CN116366252B - DOA-based data protection method for handle identification analysis technology - Google Patents
DOA-based data protection method for handle identification analysis technology Download PDFInfo
- Publication number
- CN116366252B CN116366252B CN202310272611.0A CN202310272611A CN116366252B CN 116366252 B CN116366252 B CN 116366252B CN 202310272611 A CN202310272611 A CN 202310272611A CN 116366252 B CN116366252 B CN 116366252B
- Authority
- CN
- China
- Prior art keywords
- data
- handle
- shared
- code
- authorized
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 65
- 238000004458 analytical method Methods 0.000 title claims abstract description 35
- 238000005516 engineering process Methods 0.000 title claims abstract description 29
- 230000007246 mechanism Effects 0.000 claims abstract description 62
- 238000012795 verification Methods 0.000 claims abstract description 12
- 238000013507 mapping Methods 0.000 claims abstract description 7
- 125000004122 cyclic group Chemical group 0.000 claims description 7
- 238000004590 computer program Methods 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 claims description 2
- 230000008520 organization Effects 0.000 abstract description 11
- 230000006870 function Effects 0.000 abstract description 10
- 238000007726 management method Methods 0.000 description 20
- 238000004422 calculation algorithm Methods 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- WLNBMPZUVDTASE-HXIISURNSA-N (2r,3r,4s,5r)-2-amino-3,4,5,6-tetrahydroxyhexanal;sulfuric acid Chemical compound [O-]S([O-])(=O)=O.O=C[C@H]([NH3+])[C@@H](O)[C@H](O)[C@H](O)CO.O=C[C@H]([NH3+])[C@@H](O)[C@H](O)[C@H](O)CO WLNBMPZUVDTASE-HXIISURNSA-N 0.000 description 6
- 230000008901 benefit Effects 0.000 description 4
- 238000013523 data management Methods 0.000 description 4
- 206010063344 microscopic polyangiitis Diseases 0.000 description 4
- 238000013475 authorization Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000006872 improvement Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- WXZOXVVKILCOPG-UHFFFAOYSA-N bis(2-ethylhexyl) benzene-1,3-dicarboxylate Chemical compound CCCCC(CC)COC(=O)C1=CC=CC(C(=O)OCC(CC)CCCC)=C1 WXZOXVVKILCOPG-UHFFFAOYSA-N 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000002349 favourable effect Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 210000001503 joint Anatomy 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 238000011144 upstream manufacturing Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mathematical Optimization (AREA)
- Mathematical Analysis (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a data protection method based on a handle identification analysis technology of DOA. The data protection method based on the handle identification analysis technology of the DOA comprises the following steps: constructing a handle code and associating data to be shared; constructing bilinear mapping e, and generating a public key v and a private key x; determining an authorized data using mechanism, and transmitting the handle code and the private key x to the authorized data using mechanism; receiving verification information returned by the authorized data using mechanism, wherein the verification information comprises a suffix of a handle code and signature information sigma, and performing authority authentication on the authorized data using mechanism; and if and only if the authorized data use organization passes the authority authentication, sharing the data to be shared to the authorized data use organization based on the handle. The invention can overcome the restriction and limitation of the present handle in the aspect of data protection, provide necessary protection for users on data and provide necessary conditions for realizing rich use functions.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a data protection method based on a handle identification analysis technology of DOA.
Background
The DOA/Handle is a digital information management system which is managed by the International organization, distributed globally, and can be used for positioning digital objects on the Internet and realizing interconnection, intercommunication and interoperation. The method has four core functions of coding, analysis, data management and information security. Independent resolution system, independent of DNS, compatible with existing identities. Is praised by the ITU as a key infrastructure for the next generation of internet.
The DOA/Handle is one of the currently mainstream identification analysis technologies, and compared with the currently mainstream identification analysis technologies, such as OID EDODE GS, the Handle system is a more complete digital object management system, and has the characteristics of globally unique registration and locally providing data service, so that the digital object can be analyzed and managed.
Based on the outstanding characteristics of the handle system distributed data management architecture and the analytic mechanism, the method is very convenient for developing the data resource cooperative utilization of cross-region, cross-industry, cross-platform and cross-system. The Handle system is favorable for connecting with the Internet, is autonomously controllable in management, and is the preferred technology of the next generation of Internet.
However, the conventional handle identification analysis technical system of DOA lacks a due data protection mechanism, and restricts the development and application of handle technology.
Disclosure of Invention
The embodiment of the invention provides a data protection method based on a handle identification analysis technology of DOA, which is used for solving the problem that the handle identification technology in the prior art lacks a data protection mechanism.
According to the embodiment of the invention, the data protection method based on the handle identification analysis technology of the DOA comprises the following steps:
constructing a handle code and associating data to be shared;
constructing bilinear mapping e, and generating a public key v and a private key x;
determining an authorized data using mechanism, and transmitting the handle code and the private key x to the authorized data using mechanism;
receiving verification information returned by the authorized data using mechanism, wherein the verification information comprises suffix and signature information sigma of the handle code, and performs authority authentication on the authorized data using mechanism according to a formula e (g, sigma) =e (v, x), wherein g is public information and satisfies the following conditions: v=g x (modp), p is a large prime number;
and if and only if the authorized data using mechanism passes the authority authentication, sharing the data to be shared to the authorized data using mechanism based on the handle.
According to some embodiments of the invention, the associating the data to be shared includes:
and writing the data to be shared into the code value of the handle code.
According to some embodiments of the invention, the constructing the bilinear map e includes:
constructing a bilinear map e: g 1 ×G 2 →G t Wherein G is 1 、G 2 And Gt are both p factorial cyclic groups.
According to some embodiments of the invention, the generating the public key v and the private key x comprises:
from the slaveThe private key x, is obtained randomly>Integer remainder class rings for non-zero modulo p;
based on the private key x, v=g according to the formula x (modp) obtaining a public key v;
wherein g is a generator in the p factorial cyclic group.
According to some embodiments of the invention, the signature information σ is according to formula (θ) x And (c) calculating to obtain the value of [ sigma ], wherein [ theta ] is a hash value of the suffix of the handle code.
According to some embodiments of the invention, the verification information is a suffix of the handle code plus signature information σ.
According to some embodiments of the invention, the sharing the data to be shared to the authorized data using mechanism based on the handle includes:
determining associated data to be shared according to the handle code;
and sharing the data to be shared to the authorized data using mechanism.
According to some embodiments of the invention, the method further comprises:
encrypting the data to be shared based on the public key v;
the sharing the data to be shared to the authorized data using mechanism comprises the following steps:
and decrypting the data to be shared based on the private key x and sharing the decrypted data to the authorized data using mechanism.
According to an embodiment of the invention, a data protection device based on a handle identifier parsing technology of DOA includes: a memory, a processor, and a computer program stored on the memory and executable on the processor, which when executed by the processor, performs the steps of a data protection method of a DOA-based handle identification resolution technique as described above.
According to the computer readable storage medium of the embodiment of the invention, an information transmission implementation program is stored on the computer readable storage medium, and when the program is executed by a processor, the steps of the data protection method based on the handle identification analysis technology of DOA are implemented.
By adopting the embodiment of the invention, the restriction and limitation of the present handle in the aspect of data protection can be overcome, necessary protection for data can be provided for users, and necessary conditions can be provided for realizing rich use functions.
The foregoing description is only an overview of the present invention, and is intended to be implemented in accordance with the teachings of the present invention in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present invention more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. In the drawings:
FIG. 1 is a flow chart of a data protection method based on the handle identification parsing technique of DOA in an embodiment of the invention;
FIG. 2 is a diagram illustrating code values of a handle code according to an embodiment of the present invention;
FIG. 3 is a flowchart of a data protection method based on the handle identifier parsing technique of DOA in an embodiment of the present invention;
fig. 4 is a data protection method information interaction diagram based on the handle identifier parsing technology of the DOA in the embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In other instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
As shown in fig. 1, a data protection method based on a handle identifier parsing technology of a DOA according to an embodiment of the present invention includes:
s1, constructing a handle code and associating data to be shared; it can be understood that a handle is correspondingly set for each data to be shared, so that the corresponding data to be shared can be determined based on the handle code.
S2, constructing bilinear mapping e, and generating a public key v and a private key x; the public key v is public and the private key x is not.
S3, determining an authorized data using mechanism, and sending the handle code and the private key x to the authorized data using mechanism;
the authorized data use mechanism is a mechanism which has the right to obtain the data to be shared, and the authorized data use mechanism does not have the right to obtain the data to be shared. The authorized data use organization may obtain the handle code and the private key x, and not the authorized data use organization has no rights to obtain the handle code and the private key x.
S4, receiving verification information returned by the authorized data using mechanism, wherein the verification information comprises suffix and signature information sigma of the handle code, and carrying out authority authentication on the authorized data using mechanism according to a formula e (g, sigma) =e (v, x), wherein g is public information and meets the following conditions: v=g x (modp), p is a large prime number;
and if and only if the authorized data using mechanism passes the authority authentication, sharing the data to be shared to the authorized data using mechanism based on the handle.
It is generally known that a handle code consists of a prefix and a suffix, wherein the suffix is defined by the user himself. For example, the handle code is 86. Xxx/yyyy, where yyy is the suffix of the handle code, and yyy may be defined according to the user's requirements. Because the user accesses the data and can find the position of the data through the analysis of the handle code on the Internet, the data security sharing can be realized by effectively protecting the suffix, the suffix yyy of the handle code is generated, and the suffix generation method meets the requirements of yyy E {1,0} * 。
In the process of authority authentication of the authorized data using organization, if e (g, sigma) =e (v, x) is satisfied, the authority authentication is passed, otherwise, the authority authentication is not passed.
By adopting the embodiment of the invention, the handle code and the private key x are sent to the authorized data using mechanism, and then the authorized data using mechanism is authenticated based on the signature information, so that the protection of the data to be shared corresponding to the handle code can be realized, the restriction and limitation of the present handle in the aspect of data protection can be overcome, the necessary protection of the data is provided for the user, and the necessary condition is provided for realizing rich using functions.
On the basis of the above-described embodiments, various modified embodiments are further proposed, and it is to be noted here that only the differences from the above-described embodiments are described in the various modified embodiments for the sake of brevity of description.
According to some embodiments of the invention, the associating the data to be shared includes:
and writing the data to be shared into the code value of the handle code, as shown in fig. 2.
According to some embodiments of the invention, the constructing the bilinear map e includes:
constructing a bilinear map e: g 1 ×G 2 →G t Wherein G is 1 、G 2 And Gt are both p factorial cyclic groups.
According to some embodiments of the invention, the generating the public key v and the private key x comprises:
from the slaveThe private key x, is obtained randomly>Integer remainder class rings for non-zero modulo p;
based on the private key x, v=g according to the formula x (modp) obtaining a public key v;
wherein g is a generator in the p factorial cyclic group.
According to some embodiments of the invention, the signature information σ is according to formula (θ) x And (c) calculating to obtain the value of [ sigma ], wherein [ theta ] is a hash value of the suffix of the handle code.
Signature information sigma is a hash value calculated by authorized data using organization for suffix (e.g. H (yyy) =θ), and then according to formula (θ) x =σ is calculated from the suffix hash value with private key x, σ is a digital signature of the handle code suffix yyy.
In some embodiments of the present invention, the handle code may be updated based on the signature information σ, where the updated handle code is associated with the data to be shared. For example, if the original handle code is 86.Xxx/yyy, the updated handle code is 86.Xxx/yyyσ. Then the other user mechanisms (e.g., H mechanism in fig. 4) cannot obtain the data to be shared through 86.Xxx/yyy, even if they obtain 86. Xxx/yyy. Only authorized data use organizations (e.g., organization a in fig. 4) can obtain the data to be shared through the updated 86. Xxx/yyyy sigma.
In some embodiments of the present invention, the authorized data use mechanism does not save after obtaining the data to be shared, but only saves the updated 86.Xxx/yyyσ, so that the data to be shared can be accessed based on the updated 86.Xxx/yyyσ.
According to some embodiments of the invention, the verification information is a suffix of the handle code plus signature information σ. For example, if the prefix of the handle code is yyy, the verification information is yyyσ.
According to some embodiments of the invention, the sharing the data to be shared to the authorized data using mechanism based on the handle includes:
determining associated data to be shared according to the handle; if the handle is updated, determining the associated data to be shared according to the updated handle code.
And sharing the data to be shared to the authorized data using mechanism.
According to some embodiments of the invention, the method further comprises:
encrypting the data to be shared based on the public key v;
the sharing the data to be shared to the authorized data using mechanism comprises the following steps:
and decrypting the data to be shared based on the private key x and sharing the decrypted data to the authorized data using mechanism. Or,
the sharing the data to be shared to the authorized data using mechanism comprises the following steps:
and sharing the encrypted data to be shared to the authorized data using mechanism, and decrypting the data to be shared by the authorized data using mechanism based on the private key x.
By adopting the asymmetric encryption algorithm, the data to be shared can be protected, and even if the data to be shared is disclosed, the content of the data to be shared can not be directly acquired.
The asymmetric encryption algorithm requires two keys: public keys (also known as public keys) and private keys (also known as private keys). The public key and the private key are a pair, and if the data is encrypted by the public key, the data can be decrypted only by the corresponding private key; if the data is encrypted with a private key, then decryption is only possible with the corresponding public key. Because two different keys are used for encryption and decryption, this algorithm is called an asymmetric encryption algorithm.
Characteristics of asymmetric cryptosystem: the algorithm strength is complex, the security depends on the algorithm and the secret key, but the encryption and decryption speeds are not as fast as the symmetric encryption and decryption speeds due to the complex algorithm. There is only one key in the symmetric cryptosystem and it is not public and the other party is made aware of the key if it is to be decrypted. The security is guaranteed by guaranteeing the security of the secret key, and the asymmetric secret key system has two secret keys, one of which is public, so that the secret key of the other party can be transmitted without the need of the secret key of the other party like a secret code. Thus the security is much greater.
The following describes in detail a data protection method based on the handle identifier parsing technique of the DOA according to the embodiment of the present invention with a specific embodiment. It is to be understood that the following description is exemplary only and is not intended to limit the invention in any way. All similar structures and similar variations of the invention are included in the scope of the invention.
The data protection method based on the handle identification analysis technology of the DOA is based on the handle identification analysis technology of the DOA and is special for a handle identification analysis information system of the DOA, so that the data security of the handle identification analysis information system of the DOA can be enhanced, the handle identification data function of the conventional DOA is expanded, the usability of the application of the handle system is improved, and the data security of the handle system is enhanced.
The DOA/Handle is a digital information management system which is managed by the International organization, distributed globally, and can be used for positioning digital objects on the Internet and realizing interconnection, intercommunication and interoperation. The method has four core functions of coding, analysis, data management and information security. Independent resolution system, independent of DNS, compatible with existing identities. Is praised by the ITU as a key infrastructure for the next generation of internet.
The DOA/Handle is one of the currently mainstream identification analysis technologies, and compared with the currently mainstream identification analysis technologies, such as OID EDODE GS1, the Handle system is a more complete digital object management system, is globally unique in registration, locally provides the characteristics of data service, and can analyze digital objects and manage digital objects.
Based on the outstanding characteristics of the handle system distributed data management architecture and the analytic mechanism, the method is very convenient for developing the data resource cooperative utilization of cross-region, cross-industry, cross-platform and cross-system. The Handle system is favorable for connecting with the Internet, is autonomously controllable in management, and is the preferred technology of the next generation of Internet.
The DONA foundation is a non-government, non-profit organization in Switzerland, responsible for promoting the application of Digital Object Architecture (DOA) and for the operation and management of the global Handle system. The DONA foundation is responsible for authorizing, authenticating and coordinating a global highest authority Manager (MPA), which is similar to a root server of the first generation Internet, is a global root node of which the Handle system operates independently and cooperates with each other, is responsible for Handle global root services, is an equal, negotiating and co-managing relationship with each other, can create Handle codes and has the right to manage the Handle codes.
The Digital Object Architecture (DOA) abstracts all things, processes, services and various data on the Internet into Data Objects (DO), so that information management and sharing are independent of host equipment and independent of an information system, and the attribute, access right, information interface and other contents of the information can be obtained through a unified rule. The Handle system is a key technology system for implementing DOA. The method defines a set of mature and compatible coding rules, and has a set of stable background analysis system and an autonomous controllable global distributed management architecture.
The DOA architecture mainly comprises two protocol supports, namely a Handle protocol and a DOIP protocol, wherein the Handle is a core protocol of the DOA architecture, and is used for realizing digital object identification, analysis, information management, security and the like and is also a foundation for realizing the DOIP protocol.
The Handle system has great innovation space and is responsible for management and popularization work by the Swiss DONA foundation. The method is a set of technical system which originates from the Internet and aims at realizing the identification registration, analysis, management and security of the information system. Under the support of the Handle system, the secure interoperation among heterogeneous, remote and remote main information systems can be realized.
Firstly, the Handle system has a set of independent global analytic system, and has the unique advantages of solving the problems of information exchange, opening and sharing among different places, different hosts and heterogeneous systems.
And secondly, the Handle system has a set of coding rules which are fully compatible with the prior coding technology, and can be used for quickly and low-cost butting of information systems of enterprises at the upstream and downstream of a supply chain on the basis of not changing the prior information system.
Finally, the distributed storage architecture of the Handle system can effectively avoid the problems of unclear data attribution right, excessively bloated information system and the like caused by the uploading mode of the data set.
The handle system defines a hierarchical set of service models, with the top-level service consisting of a global service called GHR. Below which is made up of other Handle services, commonly referred to as LHS. LHS is in the lower layer of GHR, which is responsible for all Handle services under a certain or some Handle prefix.
GHR is responsible for management by the international organization DONA. DONA authorizes multiple MPAs to be in charge of the operation of GHR in the global scope, and each MPA is equal, negotiated and managed together, each MPA has a Handle prefix which is independently managed, and all lower-level LHSs of the prefix are allocated and analyzed.
An important feature of the Handle system is that it employs a distributed architecture. The Handle system as a whole is made up of many Handle services. Each Handle service consists of one or more service sites (sites). Each service site under the same Handle service has the same function. A service site may contain one or more Handle servers. Handle requests to the service site should ultimately be distributed to these Handle servers. The Handle system should consist of any number of Handle services; the number of service sites constituting the Handle service is not limited; the number of servers constituting the service site is not limited as well.
The Handle system gives a unique, legal, safe and permanent identification to various objects (documents, images, multimedia and the like) on the network in a certain mode, and the functions of reading, positioning, tracking, inquiring, applying and the like of the identified objects can be realized through the identification and analysis.
The method has the characteristics of maturity (possessing a global distributed system, application in nearly 70 countries), uniqueness (ensuring that the identifier is unique in the global scope), safety (ensuring that the identifier is registered, analyzed and managed to operate safely), compatibility (being compatible with various existing identifiers), expandability (possessing enough capacity), practicability (being simple in form, easy to store, read and process, good in economical efficiency) and the like, can be organically integrated with two-dimension codes, RFID, databases, information systems and the like, realizes seamless butt joint with the original system and low-cost interoperation among different application systems at low cost, effectively and reasonably solves the phenomenon of information island, provides international standard-compliant and global unified identification service and information management service for downstream enterprises on the industrial Internet, and is an important underlying commonality technology of the industrial Internet.
The Handle has an independent resolution system, is compatible and complementary with the DNS, and is not limited by the DNS and runs autonomously. The domain name system as an identification layer provides effective support for internet applications. To meet the higher application demands, including industrial internet, the identification layer in the internet architecture needs to be extended from "server-oriented" to "server-oriented" and information-oriented ". The identification resolution system is an important means for supporting the 'servers and information as main bodies'. At present, a plurality of identification analysis schemes at home and abroad are totally divided into two development paths. To identify whether there are two paths (improvement and reformulation paths) for the resolution hierarchy to evolve based on DNS differentiation. The improved path is still based on the internet DNS system, and the identification resolution is implemented in the existing internet DNS resolution system with appropriate improvements. The innovation path adopts a brand new identification analysis system, and is mainly a Handle scheme proposed by a digital object name management agency (DONA foundation).
The Handle system can provide Handle analysis and management services for networks such as public networks. Each handle may be assigned to a set of values. The client may use the handle resolution service to resolve the handle to its settings. Each handle has a data type and a unique index value (value index). The client may query for a particular handle value based on the data type or index value. The handle management service manages handles by responding to requests from clients, including adding, deleting, modifying, etc. handle values. The handle management service also manages naming authorities through naming authority handles. Each handle may have its own administrator or administrators, each of which may be granted certain rights. The Handle system authentication protocol will authenticate the Handle administrator before any management requests are sent.
The Handle system may provide a range of security services such as client and server authentication; data confidentiality and integrity; non-default. By default, handle resolution does not require any client authentication. However, for any confidential data resolution request assigned to handle (by its administrator), and any management request (e.g., adding or deleting handle values), proper authorization authentication of the client is required. During the authorization process, the server will determine whether the client has access to these confidential handle values, or whether it has the right to add or update the handle and handle values. When authentication is required, the handle server will send a challenge to the client before executing its request. In order to meet the authentication requirements, the client must send back the correct response, proving it to be a qualified administrator. Only after the client authentication is successful will the handle server respond to the original request. The handle client may choose to use a secret key or public key for cryptographic authentication. Authentication of the Handle system may also be performed through a third party authentication service. To ensure data integrity, the client may require a digitally signed response from any handle server. They can also establish a secure communication session with the handle server so that any exchanged information can be encrypted with the session key (to ensure data confidentiality). The handle server may also provide confidentiality by encrypting the handle data before it is sent to the client.
The Handle system provides service options for secure information exchange between the client and the server. But this of course does not guarantee the authenticity of the handle value. The value assigned to the handle error by the administrator is likely to mislead the client.
On the other hand, the handle value may contain references to other handle values to provide additional credentials. For example, a handle value R (e.g., a request) may contain references to other (trusted sources) digital signatures, so that the handle value R may be trusted as long as the client trusts the signature.
The Handle code of the Handle identification analysis system is in a key value relation with the data objects, the positions of the corresponding data objects can be determined on the Internet through the Handle code, namely the nodes where the corresponding data objects are located and the paths in the node computers, and the data objects can be accessed through accessing the data objects so as to access the data object members in the data objects, thereby accessing useful data and data attributes. One of the important applications of handle technology is to share data, and in the application scenario of sharing data, sensitive data needs to be protected.
Fig. 3 is a flowchart of a data protection method based on a handle identifier analysis technique of an embodiment of the present invention, fig. 4 is an information interaction diagram of a data protection method based on a handle identifier analysis technique of an embodiment of the present invention, in fig. 4, a U user is a handle code user and is also a data D holding user, data D is data to be shared by a user U in a handle system, a mechanism and an H mechanism are both mechanism data users on the handle system, a mechanism is an authorized data use mechanism for data to be shared, and an H mechanism is an unauthorized other user.
Referring to fig. 3 and fig. 4, a data protection method based on a handle identifier parsing technique of a DOA according to an embodiment of the present invention includes:
step one, the handle system is a key structure, firstly, data D to be shared is written into a handle 1e code value V, and the method is shown with reference to FIG. 2;
the handle code is composed of prefix/suffix, the suffix is defined by user, special suffix, for example 86.Xxx/yyy is adopted, wherein yyy is the suffix of the handle code, yyy can be defined according to user requirements, because the user accesses data and can find the position of the data through analysis of the handle code on the Internet, the effective protection of the suffix can realize data security sharing, the suffix yyy of the handle code is generated, and the suffix generation method meets the requirements of yyy E {1,0} * 。
Step two, a special bilinear mapping e structure is constructed, for example: mapping e: g 1 ×G 2 →G t Wherein G is 1 、G 2 And Gt is p factorial cyclic group, p isA large prime number;
step three, the user U receives the information from the userThe element is selected by adopting a random method>Used as a private key, wherein Z p The remaining class of rings, which is modulo p, p being the large prime number described above, is represented by the formula v=g x Calculating a public key, where x can be used as a private key and v can be used as a public key, requiring that x and v satisfy v=g x (mod p) condition, randomly selecting a signature key pair from the above calculation result to be represented as (v, x), wherein v is a public key and x is a private key;
step four, the user U discloses { g, v } on the internet, and keeps x secret;
step five, the user U sends the handle code and the private key parameter information x to an authorized data using mechanism A mechanism, for example, sends the handle code 86.Xxx/yyy and x to the mechanism A;
step six, user a calculates hash value H (yyy) =θ for the suffix, and calculates (θ) for the suffix hash value with private key x x =σ, σ is a digital signature on the handle code suffix yyy;
step seven, after the user A signs the suffix yyy by using a private key x, signature information sigma is added to the rear of the suffix yyy to construct yyysigma, and the yyysigma is sent to the user U;
step eight, the user a accesses the data D through the handle code, for example, the 86.Xxx/yyy access process system requires a to input authorization information, the system authenticates the access right of a by calculating e (g, sigma) =e (v, x), and e is bilinear mapping;
the unauthorized entity H cannot access the DATA even if it obtains the handle code 86. Xxx/yyy.
In order to realize protection of the handle code suffix, a special asymmetric encryption mode is suitable to be adopted, the embodiment of the invention adopts a special public key and private key pair which effectively encrypts the handle code suffix aiming at the characteristics of the handle code suffix, adopts a special encryption algorithm to encrypt the handle suffix, and then can be used after the access authority of the suffix is authenticated, and in order to adopt the special asymmetric encryption algorithm, the suffix is encrypted and authenticated.
According to the data protection method based on the Handle identification analysis technology of the DOA, double protection, encryption protection and authority protection on the Handle code are realized under a data sharing scene, the data object is protected to be shared only by users with authorities, even if the non-authority user obtains the Handle code which is not effective, the data object cannot be accessed for analysis, even if the Handle code is cracked, the address of the Handle data object can be analyzed, and because the access authority of the Handle code is not available, the data object and the data corresponding to the Handle code cannot be analyzed. The invention further protects the data pointed by the handle code by encrypting and authenticating the handle code itself.
It should be noted that the above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and changes will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
According to an embodiment of the invention, a data protection device based on a handle identifier parsing technology of DOA includes: a memory, a processor, and a computer program stored on the memory and executable on the processor, which when executed by the processor, performs the steps of a data protection method of a DOA-based handle identification resolution technique as described above.
By adopting the embodiment of the invention, the handle code and the private key x are sent to the authorized data using mechanism, and then the authorized data using mechanism is authenticated based on the signature information, so that the protection of the data to be shared corresponding to the handle code can be realized, the restriction and limitation of the present handle in the aspect of data protection can be overcome, the necessary protection of the data is provided for the user, and the necessary condition is provided for realizing rich using functions.
According to the computer readable storage medium of the embodiment of the invention, an information transmission implementation program is stored on the computer readable storage medium, and when the program is executed by a processor, the steps of the data protection method based on the handle identification analysis technology of DOA are implemented.
Note that the computer readable storage medium according to the present embodiment includes, but is not limited to: ROM, RAM, magnetic or optical disks, etc. The program-driven processor may be a mobile phone, a computer, a server, an air conditioner, or a network device.
By adopting the embodiment of the invention, the handle code and the private key x are sent to the authorized data using mechanism, and then the authorized data using mechanism is authenticated based on the signature information, so that the protection of the data to be shared corresponding to the handle code can be realized, the restriction and limitation of the present handle in the aspect of data protection can be overcome, the necessary protection of the data is provided for the user, and the necessary condition is provided for realizing rich using functions.
It should be noted that in the description of the present specification, descriptions of terms "one embodiment," "some embodiments," "illustrative embodiments," "examples," "specific examples," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Although some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. The particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. For example, in the claims, any of the claimed embodiments may be used in any combination.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Any reference signs placed between parentheses shall not be construed as limiting the claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The use of the words first, second, third, etc. are used to distinguish between similar objects and not to indicate any order. These words may be interpreted as names.
"and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
Claims (6)
1. The data protection method based on the handle identification analysis technology of the DOA is characterized by comprising the following steps of:
constructing a handle code and associating data to be shared;
constructing bilinear mapping e, and generating a public key v and a private key x;
determining an authorized data using mechanism, and transmitting the handle code and the private key x to the authorized data using mechanism;
receiving verification information returned by the authorized data using mechanism, wherein the verification information comprises suffix and signature information sigma of the handle code, and performs authority authentication on the authorized data using mechanism according to a formula e (g, sigma) =e (v, x), wherein g is public information and satisfies the following conditions: v=g x (modp), p is a large prime number;
if and only if the authorized data using mechanism passes the authority authentication, sharing the data to be shared to the authorized data using mechanism based on the handle;
the constructing the bilinear map e includes:
constructing a bilinear map e: g 1 ×G 2 →G t Wherein G is 1 、G 2 And Gt are p factorial cyclic groups;
the generating the public key v and the private key x includes:
from the slaveThe private key x, is obtained randomly>Integer remainder class rings for non-zero modulo p;
based on the private key x, v=g according to the formula x (modp) obtaining a public key v;
wherein g is a generator in the p factorial cyclic group;
the signature information sigma is according to the formula (theta) x Calculation of [ sigma ], wherein [ theta ] is a hash value of the suffix of the handle code;
and the verification information adds signature information sigma to the suffix of the handle code.
2. The method of claim 1, wherein the associating the data to be shared comprises:
and writing the data to be shared into the code value of the handle code.
3. The method of claim 1, wherein the sharing the data to be shared to the authorized data use mechanism based on the handle comprises:
determining associated data to be shared according to the handle code;
and sharing the data to be shared to the authorized data using mechanism.
4. A method as claimed in claim 3, wherein the method further comprises:
encrypting the data to be shared based on the public key v;
the sharing the data to be shared to the authorized data using mechanism comprises the following steps:
and decrypting the data to be shared based on the private key x and sharing the decrypted data to the authorized data using mechanism.
5. A data protection device based on a handle identifier parsing technique of a DOA, comprising: memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor, performs the steps of the data protection method of the DOA based handle identity resolution technique as claimed in any one of claims 1 to 4.
6. A computer-readable storage medium, wherein a program for implementing information transfer is stored on the computer-readable storage medium, and the program when executed by a processor implements the steps of the data protection method according to the DOA-based handle identifier resolution technique as claimed in any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310272611.0A CN116366252B (en) | 2023-03-17 | 2023-03-17 | DOA-based data protection method for handle identification analysis technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310272611.0A CN116366252B (en) | 2023-03-17 | 2023-03-17 | DOA-based data protection method for handle identification analysis technology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116366252A CN116366252A (en) | 2023-06-30 |
| CN116366252B true CN116366252B (en) | 2024-01-30 |
Family
ID=86934939
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310272611.0A Active CN116366252B (en) | 2023-03-17 | 2023-03-17 | DOA-based data protection method for handle identification analysis technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116366252B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116842546A (en) * | 2023-07-14 | 2023-10-03 | 临沂大学 | Distributed data access authorization and data service method and device, equipment and medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104219232A (en) * | 2014-08-26 | 2014-12-17 | 浙江大学 | Method for controlling file security of block distributed file system |
| US10848301B1 (en) * | 2018-07-20 | 2020-11-24 | Verisign, Inc. | DNS-based public key infrastructure for digital object architectures |
| CN113114619A (en) * | 2021-03-02 | 2021-07-13 | 杭州海康威视数字技术股份有限公司 | Video identification analysis method, device and system based on Handle system |
| CN114513339A (en) * | 2022-01-21 | 2022-05-17 | 国网浙江省电力有限公司金华供电公司 | Security authentication method, system and device |
| CN114513370A (en) * | 2022-04-19 | 2022-05-17 | 中国信息通信研究院 | Universal identification data conversion method and device, storage medium and electronic equipment |
| EP4009223A1 (en) * | 2020-12-07 | 2022-06-08 | EM Microelectronic-Marin SA | Method for providing asymmetric identification and access with respect to a radio-frequency tag |
| WO2022266364A1 (en) * | 2021-06-17 | 2022-12-22 | The @ Company | Enhanced login processes using proprietary security and protocol for sharing and managing personal information |
-
2023
- 2023-03-17 CN CN202310272611.0A patent/CN116366252B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104219232A (en) * | 2014-08-26 | 2014-12-17 | 浙江大学 | Method for controlling file security of block distributed file system |
| US10848301B1 (en) * | 2018-07-20 | 2020-11-24 | Verisign, Inc. | DNS-based public key infrastructure for digital object architectures |
| EP4009223A1 (en) * | 2020-12-07 | 2022-06-08 | EM Microelectronic-Marin SA | Method for providing asymmetric identification and access with respect to a radio-frequency tag |
| CN113114619A (en) * | 2021-03-02 | 2021-07-13 | 杭州海康威视数字技术股份有限公司 | Video identification analysis method, device and system based on Handle system |
| WO2022266364A1 (en) * | 2021-06-17 | 2022-12-22 | The @ Company | Enhanced login processes using proprietary security and protocol for sharing and managing personal information |
| CN114513339A (en) * | 2022-01-21 | 2022-05-17 | 国网浙江省电力有限公司金华供电公司 | Security authentication method, system and device |
| CN114513370A (en) * | 2022-04-19 | 2022-05-17 | 中国信息通信研究院 | Universal identification data conversion method and device, storage medium and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116366252A (en) | 2023-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Chow et al. | Spice–simple privacy-preserving identity-management for cloud environment | |
| Bernabe et al. | Holistic Privacy-Preserving Identity Management System for the Internet of Things. | |
| Schanzenbach et al. | reclaimID: Secure, self-sovereign identities using name systems and attribute-based encryption | |
| Tassanaviboon et al. | Oauth and abe based authorization in semi-trusted cloud computing: aauth | |
| JP2009514072A (en) | Method for providing secure access to computer resources | |
| JP5065682B2 (en) | System and method for name resolution | |
| US7315950B1 (en) | Method of securely sharing information over public networks using untrusted service providers and tightly controlling client accessibility | |
| CN116366252B (en) | DOA-based data protection method for handle identification analysis technology | |
| CN115426136A (en) | Cross-domain access control method and system based on block chain | |
| EP3817320B1 (en) | Blockchain-based system for issuing and validating certificates | |
| Li et al. | Multi-user searchable encryption with a designated server | |
| Gawande et al. | Decentralized and secure multimedia sharing application over named data networking | |
| Bernal Bernabe et al. | Holistic Privacy‐Preserving Identity Management System for the Internet of Things | |
| CN114826702A (en) | Database access password encryption method and device and computer equipment | |
| JP3908982B2 (en) | CUG (Closed User Group) management method, CUG providing system, CUG providing program, and storage medium storing CUG providing program | |
| Fotiou et al. | Capability-based access control for multi-tenant systems using OAuth 2.0 and Verifiable Credentials | |
| Ali et al. | Provable secure lightweight attribute‐based keyword search for cloud‐based Internet of Things networks | |
| CN113569298A (en) | Identity generation method and identity system based on block chain | |
| Kaffel-Ben Ayed et al. | A generic Kerberos-based access control system for the cloud | |
| Bertino et al. | Securing named data networks: Challenges and the way forward | |
| Gutiérrez et al. | Web Services Security: is the problem solved? | |
| Alzahrani | Self-protected content for information-centric networking architectures using verifiable credentials | |
| Ferretti et al. | Verifiable delegated authorization for user-centric architectures and an OAuth2 implementation | |
| Lampropoulos et al. | Introducing a cross federation identity solution for converged network environments | |
| Celiktas et al. | A Higher Level Security Protocol for Cloud Computing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |