CN115118486B - Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device - Google Patents

Abstract

The embodiment of the specification provides an Internet of things system, and a method and a device for acquiring data based on a blockchain. The system comprises a first device, a management device and a blockchain, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a main public key of the management device and a first policy, and the first device is used for uploading device information of the first device to the blockchain; the management device is used for acquiring the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the main public key and the main private key, and uploading the sub-private key to the blockchain; the first device is further configured to obtain the subprivate key and the first data from the blockchain, decrypt the first data using the subprivate key, and obtain second data after successful decryption when the attribute tag conforms to the first policy.

Description

Internet of things system, method and device for acquiring data based on blockchain, storage medium and computing device

Technical Field

The embodiment of the specification belongs to the technical field of blockchains, and particularly relates to an Internet of things system, and a method and a device for acquiring data based on a blockchain.

Background

The internet of things (Internet of Things, ioT) is a system of computing devices, machines and digital machines interrelations, each device having a unique identification code and having the ability to transmit data over a network. In the internet of things, each device can collect various data of the surrounding environment and perform data transmission interaction with other devices. Sensitive data may be included in the data collected and transmitted by the internet of things device, and an illegal user may acquire the data, which may cause a security problem of the data. Therefore, in the data transmission process of the Internet of things, the data credibility and the transmission safety are important.

Disclosure of Invention

An embodiment of the specification describes an internet of things system, the system comprises first equipment, management equipment and a blockchain, first data stored in the blockchain is obtained by carrying out attribute encryption based on a main public key of the management equipment and a first strategy, the first data can be successfully decrypted only by using first equipment with an attribute tag conforming to the first strategy corresponding to the first data, and second data is obtained, so that reading control of the data in the internet of things based on the blockchain is realized, and the safety of the data in the internet of things is improved.

According to a first aspect, there is provided an internet of things system, the system including a first device, a management device, and a blockchain, wherein first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy, and the first device is configured to upload device information of the first device to the blockchain; the management device is configured to obtain the device information from the blockchain, determine an attribute tag of the first device based on the device information, generate a child private key of the first device based on the attribute tag, the master public key and the master private key, and upload the child private key to the blockchain; the first device is further configured to obtain the subprivate key and the first data from the blockchain, decrypt the first data using the subprivate key, and obtain the second data after successful decryption when the attribute tag conforms to the first policy.

According to a second aspect, there is provided a method of obtaining data based on a blockchain, applied to a blockchain node, wherein first data stored in the blockchain is obtained by attribute encryption based on a master public key of a management device and a first policy, the method comprising: receiving device information uploaded by a first device; transmitting the device information to a management device in response to a request transmitted by the management device; receiving a sub-private key of the first device from the management device, the sub-private key being stored in the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and transmitting the sub private key and the first data to the first device in response to a request transmitted by the first device.

According to a third aspect, there is provided a method of obtaining data based on a blockchain applied to a first device, wherein the first data stored in the blockchain is obtained by attribute encryption based on a master public key of a management device and a first policy, the method comprising: uploading equipment information to the block chain; acquiring a sub private key and the first data from the blockchain, wherein the sub private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and decrypting the first data by using the sub private key, and obtaining second data after successful decryption when the attribute tag corresponding to the first device accords with the first strategy.

According to a fourth aspect, there is provided an apparatus for acquiring data based on a blockchain, provided at a blockchain node, wherein first data stored in the blockchain is obtained by attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising: the receiving unit is configured to receive the device information uploaded by the first device; a first transmitting unit configured to transmit the device information to a management device in response to a request transmitted by the management device; a storage unit configured to receive a sub-private key of the first device from the management device, and store the sub-private key in the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and a second transmitting unit configured to transmit the sub private key and the first data to the first device in response to a request transmitted by the first device.

According to a fifth aspect, there is provided an apparatus for acquiring data based on a blockchain, provided to a first device, wherein the first data stored in the blockchain is obtained by attribute encryption based on a master public key of a management device and a first policy, the apparatus comprising: an uploading unit configured to upload device information to the blockchain; an obtaining unit configured to obtain a sub-private key and the first data from the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and the decryption unit is configured to decrypt the first data by using the sub-private key, and if the attribute tag corresponding to the first device accords with the first policy, the decryption is successful, so as to obtain second data.

According to a sixth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method as described in any of the implementations of the second or third aspects.

According to a seventh aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has executable code stored therein, and wherein the processor, when executing the executable code, implements a method as described in any of the implementations of the second or third aspects.

According to one embodiment of the present specification, there is provided an internet of things system including a first device, a management device, and a blockchain, first data stored in the blockchain being obtained by attribute encryption based on a master public key of the management device and a first policy. The first device is configured to upload device information of the first device to the blockchain. The management device is used for acquiring the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the main public key and the main private key, and uploading the sub-private key to the blockchain. And then, the first device acquires the sub-private key and the first data from the blockchain, decrypts the first data by using the sub-private key, and obtains the second data after successful decryption when the attribute tag accords with the first strategy. Therefore, only the first device with the attribute tag conforming to the first strategy corresponding to the first data can successfully decrypt the first data to obtain the second data, so that the reading control of the data in the Internet of things based on the blockchain is realized, and the safety of the data in the Internet of things is improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 illustrates a block chain architecture diagram in one embodiment;

fig. 2 is a schematic diagram of an application scenario in which the internet of things system according to the embodiments of the present disclosure may be applied;

FIG. 3 illustrates a timing diagram of one example of interactions between a first device, a management device, and a blockchain in an Internet of things system;

FIG. 4 shows a schematic diagram of a first strategy;

FIG. 5 illustrates a schematic diagram of one data structure of data stored in task list ContractTaskList;

FIG. 6 is a schematic diagram showing a data structure of data stored in the target information list dataList;

FIG. 7 illustrates a schematic block diagram of an apparatus for obtaining data based on a blockchain in accordance with an embodiment

FIG. 8 illustrates a schematic block diagram of an apparatus for acquiring data based on a blockchain in accordance with another embodiment.

Detailed Description

In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.

The block chain technology is a special distributed database technology designed by artificial bit coin (a digital currency) in a bit name of 'Benzhang', and is suitable for storing simple, orderly-related and verifiable data in a system, and the cryptographic and consensus algorithm is used for ensuring that the data cannot be tampered and counterfeited. To further illustrate the blockchain technique, FIG. 1 illustrates a blockchain architecture diagram in an embodiment. In the blockchain architecture diagram shown in fig. 1,6 nodes are included in the blockchain 100, for example. The connections between nodes are schematically represented as P2P (Peer to Peer) connections. The nodes may store a full amount of ledgers, i.e., the state of all blocks and all accounts. Wherein each node in the blockchain may generate the same state in the blockchain by performing the same transaction, each node in the blockchain may store the same state database. It will be appreciated that while 6 nodes are shown in FIG. 1 as being included in a blockchain, embodiments of the present description are not so limited, but may include other numbers of nodes. Specifically, the nodes included in the blockchain may meet the bayer fault tolerance (Byzantine Fault Tolerance, BFT) requirements. The bayer fault tolerance requirement is understood to be that the bin node may exist inside the blockchain, and the blockchain does not show the bin behavior. In general, some bayer fault-tolerant algorithms require a number of nodes greater than 3f+1, where f is the number of bayer nodes, e.g., the practical bayer fault-tolerant algorithm PBFT (Practical Byzantine Fault Tolerance).

Transactions in the blockchain domain may refer to task units that execute in the blockchain and are recorded in the blockchain. The transaction typically includes a send field (From), a receive field (To), and a Data field (Data). Where the transaction is a transfer transaction, the From field indicates an account address From which the transaction was initiated (i.e., a transfer task To another account was initiated), the To field indicates an account address From which the transaction was received (i.e., a transfer was received), and the Data field includes the transfer amount. In the case of a transaction calling a smart contract in a blockchain, the From field represents the account address From which the transaction originated, the To field represents the account address of the contract that the transaction called, and the Data field includes Data, such as the name of the function in the calling contract, and the incoming parameters To the function, for retrieving the code of the function From the blockchain and executing the code of the function when the transaction is executed.

The functionality of the smart contract may be provided in the blockchain. Intelligent contracts on blockchains are contracts on blockchain systems that can be executed by transaction triggers. The smart contracts may be defined in the form of codes. Invoking the smart contract in the ethernet network initiates a transaction directed to the smart contract address such that each node in the ethernet network runs the smart contract code in a distributed manner. It should be noted that, in addition to the smart contracts that can be created by the user, the smart contracts can also be set by the system in the creation block. Such contracts are commonly referred to as an opening contract. In general, some blockchain data structures, parameters, properties, and methods may be set in the creating contract. In addition, an account with system administrator rights may create a system level contract, or modify a system level contract (simply referred to as a system contract). Wherein the system contracts can be used to add data structures for data of different services in the blockchain.

In the scenario of deploying contracts, for example, bob sends a transaction containing information to create an intelligent contract (i.e., deploying a contract) into a blockchain as shown in fig. 1, the data field of the transaction includes the code (e.g., bytecode or machine code) of the contract to be created, and the to field of the transaction is empty to indicate that the transaction is for deploying the contract. After agreement is achieved among the nodes through a consensus mechanism, determining a contract address '0 x6f8ae93 …' of the contract, adding a contract account corresponding to the contract address of the intelligent contract in a state database by each node, distributing a state storage corresponding to the contract account, and storing a contract code in the state storage of the contract, so that the contract is successfully created.

In the scenario of invoking a contract, for example, bob sends a transaction for invoking a smart contract into a blockchain as shown in fig. 1, the from field of the transaction is the address of the account of the transaction initiator (i.e., bob), the "0x6f8ae93 …" in the to field represents the address of the invoked smart contract, and the data field of the transaction includes the method and parameters for invoking the smart contract. After the transaction is consensus in the blockchain, each node in the blockchain may execute the transaction separately, thereby executing the contract separately, updating the status database based on execution of the contract.

As mentioned above, in the data transmission process of the internet of things, the data reliability and the transmission security are important. Therefore, one embodiment of the specification provides an Internet of things system based on a block chain, so that the reading control of data in the Internet of things is realized, and the safety of the data in the Internet of things is improved.

As an example, fig. 2 shows a schematic diagram of one application scenario in which the internet of things system of the embodiments of the present specification may be applied. As shown in fig. 2, in the present application scenario, a first device 201, a management device 202, and a blockchain 100 may be included. Here, the first device 201 may be an internet of things device, the internet of things system may include a plurality of first devices 201, and the plurality of first devices 201 may be distributed in different sub-networks. The management device 202 may refer to a device used by a task center, which may be used to configure an information collection task of the internet of things. The internet of things device can collect information according to the information collection task. Here, the first device 201 and the management device 202 may be provided with an encryption system, for example, a CP-ABE (ciphertext policy attribute based encryption, attribute encryption based on ciphertext policies) encryption system, the ciphertext of the CP-ABE corresponding to one access policy, the key corresponding to an attribute set, the ciphertext being decryptable if and only if an attribute in the attribute set is capable of satisfying this access policy. The first data stored in the blockchain 100 may be obtained by attribute encryption of the primary public key and the first policy of the management device 202.

The first device 201 may upload its own device information to the blockchain 100, such as a device unique identification code (Unique identifier, UID), a type of device acquisition data, and so forth. Thereafter, the management device 202 may obtain device information from the blockchain 100 and determine an attribute tag of the first device 201 based on the device information, generate a child private key for the first device 201 based on the attribute tag, the master public key, and the master private key, and upload the child private key to the blockchain 100. In this way. The first device 201 may obtain the first data and the sub-private key generated for the first data from the blockchain, and attempt to decrypt the first data using the sub-private key, where the first device 201 may successfully decrypt the second data if the corresponding attribute tag conforms to the first policy.

With continued reference to fig. 3, fig. 3 illustrates a timing diagram of one example of interactions between a first device, a management device, and a blockchain in an internet of things system. In the example shown in fig. 3, a CP-ABE encryption system may be provided in the first device 201 and the management device 202 that interact with the blockchain 100.

The specific interaction process may be as follows:

S301, the management device 202 generates a master public key and a master private key.

As one example, the management device 202 may generate the master public key and the master private key by invoking Setup functions of the CP-ABE encryption system. As another example, a secure multiparty calculation may also be employed to generate a master public key and a master private key, the master private key being maintained jointly by the plurality of management devices 202, the master private key being engaged in the calculation by the plurality of management devices 202 simultaneously when needed. The calculation process may be as follows: CPABE _setup (msk, mpk), where mpk may represent the master public key and msk may represent the master private key.

S302, the management device 202 uploads the master public key to the blockchain 100.

In this embodiment, the management device 202 may send a transaction to any blockchain node of the blockchain 100 that may invoke a data management contract C1 (hereinafter simply referred to as contract C1) in the blockchain to upload the master public key to the blockchain. Wherein the contract may be deployed by the management device 202 into a blockchain for management of data, management of data access, and the like. The blockchain node sends the transaction to other nodes in the blockchain after receiving the transaction, thereby enabling each node in the blockchain to execute the transaction. Each node of the blockchain stores the master public key into the contract state of the contract by performing the transaction.

S303, the first device 201 uploads the device information of the first device 201 to the blockchain 100.

In this embodiment, the first device 201 may upload its device information to the blockchain 100, e.g., directly. The device information may be various information related to the device including, but not limited to, the UID of the device, the type of device (e.g., sensor, thermometer, hygrometer, etc.), the type of data collected by the device (e.g., digital, audio, video, image, etc.), the network information in which the device is located (e.g., network ID, network area, network type, etc.), and so forth. In addition, when the internet of things includes a plurality of sub-networks, the device information may further include network information of the sub-network where the first device is located, for example, a network identification code (Network Identification, NID) of the sub-network where the first device is located. The first device 201 may also upload the asymmetrically encrypted public key clientPK to the blockchain, the first device 201 locally storing clientPK a corresponding private key clientSK. clientPK may be used for subsequent encrypted information transmissions.

Here, the device information uploaded by the first device 201 may also be used to register the on-chain device identity on the chain. Based on this, the first device 201 may receive the on-chain account information returned by the blockchain 100. Specifically, the first device 201 may send a transaction to the blockchain 100 that may invoke contract C1 to register all external accounts (Externally Owned Accounts, EOA) with the blockchain. The nodes of the blockchain execute the transaction, generate the on-chain account information, and return the on-chain account information to the first device 201. The blockchain may store the generated account information of the first device 201 under the contract account. For example, the information included in the device information may be spliced and then subjected to hash calculation, so as to obtain the account ID on the chain. In particular, the method comprises the steps of,

clientID＝RegisterClient(clientInfo,clientPK)＝HASH(clientInfo||clientPK)。

Wherein clientInfo denotes device information of the first device, clientID denotes an on-chain account ID.

In practice, the blockchain may directly generate on-chain account information based on the device information uploaded by the first device 201 and return the on-chain account information to the first device. The blockchain may also generate the account information on the chain based on the device information after the management device verifies the device information, and then return the account information on the chain to the first device. Specifically, after monitoring the REGISTERCLIENT contract invoking event, the management device 202 acquires the device information of the first device, performs verification (for example, performs verification based on a preset verification rule) on the device information, uploads verification passing information to the blockchain after the verification passing information is passed, and after receiving the verification passing information, the blockchain may generate account information on the chain based on the device information, and then returns the account information on the chain to the first device.

In some alternative implementations, the management device 202 may also generate and upload system public and private keys to the blockchain 100. Specifically, the management device 202 may generate an encryption authentication key pair of the internet of things system, where the encryption authentication key pair may include a system public key systemPK and a system private key systemSK, and the key pair may support an asymmetric encryption algorithm and a signature algorithm, for example, elliptic curve cryptography (Elliptic curve cryptography, ECC) algorithm keys, support an elliptic curve digital signature algorithm (Elliptic Curve Digital Signature Algorithm, ECDSA) and an Elliptic Curve Integrated Encryption Scheme (ECIES) encryption and decryption algorithm. Taking ECC as an example, the system public key systemPK and the system private key systemSK can be generated by calling KeyGen, and the specific calculation process is as follows:

systemPK,systemSK＝ECC_KeyGen()。

Here, S303 may also be specifically implemented as follows: the first device 201 encrypts the device information using the system public key systemPK and uploads the encrypted device information to the blockchain. Taking ECIES as an example, encryption may be performed by invoking ENCRYPT, specifically,

clientInfoCipher＝ECIES_ENCRYPT(systemPK，clientInfo)。

Wherein clientInfo denotes device information of the first device, clientInfoCipher denotes encrypted device information. By the implementation mode, the device information can be encrypted and then uploaded, so that the device information is safer.

S304, the management device 202 acquires device information from the blockchain 100.

Here, if the device information acquired by the management device 202 is encrypted device information clientInfoCipher, the management device 202 may decrypt the acquired encrypted device information using the system private key systemSK, specifically,

clientInfo＝ECIES_DECRYPT(systemSK，clientInfoCipher)。

S305, the management device 202 determines an attribute tag of the first device based on the device information, and generates a sub-private key of the first device based on the attribute tag, the main public key, and the main private key.

In this embodiment, the management device 202 may determine the attribute tag of the first device based on the device information of the first device. Here, the attribute tag may be a sum of a class of features, for example, a type of device, including a sensor, a thermometer, a hygrometer, and the like; types of data collected by the device include, digital, audio, video, image, and the like; network information in which the device is located, including network ID, network area, network type, etc. Thereafter, the management device 202 may generate a child private key of the first device based on the attribute tag, the master public key, and the master private key. For example, the management device 202 may generate the first device-specific subprivate key sk by calling a KeyGen function of the CP-ABE encryption system, and in particular,

Sk= CPABE _keygen (attribute tag, msk, mpk).

S306, the management device 202 uploads the generated child private key of the first device to the blockchain 100.

In this embodiment, after the management device 202 generates the user-specific sub-private key sk, the device identification (e.g., UID) of the first device may be uploaded to the blockchain in association with the sub-private key for the first device to obtain the sub-private key from the blockchain.

In some alternative implementations, S306 may be further implemented as follows:

Firstly, the management device may encrypt the sub-private key based on the public key of the blockchain account corresponding to the first device to obtain an encryption result. As an example, an encryption scheme, such as the ECIES (elliptic curve integrated encryption scheme), may be employed using a public key of a blockchain account corresponding to the first device to encrypt the subprivate key, resulting in a first encryption result, and the first device may obtain the subprivate key by decrypting the first encryption result. As another example, the management device may further encrypt the attribute tag and the subprivate key of the first device using the public key to obtain a second encryption result, specifically,

Second encryption result=ecies_encryption (public key corresponding to the first device, attribute tag of the first device, sk).

The first device can obtain the corresponding attribute tag and the sub-private key by decrypting the second encryption result.

Then, the management device uploads the encryption result and the device identifier of the first device to the blockchain in an associated manner, so that the first device can acquire the corresponding encryption result from the blockchain according to the device identifier, and decrypt the encryption result to obtain the subprivate key. Through the implementation mode, the sub private key can be encrypted and then uploaded to the blockchain, so that the protection of the sub private key can be realized, and the security of the sub private key is improved.

S307, the first device 201 obtains the child private key and the first data from the blockchain.

Specifically, the first device may send a transaction to the blockchain 100 that may invoke the contract C1 to obtain the child private key and the first data from the blockchain. The node of the blockchain performs the transaction and sends the child private key and the first data to the first device.

And S308, the first device 201 decrypts the first data by using the sub-private key, and the second data is obtained after successful decryption when the attribute tag accords with the first strategy.

In this embodiment, the first device 201 may acquire the subprivate key and the first data from the blockchain, and attempt to decrypt the first data using the subprivate key, where the attribute tag corresponding to the first device matches the first policy, the decryption is successful, and the second data is obtained. The first device may attempt to decrypt the first data by, for example, invoking Decrypt functions of the CP-ABE encryption system, and in particular,

Second data= CPABE _decrypt (first data, sk).

Through Decrypt functions, decryption can be successfully performed only when the attribute tag corresponding to the first device accords with the first strategy of the first data, and second data is obtained.

In some alternative implementations, the first device 201 may be an internet of things device, and the first data stored in the blockchain may be obtained by attribute encryption of the information gathering task based on the master public key of the management device and the first policy. Specifically, the management device 202 may encrypt the attribute based on the master public key, the information collecting task and the first policy to obtain the first data, and upload the first data to the blockchain.

In the implementation manner, the information acquisition task of each internet of things device can be set according to the actual scene and the requirement. For example, an internet of things device in a pipeline workshop in a certain factory can be set to be responsible for collecting information such as temperature, humidity, pipeline progress and the like. For another example, an internet of things device in a restaurant may be configured to collect data such as temperature, air, smoke, etc. For another example, an internet of things device in a warehouse may be configured to collect data such as temperature, brightness, video, etc. As an example, when there are multiple sub-networks, the sub-networks may perform different information gathering tasks. For different information collection tasks, a corresponding first policy may be set that may specify that the first device can decrypt only if those attribute tags are satisfied. As an example, the structure of the first policy may be a tree structure. With continued reference to fig. 4, fig. 4 shows a schematic diagram of a first policy that encrypts the obtained first data, and the first device that needs to satisfy "network 1" or "network 2, thermometer" can decrypt the first data, otherwise the decryption fails. It will be appreciated that the first strategy shown in fig. 4 is merely for explaining the tree structure, and not for limiting the content of the first strategy, and in practice, different information collecting tasks may correspond to different first strategies.

For example, assume that the content of the information collection task a (hereinafter abbreviated as taskA) is: the equipment in the sub-network 1 is responsible for acquiring temperature, other data are not acquired, and data are uploaded every hour; taskA the corresponding first policy1 is: the device having the "network ID of sub-network 1" attribute can decrypt. The management device 202 may generate first data TASKACIPHER for taskA by invoking the encrypter function of the CP-ABE encryption system, in particular:

taskACipher＝CPABE_ENCRYPT(taskA,policy1，mpk)。

at the same time, the management device 202 may also sign the task using the system private key systemSK, which, in particular,

signature＝ECDSA_Sign(systemSK,taskA)。

For another example, assume that the content of the information collection task B (hereinafter abbreviated as taskB) is: the equipment in the sub-network 2 is responsible for collecting video, other data are not collected, and data are uploaded at 0 point every day; taskB the corresponding first policy2 is: the device having the "network ID of sub-network 2" attribute can decrypt. The management device 202 may generate the first data taskBCipher for taskB by invoking the encryp function of the CP-ABE encryption system, while signing taskB, specifically,

taskBCipher＝CPABE_ENCRYPT(taskB，policy2，mpk)；

signature＝ECDSA_Sign(systemSK，taskB)。

For another example, assume that the content of the information collection task C (hereinafter abbreviated as taskC) is: the equipment with the equipment ID of ABC is responsible for collecting smoke, other data are not collected, and data are uploaded every minute; taskC the corresponding first policy3 is: the device having the "device ID ABC" attribute can decrypt. The management device 202 may generate the first data TASKCCIPHER for taskC by invoking the encryp function of the CP-ABE encryption system, while signing taskC, specifically,

taskCCipher＝CPABE_ENCRYPT(taskC，policy3，mpk)；

signature＝ECDSA_Sign(systemSK，taskC)。

By setting the information acquisition task and the corresponding first strategy, the first device can acquire the task belonging to the sub-network where the first device is located, and the first device can acquire the task unique to the first device. The data of each sub-network is isolated in the task distribution phase. For example, the internet of things devices in sub-network 2 cannot decrypt information gathering tasks for the internet of things devices in sub-network 1.

After the management device 202 generates the first data, the first data may be uploaded to the blockchain 100. Alternatively to this, the method may comprise,

First, the management device 202 sends a first transaction to the blockchain 100 that may invoke the contract C1 to upload first data to the blockchain.

The node of the blockchain 100 then performs a first transaction, storing the first data into the contract state of the contract C1. As an example, the first data may be stored in the task list ContractTaskList of contract C1, and the data list ContractTaskList may be used to store the first data uploaded by the management device 202. By this implementation, the storage of the first data in the contract C1 can be achieved. By way of example, FIG. 5 shows a schematic diagram of a data structure of data stored in task list ContractTaskList, where, as shown in FIG. 5, a task issue time PublishTime (whose data type is Long) and a task list may be included, where task detail TaskInfo, which may include task encryption information Cipher (i.e., first data whose data type is String) and task information Signature (whose data type is String), may be included in the task list.

In some alternative implementations, the information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task, and is used to describe the information collection task, for example, describe which devices collect which data, and what period the data is uploaded. For example, the contents of task A, task B, and taskC in the foregoing examples may be considered task description information. The second policy may be used to specify that the device is to decrypt data collected based on the task description information only if those attribute tags are satisfied.

Based on the above, the first device uses the corresponding sub-private key to successfully decrypt the first data to obtain second data, where the second data may include task description information and a second policy. And then, the first equipment is also used for carrying out information acquisition according to the task description information to obtain target information. The first device may then further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain. For example, the data uploading may be performed according to a data uploading period in the task description information.

For example, assuming that the target information acquired by the first device is data, the second policy is: the device having the "network ID where the device is located" attribute can decrypt the data. According to the second policy, only devices in the same network as the first device can decrypt and view the data collected by the first device. The first device may generate encrypted information DATACIPHER for which the target information is data by calling an Encrypt function of the CP-ABE encryption system, specifically:

dataCipher＝CPABE_ENCRYPT(data,policy，mpk)。

meanwhile, the first device can also use the locally stored private key clientSK to sign the target information data, ensuring authenticity and anti-repudiation, in particular,

signature＝ECDSA_Sign(clientSK,data)。

Optionally, the first device uploads the encrypted information to the blockchain, which may be specifically implemented as follows: first, the first device sends a second transaction to the blockchain, which may invoke contract C1 to upload the encrypted information DATACIPHER to the blockchain. Thereafter, the node of the blockchain may perform the second transaction, storing the encrypted information DATACIPHER into the contract state of the contract C1.

As an example, the target information list dataList may be stored in the contract C1, and the target information list dataList may be used to store target information collected by the first device. By the implementation manner, the target information acquired by the first device can be stored in the contract C1. As an example, fig. 6 shows a schematic diagram of one data structure of data stored in the target information list dataList. As shown in fig. 6, the data structure may include a target information list dataList, and the target information list dataList includes target information detail data, where the target information detail data may include data encryption information Cipher of data (i.e., encrypted information, whose data type is String), data information Signature (whose data type is String), and data upload time UploadTime (whose data type is Long).

In some optional implementation manners, the internet of things system of the embodiment may further include a second device, where the second device may also be an internet of things device, and the second device may be configured to obtain encrypted information from the blockchain, decrypt the encrypted information by using the corresponding subprivate key, and if the attribute tag corresponding to the second device conforms to the second policy, successfully decrypt the encrypted information, and obtain the target information. Here, the process of obtaining the corresponding sub-private key by the second device as the internet of things device is similar to the process of obtaining the corresponding sub-private key by the first device, which is not described herein. According to the implementation mode, the target information acquired by the Internet of things equipment in the Internet of things can be read and controlled based on the blockchain, and the safety of the information acquired by the Internet of things equipment is improved.

In some optional implementations, the internet of things system of the embodiment may further include a data center device, and the management device may be further configured to send a subprivate key corresponding to a device in each subnet of the internet of things to the data center device. The data center device may be configured to obtain encrypted information from the blockchain, decrypt the encrypted information using the stored child private key to obtain target information, and analyze the target information. For example, whether the target information has errors or not is analyzed according to a preset rule, and whether the target information exceeds a temperature threshold or not can be judged by taking the target information as a temperature example through a preset temperature threshold.

Because the data center device stores the sub-private keys sk corresponding to the devices in the sub-networks of the internet of things, the sub-private keys of the data center device can decrypt all encrypted information on the blockchain, and in particular,

data＝CPABE_DECRYPT(dataCipher,sk)。

In addition, the data center device may be used to verify the validity of the data signature, and in particular,

ECDSA_Verify(clientPK,data,signature)。

Reviewing the above process, in the above embodiment of the present specification, the system for internet of things includes a first device, a management device and a blockchain, where first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of the management device and a first policy, and only the first device with an attribute tag conforming to the first policy corresponding to the first data can successfully decrypt the first data to obtain second data, thereby implementing read control on data in the internet of things based on the blockchain, and improving security of data in the internet of things.

The present specification illustrates a blockchain-based method of acquiring data that may be applied to blockchain nodes in accordance with an embodiment. Wherein a blockchain node may be implemented by any apparatus, device, platform, cluster of devices having computing, processing capabilities. The method for acquiring data based on the block chain can comprise the following steps:

step one, receiving device information uploaded by a first device.

In this embodiment, the first device may be an internet of things device. The first data stored in the blockchain is obtained by attribute encryption based on the master public key of the management device and the first policy. The blockchain node may receive device information sent by the first device and store the device information of the first device into the blockchain, which may be used to register on-chain device identities on the chain. Here, the device information may be various information related to the device, including, but not limited to, a UID of the device, a type of the device (e.g., sensor, thermometer, hygrometer, etc.), a type of data collected by the device (e.g., digital, audio, video, image, etc.), network information in which the device is located (e.g., network ID, network area, network type, etc.), and so forth.

In some alternative implementations, the method may further include: first, the blockchain node may receive a first transaction sent by the management device that invokes a contract to upload first data to the blockchain. The blockchain node may then perform the first transaction and store the first data into a contract state of the contract. By means of the implementation mode, the first data can be stored in the contract.

And step two, in response to the request sent by the management equipment, sending equipment information to the management equipment.

In this embodiment, the management device may monitor a registration event of the first device on the chain, and after monitoring a registration event of the user, the management device may send a request to the blockchain for acquiring device information of the first device. In response to a request sent by the management device, the blockchain node may send device information of the first device to the management device. Thereafter, the management device may determine an attribute tag of the first device based on the device information, generate a child private key of the user based on the attribute tag, a master public key of the management device, and a master private key of the management device, and upload a device identification of the first device to the blockchain in association with the child private key.

And thirdly, receiving the sub private key of the first device from the management device, and storing the sub private key in the blockchain.

In this embodiment, the blockchain node may receive the device identification and the subprivate key of the first device from the management device and store the device tag and the subprivate key of the first device in association in the blockchain. The sub private key is generated based on the device information of the first device, the master public key of the management device, and the master private key of the management device. For example, the management device may extract the attribute tag of the first device from the device information of the first device. Thereafter, the management device may generate a child private key of the first device based on the attribute tag of the first device, the master public key mpk, and the master private key msk. For example, the first device may generate a first device-specific subprivate key sk by calling a KeyGen function of the CP-ABE encryption system, and in particular,

Sk= CPABE _keygen (attribute tag, msk, mpk).

In some alternative implementations, the storing the child private key in the blockchain may be specifically performed as follows: and storing the equipment identifier of the first equipment and the ciphertext of the sub-private key in the blockchain in an associated mode, wherein the ciphertext of the sub-private key is obtained by encrypting the sub-private key based on the public key of the blockchain account corresponding to the equipment identifier.

In this implementation manner, the management device may encrypt the sub-private key of the first device based on the public key of the blockchain account corresponding to the first device to obtain an encryption result, that is, a sub-private key ciphertext. The management device then uploads the encryption result in association with the device identification of the first device to the blockchain, where the device identification and ciphertext of the child private key are stored in association by the blockchain node. Thus, the first device can obtain the corresponding encryption result from the blockchain according to the device identifier, and decrypt the encryption result to obtain the sub-private key. Through the implementation mode, the sub private key can be encrypted and then uploaded to the blockchain, so that the protection of the sub private key can be realized, and the security of the sub private key is improved.

And step four, the sub private key and the first data are sent to the first device in response to the request sent by the first device.

In this embodiment, the first device may send a request to the blockchain node to obtain the child private key, and in response to the request sent by the first device, the blockchain node may send the child private key to the first device. The first device may also send a request to the blockchain node to obtain the first data, and in response to the request sent by the first device, the blockchain node may send the first data to the first device. And then, the first device can decrypt the first data by using the sub-private key, and the second data is obtained after successful decryption under the condition that the attribute tag accords with the preset strategy.

In some alternative implementations, the first device may be an internet of things device, and the first data stored in the blockchain may be obtained by attribute encryption of the information gathering task based on a master public key of the management device and the first policy. The information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task, and is used to describe the information collection task, for example, describe which devices collect which data, and what period the data is uploaded. The second policy may be used to specify that the device is to decrypt data collected based on the task description information only if those attribute tags are satisfied. And after the first device uses the corresponding sub-private key to successfully decrypt the first data, obtaining second data, wherein the second data can comprise task description information and a second strategy. And then, the first equipment is also used for carrying out information acquisition according to the task description information to obtain target information. The first device may then further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain.

Based on this, the method for acquiring data based on the blockchain may further include: the blockchain node may also receive encrypted information sent by the first device and store the encrypted information to the blockchain, where the encrypted information may be obtained by performing attribute encryption based on the master public key, the collected target information, and the second policy.

Specifically, the blockchain node may receive a second transaction sent by the first device, where the second transaction may invoke a contract to upload encrypted information to the blockchain. Thereafter, the blockchain node may perform a second transaction, storing the encrypted information into the contract state of the contract.

In some optional implementations, the method for obtaining data based on a blockchain may further include: and transmitting the encrypted information to the data center equipment in response to the request transmitted by the data center equipment.

In this implementation manner, the internet of things system may further include a data center device, and the management device may be further configured to send a subprivate key corresponding to a device in each subnet of the internet of things to the data center device. The data center device may send a request to the blockchain link to obtain the encrypted information, and the blockchain node may send the encrypted information to the data center device after receiving the request. The data center device can decrypt the encrypted information by using the stored sub-private key to obtain target information, and analyze and process the target information.

The present specification further illustrates a blockchain-based method of acquiring data that may be applied to a first device, in accordance with an embodiment. The first device may be an internet of things device. The method for acquiring data based on the block chain can comprise the following steps:

Step 1), uploading equipment information to a blockchain.

In the present embodiment, the first data stored in the blockchain is obtained by attribute encryption based on the master public key of the management device and the first policy. The first device may upload device information to the blockchain that may be used to register on-chain device identities on the chain. Here, the device information may be various information related to the device, including, but not limited to, a UID of the device, a type of the device (e.g., sensor, thermometer, hygrometer, etc.), a type of data collected by the device (e.g., digital, audio, video, image, etc.), network information in which the device is located (e.g., network ID, network area, network type, etc.), and so forth.

Step 2), the sub private key and the first data are obtained from the blockchain.

In this embodiment, the first device may obtain the sub-private key and the first data from the blockchain, wherein the sub-private key is generated based on the device information, the master public key of the management device, and the master private key of the management device. Specifically, the management device may monitor a registration event of the first device on the chain, and after monitoring a registration event of the user, the management device may send a request to the blockchain for acquiring device information of the first device. In response to a request sent by the management device, the blockchain node may send device information of the first device to the management device. Thereafter, the management device may determine an attribute tag of the first device based on the device information, generate a child private key of the user based on the attribute tag, a master public key of the management device, and a master private key of the management device, and upload a device identification of the first device to the blockchain in association with the child private key. In this way, the first device may obtain the child private key from the blockchain. Specifically, the first device may send a transaction to the blockchain that may invoke a contract to obtain the child private key and the first data from the blockchain. The node of the blockchain performs the transaction and sends the child private key and the first data to the first device.

And 3) decrypting the first data by using the sub private key, and obtaining the second data after successful decryption when the attribute tag corresponding to the first equipment accords with the first strategy.

In this embodiment, after the first device obtains the sub-private key and the first data from the blockchain, it may attempt to decrypt the first data using the sub-private key sk, where the decrypting is successful when the attribute tag corresponding to the first device conforms to the first policy, and obtain the second data. The first device may attempt to decrypt the first data by, for example, invoking Decrypt functions of the CP-ABE encryption system, and in particular,

Second data= CPABE _decrypt (first data, sk).

Through Decrypt functions, decryption can be successfully performed only when the attribute tag corresponding to the first device accords with the first strategy of the first data, and second data is obtained.

In some optional implementations, the first device is an internet of things device, and the first data is obtained by performing attribute encryption on an information collection task based on a master public key of the management device and a first policy, where the information collection task may include task description information and a second policy. The task description information may refer to the content of the information collection task, and is used to describe the information collection task, for example, describe which devices collect which data, and what period the data is uploaded. For example, the contents of task A, task B, and taskC in the foregoing examples may be considered task description information. The second policy may be used to specify that the device is to decrypt data collected based on the task description information only if those attribute tags are satisfied.

Based on the above, the first device uses the corresponding sub-private key to successfully decrypt the first data to obtain second data, where the second data may include task description information and a second policy. And then, the first equipment is also used for carrying out information acquisition according to the task description information to obtain target information. The first device may then further perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain. For example, the data uploading may be performed according to a data uploading period in the task description information.

According to another aspect of the present invention, there is provided an apparatus for obtaining data based on a blockchain, the apparatus being configured at a blockchain node, wherein the blockchain node may be deployed in any device, platform or cluster of devices having computing and processing capabilities.

FIG. 7 illustrates a schematic block diagram of an apparatus for acquiring data based on a blockchain in accordance with an embodiment. Wherein the first data stored in the blockchain is obtained by performing attribute encryption based on the master public key of the management device and the first policy. As shown in fig. 7, the apparatus 700 for acquiring data based on a blockchain may include: a receiving unit 701 configured to receive device information uploaded by the first device; a first transmitting unit 702 configured to transmit the device information to a management device in response to a request transmitted by the management device; a storage unit 703 configured to receive a sub-private key of the first device from the management device, and store the sub-private key in the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and a second transmitting unit 704 configured to transmit the subprivate key and the first data to the first device in response to a request transmitted by the first device.

In some optional implementations of this embodiment, the apparatus 700 further includes: and a receiving and storing unit (not shown in the figure) configured to receive encrypted information sent by the first device, and store the encrypted information in a blockchain, where the encrypted information is obtained by performing attribute encryption based on the master public key, the collected target information and the second policy.

In some optional implementations of this embodiment, the apparatus 700 further includes: a first transaction receiving unit (not shown) configured to receive a first transaction transmitted from the management device, wherein the first transaction invokes a contract to upload the first data to the blockchain; a first transaction execution unit (not shown) configured to execute the first transaction and store the first data in a contract state of the contract.

In some optional implementations of this embodiment, the receiving and storing unit includes a second transaction receiving unit (not shown) and a second transaction executing unit (not shown), where the second transaction receiving unit is configured to receive a second transaction sent by the first device, and where the second transaction invokes a contract to upload the encrypted information to the blockchain; and a second transaction execution unit configured to execute the second transaction and store the encrypted information in a contract state of the contract.

In some optional implementations of this embodiment, the apparatus 700 further includes: an encrypted information transmitting unit (not shown in the figure) configured to transmit the encrypted information to the data center apparatus in response to a request transmitted from the data center apparatus.

In some optional implementations of this embodiment, the storage unit 703 is further configured to store, in association with the blockchain, a device identifier and a ciphertext of the subprivate key, where the ciphertext of the subprivate key is obtained by encrypting the subprivate key based on a public key of a blockchain account corresponding to the device identifier.

According to another embodiment, the apparatus for acquiring data based on a blockchain is further provided, and the apparatus is disposed in the first device.

FIG. 8 illustrates a schematic block diagram of an apparatus for acquiring data based on a blockchain in accordance with another embodiment. Wherein the first data stored in the blockchain is obtained by performing attribute encryption based on a master public key of a management device and a first policy, and the apparatus 800 includes: an uploading unit 801 configured to upload device information to the blockchain; an obtaining unit 802 configured to obtain a sub-private key and the first data from the blockchain, where the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device; and a decryption unit 803 configured to decrypt the first data by using the subprivate key, where the attribute tag corresponding to the first device conforms to the first policy, and the decryption is successful, so as to obtain second data.

In some optional implementations of this embodiment, the first device is an internet of things device, and the first data is obtained by performing attribute encryption on an information acquisition task based on a master public key of a management device and a first policy, where the information acquisition task includes task description information and a second policy; the apparatus 800 further comprises: a collecting unit (not shown in the figure) configured to collect information according to the task description information to obtain target information; an encrypted information uploading unit (not shown in the figure) configured to perform attribute encryption based on the master public key, the target information, and the second policy to obtain encrypted information, and upload the encrypted information to a blockchain.

According to an embodiment of another aspect, there is also provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method of obtaining data based on a blockchain node, the method being applicable to the blockchain node.

According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method of acquiring data based on a blockchain, the method being applicable to a first device.

According to an embodiment of yet another aspect, there is provided a computing device including a memory and a processor, wherein the memory has executable code stored therein, and the processor, when executing the executable code, implements a method for obtaining data based on a blockchain, the method being applicable to a blockchain node.

According to an embodiment of still another aspect, there is provided a computing device including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement a method for obtaining data based on a blockchain, where the method can be applied to a first device.

In the 90 s of the 20 th century, improvements to one technology could clearly be distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or software (improvements to the process flow). However, with the development of technology, many improvements of the current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain corresponding hardware circuit structures by programming improved method flows into hardware circuits. Therefore, an improvement of a method flow cannot be said to be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., field programmable gate array (Field Programmable GATE ARRAY, FPGA)) is an integrated circuit whose logic functions are determined by user programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler (logic compiler)" software, which is similar to the software compiler used in program development and writing, and the original code before being compiled is also written in a specific programming language, which is called hardware description language (Hardware Description Language, HDL), but HDL is not just one, but a plurality of kinds, such as ABEL(Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL(Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language), and VHDL (Very-High-SPEED INTEGRATED Circuit Hardware Description Language) and Verilog are currently most commonly used. It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.

The controller may be implemented in any suitable manner, for example, the controller may take the form of, for example, a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, application SPECIFIC INTEGRATED Circuits (ASICs), programmable logic controllers, and embedded microcontrollers, examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, atmel AT91SAM, microchip PIC18F26K20, and Silicone Labs C8051F320, the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and means for performing various functions included therein may also be regarded as structures within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.

The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation device is a server system. Of course, the application does not exclude that as future computer technology advances, the computer implementing the functions of the above-described embodiments may be, for example, a personal computer, a laptop computer, a car-mounted human-computer interaction device, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

Although one or more embodiments of the present description provide method operational steps as described in the embodiments or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented in an actual device or end product, the instructions may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even in a distributed data processing environment) as illustrated by the embodiments or by the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. For example, if first, second, etc. words are used to indicate a name, but not any particular order.

For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when one or more of the present description is implemented, the functions of each module may be implemented in the same piece or pieces of software and/or hardware, or a module that implements the same function may be implemented by a plurality of sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.

Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, read only compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage, graphene storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.

One skilled in the relevant art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments. In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.

The foregoing is merely an example of one or more embodiments of the present specification and is not intended to limit the one or more embodiments of the present specification. Various modifications and alterations to one or more embodiments of this description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the present specification, should be included in the scope of the claims.

Claims (22)

1. An internet of things system comprises first equipment, management equipment and a blockchain, wherein first data stored in the blockchain are obtained by carrying out attribute encryption on an information acquisition task based on a main public key of the management equipment and a first strategy, the information acquisition task comprises task description information, and the first strategy comprises a specified attribute tag used for indicating equipment to decrypt the first data under the condition of having the specified attribute tag;

the first device is used for uploading device information of the first device to a blockchain;

The management device is used for acquiring the device information from the blockchain, determining an attribute tag of the first device based on the device information, generating a sub-private key of the first device based on the attribute tag, the main public key and a main private key of the management device, and uploading the sub-private key to the blockchain;

The first device is further configured to obtain the subprivate key and the first data from the blockchain, decrypt the first data using the subprivate key, and obtain second data after successful decryption when the attribute tag has the specified attribute tag included in the first policy.

2. The system of claim 1, wherein the first device is an internet of things device, and the information collection task further comprises a second policy; and

The first device is further configured to perform information acquisition according to the task description information to obtain target information, perform attribute encryption based on the master public key, the target information and the second policy to obtain encrypted information, and upload the encrypted information to the blockchain.

3. The system of claim 2, wherein the device information includes network information of a sub-network in which the first device is located.

4. The system of claim 2, further comprising a second device, where the second device is an internet of things device, and the second device is configured to obtain the encrypted information from the blockchain, decrypt the encrypted information using the corresponding subprivate key, and obtain the target information after decryption is successful if the attribute tag corresponding to the second device conforms to the second policy.

5. The system of claim 2, wherein the system further comprises a data center device, and the management device is further configured to send a subprivate key corresponding to a device in each subnet of the internet of things to the data center device;

the data center equipment is used for acquiring the encrypted information from the blockchain, decrypting the encrypted information by using a stored sub private key to obtain the target information, and analyzing and processing the target information.

6. The system of claim 2, wherein the management device is further configured to generate a master public key and a master private key, upload the master public key to the blockchain;

the management device is further configured to perform attribute encryption based on the master public key, the information collection task and the first policy to obtain first data, and upload the first data to a blockchain.

7. The system of claim 6, wherein the management device uploading the first data to a blockchain comprises:

the management device sending a first transaction to the blockchain, the first transaction invoking a contract to upload the first data to the blockchain;

the node of the blockchain performs the first transaction, storing the first data into a contract state of the contract.

8. The system of claim 2, wherein the uploading the encrypted information to a blockchain includes:

The first device sending a second transaction to the blockchain, the second transaction invoking a contract to upload the encrypted information to the blockchain;

The node of the blockchain performs the second transaction, storing the encrypted information into a contract state of the contract.

9. The system of claim 1, wherein the management device is further configured to generate a system public key and a system private key, the system public key being uploaded to a blockchain; and

The first device is configured to upload device information of the first device to a blockchain, including:

The first device encrypts the device information by using the system public key and uploads the encrypted device information to a blockchain.

10. The system of claim 1, wherein the uploading the child private key to a blockchain comprises:

The management device encrypts the sub private key based on the public key of the blockchain account corresponding to the first device to obtain an encryption result, and uploads the encryption result and the device identifier of the first device to the blockchain so that the first device obtains the encryption result from the blockchain and then decrypts the encryption result to obtain the sub private key.

11. A method for obtaining data based on a blockchain, applied to a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption on an information collection task based on a main public key of a management device and a first policy, wherein the information collection task comprises task description information, the first policy comprises a designated attribute tag used for indicating that a device can decrypt the first data under the condition of having the designated attribute tag, and the method comprises:

Receiving device information uploaded by a first device;

Transmitting the device information to a management device in response to a request transmitted by the management device;

Receiving a child private key of the first device from the management device, storing the child private key in the blockchain, wherein the child private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;

And responding to the request sent by the first device, sending the sub-private key and the first data to the first device, decrypting the first data by the first device by using the sub-private key, and obtaining second data after successful decryption when the attribute tag has the specified attribute tag included by the first policy.

12. The method of claim 11, wherein the method further comprises:

and receiving encrypted information sent by the first device, and storing the encrypted information into a blockchain, wherein the encrypted information is obtained by performing attribute encryption based on the main public key, the acquired target information and a second strategy.

13. The method of claim 11, wherein the method further comprises:

receiving a first transaction sent by the management device, wherein the first transaction invokes a contract to upload the first data to the blockchain;

Executing the first transaction, storing the first data into a contract state of the contract.

14. The method of claim 12, wherein the receiving the encrypted information sent by the first device, storing the encrypted information to a blockchain, comprises:

receiving a second transaction sent by the first device, wherein the second transaction invokes a contract to upload the encrypted information to the blockchain;

and executing the second transaction, and storing the encrypted information into a contract state of the contract.

15. The method of claim 12, wherein the method further comprises:

And transmitting the encrypted information to the data center equipment in response to a request transmitted by the data center equipment.

16. The method of claim 11, wherein the storing the child private key in the blockchain comprises:

And storing the equipment identifier and the ciphertext of the sub private key in the blockchain in an associated manner, wherein the ciphertext of the sub private key is obtained by encrypting the sub private key based on the public key of the blockchain account corresponding to the equipment identifier.

17. A method for obtaining data based on a blockchain, applied to a first device, wherein first data stored in the blockchain is obtained by performing attribute encryption on an information collection task based on a main public key of the management device and a first policy, wherein the information collection task comprises task description information, the first policy comprises a designated attribute tag used for indicating that a device can decrypt the first data under the condition of having the designated attribute tag, and the method comprises:

uploading device information to the blockchain;

Obtaining a sub private key and the first data from the blockchain, wherein the sub private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;

and decrypting the first data by using the sub private key, and obtaining second data after successful decryption when the attribute tag corresponding to the first device has the designated attribute tag included in the first policy.

18. The method of claim 17, wherein the first device is an internet of things device and the first data is obtained by attribute encryption of an information collection task based on a master public key of a management device and a first policy, wherein the information collection task includes task description information and a second policy; and

The method further comprises the steps of:

Acquiring information according to the task description information to obtain target information;

and carrying out attribute encryption based on the main public key, the target information and the second strategy to obtain encrypted information, and uploading the encrypted information to a blockchain.

19. An apparatus for obtaining data based on a blockchain, which is disposed at a blockchain node, wherein first data stored in the blockchain is obtained by performing attribute encryption on an information collection task based on a master public key of the management device and a first policy, wherein the information collection task includes task description information, the first policy includes a specified attribute tag for indicating that a device can decrypt the first data only when the device has the specified attribute tag, the apparatus comprising:

the receiving unit is configured to receive the device information uploaded by the first device;

a first transmitting unit configured to transmit the device information to a management device in response to a request transmitted by the management device;

A storage unit configured to receive a sub-private key of the first device from the management device, the sub-private key being stored in the blockchain, wherein the sub-private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;

And the second sending unit is configured to respond to the request sent by the first device, send the sub-private key and the first data to the first device, decrypt the first data by using the sub-private key by the first device, and obtain second data after successful decryption when the attribute tag has the specified attribute tag included in the first policy.

20. An apparatus for acquiring data based on a blockchain, which is disposed in a first device, wherein first data stored in the blockchain is obtained by performing attribute encryption on an information acquisition task based on a master public key of the management device and a first policy, wherein the information acquisition task includes task description information, the first policy includes a specified attribute tag for indicating that a device can decrypt the first data only when the device has the specified attribute tag, and the apparatus includes:

an uploading unit configured to upload device information to the blockchain;

an acquisition unit configured to acquire a sub private key and the first data from the blockchain, wherein the sub private key is generated based on the device information, a master public key of the management device, and a master private key of the management device;

And the decryption unit is configured to decrypt the first data by using the sub-private key, and the second data is obtained after successful decryption when the attribute tag corresponding to the first device has the designated attribute tag included in the first policy.

21. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 11-18.

22. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 11-18.