CN117395027A - Block chain access control method based on decomposition optical network and related equipment - Google Patents

Block chain access control method based on decomposition optical network and related equipment

Info

Publication number: CN117395027A
Application number: CN202311206656.4A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 杨辉, 刘伟, 张翠, 李超, 沈俊, 黎军
Current assignee: Beijing University of Posts and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing University of Posts and Telecommunications
Events: application filed by Beijing University of Posts and Telecommunications; priority to CN202311206656.4A; publication of CN117395027A; current legal status: pending

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/561 Provisioning of proxy services: adding application-functional data or data for application control, e.g. adding metadata
    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements using hash chains, e.g. blockchains or hash trees
    • H04Q11/0062 Selecting arrangements for multiplex systems using optical switching: network aspects

Abstract

The application provides a blockchain access control method based on a decomposition optical network and related equipment, applied to a blockchain access control system based on the decomposition optical network. The system comprises an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node, the slave blockchain layer includes slave agent nodes, and the identity management system layer includes a provisioning node. The application proposes a distributed and secure blockchain-based device authentication and control framework, under which an attribute-based access control mechanism is designed so that operators can monitor all device information in real time and provide cross-vendor access. First, a secure and reliable decomposition optical network architecture is constructed, together with a complete identity verification process for optical network devices joining it. Second, a new asynchronous distributed equipment distribution access network architecture is provided, which achieves efficient distributed data sharing and fine-grained access control while protecting user privacy.

Description

Block chain access control method based on decomposition optical network and related equipment
Technical Field
The present disclosure relates to the field of blockchain technologies, and in particular, to a blockchain access control method and related devices based on a decomposition optical network.
Background
With the rapid development of communication technology, communication network equipment has become more complex and operators' deployment costs keep rising. White-box technology can effectively solve the problem of vendor lock-in of hardware and software equipment, thereby reducing the funds operators need for deployment, and is one of the key technologies considered by network operators. It can realize white-box radio access network hardware, open-source software and the decoupling of the software and hardware of the traditional base station, so that software functions run on a general-purpose hardware platform. However, when network controllers, hardware components and combinations of network nodes are provided by different entities and manufacturers, sharing and managing the data of the whole device may be difficult for interoperability and confidentiality reasons, and a significant drop in service level may follow. The major challenges are that operators have difficulty managing equipment from different manufacturers, and that security and privacy must be maintained while the data of equipment from different manufacturers is shared.
To ensure trusted device management and to guarantee data security and data privacy for the different vendors, we propose to use blockchain technology together with access control technology. The decentralized nature of blockchains makes them widely used in distributed system management, where any device participates as a node in system management and permanently verifies and records data transactions between devices. The access control technology adopts a distributed, attribute-based access control scheme that dispenses with a trusted central authority, so that users jointly formulate the access policy and its credibility is guaranteed by the blockchain.
Disclosure of Invention
In view of the foregoing, it is an object of the present application to provide a blockchain access control method and related devices based on a split optical network, so as to solve or partially solve the above-mentioned problems.
Based on the above objects, the present application provides a blockchain access control method based on a decomposition optical network, which is applied to a blockchain access control system based on a decomposition optical network, wherein the system comprises: an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node; the slave blockchain layer includes slave agent nodes; the identity management system layer comprises a supply node;
the method comprises the following steps:
a supply user of the supply node generates source data, allocates a namespace for the source data to obtain a named data object, and formulates an access policy for the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer;
the slave agent node encrypts the metadata to obtain a metadata ciphertext, and sends the metadata ciphertext to the master blockchain layer through the cross-chain communication layer;
the master agent node decrypts the metadata ciphertext to obtain the metadata, calls an intelligent contract, and obtains a key format file according to the metadata;
the operation user of the master agent node calls an intelligent contract to request verification of the attribute that matches the access policy and of the private key that matches the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the private key into the attribute, and returns the attribute with the embedded private key to the operation user;
the master agent node invokes an intelligent contract to verify the attribute with the embedded private key against the key format file; in response to successful verification, the operation user is granted access rights to the provisioning user;
in response to being granted access rights to the provisioning user, the operation user obtains the provisioning user's source data according to the digital digest of the named data object.
In one possible implementation, the providing node generates metadata according to the named data object and the access policy, including:
the digital digest is obtained from the named data object, the named data object is encrypted and a public key is generated, and the source data, the public key, the digital digest and the access policy are spliced together to obtain the metadata.
In one possible implementation, the method further includes:
the main agent node splits the metadata to obtain the source data, the public key, the digital abstract and the access policy;
the master agent node invokes an intelligent contract to store the public key as the key format file and the source data, the digital digest, and the access policy as ciphertext.
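The metadata splicing by the supply node and its splitting, digest check and attribute check on the master chain, as an added example in Go that is not the patent's own code: it assumes a JSON layout for the spliced fields, a DNF attribute policy (a list of clauses, any fully held clause grants access), a random placeholder where a real CP-ABE public key would go, and constructed sample telemetry for the `main` demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Metadata is the record a supply node splices together (source data, public key,
// digital digest, access policy). The JSON layout is an assumption of this example.
type Metadata struct {
	Name      string     `json:"name"`       // namespace assigned to the source data
	Source    []byte     `json:"source"`     // source data (kept as ciphertext on the real master chain)
	PublicKey []byte     `json:"public_key"` // stored on the master chain as the key format file
	Digest    string     `json:"digest"`     // hex SHA-256 over namespace || source data
	Policy    [][]string `json:"policy"`     // assumed DNF: a clause matches when all its attributes are held
}

// digestOf binds namespace and source data into the named data object's digest.
func digestOf(name string, source []byte) string {
	h := sha256.Sum256(append([]byte(name+"\x00"), source...))
	return hex.EncodeToString(h[:])
}

// BuildMetadata is the supply-node step: name the data, derive its digest, attach
// the public key (a random placeholder here, not a real CP-ABE key) and the policy.
func BuildMetadata(name string, source []byte, policy [][]string) ([]byte, error) {
	pk := make([]byte, 32)
	if _, err := rand.Read(pk); err != nil {
		return nil, err
	}
	return json.Marshal(Metadata{Name: name, Source: source, PublicKey: pk,
		Digest: digestOf(name, source), Policy: policy})
}

// SplitMetadata is the master-agent step: recover the fields and reject a record
// whose digest no longer matches its source data or that lacks a key or a policy.
func SplitMetadata(blob []byte) (*Metadata, error) {
	var m Metadata
	if err := json.Unmarshal(blob, &m); err != nil {
		return nil, err
	}
	if m.Digest != digestOf(m.Name, m.Source) || len(m.PublicKey) == 0 || len(m.Policy) == 0 {
		return nil, fmt.Errorf("rejected metadata for %q", m.Name)
	}
	return &m, nil
}

// PolicySatisfied checks an operator user's attributes against the access policy.
// An empty clause never matches, so a malformed policy cannot open the data to everyone.
func PolicySatisfied(policy [][]string, attrs []string) bool {
	held := map[string]bool{}
	for _, a := range attrs {
		held[a] = true
	}
	for _, clause := range policy {
		ok := len(clause) > 0
		for _, need := range clause {
			ok = ok && held[need]
		}
		if ok {
			return true
		}
	}
	return false
}

type Store map[string]*Metadata // master chain records, keyed by the named data object's digest

// Register splits and validates the metadata before it is recorded.
func (s Store) Register(blob []byte) (string, error) {
	m, err := SplitMetadata(blob)
	if err != nil {
		return "", err
	}
	s[m.Digest] = m
	return m.Digest, nil
}

// Access returns the source data for a digest only when the operator user's
// attributes satisfy the recorded policy; unknown digests are denied as well.
func (s Store) Access(digest string, attrs []string) ([]byte, bool) {
	m, ok := s[digest]
	if !ok || !PolicySatisfied(m.Policy, attrs) {
		return nil, false
	}
	return m.Source, true
}

func main() {
	policy := [][]string{{"role:operator", "vendor:A"}, {"role:auditor"}}
	blob, _ := BuildMetadata("/vendorA/olt-7/lc-2/telemetry", []byte("rx -3.1 dBm"), policy)
	s := Store{}
	d, _ := s.Register(blob)
	_, ok := s.Access(d, []string{"role:operator", "vendor:A"})
	_, bad := s.Access(d, []string{"role:operator", "vendor:B"})
	fmt.Println("granted:", ok, "cross-vendor without policy match:", bad)
}
```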
In one possible implementation, the method further includes:
the slave agent node forwards the metadata to all slave blockchain nodes of the slave blockchain layer.
In one possible implementation, the method further includes:
all slave blockchain nodes of the slave blockchain layer verify the metadata, and the supply user corresponding to the metadata is determined to be legal in response to a preset number of the slave blockchain nodes verifying the metadata successfully.
In one possible implementation, the method further includes:
the slave agent node is determined from all slave blockchain nodes according to the proportion of the guarantee deposit submitted by each slave blockchain node of the slave blockchain layer and the proportion of the communication time of each slave blockchain node.
In one possible implementation, the method further includes:
the master proxy node is determined from all master blockchain nodes according to the proportion of the guarantee deposit submitted by each master blockchain node of the master blockchain layer and the proportion of the communication time of each master blockchain node.
Based on the same object, the application also provides a blockchain access control system based on a decomposition optical network, which comprises: an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node; the slave blockchain layer includes slave agent nodes; the identity management system layer includes a provisioning node;
the identity management system layer is configured to: generating source data by a supply user of the supply node, distributing a name space for the source data, obtaining a named data object, and formulating an access strategy of the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer;
the slave blockchain layer and the cross-chain communication layer are configured to: the slave agent node encrypts the metadata to obtain metadata ciphertext, and sends the metadata ciphertext to a master blockchain layer through the cross-chain communication layer;
The master blockchain layer is configured to: the master agent node decrypts the metadata ciphertext to obtain the metadata, calls an intelligent contract, and obtains a key format file according to the metadata;
the master blockchain layer is further configured to: the operation user of the main agent node calls an intelligent contract to request verification of the attribute for matching the access strategy and the private key for matching the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the attribute into the private key to obtain a verification value, and returns the verification value to the operation user;
the master blockchain layer is further configured to: the master agent node invokes an intelligent contract to verify the verification value and the key format file; and in response to successful verification, granting access rights to the operator user to the provisioning user.
In view of the above object, the present application further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the method according to any one of the above when executing the program.
Based on the above object, the present application also provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of the above.
As can be seen from the foregoing, the blockchain access control method and related device based on the decomposition optical network provided in the present application are applied to a blockchain access control system based on the decomposition optical network, where the system includes an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node, the slave blockchain layer includes slave agent nodes, and the identity management system layer includes a supply node. The method comprises the following steps: a supply user of the supply node generates source data, allocates a namespace for the source data to obtain a named data object, and formulates an access policy for the source data; the supply node generates metadata according to the named data object and the access policy and sends the metadata to the slave blockchain layer; the slave agent node encrypts the metadata to obtain a metadata ciphertext and transmits it to the master blockchain layer through the cross-chain communication layer; the master agent node decrypts the metadata ciphertext to obtain the metadata, calls an intelligent contract, and obtains a key format file according to the metadata; an operation user of the master agent node calls an intelligent contract to request verification of the attribute that matches the access policy and of the private key that matches the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the private key into the attribute, and returns the attribute with the embedded private key to the operation user; the master agent node invokes the intelligent contract to verify the attribute with the embedded private key against the key format file; in response to successful verification, the operation user is granted access rights to the provisioning user; and in response to being granted access to the provisioning user, the operation user obtains the provisioning user's source data from the digital digest of the named data object. The application provides a distributed and secure blockchain-based device authentication and control framework, under which an attribute-based access control mechanism is designed to support real-time monitoring of all device information by the operator and to provide cross-vendor access. First, a secure and trustworthy decomposition optical network architecture is constructed, together with a complete identity verification process for optical network devices joining it. Second, a new asynchronous distributed equipment distribution access network architecture is provided, which achieves efficient distributed data sharing and fine-grained access control while protecting user privacy.
Drawings
In order to illustrate the technical solutions of the present application or the prior art more clearly, the following briefly introduces the drawings needed in the description of the embodiments or of the prior art. Obviously, the drawings described below are only those of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a blockchain access control system based on a split optical network according to an embodiment of the present application.
Fig. 2 is a schematic diagram of node identity registration and identity authentication according to an embodiment of the present application.
Fig. 3 is a flowchart of a block chain access control method based on a split optical network according to an embodiment of the present application.
Fig. 4 is a schematic diagram of a blockchain access control system based on a split optical network according to an embodiment of the present application.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings.
It is to be noted that unless otherwise defined, technical or scientific terms used herein should be taken in a general sense as understood by one of ordinary skill in the art to which this application belongs. The terms "first," "second," and the like, as used herein, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
As described in the background section, disaggregating the optical network separates vendor hardware devices from software devices, thereby reducing the funds operators need for deployment. Optical network disaggregation mainly decomposes the network into open, flexible and available components, devices and subsystems, free of the restrictions of proprietary vendors. However, when network controllers, hardware components and combinations of network nodes are provided by different entities and manufacturers, device agents in the overall split optical network may not be accessible across providers for reasons of trust, privacy or vendor barriers. Once a failure event occurs, this presents a significant challenge to the operator in terms of security maintenance.
The technical scheme of the application is further described in detail through specific examples.
Referring to fig. 1, a schematic diagram of a blockchain access control system based on a split optical network according to an embodiment of the present application is provided.
The block chain access control system based on the decomposition optical network mainly comprises four layers, namely: an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer.
The identity management system layer mainly comprises the supply nodes of the different suppliers in the decomposition optical network. The identity identification structures of the different supply nodes differ and the cross-domain access process is complex, so the supply users in the supply nodes need to be registered in the system for unified identity management.
The slave blockchain layer is composed of a plurality of alliance (consortium) chains with the same structure, each made up of all optical network devices of one supplier. On each slave chain an elected proxy node receives and processes the requests of supply users, generates a unified identity identifier for the supply user, creates an on-chain identity credential, and sends the transaction result and the hash value of the transaction to the main chain through the cross-chain communication layer for storage. In addition, only supply users authenticated by all alliance chain members can join the slave chain, which protects the privacy of the data in the blockchain.
The cross-chain communication layer supports cross-chain communication between the master and slave chains using cross-chain network components. The cross-chain network sits between the main chain and the slave chains; its nodes do not participate in consensus and are only responsible for converting communication protocols and transmitting data. Hash locking is used to maintain the atomicity and consistency of cross-chain transactions.
The main blockchain layer mainly comprises an alliance chain formed by the operator's SDN controllers; the elected proxy node on the main chain receives and stores the transaction results and transaction hash values sent by the slave chains through the cross-chain communication layer. The main chain also allows generic users to join; such a user can query the slave-chain transaction information stored on the main chain and initiate, through the cross-chain communication layer, a request to verify a transaction on a specified slave chain.
In the embodiment of the application, the proxy node needs to be elected from the main blockchain layer and the slave blockchain layer to be responsible for receiving and processing the request.
As an alternative embodiment, the slave agent node may be determined from among all slave blockchain nodes based on the percentage of the guarantees submitted by all slave blockchain nodes of the slave blockchain layer and the percentage of the communication time of all slave blockchain nodes.
Specifically, each node participating in the election must submit a certain guarantee (deposit), which deters malicious nodes from standing for election. The total $S_{total}$ of the guarantees submitted on chain by the nodes participating in the election is expressed as:
$S_{total} = \sum_{i=1}^{n} S_i$
where n represents the total number of nodes participating in the election and $S_i$ represents the amount of the guarantee submitted by node i. The ratio $W_i$ of the guarantee submitted by each node to $S_{total}$, an important reference index in the election, is expressed as:
$W_i = \frac{S_i}{S_{total}}$
As an alternative embodiment, another factor examined when electing a node is its communication time: the shorter the communication time between a node and the other nodes, the more requests it can receive and process in the same time. $T_i$ denotes the sum of the communication times between node i and the other nodes in the chain:
$T_i = \sum_{j=1,\, j \neq i}^{m} t_{(i,j)}$
where m represents the total number of nodes on the chain and $t_{(i,j)}$ represents the communication time between node i and node j. The sum of the communication times between all nodes participating in the election and the other nodes on the chain is $T_{total}$:
$T_{total} = \sum_{i=1}^{n} T_i$
The proportion $P_i$ of $T_{total}$ accounted for by the communication time of a participating node is:
$P_i = \frac{T_i}{T_{total}}$
The final node election formula is:
$M_i = W_i - P_i,\quad (i = 0, 1, 2, \ldots, n)$
From the above, the more guarantees a node has submitted and the shorter its communication time with the other nodes on the chain, the lower the likelihood that the node is malicious and the stronger its communication capability, and the larger the node's $M_i$ value, the more easily it is elected as a proxy node. The $M_i$ values of all election nodes are calculated and sorted, and the node with the highest $M_i$ value becomes the proxy node. In addition, after the election is completed, the proxy nodes on the master and slave chains disclose their own public keys.
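The election formula above, which also underlies the slave and master agent node selection described among the possible implementations, as an added worked example in Go (not the patent's code): it evaluates M_i = W_i - P_i on a constructed five-node chain in which four nodes stand, and assumes that ties are broken by node ID and that a node without a guarantee or without communication measurements is excluded, neither of which the description specifies.

```go
package main

import (
	"fmt"
	"sort"
)

// Candidate is a chain node that submitted a guarantee S_i to stand for proxy election.
type Candidate struct {
	ID      string
	Deposit float64 // S_i
}

// CommTimes holds t(i,j), the measured communication time between chain nodes i and j.
type CommTimes map[string]map[string]float64

// ElectProxy implements M_i = W_i - P_i from the description: W_i = S_i / S_total over
// the candidates, T_i = sum over the other chain nodes j of t(i,j), P_i = T_i / T_total
// over the candidates. The largest M_i wins; ties fall to the smaller node ID, which
// is an assumption of this example (the description does not say how ties are resolved).
func ElectProxy(cands []Candidate, times CommTimes) (string, map[string]float64, error) {
	if len(cands) == 0 {
		return "", nil, fmt.Errorf("no node submitted a guarantee")
	}
	var sTotal, tTotal float64
	tSum := map[string]float64{}
	for _, c := range cands {
		row, ok := times[c.ID]
		if !ok || c.Deposit <= 0 {
			return "", nil, fmt.Errorf("node %s lacks a guarantee or communication measurements", c.ID)
		}
		for j, t := range row {
			if j == c.ID {
				continue
			}
			if t <= 0 {
				return "", nil, fmt.Errorf("node %s has no valid measurement to %s", c.ID, j)
			}
			tSum[c.ID] += t
		}
		sTotal += c.Deposit
		tTotal += tSum[c.ID]
	}
	if tTotal == 0 {
		return "", nil, fmt.Errorf("no communication measurements between nodes")
	}
	scores := make(map[string]float64, len(cands))
	ids := make([]string, 0, len(cands))
	for _, c := range cands {
		scores[c.ID] = c.Deposit/sTotal - tSum[c.ID]/tTotal // M_i = W_i - P_i
		ids = append(ids, c.ID)
	}
	sort.Slice(ids, func(a, b int) bool {
		if scores[ids[a]] != scores[ids[b]] {
			return scores[ids[a]] > scores[ids[b]]
		}
		return ids[a] < ids[b]
	})
	return ids[0], scores, nil
}

// symmetric expands one-directional measurements into t(i,j) = t(j,i).
func symmetric(pairs map[[2]string]float64) CommTimes {
	ct := CommTimes{}
	for k, t := range pairs {
		for _, d := range [][2]string{{k[0], k[1]}, {k[1], k[0]}} {
			if ct[d[0]] == nil {
				ct[d[0]] = map[string]float64{}
			}
			ct[d[0]][d[1]] = t
		}
	}
	return ct
}

// SampleElection runs the algorithm on a constructed five-node slave chain (m = 5) in
// which four nodes stand (n = 4); n1 holds the largest guarantee but is the slowest to reach.
func SampleElection() (string, map[string]float64, error) {
	times := symmetric(map[[2]string]float64{
		{"n1", "n2"}: 10, {"n1", "n3"}: 10, {"n1", "n4"}: 10, {"n1", "n5"}: 10,
		{"n2", "n3"}: 5, {"n2", "n4"}: 5, {"n2", "n5"}: 5,
		{"n3", "n4"}: 5, {"n3", "n5"}: 5,
		{"n4", "n5"}: 20,
	})
	cands := []Candidate{{"n1", 40}, {"n2", 30}, {"n3", 20}, {"n4", 10}}
	return ElectProxy(cands, times)
}

func main() {
	winner, scores, err := SampleElection()
	fmt.Println("proxy node:", winner, "M_i:", scores, "err:", err)
}
```

In the sample, n1 has W = 0.4 but P = 40/130, while n2 has W = 0.3 and P = 25/130, so n2 is elected: a large guarantee alone does not win if the node is slow to reach.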
It should be noted that the present application first solves the problem of communication between the main chain and the slave chains: cross-chain communication is implemented through a cross-chain network component (i.e., the cross-chain communication layer). The cross-chain communication layer sits between the main chain and the slave chains and is composed of a plurality of nodes; these nodes do not participate in the consensus of any chain and are only responsible for converting communication protocols, transmitting data and guaranteeing the atomicity and consistency of cross-chain transactions. The cross-chain network is independent of the main chain and the slave chains, which communicate with it through a gateway. To maintain the consistency and atomicity of a cross-chain transaction, hash locking is adopted: the cross-chain transaction as a whole counts as successful only when both cross-chain parties correctly supply the hash-lock secret. To prevent node failures in the cross-chain network from affecting the availability of the whole model, the number of nodes in the cross-chain network is made as large as possible, so that the network keeps operating normally even if several nodes fail. In addition, to avoid data being compromised in the cross-chain network, the plaintext of the data is never propagated there. The availability of the cross-chain network is thereby effectively improved and the privacy of the data is protected.
Referring to fig. 2, a schematic diagram of node identity authentication according to an embodiment of the present application is provided.
The blockchain requires identity registration for each entity joining the blockchain and also requires identity verification during the transaction. The blockchain access control based on the decomposition optical network further comprises the processes of identity registration and identity authentication.
As an alternative embodiment, the identity registration comprises:
the purpose of identity registration is to design a unified identity for users in different identity management systems in a white-box network and create on-chain identity credentials, and to implement other functions of the layer based on the on-chain identity credentials. The white-box device firstly sends registration application information to an administrator, wherein the registration application information comprises identity identification information, the administrator firstly verifies the validity of the registration application information after receiving the application, and after the verification is successful, the administrator generates a public key OPki, a private key OSki and a legal certificate OCei according to the identity identification and signs by using the private key of the administrator. Finally, the administrator returns the credential information to the device.
As an alternative embodiment, the authentication comprises:
when a device is newly added or updated in the white-box network, all nodes in the blockchain are required to verify the identity to ensure the credibility of the transaction.
As an optional embodiment, the node identity registration and identity authentication process provided in the embodiment of the present application includes:
step 1: the participants generate unique digital identities with their own pair of keys, including corporate information, transaction time, blockchain information, and the like. The participant generates a digital signature in an encrypted manner using a private key of the keys and then sends the public key to the blockchain.
Step 2: the participants broadcast their own public keys and certificates in the blockchain.
Step 3: nodes in the blockchain receive the message, verify the certificates of the participants by using the public key, and judge whether the certificates are legal or not.
Step 4: after the nodes in the blockchain verify the participant certificates, the administrator sends a ready message ready for authentication of the identity hash value.
Step 5: the participant sends the identity hash value to the administrator.
Step 6: the administrator checks whether the identity hash value exists and then broadcasts the identity hash value to other nodes. If the hash value exists, the administrator sends a message to the participant, and the participant regenerates the identity hash value and sends the identity hash value to the administrator again after receiving the message.
Step 7: and verifying the identity hash value of the participant by the nodes in the blockchain, and if more than half of the nodes verify the identity hash value successfully, considering that the identity verification is successful by the administrator and returning the voting result to the participant.
It should be noted that the condition under which the nodes in the blockchain verify the participant's identity hash value can be set according to the actual situation. In the embodiment of the application, identity authentication passes when more than half of the nodes verify the identity hash value successfully; the number of nodes participating in identity authentication and the passing condition can be reset according to the actual situation.
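Steps 1 to 7 of the registration and authentication process, as an added example in Go that is not code from the patent: Ed25519 stands in for the unspecified key pair and signature scheme, the administrator's signature over the identity and public key stands in for the certificate OCe_i, the nodes' "verification" of a hash is taken to mean checking the administrator's signature and recomputing the hash, and all participant identities are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is what the administrator returns at registration: the participant's
// identity bound to its public key OPk_i and signed with the administrator's private key.
type Credential struct {
	Identity  []byte            // corporate information, transaction time, chain information, ...
	PublicKey ed25519.PublicKey // OPk_i; the matching OSk_i never leaves the participant
	AdminSig  []byte            // plays the role of the legal certificate OCe_i
}

func (c *Credential) signedBytes() []byte { return append(append([]byte{}, c.Identity...), c.PublicKey...) }

// Administrator issues credentials and remembers every identity hash already admitted.
type Administrator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	seen map[string]bool
}

func NewAdministrator() *Administrator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Administrator{priv: priv, Pub: pub, seen: map[string]bool{}}
}

// Register accepts an application only if it is signed by the holder of the presented
// key (step 1) and returns a credential signed with the administrator's private key.
func (a *Administrator) Register(identity []byte, pub ed25519.PublicKey, selfSig []byte) (*Credential, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, identity, selfSig) {
		return nil, fmt.Errorf("registration application not signed by the key holder")
	}
	c := &Credential{Identity: identity, PublicKey: pub}
	c.AdminSig = ed25519.Sign(a.priv, c.signedBytes())
	return c, nil
}

// Node is a blockchain node; it checks credentials (step 3) and votes on hashes (step 7).
type Node struct{ adminPub ed25519.PublicKey }

// Vote approves a hash only if the administrator issued the credential and the hash
// really is the hash of the identity carried in that credential.
func (n *Node) Vote(c *Credential, hash string) bool {
	return ed25519.Verify(n.adminPub, c.signedBytes(), c.AdminSig) && hash == IdentityHash(c.Identity)
}

func IdentityHash(identity []byte) string { return fmt.Sprintf("%x", sha256.Sum256(identity)) }

var ErrDuplicateIdentity = fmt.Errorf("identity hash already exists: regenerate and resend")

// Authenticate runs steps 5-7: an existing hash is rejected (the participant must
// regenerate it); otherwise the nodes vote and more than half of them must agree.
func Authenticate(a *Administrator, nodes []*Node, c *Credential, hash string) (bool, error) {
	if a.seen[hash] {
		return false, ErrDuplicateIdentity
	}
	votes := 0
	for _, n := range nodes {
		if n.Vote(c, hash) {
			votes++
		}
	}
	if votes*2 <= len(nodes) {
		return false, nil
	}
	a.seen[hash] = true
	return true, nil
}

// RunScenario is constructed for this example: a vendor device joins; a second application
// reusing the same identity is told to regenerate; a credential the administrator never
// issued (self-signed by a rogue device) gets no votes.
func RunScenario() (first, duplicateRejected, regenerated, forgedAdmitted bool) {
	admin := NewAdministrator()
	var nodes []*Node
	for i := 0; i < 5; i++ {
		nodes = append(nodes, &Node{adminPub: admin.Pub})
	}
	join := func(identity []byte) (bool, error) {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		c, err := admin.Register(identity, pub, ed25519.Sign(priv, identity))
		if err != nil {
			return false, err
		}
		return Authenticate(admin, nodes, c, IdentityHash(c.Identity))
	}
	identity := []byte("vendorA|olt-7|2023-09|slave-chain-A")
	first, _ = join(identity)
	_, err := join(identity)
	duplicateRejected = err == ErrDuplicateIdentity
	regenerated, _ = join([]byte(string(identity) + "|nonce-2"))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	forged := &Credential{Identity: []byte("rogue-device"), PublicKey: pub}
	forged.AdminSig = ed25519.Sign(priv, forged.signedBytes()) // self-signed, not by the administrator
	forgedAdmitted, _ = Authenticate(admin, nodes, forged, IdentityHash(forged.Identity))
	return
}

func main() { fmt.Println(RunScenario()) }
```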
Referring to fig. 3, a flowchart of a block chain access control method based on a split optical network according to an embodiment of the present application is shown.
In the application, ciphertext-policy attribute-based encryption (CP-ABE) is combined with an information-centric network (ICN) and applied to a white-box optical network, so that efficient distributed data sharing and fine-grained access control are realized and the privacy of users is protected. Then, a non-interactive zero-knowledge proof is introduced into the key-presence proof of CP-ABE, which avoids the high bandwidth consumption caused by invalid access control requests while preserving user privacy.
The block chain access control system based on the decomposition optical network comprises six types of entities: devices (i.e., device suppliers), publishers (i.e., provisioning users), rendezvous nodes (i.e., master and slave agent nodes), forwarding nodes (i.e., forwarding nodes across the chain communication layer), blockchains, and subscribers (i.e., operating users).
Wherein, the device refers to optical devices or gateways of different manufacturers, which are producers of data. The data becomes named data objects after being assigned a unique namespace. Named data objects may be, but are not limited to, text, video, pictures, audio, streaming media, and interactive media, regardless of transmission, location, storage methods, and application. The definition of named data objects may be fine grained, as small as a data packet.
The publisher represents the user or administrator of the binding device, i.e., the publisher of the data. Publishers are primarily responsible for namespace management of devices and customization of access control policies. The publisher uploads named data objects with access policies to the rendezvous node according to a particular namespace.
The rendezvous node set implements a rendezvous functional interface responsible for name resolution of the received named data object. The rendezvous node caches the named data object locally and encrypts the data according to the data published by the publisher and the access policy. In our system, the rendezvous node also serves as a work node of the blockchain. The advantage is that the rendezvous node can interact with the blockchain locally and directly, so that access policy management is both efficient and secure. When a publisher wants to distribute content, it sends a broadcast message to the rendezvous nodes in its vicinity; the message is forwarded by routing to the other rendezvous nodes and assigned the corresponding namespaces.
The forwarding node forwards the named data object to the rendezvous node to realize the topology management function.
The blockchain serves as a distributed, decentralized data management cluster and is mainly responsible for managing access control policies. At the same time, the smart contracts it provides implement the access control program. The non-repudiation and traceability of the blockchain ensure the security and reliability of access policy management.
Subscribers are intended to represent users or organizations, i.e., consumers of data. Subscribers send a sub-message to the rendezvous node to subscribe to named data objects of the name scope. Once a new data stream reaches the rendezvous node, it pushes the broadcast message to subscribers in the namespace matching group.
Step S301, a provisioning user of the provisioning node generates source data, allocates a namespace for the source data, obtains a named data object, and formulates an access policy of the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer.
Metadata (Metadata) is data about data, i.e., describing a particular type of resource according to a particular purpose-defined description rule, is the basis for organizing and managing data.
In implementations, the device acts as a data source, generating static or dynamic data for a local administrator or its owner; the publisher manages the data generated by the device, assigns namespaces to it, and formulates access policies for it. The metadata source is recorded through the namespace assigned to it, and the metadata format is described in the same way. After packaging, the metadata can be conveniently read by a computer system.
As an alternative embodiment, the provisioning node may obtain a digital digest from the named data object, encrypt the named data object, generate a public key, and splice the source data, the public key, the digital digest, and the access policy to obtain the metadata.
Specifically, after the provisioning node receives the named data object and the access policy from the publishing server, the named data object is preprocessed. First, a digital digest (hash value) of the named data object is generated using the SHA256 algorithm. The named data object is then encrypted by symmetric encryption and cached locally. Finally, the decryption key and the digital digest are spliced into a piece of metadata. In addition, during the splicing process, the source data, public key, digital digest, and access policy are spliced into the metadata as well.
Access policies can generally be divided into the following cases according to the type of restriction:
(1) Only the validity time of the rule is limited, i.e., the effective time period of the access policy; outside this period the access policy is not in effect. If this parameter is not configured, the rule is continuously in effect with the default access type.
(2) Only the IP address used by the user to log in to the system is restricted: the user can only access the system from the specified IP address.
(3) Both the IP address used by the user to log in to the system and the effective time of the policy are limited.
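An added example (not the patent's code) of evaluating the three policy shapes just listed. The policy field names (`valid_from`, `valid_to`, `allowed_ips`), the request fields and the sample values are assumptions of this illustration; an unset time window means the rule is continuously in effect, and an unset IP list means any address is acceptable, which matches the default behaviour described above.

```python
"""Evaluating time-limited, IP-limited and combined access policies.

Added example, not from the patent. Field names and sample values are constructed.
"""
from datetime import datetime, timezone
import ipaddress


def policy_permits(policy: dict, source_ip: str, now: datetime) -> bool:
    """True when the request falls inside the policy's time window and IP set."""
    valid_from = policy.get("valid_from")
    valid_to = policy.get("valid_to")
    if valid_from is not None and now < valid_from:
        return False
    if valid_to is not None and now > valid_to:
        return False

    allowed = policy.get("allowed_ips")
    if allowed:
        addr = ipaddress.ip_address(source_ip)
        # Entries may be single hosts or CIDR ranges; ip_network accepts both forms.
        if not any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed):
            return False
    return True


def classify(policy: dict) -> str:
    """Name which of the three restriction types a policy uses."""
    time_limited = policy.get("valid_from") is not None or policy.get("valid_to") is not None
    ip_limited = bool(policy.get("allowed_ips"))
    if time_limited and ip_limited:
        return "time-and-ip"
    if time_limited:
        return "time-only"
    if ip_limited:
        return "ip-only"
    return "unrestricted"


# Constructed sample policies covering the three cases.
WINDOW_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 31, tzinfo=timezone.utc)
TIME_ONLY = {"valid_from": WINDOW_START, "valid_to": WINDOW_END}
IP_ONLY = {"allowed_ips": ["10.0.0.5", "192.168.1.0/24"]}
TIME_AND_IP = {"valid_from": WINDOW_START, "valid_to": WINDOW_END, "allowed_ips": ["10.0.0.5"]}
```

Timestamps are compared as timezone-aware `datetime` values; mixing naive and aware values would raise, which is preferable to silently evaluating a window in the wrong zone.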
A digital digest is produced by a function that maps a message of arbitrary length to a short message of fixed length, similar to a function whose argument is the message, i.e., a hash function. The digital digest is a fixed-length (128-bit) string of ciphertext obtained by "digesting" the plaintext to be protected with a one-way hash function. This string, also called a digital fingerprint, has a fixed length; different plaintexts digest to ciphertexts that always differ, while the same plaintext always has the same digest.
According to the method and device, metadata is obtained from the named data object of the source data, and the metadata digest is encrypted by attributes rather than encrypting the data directly, so that efficient distributed data sharing and fine-grained access control are realized and the privacy of users is protected.
Step S302, the slave agent node encrypts the metadata to obtain metadata ciphertext, and sends the metadata ciphertext to the master blockchain layer through the cross-chain communication layer.
In order to ensure the data security and privacy of the metadata, the metadata is further encrypted by using a blockchain algorithm after the metadata is received by the slave agent node, so that a metadata ciphertext is obtained.
Step S303, the master agent node decrypts the metadata ciphertext to obtain the metadata, calls a smart contract, and obtains a key format file according to the metadata.
As an optional embodiment, the master agent node splits the metadata to obtain source data, a public key, a digital digest and an access policy; the master agent node invokes the smart contract to store the public key as a key format file and the source data, digital digest, and access policy as ciphertext.
Specifically, the master agent node first decrypts the metadata ciphertext with the agreed algorithm to obtain the metadata, splits the metadata to obtain the public key, the access policy and the digital digest, then invokes a smart contract in the local blockchain, stores the public key (which represents the named data object) as a key format file, and stores the ciphertext (which represents the access policy and the digital digest) as a V value in the blockchain.
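An added example, not the patent's code, that carries the metadata round trip of step S301 (digest, encrypt and cache the named data object, splice the fields) and step S303 (split the fields back and check a retrieved object against the digest). The length-prefixed wire format is an assumption of this illustration, as is the keystream cipher: HMAC-SHA256 in counter mode stands in for the symmetric cipher the page leaves unspecified, and a real deployment would use an authenticated cipher such as AES-GCM. The "source" field is used here as the namespace identifier of the source data.

```python
"""Splice metadata from a named data object (S301) and split it again (S303).

Added example, not from the patent. Wire format and cipher are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

FIELDS = ("source", "public_key", "digest", "policy")   # splice order, assumed


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream transform (HMAC-SHA256 counter mode); same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def build_metadata(source: bytes, named_object: bytes, public_key: bytes, policy: bytes):
    """S301: SHA-256 digest, encrypt and cache the object, then splice the metadata."""
    digest = hashlib.sha256(named_object).digest()               # digital digest
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    cached_ciphertext = nonce + keystream_xor(key, nonce, named_object)  # kept locally
    fields = {"source": source, "public_key": public_key, "digest": digest, "policy": policy}
    metadata = b"".join(struct.pack(">I", len(fields[f])) + fields[f] for f in FIELDS)
    return metadata, cached_ciphertext, key


def split_metadata(metadata: bytes) -> dict:
    """S303: reverse the splice; raises ValueError on truncated or padded input."""
    fields, pos = {}, 0
    for name in FIELDS:
        if pos + 4 > len(metadata):
            raise ValueError("truncated metadata")
        (length,) = struct.unpack(">I", metadata[pos:pos + 4])
        pos += 4
        if pos + length > len(metadata):
            raise ValueError("truncated metadata")
        fields[name] = metadata[pos:pos + length]
        pos += length
    if pos != len(metadata):
        raise ValueError("trailing bytes after metadata")
    return fields


def digest_matches(named_object: bytes, fields: dict) -> bool:
    """Check a retrieved object against the digest carried in the metadata."""
    return hmac.compare_digest(hashlib.sha256(named_object).digest(), fields["digest"])


def decrypt_cached(cached_ciphertext: bytes, key: bytes) -> bytes:
    nonce, body = cached_ciphertext[:16], cached_ciphertext[16:]
    return keystream_xor(key, nonce, body)
```

The explicit length checks in `split_metadata` are the part worth copying: a splitter that trusts the length prefixes blindly turns a malformed metadata message from a peer into an exception or a silent misparse at the master agent node.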
As an alternative embodiment, the slave agent node forwards the metadata to all slave blockchain nodes of the slave blockchain layer.
In particular, when forwarding metadata in the slave blockchain layer, publishers need to send named data objects and access policies to neighboring forwarding nodes according to the namespace; the forwarding nodes then forward the data to a set of nearby rendezvous nodes via multicast.
Step S304, the operation user of the main agent node calls an intelligent contract to request verification of the attribute for matching the access strategy and the private key for matching the public key; and the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the private key into the attribute, and returns the attribute embedded with the private key to the operation user.
Taking the operator and vendor as an example, to gain vendor access, the operator will invoke a smart contract with the blockchain and request verification of the attributes for matching policies and the private key of the matching public key. To achieve attribute revocation, we write the attribute and carrier ID as key-value pairs to the blockchain. The blockchain first generates public parameters and evidence (using zero knowledge proof techniques) for the attributes and private keys and stores them on the chain, and then returns the attributes embedded with the private keys to the operator. In the whole step the operator only needs to know if he has the right to access the provider.
Step S305, the master agent node invokes an intelligent contract to verify the attribute embedded with the private key and the key format file; and in response to successful verification, granting access rights to the operator user to the provisioning user.
As an alternative embodiment, the metadata is verified by all slave blockchain nodes of the slave blockchain layer, and the supply user corresponding to the metadata is determined to be legitimate in response to the verification of the metadata by a preset number of slave blockchain nodes.
Specifically, to verify that its private key is legal and present, the master blockchain will automatically invoke the blockchain's smart contract to match the attribute key (the private key after embedding the attribute) with the key format file and access policy ciphertext to complete the identification.
Step S306, the operator user obtains the source data of the provider user according to the digital digest of the named data object in response to being granted access to the provider user.
Specifically, the blockchain will open access control rights to the operator and give the digital digest through which the operator can access the source data of the provisioning node.
If the identification fails, the access request fails and the requester is not allowed to send another access request for a short period. After multiple frequent access failures, the blockchain sends an alarm to the supply node, so that attacks and damage by malicious devices are prevented.
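An added example, not the patent's code, of the failure handling just described: a short lockout after each failed identification and an alarm to the supply node once failures repeat. The cooldown length, the alarm threshold, the sliding window and the alarm sink are assumptions; the clock is passed in explicitly so the behaviour is reproducible.

```python
"""Lockout after a failed identification and alarm after repeated failures.

Added example, not from the patent. Cooldown, threshold, window and sink are assumed.
"""
from collections import deque


class AccessGuard:
    def __init__(self, cooldown_s: float = 30.0, alarm_threshold: int = 5,
                 window_s: float = 300.0, alarm_sink=None):
        self.cooldown_s = cooldown_s            # "not allowed to request again for a short time"
        self.alarm_threshold = alarm_threshold  # failures within window that raise an alarm
        self.window_s = window_s
        self.alarm_sink = alarm_sink or (lambda msg: None)   # e.g. notify the supply node
        self._blocked_until = {}   # requester -> time from which requests are accepted again
        self._failures = {}        # requester -> deque of failure timestamps inside the window

    def may_request(self, requester: str, now: float) -> bool:
        return now >= self._blocked_until.get(requester, 0.0)

    def record_result(self, requester: str, identified: bool, now: float) -> dict:
        """Update state after a verification attempt and return the decision taken."""
        if identified:
            self._failures.pop(requester, None)   # a success clears the failure history
            return {"granted": True, "blocked_until": None, "alarm": False}
        blocked_until = now + self.cooldown_s
        self._blocked_until[requester] = blocked_until
        q = self._failures.setdefault(requester, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:  # forget failures outside the window
            q.popleft()
        alarm = len(q) >= self.alarm_threshold
        if alarm:
            self.alarm_sink(f"repeated access failures from {requester}: "
                            f"{len(q)} within {self.window_s:.0f}s")
        return {"granted": False, "blocked_until": blocked_until, "alarm": alarm}
```

The guard keys its state on the requester identity, so the alarm fires per misbehaving requester rather than for the system as a whole; a deployment that wants a global alarm would aggregate over all requesters in the sink.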
As can be seen from the foregoing, the blockchain access control method and related device based on the decomposition optical network provided in the present application are applied to a blockchain access control system based on the decomposition optical network, where the system includes an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node; the slave blockchain layer includes slave agent nodes; and the identity management system layer comprises a supply node. The method comprises the following steps: a supply user of the supply node generates source data, allocates a namespace for the source data, obtains a named data object, and formulates an access policy for the source data; the supply node generates metadata according to the named data object and the access policy and sends the metadata to the slave blockchain layer; the slave agent node encrypts the metadata to obtain a metadata ciphertext and transmits it to the master blockchain layer through the cross-chain communication layer; the master agent node decrypts the metadata ciphertext to obtain the metadata, calls a smart contract, and obtains a key format file according to the metadata; an operation user of the master agent node calls a smart contract to request verification of the attribute matching the access policy and the private key matching the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the private key into the attribute, and returns the attribute embedded with the private key to the operation user; the master agent node invokes the smart contract to verify the attribute embedded with the private key against the key format file; in response to successful verification, the operation user is granted access to the provisioning user; and the operation user obtains the source data of the provisioning user from the digital digest of the named data object in response to being granted that access.
The application provides a distributed and secure device authentication and control framework based on a blockchain, and an attribute-based access control mechanism is designed under the framework to support an operator in monitoring all device information in real time and to provide cross-provider access. Firstly, a secure and trustworthy decomposition optical network architecture is constructed, and a complete identity verification process for optical network devices joining the network is provided. Secondly, a new asynchronous distributed device distribution access network architecture is provided, which realizes efficient distributed data sharing and fine-grained access control and protects the privacy of users.
It should be noted that, the method of the embodiments of the present application may be performed by a single device, for example, a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present application, and the devices may interact with each other to complete the methods.
It should be noted that some embodiments of the present application are described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the application also provides a blockchain access control system based on the decomposition optical network, which corresponds to the blockchain access control method based on the decomposition optical network provided by any embodiment.
Referring to fig. 4, a schematic diagram of a blockchain access control system based on a split optical network according to an embodiment of the present application is provided.
The system comprises: an identity management system layer 401, a slave blockchain layer 402, a cross-chain communication layer 403, and a master blockchain layer 404; the master blockchain layer includes a master proxy node; the slave blockchain layer includes slave agent nodes; the identity management system layer includes a provisioning node:
the identity management system layer is configured to: generating source data by a supply user of the supply node, distributing a name space for the source data, obtaining a named data object, and formulating an access strategy of the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer;
the slave blockchain layer and the cross-chain communication layer are configured to: the slave agent node encrypts the metadata to obtain metadata ciphertext, and sends the metadata ciphertext to a master blockchain layer through the cross-chain communication layer;
the master blockchain layer is configured to: the master agent node decrypts the metadata ciphertext to obtain the metadata, calls an intelligent contract, and obtains a key format file according to the metadata;
The master blockchain layer is further configured to: the operation user of the main agent node calls an intelligent contract to request verification of the attribute for matching the access strategy and the private key for matching the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the attribute into the private key to obtain a verification value, and returns the verification value to the operation user;
the master blockchain layer is further configured to: the master agent node invokes an intelligent contract to verify the verification value and the key format file; and in response to successful verification, granting access rights to the operator user to the provisioning user.
Optionally, the identity management system layer 401 is further configured to:
obtaining the digital digest according to the named data object, encrypting the named data object, generating a public key, and splicing the source data, the public key, the digital digest and the access policy to obtain the metadata.
Optionally, the master blockchain layer 404 is further configured to:
the master agent node splits the metadata to obtain the source data, the public key, the digital digest and the access policy;
The master agent node invokes an intelligent contract to store the public key as the key format file and the source data, the digital digest, and the access policy as ciphertext.
Optionally, the slave blockchain layer 402 is further configured to:
the slave agent node forwards the metadata to all slave blockchain nodes of the slave blockchain layer.
Optionally, the slave blockchain layer 402 is further configured to:
verifying the metadata by all the slave blockchain nodes of the slave blockchain layer, and determining that the supply user corresponding to the metadata is legitimate in response to the verification of the metadata by a preset number of the slave blockchain nodes.
Optionally, the slave blockchain layer 402 is further configured to:
determining the slave agent node from all the slave blockchain nodes according to the proportion of the deposit submitted by each of the slave blockchain nodes of the slave blockchain layer and the proportion of the communication time of each of the slave blockchain nodes.
Optionally, the master blockchain layer 404 is further configured to:
determining the master proxy node from all the master blockchain nodes according to the proportion of the deposit submitted by each of the master blockchain nodes of the master blockchain layer and the proportion of the communication time of each of the master blockchain nodes.
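An added example, not the patent's code, of selecting a layer's agent node from the two ratios named above (each node's share of the total deposit and its share of the total communication time). The page does not say how the two ratios are combined, so the weighted sum with equal default weights is an assumption, as is treating a larger communication-time share as better; the node records are constructed. The tie-break on node id is deterministic so that every node in the layer arrives at the same choice.

```python
"""Agent node selection from deposit share and communication-time share.

Added example, not from the patent. The combination rule and node records are assumed.
"""


def score_nodes(nodes: dict, deposit_weight: float = 0.5, time_weight: float = 0.5) -> dict:
    """nodes maps node id -> {"deposit": float, "comm_time": float}; returns id -> score."""
    if not nodes:
        raise ValueError("no candidate nodes")
    for node_id, n in nodes.items():
        if n["deposit"] < 0 or n["comm_time"] < 0:
            raise ValueError(f"negative value for node {node_id}")
    total_deposit = sum(n["deposit"] for n in nodes.values())
    total_time = sum(n["comm_time"] for n in nodes.values())
    scores = {}
    for node_id, n in nodes.items():
        deposit_ratio = n["deposit"] / total_deposit if total_deposit else 0.0
        time_ratio = n["comm_time"] / total_time if total_time else 0.0
        scores[node_id] = deposit_weight * deposit_ratio + time_weight * time_ratio
    return scores


def select_agent(nodes: dict, deposit_weight: float = 0.5, time_weight: float = 0.5) -> str:
    """Highest score wins; ties are broken by the smallest node id for determinism."""
    scores = score_nodes(nodes, deposit_weight, time_weight)
    return min(scores, key=lambda node_id: (-scores[node_id], node_id))


# Constructed candidate set for a slave blockchain layer.
CANDIDATES = {
    "node-1": {"deposit": 50.0, "comm_time": 100.0},
    "node-2": {"deposit": 30.0, "comm_time": 300.0},
    "node-3": {"deposit": 20.0, "comm_time": 100.0},
}
```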
For convenience of description, the above system is described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The system of the above embodiment is used for implementing the corresponding blockchain access control method based on the decomposition optical network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein.
Based on the same inventive concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor implements the blockchain access control method based on the decomposition optical network according to any embodiment when executing the program.
Fig. 5 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: processor 510, memory 520, input/output interface 530, communication interface 540, and bus 550. Wherein processor 510, memory 520, input/output interface 530, and communication interface 540 enable a communication connection within the device between each other via bus 550.
The processor 510 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 520 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 520 may store an operating system and other application programs, and when the embodiments of the present disclosure are implemented in software or firmware, the associated program code is stored in memory 520 and executed by processor 510.
The input/output interface 530 is used for connecting with an input/output module to realize information input and output. The input/output module may be configured as a component in a device (not shown in the figure) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The communication interface 540 is used to connect with a communication module (not shown in the figure) to enable communication interaction between the present device and other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 550 includes a path to transfer information between elements of the device (e.g., processor 510, memory 520, input/output interface 530, and communication interface 540).
It should be noted that although the above device only shows the processor 510, the memory 520, the input/output interface 530, the communication interface 540, and the bus 550, in the implementation, the device may further include other components necessary for achieving normal operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the blockchain access control method based on the decomposition optical network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein.
Based on the same inventive concept, corresponding to any of the above embodiments of the method, the present application further provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method for controlling blockchain access based on the decomposition optical network according to any of the above embodiments.
The non-transitory computer readable storage media described above can be any available media or data storage device that can be accessed by a computer, including, but not limited to, magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MOs), etc.), optical storage (e.g., CD, DVD, BD, HVD, etc.), and semiconductor storage (e.g., ROM, EPROM, EEPROM, nonvolatile storage (NAND FLASH), Solid State Disk (SSD)), etc.
The storage medium of the above embodiment stores computer instructions for causing the computer to perform the blockchain access control method based on the decomposition optical network according to any one of the above exemplary method parts, and has the advantages of the corresponding method embodiments, which are not described herein.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this is not required to or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in embodiments of the present application, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
While the spirit and principles of this application have been described with reference to several particular embodiments, it is to be understood that this application is not limited to the disclosed particular embodiments nor does it imply that features in the various aspects are not useful in combination, nor are they intended to be in any way useful for the convenience of the description. The application is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (10)

1. A blockchain access control method based on a decomposition optical network, applied to a blockchain access control system based on a decomposition optical network, the system comprising: an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master proxy node; the slave blockchain layer includes slave agent nodes; the identity management system layer comprises a supply node;
the method comprises the following steps:
generating source data by a supply user of the supply node, distributing a name space for the source data, obtaining a named data object, and formulating an access strategy of the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer;
the slave agent node encrypts the metadata to obtain metadata ciphertext, and sends the metadata ciphertext to a master blockchain layer through the cross-chain communication layer;
the master agent node decrypts the metadata ciphertext to obtain the metadata, calls an intelligent contract, and obtains a key format file according to the metadata;
the operation user of the main agent node calls an intelligent contract to request verification of the attribute for matching the access strategy and the private key for matching the public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the private key into the attribute, and returns the attribute embedded with the private key to the operation user;
The master agent node invokes an intelligent contract to verify the attribute embedded with the private key and the key format file; in response to a successful verification, granting access rights to the operator user to access the provisioning user;
the operator user obtains the source data of the provider user according to the digital abstract of the named data object in response to the access rights granted to the provider user.
2. The method of claim 1, wherein the provisioning node generating metadata from the named data object and the access policy comprises:
obtaining the digital digest according to the named data object, encrypting the named data object, generating a public key, and splicing the source data, the public key, the digital digest and the access policy to obtain the metadata.
3. The method according to claim 1, wherein the method further comprises:
the master agent node splits the metadata to obtain the source data, the public key, the digital digest and the access policy;
the master agent node invokes an intelligent contract to store the public key as the key format file and the source data, the digital digest, and the access policy as ciphertext.
4. The method according to claim 1, wherein the method further comprises:
the slave agent node forwards the metadata to all slave blockchain nodes of the slave blockchain layer.
5. The method according to claim 4, wherein the method further comprises:
verifying the metadata by all the slave blockchain nodes of the slave blockchain layer, and determining that the supply user corresponding to the metadata is legitimate in response to the verification of the metadata by a preset number of the slave blockchain nodes.
6. The method according to claim 4, wherein the method further comprises:
determining the slave agent node from all the slave blockchain nodes according to the proportion of the deposit submitted by each of the slave blockchain nodes of the slave blockchain layer and the proportion of the communication time of each of the slave blockchain nodes.
7. The method according to claim 1, wherein the method further comprises:
determining the master proxy node from all the master blockchain nodes according to the proportion of the deposit submitted by each of the master blockchain nodes of the master blockchain layer and the proportion of the communication time of each of the master blockchain nodes.
8. A blockchain access control system based on a split optical network, the system comprising: an identity management system layer, a slave blockchain layer, a cross-chain communication layer and a master blockchain layer; the master blockchain layer includes a master agent node; the slave blockchain layer includes slave agent nodes; the identity management system layer includes a supply node;
the identity management system layer is configured to: generate source data by a supply user of the supply node, allocate a namespace to the source data to obtain a named data object, and formulate an access policy for the source data; the supply node generates metadata according to the named data object and the access policy, and sends the metadata to the slave blockchain layer;
the slave blockchain layer and the cross-chain communication layer are configured to: the slave agent node encrypts the metadata to obtain a metadata ciphertext, and sends the metadata ciphertext to the master blockchain layer through the cross-chain communication layer;
the master blockchain layer is configured to: the master agent node decrypts the metadata ciphertext to obtain the metadata, invokes a smart contract, and obtains a key format file according to the metadata;
the master blockchain layer is further configured to: an operation user of the master agent node invokes a smart contract to request verification of an attribute matching the access policy and of a private key matching a public key; the master agent node generates public parameters and evidence according to the attribute and the private key, embeds the attribute into the private key to obtain a verification value, and returns the verification value to the operation user;
the master blockchain layer is further configured to: the master agent node invokes a smart contract to verify the verification value and the key format file; and in response to successful verification, grants the operation user access rights to the supply user.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311206656.4A CN117395027A (en) 2023-09-18 2023-09-18 Block chain access control method based on decomposition optical network and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311206656.4A CN117395027A (en) 2023-09-18 2023-09-18 Block chain access control method based on decomposition optical network and related equipment

Publications (1)

Publication Number Publication Date
CN117395027A (en) 2024-01-12

Family

ID=89438115

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311206656.4A Pending CN117395027A (en) 2023-09-18 2023-09-18 Block chain access control method based on decomposition optical network and related equipment

Country Status (1)

Country Link
CN (1) CN117395027A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination