CN116910739A - Device data access control method, system, device and medium based on block chain - Google Patents


Info

Publication number
CN116910739A
Authority
CN
China
Prior art keywords
data
equipment
key
random number
blockchain
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310777656.3A
Other languages
Chinese (zh)
Inventor
谢毅
吴飞
何德明
吴谋凡
孔美美
张晓燕
黄娟娟
陈林
李霆
何金栋
朱星伟
章成
刘宇轩
吴华锋
黄江东
刘涵
胡晓卉
李虹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Fujian Electric Power Co Ltd
Ningde Power Supply Co of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Fujian Electric Power Co Ltd
Ningde Power Supply Co of State Grid Fujian Electric Power Co Ltd
Application filed by State Grid Fujian Electric Power Co Ltd, Ningde Power Supply Co of State Grid Fujian Electric Power Co Ltd
Priority to CN202310777656.3A
Publication of CN116910739A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • G06F2211/008 Public Key, Asymmetric Key, Asymmetric Encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a blockchain-based device data access control method comprising the following steps: initialization, in which an authentication server generates initial elliptic curve parameters and publishes them on the blockchain; device registration, in which a device sends a registration request to the authentication server and the server, on receiving the request, performs key agreement with the device so that a device public-private key pair is generated and used for mutual authentication; after authentication succeeds, adding the device to the legitimate device list on the blockchain; when a legitimate device needs to access data uploaded by another legitimate device, the data owner device initiates a key agreement request to the access-requesting device, a session key is generated, and the data is encrypted with the session key and sent to the access-requesting device; the access-requesting device decrypts with the session key, generates a data digest, and compares it with the data digest on the blockchain, accepting the data if the two match and discarding it otherwise.

Description

Device data access control method, system, device and medium based on block chain
Technical Field
The application relates to a blockchain-based device data access control method, system, device and medium, and belongs to the technical field of access control.
Background
The power Internet of Things can efficiently integrate power facility resources and build an intelligent power system with functions such as remote control, real-time monitoring and performance optimization. Different power devices in the same scenario often belong to different institutions; device data is difficult to share across institutions, and sometimes devices are only allowed to share part of their data. Under traditional access control, data access between institutions is controlled by a central permission server. This centralized structure copes poorly with a continuously growing number of devices, and its scalability is greatly limited.
Disclosure of Invention
The present application has been made to solve the above-mentioned problems occurring in the prior art.
The technical solution of the application is as follows:
In one aspect, the application provides a blockchain-based device data access control method comprising the following steps:
initialization: an authentication server generates initial elliptic curve parameters and publishes them on the blockchain;
device registration: the device sends a registration request to the authentication server; on receiving the request, the authentication server performs key agreement with the device; the device generates a device public-private key pair from the information it receives and uses the key pair for mutual authentication with the authentication server;
after authentication succeeds, the device is added to the legitimate device list on the blockchain, and legitimate devices upload data and the corresponding data digests to the blockchain for other devices to query;
when a legitimate device needs to access data uploaded by another legitimate device, a smart contract is triggered to generate an access request; the data owner device initiates a key agreement request to the access-requesting device, a session key is generated, and the data is encrypted with the session key and sent to the access-requesting device;
the access-requesting device decrypts with the session key, generates a data digest, and compares it with the data digest on the blockchain, accepting the data if the two match and discarding it otherwise.
In a preferred embodiment, the step in which the authentication server performs key agreement with the device after receiving the registration request, the device generates a device public-private key pair from the received information, and the key pair is used for mutual authentication with the authentication server specifically includes:
after receiving the registration request, the authentication server verifies the validity of the device information according to the registration request; it generates a random number in the finite field of the elliptic curve according to the initial elliptic curve parameters, encrypts the random number with the server private key, and sends the encrypted random number to the device;
after receiving the encrypted information, the device decrypts it with the server public key provided by the authentication server to obtain the random number, passes the random number and the device ID as parameters to a hash function to obtain a hash value, and stores the hash value as the device private key;
the private key is multiplied by the elliptic curve generator, according to the elliptic curve parameters stored on the blockchain, to obtain the corresponding device public key;
the device adds 1 to the random number received from the authentication server, encrypts the result with the generated device private key, and sends it to the authentication server; the authentication server decrypts it with the device public key and verifies whether the received random number differs from the one it sent by 1; after verification succeeds, it adds the device information to the legitimate device list and updates the information on the blockchain.
As a preferred embodiment, the step in which the legitimate device uploads data and the corresponding data digest to the blockchain is specifically as follows:
when a legitimate device reaches the appointed time in each period, it packages its operating data for that period and then triggers the smart contract on the blockchain;
the legitimate device uses a hash function to generate a hash value of the operating data as the data digest, digitally signs the data digest, and sends the hash value, the digital signature content, a secret key and other necessary information to the blockchain node;
the blockchain node computes the key address corresponding to the digital signature content by running an Ethernet address calculation function and compares the computed key address with the key address sent by the legitimate device; if they match, signature verification passes, and the data digest of the operating data and the other necessary information are stored on the blockchain.
In a preferred embodiment, a bloom filter is provided on the blockchain. When a legitimate device needs to access data uploaded by another legitimate device, it queries the data published on the blockchain through the bloom filter to obtain the target data digest; when it requests access to the complete data, a smart contract is triggered to generate an access request to the data owner device, and the following operations are executed:
receiving request parameters, which include information about the access-requesting device and the type of data to be accessed;
querying the address of the data owner device;
sending an access request to the data owner device based on the request parameters and the address of the data owner device.
As a preferred embodiment, the step of querying the data published on the blockchain through the bloom filter to obtain the target data digest is specifically as follows:
the legitimate device enters a key attribute to query; the bloom filter hashes the attribute value of the key attribute, and if the positions in the bloom filter corresponding to the hash values are all 1, this indicates that the target data digest is stored on the blockchain.
As a preferred embodiment, the step in which the data owner device initiates a key agreement request to the access-requesting device and the session key is generated specifically includes:
after receiving the access request, the data owner device initiates a communication request to the access-requesting device according to the device information of the access-requesting device, generates a first random number, encrypts the first random number with the device private key of the data owner device, and sends it to the access-requesting device;
after receiving the communication request, the access-requesting device decrypts the encrypted information with the device public key of the data owner device and verifies the identity of the data owner device;
the access-requesting device generates a second random number, encrypts it with the device private key of the access-requesting device, and sends it to the data owner device; the data owner device decrypts it with the device public key of the access-requesting device, adds the first random number and the second random number to obtain a third random number, and computes a key from the third random number using a hash function:
$Key_{ij} = H(Sk_i * Pk_j + nonce)$;
where $H$ denotes a hash function, $Sk_i$ denotes the device private key of the access-requesting device, and $Pk_j$ denotes the device public key of the data owner device;
the third random number is encrypted with the key $Key_{ij}$ and then sent to the access-requesting device;
the access-requesting device computes the key $Key_{ij} = H(Sk_j * Pk_i + nonce)$, decrypts with $Key_{ij}$ and verifies whether the value of the received third random number is correct; after verification succeeds, it encrypts the value of the third random number plus 1 with $Key_{ij}$ and sends it to the data owner device;
after the data owner device uses $Key_{ij}$ to verify that the value of the third random number plus 1 is correct, the two parties establish $Key_{ij}$ as the session key.
As a preferred embodiment, the method further comprises a malicious device detection step, which is specifically as follows:
the behavior of the legitimate devices in the legitimate device list is monitored in real time; when a legitimate device is found to behave maliciously, it is identified as a malicious device and deleted from the legitimate device list;
the malicious behavior includes sending erroneous data multiple times and repeatedly requesting the same data multiple times.
In another aspect, the present application also provides a blockchain-based device data access control system, including:
an authentication server, used for initialization: generating initial elliptic curve parameters and publishing them on the blockchain;
a network access device, used for sending a registration request to the authentication server to register the device;
the authentication server is also used for performing key agreement with the device after receiving the registration request; the network access device is also used for generating a device public-private key pair from the received information and using the key pair for mutual authentication with the authentication server;
the authentication server is also used for adding the device to the legitimate device list on the blockchain after authentication succeeds; legitimate devices upload data and the corresponding data digests to the blockchain for other devices to query;
when a legitimate device needs to access data uploaded by another legitimate device, a smart contract is triggered to generate an access request; the data owner device initiates a key agreement request to the access-requesting device, a session key is generated, and the data is encrypted with the session key and sent to the access-requesting device;
the access-requesting device decrypts with the session key, generates a data digest, and compares it with the data digest on the blockchain, accepting the data if the two match and discarding it otherwise.
In yet another aspect, the present application further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing a blockchain-based device data access control method according to any embodiment of the present application when the program is executed.
In yet another aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a blockchain-based device data access control method according to any of the embodiments of the present application.
The application has the following beneficial effects:
The application provides a blockchain-based device data access control method that uses blockchain technology to store data digests and other necessary attribute information, uses a bloom filter to speed up the screening of target data, and designs a key agreement scheme based on elliptic curves. Blockchain technology ensures that data cannot be tampered with after upload, and the distributed structure requires no centralized permission server.
Drawings
Fig. 1 is a flowchart illustrating a method according to a first embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that the step numbers used herein are for convenience of description only and are not limiting as to the order in which the steps are performed.
It is to be understood that the terminology used in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The terms "comprises" and "comprising" indicate the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The term "and/or" refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Embodiment one:
Referring to Fig. 1, this embodiment provides a blockchain-based device data access control method, which specifically includes the following steps:
S100: Initialization. The authentication server generates initial elliptic curve parameters and publishes them on the blockchain.
S200: Device registration. The device sends a registration request to the authentication server; the request parameters include the device ID and other necessary identity information. On receiving the registration request, the authentication server performs key agreement with the device: the authentication server generates part of the information and sends it to the device, the device generates a device public-private key pair from the received information, and the key pair is used for mutual authentication with the authentication server.
S300: After authentication succeeds, the authentication server adds the device to the legitimate device list on the blockchain. The authenticated legitimate device uploads data to the blockchain, computing the hash value of the uploaded data as the corresponding data digest, together with other necessary information, for other devices to query; the other necessary information includes the device type, device registration time, device ownership and the like.
S400: When a legitimate device needs to access data uploaded to the blockchain by another legitimate device, a smart contract on the blockchain is triggered to generate an access request; the data owner device initiates a key agreement request to the access-requesting device, a session key is generated, and the data is encrypted with the session key and sent to the access-requesting device.
S500: The access-requesting device decrypts the received encrypted data with the session key, computes the hash value of the decrypted data as the digest, and compares the computed digest with the data digest on the blockchain; if the two match, it accepts the data, and if not, it discards the data and requests retransmission.
As a preferred implementation of this embodiment, in step S200 the authentication server performs key agreement with the device after receiving the registration request, the device generates a device public-private key pair from the received information, and the key pair is used for mutual authentication with the authentication server. This specifically includes:
S201: After receiving the registration request, the authentication server verifies the validity of the device information according to the request parameters of the registration request.
S202: After validity is verified, the authentication server generates a random number in the finite field of the elliptic curve according to the initial elliptic curve parameters, encrypts the random number with the server private key, and sends the encrypted random number to the device.
S203: After receiving the encrypted information, the device decrypts it with the server public key provided by the authentication server to obtain the random number, and computes a hash value by passing the random number and the device ID as parameters to a hash function; the hash function maps the information into the finite field of the elliptic curve, with a length of 256 bits. The hash value is stored as the device private key.
S204: The private key is multiplied by the elliptic curve generator, according to the elliptic curve parameters stored on the blockchain, to obtain the corresponding device public key.
S205: The device adds 1 to the random number received from the authentication server, encrypts it together with other necessary information using the generated device private key, and sends the encrypted data to the authentication server; the authentication server decrypts the encrypted data with the device public key and verifies whether the received random number differs from the one it sent by 1; after verification succeeds, it adds the device information to the legitimate device list and updates the information on the blockchain.
As a preferred implementation of this embodiment, in step S300 the step in which the legitimate device uploads data and the corresponding data digest to the blockchain is specifically as follows:
The device uploads data at a fixed time every day; when the appointed time is reached, the device packages that day's operating data and then triggers the contract.
The legitimate device uses a hash function to generate a hash value of the operating data as the data digest, digitally signs the data digest, and sends the hash value, the digital signature content, the device public key and other necessary information to the blockchain node; the other necessary information includes the device type, device registration time, device owner and the like.
The blockchain node computes the key address corresponding to the digital signature content by running an Ethernet address calculation function and compares the computed key address with the key address sent by the legitimate device; if they match, signature verification passes, and the data digest of the operating data and the other necessary information are stored on the blockchain.
As a preferred implementation of this embodiment, a bloom filter contract is deployed on the blockchain for fast lookup of public device information, and several independent hash functions are set in the bloom filter to prevent collisions.
Specifically, when a legitimate device needs to access data uploaded by another legitimate device, it enters a key attribute to query; the bloom filter hashes the attribute value of the key attribute, and if the positions in the bloom filter corresponding to the hash values are all 1, this indicates that the target data digest is stored on the blockchain, and a data access request is sent to the data owner device that holds the target data digest. Querying target data through the bloom filter triggers a smart contract, which performs the following operations:
receiving request parameters, which include information about the access-requesting device and the type of data to be accessed;
querying the address of the data owner device;
sending an access request to the data owner device based on the request parameters and the address of the data owner device.
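The query path described above, as an added Python example that is not part of the patent: a bloom filter with several hash functions in front of an authoritative record store. The class and function names, filter sizes and sample attributes are constructed for illustration. It also covers the case where all probed bits are 1 although no digest was stored (a false positive), so a hit is confirmed against the stored records before an access request is built.

```python
import hashlib


class BloomFilter:
    """Bit array probed by k hash functions (SHA-256 salted with the function index)."""

    def __init__(self, size_bits, num_hashes):
        self.size, self.k, self.bits = size_bits, num_hashes, 0

    def _positions(self, value):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + value.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, value):
        for pos in self._positions(value):
            self.bits |= 1 << pos

    def might_contain(self, value):
        return all((self.bits >> pos) & 1 for pos in self._positions(value))


class DigestIndex:
    """Hypothetical stand-in for the bloom filter contract plus the on-chain records."""

    def __init__(self, size_bits=64, num_hashes=3):
        self.bloom = BloomFilter(size_bits, num_hashes)
        self.records = {}  # key attribute -> (data digest, owner device address)

    def publish(self, attribute, data, owner_address):
        self.records[attribute] = (hashlib.sha256(data).hexdigest(), owner_address)
        self.bloom.add(attribute)

    def lookup(self, attribute):
        """Return (status, record); a bloom hit alone only means 'possibly stored'."""
        if not self.bloom.might_contain(attribute):
            return "absent", None          # no false negatives, so skip the record read
        record = self.records.get(attribute)
        if record is None:
            return "false_positive", None  # every probed bit was set by other entries
        return "found", record


def build_access_request(index, requester_id, attribute, data_type):
    """The three contract operations: take parameters, find the owner, address the request."""
    status, record = index.lookup(attribute)
    if status != "found":
        return None
    digest, owner = record
    return {"to": owner, "from": requester_id,
            "data_type": data_type, "expected_digest": digest}


def first_false_positive(index, candidates):
    """Return the first never-published attribute that the filter still reports as present."""
    for candidate in candidates:
        if index.lookup(candidate)[0] == "false_positive":
            return candidate
    return None


def sample_index():
    """Constructed sample data; the filter is deliberately small so false positives occur."""
    index = DigestIndex(size_bits=32, num_hashes=2)
    for n in range(8):
        index.publish(f"transformer-{n}/2023-06-01",
                      b"constructed data %d" % n, f"owner-addr-{n}")
    return index


if __name__ == "__main__":
    idx = sample_index()
    print(build_access_request(idx, "meter-B", "transformer-3/2023-06-01", "daily-operation"))
    fp = first_false_positive(idx, (f"unknown-{i}" for i in range(5000)))
    print("false positive:", fp, "->", build_access_request(idx, "meter-B", fp, "daily-operation"))
```
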
As a preferred implementation of this embodiment, in step S400 the step in which the data owner device initiates a key agreement request to the access-requesting device and the session key is generated specifically includes:
S401: After receiving the access request, the data owner device initiates a communication request to the access-requesting device according to the device information of the access-requesting device, generates a first random number $nonce_1$, encrypts $nonce_1$ with the device private key of the data owner device, and sends it to the access-requesting device.
S402: After receiving the communication request, the access-requesting device decrypts the encrypted information with the device public key of the data owner device and verifies the identity of the data owner device.
S403: After verifying the identity of the data owner device, the access-requesting device generates a second random number $nonce_2$, encrypts $nonce_2$ with the device private key of the access-requesting device, and sends it to the data owner device; the data owner device decrypts it with the device public key of the access-requesting device to obtain $nonce_2$, then adds the first random number $nonce_1$ and the second random number $nonce_2$ to obtain a third random number $nonce$, and computes the communication key of the two parties from $nonce$ using a hash function:
$Key_{ij} = H(Sk_i * Pk_j + nonce)$;
where $H$ denotes a hash function, $Sk_i$ denotes the device private key of the access-requesting device, and $Pk_j$ denotes the device public key of the data owner device;
S404: The data owner device encrypts the third random number $nonce$ with the communication key $Key_{ij}$ and sends it to the access-requesting device.
S405: The access-requesting device computes the key $Key_{ij} = H(Sk_j * Pk_i + nonce)$ from the third random number $nonce$, uses $Key_{ij}$ to decrypt the encrypted data containing $nonce$ sent by the data owner device, and verifies whether the value of the received $nonce$ is correct; after verification succeeds, it encrypts the value of the third random number plus 1, i.e. $nonce + 1$, with $Key_{ij}$ and sends it to the data owner device;
S406: After the data owner device uses $Key_{ij}$ to verify that the value of the third random number plus 1 is correct, the two parties establish $Key_{ij}$ as the session key.
As a preferred implementation of this embodiment, if malicious behavior by a device is found during execution, the authentication server penalizes the malicious device, specifically as follows:
S601: The authentication server monitors the behavior of the legitimate devices in the legitimate device list in real time; when a legitimate device is found to behave maliciously, it is identified as a malicious device, and the authentication server deletes it from the legitimate device list by executing a smart contract; the malicious device can regain normal access only by going through the registration process again;
the malicious behavior includes sending erroneous data multiple times, repeatedly requesting the same data multiple times, and the like.
Embodiment two:
This embodiment provides a blockchain-based device data access control system, which comprises the following components:
an authentication server, used for initialization: generating initial elliptic curve parameters and publishing them on the blockchain; this part implements step S100 of Embodiment one and is not described again here;
a network access device, used for sending a registration request to the authentication server to register the device; the authentication server is also used for performing key agreement with the device after receiving the registration request; the network access device is also used for generating a device public-private key pair from the received information and using the key pair for mutual authentication with the authentication server; this part implements step S200 of Embodiment one and is not described again here;
the authentication server is also used for adding the device to the legitimate device list on the blockchain after authentication succeeds; legitimate devices upload data and the corresponding data digests to the blockchain for other devices to query; this part implements step S300 of Embodiment one and is not described again here;
when a legitimate device needs to access data uploaded by another legitimate device, a smart contract is triggered to generate an access request; the data owner device initiates a key agreement request to the access-requesting device, a session key is generated, and the data is encrypted with the session key and sent to the access-requesting device; this part implements step S400 of Embodiment one and is not described again here;
the access-requesting device decrypts with the session key, generates a data digest, and compares it with the data digest on the blockchain, accepting the data if the two match and discarding it otherwise; this part implements step S500 of Embodiment one and is not described again here.
Embodiment III:
This embodiment provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor implements the blockchain-based device data access control method according to any embodiment of the application when executing the program.
Embodiment four:
This embodiment provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the blockchain-based device data access control method according to any of the embodiments of the present application.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three kinds of relations may exist; for example, A and/or B may indicate that A alone exists, that A and B both exist, or that B alone exists. Wherein A, B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following" and similar expressions mean any combination of these items, including any combination of single or plural items. For example, at least one of a, b and c may represent: a, b, c, a and b, a and c, b and c or a and b and c, wherein a, b and c can be single or multiple.
Those of ordinary skill in the art will appreciate that the various elements and algorithm steps described in the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In several embodiments provided by the present application, any of the functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
The foregoing description is only illustrative of the present application and is not intended to limit the scope of the application, and all equivalent structures or equivalent processes or direct or indirect application in other related technical fields are included in the scope of the present application.

Claims (10)

1. A blockchain-based device data access control method, comprising the steps of:
initializing: generating elliptic curve initial parameters through an authentication server, and publishing the elliptic curve initial parameters in a blockchain;
when a device registers, sending a registration request to the authentication server; the authentication server performs key negotiation with the device after receiving the registration request, and the device generates a device public-private key pair according to the received information and uses the device public-private key pair to perform bidirectional authentication with the authentication server;
after the authentication passes, updating the corresponding device into the legal device list in the blockchain; the legal device uploads data and the corresponding data abstract to the blockchain for other devices to query;
when a legal device needs to access data uploaded by another legal device, a smart contract is triggered to generate an access request, the data owner device initiates a key negotiation request to the access request device and a session key is generated, the data is encrypted with the session key, and the encrypted data is sent to the access request device;
the access request device decrypts the data with the session key and generates a data abstract, compares it with the data abstract on the blockchain, accepts the data if the two are consistent, and discards the data otherwise.
2. The method for controlling data access of a device based on blockchain as in claim 1, wherein the method for performing key agreement with the device after receiving the registration request by the authentication server, generating a device public-private key pair by the device according to the received information, and performing bidirectional authentication with the authentication server by using the device public-private key pair is specifically as follows:
after receiving the registration request, the authentication server verifies the validity of the device information according to the registration request, generates a random number in the finite field of the elliptic curve according to the elliptic curve initial parameters, encrypts the random number with the server private key, and sends the encrypted random number to the corresponding device;
after receiving the encrypted information, the corresponding device decrypts it with the server public key provided by the authentication server to obtain the random number, computes a hash value by applying a hash function to the random number and the device ID as parameters, and stores the hash value as the device private key;
the device private key is multiplied by the elliptic curve generator according to the elliptic curve parameters stored in the blockchain to obtain the corresponding device public key;
the corresponding device adds 1 to the random number received from the authentication server, encrypts the result with the generated device private key, and sends it to the authentication server; the authentication server decrypts it with the device public key and verifies whether the difference between the received random number and the sent random number is 1; after the verification passes, the device information is added to the legal device list and the information in the blockchain is updated.
3. The method for controlling data access of a device based on a blockchain as in claim 1, wherein the step of uploading data and the corresponding data summary by the legal device in the blockchain specifically comprises:
when a legal device reaches the designated time within a period, it packs its operation data for that period and then triggers the smart contract on the blockchain;
the legal device uses a hash function to generate a hash value of the operation data as the data abstract, digitally signs the data abstract, and sends the hash value, the digital signature content, a secret key and other necessary information to the blockchain node;
the blockchain node calculates the key address corresponding to the digital signature content by running the Ethereum address calculation function, and compares whether the calculated key address is consistent with the key address sent by the legal device; if so, the signature verification passes, and the data abstract and other necessary information of the operation data are stored in the blockchain.
4. The method for controlling device data access based on a blockchain as in claim 1, wherein a bloom filter is provided in the blockchain; when a legal device needs to access data uploaded by other legal devices, the published data of the blockchain is queried through the bloom filter to obtain the target data abstract; and when the complete data is requested, a smart contract is triggered to generate an access request to the data owner device, performing the following operations:
passing in request parameters that include the information of the access request device and the type of data to be accessed;
querying the address of the data owner device;
sending an access request to the data owner device based on the request parameters and the address of the data owner device.
5. The method for controlling equipment data access based on blockchain as in claim 4, wherein the step of querying the blockchain published data by using a bloom filter to obtain the target data summary is specifically as follows:
the legal device inputs a key attribute to query, and the bloom filter performs hash calculations on the attribute value of the key attribute; if the positions in the bloom filter corresponding to the hash values are all 1, this indicates that the target data abstract is stored in the blockchain.
6. The method for controlling data access of a device based on a blockchain as in claim 4, wherein the step of generating the session key by the data owner device initiating a key negotiation request to the access request device is specifically:
after receiving the access request, the data owner device initiates a communication request to the access request device according to the device information of the access request device, generates a first random number, encrypts the first random number by using a device private key of the data owner device and sends the encrypted first random number to the access request device;
after the access request equipment receives the communication request, decrypting the encrypted information by using the equipment public key of the equipment of the data owner, and verifying the identity of the equipment of the data owner;
the access request device generates a second random number, encrypts the second random number by using a device private key of the access request device, then sends the second random number to the data owner device; the data owner device decrypts the second random number by using a device public key of the access request device, adds the first random number and the second random number to obtain a third random number, and calculates a key by using a hash function based on the third random number:
$Key_{ij} = H(Sk_i \cdot Pk_j + nonce)$;
where $H$ represents a hash function, $Sk_i$ represents the device private key of the access request device, and $Pk_j$ represents the device public key of the data owner device;
the third random number is encrypted with the key $Key_{ij}$ and then sent to the access request device;
the access request device calculates the key $Key_{ij} = H(Sk_j \cdot Pk_i + nonce)$, decrypts with the key $Key_{ij}$ and verifies whether the value of the received third random number is correct, and after the verification is passed, uses $Key_{ij}$ to encrypt the value of the third random number plus 1 and transmits it to the data owner device;
after the data owner device uses the key $Key_{ij}$ to verify the correctness of the value of the third random number plus 1, the two parties establish the key $Key_{ij}$ as the session key.
7. The method for controlling data access of a blockchain-based device of claim 1, further comprising a malicious device detection step, comprising:
detecting behaviors of legal devices in the legal list in real time, when the legal devices are found to have malicious behaviors, identifying the corresponding legal devices as malicious devices, and deleting the corresponding devices in the legal list;
the malicious behavior includes sending error data multiple times and repeatedly requesting the same data multiple times.
8. A blockchain-based device data access control system, comprising:
an authentication server, used for initializing, generating elliptic curve initial parameters and publishing them in the blockchain;
a network access device, used for sending a registration request to the authentication server to register the device;
the authentication server is also used for performing key negotiation with the corresponding device after receiving the registration request; the network access device is also used for generating a device public-private key pair according to the received information and performing bidirectional authentication with the authentication server by using the device public-private key pair;
the authentication server is also used for updating the corresponding device into the legal device list in the blockchain after the authentication passes; the legal device uploads data and the corresponding data abstract to the blockchain for other devices to query;
when a legal device needs to access data uploaded by another legal device, a smart contract is triggered to generate an access request, the data owner device initiates a key negotiation request to the access request device and a session key is generated, the data is encrypted with the session key, and the encrypted data is sent to the access request device;
the access request device decrypts the data with the session key and generates a data abstract, compares it with the data abstract on the blockchain, accepts the data if the two are consistent, and discards the data otherwise.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the blockchain-based device data access control method of any of claims 1 to 7 when the program is executed by the processor.
10. A computer-readable storage medium having stored thereon a computer program, which when executed by a processor implements the blockchain-based device data access control method of any of claims 1 to 7.
CN202310777656.3A 2023-06-28 2023-06-28 Device data access control method, system, device and medium based on block chain Pending CN116910739A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310777656.3A CN116910739A (en) 2023-06-28 2023-06-28 Device data access control method, system, device and medium based on block chain

Publications (1)

Publication Number Publication Date
CN116910739A true CN116910739A (en) 2023-10-20

Family

ID=88350325

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310777656.3A Pending CN116910739A (en) 2023-06-28 2023-06-28 Device data access control method, system, device and medium based on block chain

Country Status (1)

Country Link
CN (1) CN116910739A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117408846A (en) * 2023-12-14 2024-01-16 陕西华海信息技术有限公司 School educational administration data processing system based on cloud computing
CN117408846B (en) * 2023-12-14 2024-03-01 陕西华海信息技术有限公司 School educational administration data processing system based on cloud computing
CN117955649A (en) * 2024-03-26 2024-04-30 杭州海康威视数字技术股份有限公司 Safe and efficient data transmission method and system for Internet of things and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination