CN115118486A - Internet of things system, and method and device for acquiring data based on block chain - Google Patents


Publication number
CN115118486A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210722731.1A
Other languages
Chinese (zh)
Other versions
CN115118486B (en)
Inventor
张如意
王莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of this specification provide an Internet of Things system, and a method and a device for acquiring data based on a blockchain. The Internet of Things system comprises a first device, a management device and a blockchain, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy. The first device is used for uploading device information of the first device to the blockchain; the management device is used for acquiring the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the master public key and a master private key, and uploading the sub-private key to the blockchain; the first device is further configured to obtain the sub-private key and the first data from the blockchain, decrypt the first data using the sub-private key, and, when the attribute tag conforms to the first policy, decrypt successfully to obtain second data.

Description

Internet of things system, and method and device for acquiring data based on block chain
Technical Field
The embodiments of this specification belong to the technical field of blockchains, and particularly relate to an Internet of Things system, and a method and a device for acquiring data based on a blockchain.
Background
The Internet of Things (IoT) is a system of interrelated computing devices, machines, and digital machines, each with a unique identifier and the ability to transmit data over a network. In the Internet of Things, each device collects various data about the surrounding environment and exchanges data with other devices. The data collected and transmitted by Internet of Things devices may include sensitive data, and an unauthorized user may acquire that data, which causes a data security problem. Therefore, data credibility and transmission security are of great importance in Internet of Things data transmission.
Disclosure of Invention
An embodiment of the present specification describes an internet of things system, where the system includes a first device, a management device, and a blockchain, where first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy, and only the first device whose attribute tag matches the first policy corresponding to the first data can be used to successfully decrypt the first data, so as to obtain second data, thereby implementing read control of data in the internet of things based on the blockchain, and improving security of data in the internet of things.
According to a first aspect, an Internet of Things system is provided, where the system includes a first device, a management device, and a blockchain, where first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy, and the first device is configured to upload device information of the first device to the blockchain; the management device is configured to obtain the device information from the blockchain, determine an attribute tag of the first device based on the device information, generate a sub-private key of the first device based on the attribute tag, the master public key, and the master private key, and upload the sub-private key to the blockchain; the first device is further configured to obtain the sub-private key and the first data from the blockchain, decrypt the first data using the sub-private key, and, when the attribute tag conforms to the first policy, decrypt successfully to obtain second data.
According to a second aspect, there is provided a method for acquiring data based on a blockchain, which is applied to a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the method including: receiving device information uploaded by a first device; in response to a request sent by the management device, sending the device information to the management device; receiving a sub-private key of the first device from the management device, and storing the sub-private key in the blockchain, wherein the sub-private key is generated based on the device information, the master public key of the management device, and a master private key of the management device; and in response to a request sent by the first device, sending the sub-private key and the first data to the first device.
According to a third aspect, there is provided a method for acquiring data based on a blockchain, which is applied to a first device, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the method comprising: uploading device information to the blockchain; acquiring a sub-private key and the first data from the blockchain, wherein the sub-private key is generated based on the device information, the master public key of the management device, and a master private key of the management device; and decrypting the first data using the sub-private key, and, when the attribute tag corresponding to the first device conforms to the first policy, decrypting successfully to obtain second data.
According to a fourth aspect, there is provided an apparatus for acquiring data based on a blockchain, the apparatus being provided at a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising: a receiving unit configured to receive device information uploaded by a first device; a first sending unit configured to send the device information to the management device in response to a request sent by the management device; a storage unit configured to receive a sub-private key of the first device from the management device, and store the sub-private key in the blockchain, wherein the sub-private key is generated based on the device information, the master public key of the management device, and a master private key of the management device; and a second sending unit configured to send the sub-private key and the first data to the first device in response to a request sent by the first device.
According to a fifth aspect, there is provided an apparatus for acquiring data based on a blockchain, the apparatus being provided in a first device, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising: an uploading unit configured to upload device information to the blockchain; an obtaining unit configured to obtain a sub-private key and the first data from the blockchain, wherein the sub-private key is generated based on the device information, the master public key of the management device, and a master private key of the management device; and a decryption unit configured to decrypt the first data using the sub-private key, and, when the attribute tag corresponding to the first device conforms to the first policy, decrypt successfully to obtain second data.
According to a sixth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method as described in any one of the implementation manners of the second or third aspect.
According to a seventh aspect, there is provided a computing device comprising a memory and a processor, wherein the memory stores executable code, and the processor executes the executable code to implement the method described in any implementation manner of the second aspect or the third aspect.
According to one embodiment of the present specification, an Internet of Things system is provided, which includes a first device, a management device, and a blockchain, and first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy. The first device is used for uploading device information of the first device to the blockchain. The management device is used for obtaining the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the master public key and the master private key, and uploading the sub-private key to the blockchain. The first device then acquires the sub-private key and the first data from the blockchain, decrypts the first data using the sub-private key, and, when the attribute tag conforms to the first policy, decrypts successfully to obtain second data. Therefore, only a first device whose attribute tag conforms to the first policy corresponding to the first data can decrypt the first data successfully to obtain the second data, so that read control of data in the Internet of Things is realized based on the blockchain, and the security of data in the Internet of Things is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and it is obvious for a person skilled in the art to obtain other drawings based on these drawings without inventive labor.
FIG. 1 illustrates a blockchain architecture diagram in one embodiment;
FIG. 2 is a schematic diagram illustrating an application scenario in which the Internet of Things system in the embodiments of the present specification may be applied;
FIG. 3 illustrates a timing diagram of one example of interaction between a first device, a management device, and a blockchain in an Internet of Things system;
FIG. 4 is a schematic diagram illustrating a first policy;
FIG. 5 is a diagram illustrating one data structure for the data stored in the task list ContractTaskList;
FIG. 6 is a diagram showing one data structure of data stored in the target information list dataList;
FIG. 7 is a schematic block diagram of an apparatus for acquiring data based on a blockchain according to one embodiment;
FIG. 8 shows a schematic block diagram of an apparatus for acquiring data based on a blockchain according to another embodiment.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present specification without making any creative effort shall fall within the protection scope of the present specification.
Blockchain technology is a special distributed database technology designed for Bitcoin (a digital currency) by a person using the pseudonym "Satoshi Nakamoto". It is suitable for storing simple, sequentially ordered data that can be verified within the system, and it uses cryptography and consensus algorithms to ensure that the data cannot be tampered with or forged. To further illustrate blockchain technology, FIG. 1 illustrates a blockchain architecture diagram in one embodiment. In the blockchain architecture diagram shown in FIG. 1, the blockchain 100 includes, for example, 6 nodes. The lines between the nodes schematically represent P2P (Peer-to-Peer) connections. The nodes may each store a full ledger, i.e. the state of all blocks and all accounts. Each node in the blockchain can generate the same state in the blockchain by executing the same transactions, and each node in the blockchain can store the same state database. It is to be understood that although FIG. 1 illustrates 6 nodes included in the blockchain, embodiments of the present specification are not limited thereto and may include other numbers of nodes. Specifically, the nodes included in the blockchain may satisfy the Byzantine Fault Tolerance (BFT) requirement. The Byzantine fault tolerance requirement can be understood to mean that Byzantine nodes may exist inside the blockchain while the blockchain does not exhibit Byzantine behavior externally. Generally, some Byzantine fault-tolerant algorithms, such as PBFT (Practical Byzantine Fault Tolerance), require the number of nodes to be greater than 3f + 1, where f is the number of Byzantine nodes.
A transaction in the blockchain domain may refer to a unit of task that is performed in the blockchain and recorded in the blockchain. A transaction typically includes a send field (From), a receive field (To), and a data field (Data). Where the transaction is a transfer transaction, the From field indicates the address of the account that initiated the transaction (i.e., that initiated a transfer to another account), the To field indicates the address of the account that receives the transaction (i.e., that receives the transfer), and the Data field includes the transfer amount. Where the transaction calls a smart contract in the blockchain, the From field represents the address of the account initiating the transaction, the To field represents the account address of the contract called by the transaction, and the Data field includes data such as the name of the function called in the contract and the parameters passed to the function, so that when the transaction is executed the code of the function is obtained from the blockchain and executed.
A blockchain may provide smart contract functionality. A smart contract on a blockchain is a contract whose execution on the blockchain system can be triggered by a transaction. A smart contract may be defined in the form of code. Calling a smart contract in Ethereum means initiating a transaction directed to the smart contract address, so that each node in the Ethereum network runs the smart contract code in a distributed manner. It should be noted that, in addition to smart contracts created by users, smart contracts may also be set by the system in the genesis block. Such contracts are generally referred to as genesis contracts. In general, the data structures, parameters, attributes and methods of some blockchains may be set in the genesis contract. Further, an account with system administrator privileges may create a system-level contract, or modify a system-level contract (simply referred to as a system contract). The system contract can be used to add data structures for different services in a blockchain.
In the scenario of contract deployment, for example, Bob sends a transaction containing the information for creating a smart contract (i.e., deploying a contract) into the blockchain shown in FIG. 1. The data field of the transaction includes the code (e.g., bytecode or machine code) of the contract to be created, and the to field of the transaction is null to indicate that the transaction is for contract deployment. After the nodes reach agreement through a consensus mechanism, a contract address "0x6f8ae93…" of the contract is determined, and each node adds a contract account corresponding to the contract address of the smart contract to its state database, allocates state storage corresponding to the contract account, and stores the contract code in the state storage of the contract, so that the contract is created successfully.
In the scenario of invoking a contract, for example, Bob sends a transaction for invoking a smart contract into the blockchain shown in FIG. 1, where the from field of the transaction is the address of the account of the transaction initiator (i.e., Bob), "0x6f8ae93…" in the to field represents the address of the invoked smart contract, and the data field of the transaction includes the method and parameters for invoking the smart contract. After consensus on the transaction is reached in the blockchain, each node in the blockchain can execute the transaction, thereby executing the contract, and update its state database based on the execution of the contract.
As described above, in the data transmission process of the internet of things, data trust and transmission security are crucial. Therefore, an embodiment of the present specification provides a block chain-based internet of things system, which implements reading control on data in the internet of things and improves security of the data in the internet of things.
As an example, FIG. 2 shows a schematic diagram of one application scenario in which the Internet of Things system of the embodiments of the present specification may be applied. As shown in FIG. 2, the application scenario may include a first device 201, a management device 202, and a blockchain 100. Here, the first device 201 may be an Internet of Things device, the Internet of Things system may include a plurality of first devices 201, and the plurality of first devices 201 may be distributed in different sub-networks. The management device 202 may refer to a device used by a task center, and the task center may be used to configure information collection tasks of the Internet of Things. The Internet of Things devices can collect information according to the information collection tasks. Here, the first device 201 and the management device 202 may be provided with an encryption system, for example a CP-ABE (ciphertext-policy attribute-based encryption) system, in which a ciphertext corresponds to an access policy and a key corresponds to an attribute set, and the ciphertext can be decrypted if and only if the attributes in the attribute set satisfy the access policy. The first data stored in the blockchain 100 may be obtained by attribute encryption using the master public key of the management device 202 and the first policy.
The first device 201 may upload its own device information, such as a Unique Identifier (UID), the type of data the device collects, and the like, to the blockchain 100. Thereafter, the management device 202 can obtain the device information from the blockchain 100, determine an attribute tag of the first device 201 based on the device information, generate a sub-private key for the first device 201 based on the attribute tag, the master public key, and the master private key, and upload the sub-private key to the blockchain 100. In this way, the first device 201 may obtain from the blockchain the first data and the sub-private key generated for the first device, and attempt to decrypt the first data using the sub-private key; when the corresponding attribute tag conforms to the first policy, the first device 201 can successfully decrypt the first data to obtain the second data.
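The decryption condition described above (a key's attribute set must satisfy the ciphertext's access policy) can be modelled without any cryptography. The following Python sketch is an added example, not code from the patent: the tag format, the sample policy and the device records are constructed assumptions, and it only evaluates policy satisfaction rather than performing CP-ABE.

```python
"""Access-structure check behind CP-ABE: does an attribute set satisfy a policy tree?

Added illustration only. It performs no encryption; a real CP-ABE scheme
enforces this same condition cryptographically during decryption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    attribute: str  # one attribute tag, e.g. "device_type:thermometer"


@dataclass(frozen=True)
class Gate:
    threshold: int                  # k of the n children must be satisfied
    children: Tuple["Node", ...]

    def __post_init__(self) -> None:
        # An empty or zero-threshold gate would be satisfied by every device,
        # silently turning the policy into "anyone may read".
        if not self.children or not 1 <= self.threshold <= len(self.children):
            raise ValueError("gate needs 1 <= threshold <= number of children")


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:
    return Gate(len(children), tuple(children))   # n-of-n


def OR(*children: Node) -> Gate:
    return Gate(1, tuple(children))               # 1-of-n


def satisfies(policy: Node, attributes: FrozenSet[str]) -> bool:
    """Recursively evaluate the policy tree against a set of attribute tags."""
    if isinstance(policy, Leaf):
        return policy.attribute in attributes
    satisfied = sum(1 for child in policy.children if satisfies(child, attributes))
    return satisfied >= policy.threshold


def attribute_tags(device_info: Dict[str, str]) -> FrozenSet[str]:
    """Hypothetical tagging rule: every field except the UID becomes 'key:value'."""
    return frozenset(f"{k}:{v}" for k, v in device_info.items() if k != "uid")


# Constructed sample policy: devices in network area "east" that are either
# a thermometer or a hygrometer.
FIRST_POLICY = AND(
    Leaf("network_area:east"),
    OR(Leaf("device_type:thermometer"), Leaf("device_type:hygrometer")),
)

# Constructed device information records (not taken from the patent).
DEVICES = [
    {"uid": "dev-001", "device_type": "thermometer", "network_area": "east"},
    {"uid": "dev-002", "device_type": "thermometer", "network_area": "west"},
    {"uid": "dev-003", "device_type": "camera", "network_area": "east"},
    {"uid": "dev-004", "device_type": "hygrometer", "network_area": "east"},
]


def devices_able_to_decrypt(policy: Node, devices: List[Dict[str, str]]) -> List[str]:
    """UIDs of the devices whose attribute tags satisfy the policy."""
    return [d["uid"] for d in devices if satisfies(policy, attribute_tags(d))]


if __name__ == "__main__":
    print(devices_able_to_decrypt(FIRST_POLICY, DEVICES))
```

Because the management device derives the tags from self-reported device information, the policy is only as strong as the verification of that information before a sub-private key is issued.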
With continued reference to fig. 3, fig. 3 illustrates a timing diagram of one example of interaction between a first device, a management device, and a blockchain in an internet of things system. In the example shown in fig. 3, a CP-ABE encryption system may be provided in the first device 201 and the management device 202 that interact with the blockchain 100.
The specific interaction process may be as follows:
S301, the management device 202 generates a master public key and a master private key.
As one example, management device 202 may generate the master public key and the master private key by calling the Setup function of the CP-ABE encryption system. As another example, secure multiparty computation may also be employed to generate the master public key and the master private key, where the master private key is jointly maintained by multiple management devices 202, and the multiple management devices 202 participate in the computation together whenever the master private key is used. The calculation process may be as follows: CPABE_Setup(msk, mpk), where mpk may represent the master public key and msk may represent the master private key.
S302, the management device 202 uploads the master public key to the blockchain 100.
In this embodiment, management device 202 may send a transaction to any blockchain node of blockchain 100, which may invoke data management contract C1 (hereinafter abbreviated contract C1) in the blockchain to upload the master public key to the blockchain. Wherein the contract may be deployed by management device 202 into a blockchain for management of data, management of access to data, and the like. The blockchain node sends the transaction to other nodes in the blockchain after receiving the transaction, so that each node in the blockchain can execute the transaction. Each node of the blockchain stores the master public key into the contract state of the contract by performing the transaction.
S303, the first device 201 uploads the device information of the first device 201 to the blockchain 100.
In this embodiment, the first device 201 may, for example, upload its own device information directly to the blockchain 100. The device information may be various information related to the device, including but not limited to the UID of the device, the type of device (e.g., sensor, thermometer, hygrometer, etc.), the type of data collected by the device (e.g., digital, audio, video, image, etc.), information about the network where the device is located (e.g., network ID, network area, network type, etc.), and so on. In addition, when the Internet of Things includes a plurality of sub-networks, the device information may further include network information of the sub-network in which the first device is located, for example, the Network Identification (NID) of that sub-network. The first device 201 may also upload the public key clientPK of an asymmetric encryption key pair to the blockchain, while the first device 201 locally stores the private key clientSK corresponding to clientPK. The clientPK may be used for subsequent encrypted information transfer.
Here, the device information uploaded by the first device 201 may also be used to register an on-chain device identity. Based on this, the first device 201 may receive the on-chain account information returned by the blockchain 100. Specifically, the first device 201 may send a transaction to the blockchain 100, which may invoke the contract C1 to register an externally owned account (EOA) with the blockchain. The nodes of the blockchain execute the transaction, generate the on-chain account information, and return the on-chain account information to the first device 201. The blockchain may store the generated account information of the first device 201 under the contract account. For example, the information included in the device information may be concatenated and then hashed to obtain the on-chain account ID. Specifically,
clientID = RegisterClient(clientInfo, clientPK) = HASH(clientInfo || clientPK).
where clientInfo represents the device information of the first device, and clientID represents the on-chain account ID.
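The account ID derivation above hashes two variable-length fields joined together, so every node must agree on exactly which bytes are hashed and where one field ends. The following Python sketch is an added example, not the patent's contract code: SHA-256, the JSON canonicalisation, the 4-byte length prefix and the RegistryModel class are assumptions chosen for illustration, and the sample values are constructed.

```python
"""Deriving clientID = HASH(clientInfo || clientPK) with unambiguous field framing."""
import hashlib
import json
from typing import Callable, Dict, Tuple


def canonical_info(info: Dict[str, str]) -> bytes:
    """Serialise device info deterministically so every node hashes the same bytes."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode("utf-8")


def client_id_naive(client_info: bytes, client_pk: bytes) -> str:
    """Literal reading of the formula: hash of the raw concatenation."""
    return hashlib.sha256(client_info + client_pk).hexdigest()


def client_id_framed(client_info: bytes, client_pk: bytes) -> str:
    """Same idea, but each field is length-prefixed so the boundary is part of the hash."""
    h = hashlib.sha256()
    for part in (client_info, client_pk):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


class RegistryModel:
    """Toy stand-in for the account storage of contract C1 (hypothetical, in-memory)."""

    def __init__(self, derive: Callable[[bytes, bytes], str]) -> None:
        self._derive = derive
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def register_client(self, client_info: bytes, client_pk: bytes) -> str:
        cid = self._derive(client_info, client_pk)
        existing = self._accounts.get(cid)
        # Refuse to bind one account ID to two different registrations.
        if existing is not None and existing != (client_info, client_pk):
            raise ValueError("clientID already bound to different registration data")
        self._accounts[cid] = (client_info, client_pk)
        return cid


# Constructed sample registrations: the field boundary is shifted by one byte,
# so the raw concatenations are identical although the fields differ.
INFO_A, PK_A = b"uid=17;type=sensor", b"\x02" + b"\xaa" * 32
INFO_B, PK_B = b"uid=17;type=sensor\x02", b"\xaa" * 32


def demo() -> Tuple[bool, bool]:
    """Return (naive IDs collide, framed IDs collide) for the two sample registrations."""
    naive = client_id_naive(INFO_A, PK_A) == client_id_naive(INFO_B, PK_B)
    framed = client_id_framed(INFO_A, PK_A) == client_id_framed(INFO_B, PK_B)
    return naive, framed


if __name__ == "__main__":
    print(demo())
```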
In practice, the blockchain may directly generate the on-chain account information based on the device information uploaded by the first device 201, and return the on-chain account information to the first device. The blockchain may also generate the on-chain account information based on the device information after the device information is verified by the management device, and then return the on-chain account information to the first device. Specifically, after monitoring the register client contract invoking event, the management device 202 acquires the device information of the first device, verifies the device information (for example, verifies the device information based on a preset verification rule), uploads verification passing information to the block chain after the verification passes, and after receiving the verification passing information, the block chain may generate the on-chain account information based on the device information and then returns the on-chain account information to the first device.
In some alternative implementations, management device 202 may also generate a system public key and a system private key and upload the system public key to blockchain 100. Specifically, the management device 202 may generate an encryption authentication key pair of the internet of things system, where the encryption authentication key pair may include a system public key system mpk and a system private key system msk, and the key pair may support an asymmetric encryption Algorithm and a Signature Algorithm, such as an Elliptic Curve Cryptography (ECC) Algorithm key, an Elliptic Curve Digital Signature Algorithm (ECDSA), and an Elliptic Curve comprehensive encryption scheme (ECIES) encryption and decryption Algorithm. Taking ECC as an example, the system public key system and the system private key system may be generated by calling KeyGen, and the specific calculation process is as follows:
systemPK, systemSK = ECC_KeyGen().
Here, S303 may also be implemented as follows: the first device 201 encrypts the device information using the system public key systemPK and uploads the encrypted device information to the blockchain. Taking ECIES as an example, encryption may be performed by calling ENCRYPT, specifically,
clientInfoCipher = ECIES_ENCRYPT(systemPK, clientInfo).
Here, clientInfo represents the device information of the first device, and clientInfoCipher represents the encrypted device information. With this implementation, the device information is encrypted before it is uploaded, which makes the device information more secure.
S304, the management device 202 acquires device information from the blockchain 100.
Here, if the device information acquired by the management device 202 is the encrypted device information clientInfoCipher, the management device 202 may decrypt the acquired encrypted device information using the system private key systemSK, specifically,
clientInfo = ECIES_DECRYPT(systemSK, clientInfoCipher).
S305, the management device 202 determines an attribute tag of the first device based on the device information, and generates a sub-private key of the first device based on the attribute tag, the master public key, and the master private key.
In this embodiment, the management device 202 may determine the attribute tag of the first device based on the device information of the first device. Here, the attribute tag may be a collection of one class of features, for example, the type of device, including sensors, thermometers, hygrometers, and the like; the type of data collected by the device, including digital, audio, video, image, etc.; and the network information of the device, including a network ID, a network area, a network type, and the like. Thereafter, the management device 202 can generate a sub-private key for the first device based on the attribute tag, the master public key, and the master private key. The management device 202 may generate a sub-private key sk specific to the first device, specifically,
sk = CPABE_KeyGen(attribute tag, msk, mpk).
S306, the management device 202 uploads the generated sub-private key of the first device to the blockchain 100.
In this embodiment, after the management device 202 generates the user-specific sub-private key sk, the device identifier (e.g., UID) of the first device and the sub-private key may be uploaded to the block chain in association, so that the first device may obtain the sub-private key from the block chain.
In some optional implementations, the foregoing S306 may be further implemented as follows:
First, the management device may encrypt the sub-private key based on a public key of a blockchain account corresponding to the first device to obtain an encryption result. As an example, the sub-private key may be encrypted with the public key of the blockchain account corresponding to the first device by using an encryption scheme, for example, ECIES (Elliptic Curve Integrated Encryption Scheme), to obtain a first encryption result, and the first device may obtain the sub-private key by decrypting the first encryption result. As another example, the management device may further encrypt the attribute tag and the sub-private key of the first device using the public key to obtain a second encryption result, specifically,
second encryption result = ECIES_ENCRYPT(public key corresponding to the first device, attribute tag of the first device, sk).
The first device can obtain the corresponding attribute label and the sub private key by decrypting the second encryption result.
And then, the management device uploads the encryption result and the device identifier of the first device to the block chain in an associated manner, so that the first device can obtain the corresponding encryption result from the block chain according to the device identifier and decrypt the encryption result to obtain the sub-private key. Through the implementation mode, the sub-private key can be encrypted and then uploaded to the block chain, so that the protection of the sub-private key can be realized, and the safety of the sub-private key is improved.
S307, the first device 201 obtains the sub-private key and the first data from the blockchain.
In particular, the first device may send a transaction to blockchain 100, which may invoke contract C1 to obtain the sub-private key and the first data from the blockchain. The node of the blockchain executes the transaction, sending the sub-private key and the first data to the first device.
S308, the first device 201 decrypts the first data by using the sub-private key, and when the attribute tag meets the first policy, the decryption is successful, and the second data is obtained.
In this embodiment, the first device 201 may obtain the sub-private key and the first data from the blockchain, and attempt to decrypt the first data using the sub-private key, and in a case that the attribute tag corresponding to the first device conforms to the first policy, the decryption is successful, and the second data is obtained. The first device may attempt to Decrypt the first data by, for example, calling a Decrypt function of the CP-ABE encryption system, specifically,
second data = CPABE_DECRYPT(first data, sk).
Through the Decrypt function, the second data can be obtained only if the attribute tag corresponding to the first device conforms to the first strategy of the first data.
In some optional implementations, the first device 201 may be an internet of things device, and the first data stored in the blockchain may be obtained by performing attribute encryption on the information collection task based on a master public key of the management device and a first policy. Specifically, the management device 202 may perform attribute encryption based on the master public key, the information collection task, and the first policy to obtain first data, and upload the first data to the block chain.
In this implementation, the information collection tasks of the internet of things devices can be set according to actual scenarios and requirements. For example, the internet of things devices in an assembly-line workshop of a factory can be made responsible for collecting information such as temperature, humidity and assembly-line progress. For another example, the internet of things devices in a restaurant may be made responsible for collecting data such as temperature, air, smoke, and the like. For another example, the internet of things devices in a warehouse can be made responsible for collecting data such as temperature, brightness and video. As an example, when there are multiple sub-networks, the sub-networks may perform different information collection tasks. For different information collection tasks, corresponding first policies can be set, and a first policy can specify the attribute tag conditions that the first device must meet before it can decrypt the information. As an example, the structure of the first policy may be a tree structure. With continued reference to fig. 4, fig. 4 shows a schematic diagram of a first policy under which the first data obtained by encryption can be decrypted only by a first device that satisfies "network 1" or "network 2, thermometer"; otherwise decryption fails. It can be understood that the first policy shown in fig. 4 is only used for explaining the tree structure and does not limit the content of the first policy; in practice, different information collection tasks may correspond to different first policies.
For example, assume that the content of the information collection task a (hereinafter, referred to as taskA) is: the equipment in the sub-network 1 is responsible for collecting temperature, other data are not collected, and the data are uploaded every hour; the first policy1 for taskA is: the device possessing the attribute network ID of sub-network 1 can decrypt it. The management device 202 may generate first data taskACipher for taskA by calling an Encrypt function of the CP-ABE encryption system, specifically:
taskACipher = CPABE_ENCRYPT(taskA, policy1, mpk).
At the same time, the management device 202 may also sign the task using the system private key systemSK, specifically,
signature = ECDSA_Sign(systemSK, taskA).
For another example, assume that the content of the information collection task B (hereinafter referred to simply as taskB) is: the devices in sub-network 2 are responsible for collecting video, no other data is collected, and data is uploaded at 0:00 every day; the first policy policy2 for taskB is: a device possessing the network ID attribute of sub-network 2 can decrypt it. The management device 202 may generate the first data taskBCipher for taskB by calling the Encrypt function of the CP-ABE encryption system and, at the same time, sign taskB, specifically,
taskBCipher = CPABE_ENCRYPT(taskB, policy2, mpk);
signature = ECDSA_Sign(systemSK, taskB).
For another example, assume that the content of the information collection task C (hereinafter referred to as taskC) is: the device with the device ID ABC is responsible for collecting smoke data, no other data is collected, and data is uploaded every minute; the first policy policy3 for taskC is: a device possessing the attribute device ID ABC can decrypt it. The management device 202 may generate the first data taskCCipher for taskC by calling the Encrypt function of the CP-ABE encryption system and, at the same time, sign taskC, specifically,
taskCCipher = CPABE_ENCRYPT(taskC, policy3, mpk);
signature = ECDSA_Sign(systemSK, taskC).
By setting the information collection task and the corresponding first policy, the first device can obtain the tasks belonging to its sub-network, and can also obtain the tasks belonging to the device itself. The data of each sub-network is isolated in the task distribution phase. For example, the internet of things devices in sub-network 2 cannot decrypt the information collection task for the internet of things devices in sub-network 1.
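The policies described above (the fig. 4 tree and policy1 to policy3), as an added example that is not part of the patent text: a threshold access tree with Shamir secret sharing, the structure that tree-based CP-ABE schemes use to bind a ciphertext to a policy. It assumes that construction (the patent does not name one), and the attribute strings and device names are constructed for illustration. It models only which attribute sets can rebuild the secret and provides no confidentiality or collusion resistance.

```python
import secrets

P = 2**127 - 1  # prime field modulus, chosen for this example


class Leaf:
    def __init__(self, attribute):
        self.attribute = attribute


class Gate:
    """k-of-n threshold gate: OR is k = 1, AND is k = number of children."""
    def __init__(self, k, *children):
        self.k, self.children = k, children


def OR(*children):
    return Gate(1, *children)


def AND(*children):
    return Gate(len(children), *children)


def share(node, secret, path="0"):
    """Split `secret` down the tree; returns {leaf_path: (attribute, share)}."""
    if isinstance(node, Leaf):
        return {path: (node.attribute, secret)}
    # Random polynomial q of degree k-1 with q(0) = secret; child i gets q(i).
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    out = {}
    for i, child in enumerate(node.children, start=1):
        y = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        out.update(share(child, y, f"{path}.{i}"))
    return out


def recover(node, shares, attributes, path="0"):
    """Rebuild the value at `node` from leaves whose attribute the key holds.
    Returns None when `attributes` does not satisfy this subtree."""
    if isinstance(node, Leaf):
        return shares[path][1] if node.attribute in attributes else None
    points = []
    for i, child in enumerate(node.children, start=1):
        y = recover(child, shares, attributes, f"{path}.{i}")
        if y is not None:
            points.append((i, y))
        if len(points) == node.k:
            break
    if len(points) < node.k:
        return None
    total = 0  # Lagrange interpolation of q at x = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def can_decrypt(policy, attributes):
    """True when a key carrying `attributes` rebuilds the policy's secret."""
    secret = secrets.randbelow(P)
    return recover(policy, share(policy, secret), attributes) == secret


# Constructed attribute tags; the patent does not define a tag syntax.
POLICIES = {
    "taskA": Leaf("network:1"),    # policy1: devices in sub-network 1
    "taskB": Leaf("network:2"),    # policy2: devices in sub-network 2
    "taskC": Leaf("device:ABC"),   # policy3: the device with ID ABC
    "fig4": OR(Leaf("network:1"),
               AND(Leaf("network:2"), Leaf("type:thermometer"))),
}
DEVICES = {  # constructed devices and their attribute tags
    "thermo-net1": {"network:1", "type:thermometer"},
    "thermo-net2": {"network:2", "type:thermometer"},
    "camera-net2": {"network:2", "type:camera"},
    "smoke-ABC": {"network:2", "type:smoke-sensor", "device:ABC"},
}


def access_matrix():
    """Which constructed devices can open each task ciphertext."""
    return {task: sorted(d for d, tags in DEVICES.items()
                         if can_decrypt(policy, tags))
            for task, policy in POLICIES.items()}


# Limitation of the model: shares are bare field elements, so attributes
# pooled from two keys combine. Real CP-ABE randomizes each key to stop that.
if __name__ == "__main__":
    for task, devices in access_matrix().items():
        print(task, devices)
```

The matrix shows the isolation property stated above: no sub-network 2 device opens taskA, and only the device tagged with ID ABC opens taskC.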
After the management device 202 generates the first data, the first data may be uploaded to the blockchain 100. Optionally, this may be done as follows:
First, management device 202 sends a first transaction to blockchain 100, which may invoke contract C1 to upload the first data to the blockchain.
The nodes of blockchain 100 then execute the first transaction, storing the first data into the contract state of contract C1. As an example, the first data may be stored into a task list contractTaskList of the contract C1, which may be used to store the first data uploaded by the management device 202. With the present implementation, storage of the first data in the contract C1 may be achieved. As an example, fig. 5 shows a schematic diagram of a data structure of data stored in the task list contractTaskList. As shown in fig. 5, the data structure may include a task publishing time publish time (whose data type is Long) and a task list, where the task list may include a task detail TaskInfo, which may include task encryption information Cipher (i.e., the first data, whose data type is String) and a task information Signature (whose data type is String).
In some optional implementations, the information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task and is used to describe the information collection task, for example, to describe which devices collect which data, at what period data is uploaded, and the like. For example, the contents of taskA, taskB, and taskC in the foregoing examples may be considered task description information. The second policy may be used to specify which attribute tags a device must satisfy before it can decrypt the data collected according to the task description information.
Based on this, after the first device successfully decrypts the first data by using the corresponding sub-private key, the second data is obtained, and the second data may include the task description information and the second policy. The first device is then also used to collect information according to the task description information to obtain target information. Then, the first device may further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain. For example, the data uploading may be performed according to the data uploading period in the task description information.
For example, assume that the target information collected by the first device is data, and the second policy is: a device possessing the attribute "network ID where the device is located" can decrypt the data. According to this second policy, only a device in the same network as the first device can decrypt and view the data collected by the first device. The first device may generate, by calling the Encrypt function of the CP-ABE encryption system, encrypted information dataCipher for the target information data, specifically:
dataCipher = CPABE_ENCRYPT(data, policy, mpk).
Meanwhile, the first device can also use a locally stored private key clientSK to sign the target information data, so as to ensure authenticity and prevent repudiation, specifically,
signature = ECDSA_Sign(clientSK, data).
Optionally, the first device uploads the encrypted information to the blockchain, which may be implemented as follows: first, the first device sends a second transaction to the blockchain, which may invoke contract C1 to upload the encrypted information dataCipher to the blockchain. The nodes of the blockchain may then execute this second transaction, storing the encrypted information dataCipher in the contract state of contract C1.
As an example, it may be stored in a target information list dataList of the contract C1, which may be used to store target information collected by the first device. By the implementation mode, the target information collected by the first equipment can be stored in the contract C1. Fig. 6 shows a schematic diagram of one data structure of data stored in the target information list dataList as an example. As shown in fig. 6, the data structure may include a target information list dataList, where the target information list dataList includes target information detail data, and the target information detail data may include data encryption information Cipher (i.e., encrypted information, whose data type is String), data information Signature (whose data type is String), and data upload time (whose data type is Long) of the data.
In some optional implementation manners, the internet of things system of this embodiment may further include a second device, where the second device may also be an internet of things device, and the second device may be configured to obtain the encrypted information from the blockchain, and decrypt the encrypted information using the corresponding sub-private key, and when the attribute tag corresponding to the second device conforms to the second policy, the decryption is successful, and the target information is obtained. Here, the second device serves as an internet of things device, and a process of acquiring the corresponding sub-private key by the second device is similar to a process of acquiring the corresponding sub-private key by the first device, which is not described herein again. Through the implementation mode, the target information acquired by the Internet of things equipment in the Internet of things can be read and controlled based on the block chain, and the safety of the information acquired by the Internet of things equipment is improved.
In some optional implementation manners, the internet of things system of this embodiment may further include a data center device, and the management device may be further configured to send the sub-private keys corresponding to the devices in each sub-network of the internet of things to the data center device. The data center equipment can be used for acquiring the encrypted information from the block chain, decrypting the encrypted information by using the stored sub-private key to obtain target information, and analyzing and processing the target information. For example, whether the target information has an error is analyzed according to a preset rule, and taking the target information as the temperature as an example, whether the target information exceeds the temperature threshold can be determined through a preset temperature threshold.
Since the data center device stores the sub-private keys sk corresponding to the devices in each sub-network of the internet of things, the sub-private keys of the data center device can decrypt all encrypted information in the block chain, specifically,
data = CPABE_DECRYPT(dataCipher, sk).
The data center device may also be used to verify the validity of the data signature, specifically,
ECDSA_Verify(clientPK, data, signature).
In the above embodiments of the present specification, the internet of things system includes the first device, the management device, and the blockchain, the first data stored in the blockchain is obtained by performing attribute encryption based on the master public key of the management device and the first policy, and the first data can be successfully decrypted only by the first device whose attribute tag conforms to the first policy corresponding to the first data, so as to obtain the second data, thereby implementing reading control of data in the internet of things based on the blockchain, and improving security of data in the internet of things.
This specification illustrates, in one embodiment, a method for acquiring data based on a blockchain, which may be applied to blockchain nodes. The blockchain node may be implemented by any apparatus, device, platform, or device cluster with computing and processing capability. The method for acquiring data based on the blockchain can comprise the following steps:
Step one, receiving device information uploaded by the first device.
In this embodiment, the first device may be an internet of things device. The first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy. The blockchain node may receive device information sent by the first device and store the device information of the first device in the blockchain, where the device information may be used to register an identity of the device on the chain on the blockchain. Here, the device information may be various information related to the device, including but not limited to the UID of the device, the type of the device (e.g., sensor, thermometer, hygrometer, etc.), the type of data collected by the device (e.g., digital, audio, video, image, etc.), network information where the device is located (e.g., network ID, network area, network type, etc.), and so on.
In some optional implementations, the method may further include: first, the blockchain node may receive a first transaction sent by the management device, where the first transaction invokes a contract to upload first data to the blockchain. The blockchain node may then execute the first transaction and store the first data into a contract state of the contract. With this implementation, the first data can be stored in the contract.
Step two, in response to the request sent by the management device, sending the device information to the management device.
In this embodiment, the management device may monitor a registration event of the first device on the chain, and after monitoring the registration event of the user, the management device may send a request for acquiring device information of the first device to the blockchain. In response to the request sent by the management device, the blockchain node may send device information of the first device to the management device. Thereafter, the management device may determine an attribute tag of the first device based on the device information, generate a sub-private key of the user based on the attribute tag, the master public key of the management device, and the master private key of the management device, and upload the device identification of the first device and the sub-private key in association to the blockchain.
Step three, receiving the sub-private key of the first device from the management device, and storing the sub-private key in the blockchain.
In this embodiment, the blockchain node may receive the device identification and the sub-private key of the first device from the management device and store the device identification and the sub-private key of the first device in association in the blockchain. The sub-private key is generated based on the device information of the first device, the master public key of the management device, and the master private key of the management device. For example, the management device may extract the attribute tag of the first device from the device information of the first device. Thereafter, the management device may generate a sub-private key of the first device based on the attribute tag of the first device, the master public key mpk, and the master private key msk. The management device may generate a sub-private key sk specific to the first device, specifically,
sk = CPABE_KeyGen(attribute tag, msk, mpk).
In some optional implementations, the above storing of the sub-private key in the blockchain may specifically be performed as follows: storing the device identification of the first device and the ciphertext of the sub-private key in the blockchain in association, where the ciphertext of the sub-private key is obtained by encrypting the sub-private key based on the public key of the blockchain account corresponding to the device identification.
In this implementation, the management device may encrypt the sub-private key of the first device based on the public key of the blockchain account corresponding to the first device to obtain an encryption result, that is, a sub-private key ciphertext. Then, the management device uploads the encryption result to the blockchain in association with the device identifier of the first device, and the blockchain node stores the device identifier and the ciphertext of the sub-private key in association in the blockchain. In this way, the first device may obtain the corresponding encryption result from the blockchain according to the device identifier, and decrypt the encryption result to obtain the sub-private key. With this implementation, the sub-private key is encrypted before it is uploaded to the blockchain, so that the sub-private key is protected and its security is improved.
Step four, in response to the request sent by the first device, sending the sub-private key and the first data to the first device.
In this embodiment, the first device may send a request for obtaining the sub-private key to the blockchain node, and in response to the request sent by the first device, the blockchain node may send the sub-private key to the first device. The first device may also send a request to the blockchain node to obtain the first data, and the blockchain node may send the first data to the first device in response to the request sent by the first device. The first device can then decrypt the first data by using the sub-private key, and the decryption succeeds and yields the second data in the case that the attribute tag meets the preset policy.
In some optional implementations, the first device may be an internet of things device, and the first data stored in the blockchain may be obtained by performing attribute encryption on the information collection task based on a master public key of the management device and a first policy. The information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task and is used to describe the information collection task, for example, to describe which devices collect which data, at what period data is uploaded, and the like. The second policy may be used to specify which attribute tags a device must satisfy before it can decrypt the data collected according to the task description information. After the first device successfully decrypts the first data by using the corresponding sub-private key, second data is obtained, where the second data may include the task description information and the second policy. The first device is then also used to collect information according to the task description information to obtain target information. Then, the first device may further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain.
Based on this, the method for obtaining data based on the block chain may further include: the block chain node may further receive encrypted information sent by the first device, and store the encrypted information in the block chain, where the encrypted information may be obtained by performing attribute encryption based on the master public key, the acquired target information, and the second policy.
Specifically, the blockchain node may receive a second transaction sent by the first device, where the second transaction may invoke a contract to upload the encrypted information to the blockchain. The blockchain node may then execute the second transaction, storing the encrypted information in a contract state of the contract.
In some optional implementations, the method for acquiring data based on a blockchain may further include: sending the encrypted information to the data center device in response to the request sent by the data center device.
In this implementation, the internet of things system may further include a data center device, and the management device may be further configured to send the sub-private keys corresponding to the devices in each sub-network of the internet of things to the data center device. The data center device can send a request for acquiring the encrypted information to the blockchain node, and the blockchain node sends the encrypted information to the data center device after receiving the request. The data center device can decrypt the encrypted information by using the stored sub-private key to obtain the target information, and analyze and process the target information.
This specification further illustrates a method of acquiring data based on a block chain, which may be applied to a first device, of an embodiment. The first device may be an internet of things device. The method for acquiring data based on the block chain can comprise the following steps:
Step 1), uploading device information to the blockchain.
In the present embodiment, the first data stored in the blockchain is obtained by performing attribute encryption based on the master public key of the management apparatus and the first policy. The first device may upload device information to the blockchain, which may be used to register an on-chain device identity on the chain. Here, the device information may be various information related to the device, including but not limited to the UID of the device, the type of the device (e.g., sensor, thermometer, hygrometer, etc.), the type of data collected by the device (e.g., digital, audio, video, image, etc.), network information where the device is located (e.g., network ID, network area, network type, etc.), and so on.
Step 2), acquiring the sub-private key and the first data from the blockchain.
In this embodiment, the first device may obtain a sub-private key and first data from the blockchain, where the sub-private key is generated based on the device information, the master public key of the management device, and the master private key of the management device. Specifically, the management device may monitor a registration event of the first device on the chain, and after monitoring the registration event of the user, the management device may send a request for acquiring device information of the first device to the blockchain. In response to the request sent by the management device, the blockchain node may send device information of the first device to the management device. Thereafter, the management device may determine an attribute tag of the first device based on the device information, generate a sub-private key of the user based on the attribute tag, a master public key of the management device, and a master private key of the management device, and upload the device identification of the first device in association with the sub-private key to the blockchain. In this way, the first device may obtain the sub-private key from the blockchain. In particular, the first device may send a transaction to the blockchain, which may invoke a contract to obtain the sub-private key and the first data from the blockchain. The node of the blockchain executes the transaction, sending the sub-private key and the first data to the first device.
Step 3), decrypting the first data by using the sub-private key, where the decryption succeeds and yields second data in the case that the attribute tag corresponding to the first device conforms to the first policy.
In this embodiment, after obtaining the sub-private key and the first data from the blockchain, the first device may attempt to decrypt the first data using the sub-private key sk, and when the attribute tag corresponding to the first device meets the first policy, the decryption is successful, and the second data is obtained. The first device may attempt to decrypt the first data, for example, by calling the Decrypt function of the CP-ABE encryption system, specifically,
second data = CPABE_DECRYPT(first data, sk).
Through the Decrypt function, the second data can be obtained only if the attribute tag corresponding to the first device conforms to the first strategy of the first data.
In some optional implementations, the first device is an internet of things device, and the first data is obtained by performing attribute encryption on the information collection task based on a master public key of the management device and a first policy, where the information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task and is used to describe the information collection task, for example, to describe which devices collect which data, at what period data is uploaded, and the like. For example, the contents of taskA, taskB, and taskC in the foregoing examples may be considered task description information. The second policy may be used to specify which attribute tags a device must satisfy before it can decrypt the data collected according to the task description information.
Based on this, after the first device successfully decrypts the first data by using the corresponding sub-private key, the second data is obtained, and the second data may include the task description information and the second policy. The first device is then also used to collect information according to the task description information to obtain target information. Then, the first device may further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain. For example, the data uploading may be performed according to the data uploading period in the task description information.
According to another aspect, an apparatus for acquiring data based on a blockchain is provided, and the apparatus is disposed at a blockchain node, wherein the blockchain node may be deployed in any device, platform or device cluster having computing and processing capabilities.
Fig. 7 shows a schematic block diagram of an apparatus for acquiring data based on a blockchain according to one embodiment. The first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy. As shown in fig. 7, the apparatus 700 for acquiring data based on a blockchain may include: a receiving unit 701 configured to receive device information uploaded by a first device; a first sending unit 702 configured to send the device information to a management device in response to a request sent by the management device; a storage unit 703 configured to receive a sub-private key of the first device from the management device, and store the sub-private key in the blockchain, where the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; a second sending unit 704 configured to send the sub-private key and the first data to the first device in response to a request sent by the first device.
In some optional implementations of this embodiment, the apparatus 700 further includes: a receiving and storing unit (not shown in the figure) configured to receive the encrypted information sent by the first device, and store the encrypted information in the blockchain, where the encrypted information is obtained by performing attribute encryption based on the master public key, the collected target information, and a second policy.
In some optional implementations of this embodiment, the apparatus 700 further includes: a first transaction receiving unit (not shown in the figure) configured to receive a first transaction sent by the management device, wherein the first transaction invokes a contract to upload the first data to the blockchain; a first transaction execution unit (not shown) configured to execute the first transaction, and store the first data in a contract state of the contract.
In some optional implementations of this embodiment, the receiving and storing unit includes a second transaction receiving unit (not shown in the figure) and a second transaction executing unit (not shown in the figure), where the second transaction receiving unit is configured to receive a second transaction sent by the first device, where the second transaction invokes a contract to upload the encrypted information to the blockchain; and the second transaction execution unit is configured to execute the second transaction and store the encrypted information into the contract state of the contract.
In some optional implementations of this embodiment, the apparatus 700 further includes: an encrypted information sending unit (not shown in the figure) configured to send the encrypted information to the data center device in response to a request sent by the data center device.
In some optional implementation manners of this embodiment, the storage unit 703 is further configured to store, in the block chain, the device identifier and the ciphertext of the sub-private key in an associated manner, where the ciphertext of the sub-private key is obtained by encrypting the sub-private key based on a public key of a block chain account corresponding to the device identifier.
According to another aspect of the embodiments, there is also provided an apparatus for obtaining data based on a block chain, which is disposed in a first device.
Fig. 8 shows a schematic block diagram of an apparatus for acquiring data based on a blockchain according to another embodiment. Wherein the first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy, and the apparatus 800 includes: an upload unit 801 configured to upload device information to the block chain; an obtaining unit 802 configured to obtain, from the block chain, a sub-private key and the first data, where the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; the decryption unit 803 is configured to decrypt the first data using the sub-private key, and when the attribute tag corresponding to the first device meets the first policy, the decryption is successful, and the second data is obtained.
In some optional implementation manners of this embodiment, the first device is an internet of things device, and the first data is obtained by performing attribute encryption on an information acquisition task based on a master public key of a management device and a first policy, where the information acquisition task includes task description information and a second policy; and the apparatus 800 further comprises: an acquisition unit (not shown in the figure) configured to acquire information according to the task description information to obtain target information; an encrypted information uploading unit (not shown in the figure) configured to perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to execute a method of acquiring data based on a blockchain, which method is applicable to a blockchain node.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to execute a method of acquiring data based on a block chain, which method is applicable to a first device.
According to another embodiment of the present invention, there is also provided a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement a method for obtaining data based on a blockchain, where the method is applicable to a blockchain node.
According to another embodiment of the present invention, there is also provided a computing device, including a memory and a processor, wherein the memory stores executable code, and the processor executes the executable code to implement a method for obtaining data based on a block chain, where the method is applicable to a first device.
In the 1990s, an improvement to a technology could be clearly distinguished as either a hardware improvement (e.g., an improvement to a circuit structure such as a diode, transistor, or switch) or a software improvement (an improvement to a method flow). However, as technology has advanced, many of today's method-flow improvements can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement to a method flow cannot be realized with hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, instead of manually fabricating integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that a hardware circuit implementing a logical method flow can readily be obtained merely by programming the method flow in one of the hardware description languages described above and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of a memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered structures within the hardware component. The means for performing the functions may even be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a server system. Of course, this application does not exclude that with future developments in computer technology, the computer implementing the functionality of the above described embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device or a combination of any of these devices.
Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in processes, methods, articles, or apparatus that include the recited elements is not excluded. For example, if the terms first, second, etc. are used to denote names, they do not denote any particular order.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, when implementing one or more of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, etc. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape and magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
One skilled in the art will appreciate that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; for the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding description of the method embodiment. In the description of the specification, reference to the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the specification. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, provided they do not contradict one another, those skilled in the art can combine the various embodiments or examples described in this specification and the features of different embodiments or examples.
The above description is merely exemplary of one or more embodiments of the present disclosure and is not intended to limit the scope of one or more embodiments of the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present specification should be included in the scope of the claims.

Claims (22)

1. An Internet of Things system comprising a first device, a management device and a blockchain, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy;
the first device is used for uploading the device information of the first device to the blockchain;
the management device is used for acquiring the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the main public key and a main private key, and uploading the sub-private key to the blockchain;
the first device is further configured to obtain the sub-private key and the first data from the block chain, decrypt the first data using the sub-private key, and obtain second data after decryption succeeds when the attribute tag conforms to the first policy.
2. The system of claim 1, wherein the first device is an internet of things device, and the first data is obtained by performing attribute encryption on an information collection task based on a master public key of the management device and a first policy, wherein the information collection task comprises task description information and a second policy; and
the first device is further configured to acquire information according to the task description information to obtain target information, encrypt attributes based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the block chain.
3. The system of claim 2, wherein the device information comprises network information of a sub-network in which the first device is located.
4. The system according to claim 2, further comprising a second device, where the second device is an internet of things device, and the second device is configured to obtain the encrypted information from the blockchain, decrypt the encrypted information using the corresponding sub-private key, and obtain the target information after decryption succeeds when the attribute tag corresponding to the second device meets the second policy.
5. The system of claim 2, wherein the system further comprises a data center device, and the management device is further configured to send sub-private keys corresponding to devices in each sub-network of the internet of things to the data center device;
and the data center equipment is used for acquiring the encrypted information from the block chain, decrypting the encrypted information by using the stored sub private key to obtain the target information, and analyzing and processing the target information.
6. The system of claim 2, wherein the management device is further configured to generate a master public key and a master private key, upload the master public key to the blockchain;
the management device is further configured to perform attribute encryption based on the master public key, the information acquisition task, and the first policy to obtain first data, and upload the first data to a block chain.
7. The system of claim 6, wherein the managing device uploading the first data to a blockchain comprises:
the management device sending a first transaction to the blockchain, the first transaction invoking a contract to upload the first data to the blockchain;
a node of the blockchain executes the first transaction, storing the first data into a contract state of the contract.
8. The system of claim 2, wherein the uploading the encrypted information to a blockchain comprises:
the first device sends a second transaction to the blockchain, and the second transaction invokes a contract to upload the encrypted information to the blockchain;
a node of the blockchain executes the second transaction, storing the encrypted information into a contract state of the contract.
9. The system of claim 1, wherein the management device is further configured to generate a system public key and a system private key, upload the system public key to a blockchain; and
the first device is configured to upload device information of the first device to a blockchain, including:
the first device encrypts the device information by using the system public key and uploads the encrypted device information to the blockchain.
10. The system of claim 1, wherein the uploading the sub-private key to the blockchain comprises:
the management device encrypts the sub-private key based on a public key of a blockchain account corresponding to the first device to obtain an encryption result, and uploads the encryption result and the device identifier of the first device to the blockchain in an associated manner, so that the first device obtains the encryption result from the blockchain and then decrypts the encryption result to obtain the sub-private key.
11. A method for acquiring data based on a blockchain, applied to a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the method comprising:
receiving device information uploaded by a first device;
sending the device information to a management device in response to a request sent by the management device;
receiving a sub-private key of the first device from the management device, the sub-private key being stored in the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;
in response to a request sent by the first device, sending the sub-private key and the first data to the first device.
12. The method of claim 11, wherein the method further comprises:
receiving encrypted information sent by the first device, and storing the encrypted information in the blockchain, wherein the encrypted information is obtained by performing attribute encryption based on the master public key, collected target information, and a second policy.
13. The method of claim 11, wherein the method further comprises:
receiving a first transaction sent by the management device, wherein the first transaction invokes a contract to upload the first data to the blockchain;
executing the first transaction, and storing the first data into a contract state of the contract.
14. The method of claim 12, wherein the receiving encrypted information sent by the first device, and storing the encrypted information in a blockchain comprises:
receiving a second transaction sent by the first device, wherein the second transaction invokes a contract to upload the encrypted information to the blockchain;
executing the second transaction, and storing the encrypted information into a contract state of the contract.
15. The method of claim 12, wherein the method further comprises:
in response to a request sent by a data center device, sending the encrypted information to the data center device.
16. The method of claim 11, wherein said storing the sub-private key in the blockchain comprises:
storing the device identifier and the ciphertext of the sub-private key in the blockchain in an associated manner, wherein the ciphertext of the sub-private key is obtained by encrypting the sub-private key based on the public key of the blockchain account corresponding to the device identifier.
17. A method for acquiring data based on a blockchain, applied to a first device, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the method comprising:
uploading device information to the blockchain;
obtaining a sub-private key and the first data from the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;
decrypting the first data by using the sub-private key, wherein, when the attribute tag corresponding to the first device conforms to the first policy, the decryption succeeds and second data is obtained.
18. The method of claim 17, wherein the first device is an internet of things device, and the first data is obtained by performing attribute encryption on an information collection task based on a master public key of a management device and a first policy, wherein the information collection task comprises task description information and a second policy; and
the method further comprises:
collecting information according to the task description information to obtain target information;
performing attribute encryption based on the master public key, the target information and the second policy to obtain encrypted information, and uploading the encrypted information to the blockchain.
19. An apparatus for acquiring data based on a blockchain, which is provided at a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising:
a receiving unit configured to receive device information uploaded by a first device;
a first sending unit configured to send the device information to a management device in response to a request sent by the management device;
a storage unit configured to receive a sub private key of the first device from the management device, the sub private key being stored in the blockchain, wherein the sub private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;
a second sending unit configured to send the sub-private key and the first data to the first device in response to a request sent by the first device.
20. An apparatus for acquiring data based on a blockchain, provided to a first device, wherein the first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising:
an upload unit configured to upload device information to the blockchain;
an obtaining unit configured to obtain a sub private key and the first data from the blockchain, wherein the sub private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;
a decryption unit configured to decrypt the first data by using the sub-private key, wherein, when the attribute tag corresponding to the first device conforms to the first policy, the decryption succeeds and second data is obtained.
21. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 11-18.
22. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 11-18.
CN202210722731.1A 2022-06-24 2022-06-24 Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device Active CN115118486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210722731.1A CN115118486B (en) 2022-06-24 2022-06-24 Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210722731.1A CN115118486B (en) 2022-06-24 2022-06-24 Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device

Publications (2)

Publication Number Publication Date
CN115118486A true CN115118486A (en) 2022-09-27
CN115118486B CN115118486B (en) 2024-05-17

Family

ID=83329335

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210722731.1A Active CN115118486B (en) 2022-06-24 2022-06-24 Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device

Country Status (1)

Country Link
CN (1) CN115118486B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117424756A (en) * 2023-12-18 2024-01-19 华夏天信智能物联股份有限公司 Mining variable-frequency speed-regulating asynchronous integrated machine control encryption method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113221184A (en) * 2021-03-27 2021-08-06 重庆邮电大学 Internet of things system and device based on block chain network
CN113783836A (en) * 2021-08-02 2021-12-10 南京邮电大学 Internet of things data access control method and system based on block chain and IBE algorithm
US20220006651A1 (en) * 2020-07-06 2022-01-06 Hewlett Packard Enterprise Development Lp Methods and systems for submission and validating decentralized verifiable claims in a physical world

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220006651A1 (en) * 2020-07-06 2022-01-06 Hewlett Packard Enterprise Development Lp Methods and systems for submission and validating decentralized verifiable claims in a physical world
CN113221184A (en) * 2021-03-27 2021-08-06 重庆邮电大学 Internet of things system and device based on block chain network
CN113783836A (en) * 2021-08-02 2021-12-10 南京邮电大学 Internet of things data access control method and system based on block chain and IBE algorithm

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117424756A (en) * 2023-12-18 2024-01-19 华夏天信智能物联股份有限公司 Mining variable-frequency speed-regulating asynchronous integrated machine control encryption method and device and electronic equipment
CN117424756B (en) * 2023-12-18 2024-03-01 华夏天信智能物联股份有限公司 Mining variable-frequency speed-regulating asynchronous integrated machine control encryption method and device and electronic equipment

Also Published As

Publication number Publication date
CN115118486B (en) 2024-05-17

Similar Documents

Publication Publication Date Title
CN113438289B (en) Block chain data processing method and device based on cloud computing
TWI815443B (en) Non-transitory machine readable medium for internet of things
EP3937045A1 (en) Hash updating methods and apparatuses of dedicated blockchain node device
CN112131298B (en) Data conversion method and device based on block chain
CN108564363B (en) Transaction processing method, server, client and system
US20230198765A1 (en) Multi-directional zero-knowledge attestation systems and methods
CN114041134A (en) System and method for block chain based secure storage
CN112532646A (en) Data sharing method, system, device, equipment and storage medium
CN115134075A (en) Cross-subnet calling method and device, electronic equipment and storage medium
Subathra et al. [Retracted] Decentralized Consensus Blockchain and IPFS‐Based Data Aggregation for Efficient Data Storage Scheme
Prusty Blockchain for Enterprise: Build scalable blockchain applications with privacy, interoperability, and permissioned features
Kaur et al. A novel blockchain model for securing IoT based data transmission
CN115118486B (en) Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device
CN115130075A (en) Digital signature method and device, electronic equipment and storage medium
Salman et al. Securing cloud computing: A review
Zaman et al. Handbook of research on trends and future directions in big data and web intelligence
CN116011028B (en) Electronic signature method, electronic signature device and electronic signature system
CN115758332A (en) Transaction grouping method and block link point
CN115766038A (en) Transaction sending method in block chain and block chain link point
US20230030816A1 (en) Security broker for consumers of tee-protected services
US20230036165A1 (en) Security broker with post-provisioned states of the tee-protected services
Fremantle An Approach to Enhancing Security and Privacy of the Internet of Things with Federated Identity
CN115037548B (en) System, method, device, medium and equipment for secure multiparty computation of data based on blockchain
US20240064023A1 (en) Cryptographic proof of identity with independent verification and provable recovery
CN115134136B (en) System, method, device, storage medium and computing device for socializing based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant