CN115766098A - Personal health data sharing method based on block chain and proxy re-encryption - Google Patents
Personal health data sharing method based on block chain and proxy re-encryption Download PDFInfo
- Publication number
- CN115766098A CN115766098A CN202211297319.6A CN202211297319A CN115766098A CN 115766098 A CN115766098 A CN 115766098A CN 202211297319 A CN202211297319 A CN 202211297319A CN 115766098 A CN115766098 A CN 115766098A
- Authority
- CN
- China
- Prior art keywords
- data
- ciphertext
- block chain
- key
- ciphertext data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention discloses a personal health data sharing method based on block chain and proxy re-encryption, which comprises the following steps: the data demander forwards a public key pk2 and a data authorization request to a data wallet APP through a block chain fat node; the data wallet APP generates a conversion key according to the private key sk1 and the public key pk2 of the patient, encrypts the symmetric encryption key by using the public key pk1 of the patient to obtain a ciphertext p, and uploads the conversion key and the ciphertext p to the block chain fat node; the block chain fat node re-encrypts the ciphertext p by using the conversion key to obtain a ciphertext q, and sends the ciphertext q and the corresponding ciphertext data En to the data demander; and the data demander acquires a hash value corresponding to the ciphertext data En from the block chain, verifies the ciphertext data En according to the hash value, and decrypts the ciphertext data En by using a symmetric encryption key obtained by decrypting the ciphertext q by using the private key sk2 to obtain plaintext data if the verification is passed. The invention solves the problem that the personal health data cannot safely share contents in a fine-grained manner in the sharing process under the condition that a third party is not trusted.
Description
Technical Field
The invention relates to the field of data management, in particular to a personal health data sharing method based on block chain and proxy re-encryption.
Background
Chronic diseases, also known as "chronic diseases" and "chronic non-infectious diseases", are a general term for diseases that do not constitute infections and that have long-term accumulation and form lesions. Personal health data management is particularly important for preventing and treating chronic diseases, personal health data are generally stored by hospitals at present, and a block chain technology is applied to the personal health data management in order to solve the problems of data security and privacy. The block chain technology uses a cryptographic means to generate a set of database which records time sequence, is not falsifiable and is reliable, so that the safety of data can be effectively ensured, and participants can establish consensus on the time sequence and the current state of the whole network transaction record.
The patent with application number 202210274523.X discloses a block chain-based medical data controllable sharing method, in the process of sharing medical data, asymmetric encryption and symmetric encryption are combined, so that a symmetric key is only held in the hand of a data owner, and the block chain is used for recording the operation of sharing data each time, thereby realizing the function that the data owner can control and share specific medical data to a specific data visitor and the shared record cannot be tampered. However, this patent suffers from the following disadvantages:
the data collection and uploading mode is not described, and if the data collection and uploading are manually performed, the operation cost of a user is greatly increased;
the data is encrypted symmetrically and asymmetrically, so that the calculation cost is increased;
the third party agent can obtain data plaintext and encryption key, the user cannot completely and autonomously control own medical data, the data safety problem exists, and the portability right of the data cannot be realized.
The patent with application number 202210380332.1 discloses a private information protection method, device and storage medium based on a block chain, based on a trusted third party, data to be shared are encrypted by means of symmetric encryption and public key encryption, and then proxy re-encryption is performed on the ciphertext through the trusted third party, so that a data demander can decrypt the ciphertext to complete data sharing. However, this patent suffers from the following disadvantages:
the method comprises the following steps that data sharing is carried out by utilizing an agent re-encryption technology based on a trusted third party, and the data sharing is not necessary by utilizing the agent re-encryption under the condition that the third party is trusted;
the third party agent can obtain a key for symmetrically encrypting the data, and the security and the credibility of the data cannot be guaranteed under the condition that the third party is not credible;
and the public key encryption algorithm is used for encrypting and decrypting the data, so that the calculation burden of a third-party agent is increased.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the method solves the problem that the personal health data cannot safely share content in a fine-grained manner in the sharing process under the condition that a third party is not trusted.
Aiming at the technical problems in the prior art, the invention provides a personal health data sharing method based on block chain and proxy re-encryption, which uses a block chain technology to complete the secure transmission and storage of personal health data, and utilizes the proxy re-encryption to realize the fine-grained secure sharing of data contents.
In order to solve the technical problems, the technical scheme provided by the invention is as follows:
a personal health data sharing method based on block chain and agent re-encryption is applied to a personal health data management system, wherein the personal health data management system comprises a data wallet APP of a patient and health data acquisition equipment, and the method comprises the following steps:
a data demander forwards a public key pk2 and a data authorization request to a corresponding data wallet APP through a block chain fat node, and the data wallet APP waits for operation information of a patient after receiving the public key pk2 and the data authorization request;
if the data wallet APP obtains operation information agreeing to authorization, a conversion key zk is generated according to a private key sk1 and a public key pk2 of a patient, a symmetric encryption key (k 1, k2, \8230;, kn) is encrypted by the public key pk1 of the patient to obtain a ciphertext p, and the conversion key zk and the ciphertext p are uploaded to a block chain fat node;
the block chain fat node re-encrypts the ciphertext p by using the conversion key zk to obtain a ciphertext q, and sends the ciphertext q and corresponding ciphertext data En to a data demander, wherein the ciphertext data En is ciphertext data of the acquired personal health data which are encrypted and uploaded by using a symmetric encryption key (k 1, k2, 8230; kn) after being classified by the health data acquisition equipment;
the data demander decrypts the ciphertext q by using the private key sk2 to obtain a symmetric encryption key (k 1, k2, \ 8230;, kn), obtains a hash value corresponding to the ciphertext data En from the block chain, verifies the ciphertext data En according to the hash value, and decrypts the ciphertext data En according to the symmetric encryption key (k 1, k2, \\ 8230;, kn) to obtain corresponding plaintext data if the verification is passed.
Further, before the data demander forwards the public key pk2 and the data authorization request to the corresponding data wallet APP via the blockchain fat node, the method further includes a step of uploading the blockchain fat node with the ciphertext data En, and specifically includes:
the data wallet APP acquires and authenticates identity information of a patient, if the authentication is passed, a public key pk1, a private key sk1 and a symmetric encryption key K0 are generated, the symmetric encryption key K0 is sent to corresponding health data acquisition equipment, and the public key pk1 is uploaded to a block chain;
the health data acquisition equipment acquires and classifies plaintext data of personal health data, randomly generates a symmetric encryption key (K1, K2, \ 8230;, kn) corresponding to each class and sends the symmetric encryption key to a data wallet APP, encrypts each class of plaintext data by using the symmetric encryption key (K1, K2, \ 8230;, kn) to obtain ciphertext data En, encrypts the symmetric encryption key (K1, K2, \ 8230;, kn) by using the symmetric encryption key K0 to obtain ciphertext data e0, and respectively calculates hash values of the ciphertext data En and the ciphertext data e 0;
the health data acquisition equipment uploads the hash values corresponding to the ciphertext data En and the ciphertext data e0 to the block chain, and uploads the ciphertext data En and the ciphertext data e0 to the block chain fat node.
Further, after the ciphertext data En and the ciphertext data e0 are uploaded to the block chain fat node, the method further includes the step of acquiring the personal health data and displaying the personal health data by the data wallet APP, and specifically includes:
the block chain fat node calculates to obtain address information according to the public key pk1, and sends ciphertext data En and ciphertext data e0 to the data wallet APP according to the address information, the data wallet APP obtains corresponding hash values from the block chain after obtaining the ciphertext data En and the ciphertext data e0, the ciphertext data En and the ciphertext data e0 are verified according to the hash values, if the verification is passed, the ciphertext data e0 is decrypted according to the symmetric encryption key K0 to obtain symmetric encryption keys (K1, K2, \\ 8230;, kn), and the ciphertext data En is decrypted according to the symmetric encryption keys (K1, K2, \\ 8230;, kn) to obtain plaintext data and store the plaintext data;
and the data wallet APP acquires and authenticates the identity information of the patient, waits for and acquires a request for displaying the personal health data if the authentication is passed, and selects plaintext data of the personal health data for displaying.
Further, the public key pk1, the private key sk1, the public key pk2 and the private key sk2 are all generated by using a preset key generation function.
Further, the symmetric encryption key (k 1, k2, \8230;, kn) is randomly generated using a preset symmetric encryption algorithm.
Further, the step of respectively calculating the hash values of the ciphertext data En and the ciphertext data e0 specifically includes: and respectively mapping the ciphertext data En and the ciphertext data e0 into 256-bit hash values by using a preset hash algorithm.
Further, uploading the ciphertext data En and the ciphertext data e0 to the block chain fat node further includes: and the health data acquisition equipment deletes the plaintext data corresponding to the uploaded ciphertext data En and ciphertext data e0, and deletes the ciphertext data En and ciphertext data e0 which are kept overtime.
Further, obtaining a hash value corresponding to the ciphertext data En from the block chain, and verifying the ciphertext data En according to the hash value specifically includes:
after receiving the ciphertext data En, constructing a data request transaction proposal and uploading a block chain, and waiting for the block chain to issue hash value data;
and after receiving the hash value data, calculating the hash value of the ciphertext data En by using a cryptographic algorithm SM3, if the hash value of the ciphertext data En is the same as the received hash value, checking to pass, and otherwise, requesting to resend the data from the block chain fat node.
Further, the blockchain fat node is a cloud server.
Compared with the prior art, the invention has the advantages that:
in the invention, the data to be shared is classified and then encrypted by using the symmetric encryption key, and then the controllable sharing of the fine granularity of the data and the shared object can be realized only by carrying out public key encryption, re-encryption and sharing on the symmetric encryption key. Compared with the existing scheme, the invention has high efficiency of data encryption, and the calculation burden of the data owner (sharer) is small, and the invention has the following advantages:
(1) The personal health data are encrypted after being classified, the encryption keys are randomly generated, the shared content of the data is convenient to control in the proxy re-encryption process, and after the decryption keys of the corresponding data are shared, the decryption keys cannot decrypt other data.
(2) The block chain stores the hash value of the ciphertext data, and only the block chain fat node stores the ciphertext data, so that the data transmission and storage cost of the block chain is effectively reduced.
(3) The third-party agent (cloud server) is used as a block chain fat node, ciphertext data which is symmetrically encrypted is directly stored, plaintext data and an encryption key cannot be obtained, the plaintext data is only controlled by a data owner before being shared, and data safety is guaranteed.
Drawings
FIG. 1 is a system architecture diagram of an embodiment of the present invention.
FIG. 2 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and specific preferred embodiments of the description, without thereby limiting the scope of protection of the invention.
Before describing the specific scheme of the embodiment, the following concepts are introduced:
block chains: is a chain database constructed and maintained together among computing nodes in a distributed peer-to-peer network, linked back and forth by a plurality of data blocks. At present, the block chain technology has fused a plurality of leading-edge technologies such as a distributed network technology, a consensus algorithm, an intelligent contract technology, a cryptographic algorithm and the like, and shows the following characteristics:
non-tamper-able property of block chains. Modification of one block of data will result in a huge change of all subsequent blocks of data, which change is unlikely to form a new consensus in the distributed network;
uniqueness of value. The unchangeable characteristic ensures that the data in the Internet is definite in right, and the uniqueness of the value is realized;
and (4) intelligent contracts. The method comprises the following steps of forming consensus contract contents in a distributed network, wherein the contract contents cannot be changed and are automatically executed, so that intelligent value transfer is realized;
non-completely centralized organization. The distributed peer-to-peer network maintains a consensus algorithm, and breaks through the current absolute authoritative mode of the internet controlled by a center;
openness and privacy. The password and signature algorithm comprises the privacy of user data, and meanwhile, the openness of the desensitized data is also guaranteed.
Thus, blockchain techniques are the best solution for many scenarios where multiple parties participate and require trust mechanisms to be established.
The fat node: the system is a computing node in a cluster in high-performance computing, and is configured with a large-capacity memory to be suitable for computing tasks with high requirements on the memory and processing performance; the number of fat nodes in the cluster is determined according to the actual application requirements.
A data wallet: the software program contains the information of the user and exists in the form of a pair of public key and private key, and the user carries out transaction authorization of the blockchain through the pair of public key and private key.
The agent re-encryption can convert the ciphertext encrypted by the user A by using the public key thereof into the ciphertext in another form, so that the user B can decrypt the converted ciphertext by using the private key thereof, and any corresponding plaintext and private key information cannot be revealed in the whole conversion process, and the method mainly comprises the following steps:
(1) The data sending party A encrypts the data m by using the own public key pk (a) to obtain a ciphertext c1, generates a conversion key zk by using the own private key sk (a) and the public key pk (B) of the data receiving party B, and sends c1 and zk to the third-party agent P;
(2) The third-party agent P performs re-encryption on the c1 by using zk to obtain a ciphertext c2, and sends the ciphertext c2 to the data receiver B, and in the process, the P cannot obtain a data plaintext m and cannot obtain private keys of a data sender and a data receiver;
(3) And the data receiver B decrypts the c2 by using the private key sk (B) of the data receiver B to obtain the data plaintext m.
In order to complete secure transmission and storage of personal health data by using a blockchain and internet-of-things equipment and realize fine-grained secure sharing control of data contents by using proxy re-encryption, the following problems need to be solved:
(1) The problem of safe and convenient acquisition and uploading of personal health data is solved by adopting health data acquisition equipment with a data encryption function to acquire and encrypt data, and data leakage in the acquisition and transmission process is avoided.
(2) The problem that the calculation burden of a user is high is solved by taking the symmetric encryption into consideration to encrypt data, and the encryption calculation is completed by the Internet of things equipment, so that the calculation burden of a data owner is reduced, and the data encryption and decryption efficiency is improved.
(3) The third-party agent can acquire the data plaintext, and the third-party agent directly stores the symmetrically encrypted ciphertext by presetting a symmetric encryption key for encryption and decryption of encrypted data, so that the data plaintext and the data encryption key cannot be acquired, the data is guaranteed to be only mastered by a data owner before sharing, and the data is guaranteed to be safe and credible.
In order to solve the above problem, as shown in fig. 1, the present embodiment provides a personal health data management system, which includes four modules of a chronic health data wallet APP (hereinafter referred to as a data wallet APP), a chronic health data collecting device (hereinafter referred to as a health data collecting device), a block chain, and a third-party agent (cloud service), wherein:
the data wallet APP is an APP application program developed on the basis of basic functions of the data wallet, and is programmed to realize functions of registration login, data decryption, data verification, data display, data authorization and the like;
health data acquisition equipment is for having data upload and data processing function's chronic disease data acquisition thing networking device, carries intelligent sphygmomanometer, the intelligent heart rate detector etc. of MCU (microprocessor) and wifi module for example. The health data acquisition equipment is programmed to realize the functions of identity binding, data acquisition, data encryption (Hash encryption and symmetric encryption), data uploading and the like;
the blockchain is used for recording the hash value of the personal health data and the authorized operation of the personal health data, ensuring that the data cannot be tampered and being used for data verification;
the cloud service, namely the third-party agent, belongs to the block chain fat node, is used for storing non-privacy information (such as address public keys, digital certificates and the like) of a user and encrypted personal health data, can push the encrypted personal health data to a corresponding data wallet APP, provides agent re-encryption computing service for data sharing, and has the characteristics of high safety, high reliability and high performance.
As shown in fig. 1 and fig. 2, based on the foregoing personal health data management system, the present embodiment provides a personal health data sharing method based on block chain and proxy re-encryption, including the following steps:
s1) identity registration and binding: the data wallet APP acquires and authenticates identity information of a patient, if the authentication is passed, a public key pk1, a private key sk1 and a symmetric encryption key K0 are generated, the symmetric encryption key K0 is sent to corresponding health data acquisition equipment, and the public key pk1 is uploaded to a block chain;
s2) acquiring and encrypting personal health data: the health data acquisition equipment acquires and classifies plaintext data of personal health data, randomly generates a symmetric encryption key (K1, K2, \ 8230;, kn) corresponding to each class and sends the symmetric encryption key to a data wallet APP, encrypts each class of plaintext data by using the symmetric encryption key (K1, K2, \ 8230;, kn) to obtain ciphertext data En, encrypts the symmetric encryption key (K1, K2, \ 8230;, kn) by using the symmetric encryption key K0 to obtain ciphertext data e0, and respectively calculates hash values of the ciphertext data En and the ciphertext data e 0;
s3) uploading and storing the personal health data ciphertext: the health data acquisition equipment uploads hash values corresponding to the ciphertext data En and the ciphertext data e0 to the block chain and uploads the ciphertext data En and the ciphertext data e0 to the block chain fat node;
s4) pushing, verifying, decrypting, storing and displaying the personal health data: the block chain fat node calculates to obtain address information according to the public key pk1, and sends ciphertext data En and ciphertext data e0 to the data wallet APP according to the address information, the data wallet APP obtains corresponding hash values from the block chain after obtaining the ciphertext data En and the ciphertext data e0, the ciphertext data En and the ciphertext data e0 are verified according to the hash values, if the verification is passed, the ciphertext data e0 is decrypted according to the symmetric encryption key K0 to obtain symmetric encryption keys (K1, K2, \\ 8230;, kn), and the ciphertext data En is decrypted according to the symmetric encryption keys (K1, K2, \\ 8230;, kn) to obtain plaintext data and store the plaintext data;
s5) applying for data authorization: a data demander forwards a public key pk2 and a data authorization request to a corresponding data wallet APP through a block chain fat node, and the data wallet APP waits for operation information of a patient after receiving the public key pk2 and the data authorization request;
s6) encryption key proxy re-encryption: if the data wallet APP obtains operation information agreeing to authorization, a conversion key zk is generated according to a private key sk1 and a public key pk2 of the patient, a symmetric encryption key (k 1, k2, \8230;, kn) is encrypted by the public key pk1 of the patient to obtain a ciphertext p, and the conversion key zk and the ciphertext p are uploaded to a block chain fat node;
the block chain fat node re-encrypts the ciphertext p by using the conversion key zk to obtain a ciphertext q, and sends the ciphertext q and corresponding ciphertext data En to a data demander, wherein the ciphertext data En is ciphertext data of the personal health data acquired by the health data acquisition equipment in the steps S2 to S3, and after the plaintext data is classified, ciphertext data of the block chain is encrypted and uploaded by using a symmetric encryption key (k 1, k2, \ 8230;, kn);
s7) data decryption and verification: the data demander decrypts the ciphertext q by using the private key sk2 to obtain a symmetric encryption key (k 1, k2, \8230;, kn), acquires a hash value corresponding to the ciphertext data En from the block chain, verifies the ciphertext data En according to the hash value, and decrypts the ciphertext data En according to the symmetric encryption key (k 1, k2, \8230;, kn) to obtain corresponding plaintext data if the verification is passed.
Therefore, through the steps S1 to S3, the health data acquisition equipment acquires and classifies plaintext data of personal health data, encrypts each type of plaintext data by using a corresponding symmetric encryption key (K1, K2, \8230;, kn) to obtain ciphertext data En, encrypts the symmetric encryption key (K1, K2, \8230;, kn) by using a symmetric encryption key K0 set by a data wallet APP to obtain ciphertext data e0, calculates hash values corresponding to the ciphertext data En and e0, uploads a block chain, and uploads the ciphertext data En and e0 to a block chain fat node; the uploaded ciphertext data En and e0 are used for the process of obtaining and displaying the personal health data for the data wallet APP of the patient in the step S4, and the uploaded ciphertext data En is used for the process of sharing the personal health data to the data demander through proxy re-encryption for the data wallet APP of the patient in the steps S5 to S7.
As shown in fig. 1 and fig. 2, step S1 of this embodiment specifically includes:
a patient with chronic disease registers and logs in a personal health data wallet APP by using own identity information (including a mobile phone number, an identity card number, a real name and the like), the data wallet APP acquires and authenticates the identity information of the patient, after the authentication is passed, a public key pk1 and a private key sk1 of the patient are generated by using a key generation function of a cryptographic algorithm SM2, the private key sk1 can be obtained by calculation according to the identity information of the patient, the public key pk1 can be generated according to address information, in the embodiment, the address information refers to network address information of equipment for operating the data wallet APP, such as an IP address, a port address, an MAC address and the like, an X.509 digital identity certificate is acquired, and a symmetric encryption key K0 is set;
the data wallet APP uploads the digital certificate (public key pk 1) to the blockchain;
the data wallet APP binds the identities (the private key sk1 and the symmetric encryption key K0) to the health data acquisition device, and specifically, the device running the data wallet APP can send the private key sk1 and the symmetric encryption key K0 to the health data acquisition device used by the patient with the chronic disease through a wireless network.
As shown in fig. 1 and fig. 2, step S2 of this embodiment specifically includes:
the chronic disease patient uses the health data acquisition equipment of the patient, the health data acquisition equipment acquires and records the plaintext data of the health data, and the patient is classified according to the preset classification rule (assuming that the patient is divided into n classes, each class is represented as d1, d2, \ 8230;, dn);
the health data acquisition equipment randomly generates n symmetric encryption keys (k 1, k2, \ 8230;, kn) by using a national secret algorithm SM4 (symmetric encryption algorithm), sends the n symmetric encryption keys to a data wallet APP through a wireless network, and then encrypts the i-th personal health data di by respectively using the symmetric encryption key ki to obtain a ciphertext ei = E (ki, di) (1 ≦ i ≦ n), wherein the ciphertext string represents En = (E1, E2, \ 8230;, en);
the health data acquisition device encrypts the encryption key (K1, K2, \ 8230;, kn) by using a symmetric encryption key K0 set by the data wallet APP to obtain a ciphertext E0= E (K0, (K1, K2, \ 8230;, kn));
the health data acquisition equipment uses a state cryptographic algorithm SM3 (Hash algorithm) to map the ciphertext data En and e0 to obtain a corresponding 256-bit Hash value hi = SM3 (ej) (j is more than or equal to 0 and less than or equal to n).
As shown in fig. 1 and fig. 2, step S3 of this embodiment specifically includes:
the health data acquisition equipment constructs a block chain transaction proposal containing hash values corresponding to the ciphertext data En and e0 and uploads the block chain transaction proposal to other nodes except the fat node in the block chain;
then, the health data acquisition device uploads the ciphertext data En and e0 to a block chain fat node, namely a cloud server, it needs to be noted that in general situations, the ciphertext data of a plurality of patients may be uploaded at the same time, and in order to distinguish the uploaded ciphertext data, the ciphertext data can be uploaded after being bound with the identity information of the patients;
and finally, deleting and destroying the plaintext data corresponding to the uploaded ciphertext data En and e0 by the health data acquisition equipment, and automatically deleting the ciphertext data retained in the personal health data after the preset time limit is exceeded, wherein the time limit is 48 hours in the embodiment, and the ciphertext data can be automatically retransmitted within 48 hours after being generated if the uploading fails.
As shown in fig. 1 and fig. 2, step S4 of this embodiment specifically includes:
after receiving the ciphertext data, the block chain fat node, namely the cloud server, matches the corresponding public key pk1 according to the identity information bound by the ciphertext data, then calculates the address of the equipment for operating the data wallet APP according to the public key pk1, and pushes the ciphertext data En and e0 to the corresponding data wallet APP according to the address;
after the data wallet APP acquires the ciphertext data En and e0, constructing a data request transaction proposal and uploading a block chain, waiting for the block chain to issue hash value data, and issuing the hash value data corresponding to the ciphertext data received by the data wallet APP by the block chain according to the data request transaction proposal;
after the data wallet APP receives the hash value data (called hash value A for distinguishing), the hash values of the ciphertext data En and e0 (called hash value B for distinguishing) are respectively calculated by using a cryptographic algorithm SM3 (hash algorithm), if the hash value A is the same as the hash value B, namely the hash values of the ciphertext data En and e0 are the same as the received hash values, the ciphertext data En and e0 are not tampered, the verification is passed, otherwise, the ciphertext data are tampered or the ciphertext data are mistakenly sent, and the data are requested to be sent again to the block chain fat node;
after the verification is passed, the data wallet APP decrypts the ciphertext data e0 by using the symmetric encryption key K0 to obtain a symmetric encryption key (K1, K2, \8230; kn), and then decrypts the ciphertext data En by using the symmetric encryption key (K1, K2, \8230; kn) to obtain plaintext data (d 1, d2, \8230; dn) of the health data, and stores the plaintext data;
finally, when the patient needs to check personal health data of the patient, the patient registers and logs in the personal health data wallet APP through the personal identity information again, the data wallet APP acquires the identity information of the patient and authenticates the identity information, after the authentication is passed, the patient operates the data wallet APP to initiate a request for displaying the personal health data, the data wallet APP waits for the request for displaying the personal health data, and plaintext data of the personal health data is selected for displaying.
As shown in fig. 1 and fig. 2, step S5 of this embodiment specifically includes:
and the data demander registers and logs in the block chain platform, and a secret key generation function of the SM2 is called to generate a private key sk2 and a public key pk2.
The data demander submits a data authorization request (containing the required data type and time range) to the cloud server, i.e. the blockchain fat node.
The cloud server pushes the data authorization request and the public key pk2 to a data wallet APP of a corresponding patient according to the content of the data authorization request (such as patient identity information), and the data wallet APP of the patient generates prompt information after receiving the public key pk2 and the data authorization request, and waits for operation information of the patient.
As shown in fig. 1 and fig. 2, step S6 of this embodiment specifically includes:
the patient with the chronic disease processes the data authorization request through the data wallet APP, and if authorization is refused, the data wallet APP directly uploads refused information to the block chain after receiving operation information refusing authorization; if the user agrees to the authorization, the data wallet APP receives the authorization agreement operation information, then a private key sk1 of the patient and a public key pk2 of the data demander are used for generating a conversion key zk, according to the data type in the data authorization request, a target key is selected as a decryption key from a symmetric encryption key (k 1, k2, \ 8230;, kn) obtained from the health data acquisition equipment, and the public key pk1 of the patient is used for encrypting the decryption keys to obtain a ciphertext p;
the data wallet APP sends the conversion key zk and the ciphertext p to a cloud server, namely a block chain fat node;
the cloud server uses the conversion key zk to re-encrypt the ciphertext p to obtain a ciphertext q, and sends the ciphertext q and the corresponding ciphertext data En to the data demander.
As shown in fig. 1 and fig. 2, step S7 of this embodiment specifically includes:
the data demander decrypts the ciphertext q by using the private key sk2 to obtain a decryption key (k 1, k2, \ 8230;, kn);
after receiving the ciphertext data En, the data demander constructs a data request transaction proposal and uploads a block chain, requests a hash value of the ciphertext data En from the block chain and waits for the block chain to issue hash value data;
after the data demander receives the hash value data, a state cipher algorithm SM3 is called to calculate the hash value of the ciphertext data En, integrity verification is carried out on the ciphertext data En by comparing whether the hash values are the same or not, if the hash value of the ciphertext data En is the same as the received hash value, the ciphertext data En is not tampered, otherwise, the ciphertext data En is tampered or is sent wrongly, and the data demander requests the block chain fat node to resend the data.
The data demander decrypts the ciphertext data En by using the decryption key (k 1, k2, \8230;, kn) to obtain plaintext data of corresponding personal health data and stores the plaintext data.
In summary, in the embodiment, data is encrypted and transmitted through the health data acquisition device of the internet of things, so that data security is ensured, the key is shared by using proxy re-encryption without disclosing any plaintext and data encryption key to a third-party proxy, and the calculation burden of a data owner during data sharing is reduced while the data security is ensured.
In the embodiment, the health data acquisition equipment has the functions of data encryption and uploading, and only the hash value of the ciphertext data is uploaded to the block chain, so that the data transmission and storage cost of the block chain is reduced; meanwhile, the ciphertext data of the health data are uploaded to the cloud server serving as the block chain fat node, so that the data are not leaked, and the data are not tampered.
In this embodiment, the health data acquisition device acquires data and encrypts the data after classification, and the data encryption key is generated randomly, so that the shared content of the data can be controlled conveniently in the proxy re-encryption process, and after the decryption keys of corresponding data are shared, the decryption keys cannot decrypt other data, thereby avoiding the risk of data leakage in the acquisition and transmission process.
In this embodiment, the symmetric encryption key is set for encryption and decryption of encrypted data, and the third-party agent directly stores the symmetric encrypted ciphertext, so that a data plaintext and a data encryption key cannot be obtained, and the data is guaranteed to be only mastered in the hands of a data owner before sharing, thereby ensuring the security of the data to a certain extent.
The foregoing is illustrative of the preferred embodiments of the present invention and is not to be construed as limiting the invention in any way. Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical spirit of the present invention should fall within the protection scope of the technical scheme of the present invention, unless the technical spirit of the present invention departs from the content of the technical scheme of the present invention.
Claims (10)
1. A personal health data sharing method based on block chain and agent re-encryption is applied to a personal health data management system, wherein the personal health data management system comprises a data wallet APP of a patient and health data acquisition equipment, and the method comprises the following steps:
a data demander forwards a public key pk2 and a data authorization request to a corresponding data wallet APP through a block chain fat node, and the data wallet APP waits for operation information of a patient after receiving the public key pk2 and the data authorization request;
if the data wallet APP obtains operation information agreeing to authorization, a conversion key zk is generated according to a private key sk1 and a public key pk2 of a patient, a symmetric encryption key (k 1, k2, \8230;, kn) is encrypted by the public key pk1 of the patient to obtain a ciphertext p, and the conversion key zk and the ciphertext p are uploaded to a block chain fat node;
the block chain fat node re-encrypts the ciphertext p by using the conversion key zk to obtain a ciphertext q, and sends the ciphertext q and corresponding ciphertext data En to a data demander, wherein the ciphertext data En is obtained by encrypting and uploading ciphertext data of a block chain by using a symmetric encryption key (k 1, k2, \ 8230;, kn) after the ciphertext data En is classified for the plaintext data of personal health data acquired by health data acquisition equipment;
the data demander decrypts the ciphertext q by using the private key sk2 to obtain a symmetric encryption key (k 1, k2, \8230;, kn), acquires a hash value corresponding to the ciphertext data En from the block chain, verifies the ciphertext data En according to the hash value, and decrypts the ciphertext data En according to the symmetric encryption key (k 1, k2, \8230;, kn) to obtain corresponding plaintext data if the verification is passed.
2. The method as claimed in claim 1, wherein before the data demander forwards its public key pk2 and data authorization request to the corresponding data wallet APP via the blockchain fat node, the method further comprises a step of uploading ciphertext data En to the blockchain fat node, and specifically comprises:
the method comprises the steps that a data wallet APP obtains identity information of a patient and authenticates the identity information, if the identity information passes the authentication, a public key pk1, a private key sk1 and a symmetric encryption key K0 are generated, the symmetric encryption key K0 is sent to corresponding health data acquisition equipment, and the public key pk1 is uploaded to a block chain;
the health data acquisition equipment acquires and classifies plaintext data of personal health data, randomly generates a symmetric encryption key (K1, K2, \8230;, kn) corresponding to each class and sends the symmetric encryption key to a data wallet APP, encrypts each class of plaintext data by using the symmetric encryption key (K1, K2, \8230;, kn) to obtain ciphertext data En, encrypts the symmetric encryption key (K1, K2, \8230;, kn) by using the symmetric encryption key K0 to obtain ciphertext data e0, and respectively calculates hash values of the ciphertext data En and the ciphertext data e 0;
and the health data acquisition equipment uploads the hash values corresponding to the ciphertext data En and the ciphertext data e0 to the blockchain and uploads the ciphertext data En and the ciphertext data e0 to the blockchain fat node.
3. The method of claim 2, wherein after uploading the ciphertext data En and the ciphertext data e0 to the blockchain fat node, the method further comprises a step of obtaining and displaying the personal health data by the data wallet APP, and specifically comprises:
the block chain fat node calculates to obtain address information according to the public key pk1, and sends ciphertext data En and ciphertext data e0 to the data wallet APP according to the address information, the data wallet APP obtains corresponding hash values from the block chain after obtaining the ciphertext data En and the ciphertext data e0, the ciphertext data En and the ciphertext data e0 are verified according to the hash values, if the verification is passed, the ciphertext data e0 is decrypted according to the symmetric encryption key K0 to obtain symmetric encryption keys (K1, K2, \\ 8230;, kn), and the ciphertext data En is decrypted according to the symmetric encryption keys (K1, K2, \\ 8230;, kn) to obtain plaintext data and store the plaintext data;
the data wallet APP acquires identity information of a patient and authenticates the identity information, if the identity information passes the authentication, a request for displaying the personal health data is waited and acquired, and plaintext data of the personal health data is selected for displaying.
4. The block chain and agent re-encryption based personal health data sharing method according to claim 1, wherein the public key pk1, the private key sk1, the public key pk2 and the private key sk2 are all generated using a preset key generation function.
5. The method for sharing personal health data based on block chain and agent re-encryption according to claim 2, wherein the symmetric encryption key (k 1, k2, \8230;, kn) is randomly generated using a preset symmetric encryption algorithm.
6. The method of claim 2, wherein the calculating the hash values of the ciphertext data En and the ciphertext data e0 respectively comprises: and respectively mapping the ciphertext data En and the ciphertext data e0 into 256-bit hash values by using a preset hash algorithm.
7. The method as claimed in claim 2, wherein uploading the ciphertext data En and the ciphertext data e0 to the blockchain fat node further comprises: and the health data acquisition equipment deletes the plaintext data corresponding to the uploaded ciphertext data En and ciphertext data e0, and deletes the ciphertext data En and ciphertext data e0 which are kept overtime.
8. The method for sharing personal health data based on blockchain and proxy re-encryption as claimed in claim 1, wherein the step of waiting for the operation information of the patient after the data wallet APP receives the public key pk2 and the data authorization request further comprises the steps of: and if the data wallet APP acquires operation information of refusing authorization, the data wallet APP uploads the refused information to the block chain.
9. The method of claim 1, wherein the obtaining of the hash value corresponding to the ciphertext data En from the blockchain comprises, and the verifying the ciphertext data En according to the hash value comprises:
after receiving the ciphertext data En, constructing a data request transaction proposal, uploading a block chain, and waiting for the block chain to issue hash value data;
and after receiving the hash value data, calculating the hash value of the ciphertext data En by using a cryptographic algorithm SM3, if the hash value of the ciphertext data En is the same as the received hash value, passing the check, and otherwise, requesting the block chain fat node to resend the data.
10. The method of claim 1, wherein the blockchain-based re-encryption personal health data sharing method is characterized in that the blockchain fat node is a cloud server.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211297319.6A CN115766098A (en) | 2022-10-21 | 2022-10-21 | Personal health data sharing method based on block chain and proxy re-encryption |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211297319.6A CN115766098A (en) | 2022-10-21 | 2022-10-21 | Personal health data sharing method based on block chain and proxy re-encryption |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115766098A true CN115766098A (en) | 2023-03-07 |
Family
ID=85352721
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211297319.6A Pending CN115766098A (en) | 2022-10-21 | 2022-10-21 | Personal health data sharing method based on block chain and proxy re-encryption |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115766098A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527445A (en) * | 2024-01-02 | 2024-02-06 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
-
2022
- 2022-10-21 CN CN202211297319.6A patent/CN115766098A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117527445A (en) * | 2024-01-02 | 2024-02-06 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
| CN117527445B (en) * | 2024-01-02 | 2024-03-12 | 江苏荣泽信息科技股份有限公司 | Data sharing system based on re-encryption and distributed digital identity |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108600227B (en) | Medical data sharing method and device based on block chain | |
| CN108632292B (en) | Data sharing method and system based on alliance chain | |
| CN106104562B (en) | System and method for securely storing and recovering confidential data | |
| US20210089676A1 (en) | Methods and systems for secure data exchange | |
| EP2348446B1 (en) | A computer implemented method for authenticating a user | |
| CN108040056B (en) | Safe medical big data system based on Internet of things | |
| CN113553574A (en) | Internet of things trusted data management method based on block chain technology | |
| KR20190012969A (en) | Data access management system based on blockchain and method thereof | |
| CN112187798B (en) | Bidirectional access control method and system applied to cloud-side data sharing | |
| TW201701226A (en) | System, method, and apparatus for electronic prescription | |
| WO2020186823A1 (en) | Blockchain-based data querying method, device, system and apparatus, and storage medium | |
| CN113225302B (en) | Data sharing system and method based on proxy re-encryption | |
| Tu et al. | A secure, efficient and verifiable multimedia data sharing scheme in fog networking system | |
| CN113645195A (en) | Ciphertext access control system and method based on CP-ABE and SM4 | |
| Saha et al. | A cloud security framework for a data centric WSN application | |
| Pecarina et al. | SAPPHIRE: Anonymity for enhanced control and private collaboration in healthcare clouds | |
| CN115766098A (en) | Personal health data sharing method based on block chain and proxy re-encryption | |
| Wang et al. | Data transmission and access protection of community medical internet of things | |
| CN114866244B (en) | Method, system and device for controllable anonymous authentication based on ciphertext block chaining encryption | |
| US20220360429A1 (en) | Location-key encryption system | |
| De Oliveira et al. | Red Alert: break-glass protocol to access encrypted medical records in the cloud | |
| Wu et al. | A trusted and efficient cloud computing service with personal health record | |
| Saxena et al. | A Lightweight and Efficient Scheme for e-Health Care System using Blockchain Technology | |
| Paverd et al. | Omnishare: Encrypted cloud storage for the multi-device era | |
| CN114285636A (en) | Alliance chain-based shared medical data proxy re-encryption system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |