to clarify the time between the generation of the private key in the encrypted database and the request for the private key. Time difference, if the time difference exceeds the time difference threshold set in the encrypted database (which can be set according to specific application scenarios), the private key can be determined to be invalid according to the rules set in the encrypted database. If you need to obtain the private key for decrypted data, you need to request again. By setting the private key time limit, the security of the identification data is further improved.

可选地,在上述实施例的基础上,步骤108还可以包括:Optionally, on the basis of the foregoing embodiment, step 108 may further include:

基于第二时间戳和第一时间戳之间的时间差值,确定时间差值与密钥有效期之间的关系,确定第二私钥是否有效;Based on the time difference between the second time stamp and the first time stamp, determine the relationship between the time difference and the validity period of the key, and determine whether the second private key is valid;

响应于第二私钥有效,根据第二私钥与第一公钥的加密属性是否相匹配,确定客户端是否具有数据解析权限。In response to the second private key being valid, it is determined whether the client has the data parsing authority according to whether the encryption properties of the second private key and the first public key match.

本实施例中,首先执行时间差值的判断,只有当时间差值小于密钥有效期时,第二私钥才有效,第二私钥有效时,根据加密属性确定第二私钥与第一公钥是否相匹配,例如,第二私钥是否为第一私钥,如果是第一私钥,与第一公钥存在对应关系,此时该客户端具有数据解析权限。In this embodiment, the judgment of the time difference is performed first, and the second private key is valid only when the time difference is less than the validity period of the key. When the second private key is valid, the second private key and the first public key are determined according to the encryption attribute. Whether the keys match, for example, whether the second private key is the first private key, and if it is the first private key, there is a corresponding relationship with the first public key, and the client has the data parsing authority.

在一些可选的实施例中,在步骤106之前,还可以包括:In some optional embodiments, before step 106, it may further include:

将封装数据发送到加密数据库进行存储;Send encapsulated data to an encrypted database for storage;

通过标识解析端接收客户端发出的解析请求,基于解析请求获得标识服务地址,基于标识服务地址从加密数据库获得封装数据。The resolution request sent by the client is received by the identification resolution terminal, the identification service address is obtained based on the resolution request, and the encapsulated data is obtained from the encrypted database based on the identification service address.

本实施例中,标识解析端属于标识解析系统中的对外接收请求端口,客户端向标识解析端提交解析请求,标识解析系统经过逐级解析后将标识服务地址返回客户端,其中,逐级解析是在工业互联网中的多级节点中传输解析请求的过程,可选地,逐级解析的过程时序图如图4所示,包括以下过程:(1)客户端向递归节点发送标识解析请求;(2)递归节点查看本地缓存,无缓存结果时,递归节点将解析请求发送国家顶级节点;(3)国家顶级节点向递归节点返回二级节点解析地址;(4)递归节点向二级节点发送解析请求;(5)二级节点向递归节点返回企业节点解析地址;(6)递归节点向企业节点发送解析请求;(7)企业节点向递归节点返回标识解析服务地址;(8)递归节点将标识服务地址返回标识解析客户端;(9)标识解析客户端向企业信息系统发送查询请求;(10)企业信息系统将标识对象信息返回标识解析客户端。In this embodiment, the identification resolution end belongs to the external receiving request port in the identification resolution system, the client submits a resolution request to the identification resolution end, and the identification resolution system returns the identification service address to the client after step-by-step analysis, wherein the step-by-step resolution It is the process of transmitting parsing requests in multi-level nodes in the industrial Internet. Optionally, the sequence diagram of the process of parsing step by step is shown in Figure 4, including the following processes: (1) The client sends an identification parsing request to the recursive node; (2) The recursive node checks the local cache. When there is no cached result, the recursive node sends the parsing request to the top-level node of the country; (3) The top-level node of the country returns the resolution address of the secondary node to the recursive node; (4) The recursive node sends the secondary node to the secondary node (5) The secondary node returns the resolution address of the enterprise node to the recursive node; (6) The recursive node sends a resolution request to the enterprise node; (7) The enterprise node returns the address of the identification resolution service to the recursive node; (8) The recursive node will The identification service address is returned to the identification resolution client; (9) the identification resolution client sends a query request to the enterprise information system; (10) the enterprise information system returns the identification object information to the identification resolution client.

在一些可选的实施例中,在上述任一实施例的基础上,步骤110可以包括:In some optional embodiments, on the basis of any of the foregoing embodiments, step 110 may include:

基于数据解析权限对封装数据进行处理,得到加密数据、加密数据对应的加密属性和防伪追溯信息;Process the encapsulated data based on the data parsing authority, and obtain encrypted data, encrypted attributes and anti-counterfeiting traceability information corresponding to the encrypted data;

基于加密属性确定第二私钥对应的数据范围;Determine the data range corresponding to the second private key based on the encryption attribute;

其中,加密属性还包括确定一个公钥对应的不同私钥可访问的数据范围;Wherein, the encryption attribute also includes determining the range of data accessible by different private keys corresponding to a public key;

基于私钥对加密数据进行解密,得到数据范围对应的标识数据。Decrypt the encrypted data based on the private key to obtain identification data corresponding to the data range.

可选地,当客户端具有权限,首先将封装数据进行解封,得到其中包括的加密数据、加密属性和防伪追溯信息,本实施例中的加密属性还可以是细化的属性信息,例如,具备属性条件1可以访问前半段数据,具有属性条件2可以访问后半段数据等一些细粒度规则等,通过细粒度规则对不同数据范围设定不同的属性条件,将标识数据划分成多个不同属性的部分,实现数据的个性化管理,提升了数据的安全性和灵活性。Optionally, when the client has the authority, it first decapsulates the encapsulated data to obtain the encrypted data, encrypted attributes and anti-counterfeiting traceability information contained therein. The encrypted attributes in this embodiment may also be refined attribute information, for example, With attribute condition 1, you can access the first half of the data, with attribute condition 2, you can access some fine-grained rules such as the second half of the data, etc., set different attribute conditions for different data ranges through fine-grained rules, and divide the identification data into multiple different The attribute part realizes the personalized management of data and improves the security and flexibility of data.

本实施例构建基于CP-ABE的访问控制系统,将访问策略部署在加密数据中,使数据集合库中的加密数据拥有不同的属性,同时根据属性为标识解析客户端分配不同的密钥,只有标识解析客户端的属性集合满足访问策略时才可以解密加密数据,这样数据所有者就可以决定哪些用户可以访问数据,实现细粒度的访问控制。有效避免解析客户端访问权限过大导致的数据泄露风险,提升标识解析体系整体安全防护能力。This embodiment builds an access control system based on CP-ABE, deploys the access policy in the encrypted data, makes the encrypted data in the data collection library have different attributes, and assigns different keys to the identification parsing client according to the attributes. The encrypted data can be decrypted only when the attribute set of the identity parsing client satisfies the access policy, so that the data owner can decide which users can access the data and implement fine-grained access control. Effectively avoid the risk of data leakage caused by excessive access rights of the parsing client, and improve the overall security protection capability of the identity parsing system.

本公开实施例提供的任一种通用的标识数据转换方法可以由任意适当的具有数据处理能力的设备执行,包括但不限于:终端设备和服务器等。或者,本公开实施例提供的任一种通用的标识数据转换方法可以由处理器执行,如处理器通过调用存储器存储的相应指令来执行本公开实施例提及的任一种通用的标识数据转换方法。下文不再赘述。Any of the general identification data conversion methods provided by the embodiments of the present disclosure may be executed by any appropriate device with data processing capabilities, including but not limited to: terminal devices and servers. Alternatively, any of the general identification data conversion methods provided in the embodiments of the present disclosure may be executed by a processor. For example, the processor executes any of the general identification data conversion methods mentioned in the embodiments of the present disclosure by invoking corresponding instructions stored in the memory. method. No further description will be given below.

示例性装置Exemplary device

图5是本公开一示例性实施例提供的通用的标识数据转换装置的结构示意图。如图5所示,本实施例提供的装置应用于第三方服务端,包括:FIG. 5 is a schematic structural diagram of a general identification data conversion apparatus provided by an exemplary embodiment of the present disclosure. As shown in FIG. 5 , the device provided in this embodiment is applied to a third-party server, including:

私钥请求模块51,用于接收原始数据端发送的注册请求,根据注册请求向加密数据库发送第一私钥请求,并接收私钥请求对应的第一私钥以及第一时间戳。The private key request module 51 is configured to receive the registration request sent by the original data terminal, send the first private key request to the encrypted database according to the registration request, and receive the first private key and the first timestamp corresponding to the private key request.

数据封装模块52,用于基于第一私钥对应的第一公钥,对原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据。The data encapsulation module 52 is configured to perform encryption and anti-counterfeiting encapsulation processing on the identification data in the original data terminal pair based on the first public key corresponding to the first private key to obtain encapsulated data.

私钥发送模块53,用于根据从客户端接收的第二私钥请求,向客户端发送第二私钥以及第二时间戳。The private key sending module 53 is configured to send the second private key and the second timestamp to the client according to the second private key request received from the client.

权限确定模块54,用于基于第二私钥、第二时间戳、第一公钥和第一时间戳,确定客户端是否具有数据解析权限。The authority determination module 54 is configured to determine whether the client has the data parsing authority based on the second private key, the second timestamp, the first public key and the first timestamp.

数据转换模块55,用于响应于客户端具有数据解析权限,通过第二私钥对封装数据进行解密,得到标识数据。The data conversion module 55 is configured to decrypt the encapsulated data through the second private key in response to the client having the data parsing authority to obtain identification data.

本公开上述实施例提供的一种通用的标识数据转换装置,接收原始数据端发送的注册请求,根据所述注册请求向加密数据库发送第一私钥请求,并接收所述私钥请求对应的第一私钥以及第一时间戳;基于所述第一私钥对应的第一公钥,对所述原始数据端对中的标识数据执行加密和防伪封装处理,得到封装数据;根据从客户端接收的第二私钥请求,向所述客户端发送第二私钥以及第二时间戳;基于所述第二私钥、所述第二时间戳、所述第一公钥和所述第一时间戳,确定所述客户端是否具有数据解析权限;响应于所述客户端具有数据解析权限,通过所述第二私钥对所述封装数据进行解密,得到所述标识数据;本实施例通过在第三方服务端中实现数据公钥和私钥的请求和下发,克服了由于对标识数据的访问权限过大,导致的数据容易泄露等问题,本实施例中为数据分配不同的属性,并根据属性为标识解析客户端分配不同的密钥,由数据所有者决定哪些用户可以访问数据,实现细粒度的访问控制。A general identification data conversion device provided by the above embodiments of the present disclosure receives a registration request sent by an original data terminal, sends a first private key request to an encrypted database according to the registration request, and receives a first private key request corresponding to the private key request. a private key and a first timestamp; based on the first public key corresponding to the first private key, perform encryption and anti-counterfeiting encapsulation processing on the identification data in the original data end pair to obtain encapsulated data; send the second private key and the second timestamp to the client; based on the second private key, the second timestamp, the first public key and the first time to determine whether the client has the data parsing authority; in response to the client having the data parsing authority, the encapsulated data is decrypted by the second private key to obtain the identification data; in this embodiment, the The third-party server implements the request and distribution of the data public key and private key, which overcomes the problem of easy data leakage due to excessive access rights to the identification data. In this embodiment, different attributes are allocated to the data, and Assign different keys to identity resolution clients according to attributes, and the data owner decides which users can access the data, enabling fine-grained access control.

在一些可选的实施例中,数据封装模块52,包括:In some optional embodiments, the data encapsulation module 52 includes:

公钥确定单元,用于基于第一私钥确定对应的第一公钥;a public key determination unit, configured to determine a corresponding first public key based on the first private key;

数据加密单元,用于将第一公钥发送到原始数据端,在原始数据端通过第一公钥对标识数据进行加密,得到加密数据和加密数据对应的加密属性;其中,加密属性包括第一公钥与第一私钥之间的对应关系;A data encryption unit, configured to send the first public key to the original data terminal, and encrypt the identification data at the original data terminal by using the first public key to obtain the encrypted data and the encryption attributes corresponding to the encrypted data; wherein, the encryption attributes include the first the correspondence between the public key and the first private key;

数据封装单元,用于将加密数据、加密属性以及加密数据对应的防伪编码信息进行封装处理,得到封装数据。The data encapsulation unit is used for encapsulating the encrypted data, the encrypted attributes and the anti-counterfeiting coding information corresponding to the encrypted data to obtain encapsulated data.

可选地,数据加密单元,具体用于将第一公钥发送到原始数据端;在原始数据端通过第一公钥对标识数据进行加密,得到加密数据;基于预设编码规则将第一公钥与第一私钥之间的对应关系进行编码,得到加密属性。Optionally, the data encryption unit is specifically configured to send the first public key to the original data end; encrypt the identification data at the original data end by using the first public key to obtain encrypted data; The corresponding relationship between the key and the first private key is encoded to obtain the encryption attribute.

可选地,私钥发送模块53,具体用于接收客户端发出的第二私钥请求;根据第二私钥请求和预存的加密属性,确定第二私钥请求对应的第二私钥;其中,加密属性包括私钥与公钥之间的对应关系;根据确定第二私钥对应的时间点,确定第二时间戳。Optionally, the private key sending module 53 is specifically configured to receive the second private key request sent by the client; according to the second private key request and the pre-stored encryption attribute, determine the second private key corresponding to the second private key request; wherein , the encryption attribute includes the correspondence between the private key and the public key; the second timestamp is determined according to the time point corresponding to the determination of the second private key.

可选地,权限确定模块54,具体用于基于第二时间戳和第一时间戳之间的时间差值,确定时间差值与密钥有效期之间的关系,确定第二私钥是否有效;响应于第二私钥有效,根据第二私钥与第一公钥的加密属性是否相匹配,确定客户端是否具有数据解析权限。Optionally, the authority determination module 54 is specifically configured to determine the relationship between the time difference and the key validity period based on the time difference between the second time stamp and the first time stamp, and determine whether the second private key is valid; In response to the second private key being valid, it is determined whether the client has the data parsing authority according to whether the encryption properties of the second private key and the first public key match.

在一些可选的实施例中,本实施例提供的装置还包括:In some optional embodiments, the apparatus provided in this embodiment further includes:

存储模块,用于将封装数据发送到加密数据库进行存储;The storage module is used to send the encapsulated data to the encrypted database for storage;

请求解析模块,用于通过标识解析端接收客户端发出的解析请求,基于解析请求获得标识服务地址,基于标识服务地址从加密数据库获得封装数据。The request parsing module is used for receiving the parsing request sent by the client through the identity parsing terminal, obtaining the identity service address based on the parsing request, and obtaining the encapsulated data from the encrypted database based on the identity service address.

在一些可选的实施例中,数据转换模块55,具体用于基于数据解析权限对封装数据进行处理,得到加密数据、加密数据对应的加密属性和防伪追溯信息;基于加密属性确定第二私钥对应的数据范围;其中,加密属性还包括确定一个公钥对应的不同私钥可访问的数据范围;基于私钥对加密数据进行解密,得到数据范围对应的标识数据。In some optional embodiments, the data conversion module 55 is specifically configured to process the encapsulated data based on the data parsing authority to obtain encrypted data, encrypted attributes and anti-counterfeiting traceability information corresponding to the encrypted data; determine the second private key based on the encrypted attributes The corresponding data range; wherein, the encryption attribute further includes determining the data range accessible to different private keys corresponding to a public key; decrypting the encrypted data based on the private key to obtain identification data corresponding to the data range.

图6是本公开一示例性实施例提供的通用的标识数据转换系统的结构示意图。如图6所示,本实施例提供的系统包括:FIG. 6 is a schematic structural diagram of a general identification data conversion system provided by an exemplary embodiment of the present disclosure. As shown in Figure 6, the system provided by this embodiment includes:

第三方服务端61,用于执行上述任一项实施例提供的通用的标识数据转换方法。The third-party server 61 is configured to execute the general identification data conversion method provided by any of the foregoing embodiments.

原始数据端62,用于向第三方服务端发送注册请求,接收第三方服务端下发的第一公钥,将标识数据通过第一公钥进行加密和防伪封装处理,得到封装数据,将封装数据发送到加密数据库。The original data terminal 62 is used for sending a registration request to the third-party server, receiving the first public key issued by the third-party server, encrypting the identification data and anti-counterfeiting encapsulation through the first public key, obtaining encapsulated data, and encapsulating the encapsulated data. Data is sent to an encrypted database.

加密数据库63,用于根据第三方服务端发送的私钥请求,向第三方服务端下发第一私钥,接收原始数据端上传的封装数据。The encrypted database 63 is configured to issue the first private key to the third-party server according to the private key request sent by the third-party server, and receive the packaged data uploaded by the original data end.

标识解析端64,用于接收客户端发送的解析请求,基于解析请求获得标识服务地址,基于标识服务地址从加密数据库获得封装数据。The identification resolution terminal 64 is configured to receive the resolution request sent by the client, obtain the identification service address based on the resolution request, and obtain the encapsulated data from the encrypted database based on the identification service address.

客户端65,用于向第三方服务端发送第二私钥请求,接收第三方服务端返回的第二私钥以及第二时间戳,并向标识解析端发送解析请求,从加密数据库接收封装数据。The client 65 is configured to send a second private key request to the third-party server, receive the second private key and the second timestamp returned by the third-party server, send a parsing request to the identification parsing client, and receive the encapsulated data from the encrypted database .

其中,原始数据端62、加密数据库63和标识解析客户端64构成标识解析系统,客户端65为发起标识解析请求的用户终端,可以为任意终端设备,例如,手机、电脑等;标识解析系统负责根据标识编码查询目标对象网络位置或相关信息的系统装置,对机器和物品进行唯一性的定位和信息查询;Among them, the original data terminal 62, the encrypted database 63 and the identification analysis client 64 constitute an identification analysis system, and the client 65 is the user terminal that initiates the identification analysis request, which can be any terminal device, such as a mobile phone, a computer, etc.; the identification analysis system is responsible for According to the system device for querying the network location or related information of the target object according to the identification code, the unique positioning and information query of the machines and items are carried out;

第三方服务端61负责密钥的生成、下发和管理,默认可信;The third-party server 61 is responsible for the generation, distribution and management of keys, and is trusted by default;

本申请以扩展工业互联网标识应用为出发点,充分发挥标识在工业互联网领域的价值,针对标识解析客户端访问权限过大、易导致数据被分享乱用等风险,通过构建基于CP-ABE的访问控制系统,将访问策略部署在加密数据中,使数据集合库中的加密数据拥有不同的属性,同时根据属性为标识解析客户端分配不同的密钥,只有标识解析客户端的属性集合满足访问策略时才可以解密加密数据,这样数据所有者就可以决定哪些用户可以访问数据,实现细粒度的访问控制。从而避免解析客户端访问权限过大导致的数据泄露风险,提升标识解析体系整体安全防护能力,助力标识体系健康、稳定、安全发展。The starting point of this application is to expand the application of industrial Internet identification, to give full play to the value of identification in the field of industrial Internet, and to solve the risks of excessive access rights of identification analysis clients, which may easily lead to data being shared and used indiscriminately, by constructing an access control system based on CP-ABE. , deploy the access policy in the encrypted data, make the encrypted data in the data collection library have different attributes, and assign different keys to the identification parsing client according to the attributes, only when the attribute set of the identification parsing client satisfies the access policy Decrypt encrypted data so the data owner can decide which users can access the data, enabling fine-grained access control. In this way, the risk of data leakage caused by excessive access rights of the parsing client is avoided, the overall security protection capability of the identification parsing system is improved, and the healthy, stable and safe development of the identification system is facilitated.

示例性电子设备Exemplary Electronics

下面,参考图7来描述根据本公开实施例的电子设备。该电子设备可以是第一设备100和第二设备200中的任一个或两者、或与它们独立的单机设备,该单机设备可以与第一设备和第二设备进行通信,以从它们接收所采集到的输入信号。Hereinafter, an electronic device according to an embodiment of the present disclosure will be described with reference to FIG. 7 . The electronic device can be either or both of the first device 100 and the second device 200, or a stand-alone device independent of them that can communicate with the first device and the second device to receive data from them The acquired input signal.

图7图示了根据本公开实施例的电子设备的框图。7 illustrates a block diagram of an electronic device according to an embodiment of the present disclosure.

如图7所示,电子设备70包括一个或多个处理器71和存储器72。As shown in FIG. 7 , electronic device 70 includes one or more processors 71 and memory 72 .

处理器71可以是中央处理单元(CPU)或者具有数据处理能力和/或指令执行能力的其他形式的处理单元,并且可以控制电子设备70中的其他组件以执行期望的功能。Processor 71 may be a central processing unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in electronic device 70 to perform desired functions.

存储器72可以包括一个或多个计算机程序产品,所述计算机程序产品可以包括各种形式的计算机可读存储介质,例如易失性存储器和/或非易失性存储器。所述易失性存储器例如可以包括随机存取存储器(RAM)和/或高速缓冲存储器(cache)等。所述非易失性存储器例如可以包括只读存储器(ROM)、硬盘、闪存等。在所述计算机可读存储介质上可以存储一个或多个计算机程序指令,处理器71可以运行所述程序指令,以实现上文所述的本公开的各个实施例的通用的标识数据转换方法以及/或者其他期望的功能。在所述计算机可读存储介质中还可以存储诸如输入信号、信号分量、噪声分量等各种内容。Memory 72 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory (cache). The non-volatile memory may include, for example, a read only memory (ROM), a hard disk, a flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 71 may execute the program instructions to implement the general identification data conversion method of the various embodiments of the present disclosure described above and / or other desired functionality. Various contents such as input signals, signal components, noise components, etc. may also be stored in the computer-readable storage medium.

在一个示例中,电子设备70还可以包括:输入装置73和输出装置74,这些组件通过总线系统和/或其他形式的连接机构(未示出)互连。In one example, the electronic device 70 may also include an input device 73 and an output device 74 interconnected by a bus system and/or other form of connection mechanism (not shown).

例如,在该电子设备是第一设备100或第二设备200时,该输入装置73可以是上述的麦克风或麦克风阵列,用于捕捉声源的输入信号。在该电子设备是单机设备时,该输入装置73可以是通信网络连接器,用于从第一设备100和第二设备200接收所采集的输入信号。For example, when the electronic device is the first device 100 or the second device 200, the input device 73 may be the above-mentioned microphone or microphone array for capturing the input signal of the sound source. When the electronic device is a stand-alone device, the input device 73 may be a communication network connector for receiving the collected input signals from the first device 100 and the second device 200 .

此外,该输入装置73还可以包括例如键盘、鼠标等等。In addition, the input device 73 may also include, for example, a keyboard, a mouse, and the like.

该输出装置74可以向外部输出各种信息,包括确定出的距离信息、方向信息等。该输出装置74可以包括例如显示器、扬声器、打印机、以及通信网络及其所连接的远程输出设备等等。The output device 74 can output various information to the outside, including the determined distance information, direction information, and the like. The output devices 74 may include, for example, displays, speakers, printers, and communication networks and their connected remote output devices, among others.

当然,为了简化,图7中仅示出了该电子设备70中与本公开有关的组件中的一些,省略了诸如总线、输入/输出接口等等的组件。除此之外,根据具体应用情况,电子设备70还可以包括任何其他适当的组件。Of course, for simplicity, only some of the components in the electronic device 70 related to the present disclosure are shown in FIG. 7 , and components such as buses, input/output interfaces, and the like are omitted. Besides, the electronic device 70 may also include any other suitable components according to the specific application.

示例性计算机程序产品和计算机可读存储介质Exemplary computer program product and computer readable storage medium

除了上述方法和设备以外,本公开的实施例还可以是计算机程序产品,其包括计算机程序指令,所述计算机程序指令在被处理器运行时使得所述处理器执行本说明书上述“示例性方法”部分中描述的根据本公开各种实施例的通用的标识数据转换方法中的步骤。In addition to the methods and apparatus described above, embodiments of the present disclosure may also be computer program products comprising computer program instructions that, when executed by a processor, cause the processor to perform the "exemplary method" described above in this specification Sections describe steps in a general identification data conversion method according to various embodiments of the present disclosure.

所述计算机程序产品可以以一种或多种程序设计语言的任意组合来编写用于执行本公开实施例操作的程序代码,所述程序设计语言包括面向对象的程序设计语言,诸如Java、C++等,还包括常规的过程式程序设计语言,诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算设备上执行、部分地在用户设备上执行、作为一个独立的软件包执行、部分在用户计算设备上部分在远程计算设备上执行、或者完全在远程计算设备或服务器上执行。The computer program product may write program code for performing operations of embodiments of the present disclosure in any combination of one or more programming languages, including object-oriented programming languages, such as Java, C++, etc. , also includes conventional procedural programming languages, such as "C" language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user device, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on the remote computing device or server execute on.

此外,本公开的实施例还可以是计算机可读存储介质,其上存储有计算机程序指令,所述计算机程序指令在被处理器运行时使得所述处理器执行本说明书上述“示例性方法”部分中描述的根据本公开各种实施例的通用的标识数据转换方法中的步骤。In addition, embodiments of the present disclosure may also be computer-readable storage media having computer program instructions stored thereon that, when executed by a processor, cause the processor to perform the above-described "Example Method" section of this specification Steps in a general identification data conversion method according to various embodiments of the present disclosure described in .

所述计算机可读存储介质可以采用一个或多个可读介质的任意组合。可读介质可以是可读信号介质或者可读存储介质。可读存储介质例如可以包括但不限于电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。可读存储介质的更具体的例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。The computer-readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses or devices, or a combination of any of the above. More specific examples (non-exhaustive list) of readable storage media include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

以上结合具体实施例描述了本公开的基本原理,但是,需要指出的是,在本公开中提及的优点、优势、效果等仅是示例而非限制,不能认为这些优点、优势、效果等是本公开的各个实施例必须具备的。另外,上述公开的具体细节仅是为了示例的作用和便于理解的作用,而非限制,上述细节并不限制本公开为必须采用上述具体的细节来实现。The basic principles of the present disclosure have been described above with reference to specific embodiments. However, it should be pointed out that the advantages, advantages, effects, etc. mentioned in the present disclosure are only examples rather than limitations, and these advantages, advantages, effects, etc. should not be considered to be A must-have for each embodiment of the present disclosure. In addition, the specific details disclosed above are only for the purpose of example and easy understanding, but not for limitation, and the above details do not limit the present disclosure to be implemented by using the above specific details.

本说明书中各个实施例均采用递进的方式描述,每个实施例重点说明的都是与其它实施例的不同之处,各个实施例之间相同或相似的部分相互参见即可。对于系统实施例而言,由于其与方法实施例基本对应,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments may be referred to each other. As for the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for related parts, please refer to the partial description of the method embodiment.

本公开中涉及的器件、装置、设备、系统的方框图仅作为例示性的例子并且不意图要求或暗示必须按照方框图示出的方式进行连接、布置、配置。如本领域技术人员将认识到的,可以按任意方式连接、布置、配置这些器件、装置、设备、系统。诸如“包括”、“包含”、“具有”等等的词语是开放性词汇,指“包括但不限于”,且可与其互换使用。这里所使用的词汇“或”和“和”指词汇“和/或”,且可与其互换使用,除非上下文明确指示不是如此。这里所使用的词汇“诸如”指词组“诸如但不限于”,且可与其互换使用。The block diagrams of devices, apparatuses, apparatuses, and systems referred to in this disclosure are merely illustrative examples and are not intended to require or imply that the connections, arrangements, or configurations must be in the manner shown in the block diagrams. As those skilled in the art will appreciate, these means, apparatuses, apparatuses, systems may be connected, arranged, configured in any manner. Words such as "including", "including", "having" and the like are open-ended words meaning "including but not limited to" and are used interchangeably therewith. As used herein, the words "or" and "and" refer to and are used interchangeably with the word "and/or" unless the context clearly dictates otherwise. As used herein, the word "such as" refers to and is used interchangeably with the phrase "such as but not limited to".

可能以许多方式来实现本公开的方法和装置。例如,可通过软件、硬件、固件或者软件、硬件、固件的任何组合来实现本公开的方法和装置。用于所述方法的步骤的上述顺序仅是为了进行说明,本公开的方法的步骤不限于以上具体描述的顺序,除非以其它方式特别说明。此外,在一些实施例中,还可将本公开实施为记录在记录介质中的程序,这些程序包括用于实现根据本公开的方法的机器可读指令。因而,本公开还覆盖存储用于执行根据本公开的方法的程序的记录介质。The methods and apparatus of the present disclosure may be implemented in many ways. For example, the methods and apparatus of the present disclosure may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order of steps for the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Furthermore, in some embodiments, the present disclosure can also be implemented as programs recorded in a recording medium, the programs including machine-readable instructions for implementing methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.

还需要指出的是,在本公开的装置、设备和方法中,各部件或各步骤是可以分解和/或重新组合的。这些分解和/或重新组合应视为本公开的等效方案。It should also be noted that, in the apparatus, device and method of the present disclosure, each component or each step may be decomposed and/or recombined. These disaggregations and/or recombinations should be considered equivalents of the present disclosure.

提供所公开的方面的以上描述以使本领域的任何技术人员能够做出或者使用本公开。对这些方面的各种修改对于本领域技术人员而言是非常显而易见的,并且在此定义的一般原理可以应用于其他方面而不脱离本公开的范围。因此,本公开不意图被限制到在此示出的方面,而是按照与在此公开的原理和新颖的特征一致的最宽范围。The above description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the present disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

为了例示和描述的目的已经给出了以上描述。此外,此描述不意图将本公开的实施例限制到在此公开的形式。尽管以上已经讨论了多个示例方面和实施例,但是本领域技术人员将认识到其某些变型、修改、改变、添加和子组合。The foregoing description has been presented for the purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the present disclosure to the forms disclosed herein. Although a number of example aspects and embodiments have been discussed above, those skilled in the art will recognize certain variations, modifications, changes, additions and sub-combinations thereof.

Claims (11)

1. A universal identification data conversion method is applied to a third-party server and comprises the following steps:
receiving a registration request sent by an original data end, sending a first private key request to an encryption database according to the registration request, and receiving a first private key and a first timestamp corresponding to the private key request;
based on a first public key corresponding to the first private key, performing encryption and anti-counterfeiting packaging processing on the identification data in the original data end pair to obtain packaged data;
sending a second private key and a second timestamp to the client according to a second private key request received from the client;
determining whether the client has data parsing permission based on the second private key, the second timestamp, the first public key and the first timestamp;
and in response to the client side having the data analysis permission, decrypting the encapsulated data through the second private key to obtain the identification data.
2. The method according to claim 1, wherein the encrypting and anti-counterfeit packaging the identification data in the original data end pair based on the first public key corresponding to the first private key to obtain packaged data comprises:
determining the corresponding first public key based on the first private key;
sending the first public key to the original data end, and encrypting the identification data at the original data end through the first public key to obtain encrypted data and an encryption attribute corresponding to the encrypted data; wherein the encryption attribute comprises a correspondence between the first public key and the first private key;
and packaging the encrypted data, the encryption attribute and the anti-counterfeiting code information corresponding to the encrypted data to obtain the packaged data.
3. The method according to claim 2, wherein the sending the first public key to the original data end, and encrypting the identification data at the original data end through the first public key to obtain encrypted data and an encryption attribute corresponding to the encrypted data comprises:
sending the first public key to the original data terminal;
encrypting the identification data at the original data end through the first public key to obtain encrypted data;
and coding the corresponding relation between the first public key and the first private key based on a preset coding rule to obtain the encryption attribute.
4. The method according to any one of claims 1-3, wherein sending the second private key and the second timestamp to the client based on a second private key request received from the client comprises:
receiving a second private key request sent by the client;
determining a second private key corresponding to the second private key request according to the second private key request and pre-stored encryption attributes; wherein the encryption attribute comprises a corresponding relation between a private key and a public key;
and determining the second time stamp according to the determined time point corresponding to the second private key.
5. The method of any of claims 1-3, wherein determining whether the client has data parsing authority based on the second private key, the second timestamp, the first public key, and the first timestamp comprises:
determining a relationship between the time difference and a key validity period based on the time difference between the second timestamp and the first timestamp, and determining whether the second private key is valid;
and responding to the validity of the second private key, and determining whether the client has the data analysis permission according to whether the encryption attributes of the second private key and the first public key are matched.
6. The method according to any one of claims 1-3, wherein before sending the second private key and the second timestamp to the client according to the second private key request received from the client, further comprising:
sending the packaged data to the encryption database for storage;
and receiving an analysis request sent by the client through an identification analysis end, acquiring an identification service address based on the analysis request, and acquiring the packaging data from the encryption database based on the identification service address.
7. The method according to any one of claims 1-3, wherein said decrypting the encapsulated data with the second private key to obtain the identification data comprises:
processing the encapsulated data based on the data analysis authority to obtain encrypted data, and encryption attributes and anti-counterfeiting tracing information corresponding to the encrypted data;
determining a data range corresponding to the second private key based on the encryption attribute; wherein, the encryption attribute also comprises determining a data range which can be accessed by different private keys corresponding to a public key;
and decrypting the encrypted data based on the private key to obtain the identification data corresponding to the data range.
8. A universal identification data conversion device is applied to a third-party server and comprises:
the private key request module is used for receiving a registration request sent by an original data end, sending a first private key request to an encryption database according to the registration request, and receiving a first private key and a first timestamp corresponding to the private key request;
the data encapsulation module is used for carrying out encryption and anti-counterfeiting encapsulation processing on the identification data in the original data end pair based on a first public key corresponding to the first private key to obtain encapsulated data;
the private key sending module is used for sending a second private key and a second timestamp to the client according to a second private key request received from the client;
the authority determining module is used for determining whether the client has data analysis authority or not based on the second private key, the second timestamp, the first public key and the first timestamp;
and the data conversion module is used for responding to the fact that the client side has the data analysis permission, and decrypting the encapsulated data through the second private key to obtain the identification data.
9. A universal identification data conversion system, comprising:
a third party server for executing the universal identification data conversion method of any one of the above claims 1-7;
the original data end is used for sending a registration request to the third-party server end, receiving a first public key issued by the third-party server end, encrypting and anti-counterfeiting packaging identification data through the first public key to obtain packaged data, and sending the packaged data to an encryption database;
the encryption database is used for issuing a first private key to the third-party server according to a private key request sent by the third-party server and receiving the packaging data uploaded by the original data terminal;
the identification analysis end is used for receiving an analysis request sent by a client, obtaining an identification service address based on the analysis request and obtaining the packaging data from the encryption database based on the identification service address;
and the client is used for sending a second private key request to the third-party server, receiving a second private key and a second timestamp returned by the third-party server, sending an analysis request to the identifier analysis terminal, and receiving the packaged data from the encrypted database.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the general identification data conversion method of any one of claims 1 to 7.
11. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instructions from the memory and executing the instructions to realize the general identification data conversion method of any one of the claims 1 to 7.
CN202210407217.9A 2022-04-19 2022-04-19 Universal identification data conversion method and device, storage medium, electronic device Active CN114513370B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210407217.9A CN114513370B (en) 2022-04-19 2022-04-19 Universal identification data conversion method and device, storage medium, electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210407217.9A CN114513370B (en) 2022-04-19 2022-04-19 Universal identification data conversion method and device, storage medium, electronic device

Publications (2)

Publication Number Publication Date
CN114513370A true CN114513370A (en) 2022-05-17
CN114513370B CN114513370B (en) 2022-07-15

Family

ID=81554817

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210407217.9A Active CN114513370B (en) 2022-04-19 2022-04-19 Universal identification data conversion method and device, storage medium, electronic device

Country Status (1)

Country Link
CN (1) CN114513370B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116366252A (en) * 2023-03-17 2023-06-30 北京信源电子信息技术有限公司 DOA-based data protection method for handle identification analysis technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060280309A1 (en) * 2002-06-28 2006-12-14 Microsoft Corporation Systems and methods for providing secure server key operations
CN105072180A (en) * 2015-08-06 2015-11-18 武汉科技大学 Cloud storage data security sharing method with permission time control
CN107864157A (en) * 2017-12-19 2018-03-30 苗放 Protecting data encryption and ownership mandate decryption application process and system based on ownership
CN110493347A (en) * 2019-08-26 2019-11-22 重庆邮电大学 Data access control method and system in large-scale cloud storage based on block chain
CN111163036A (en) * 2018-11-07 2020-05-15 中移(苏州)软件技术有限公司 A data sharing method, device, client, storage medium and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060280309A1 (en) * 2002-06-28 2006-12-14 Microsoft Corporation Systems and methods for providing secure server key operations
CN105072180A (en) * 2015-08-06 2015-11-18 武汉科技大学 Cloud storage data security sharing method with permission time control
CN107864157A (en) * 2017-12-19 2018-03-30 苗放 Protecting data encryption and ownership mandate decryption application process and system based on ownership
CN111163036A (en) * 2018-11-07 2020-05-15 中移(苏州)软件技术有限公司 A data sharing method, device, client, storage medium and system
CN110493347A (en) * 2019-08-26 2019-11-22 重庆邮电大学 Data access control method and system in large-scale cloud storage based on block chain

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
龚坚 等: "RSA加密在DNS安全中的应用", 《贵州大学学报(自然科学版)》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116366252A (en) * 2023-03-17 2023-06-30 北京信源电子信息技术有限公司 DOA-based data protection method for handle identification analysis technology
CN116366252B (en) * 2023-03-17 2024-01-30 北京信源电子信息技术有限公司 DOA-based data protection method for handle identification analysis technology

Also Published As

Publication number Publication date
CN114513370B (en) 2022-07-15

Similar Documents

Publication Publication Date Title
US12273334B2 (en) Systems and methods for providing secure services
CN114448732B (en) Protection method, device, medium and equipment for identifying private data network transmission
CN109067732B (en) IoT device and data access system, method and computer-readable storage medium
CN114338247B (en) Data transmission method and apparatus, electronic device, storage medium, and program product
CN114357485A (en) Key encryption and decryption management method and system
CN111598695A (en) Block chain data access method and device
CN114513370B (en) Universal identification data conversion method and device, storage medium, electronic device
CN115460019B (en) Method, apparatus, device and medium for providing digital identity-based target application
US9344407B1 (en) Centrally managed use case-specific entity identifiers
CN115021913B (en) Method, system and storage medium for generating key of industrial Internet identification analysis system
CN114782045B (en) Cross-chain non-transactional writing method and device, storage medium and electronic equipment
CN113918982B (en) Data processing method and system based on identification information
CN115941352A (en) Information security interaction method, device, electronic equipment and storage based on big data
US9251375B1 (en) Use case-specific entity identifiers
CN117081740B (en) Key management method and device based on cipher machine resource pool
CN115514578B (en) Block chain based data authorization method and device, electronic equipment and storage medium
CN114826719B (en) Trusted terminal authentication method, system, device and storage medium based on blockchain
Su et al. An Action‐Based Fine‐Grained Access Control Mechanism for Structured Documents and Its Application
CN113312637B (en) Proxy server and its method of matching encrypted subscriptions to events
Lee et al. Resource centric security to protect customer energy information in the smart grid
US9998444B2 (en) Chaining of use case-specific entity identifiers
CN117744158B (en) Access method, device, equipment and medium based on industrial Internet identification
CN115544170B (en) Data hosting method and device based on block chain, electronic equipment and medium
CN106919846A (en) A kind of message-oriented middleware processing method and system
CN119996046A (en) Method, apparatus, device, medium and product for data encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant