CN115118435A - Private data protection and authorization framework based on double-layer chain - Google Patents
Private data protection and authorization framework based on double-layer chain Download PDFInfo
- Publication number
- CN115118435A CN115118435A CN202210756058.3A CN202210756058A CN115118435A CN 115118435 A CN115118435 A CN 115118435A CN 202210756058 A CN202210756058 A CN 202210756058A CN 115118435 A CN115118435 A CN 115118435A
- Authority
- CN
- China
- Prior art keywords
- data
- node
- chain
- authorization
- nodes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 88
- 238000012795 verification Methods 0.000 claims abstract description 47
- 238000011084 recovery Methods 0.000 claims description 24
- 238000000034 method Methods 0.000 claims description 20
- 238000012545 processing Methods 0.000 claims description 14
- 238000012423 maintenance Methods 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 claims description 4
- 230000009286 beneficial effect Effects 0.000 claims description 3
- 238000013524 data verification Methods 0.000 claims description 2
- 239000003999 initiator Substances 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 8
- 238000013500 data storage Methods 0.000 description 7
- 238000005516 engineering process Methods 0.000 description 3
- 239000002699 waste material Substances 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 238000013502 data validation Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0715—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in a system implementing multitasking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Medical Informatics (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Quality & Reliability (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a privacy data protection and authorization framework based on a double-layer chain, which adopts a double-layer chain structure and respectively comprises a verification chain and an authorization chain, wherein the verification chain is responsible for verifying the authenticity and the validity of data and simultaneously generating a data possession certificate; the authorization chain is responsible for storing authorization records of users, each user has a data account, and the user can only authorize the data of the user; the nodes in the verification chain are equivalent to 'privileged' nodes in the authorization chain and can add data to the data account of the user; the authenticated storage of data and authorization are performed separately. The privacy data protection adopts a double-chain structure, and a service provider can provide services under the condition that specific data of a user are not exposed. A consensus algorithm (PoB) based on benefit proof is also proposed to adapt the current consensus mechanism to the framework.
Description
Technical Field
The invention belongs to the technical field of block chains, and particularly relates to a privacy data protection and authorization framework based on a double-layer chain.
Background
With the rapid development of network technology, the protection of private data is receiving more and more attention, and in recent years, information loss and privacy disclosure are all around the world. Privacy data protection is increasingly gaining importance. At present, the mainstream data storage mode is centralized storage, and then data is encrypted through an encryption technology, so that data leakage can be effectively prevented. In this way, passive leakage can only be avoided, so much law is devoted to information protection, but the condition of private data leakage is still serious, and a user is difficult to obtain evidence, so that many people unscrupulous sell private data to invade the privacy of the user.
The block chain solves the problem of centralized storage, is provided by the Chinese smart at first, is a novel application mode integrating technologies such as distributed data storage, point-to-point transmission, a consensus mechanism and an encryption algorithm, has the characteristics of non-falsification, traceability, distrust removal and the like, is very suitable for the field of private data protection, and provides safety guarantee for private data protection due to the decentralized characteristic. However, due to the characteristics of the blockchain, the integrity and security of data cannot be guaranteed when private data storage and authorization are all delivered to blockchain processing, and the existing processing mode needs to send data to a service provider, so that a potential safety hazard exists, and as the number of transactions in the blockchain increases, the blockchain nodes are also under storage pressure. In addition, the existing consensus mechanism and block chain structure are generally used for virtual currency, but the processing speed is slow when the existing consensus mechanism and block chain structure are used in the field of private data storage, so that the system cannot be optimized, and a protection and authorization framework with higher safety and higher processing speed needs to be provided for the private data storage.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention provides a privacy data protection and authorization framework based on a double-layer chain. The privacy data protection adopts a double-chain structure, and a service provider can provide services under the condition that specific data of a user are not exposed. A consensus algorithm (PoB) based on benefit attestation is also proposed to adapt the current consensus mechanism to the framework.
The technical scheme for solving the technical problems is to provide a privacy data protection and authorization framework based on a double-layer chain, which is characterized in that the framework adopts a double-layer chain structure and respectively comprises a verification chain and an authorization chain, wherein the verification chain is responsible for verifying the authenticity and the validity of data, and simultaneously generates a data possession certificate; the authorization chain is responsible for storing authorization records of users, each user has a data account of the user, and the user can only authorize the data of the user; the nodes in the authentication chain correspond to "privileged" nodes in the authorization chain, and data may be added to the user's data account. The structure separately carries out verification storage and authorization of data, and can trace back in a verification chain through authorization records when problems occur, so that the security of private data is ensured, and the rights and interests of both users and data demanders are ensured.
In order to ensure the safety and the authenticity of private data, nodes in the verification chain are a credible third party or an authority, so the verification chain adopts a private chain, namely only consistency and the working efficiency and the stability of a system are required to be ensured, an improved raft consensus algorithm is used, each node can verify the data, the data is stored in an IPFS, a user can check own data and ensure traceability at the same time, and a data possession certificate is generated and sent to an account of the user in the authorization chain.
Since the users on the authorization chain are not all trusted nodes, the number of data demanders is not fixed, and how to maintain the operation of the whole chain is the key of the authorization chain, the authorization chain adopts a public chain without an incentive mechanism, and a block node is determined in N nodes by adopting verifiable random numbers (VRFs) by using a benefit-based consensus mechanism (PoB).
The benefit-based consensus mechanism (PoB) has the following specific contents: and selecting the nodes which have the first N authorized data numbers to maintain and operate the authorization chain, wherein the nodes have more authorization data and are more trustworthy, and the nodes only store blocks relevant to the nodes.
The improved raft consensus algorithm comprises: deleting overtime elections, using sequential elections to perform leader elections, supporting a consensus process of simultaneously processing data by multiple nodes, and processing and recovering faults;
and (3) leader election:
(1) deleting the overtime election process in the Raft algorithm, sequentially selecting nodes as leaders, and maintaining a node list together, wherein all nodes except the leaders are follower nodes;
(2) when the leader node fails, the current leader node is moved into a failure list, and the next node selects the leader to perform block output;
a consensus process:
(1) each follower node can independently verify the authenticity of the data, generate a transaction list of the follower node, and send the generated transaction information and the latest block number of the follower node to the leader;
(2) the leader receives the transaction information generated by each follower node and generates a new block, meanwhile, the leader compares the latest block number sent by each follower node with the block number of the new block generated by the leader, and if the latest block number sent by the follower node is smaller than the block number of the new block generated by the leader, the leader respectively sends the blocks with the missing nodes to the corresponding follower nodes;
(3) the follower node receives the information sent by the leader and checks the deals therein, deletes the same deals in the deal list, and then continues to send the deal information in the deal list and the latest block number of the follower node to the leader to keep synchronization;
and (3) state maintenance:
(1) the consensus process comprises state maintenance, each message transmission represents a heartbeat signal, and the node automatically resets the timeout time;
(2) when all nodes (including the leader) are idle, the leader sends the latest block number, the follower node returns the latest block number of the follower node, and the leader sends the content of the next heartbeat signal according to the block number of the block chain;
fault processing and recovery:
(1) when the leader fails and the overtime time is over, the node updates the node list and sends unprocessed transaction information to a new leader;
(2) when the block number of the follower node is larger than that of the leader, taking the leader as a standard, and resending the trade of the block where the block number is positioned to the leader;
(3) when a fault node requests recovery, the fault node sends recovery requests to other nodes, the other nodes check whether the fault node is the fault node, if so, the fault node is deleted from a fault list of each node, the fault node requesting recovery is added into the node list, and the node list is sent to the fault node requesting recovery.
The invention also discloses a private data protection and authorization framework used in real-name authentication, and the framework adopts the private data protection and authorization framework based on the double-layer chain.
Compared with the prior art, the invention has the beneficial effects that:
1. better privacy. According to the traditional storage and authorization scheme of the private data, the original data are displayed during authorization, so that the situation of malicious collection cannot be avoided, in some cases, a service provider does not need to know specific data, and only a user is proved to be a data owner.
2. Traceability. Although there is no specific data in the authorization chain, the authorization record can be traced back through the verification chain as proof.
3. The verification chain adopts an improved RAFT consensus algorithm, and the algorithm deletes overtime election, supports simultaneous processing of data by multiple nodes and recovery of failed nodes, so that the data processing speed and the leader election speed are improved.
4. The authorization chain adopts the framework to provide a beneficial consensus mechanism, so that the reliable operation of the layer can be ensured, only N before the account authorization number can participate in the block generation in the mechanism, the malicious nodes do not have benefits for the nodes, the nodes only need to store blocks related to the nodes, and the storage pressure of the nodes is reduced, so that the layer has good safety and expandability.
5. The public chain such as the bit currency and the like adopts a PoW common identification mechanism to decide the block nodes, which causes a great deal of resource waste, and the authorization chain of the framework adopts a VRFs (verifiable random functions) algorithm to select the block nodes, so that a great deal of computing resources can be saved, and the transaction processing speed is greatly improved.
Drawings
FIG. 1 is a schematic diagram of a validation chain leader election process.
FIG. 2 is a schematic diagram of a verification chain block structure.
FIG. 3 is a schematic diagram of the block structure of the proof chain region.
Fig. 4 is a block diagram of grant chain blocks.
FIG. 5 is a block diagram of the authorized chain region.
FIG. 6 is a schematic step diagram of the framework.
Fig. 7 and 8 are schematic diagrams of a chain state maintaining process.
Fig. 9 shows a schematic diagram of the authorization chain consensus process.
Detailed Description
Specific examples of the present invention are given below. The specific examples are only for illustrating the present invention in further detail and do not limit the scope of protection of the present application.
The invention provides a privacy data protection and authorization framework (a short framework) based on a double-layer chain, which comprises the following contents:
(1) the framework consists of two chains, an authentication chain and an authorization chain.
(2) The verification chain is maintained and operated by n credible nodes and is used for receiving and verifying real data of a user, saving the data to an IPFS (interplanetary file system), saving an address to an account of the user in the verification chain and generating a unique data possession certificate to be saved to the user account in the authorization chain.
(3) The authorization chain is maintained and run by the user and the data demander, where the user can authorize the data proof to the data demander.
The working process of the privacy data protection and authorization framework based on the double-layer chain is as follows:
verification chain improved raft consensus algorithm:
1. leader election (as shown in FIG. 1):
(1) and deleting the overtime election process in the Raft algorithm, sequentially electing the nodes to a leader, and maintaining a node list together, wherein all nodes except the leader are follower nodes.
(2) When the leader node fails, the current leader node is moved into the failure list, the next node selects the leader to perform out-blocking, as shown in part (2) in fig. 1, the node 1 starts to be the leader, and when the leader node fails, the node 2 serves as a new leader, and the node 1 is moved into the failure list.
2. A consensus process:
(1) each follower node can independently verify the authenticity of the data, generate a transaction list of the follower node, and send the generated transaction information and the latest block number of the follower node to the leader. I.e. the follower node can be interactively handled with the user.
(2) The leader receives the transaction information generated by each follower node and generates a new block (the generated new block comprises a block number), meanwhile, the leader compares the latest block number sent by each follower node with the block number of the new block generated by the leader, and if the latest block number sent by the follower node is smaller than the block number of the new block generated by the leader, the leader sends the blocks with the missing nodes to the corresponding follower nodes respectively.
(3) And the follower node receives the information sent by the leader and checks the deals in the information, deletes the same deals in the deal list, and then continuously sends the deal information in the deal list and the latest block number of the follower node to the leader to keep synchronization.
3. And (3) state maintenance:
(1) the consensus process involves state maintenance, each message transmission representing a "heartbeat" signal, and the node automatically resets the timeout period.
(2) When all nodes (including the leader) are idle, the leader sends the latest block number, the follower node returns the latest block number of the follower node, and the leader sends the content of the next heartbeat signal according to the block number of the block chain.
4. Fault processing and recovery:
(1) when the leader fails and the timeout period ends, the node updates the node list and sends the unprocessed transaction information to the new leader.
(2) And when the block number of the follower node is larger than that of the leader, taking the leader as a standard, and retransmitting the transaction of the block with the block number to the leader.
(3) When a fault node requests recovery, the fault node sends recovery requests to other nodes, the other nodes check whether the fault node is the fault node, if so, the fault node is deleted from a fault list of each node, the fault node requesting recovery is added into the node list, and the node list is sent to the fault node requesting recovery.
Verify the structure of the blocks in the chain, as shown in FIG. 2:
the block header of the verification chain is composed of PreHash, GenerateNode, Time, Tsum, MerkLeroot and BNumber, wherein the PreHash is the Hash value of the previous block, the value in the created block is 0, and the blocks are connected into a chain by the value to prevent the previous block from being tampered; the generateeNode is the address of the egress node; the Time is a timestamp, and the block Time is recorded; tsum records the data of the transactions in the block; MerkleRoot is the root node of a merkle tree in which the hash (H) of each transaction (Tx1, tx2..) is a leaf node, and changes as long as one transaction changes the value of MerkleRoot; BNumber is the block number, which is the "heartbeat" signal for the modified raft consensus algorithm, and a node does not have to query the length of the block chain every time.
Structure of transaction in verification chain:
the block of blocks is shown in fig. 3, the transactions are data validation records, and all transactions constitute a data "ledger". H (PKu) is the address of the user account, binding data to the user; the VerificationNode represents a node for verifying data, and decrypts data in the IPFS (interplanetary file system) when tracing and a user views the data; the Address is a data Address returned by the IPFS; the Type is a data Type; h (date) is a hash value of the data, ensures the uniqueness of the data, avoids repeated verification of the data, and is also the "balance" (own information) in the user data account.
Consensus algorithm of authorization chain:
proposed benefit-based consensus mechanism (PoB): because the authorization chain has no reward mechanism, the benefit is judged according to the authorization quantity in the data account, and the authorization quantity also determines whether the node is trusted. The method comprises the following specific steps:
(1) the first N nodes of the authorization number are responsible for block generation, and since the authorization chain only has data possession proof, a malicious node does not benefit from the authorization chain.
(2) The N nodes use VRFs (verifiable random function) to determine the block nodes.
Structure of blocks in grant chain:
as shown in fig. 4, the block header of the authorization chain is composed of a pre-hash, a generateenode, Time, BNumber, MerkleRoot, and VRFsProve, where the pre-hash is a hash value of the previous block header, and since not all nodes store all blocks, the value is a hash value of the block header, which facilitates the verification of the block chain; the generateeNode is the address of the egress node; time is a timestamp; BNumber is the block number; MerkLeroot is the root node of the merkle tree; VRFsProve is the proof of the VRFs algorithm, and other nodes can verify the block nodes according to the proof.
Structure of transactions in the authorization chain:
the structure of the block body comprises a plurality of transactions Tx1, …, Txi, … and Txn as shown in FIG. 5, wherein the information of each transaction comprises a Sender, a Receiver, a Type, a DateProof, a Bind and a Validity, the Sender is a transaction initiator, and is generally an authorizer or a notary; a Receiver is a Receiver, generally a service provider or a user; the Type is a data Type; DateProof is a data proof, i.e., a proof that a notary signed a binding with a user (SigSKn (H (Address), H (PKu)); the Bind is an account or service and the like bound by authorization; the BNumber is the block number where the transaction is located, so that the transaction can be conveniently and quickly found; validity is the Validity of authorization, the value is set to True when authorization is performed, the value is set to False when the authorization is canceled, and the value when the transaction finally occurs is a valid value.
Example 1
The embodiment is based on a two-layer chain privacy data protection and authorization framework for real-name authentication, and the framework comprises the following steps, as shown in fig. 6.
In the step 1 and the step 2, a user (data owner) signs data (date) by using a private key (SKu) of the user, the signed data (SigSKu (date)) and a public key (PKu) of the user are sent to a verification chain, and if the verification is passed, a verification result is returned.
And 3, after the verification chain receives the data, firstly verifying the signature, then verifying the data, verifying the data by adopting a manual or verification interface, if the data passes the verification, encrypting (EnSKn (date)) the data by a node public key (PKn) and storing the data into the IPFS, hashing the user public key to generate a user account Address (H (PKu)), and taking the storage Address (Address), the data hash value (H (date)), the verification node (verify node) and the data type (type) returned by the IPFS as transaction information. The hash value of the data can avoid repeated verification of the data; since the public key is used for encryption, in steps 10 and 11, the node for verifying the data can be quickly found according to the verification node for tracing, and the responsibility and the like can be followed after the data has a problem. If the verification fails, the reason for the failure is returned to the user.
And step 5, each node of the verification chain is a notary, signs the hash value (H (address)) of the IPFS return address and the user address by using a private key (SKn) to serve as a data certificate (SigSKn (H (address), H (PKu))), and uses the data certificate and the data type as transaction information of the authorization chain. SigSKn denotes signing with a private key.
And 6, step 7, when the service provider needs the user to provide data certification, the service provider provides an account address, the user sends an authorization transaction to an authorization chain to authorize the data, and an authorization result is returned after the transaction verification is passed. In this step, the user can only authorize the data which is signed by the notary node and the account address of which is consistent, otherwise, the user cannot pass the transaction request.
Step 8 and step 9, the transaction information includes the account information of the user on the service provider, after the user authorizes, the service provider checks whether the authorization is authorized by inquiring the authorization account, and if the transaction has problems, the service provider can refuse to provide the service.
And step 10, when the service provider finds that the user has violation behaviors, the service provider provides a tracing request to the verification chain and submits violation evidence and an authorization record.
And 11, checking the authorization records and the evidence by the verification chain, and manually intervening subsequent operations such as responsibility tracing and the like.
And (3) verifying the chain consensus process:
step 1: and the verification chain node receives the data of the user, generates corresponding transaction information after performing verification and storage, and then adds the transaction information into a transaction list.
And 2, step: the follower node stores the user address, the verification node information, the data storage address, the data type and the verification certificate (i.e. the hash of the data) as transaction information into a transaction list, as shown in fig. 7, the follower nodes 2, 3 and 4 respectively contain 4, 5 and 3 transactions, where Bn represents the block number and Tx represents the transaction, and these transactions and the latest block number are sent to the leader node as a "heartbeat" signal.
And step 3: the leader node integrates the deals after receiving the deals sent by the follower nodes, adds the deals in the deal list into the newly generated blocks (if within the quantity limit) to generate new blocks, compares the latest block numbers with the block numbers in the heartbeat signals of the nodes, and respectively sends the corresponding blocks to the follower nodes.
And 4, step 4: as shown in fig. 8, each follower node looks up the transactions in the block sent by the leader node, deletes the transactions identical to the own transaction list, adds the block sent by the leader node to the own chain of the node, and continues to send the transaction information in the transaction list and the latest block number of the leader node to the leader so that the leader and the follower nodes keep synchronization.
And (3) verifying the failure recovery process of the link node:
case 1: when the leader node goes down, and the follower node does not receive the signal of the leader node after the set timeout time after sending the heartbeat signal, the follower node adds the first node of the node list to the fault list, removes the current leader node from the node list, and selects the leader by the next node.
Case 2: when the follower nodes are down, the leader node sets timeout time for each follower node, if a certain node heartbeat signal is not received in the timeout time, the leader updates a node list, the follower nodes which do not receive the heartbeat signal are added into a fault list, then the latest node list and the heartbeat signal are sent to other nodes in the node list, and the follower nodes update own node lists after receiving the node list and add the fault nodes into the fault list.
When the fault node is recovered, the fault node broadcasts a recovery signal to all nodes in the node list (because the fault node does not know who the fault node is the leader after recovery), the leader receives the recovery signal, updates the node list, adds the fault recovery node to the tail of the node list, removes the fault recovery node from the fault list, and sends a next heartbeat signal and a new fault list and node list to other nodes.
The process of authorization chain consensus, as shown in fig. 9:
step 1: nodes in the first 4 of the authorization quantity broadcast each other to generate a VRF Hash output R through VRF _ Hash (SK, M), wherein SK is a private key of the node, M is a Hash value of the last block, and the node with the minimum R is responsible for generating the next block.
Step 2: the out-block node generates a VRF Proof P through VRF _ Proof (SK, M) to be contained in a block header, then sends the newly generated block to other 3 nodes, the node receives the newly generated block, firstly verifies the validity of P through VRF _ Verify (PK, M, P), wherein PK is a public key of the out-block node, VRF _ P2H (P) restores an R ', and verifies whether R and R' are equal to determine the validity of R.
And step 3: if the verification is passed, the hash H (block) of the new block is sent to other nodes, and if more than half of the hashes sent by the nodes are received by one node, the block is determined to be legal.
And 4, step 4: and after the block is determined to be legal, broadcasting a new block to the user node, and checking whether the transaction in the block is related to the user node by the user node, if so, storing the whole block, otherwise, only storing the block head.
The protection of the privacy data in the real-name authentication is completed through the process.
On a verification layer, an improved RAFT algorithm is adopted, an overtime election strategy is changed into sequential election, data processed by a single node is changed into data processed by all nodes together, and a fault node automatic recovery mechanism is added, so that data verification and storage are more efficient; a Verifiable Random Function (VRFS) is used for selecting the block-out nodes on the authorization layer, so that fairness is guaranteed, and a large amount of computing resource waste is reduced compared with a PoW algorithm.
Nothing in this specification is said to apply to the prior art.
Claims (7)
1. A privacy data protection and authorization framework based on a double-layer chain is characterized in that the framework adopts a double-layer chain structure and is respectively a verification chain and an authorization chain, the verification chain is responsible for verifying the authenticity and the validity of data, and meanwhile, a data possession certificate is generated; the authorization chain is responsible for storing authorization records of users, each user has a data account of the user, and the user can only authorize the data of the user; the nodes in the verification chain are equivalent to 'privileged' nodes in the authorization chain and can add data to the data account of the user; the authenticated storage of data and authorization are performed separately.
2. The private data protection and authorization framework based on the double-layer chain according to claim 1, characterized in that the nodes in the verification chain are trusted third parties or authorities, the verification chain adopts a private chain, that is, only consistency and system work efficiency and stability need to be guaranteed, an improved raft consensus algorithm is used, so that each node can verify data, the data is stored in an IPFS, a user can check own data and simultaneously guarantee traceability, and a data possession certificate is generated and sent to an account of the user in the authorization chain;
because the users on the authorization chain are not all trusted nodes and the number of data demanders is not fixed, the authorization chain adopts a public chain, the public chain has no incentive mechanism, and a block node is decided in N nodes by adopting verifiable random numbers (VRFs) based on a beneficial consensus mechanism (PoB).
3. The two-tier chain-based private data protection and authorization framework of claim 1, wherein the benefit-based consensus mechanism (PoB) is specific to: and selecting the nodes which have the first N authorized data numbers to maintain and operate the authorization chain, wherein the nodes have more authorization data and are more trustworthy, and the nodes only store blocks relevant to the nodes.
4. The two-tier chain-based private data protection and authorization framework of claim 1, wherein the improved raft consensus algorithm comprises: deleting overtime election and using sequence election to carry out leader election, supporting the consensus process of simultaneously processing data by multiple nodes, and carrying out fault processing and recovery;
and (3) leader election:
(1) deleting the overtime election process in the Raft algorithm, sequentially selecting nodes as leaders, and maintaining a node list together, wherein all nodes except the leaders are follower nodes;
(2) when the leader node fails, the current leader node is moved into a failure list, and a next node is selected as the leader to carry out block output;
a consensus process:
(1) each follower node can independently verify the authenticity of the data, generate a transaction list of the follower node, and send the generated transaction information and the latest block number of the follower node to the leader;
(2) the leader receives the transaction information generated by each follower node and generates a new block, meanwhile, the leader compares the latest block number sent by each follower node with the block number of the new block generated by the leader, and if the latest block number sent by the follower node is smaller than the block number of the new block generated by the leader, the leader respectively sends the blocks with the missing nodes to the corresponding follower nodes;
(3) the follower node receives the information sent by the leader and checks the deals therein, deletes the same deals in the deal list, and then continues to send the deal information in the deal list and the latest block number of the follower node to the leader to keep synchronization;
and (3) state maintenance:
(1) the consensus process comprises state maintenance, each message transmission represents a heartbeat signal, and the node automatically resets the timeout time;
(2) when all nodes (including the leader) are idle, the leader sends the latest block number, the follower node returns the latest block number of the follower node, and the leader sends the content of the next heartbeat signal according to the block number of the block chain;
fault processing and recovery:
(1) when the leader fails and the overtime time is over, the node updates the node list and sends unprocessed transaction information to a new leader;
(2) when the block number of the follower node is larger than that of the leader, taking the leader as a standard, and resending the trade of the block where the block number is positioned to the leader;
(3) when a fault node requests recovery, the fault node sends recovery requests to other nodes, the other nodes check whether the fault node is the fault node, if so, the fault node is deleted from a fault list of each node, the fault node requesting recovery is added into the node list, and the node list is sent to the fault node requesting recovery.
5. The two-tier chain-based private data protection and authorization framework of claim 4, wherein the block header of the verification chain is composed of PreHash, GenerateNode, Time, Tsum, MerkLeroot, BNumber, wherein PreHash is a hash value of a previous block, and the created block has a value of 0, by which the blocks are linked into a chain, preventing the previous block from being tampered with; the generateeNode is the address of the egress node; the Time is a timestamp, and the block Time is recorded; tsum records the data of the transaction in the block; the MerkLEroot is a root node of the merkle tree, the hash of each transaction in the merkle tree is a leaf node, and the value of the MerkLEroot can be changed as long as one transaction changes; BNumber is the block number, which is the "heartbeat" signal for the modified raft consensus algorithm, and a node does not have to query the length of the block chain every time.
Structure of transaction in verification chain: the transaction is a data verification record, all transactions form a data 'account book', and H (PKu) is an address of a user account and enables the data to be bound with the user; the VerificationNode represents a node for verifying data, and decrypts the data in the IPFS when tracing and a user views the data; the Address is a data Address returned by the IPFS; the Type is a data Type; h (date) is a hash value of the data, ensuring the uniqueness of the data, avoiding repeated verification of the data, and also being the "balance" in the user data account.
6. The dual-tier chain-based private data protection and authorization framework of claim 2, wherein the block header of the authorization chain is composed of PreHash, GenerateNode, Time, BNumber, Merklerroot, VRFsProve, PreHash is a hash value of a previous block header, which is a hash value of a block header since not all nodes store all blocks, facilitating authentication of the block chain; the generateeNode is the address of the egress node; time is a timestamp; BNumber is the block number; MerkLeroot is the root node of the merkle tree; VRFsProve is the proof of the VRFs algorithm, and other nodes can verify the block nodes according to the proof;
structure of transactions in the authorization chain: the method comprises multiple transactions Tx1, …, Txi, … and Txn, wherein the information of each transaction comprises Sender, Receiver, Type, DateProof, Bind and Validity, and the Sender is a transaction initiator and is an authorizer or notary; a Receiver is a receiving party and is a service provider or a user; the Type is a data Type; DateProof is a data certificate, i.e. a certificate signed by a notary and bound to a user (SigSKn (h (address), h (pku)); bind is an account or service authorized to Bind; the BNumber is the block number where the transaction is located, so that the transaction can be conveniently and quickly found; validity is the Validity of authorization, the value is set to True when authorization is performed, the value is set to False when authorization is canceled, and the value when the transaction finally occurs is a valid value.
7. A framework for private data protection and authorization for use in real-name authentication, characterized in that it employs the framework for private data protection and authorization based on a double-layer chain as claimed in any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210756058.3A CN115118435B (en) | 2022-06-29 | 2022-06-29 | Privacy data protection and authorization framework based on double-layer chain |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210756058.3A CN115118435B (en) | 2022-06-29 | 2022-06-29 | Privacy data protection and authorization framework based on double-layer chain |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115118435A true CN115118435A (en) | 2022-09-27 |
| CN115118435B CN115118435B (en) | 2024-03-22 |
Family
ID=83329819
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210756058.3A Active CN115118435B (en) | 2022-06-29 | 2022-06-29 | Privacy data protection and authorization framework based on double-layer chain |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115118435B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108875411A (en) * | 2018-07-11 | 2018-11-23 | 成都理工大学 | The storage of Intelligent bracelet data and sharing method based on block chain |
| WO2020016637A1 (en) * | 2018-07-20 | 2020-01-23 | Valencia Renato | Blockchain-enabled double entry recordkeeping system and method of implementing the same |
| WO2020189800A1 (en) * | 2019-03-15 | 2020-09-24 | 라인플러스 주식회사 | Method and system for authenticating data generated in blockchain |
| WO2021120253A1 (en) * | 2019-12-16 | 2021-06-24 | 郑杰骞 | Data storage method and verification method for blockchain structure, blockchain structure implementation method, blockchain-structured system, device, and medium |
| WO2022027531A1 (en) * | 2020-08-03 | 2022-02-10 | 西安电子科技大学 | Blockchain construction method and system, and storage medium, computer device and application |
-
2022
- 2022-06-29 CN CN202210756058.3A patent/CN115118435B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108875411A (en) * | 2018-07-11 | 2018-11-23 | 成都理工大学 | The storage of Intelligent bracelet data and sharing method based on block chain |
| WO2020016637A1 (en) * | 2018-07-20 | 2020-01-23 | Valencia Renato | Blockchain-enabled double entry recordkeeping system and method of implementing the same |
| WO2020189800A1 (en) * | 2019-03-15 | 2020-09-24 | 라인플러스 주식회사 | Method and system for authenticating data generated in blockchain |
| WO2021120253A1 (en) * | 2019-12-16 | 2021-06-24 | 郑杰骞 | Data storage method and verification method for blockchain structure, blockchain structure implementation method, blockchain-structured system, device, and medium |
| WO2022027531A1 (en) * | 2020-08-03 | 2022-02-10 | 西安电子科技大学 | Blockchain construction method and system, and storage medium, computer device and application |
Non-Patent Citations (1)
| Title |
|---|
| 罗得寸: "基于区块链的安全通讯与隐私数据共享机制", 硕士电子期刊, no. 2022, 15 February 2022 (2022-02-15) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115118435B (en) | 2024-03-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109766673B (en) | Alliance type audio and video copyright block chain system and audio and video copyright chaining method | |
| CN109360100B (en) | Transaction rapid confirmation method and device based on block chain technology | |
| CN109936457B (en) | Block chain multi-party witness method, device, equipment and computer readable storage medium | |
| CN109040012B (en) | Block chain-based data security protection and sharing method and system and application | |
| CN107682308B (en) | Electronic evidence preservation system based on block chain latent channel technology | |
| CN111159288A (en) | Method, system, device and medium for storing, verifying and realizing chain structure data | |
| CN110351133A (en) | Method and device for the host node hand-off process in block catenary system | |
| CN112311772B (en) | Hyperridge-based cross-domain certificate management system and method | |
| CN109547218B (en) | Alliance link node key distribution and backup system for improving BIP (building information processing) protocol | |
| CN113065961A (en) | Power block chain data management system | |
| CN112615847B (en) | Data sharing and privacy protection method based on block chain | |
| CN112069550B (en) | Electronic contract evidence-storing system based on intelligent contract mode | |
| CN111815321A (en) | Transaction proposal processing method, device, system, storage medium and electronic device | |
| CN113255014B (en) | Data processing method based on block chain and related equipment | |
| CN112861172A (en) | Symmetric searchable encryption method based on PBFT (public domain representation) consensus mechanism | |
| CN112749417A (en) | Electronic academic certificate data protection and sharing system based on block chain | |
| CN115987697B (en) | Multi-level information data sharing method and system based on event subscription mechanism | |
| CN111489143A (en) | Auditable encrypted digital currency supervision method based on alliance side chain | |
| CN112035896A (en) | Electronic contract deposit certificate system based on transaction mode | |
| CN116527684A (en) | Multi-chain information interaction method based on 1+1+N relay consensus committee | |
| CN110945833B (en) | Method and system for multi-mode identification network privacy protection and identity management | |
| CN113037827B (en) | Voting method based on block chain, self-organization management method and computer equipment | |
| Liu et al. | A blockchain-based cross-domain authentication management system for IoT devices | |
| CN113706106A (en) | Government affair cooperation system constructed based on block chain | |
| CN112669037A (en) | Block chain construction method based on copyright transaction, copyright transaction system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |