CN117454445A - Block chain-based data access control method and related equipment - Google Patents

Block chain-based data access control method and related equipment

Info

Publication number
CN117454445A
Authority
CN
China
Prior art keywords
data
authorization credential
target data
blockchain
authorization
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311633560.6A
Other languages
Chinese (zh)
Inventor
武志立
薛峰
林博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiaxing Research Institute of Zhejiang University
Original Assignee
Jiaxing Research Institute of Zhejiang University
Application filed by Jiaxing Research Institute of Zhejiang University
Priority to CN202311633560.6A
Publication of CN117454445A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2471 Distributed queries
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Fuzzy Systems (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a blockchain-based data access control method and related equipment, in the technical field of blockchains. The method comprises: encrypting target data with an asymmetric key algorithm and sending the encrypted target data to an InterPlanetary File System (IPFS), which chunks and hashes the encrypted target data to generate fingerprint information for the target data; and, once the fingerprint information is received, initiating a registration request for the target data to a data authorization credential chain, so that an authorized data user terminal can query the target data.

Description

Block chain-based data access control method and related equipment
Technical Field
The present disclosure relates to the field of blockchain technologies, and more particularly, to a blockchain-based data access control method and related devices.
Background
Data authorization is the process of ensuring that data is accessible only to authorized users, and it is central to data privacy and security. Traditional data authorization methods include RBAC (Role-Based Access Control), ABAC (Attribute-Based Access Control), OAuth (Open Authorization) and access control lists (ACLs). These methods are typically built on authentication and permission control, but they may not be sufficient to guarantee the security and controllability of the data, and a centralized authorization system is a single point of failure, a security risk and a target for forgery.
Disclosure of Invention
This summary introduces a series of concepts in simplified form that are described in more detail in the detailed description. It is not intended to identify key or essential features of the claimed subject matter, nor to be used to determine its scope.
In a first aspect, the present application proposes a blockchain-based data access control method for a data owner terminal, the method comprising:
encrypting target data with an asymmetric key algorithm and sending the encrypted target data to an InterPlanetary File System (IPFS), so that the IPFS chunks and hashes the encrypted target data to generate fingerprint information corresponding to the target data;
and, once the fingerprint information is received, initiating a registration request for the target data to a data authorization credential chain, so that an authorized data user terminal can query the target data.
Optionally, the method further comprises:
on receiving a data access request sent by the data user terminal through the data authorization credential chain, generating a data authorization credential with an authorization credential generation algorithm, storing the data authorization credential on the data authorization credential chain, and broadcasting it to the data user terminal.
Optionally, the method further comprises:
revoking the data access rights of the data user terminal by setting the status attribute of the data authorization credential to invalid and uploading the modified data authorization credential to the data authorization credential chain again.
In a second aspect, the present application proposes a blockchain-based data access control method for a data user terminal, the method comprising:
querying target data through the data authorization credential chain and sending a first data access request to the data owner terminal to obtain a data authorization credential generated by the data owner terminal;
and, once the data authorization credential is received, initiating a second access request to the IPFS.
In a third aspect, the present application proposes a blockchain-based data access control method for an InterPlanetary File System, the method comprising:
on receiving encrypted target data sent by a data owner terminal, chunking and hashing the encrypted target data to generate fingerprint information corresponding to the target data;
and sending the fingerprint information to the data owner terminal, so that the data owner terminal initiates a registration request for the target data to a data authorization credential chain and an authorized data user terminal can query the target data.
Optionally, the method further comprises:
on receiving a second access request sent by a data user terminal, verifying the address information of the data user terminal and sending a verification request, carrying the credential ID, to the authorization credential chain to obtain a verification result;
and deciding, based on the verification result, whether to provide the encrypted target data to the data user terminal.
In a fourth aspect, an embodiment of the present application proposes a blockchain-based data access control device for a data owner, comprising:
a first sending unit for encrypting target data with an asymmetric key algorithm and sending the encrypted target data to the IPFS, so that the IPFS chunks and hashes the encrypted target data to generate fingerprint information corresponding to the target data;
and a first initiating unit for initiating, once the fingerprint information is received, a registration request for the target data to the data authorization credential chain, so that an authorized data user terminal can query the target data.
In a fifth aspect, an embodiment of the present application proposes a blockchain-based data access control device for a data user, comprising:
a second sending unit for querying target data through the data authorization credential chain and sending a first data access request to the data owner terminal to obtain a data authorization credential generated by the data owner terminal;
and a second initiating unit for initiating a second access request to the IPFS once the data authorization credential is received.
In a sixth aspect, an electronic device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the blockchain-based data access control method of any of the first to third aspects when executing the program.
In a seventh aspect, the present application also proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the blockchain-based data access control method of any of the first to third aspects.
In summary, the blockchain-based data access control method of the embodiments of the application comprises: encrypting target data with an asymmetric key algorithm and sending the encrypted target data to an IPFS, so that the IPFS chunks and hashes the encrypted target data to generate fingerprint information corresponding to the target data; and, once the fingerprint information is received, initiating a registration request for the target data to a data authorization credential chain, so that an authorized data user terminal can query the target data. Because the data is encrypted with an asymmetric key algorithm, only holders of the corresponding private key can decrypt and access it. The data fingerprint generated by the IPFS through chunking and hashing provides integrity and tamper evidence for the stored data. IPFS is a decentralized storage solution that avoids drawbacks of centralized storage such as a single point of failure and the risk of data loss. The generated fingerprint lets the data be retrieved more efficiently and accurately and simplifies data management. Registering the data information on the data authorization credential chain makes the data access process transparent and traceable: an authorized data user terminal can query the data information through the blockchain network, which improves the convenience and transparency of data use. The data information comprises the account address, data fingerprint, name, type and brief description, which lets regulators and data managers track and maintain the data.
Ownership of the data on the chain is established by the data owner's registration information, and the data owner grants or revokes data access rights flexibly through the authorization mechanism implemented on the blockchain. By combining asymmetric encryption, IPFS and blockchain techniques, the method provides a secure, efficient, transparent and easily supervised data storage and access solution, which is critical for protecting sensitive data, facilitating data sharing and maintaining the integrity and security of the data system.
Additional advantages, objects, and features of the present application will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the present application.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the specification. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 is a schematic flow chart of a blockchain-based data access control method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a blockchain-based data access control method according to an embodiment of the present application;
FIG. 3 is a flowchart of another blockchain-based data access control method according to an embodiment of the present application;
FIG. 4 is a flowchart of another blockchain-based data access control method according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a blockchain-based data access control device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a blockchain-based data access control device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a blockchain-based data access control electronic device according to an embodiment of the present application.
Detailed Description
The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application.
To address the shortcomings of the prior art, the invention provides a blockchain-based data access control method. The method relies on blockchain technology to implement the complete life cycle of an authorization credential (generation, use, verification and revocation), ensures that the circulation and use of data is not controlled by a third party, and prevents malicious tampering with and access to the data. As shown in fig. 2, the method involves the following entities:
Data Owner (DO): the party holding ownership of the data, who autonomously authorizes and controls access to it; the data owner operates through a data owner terminal.
Data User (DU): the party that obtains the data; it can acquire data securely and efficiently, and operates through a data user terminal.
InterPlanetary File System (IPFS): a peer-to-peer distributed file system that provides persistent, decentralized storage and sharing of files.
Authorization Credential Chain (ACC): the data authorization credential chain, a blockchain that records data registration information, credential generation, credential authorization, credential revocation and so on.
Referring to fig. 1, a blockchain-based data access control method provided in an embodiment of the present application may specifically comprise:
S110, encrypting target data with an asymmetric key algorithm and sending the encrypted target data to an IPFS, so that the IPFS chunks and hashes the encrypted target data to generate fingerprint information corresponding to the target data;
Illustratively, fig. 2 is a schematic diagram of a blockchain-based data access control method according to an embodiment of the present application. In step (1), the data owner DO encrypts the original data with an asymmetric key algorithm using its own public key PK_DO and stores the encrypted data in the IPFS. Symbolically: DO → IPFS: {data}PK_DO. In step (2), after the IPFS receives the data, it generates the uniquely corresponding data fingerprint information digital through data chunking and hash computation, and returns the fingerprint information. Symbolically: IPFS → DO: {digital}.
S120, once the fingerprint information is received, initiating a registration request for the target data to a data authorization credential chain, so that an authorized data user terminal can query the target data.
Illustratively, upon receipt of the fingerprint information, the data owner DO initiates a data information registration request to the data authorization credential chain ACC, as in step (3) of fig. 2, completing the on-chain storage of the data information. Other users that have joined the blockchain network can query the data information through the broadcast of the blockchain network. The data information dataInfo comprises the account address DO_address of the data owner DO, the data fingerprint information digital, the data name dataName, the data type dataType, the data description dataDescription and similar fields. Symbolically: DO → ACC: {dataInfo: {DO_address, digital, dataName, dataType, dataDescription}}.
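Steps (1) to (3) above, as an added example in Go that is not part of the patent: the owner encrypts the target data, the storage side computes the chunk-and-hash fingerprint digital, and the owner builds the dataInfo record. Everything here is an assumption chosen for the demonstration: hybrid encryption (a random AES-256-GCM content key wrapped with RSA-OAEP under PK_DO) stands in for the patent's "asymmetric key algorithm", the fingerprint is SHA-256 over the ordered SHA-256 chunk digests rather than a real IPFS CID, the chunk size, addresses and sample record are constructed, and no real IPFS node or chain is contacted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredObject is what IPFS receives in step (1): the AES-GCM ciphertext plus the
// content key wrapped under PK_DO (hybrid encryption; assumption, see lead-in).
type StoredObject struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Bytes is the exact byte string IPFS stores and fingerprints.
func (o *StoredObject) Bytes() []byte {
	return append(append(append([]byte{}, o.WrappedKey...), o.Nonce...), o.Ciphertext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is DO -> IPFS: {data}PK_DO.
func Encrypt(pkDO *rsa.PublicKey, data []byte) (*StoredObject, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pkDO, key, nil)
	if err != nil {
		return nil, err
	}
	return &StoredObject{wrapped, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}

// Decrypt is the owner-side inverse: unwrap the content key with SK_DO, then open.
func Decrypt(skDO *rsa.PrivateKey, obj *StoredObject) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, skDO, obj.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// Fingerprint is step (2): split the stored bytes into chunks, hash each chunk, and
// hash the ordered chunk digests into one root digest ("digital"). Changing any
// stored byte, or reordering chunks, changes the root.
func Fingerprint(stored []byte, chunkSize int) string {
	root := sha256.New()
	for off := 0; off < len(stored); off += chunkSize {
		end := off + chunkSize
		if end > len(stored) {
			end = len(stored)
		}
		chunk := sha256.Sum256(stored[off:end])
		root.Write(chunk[:])
	}
	return hex.EncodeToString(root.Sum(nil))
}

// DataInfo is the registration record DO -> ACC of step (3). A reader later
// recomputes Fingerprint over what IPFS returned and compares it with Digital.
type DataInfo struct {
	DOAddress, Digital, DataName, DataType, DataDescription string
}

func main() {
	skDO, _ := rsa.GenerateKey(rand.Reader, 2048)
	obj, _ := Encrypt(&skDO.PublicKey, []byte("patient-record-0042: bp=120/80, hr=72")) // constructed
	info := DataInfo{"0xdo", Fingerprint(obj.Bytes(), 256), "patient-record-0042", "ehr", "constructed sample"}
	fmt.Printf("registered %s, digital=%s\n", info.DataName, info.Digital)
	tampered := obj.Bytes()
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("fetched object matches:", Fingerprint(obj.Bytes(), 256) == info.Digital,
		"tampered matches:", Fingerprint(tampered, 256) == info.Digital)
}
```

Fingerprinting the stored bytes (wrapped key, nonce and ciphertext together) rather than the plaintext is what lets a reader detect a swapped or modified object without being able to decrypt it; the check belongs on the consumer side after the fetch, against the digital recorded in dataInfo on the chain.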
In summary, the embodiments of the present application provide a blockchain-based data access control method for the data owner. Because the data is encrypted with an asymmetric key algorithm, only holders of the corresponding private key can decrypt and access it. The data fingerprint generated by the IPFS through chunking and hashing provides integrity and tamper evidence for the stored data, and the decentralized storage of IPFS avoids drawbacks of centralized storage such as a single point of failure and the risk of data loss. The fingerprint lets the data be retrieved more efficiently and accurately and simplifies data management. Registering the data information on the data authorization credential chain makes the data access process transparent and traceable: an authorized data user terminal can query the data information through the blockchain network, and the account address, data fingerprint, name, type and brief description in the record let regulators and data managers track and maintain the data. Ownership of the data on the chain is established by the data owner's registration information, and the data owner grants or revokes access rights flexibly through the authorization mechanism implemented on the blockchain. By combining asymmetric encryption, IPFS and blockchain techniques, the method provides a secure, efficient, transparent and easily supervised data storage and access solution, which is critical for protecting sensitive data, facilitating data sharing and maintaining the integrity and security of the data system.
In some examples, the above method further comprises:
on receiving a data access request sent by the data user terminal through the data authorization credential chain, generating a data authorization credential with an authorization credential generation algorithm, storing the data authorization credential on the data authorization credential chain, and broadcasting it to the data user terminal.
Illustratively, as in step (5) of fig. 2, after obtaining the data use application dataRequest, the data owner DO verifies the identity DU_address of the data user; after verification, it generates a data authorization credential AC with the authorization credential generation algorithm, stores the AC on the data authorization credential chain ACC, and broadcasts it to the data user. The data authorization credential AC comprises a unique identifier ID, the data name dataName, the data fingerprint information digital, the data owner identity DO_address, the data user identity DU_address, the credential status status, the encrypted private key information SK, the data owner's public key PK_DO, the data credential signature sign and similar fields. The encrypted private key information SK is obtained by encrypting the data owner's private key SK_DO with the data user's public key PK_DU, i.e. SK = {SK_DO}PK_DU. At the same time, the data owner signs the generated credential with its private key SK_DO to guarantee the integrity and validity of the credential, i.e. sign = {AC}SK_DO. Symbolically: DO → ACC: {AC: {ID, dataName, digital, DO_address, startTime, endTime, DU_address, PK_DO, status, SK, sign}}.
The inputs of the algorithm are:
DO_address, the account address of the data owner.
DU_address, the account address of the data user.
dataRequest, the data request information, containing the data user's address, the requested data name, the start and end times of use, and the data user's public key.
The outputs of the algorithm are:
Status, the result state of the create operation.
authStatus, the authorization status.
dataList, the resource access list of the data owner.
The algorithm flow is:
A1, initialize the state: Status and authStatus are initially set to false, indicating that authorization has not yet succeeded.
A2, verify the data user's identity: check whether the data user (DU_address) has joined the chain. If not, Status remains false.
A3, broadcast the data request: if the data user is an on-chain user, the data owner (DO) broadcasts the data request (dataRequest) to the blockchain network (ACC).
A4, authenticate and generate the authorization credential: the data owner verifies the identity of the data user (DU_address). If verification succeeds, the data user's address is added to the data owner's access list (dataList) and an authorization credential (AC) is generated: the SHA256 hash of the dataRequest is used as the access token ID (ac.id); the other credential fields are set, such as the data name, data fingerprint, data owner and user addresses, owner public key and authorization status (valid); the data owner's private key (SK_DO) is encrypted with the data user's public key (PK_DU) to produce the encrypted private key information (ac.sk); and the data owner signs the authorization credential with its private key (ac.sign).
A5, broadcast the authorization credential: the authorization credential (AC) is broadcast to the data user (DU) through the blockchain network (ACC).
A6, update the state: set Status and authStatus to true, indicating that the authorization credential was created and broadcast successfully.
A7, return the results: return Status, authStatus and dataList.
The algorithm is combined with the blockchain technology, so that the transparency and the security of data authorization are realized. It allows the data owner to control who can access his data while guaranteeing traceability and non-tamper-ability of the entire authorization process.
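The credential generation algorithm A1 to A7 above, together with the signature check the data user performs in step (6), as an added Go example that is not the patent's code. Assumptions: the ACC is an in-memory map of joined addresses and broadcast credentials; ID is SHA-256 over a fixed serialization of the dataRequest; the signature is RSA-PSS over a fixed serialization of every other credential field; and the SK field carries a per-dataset content key wrapped under PK_DU with RSA-OAEP, rather than the owner's own private key SK_DO as the patent specifies. That last change is deliberate: wrapping SK_DO would hand the data user the key that also signs credentials, so the user could then mint credentials in the owner's name. Addresses, times and the content key are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// DataRequest is the use application DU -> ACC of step (4); PKDU is PKIX DER.
type DataRequest struct {
	DUAddress, DataName string
	StartTime, EndTime  int64
	PKDU                []byte
}

// AC is the authorization credential of step (5). SK carries the dataset's content
// key wrapped under PK_DU (assumption: the patent wraps SK_DO itself, see lead-in).
type AC struct {
	ID, DataName, Digital, DOAddress, DUAddress string
	StartTime, EndTime                          int64
	PKDO, SK, Sign                              []byte
	Status                                      bool // true = valid
}

// signingInput binds every field except Sign, so a holder cannot re-point the
// credential at other data, another address or another validity window.
func (ac *AC) signingInput() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%d|%d|%x|%x|%t", ac.ID, ac.DataName,
		ac.Digital, ac.DOAddress, ac.DUAddress, ac.StartTime, ac.EndTime, ac.PKDO, ac.SK, ac.Status)))
	return h[:]
}

// Chain stands in for the ACC: joined addresses and the credentials broadcast so far.
type Chain struct {
	Joined      map[string]bool
	Credentials map[string]*AC
}

// parseRSA returns nil when der is not a PKIX-encoded RSA public key.
func parseRSA(der []byte) *rsa.PublicKey {
	k, _ := x509.ParsePKIXPublicKey(der)
	pk, _ := k.(*rsa.PublicKey)
	return pk
}

// GenerateCredential follows A1-A7 and returns (AC, Status, authStatus, dataList).
func GenerateCredential(chain *Chain, skDO *rsa.PrivateKey, doAddress, digital string,
	req DataRequest, contentKey []byte, dataList []string) (*AC, bool, bool, []string, error) {
	if !chain.Joined[req.DUAddress] { // A1, A2: Status stays false unless DU has joined
		return nil, false, false, dataList, fmt.Errorf("%s has not joined the chain", req.DUAddress)
	}
	pkDU := parseRSA(req.PKDU) // A4: the user's key must be usable before anything is issued
	if pkDU == nil {
		return nil, false, false, dataList, fmt.Errorf("bad public key for %s", req.DUAddress)
	}
	dataList = append(dataList, req.DUAddress)
	id := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d|%x", req.DUAddress, req.DataName,
		req.StartTime, req.EndTime, req.PKDU))) // ac.ID = SHA256(dataRequest)
	sk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pkDU, contentKey, nil)
	if err != nil {
		return nil, false, false, dataList, err
	}
	pkDO, _ := x509.MarshalPKIXPublicKey(&skDO.PublicKey)
	ac := &AC{ID: fmt.Sprintf("%x", id[:]), DataName: req.DataName, Digital: digital,
		DOAddress: doAddress, DUAddress: req.DUAddress, StartTime: req.StartTime,
		EndTime: req.EndTime, PKDO: pkDO, SK: sk, Status: true}
	if ac.Sign, err = rsa.SignPSS(rand.Reader, skDO, crypto.SHA256, ac.signingInput(), nil); err != nil {
		return nil, false, false, dataList, err
	}
	chain.Credentials[ac.ID] = ac // A5, A6: broadcast, then Status = authStatus = true
	return ac, true, true, dataList, nil
}

// VerifyCredential is the user-side check of step (6). trustedPKDO must be the owner's
// key from the registration record on the chain, not the copy inside the credential.
func VerifyCredential(ac *AC, trustedPKDO []byte) bool {
	pk := parseRSA(trustedPKDO)
	if pk == nil || string(ac.PKDO) != string(trustedPKDO) {
		return false
	}
	return rsa.VerifyPSS(pk, crypto.SHA256, ac.signingInput(), ac.Sign, nil) == nil
}

func main() {
	skDO, _ := rsa.GenerateKey(rand.Reader, 2048)
	skDU, _ := rsa.GenerateKey(rand.Reader, 2048)
	pkDO, _ := x509.MarshalPKIXPublicKey(&skDO.PublicKey)
	pkDU, _ := x509.MarshalPKIXPublicKey(&skDU.PublicKey)
	chain := &Chain{Joined: map[string]bool{"0xdu": true}, Credentials: map[string]*AC{}}
	key := []byte("constructed-32-byte-content-key!") // all values below are constructed samples
	ac, status, auth, list, err := GenerateCredential(chain, skDO, "0xdo", "fp-0042",
		DataRequest{"0xdu", "patient-record-0042", 1700000000, 1700003600, pkDU}, key, nil)
	k, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, skDU, ac.SK, nil) // DU unwraps with SK_DU
	fmt.Println(status, auth, list, err, "sig ok:", VerifyCredential(ac, pkDO), "key ok:", string(k) == string(key))
}
```

VerifyCredential takes the owner's public key from the registration record rather than trusting the PK_DO copy inside the credential; without that comparison the PK_DO field would be attacker-chosen and a valid signature would prove nothing about who issued the credential.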
In some examples, the above method further comprises:
revoking the data access rights of the data user terminal by setting the status attribute of the data authorization credential to invalid and uploading the modified data authorization credential to the data authorization credential chain again.
Illustratively, as in step (d) of fig. 2, when the data owner DO wants to revoke the data user DU's right to access the data, it only needs to set the status attribute of the authorization credential AC to invalid using the credential revocation algorithm and re-initiate the uplink request to the data authorization credential chain ACC. Symbolically: DO → ACC: {AC, status: invalid}. The authorization credential revocation algorithm is described below.
This algorithm implements authorization credential revocation in the blockchain-based data access control system. Its purpose is to let the data owner revoke access rights previously granted to a data user.
The inputs of the algorithm are:
DO_address, the account address of the data owner.
dataList, the resource access list maintained by the data owner.
DU_address, the account address of the data user.
The output of the algorithm is:
revokeStatus, the result state of the authorization credential revocation operation.
The algorithm flow is:
B1, set revokeStatus to false, indicating that the revocation operation has not yet succeeded.
B2, check the data owner's identity: verify whether the data owner (DO_address) has joined the blockchain network (ACC). If not, revokeStatus remains false.
B3, look up the authorization credential: search the data owner's resource access list (dataList) for the authorization credential (ac) associated with the data user (DU_address).
B4, modify the credential state: set the status of the found authorization credential (ac) to false, i.e. mark it invalid.
B5, broadcast the updated authorization credential (ac) to the whole blockchain network (ACC).
B6, update the revocation status: if the broadcast succeeds, set revokeStatus to true, indicating that the authorization credential was revoked successfully. If the broadcast fails, revokeStatus remains false.
B7, return the result: return revokeStatus.
The algorithm manages data access rights dynamically by modifying the authorization credential's state on the blockchain and broadcasting the modification to the whole network. The data owner can therefore revoke previously granted access rights at any time, which increases the flexibility and security of data management, and the blockchain makes the revocation operation tamper-evident and transparent.
In a second aspect, the present application proposes a blockchain-based data access control method for a data user terminal; fig. 3 is a schematic flow chart of this method, which comprises:
S210, querying target data through a data authorization credential chain and sending a first data access request to the data owner terminal to obtain a data authorization credential generated by the data owner terminal;
Illustratively, as in step (4) of fig. 2, the data user DU queries the data authorization credential chain ACC for data that meets its needs, initiates the use application dataRequest and broadcasts the request to the data owner DO through the blockchain. The request comprises the data user's account address DU_address, the requested data name dataName, the user's public key PK_DU, the start time startTime, the end time endTime and similar fields. Symbolically: DU → ACC: {dataRequest: {DU_address, dataName, startTime, endTime, PK_DU}}.
The data authorization credential generated by the data owner is shown in step (5) of fig. 2.
S220, once the data authorization credential is received, initiating a second access request to the IPFS.
Illustratively, as in step (6) of fig. 2, after receiving the broadcast, the data user DU obtains the corresponding authorization credential AC through the data authorization credential chain ACC, verifies the credential signature sign with the data owner's public key PK_DO and, once verification passes, initiates a data access request to the IPFS. Symbolically: ACC → DU: {AC: {ID, dataName, digital, DO_address, DU_address, PK_DO, status, SK, sign}}.
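The revocation algorithm B1 to B7 and the IPFS-side handling of the second access request described in the third aspect (verify the requester's address, ask the chain about the presented credential ID, then decide whether to serve the encrypted data), as one added Go example that is not the patent's code. The chain is modelled in memory, the credential carries only the fields the decision needs, and the IDs, addresses, fingerprint and time values are constructed. Signature verification of the credential is assumed to have happened when it was broadcast.

```go
package main

import "fmt"

// Credential is the subset of the authorization credential AC that the chain needs
// to answer a verification request: who may fetch which data, when, and whether
// the owner has since revoked it.
type Credential struct {
	ID, DOAddress, DUAddress, Digital string
	StartTime, EndTime                int64
	Status                            bool // true = valid, false = invalid (revoked)
}

// ACC models the data authorization credential chain in memory: joined addresses,
// broadcast credentials keyed by ID, and each owner's dataList of issued IDs.
type ACC struct {
	Joined      map[string]bool
	Credentials map[string]*Credential
	DataList    map[string][]string
}

func NewACC(members ...string) *ACC {
	c := &ACC{map[string]bool{}, map[string]*Credential{}, map[string][]string{}}
	for _, m := range members {
		c.Joined[m] = true
	}
	return c
}

// Broadcast is the uplink of a new or re-uploaded credential. It fails for a sender
// that has not joined the chain, which is the failure B6 has to account for.
func (c *ACC) Broadcast(sender string, ac *Credential) bool {
	if !c.Joined[sender] {
		return false
	}
	stored := *ac
	c.Credentials[ac.ID] = &stored
	return true
}

// Issue is the owner's A5 broadcast of a freshly generated credential plus the
// bookkeeping that lets Revoke find it later.
func Issue(chain *ACC, ac *Credential) bool {
	if !chain.Broadcast(ac.DOAddress, ac) {
		return false
	}
	chain.DataList[ac.DOAddress] = append(chain.DataList[ac.DOAddress], ac.ID)
	return true
}

// Revoke follows B1-B7 and returns revokeStatus.
func Revoke(chain *ACC, doAddress, duAddress string) bool {
	if !chain.Joined[doAddress] { // B2: only a chain member can revoke
		return false
	}
	for _, id := range chain.DataList[doAddress] { // B3: search the owner's dataList
		ac := chain.Credentials[id]
		if ac == nil || ac.DUAddress != duAddress || !ac.Status {
			continue
		}
		updated := *ac
		updated.Status = false                       // B4: mark invalid
		return chain.Broadcast(doAddress, &updated) // B5, B6: re-upload; true only if it lands
	}
	return false // B1 default: nothing to revoke
}

// VerifyAccess is the decision IPFS makes on a second access request, using the
// credential ID the requester presents: the requester must be the DU named in the
// credential, the credential must cover the requested object and be valid, and the
// request must fall inside the authorized window.
func VerifyAccess(chain *ACC, credID, requester, digital string, now int64) (bool, string) {
	ac := chain.Credentials[credID]
	switch {
	case ac == nil:
		return false, "unknown credential"
	case ac.DUAddress != requester:
		return false, "address mismatch"
	case ac.Digital != digital:
		return false, "credential is for other data"
	case !ac.Status:
		return false, "credential revoked"
	case now < ac.StartTime || now > ac.EndTime:
		return false, "outside authorized window"
	}
	return true, "ok"
}

func main() {
	chain := NewACC("0xdo", "0xdu") // constructed addresses, IDs, fingerprint and times
	Issue(chain, &Credential{"ac-1", "0xdo", "0xdu", "fp-0042", 100, 200, true})
	fmt.Println(VerifyAccess(chain, "ac-1", "0xdu", "fp-0042", 150))
	fmt.Println(VerifyAccess(chain, "ac-1", "0xmallory", "fp-0042", 150))
	fmt.Println("revoked:", Revoke(chain, "0xdo", "0xdu"))
	fmt.Println(VerifyAccess(chain, "ac-1", "0xdu", "fp-0042", 150))
}
```

Note what the status flag does and does not do: it stops the storage side from serving the ciphertext to a revoked user, but a user who already fetched the encrypted object and the wrapped key while the credential was valid can still decrypt that copy. Revoking a grant that has already been exercised requires re-encrypting the data under a new key and registering the new fingerprint, not only flipping status.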
In summary, the blockchain-based data access control method for the data user terminal provided by the embodiments of the application strengthens data security and user privacy through asymmetric encryption and blockchain technology. It reduces dependence on a centralized authorization system and the risk of a single point of failure. The data owner can manage more effectively who can access its data and under what conditions. All authorization operations and data requests are recorded on the blockchain, which increases the transparency and traceability of the whole process, and the data access process becomes more direct and user-friendly for the data user. By combining the tamper-evident, transparent and secure properties of blockchain technology, an efficient and secure data access control scheme is provided for the data user.
In a third aspect, the present application proposes a blockchain-based data access control method for an interstellar file storage system, and fig. 4 is a schematic flow chart of another blockchain-based data access control method according to an embodiment of the present application, where the method includes:
S310, under the condition that encrypted target data sent by a data possession terminal is received, performing block and hash calculation operations on the encrypted target data to generate fingerprint information corresponding to the target data;
Illustratively, the IPFS system receives the encrypted target data from the data owner, splits the data into chunks, and performs a hash operation on each chunk to generate a unique identifier, or "fingerprint", that represents the uniqueness and integrity of the original data. The fingerprint created in this step can be used to verify the integrity and authenticity of the data and makes any tampering with the data detectable.
S320, the fingerprint information is sent to the data possession terminal, so that the data possession terminal initiates a registration request of the target data to a data authorization credential chain, and a data use terminal with authorization inquires the target data.
Illustratively, the IPFS sends the generated fingerprint information back to the data owner. The data owner uses this fingerprint information to initiate a registration request for the target data with the data authorization credential chain. This completes the validation of the data because the registration information on the chain contains the user account address and the owner's data fingerprint information. Once the data is registered on the chain, the authorized data user terminal can inquire the target data, so that the efficiency and the safety of data retrieval are improved.
In summary, the blockchain-based data access control method for the interstellar file storage system provided by the embodiment of the application strengthens the security of data by ensuring its integrity and authenticity. The generated data fingerprint provides a powerful tool for data verification. The decentralized nature of IPFS reduces the risk of data loss and tampering. Each access to and change of the data can be recorded on the blockchain, improving the transparency and traceability of the whole data life cycle. By registering the data fingerprint on the blockchain, the retrieval and access processes are simplified and the overall data processing efficiency is improved.
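The chunk-and-hash step of S310 and the fingerprint check a data user can run on retrieved ciphertext, as an added Go example that is not part of the patent; the fixed-size chunker, the SHA-256 Merkle fold, the function names and the sample bytes are assumptions and do not reproduce IPFS's real chunker or CID format.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// chunkHashes splits the ciphertext into fixed-size chunks and hashes each one.
// An empty blob still yields one leaf so every input has a defined fingerprint.
func chunkHashes(data []byte, size int) [][]byte {
	var leaves [][]byte
	for start := 0; start < len(data); start += size {
		end := start + size
		if end > len(data) {
			end = len(data)
		}
		h := sha256.Sum256(data[start:end])
		leaves = append(leaves, h[:])
	}
	if len(leaves) == 0 {
		h := sha256.Sum256(nil)
		leaves = append(leaves, h[:])
	}
	return leaves
}

// merkleRoot folds the chunk hashes pairwise into a single root hash; an odd
// trailing node is carried up unchanged. A single leaf is its own root.
func merkleRoot(leaves [][]byte) []byte {
	level := leaves
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) {
				next = append(next, level[i])
				continue
			}
			pair := append(append([]byte{}, level[i]...), level[i+1]...)
			h := sha256.Sum256(pair)
			next = append(next, h[:])
		}
		level = next
	}
	return level[0]
}

// Fingerprint is the hex "digital" value IPFS returns to the DO in S320 and the
// DO registers on the credential chain; it is computed over ciphertext only, so
// the storage system never needs the plaintext.
func Fingerprint(encrypted []byte, chunkSize int) string {
	return hex.EncodeToString(merkleRoot(chunkHashes(encrypted, chunkSize)))
}

// VerifyFingerprint lets a DU recompute the fingerprint of retrieved ciphertext
// and compare it, in constant time, with the value registered on the chain.
func VerifyFingerprint(encrypted []byte, chunkSize int, registered string) bool {
	got := []byte(Fingerprint(encrypted, chunkSize))
	return subtle.ConstantTimeCompare(got, []byte(registered)) == 1
}

func main() {
	// Constructed sample standing in for the ciphertext the DO uploads in S310;
	// a 16-byte chunk size is used only so the sample spans several chunks.
	encrypted := []byte("constructed ciphertext bytes, long enough to span several chunks")
	digital := Fingerprint(encrypted, 16)
	fmt.Println("digital:", digital)
	tampered := append([]byte{}, encrypted...)
	tampered[20] ^= 0x01 // flip one bit in the second chunk
	fmt.Println("intact verifies:  ", VerifyFingerprint(encrypted, 16, digital))
	fmt.Println("tampered verifies:", VerifyFingerprint(tampered, 16, digital))
}
```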
In some examples, the above method further comprises:
under the condition that a second access request sent by a data using end is received, verifying the address information of the data using end, and initiating a verification request to an authorization credential chain by using a credential ID to obtain a verification result;
and controlling whether to provide the encrypted target data to the data using end based on the verification result.
Illustratively, as in step (7) of fig. 2: after the data user DU obtains the authorization credential AC, it can construct the URL address for accessing the IPFS from the data fingerprint information digital and initiate a data access request Access request to the IPFS using the credential use algorithm, where the URL address uniquely corresponds to the data to be used. This step can be expressed symbolically as: DU→IPFS: {Access request: {AC, DU_address}}.
The above algorithm describes an authorization credential usage process, which is the step that a data consumer uses to request and access data in a blockchain-based data access control system:
The input information is:
DU_address, the account address of the data user.
SK_DU, the private key of the data user.
PK_DO, the public key of the data owner.
The output information is:
applyStatus, the status of the request for the resource carrying the credential, indicating whether the request succeeded.
The algorithm flow is as follows:
C1, initialization: applyStatus is initially set to false, indicating that the operation of requesting the resource has not yet succeeded.
C2, checking the identity of the data user: verify whether the data user (DU_address) has joined the blockchain network (ACC). If not, applyStatus remains false.
C3, obtaining the authorization credential: if the data user is an on-chain user, obtain the corresponding authorization credential (AC) from the blockchain using its account address (DU_address).
C4, verifying the credential signature: use the public key (PK_DO) of the data owner to verify the signature (AC.sign) of the authorization credential (AC). If signature verification fails, applyStatus remains false.
C5, constructing the access URL and requesting the resource: if signature verification succeeds, construct the URL for accessing the data from the data fingerprint (digital) in the authorization credential, and initiate an access request to the IPFS carrying the authorization credential and related information. If the request succeeds, applyStatus is set to true.
C6, returning the result: return applyStatus, which indicates whether the operation of requesting the resource succeeded.
The legitimacy and security of data access are ensured by verifying the signature of the authorization credential. It allows a data user to verify his own access rights on the blockchain network and, after rights validation, securely access the data stored on the IPFS through the constructed URL. The whole process increases the security of data access while maintaining the transparency and traceability of the operation. In this way, the access control of the data is reliable and efficient, and is suitable for application scenes in which the privacy and security of the data need to be protected.
Step (8) as in fig. 2: the IPFS storage server first verifies whether the address of the data user is consistent with that in the AC, then uses the credential verification algorithm with the credential ID to initiate a verification request to the data authorization credential chain ACC, and obtains the on-chain verification result verifyResult. This step can be expressed symbolically as: ACC→IPFS: {verifyResult}.
The above algorithm describes an authorization credential verification process for verifying whether an access request of a data user is legitimate in a blockchain-based data access control system.
The input information is:
DU_address, the account address of the data user.
AC, the authorization credential.
SK_DO, the private key of the data owner.
Access request, the data request information containing the authorization credential and the data user address.
The output information is:
checkStatus, the authorization credential verification result, indicating whether the verification passed.
The algorithm flow is as follows:
D1, initialization: checkStatus is initially set to false, indicating that the authorization credential has not yet been verified.
D2, checking account address consistency: verify whether the data user address in the data request message (Access request.DU_address) is consistent with the provided data user address (DU_address). If the addresses are not consistent, checkStatus remains false.
D3, querying the on-chain authorization credential information: query the corresponding on-chain credential information (temp) in the blockchain network (ACC) using the ID (AC.ID) of the authorization credential.
D4, verifying the authenticity and validity of the credential: check whether the provided authorization credential (AC) matches the on-chain credential information (temp), check the validity period (endTime) and status (status) of the authorization credential, and verify the authorization credential signature (AC.sign) using the public key (PK_DO) of the data owner.
D5, updating the verification result: if all checks pass, set checkStatus to true to indicate that the authorization credential is valid. If any check fails, checkStatus remains false.
D6, returning the result: return checkStatus.
The algorithm ensures the authenticity and validity of the authorization credential through multiple checks. It involves verification of account addresses, inquiry of on-chain credential information, checking of validity period and status, and verification of signatures. The method improves the security of the data access request, and ensures that only legal and authorized requests can access the target data. Through the blockchain technology, the process not only enhances the data security, but also improves the transparency and traceability of the operation.
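The credential use algorithm C1-C6 and the verification algorithm D1-D6 above, together with the revocation of claim 3 (the owner marks the credential invalid and re-uploads it), as one added Go example that is not part of the patent; Ed25519 as the signature scheme, the field encoding, the in-memory ACC stand-in and all names, addresses and sample values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// AC mirrors the authorization credential fields listed in step (6). The field
// names and the Status/EndTime encodings are assumptions, not the patent's.
type AC struct {
	ID, DataName, Digital, DOAddress, DUAddress string
	PKDO    ed25519.PublicKey
	Status  string // "valid", or "invalid" once the DO revokes it (claim 3)
	EndTime int64  // Unix seconds, taken over from the dataRequest
	SK      []byte // key material wrapped for the DU; opaque to this logic
	Sign    []byte // DO's signature over all of the fields above
}

// signedBytes is the canonical encoding the DO signs and both sides verify.
func (ac AC) signedBytes() []byte {
	return []byte(strings.Join([]string{ac.ID, ac.DataName, ac.Digital, ac.DOAddress,
		ac.DUAddress, hex.EncodeToString(ac.PKDO), ac.Status, fmt.Sprint(ac.EndTime),
		hex.EncodeToString(ac.SK)}, "|"))
}

type AccessRequest struct{ AC AC; DUAddress string } // the DU's step (7) message

// ACC is an in-memory stand-in for the data authorization credential chain.
type ACC struct {
	Members map[string]bool // addresses that have joined the network
	ByID    map[string]AC   // on-chain credentials keyed by AC.ID
	ByDU    map[string]AC   // latest credential granted to each DU address
}

// Store is the DO's upload of step (5), repeated on revocation.
func (c *ACC) Store(ac AC) { c.ByID[ac.ID] = ac; c.ByDU[ac.DUAddress] = ac }

// IssueCredential signs the credential with the DO's private key SK_DO.
func IssueCredential(ac AC, skDO ed25519.PrivateKey) AC {
	ac.Sign = ed25519.Sign(skDO, ac.signedBytes())
	return ac
}

// UseCredential implements C1-C6 on the data user side; requestIPFS stands in
// for the network call to the storage server so the flow runs offline.
func UseCredential(chain *ACC, duAddress string, requestIPFS func(AccessRequest, string) bool) bool {
	if !chain.Members[duAddress] { // C2: DU must be an on-chain user
		return false
	}
	ac, ok := chain.ByDU[duAddress] // C3: fetch the AC by account address
	if !ok || !ed25519.Verify(ac.PKDO, ac.signedBytes(), ac.Sign) { // C4
		return false
	}
	url := "ipfs://" + ac.Digital // C5: URL derived from the data fingerprint
	return requestIPFS(AccessRequest{AC: ac, DUAddress: duAddress}, url) // C6
}

// VerifyCredential implements D1-D6 on the IPFS storage server side.
func VerifyCredential(chain *ACC, req AccessRequest, duAddress string, now int64) bool {
	if req.DUAddress != duAddress { // D2: address consistency
		return false
	}
	temp, ok := chain.ByID[req.AC.ID] // D3: fetch the on-chain copy by AC.ID
	if !ok || !bytes.Equal(temp.signedBytes(), req.AC.signedBytes()) { // D4: match
		return false
	}
	if temp.Status != "valid" || now > temp.EndTime { // D4: status and validity
		return false
	}
	// D4/D5: signature checked with the DO key recorded on chain, not the caller's copy.
	return ed25519.Verify(temp.PKDO, temp.signedBytes(), req.AC.Sign)
}

// Demo runs grant, use, verification and revocation on constructed sample data
// and returns applyStatus before revocation and checkStatus after it.
func Demo() (applyStatus, afterRevoke bool) {
	pkDO, skDO, _ := ed25519.GenerateKey(rand.Reader)
	chain := &ACC{Members: map[string]bool{"0xDU01": true}, ByID: map[string]AC{}, ByDU: map[string]AC{}}
	now := int64(1_700_000_000) // constructed "current time" in Unix seconds
	granted := IssueCredential(AC{ID: "ac-001", DataName: "sensor.csv", Digital: "fp-constructed",
		DOAddress: "0xDO01", DUAddress: "0xDU01", PKDO: pkDO, Status: "valid",
		EndTime: now + 3600, SK: []byte("wrapped-sk-placeholder")}, skDO)
	chain.Store(granted)
	ipfs := func(req AccessRequest, _ string) bool { return VerifyCredential(chain, req, "0xDU01", now) }
	applyStatus = UseCredential(chain, "0xDU01", ipfs)
	stale := AccessRequest{AC: granted, DUAddress: "0xDU01"} // the DU keeps its copy
	granted.Status = "invalid"                                // claim 3: DO marks it invalid
	chain.Store(IssueCredential(granted, skDO))              // and re-uploads it
	return applyStatus, ipfs(stale, "")
}

func main() {
	ok, revoked := Demo()
	fmt.Println("applyStatus before revocation:", ok, "| checkStatus with stale AC after:", revoked)
}
```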
Step (9) as in fig. 2: the IPFS storage server responds to the data user according to verifyResult. If verifyResult is true, the encrypted original data is provided to the data user; otherwise, the data user is prompted that it has no authority to access the data. After obtaining the original data, the data user decrypts SK with its private key SK_DU to obtain the private key SK_DO of the data owner, and then decrypts the original data with SK_DO. This step can be expressed symbolically as: IPFS→DU: {{data}PK_DO, {SK}SK_DU, {{data}PK_DO}SK_DO}.
In summary, the embodiment of the application has introduced the blockchain-based data access control method from the perspectives of the data possession terminal, the data use terminal and the interstellar file storage system; the specific implementation process is shown in steps (1) to (9) of fig. 2. The constructed data authorization credential chain helps to ensure the integrity and tamper resistance of the data. Because the authorization information and transaction records are anchored to the blockchain, any tampering with or malicious attack on the data becomes extremely difficult, which improves the trustworthiness of the data. The data authorization credential chain eliminates centralized data storage: control of data authorization no longer depends on a single entity but is maintained by multiple nodes of the blockchain network. This decentralized control reduces the risk of a single point of attack and provides a higher level of security. By establishing a chain of trusted data authorization credentials, the circulation and sharing of data become more trustworthy, because the data owner and the data user can rely on this chain to verify the origin and authorization of the data. This increases confidence in the data exchange and helps to promote lawful sharing of data.
Based on the blockchain credential technology, on the one hand the binding of the data owner to the owned data is realized, that is, the on-chain validation of the data, and on the other hand the whole life cycle of data authorization is covered through the functions of credential grant, credential use, credential verification and credential revocation, so that the data owner's authorization of the data is autonomous and controllable. The on-chain validation of data by the data owner is achieved through blockchain credentials: the data owner can establish a tamper-proof binding to the data on the blockchain, ensuring ownership and control of the data. Credential grant, credential use, credential verification and credential revocation together cover the entire life cycle of data authorization, so the authorization of the data remains controllable and the data owner can revoke or update it at any time as required. The data owner thus holds autonomous and controllable authorization rights over the data and can decide to grant, modify or revoke access rights at any time, safeguarding the security and privacy of the data.
Referring to fig. 5, an embodiment of a blockchain-based data access control device for a data owner in an embodiment of the present application may include:
A first transmitting unit 21, configured to encrypt target data based on an asymmetric key algorithm, and transmit the encrypted target data to an interstellar file storage system, so that the interstellar file storage system performs a block and hash calculation operation based on the encrypted target data to generate fingerprint information corresponding to the target data;
the first initiating unit 22 is configured to initiate a registration request of the target data to a data authorization credential chain when the fingerprint information is received, so that a data consumer having authorization queries the target data.
Referring to fig. 6, an embodiment of the present application proposes a blockchain-based data access control device for a data consumer, including:
a second sending unit 31, configured to query target data through a data authorization credential chain, and send a first data access request to a data owner to obtain a data authorization credential generated by the data owner;
the second initiating unit 32 initiates a second access request to the interstellar file system when receiving the data authorization credential.
As shown in fig. 7, the embodiment of the present application further provides an electronic device 300, including a memory 310, a processor 320, and a computer program 311 stored on the memory 310 and executable on the processor, where the processor 320 implements any of the steps of the above-described blockchain-based data access control method when executing the computer program 311.
Since the electronic device described in this embodiment is a device for implementing the blockchain-based data access control apparatus of this embodiment, those skilled in the art can understand, based on the method described in this embodiment, the specific implementation of the electronic device and its various modifications. How the method of this embodiment is implemented in this electronic device is therefore not described in detail here; any device used by those skilled in the art to implement the method of this embodiment falls within the scope of protection intended by this application.
In a specific implementation, the computer program 311 may implement any of the embodiments corresponding to fig. 1 when executed by a processor.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Embodiments also provide a computer program product comprising computer software instructions that, when run on a processing device, cause the processing device to perform the flow of blockchain-based data access control in the corresponding embodiments.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. Computer readable storage media can be any available media that can be stored by a computer, or data storage devices such as servers and data centers that contain an integration of one or more available media. Usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., Solid State Disks (SSDs)), among others.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A blockchain-based data access control method for a data owner, comprising:
encrypting target data based on an asymmetric key algorithm, and sending the encrypted target data to an interstellar file storage system, so that the interstellar file storage system performs block and hash calculation operations based on the encrypted target data to generate fingerprint information corresponding to the target data;
and under the condition that the fingerprint information is received, initiating a registration request of the target data to a data authorization credential chain so that a data user terminal with authorization queries the target data.
2. The blockchain-based data access control method of claim 1, further comprising:
Under the condition that a data access request transmitted by a data using end through the data authorization credential chain is received, generating a data authorization credential through an authorization credential generation algorithm, storing the data authorization credential in the data authorization credential chain, and carrying out broadcasting operation to the data using end.
3. The blockchain-based data access control method of claim 1, further comprising:
and the data access authority of the data use terminal is revoked by modifying the attribute of the data authorization credential to be invalid and uploading the modified data authorization credential to the data authorization credential chain again.
4. A data access control method based on a blockchain, which is used for a data user terminal, and is characterized by comprising the following steps:
inquiring target data through a data authorization credential chain, and sending a first data access request to a data owner via the data authorization credential chain so as to acquire a data authorization credential generated by the data owner;
and under the condition that the data authorization credential is received, initiating a second access request to the interstellar file system.
5. A blockchain-based data access control method for an interstellar file storage system, comprising:
Under the condition that encrypted target data sent by a data possession terminal is received, performing block and hash calculation operations on the encrypted target data to generate fingerprint information corresponding to the target data;
and sending the fingerprint information to the data possession terminal so that the data possession terminal initiates a registration request of the target data to a data authorization credential chain, and a data use terminal with authorization inquires the target data.
6. The blockchain-based data access control method of claim 5, further comprising:
under the condition that a second access request sent by a data using end is received, verifying address information of the data using end, and initiating a verification request to an authorization credential chain by using a credential ID to obtain a verification result;
and controlling whether to provide the encrypted target data for the data using end based on the verification result.
7. A blockchain-based data access control device for a data owner, comprising:
the first sending unit is used for encrypting the target data based on an asymmetric key algorithm and sending the encrypted target data to an interstellar file storage system so that the interstellar file storage system performs block and hash calculation operation based on the encrypted target data to generate fingerprint information corresponding to the target data;
And the first initiating unit is used for initiating a registration request of the target data to a data authorization credential chain under the condition that the fingerprint information is received, so that the authorized data using end queries the target data.
8. A blockchain-based data access control device for a data consumer, comprising:
the second sending unit is used for inquiring target data through a data authorization credential chain and sending a first data access request to a data possession terminal to obtain a data authorization credential generated by the data possession terminal;
and the second initiating unit initiates a second access request to the interstellar file system under the condition that the data authorization credential is received.
9. An electronic device, comprising: memory and processor, wherein the processor is configured to implement the steps of the blockchain-based data access control method as recited in any of claims 1-6 when executing a computer program stored in the memory.
10. A computer-readable storage medium having stored thereon a computer program, characterized by: the computer program, when executed by a processor, implements the blockchain-based data access control method of any of claims 1-6.
CN202311633560.6A 2023-11-30 2023-11-30 Block chain-based data access control method and related equipment Pending CN117454445A (en)


Publications (1)

Publication Number Publication Date
CN117454445A true CN117454445A (en) 2024-01-26

Family

ID=89596891



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination