CN115766268A - Processing method, device, equipment and storage medium - Google Patents

Info

Publication number
CN115766268A
Authority
CN
China
Prior art keywords
key
access
access record
record
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211512771.XA
Other languages
Chinese (zh)
Inventor
金辉
杨四雄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a processing method, a processing device and a storage medium, comprising the following steps: receiving a first access request; generating a first access record corresponding to the first access request; uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.

Description

Processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of processing technology, and relates to, but is not limited to, processing methods, apparatuses, devices, and storage media.
Background
With the continuous development of internet technology, a wide variety of services have emerged, such as shopping-related services, medical-related services, educational learning-related services, and the like.
In the related art, different services are independently managed, data between each service end is independently stored, and the utilization rate of resources is low along with the continuous increase of the services.
Disclosure of Invention
The processing method, apparatus, device and storage medium provided by the present application enable a second server to obtain the first access record generated by a first server, so that access records are shared among a plurality of servers.
The technical scheme of the application is realized as follows:
The application provides a first processing method, which is applied to a first server and comprises the following steps:
receiving a first access request;
generating a first access record corresponding to the first access request;
uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
The application provides a second processing method, which is applied to a first client side, and the method comprises the following steps:
sending a first access request to a first service terminal; and enabling the first service end to generate a first access record corresponding to the first access request, uploading the first access record, enabling the first access record to be stored in a data storage system, and enabling a second service end to obtain the first access record from the data storage system.
The present application provides a first processing apparatus, the apparatus is deployed at a first service end, and the apparatus includes:
a receiving unit configured to receive a first access request;
the generating unit is used for generating a first access record corresponding to the first access request;
and the uploading unit is used for uploading the first access record so as to enable the first access record to be stored in a data storage system, and enable a second server to obtain the first access record from the data storage system.
The present application provides a second processing apparatus, which is deployed at a first client, and includes:
a sending unit, configured to send a first access request to a first service end; and the first server generates a first access record corresponding to the first access request, uploads the first access record, so that the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
The present application further provides an electronic device, including: a memory storing a computer program operable on a processor and a processor implementing the above processing method when executing the program.
The present application also provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the processing method described above.
The processing method, apparatus, device and storage medium provided by the present application at least include: receiving a first access request; generating a first access record corresponding to the first access request; uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
Drawings
FIG. 1 is a schematic diagram of an alternative configuration of a processing system provided in an embodiment of the present application;
FIG. 2 is an alternative flow chart of a first processing method provided in the embodiment of the present application;
FIG. 3 is a schematic flow chart of another alternative of the first processing method according to the embodiment of the present disclosure;
FIG. 4 is a schematic flow chart of yet another alternative of the first processing method according to the embodiment of the present application;
FIG. 5 is an alternative flow chart of a second processing method provided by the embodiments of the present application;
FIG. 6 is a schematic diagram of an alternative data processing flow of a process provided in an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating an alternative data storage principle of a processing procedure provided in an embodiment of the present application;
FIG. 8 is an alternative schematic structural diagram of a first processing device according to an embodiment of the present disclosure;
FIG. 9 is an alternative structural schematic diagram of a second processing apparatus provided in an embodiment of the present application;
FIG. 10 is an alternative structural schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the following detailed descriptions of the specific technical solutions will be made with reference to the accompanying drawings in the embodiments of the present application. The following examples are intended to illustrate the present application, but are not intended to limit the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
In the following description, the terms "first \ second \ third" are used merely as examples to distinguish different objects, and do not represent a specific ordering for the objects, and do not have a definition of a sequential order. It is to be understood that "first \ second \ third" may be interchanged under certain circumstances or sequences so as to enable embodiments of the present application described herein to be practiced otherwise than as illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
The embodiment of the application can provide a processing method, a processing device, processing equipment and a storage medium. In practical applications, the processing method may be implemented by a processing apparatus, and each functional entity in the processing apparatus may be cooperatively implemented by hardware resources of the electronic device, such as computing resources like a processor, and communication resources (e.g. for supporting various modes of communication, such as optical cable and cellular).
The specific type of the electronic device executing the processing method is not limited, and can be determined according to actual conditions. Illustratively, the electronic device may be a server, a desktop computer, a notebook, a tablet, a cell phone, and so forth.
The processing method provided by the embodiment of the application is applied to a processing system, and the processing system comprises: a server and a client; the server side at least comprises a first server side and a second server side, and the client side at least comprises a first client side.
The first client is used for executing: sending a first access request to a first service terminal; and the first server generates a first access record corresponding to the first access request, uploads the first access record, so that the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
The first server is used for executing: receiving a first access request; generating a first access record corresponding to the first access request; uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
The second server is used for executing: receiving a second access request; generating a second access record corresponding to the second access request; uploading the second access record to enable the second access record to be stored in a data storage system, and enabling a first server to obtain the second access record from the data storage system.
It should be noted that the number of the clients is greater than or equal to 1, and the specific number of the clients is not limited in the embodiment of the present application, and may be configured according to an actual situation. The number of the service ends is greater than or equal to 2, and the specific number of the service ends is not limited in the embodiment of the application and can be configured according to actual situations.
As an example, a processing system is shown in FIG. 1, a processing system 10 comprising: a first server 101, a second server 102, and a first client 103. The first client 103 may perform data transmission with the first server 101 and the second server 102, respectively.
Specifically, the first service end 101 is configured to execute: receiving a first access request; generating a first access record corresponding to the first access request; uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
The first server 101 may be an electronic device with associated processing capabilities. Illustratively, the first service end 101 may include, but is not limited to: electronic devices such as tablet computers, servers, desktop computers, and the like; or a virtual device with associated processing capabilities.
The second server 102 is configured to perform: receiving a second access request; generating a second access record corresponding to the second access request; uploading the second access record to enable the second access record to be stored in a data storage system, and enabling a first server to obtain the second access record from the data storage system.
The second server 102 may be an electronic device with associated processing capabilities. By way of example, the second server 102 may include, but is not limited to: electronic devices such as tablet computers, servers, desktop computers, and the like; or a virtual device with associated processing capabilities.
The first client 103 is configured to perform: sending a first access request to a first service terminal; and enabling the first service end to generate a first access record corresponding to the first access request, uploading the first access record, enabling the first access record to be stored in a data storage system, and enabling a second service end to obtain the first access record from the data storage system.
The first client 103 may be an electronic device with associated processing capabilities. Illustratively, the first client 103 may include, but is not limited to: terminal equipment such as mobile phones and tablet computers; intelligent wearable devices such as intelligent watches; or a virtual device with associated processing capabilities.
Embodiments of the processing method, the processing apparatus, the processing device, and the storage medium according to the embodiments of the present application are described below with reference to a schematic diagram of a processing system shown in fig. 1.
In a first aspect, an embodiment of the present application provides a first processing method, which is applied to a first processing device; the first processing device may be deployed in the first server 101 in fig. 1. Next, a first processing method provided in the embodiment of the present application is described with a first service end as an execution subject.
Fig. 2 is an alternative flow chart of the first processing method, which may include, but is not limited to, S201 to S203 shown in fig. 2, with reference to the content shown in fig. 2.
S201, the first service end receives a first access request.
The first service end is any service end in the processing system. The first server is not specifically limited in the embodiment of the application, and may be determined according to actual conditions. Illustratively, the first service end may be a processing end of a shopping-related service, or a processing end of a medical-related service, etc.
The first access request is used for accessing data of the first service terminal. The access content of the first access request is not specifically limited in the embodiment of the present application, and may be determined according to an actual situation.
The embodiment of the present application does not limit the specific format of the received first access request, and may determine the format according to actual situations. For example, the first access request may be in an encrypted format or an unencrypted format.
S201 may be implemented as: the first server receives a first access request sent by the client through a related data receiving interface.
After the first server receives the first access request, it performs corresponding processing. The specific processing is not limited in the embodiment of the application and can be determined according to actual conditions. For example, the first server may access and output the related data based on the first access request, or it may not access and output the related data for the first access request.
S202, the first service terminal generates a first access record corresponding to the first access request.
The first access record is used to record the relevant information in the first access request. The specific content of the first access record is not limited in the embodiment of the present application, and may be determined according to an actual situation.
In one possible implementation, the first access record may include: information on the accessing user, the accessed data, and identification information indicating whether the access succeeded.
It is to be understood that the first access record may further include: access time, etc.
Illustratively, S202 may be implemented as: the first server determines the accessing user's information based on the first access request, determines the access data requested by the first access request, judges whether the access is successful, and then processes the user information and the access data according to a preset access record format to generate the first access record corresponding to the first access request.
The specific format of the first access record is not limited in the embodiment of the present application, and may be configured according to actual situations. For example, it may be in the form of a table, or in the form of a textual description, etc.
S203, the first service end uploads the first access record so that the first access record is stored in a data storage system, and the second service end can obtain the first access record from the data storage system.
The second service end is any service end different from the first service end.
The data storage system is used for storing access records uploaded by a plurality of service terminals; and the access record uploaded by one server can be obtained by other servers. The embodiment of the present application does not limit the specific manner of storing the access record of the data storage system, and may determine the access record according to actual situations.
The embodiment of the application does not limit the type of the data storage system, and the data storage system can be configured according to actual conditions. For example, the data storage system may be a database storage system; or the data storage system may be a blockchain storage system.
The process by which the first server uploads the first access record is not limited in the embodiment of the application and can be configured according to actual situations. For example, the first server may directly upload the first access record to the data storage system, or may upload the first access record to the data storage system through another device.
After the first server uploads the first access record, the first access record is shared in the data storage system, and therefore the second server can obtain the first access record from the data storage system.
The embodiment of the application does not limit the sharing mode of the access record in the data storage system, and can determine the access record according to the actual situation. Illustratively, the access records may be fully shared in the storage system, that is, the second server may share the first access record in any case; alternatively, the access records may be shared for accesses of the same user, i.e. the second server may share the first access record when accessing for the same user.
Whether the users are the same user or not can be determined based on the user information, and the specific implementation manner of the user information is not limited in the embodiment of the application and can be determined according to actual conditions. For example, the user information may be an Identity (ID) of a user, and it may be determined whether the user is the same user based on the ID of the user, or the user information may be key information, where access records of the same user correspond to the same root key, and access records of the same user at different service terminals correspond to different sub-keys.
The first processing scheme provided by the embodiment of the present application includes: receiving a first access request; generating a first access record corresponding to the first access request; uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
For the first processing scheme of the present application, the first access record generated by the first server may be obtained by the second server, so that access records are shared among multiple servers. On one hand, this reduces the storage space required and improves the utilization of storage resources; on the other hand, the second server can acquire the access record generated by the first server and perform further processing based on it, which improves the flexibility and convenience of management of the second service.
Next, a process of the first server uploading the first access record in S203 is described. Specifically, the following mode 1 or mode 2 may be included, but not limited thereto.
Mode 1, uploading of the first access record in the case that the data storage system is a database;
Mode 2, uploading of the first access record in the case that the data storage system is a blockchain.
In mode 1, the first server arranges the first access record into a format supported by the database and uploads the first access record to the database.
Next, the process of uploading the first access record in mode 2, where the data storage system is a blockchain, is described.
In the mode 2, the data storage system has a first node and a second node, the first node is associated with the first service end, the second node is associated with the second service end, and after the first access record is uploaded to the first node, the second node obtains and stores the first access record.
The first node is associated with the first server, so that after the first server uploads the first access record to the first node, the first node shares the first access record with the other nodes in the blockchain for consensus.
The second node is associated with the second server, so that the second node can receive the access record uploaded by the second server and share it with the other nodes in the blockchain for consensus.
The number of nodes included in the block chain is not specifically limited in the embodiment of the present application, and may be determined according to actual situations. Illustratively, a blockchain may include a first node and a second node; alternatively, the blockchain may also include other nodes.
The deployment mode between the first node and the first service end is not limited in the embodiment of the application, and can be configured according to actual configuration. For example, the first service end and the first node may be integrated on the same electronic device; alternatively, the first service end and the first node may also be deployed on different electronic devices independently.
The embodiment of the present application does not limit the specific type of the blockchain, which may be configured according to actual situations. In one possible implementation, the blockchain may be a public chain. In another possible implementation, the blockchain may be a federation (consortium) chain. For example, the blockchain may be a federation chain of internet properties, or a federation chain of security properties.
In practice, the data storage system may also include a plurality of blockchains at the same time. For example, the data storage system includes a federation chain of internet attributes and a federation chain of security attributes, where the federation chain of internet attributes stores access records generated by servers with internet attributes, and the federation chain of security attributes stores access records generated by servers with a higher security level, such as a bank. Access records of servers with different attributes can thus be stored in different blockchains, which further improves the security of data storage.
Compared with the mode 2, the implementation process of the mode 1 has the characteristics of simplicity and convenience. Compared with the mode 1, the implementation process of the mode 2 has the characteristics of high reliability and high safety.
In the processing method provided in the embodiment of the present application, before the first service end generates the first access record corresponding to the first access request in S202, verification may also be performed first.
Specifically, as shown in fig. 3, the processing method may include, but is not limited to, S301 to S305 described below.
S301, the first service terminal receives the first access request.
The implementation of S301 may refer to the detailed description that the first service end receives the first access request in S201, and details are not repeated here.
S302, the first server side obtains the second access record.
The second access record is the access record uploaded to the data storage system by the second server. That is, the second access record is an access record generated by the second server.
The second access record has a first association relationship with the first access request; the first association relationship indicates that the second access record and the first access request relate to the same user information. In other words, the accessing user of the second access record is the same user as the accessing user of the first access request.
It can also be understood that the first server may obtain, based on the first access request, other access records belonging to the same user as the user to which the first access request relates. The other access records include the access record of the first service end and the access record of the second service end.
Specifically, a first server sends a first request to a data storage system, the first request is used for obtaining a second access record having a first association relation with the first access request, the data storage system searches the second access record having the first association relation with the first access request in a plurality of access records after receiving the first request, and sends the second access record to the first server, and the first server correspondingly receives the second access record sent by the data storage system.
S303, the first server side verifies the first access request according to the second access record.
In one possible implementation, S303 may be implemented as: the first server directly uses the access status (whether the access was successful) or the trust status in the second access record as the basis for verifying the first access request. For example, if the second access record shows a successful access, the verification of the current first access request is considered to pass; if the second access record shows a failed access, the verification of the current first access request is considered to fail.
In another possible implementation, the first service side uses the second access record as a reference factor in the first access request verification process. For example, in the case that the access is successful in the second access record and the first access request also meets the access condition, the authentication of the first access request is considered to be passed.
Therefore, the first access request is verified through the access record of the second server, the verification process is simplified, and the verification process can be more reliable by combining the access record of the second server.
It is understood that the first server may obtain a plurality of second access records of the second server, and verify the first access request according to the plurality of second access records.
It is to be understood that the first server may further obtain at least one third access record of a third server, and verify the first access request according to the at least one second access record and the at least one third access record.
And the third access record and the first access request have a second association relationship, and the second association relationship is used for representing that the third access record and the first access request relate to the same user information.
S304, the first service terminal generates a first access record corresponding to the first access request.
The implementation of S304 may refer to a detailed description that the first server generates the first access record corresponding to the first access request in S202, and details are not repeated here.
S305, the first service end uploads the first access record so that the first access record is stored in a data storage system, and the second service end can obtain the first access record from the data storage system.
The implementation of S305 may refer to the detailed description in S203 of the first server uploading the first access record so that the first access record is stored in the data storage system and the second server can obtain the first access record from the data storage system; details are not repeated here.
Next, the first association relationship between the second access record and the first access request in S302 is described.
In a possible implementation manner, the first access request is information encrypted by a first key, the second access record includes key information corresponding to a second key, the first key is different from the second key, and a root key corresponding to the first key and the root key corresponding to the second key are the same.
The key information corresponding to the second key comprises the second key; or a method of generating the second key and associated data (e.g., including the root key and associated information for generating the second key).
The root keys corresponding to the first key and the second key are the same, i.e. the first access request is associated with the second access record by the same root key.
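One way to realize "same root key, different sub-keys per server", as an added example that is not part of the patent text: sub-keys are derived with HKDF-SHA256 (the patent names no derivation function), and each record carries a derivation label plus a check value instead of the key itself. The function names, record layout, labels and root keys are assumptions constructed for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(root_key, info, length=32, salt=b""):
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it with `info`."""
    prk = hmac.new(salt or b"\x00" * 32, root_key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sub_key(root_key, service_id):
    """One sub-key per server, all derived from the user's single root key."""
    return hkdf_sha256(root_key, b"access-record/" + service_id.encode())


def key_info(root_key, service_id):
    """Key information stored in an access record (hypothetical layout).

    It names how the sub-key was derived and adds a check value computed
    with the sub-key, so the record never contains key material.
    """
    sub_key = derive_sub_key(root_key, service_id)
    check = hmac.new(sub_key, b"key-check", hashlib.sha256).hexdigest()[:32]
    return {"service": service_id, "key_check": check}


def same_root(root_key, info):
    """True if the record's key information derives from this root key."""
    expected = key_info(root_key, info["service"])["key_check"]
    return hmac.compare_digest(expected, info["key_check"])


def find_associated(root_key, records):
    """Select the records that share a root key with the current request."""
    return [r for r in records if same_root(root_key, r["key_info"])]


# Constructed sample data: two users, records from two servers.
ALICE_ROOT = hashlib.sha256(b"constructed root key for alice").digest()
BOB_ROOT = hashlib.sha256(b"constructed root key for bob").digest()
RECORDS = [
    {"server": "shop", "success": True, "key_info": key_info(ALICE_ROOT, "shop")},
    {"server": "clinic", "success": True, "key_info": key_info(ALICE_ROOT, "clinic")},
    {"server": "shop", "success": False, "key_info": key_info(BOB_ROOT, "shop")},
]

if __name__ == "__main__":
    for rec in find_associated(ALICE_ROOT, RECORDS):
        print(rec["server"], rec["success"])
```

The check requires the root key, so only a party that holds it can link records across servers; who holds the root key is not stated in this part of the description.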
Next, a process of the first server verifying the first access request according to the second access record in S303 is described.
In one possible implementation, this process may include, but is not limited to, S3031 and S3032 described below.
S3031, the first server side obtains the trust evaluation information in the second access record.
In one possible embodiment, the trust evaluation information is used to characterize whether the second access request was successfully accessed. For example, if the trust evaluation information is a first numerical value, it indicates that the second access request is successfully accessed; and if the trust evaluation is the second value, the second access request is not successfully accessed.
The specific values of the first numerical value and the second numerical value are not limited in the embodiment of the application and can be determined according to actual conditions. For example, the first value may be 1 and the second value may be 0.
In one possible implementation, the trust evaluation information may be a trust score. The trust score is used to characterize the degree to which the user's access is trusted: the higher the trust score, the higher the corresponding degree of trust.
In actual processing, the trust score may be related to the number of successful accesses and the number of failed accesses among the user's access requests. The higher the number of successful accesses, the higher the trust score. Specifically, after each verification, the trust score may be updated based on the verification result: if the verification passes, that is, the data access succeeds, the trust score of the user is increased; if the verification does not pass, that is, the data access fails, the trust score of the user is reduced.
S3031 may be implemented as: the first server reads the trust evaluation information in the second access record to obtain a trust score, or to determine whether the second access request was successfully accessed.
S3032, the first server side verifies the first access request according to the trust evaluation information.
In a possible implementation, in case that the trust evaluation information is used to characterize whether the second access request is successfully accessed, S3032 may be implemented as: if the trust evaluation information represents that the second access request is successfully accessed, the first access request is considered to pass the verification; and if the trust evaluation information represents that the second access request fails to access, the first access request is considered to be verified to be failed.
It is understood that the first service end may also determine whether the first access request passes verification by considering multiple pieces of trust evaluation information together. For example, if the ratio of successful accesses in the trust evaluation information is greater than a first ratio threshold, the first access request is considered to pass the verification; otherwise, the verification fails.
The first ratio threshold may be determined based on actual conditions. The larger the first ratio threshold, the higher the security.
In another possible implementation, in the case that the trust evaluation information is a trust score, S3032 may be implemented as: the first service end reads the trust score in the trust evaluation information and compares it with the trust score threshold; if the trust score is greater than or equal to the trust score threshold, the first access request is considered to pass the verification; otherwise, the verification fails.
In yet another possible implementation, in the case that the trust evaluation information is a trust score, S3032 may be implemented as: the first service end reads the trust score in the trust evaluation information and compares it with the trust score threshold; if the trust score is greater than or equal to the trust score threshold and the first access request meets the access condition, the first access request is considered to pass the verification; otherwise, the verification fails.
The embodiment of the present application does not limit the specific content of the access condition, and can be determined according to the actual situation. Illustratively, the access condition may include: the access address belongs to a secure address, the access time belongs to a common access time range, and the like.
Optionally, the trust score in the trust evaluation information may be further updated with the first access request verification result.
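The three S3032 variants above (success ratio, score threshold, score threshold plus access condition) and the score update can be sketched as follows. This is an added example, not code from the application; the record and request shapes, the sample ledger, the step size and the fail-closed handling of an empty history are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class AccessRecord:                       # assumed shape of a "second access record"
    user_id: str
    succeeded: Optional[bool] = None      # first value (1) / second value (0)
    trust_score: Optional[float] = None   # alternative form: numeric trust score


@dataclass(frozen=True)
class AccessRequest:                      # assumed shape of the "first access request"
    user_id: str
    source_addr: str
    hour: int                             # hour of the request, 0-23


Condition = Callable[[AccessRequest], bool]


def related(records: Iterable[AccessRecord], req: AccessRequest) -> List[AccessRecord]:
    """Keep only records that relate to the same user information as the request."""
    return [r for r in records if r.user_id == req.user_id]


def verify_by_ratio(records, req: AccessRequest, ratio_threshold: float) -> bool:
    """Pass when the share of successful prior accesses exceeds the ratio threshold."""
    outcomes = [r.succeeded for r in related(records, req) if r.succeeded is not None]
    if not outcomes:                      # no history for this user: fail closed (assumption)
        return False
    return sum(outcomes) / len(outcomes) > ratio_threshold


def verify_by_score(records, req: AccessRequest, score_threshold: float,
                    conditions: Sequence[Condition] = ()) -> bool:
    """Pass when the latest trust score meets the threshold and every condition holds."""
    scores = [r.trust_score for r in related(records, req) if r.trust_score is not None]
    if not scores:
        return False
    latest = scores[-1]                   # records are assumed to be in upload order
    return latest >= score_threshold and all(cond(req) for cond in conditions)


def update_score(score: float, passed: bool, step: float = 5.0,
                 lo: float = 0.0, hi: float = 100.0) -> float:
    """Raise the score after a passed verification, lower it after a failed one."""
    return min(hi, score + step) if passed else max(lo, score - step)


# Access conditions of the kind the text mentions (values are constructed).
SAFE_ADDRS = {"10.0.0.5", "10.0.0.6"}


def from_safe_address(req: AccessRequest) -> bool:
    return req.source_addr in SAFE_ADDRS


def in_usual_hours(req: AccessRequest) -> bool:
    return 8 <= req.hour < 20


# Constructed sample of records uploaded by a second server.
LEDGER = [
    AccessRecord("alice", succeeded=True),
    AccessRecord("alice", succeeded=True),
    AccessRecord("alice", succeeded=False),
    AccessRecord("alice", trust_score=72.0),
    AccessRecord("bob", succeeded=False),
    AccessRecord("bob", trust_score=15.0),
]

if __name__ == "__main__":
    day = AccessRequest("alice", "10.0.0.5", 10)
    night = AccessRequest("alice", "10.0.0.5", 3)
    print(verify_by_ratio(LEDGER, day, 0.6))
    print(verify_by_score(LEDGER, day, 70.0, [from_safe_address, in_usual_hours]))
    print(verify_by_score(LEDGER, night, 70.0, [from_safe_address, in_usual_hours]))
```

Filtering by `user_id` before any decision keeps one user's history from vouching for another user's request.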
The processing method provided by the embodiment of the application can also query the access record list. As shown in fig. 4, the process may include, but is not limited to, S401 to S404 described below.
S401, the first service end receives a query request.
The query request is used for requesting to acquire an access record list.
The query request is encrypted by the first key. In particular, the query request is encrypted by the private key of the first key. In this way, the corresponding user information may be determined based on the first key to obtain an access record list corresponding to the user information.
S401 may be implemented as: the first service end receives the query request sent by the first client and decrypts it with the public key of the first key; if the decryption succeeds, it can be determined, based on the first key, that the list requested by the query covers the access records corresponding to all sub-keys under the root key of the first key.
S402, the first service end obtains the target access record from the data storage system.
The target access record is an access record encrypted by a target key, wherein the target access record comprises key information corresponding to the target key.
The root key corresponding to the target key is the same as the root key corresponding to the first key, and in a possible implementation, the target key includes the second key.
The number of the target access records is not limited in the embodiment of the application, and can be determined according to actual conditions.
S402 may be implemented as: the first server side traverses each access record in the data storage system and decrypts it with the second key; if the decryption succeeds and the second key and the first key have the same root key, the access record is determined to be a target access record; otherwise, it is determined to be a non-target access record. In this way, all target access records are obtained.
S403, the first server generates an access record list according to the target access information.
The access record list is used for recording at least one piece of target access information. The embodiment of the application does not limit the specific format of the access record list, and can determine the access record list according to the actual situation.
S403 may be implemented as: the first server side arranges all the target access information to generate an access record list.
S404, the first server outputs the access record list.
The embodiment of the application does not limit the party to which the access record list is output, which can be determined according to actual conditions.
In one possible implementation, the first service end outputs the access record list to the client end sending the query request.
In another possible implementation manner, the first service end may output the access record list to all the clients. All the clients here may refer to all the clients logging in the user information, and the user corresponds to the user to which the root key of the first key belongs.
Therefore, the access record list can be viewed by means of the query request, providing a basis for subsequent processing according to the access records; the method is simple and clear to implement.
It should be noted that the action executed by the server (the first server or the second server) may be completed by one server device deployed integrally or may be completed by multiple devices deployed independently. For example, the authentication action of the server may be performed by an authentication party, the action of the data storage system may be performed by a data owner, and so on.
In a second aspect, the present application provides a second processing method, which is applied to a second processing device; wherein the second processing device may be deployed at the first client 103 in fig. 1. Next, a second processing method provided in the embodiment of the present application is described with the first client as an execution subject.
Fig. 5 is a schematic flow chart of an alternative second processing method, which may include, but is not limited to, S501 shown in fig. 5, with reference to the content shown in fig. 5.
S501, a first client sends a first access request to a first server; and the first server generates a first access record corresponding to the first access request, uploads the first access record, so that the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
The first client is any client. Wherein the first user logs in on the first client. The first user is a user corresponding to a root key of the first key.
Wherein the first access request may be encrypted or unencrypted.
In one possible embodiment, the first access request is encrypted by a public key of the first key.
Illustratively, S501 may be implemented as: the first client generates a first access request, encrypts the first access request through a public key of a first secret key and then sends the first access request to the first service end; after receiving the first access request, the first service end can generate a first access record corresponding to the first access request based on the first access request, upload the first access record, so that the first access record is stored in the data storage system, and the second service end can obtain the first access record from the data storage system.
In this way, after the first client sends the first access request, the first access record generated based on the first access request can be uploaded to the data storage system to be shared by the multiple servers.
As shown in fig. 5, the second processing method provided in the embodiment of the present application further includes, but is not limited to, the following S502 and S503.
S502, the first client generates a first key, and sends a public key of the first key to the first service end, so that the first service end verifies the first access request according to the public key of the first key.
The first access record comprises key information corresponding to the first key.
The first client generates a root key for the first user, and then generates a sub-key as a first key according to the root key.
The embodiment of the present application does not limit the specific manner of generating the first key, and may be configured according to actual situations.
S503, the first client generates a second key, and sends the public key of the second key to the second server, so that the second server verifies the second access request of the first client according to the public key of the second key.
The root keys corresponding to the first key and the second key are the same, a second access record corresponding to the second access request is generated by the second server, the second access request is uploaded to the data storage system, and the second access request comprises key information corresponding to the second key.
The first client generates another sub-key as a second key according to the root key.
The embodiment of the present application does not limit the specific manner of generating the second key, and may be configured according to actual situations.
It should be noted that, here, one first user corresponds to one root key, and one server corresponds to one sub-key. For example, the first service end corresponds to the first key, and the second service end corresponds to the second key. The first key and the second key have the same root key.
As shown in fig. 5, the second processing method provided in the embodiment of the present application may further include, but is not limited to, the following S504 and S505.
S504, the first client sends a query request.
The query request is used for requesting to acquire an access record list.
The query request is encrypted by the first key.
S504 may be implemented as: the first client encrypts the query request with the private key of the first key and then sends the query request. Here, the query request may be sent to the first service end or the second service end.
S505, the first client receives the access record list.
The access record list is generated according to a target access record, the target access record is obtained from the data storage system, the target access record is generated by the first service terminal or the second service terminal, the target access record comprises key information corresponding to a target key, and the root key corresponding to the target key is the same as the root key corresponding to the first key.
The access record list received here may be sent by the first service terminal or may be sent by the second service terminal.
In the following, a processing method provided by the embodiment of the present application is described by taking an example that a server is deployed in different devices and a complete access process is performed.
Authentication and authorization of a user's identity is typically done by a service provider or identity provider. However, these centralized systems limit the user's control over their identity and, due to their centralized nature, are susceptible to large data leaks. Here, identity authentication and authorization are performed on the user by using an attribute-based access control policy and a privacy protection algorithm, and control of the user identity is ultimately returned to the user.
In traditional systems, identity authentication is performed by an identity provider or a service provider acting as a third-party operator that identifies and authorizes the identity of a user in an identity management system; such systems are neither safe nor reliable. Once a typical password manager or single sign-on provider is hacked, all customer confidence is compromised.
The embodiment of the application provides a complete data identity management service system. A user can select different identity attributes to process the corresponding data, and the related data keys are encrypted in a layered manner, which enhances the privacy and security of the data. The identity provider (also called an identity verifier) enables single sign-on, the data owner is responsible for verifying and propagating the identity of the user, and related data requests are stored through a blockchain, which provides auditability and traceability of transactions. The service provider judges whether to provide the related services according to the trust score of the request.
As shown in fig. 6, the process involves a user side (which may also be referred to as a user end or a client) and a server side (a service provider, a data owner (which may be on the blockchain or off the blockchain), and an authenticator).
Wherein, the function of each part is described as follows:
Client: the client side can have different privacy protection roles and freely controls the interaction between its roles and the identity authentication party.
Service provider: a relying party of the open source identity authentication protocol (OIDC); it provides specific services according to user requests, as well as functions such as redirection and threshold judgment.
Identity provider: handles authentication and authorization of user identity information and uses OIDC to implement the single sign-on function; it essentially acts as the OIDC provider. It is responsible for redirecting the encrypted file to the corresponding data owner and for generating a trust evaluation score according to the information received from the data owner.
Data owner: responsible for decrypting data, putting data access information on the chain, and authorizing requests based on the ID and access time.
Specifically, the processing procedure may include, but is not limited to, S601 to S611 described below.
S601, the client side initiates a service request.
S602, the service provider receives the service request and carries out redirection authentication.
S603, the identity authentication party logs in.
If the login is successful, the following step S604 is executed, and if the login is failed, no relevant service is provided.
S604, the client selects a data owner and encrypts the data.
S605, the client side encrypts the attribute.
S606, the identity authentication party redirects the encrypted data to the specified data owner.
S607, the data owner decrypts the data.
S608, the identity authentication party generates a trust score.
S609, the service provider performs the threshold judgment.
If the trust score is greater than the threshold value, S610 is executed; if it is less than or equal to the threshold value, the relevant service is not provided.
S610, the service provider provides the service.
S611, the client request ends.
According to the scheme, the block chain is adopted to store the data access request and the identity attribute re-authentication event, the actual identity information of the user is not stored, and the identity information of the user is obtained in a safe and verifiable mode, so that the integrity of data is ensured, and meanwhile, the transparency and traceability of the system are improved. The data owner is responsible for verifying data and propagating user identity information, providing auditability and transaction traceability. The authenticator enables single sign-on using the OIDC protocol when needed. The process is stored through a cryptographic algorithm, thereby ensuring privacy of user information. These algorithms also ensure auditability of transactions when needed.
As shown in fig. 7, if a blockchain is used to store related data (e.g., access records), an alliance chain may be selected as the type of blockchain; specifically, different identity alliances may be established, such as a security attribute alliance blockchain, an Internet attribute alliance blockchain, and the like. The user side (client) is allowed to control which identity alliance to use, depending on the particular use case. For example, where both a social media network identity attribute and a security identity attribute exist, the user can control which identity attribute is used according to specific service requirements. Blockchains allow identity providers to query and verify identity attributes.
The user can define a plurality of attributes in order to isolate identities in different alliances, and attribute encryption is used to enhance the privacy of the user. In addition, since users have different data owners, an attacker would need to obtain the keys of different identities of a plurality of users to achieve the attack purpose, which the attacker cannot achieve.
In the cryptographic scheme, a hierarchical deterministic wallet is used to generate keys and identity information, and the user's personal information across the entire system is securely stored and transmitted based on conditional proxy re-encryption.
The identity-based conditional proxy re-encryption (IBCPRE) algorithm is, overall, an extension of proxy re-encryption. With conditional proxy re-encryption, the proxy can re-encrypt the ciphertext using the IBCPRE scheme; the ciphertext is well formed and convenient to decrypt, and applications can easily share data through encrypted storage.
With a hierarchical deterministic wallet, a child key can be obtained from the parent key (a child private key from the parent private key, and a child public key from the parent public key), but not the reverse; the master public key can therefore be made public without worrying about the loss of funds. The scheme has advantages such as convenient backup, transfer to other compatible devices, and layered authority control. Such a master key can generate a sequence of child keys. These child keys can derive grandchild keys, and so on.
The user side may generate sub-private keys as data access keys for the respective data sources. The data owner has access to the key that it owns and to any subsequent keys that the data owner derives from its key. The data owner can derive more keys that can then be used for alliance transactions on the blockchain. This ensures anonymity on the blockchain. Since these data owner keys are derived from the data access keys, the user will have access to all subsequent keys derived by the data owner.
The user side generates and stores the data access key and the data authorization key locally. The user provides the data access key to the identity provider only when accessing the online service; the user side provides the data authorization key to the data owner. The data access key and the data authorization key encrypt data using an IBCPRE scheme during transmission. The data access key and the data authorization key are independent, thus providing a protective barrier between data authentication and data authorization.
The IBCPRE scheme encrypts information in transit using the Advanced Encryption Standard (AES). The user side creates different keys for each data owner, ensuring that information is isolated between data owners. The hierarchical deterministic key generation scheme allows a user to have a separate transaction key commitment on the blockchain each time a new transaction is made. The blockchain stores only data access requests and re-authentication activities for the identity attribute. Since the transaction keys for these transactions are derived from a single parent key, all transactions belonging to the same user information can be tracked by the data owner. This ensures that the traceability and auditability of transactions are available when needed. The user side has access to the master key and is able to monitor all transactions.
According to the type of data owner and the attributes, the identity provider generates a trust score and returns the trust score to the service provider. The trust score may be higher if there are multiple data owners verifying the identity attribute. The identity provider does not know the identity information of the user side and only acts as a trusted proxy between the user side and the service provider. Using an attribute-based access control policy, the data owner is relied upon to verify the identity information of the user.
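The relationship described above, one root key per user, one derived sub-key per server, and records that the holder of the root key can find again, can be sketched with the standard library alone. This is an added example, not code from the application: HMAC-SHA512 derivation and HMAC record tags stand in for the public/private sub-keys of the hierarchical deterministic wallet, and all function names, labels and records are constructed.

```python
import hashlib
import hmac
import json

RECORD_FIELDS = ("server", "key_id", "payload")


def derive_child(parent_key: bytes, chain_code: bytes, label: str):
    """One-way derivation: split HMAC-SHA512 output into (child key, child chain code)."""
    data = b"\x00" + parent_key + label.encode()
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def key_id(key: bytes) -> str:
    """Public identifier stored in a record as its 'key information'."""
    return hashlib.sha256(b"key-id" + key).hexdigest()[:16]


def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(child_key: bytes, server: str, payload: dict) -> dict:
    """Build an access record bound to one sub-key by an HMAC tag."""
    body = {"server": server, "key_id": key_id(child_key), "payload": payload}
    tag = hmac.new(child_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def audit(root_key: bytes, chain_code: bytes, server_labels, ledger) -> list:
    """Return the ledger records produced under any sub-key of this root key."""
    children = {}
    for label in server_labels:
        child, _ = derive_child(root_key, chain_code, label)
        children[key_id(child)] = child
    hits = []
    for rec in ledger:
        if not all(field in rec for field in RECORD_FIELDS):
            continue                              # malformed record: skip
        child = children.get(rec["key_id"])
        if child is None:
            continue                              # sub-key of a different root
        body = {field: rec[field] for field in RECORD_FIELDS}
        expected = hmac.new(child, canonical(body), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), str(rec.get("mac", "")).encode()):
            hits.append(rec)                      # tag verifies under our sub-key
    return hits


# Constructed roots for two users (fixed so the example is reproducible).
ROOT_A = hashlib.sha256(b"constructed root key, user A").digest()
CHAIN_A = hashlib.sha256(b"constructed chain code, user A").digest()
ROOT_B = hashlib.sha256(b"constructed root key, user B").digest()
CHAIN_B = hashlib.sha256(b"constructed chain code, user B").digest()
SERVERS = ["server-1", "server-2"]


def build_ledger() -> list:
    a1, _ = derive_child(ROOT_A, CHAIN_A, "server-1")
    a2, _ = derive_child(ROOT_A, CHAIN_A, "server-2")
    b1, _ = derive_child(ROOT_B, CHAIN_B, "server-1")
    rec_a1 = make_record(a1, "server-1", {"resource": "/reports", "ok": True})
    rec_a2 = make_record(a2, "server-2", {"resource": "/mail", "ok": False})
    rec_b1 = make_record(b1, "server-1", {"resource": "/reports", "ok": True})
    # Tampered copy: reuses user A's key_id and tag with a different payload.
    tampered = dict(rec_a1, payload={"resource": "/admin", "ok": True})
    return [rec_a1, rec_b1, rec_a2, tampered]


if __name__ == "__main__":
    for rec in audit(ROOT_A, CHAIN_A, SERVERS, build_ledger()):
        print(rec["server"], rec["payload"])
```

A record that copies another user's `key_id` is still rejected unless its tag verifies under the re-derived sub-key, so the identifier alone never decides membership.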
In a third aspect, to implement the processing method, in an embodiment of the present application, a first processing apparatus is disposed at a first service end, and is described below with reference to a schematic structural diagram of the processing apparatus shown in fig. 8.
As shown in fig. 8, the first processing device 80 includes: a receiving unit 801, a generating unit 802, and an uploading unit 803. Wherein:
a receiving unit 801 configured to receive a first access request;
a generating unit 802, configured to generate a first access record corresponding to the first access request;
an uploading unit 803, configured to upload the first access record, so that the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
In some embodiments, the data storage system has a first node and a second node, the first node is associated with the first server, the second node is associated with the second server, and after the first access record is uploaded to the first node, the second node obtains and stores the first access record.
In some embodiments, the first processing device 80 further includes a verification unit, configured to, before the generation unit 802 performs the generation of the first access record corresponding to the first access request, perform:
obtaining a second access record, where the second access record is an access record uploaded to the data storage system by the second server, and the second access record has a first association relationship with the first access request; the first incidence relation is used for representing that the second access record and the first access request relate to the same user information;
and verifying the first access request according to the second access record.
In some embodiments, the first access request is information encrypted by a first key, the second access record includes key information corresponding to a second key, the first key is different from the second key, and a root key corresponding to the first key and the second key is the same.
In some embodiments, the verification unit is further to:
obtaining trust evaluation information in the second access record;
and verifying the first access request according to the trust evaluation information.
In some embodiments, the first processing device 80 further comprises a query unit for:
receiving a query request, the query request being encrypted by the first key;
acquiring a target access record from the data storage system, wherein the target access record comprises key information corresponding to a target key, the root key corresponding to the target key is the same as the root key corresponding to the first key, and the target key comprises the second key;
generating an access record list according to the target access information;
and outputting the access record list.
In a fourth aspect, to implement the processing method, a second processing device according to an embodiment of the present application is disposed on the first client, and is described below with reference to a schematic structural diagram of the processing device shown in fig. 9.
As shown in fig. 9, the second processing device 90 includes: a transmitting unit 901.
Wherein: the sending unit 901 is configured to: sending a first access request to a first service terminal; and the first server generates a first access record corresponding to the first access request, uploads the first access record, so that the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
In some embodiments, the second processing device 90 further comprises a generating unit for:
generating a first secret key, and sending a public key of the first secret key to the first service end, so that the first service end verifies the first access request according to the public key of the first secret key; the first access record comprises key information corresponding to the first key;
generating a second secret key, and sending the public key of the second secret key to the second server, so that the second server verifies a second access request of the first client according to the public key of the second secret key; the first key and the root key corresponding to the second key are the same, a second access record corresponding to the second access request is generated by the second server, the second access request is uploaded to the data storage system, and the second access request comprises key information corresponding to the second key.
In some embodiments, the second processing device 90 further comprises a transmission unit for:
sending a query request, the query request being encrypted by the first key;
receiving an access record list, wherein the access record list is generated according to a target access record, the target access record is obtained from the data storage system, the target access record is generated by the first service terminal or the second service terminal, the target access record comprises key information corresponding to a target key, and the root key corresponding to the target key is the same as the root key corresponding to the first key.
It should be noted that each unit included in the processing apparatus provided in the embodiment of the present application may be implemented by a processor in an electronic device; of course, it may also be implemented by a specific logic circuit. In the implementation process, the processor may be a Central Processing Unit (CPU), a Microprocessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
The above description of the apparatus embodiments, similar to the above description of the method embodiments, has similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus of the present application, reference is made to the description of the embodiments of the method of the present application for understanding.
It should be noted that, in the embodiment of the present application, if the data processing method is implemented in the form of a software functional module and sold or used as a standalone product, it may also be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, or the portions thereof that contribute to the related art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
In a fifth aspect, to implement the foregoing processing method, an embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory stores a computer program that is executable on the processor, and the processor implements the steps in the data processing method provided in the foregoing embodiment when executing the program.
Next, a configuration diagram of the electronic apparatus will be described with reference to the electronic apparatus 100 shown in fig. 10.
In an example, the electronic device 100 may be the electronic device described above. As shown in fig. 10, the electronic device 100 includes: a processor 1001, at least one communication bus 1002, a user interface 1003, at least one external communication interface 1004, and a memory 1005. Wherein the communication bus 1002 is configured to enable connected communication between these components. The user interface 1003 may include a display screen, and the external communication interface 1004 may include a standard wired interface and a wireless interface, among others.
The Memory 1005 is configured to store instructions and applications executable by the processor 1001, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the processor 1001 and modules in the electronic device, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
In a sixth aspect, the present application provides a storage medium, that is, a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the processing method provided in the foregoing embodiments.
It is to be noted here that: the above description of the storage medium and device embodiments is similar to the description of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus of the present application, reference is made to the description of the embodiments of the method of the present application for understanding.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in some embodiments" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus comprising the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated unit described above may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the related art may be embodied in the form of a software product stored in a storage medium, and including several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media that can store program code, such as removable storage devices, ROMs, magnetic or optical disks, etc.
The above description is only for the embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A processing method, applied to a first server, the method comprising:
receiving a first access request;
generating a first access record corresponding to the first access request;
uploading the first access record to enable the first access record to be stored in a data storage system, and enabling a second server to obtain the first access record from the data storage system.
2. The method of claim 1, wherein the data storage system comprises a first node and a second node, the first node is associated with the first server, the second node is associated with the second server, and the second node obtains and stores the first access record after the first access record is uploaded to the first node.
3. The method of claim 1, prior to generating the first access record corresponding to the first access request, the method further comprising:
obtaining a second access record, wherein the second access record is an access record uploaded to the data storage system by the second server, and the second access record has a first association relation with the first access request; the first association relation is used for representing that the second access record and the first access request relate to the same user information;
and verifying the first access request according to the second access record.
4. The method of claim 3, wherein the first access request is encrypted by a first key, the second access record includes key information corresponding to a second key, the first key is different from the second key, and a root key corresponding to the first key and the second key is the same.
5. The method of claim 3, the validating the first access request according to the second access record, comprising:
obtaining trust evaluation information in the second access record;
and verifying the first access request according to the trust evaluation information.
6. The method of claim 4, further comprising:
receiving a query request, the query request being encrypted by the first key;
acquiring a target access record from the data storage system, wherein the target access record comprises key information corresponding to a target key, the root key corresponding to the target key is the same as the root key corresponding to the first key, and the target key comprises the second key;
generating an access record list according to the target access information;
and outputting the access record list.
7. A processing method, applied to a first client, the method comprising:
sending a first access request to a first server, so that the first server generates a first access record corresponding to the first access request and uploads the first access record, the first access record is stored in a data storage system, and a second server can obtain the first access record from the data storage system.
8. The method of claim 7, the method comprising:
generating a first secret key, and sending a public key of the first secret key to the first server, so that the first server verifies the first access request according to the public key of the first secret key; the first access record comprises key information corresponding to the first key;
generating a second secret key, and sending the public key of the second secret key to the second server, so that the second server verifies a second access request of the first client according to the public key of the second secret key; the root key corresponding to the first key and the second key is the same, a second access record corresponding to the second access request is generated by the second server, the second access request is uploaded to the data storage system, and the second access request comprises key information corresponding to the second key.
9. The method of claim 8, further comprising:
sending a query request, the query request being encrypted by the first key;
receiving an access record list, wherein the access record list is generated according to a target access record, the target access record is obtained from the data storage system, the target access record is generated by the first server or the second server, the target access record comprises key information corresponding to a target key, and the root key corresponding to the target key is the same as the root key corresponding to the first key.
10. An electronic device comprising a memory and a processor, the memory storing a computer program operable on the processor, the processor implementing the processing method of any one of claims 1 to 9 when executing the program.
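As an added illustration of the flow in claims 1, 3, 5 and 6 (not code from the application): two servers share access records through a common store and link them by root key. The HMAC-based key derivation, the `root_id`/`key_id` fingerprints used as key information, the numeric `trust` field, and HMAC standing in for the public-key check of claim 8 are all assumptions.

```python
import hashlib
import hmac

STORE = []  # stand-in for the shared data storage system of claims 1-2

def derive_key(root: bytes, server_id: str) -> bytes:
    # Assumed derivation: one key per server, all from the same root key.
    return hmac.new(root, b"key:" + server_id.encode(), hashlib.sha256).digest()

def key_info(root: bytes, key: bytes) -> dict:
    # Assumed "key information": fingerprints only, never key material.
    return {"root_id": hashlib.sha256(b"root:" + root).hexdigest(),
            "key_id": hashlib.sha256(b"key:" + key).hexdigest()}

def sign(key: bytes, body: bytes) -> bytes:
    # HMAC tag standing in for the client's signature over a request.
    return hmac.new(key, body, hashlib.sha256).digest()

class Server:
    def __init__(self, name: str, min_trust: float = 0.5):
        self.name, self.min_trust, self.keys = name, min_trust, {}

    def register(self, info: dict, key: bytes) -> None:
        # Stand-in for receiving the client's public key (claim 8).
        self.keys[info["key_id"]] = (key, info)

    def handle(self, key_id: str, body: bytes, tag: bytes):
        if key_id not in self.keys:
            return None  # unknown key: nothing to attribute a record to
        key, info = self.keys[key_id]
        authentic = hmac.compare_digest(tag, sign(key, body))
        # Claims 3 and 5: records other servers uploaded for the same root key.
        peers = [r for r in STORE if r["server"] != self.name
                 and r["key_info"]["root_id"] == info["root_id"]]
        trusted = all(r["trust"] >= self.min_trust for r in peers)
        record = {"server": self.name, "key_info": info,
                  "request_sha256": hashlib.sha256(body).hexdigest(),
                  "trust": 1.0 if authentic and trusted else 0.0}
        STORE.append(record)  # claim 1: upload so the other server can read it
        return record

    def query(self, key_id: str) -> list:
        # Claim 6: every record whose key shares the caller's root key.
        root_id = self.keys[key_id][1]["root_id"]
        return [r for r in STORE if r["key_info"]["root_id"] == root_id]
```

In this sketch a single low-trust record blocks the same user on every other server, so a real policy would need to age out or weigh records rather than apply a hard threshold.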
CN202211512771.XA 2022-11-28 2022-11-28 Processing method, device, equipment and storage medium Pending CN115766268A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211512771.XA CN115766268A (en) 2022-11-28 2022-11-28 Processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115766268A true CN115766268A (en) 2023-03-07

Family

ID=85340476

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211512771.XA Pending CN115766268A (en) 2022-11-28 2022-11-28 Processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115766268A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination