CN118041513A - Agricultural product supply chain-based data access control method and apparatus - Google Patents
Agricultural product supply chain-based data access control method and apparatus Download PDFInfo
- Publication number
- CN118041513A CN118041513A CN202410446238.0A CN202410446238A CN118041513A CN 118041513 A CN118041513 A CN 118041513A CN 202410446238 A CN202410446238 A CN 202410446238A CN 118041513 A CN118041513 A CN 118041513A
- Authority
- CN
- China
- Prior art keywords
- data
- access control
- attribute
- key
- token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 69
- 238000012795 verification Methods 0.000 claims description 23
- 238000004590 computer program Methods 0.000 claims description 17
- 230000001105 regulatory effect Effects 0.000 claims description 17
- 238000003860 storage Methods 0.000 claims description 13
- 230000001276 controlling effect Effects 0.000 claims description 10
- 238000011217 control strategy Methods 0.000 description 10
- 230000008569 process Effects 0.000 description 10
- 238000007726 management method Methods 0.000 description 8
- 230000008520 organization Effects 0.000 description 7
- 238000004891 communication Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000012384 transportation and delivery Methods 0.000 description 2
- 238000011144 upstream manufacturing Methods 0.000 description 2
- 101100203322 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) SKS1 gene Proteins 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000010921 in-depth analysis Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a data access control method and device based on an agricultural product supply chain, and relates to the technical field of block chains, wherein the method comprises the following steps: acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information; performing ABAC based on trapdoor information, searchable ciphertext, authentication tokens, and attribute keys of the data requesters; in the case of determining that the data access request of the data requester is allowed, returning the requested data ciphertext to the data requester; trapdoor information is generated based on the first key and the ABSE encrypted first access control policy, the query token, the search token, the private key used to create trapdoor information, and the private attribute key; the searchable ciphertext is generated based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token. The invention combines ABSE with ABAC, and effectively solves the problems of data security and sharing in agricultural product supply chains.
Description
Technical Field
The invention relates to the technical field of blockchain, in particular to a data access control method and device based on an agricultural product supply chain.
Background
With the increasing variety of agricultural products in the market and the increasing consumer interest in the agricultural product supply chain, the data security and management of the agricultural product supply chain faces more complex and huge challenges.
For the data management problem of agricultural product supply chains, a common solution is to introduce blockchain technology and attribute-based access control (Attribute Based Access control, ABAC). Attributes and access control policies in ABAC are typically stored in plaintext on the blockchain, and corresponding resource data may be obtained by requesters that satisfy the access control policies. However, due to the transparent property of the blockchain, storing the attribute and the access policy directly on the blockchain can cause private data disclosure.
Therefore, it is necessary to provide a data access control method based on an agricultural product supply chain, so as to improve the security and privacy of data access control and effectively solve the problems of data security and sharing in the agricultural product supply chain.
Disclosure of Invention
The invention provides a data access control method and device based on an agricultural product supply chain, which are used for solving the defects of low data security and easiness in exposing privacy in the prior art, improving the security and privacy of data access control and effectively solving the problems of data security and sharing in the agricultural product supply chain.
The invention provides a data access control method based on an agricultural product supply chain, which is applied to a supervision organization and comprises the following steps:
acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information;
Performing attribute-based access control based on trapdoor information, a searchable ciphertext, a verification token, and an attribute key of the data requester;
Returning a requested data ciphertext to the data requester if it is determined that the data access request of the data requester is allowed;
Wherein the trapdoor information is generated by the data requester based on a first key and ABSE encrypted first access control policies, query tokens, search tokens, private keys and private attribute keys used to create the trapdoor information; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token;
The first key and the first access control policy are determined by the data requestor based on the requested data; the second key, the second access control policy, is determined by the data owner based on the shared data.
In some embodiments, the attribute-based access control based on trapdoor information, searchable ciphertext, authentication token, and the attribute key of the data requester comprises:
Authenticating the data requester based on the authentication token and the attribute key of the data requester;
after verification is passed, comparing the trapdoor information with the searchable ciphertext based on a policy ciphertext management intelligent contract;
in the event of a match, determining that the data access request of the data requester is allowed.
In some embodiments, the method further comprises:
In the event that it is determined that the data access request of the data requester is not allowed, a penalty policy of the data requester is determined based on a policy penalty smart contract.
In some embodiments, the method further comprises:
Receiving the second access control policy sent by the data owner;
generating the index token based on the second access control policy and the attribute public key list;
And sending the index token to the data owner.
In some embodiments, the method further comprises:
the authentication token is created based on the second access control policy.
In some embodiments, the method further comprises:
receiving the first access control policy sent by the data requester;
generating the query token based on the first access control policy, the authentication token, the attribute key of the data requester, and the attribute public key list;
Generating the search token based on the first access control policy and the attribute public key list;
and sending the query token and the search token to the data requester.
In some embodiments, the method further comprises:
each party participating in the agricultural product supply chain is registered and authenticated based on the Kerberos service.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the agricultural product supply chain-based data access control method as described in any one of the above when executing the computer program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of controlling data access based on an agricultural product supply chain as described in any of the above.
The present invention also provides a computer program product comprising a computer program which when executed by a processor implements a method of controlling data access based on an agricultural product supply chain as described in any one of the above.
According to the data access control method and device based on the agricultural product supply chain, the searchable encryption based on the attribute is combined with the access control based on the attribute, so that the data sharing is efficiently completed while the privacy of the data is ensured, the safety and privacy of the data access control are improved, and the problems of data safety and sharing in the agricultural product supply chain are effectively solved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data uplink flow provided by the present invention;
FIG. 2 is a schematic flow chart of a method for controlling data access based on an agricultural product supply chain according to the present invention;
FIG. 3 is a second flow chart of a method for controlling data access based on an agricultural product supply chain according to the present invention;
FIG. 4 is a schematic diagram of a searchable encryption flow based on attributes provided by the present invention;
fig. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. The embodiments of the present invention and the features in the embodiments may be combined with each other without collision. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The agricultural product supply chain comprises five links of production, processing, storage, transportation and sales, and in each link, terminal equipment (such as various sensors) is used for acquiring source data, and an edge node uploads the data acquired by the terminal equipment to a blockchain. Because the edge node needs to have certain computing and storage capacity, the edge node is generally served as the edge node by an edge server, a base station, a gateway and the like, but because the storage and the computing capacity of the edge node are inconsistent, the storage of the edge node is prevented from being quickly filled with a large amount of data of the internet of things, the edge node is added into the blockchain in the identity of a light node so as to effectively process the data, and the blockchain is built at the cloud.
In an integrated agricultural product supply chain, in order to ensure the authenticity of data of an upstream enterprise and a downstream enterprise and the privacy security of the enterprise, the data are divided into public data and privacy data with different grades according to the privacy level of the data.
For example, data is divided into public data, primary privacy data, and secondary privacy data. The public data is data which is directly uploaded to the blockchain and can be checked by all people, and is mainly targeted to consumer tracing. The primary privacy data is data which is shared under the cooperation of the upstream and downstream of a supply chain and the government supervision, has certain commercial value but does not relate to the core privacy of the link, and mainly comprises data such as the number of products, the time of factory entry and exit, the source of the products, the destination of the products, the temperature and humidity and the like at the stage. The second-level privacy data relates to secret information of the link, only government regulators can check the secret information, and the data relates to cost price, personnel information and the like of enterprises and belongs to business confidentiality.
On the basis of in-depth analysis of the characteristics of the agricultural product supply chain, an agricultural product supply chain traceability model under an edge computing scene is designed, and compared with a Proof of Work (PoW) and Proof of interest (PoS) consensus mechanism, the agricultural product supply chain traceability model under the edge computing scene can improve throughput and reduce system delay and is more suitable for the edge computing scene.
Fig. 1 is a schematic flow chart of data uplink provided by the present invention, as shown in fig. 1, a terminal layer interacts with an edge layer through P2P network transmission, and the edge layer interacts with a blockchain layer through P2P network transmission.
At the terminal layer, terminal equipment (such as various sensors) acquires source data, divides the source data into public data and privacy data of different grades, and transmits hash values of the public data and the privacy data to an edge server. Because the private data volume is larger, the hash value of the private data is stored in the blockchain, so that on one hand, the storage space can be saved, and on the other hand, the security of the private data is improved.
At the edge layer, an edge node (edge server) as a light node uploads hash values of public data and private data transmitted by the terminal device to the blockchain.
At the blockchain layer, public data transmitted on the blockchain is plaintext, and the transmitted private data is a corresponding hash value.
In addition, the terminal device encrypts the privacy data with different hash functions. For example, the public data does not need encryption or hash processing. Because the primary privacy data occupies huge data memory, the data is subjected to hash calculation through the SHA2-256 hash function, and the hash value is subjected to data transmission. The secondary privacy data needs extremely high privacy, and then the SHA3 hash function hashes the privacy data.
Fig. 2 is a schematic flow chart of a data access control method based on an agricultural product supply chain, and as shown in fig. 2, the invention provides a data access control method based on an agricultural product supply chain, which is applied to a supervision organization and comprises the following steps:
Step 210, obtaining a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information; trapdoor information is generated by a data requester based on a first key and ABSE encrypted first access control policies, a query token, a search token, a private key for creating trapdoor information, and a private attribute key; the first key and the first access control policy are determined by the data requester based on the requested data.
Step 220, performing attribute-based access control based on trapdoor information, searchable ciphertext, authentication token, and an attribute key of the data requester; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token; the second key, the second access control policy, is determined by the data owner based on the shared data.
In step 230, in the event that a determination is made to allow the data access request of the data requester, the requested data ciphertext is returned to the data requester.
Specifically, the data requester determines a first key and a first access control policy based on the requested data, the first access control policy being encrypted via Attribute-based searchable encryption (Attribute-Based Searchable Encryption, ABSE). The access control policy specifies the corresponding resources that the user can access according to their unique attributes.
ABSE is a method that allows a user to perform a search operation on an encrypted data set without decrypting the data. ABSE can realize the search of the encrypted data according to the attribute of the user and the search keyword, thereby realizing the safe search of the encrypted data. ABSE is to combine attribute-based encryption with searchable encryption to enable secure searching of encrypted data. By encrypting the access control strategy by ABSE, the access control strategy can be ensured to be displayed in the form of ciphertext, and the encrypted access control strategy can be searched.
The data requester generates trapdoor information based on the first key and the first access control policy, the query token, the search token, a private key for creating trapdoor information, and a private attribute key. The expression for generating trapdoor information is as follows:
Wherein, Representing the first keyword,/>Representing a first access control policy,/>Representing user/>Is a query token of/>Representing a search token for creating trapdoor information,/>Representing user/>For creating a private key for the trapdoor,Representing user/>Private attribute key of/>,/>Representing user/>(1 /)Private attribute public key, superscript/>Representing user/>Total number of private attribute public keys,/>Representing trapdoor information.
The data requester sends a data access request to the edge node, the data access request carries trapdoor information, and the edge node converts the data access request into a data access request in XACML format and sends the data access request to the regulatory agency.
The data owner determines a second key, a second access control policy, based on the shared data, the second access control policy being ABSE encrypted.
The data owner generates a searchable ciphertext based on the second key, the second access control policy, the data ciphertext, and the index token. The data owner communicates the generated searchable ciphertext to the regulatory agency via the edge node. The process of generating the searchable ciphertext is as follows:
Wherein, Representing the second keyword,/>Representing a second access control policy,/>Representing data ciphertext,/>Representing index tokens,/>Representing a searchable ciphertext.
The regulatory agency performs Attribute-based access control (ABAC) based on trapdoor information, searchable ciphertext, authentication tokens, and Attribute keys of the data requesters to determine whether to allow the data access requests of the data requesters.
The policy decision intelligent contract is responsible for managing the decision process of access control, returns a requested data ciphertext to the data requester in the case of determining that the data access request of the data requester is allowed, and returns 0 (null information) to the data requester in the case of determining that the data access request of the data requester is not allowed. The expression is as follows:
Wherein, Representing searchable ciphertext,/>Representing trapdoor information,/>Representing an authentication token,/>Representing user/>Attribute key of/>Representing the ciphertext of the data.
According to the agricultural product supply chain-based data access control method, the attribute-based searchable encryption is combined with the attribute-based access control, so that the data sharing is efficiently completed while the data privacy is ensured, the safety and the privacy of the data access control are improved, and the problems of data safety and sharing in the agricultural product supply chain are effectively solved.
In some embodiments, attribute-based access control based on trapdoor information, searchable ciphertext, authentication token, and an attribute key of a data requester includes:
verifying the data requester based on the verification token and the attribute key of the data requester;
after verification is passed, comparing trapdoor information with searchable ciphertext based on a policy ciphertext management intelligent contract;
In the case of a consistent comparison, a determination is made to allow the data access request of the data requester.
Specifically, the authority first authenticates the data requester based on the authentication token and the attribute key of the data requester.
The attribute key is typically a key or password generated when the user registers or initializes the account, for encrypting and decrypting data and verifying the user's identity. The attribute key is adopted for verification, so that only users with correct registration keys can successfully perform search operation, and the security and privacy of search are guaranteed.
The authentication token contains attribute information of the encrypted data and identity information of the user, and can be used for authenticating the identity of the user, but cannot prove that the user holds the correct registration key. Authentication with the authentication token may confirm whether the user has the corresponding attributes of the access control policy and ensure that the user has sufficient rights to perform a particular search operation.
After both types of verification pass, the supervision organization compares trapdoor information with the searchable ciphertext based on the policy ciphertext management intelligent contract. The policy ciphertext management intelligent contract is responsible for managing verification and comparison of trapdoor information and searchable ciphertext. In the case of a contrast agreement, determining to allow the data access request of the data requester, and in the case of a contrast disagreement, determining not to allow the data access request of the data requester.
It should be noted that, the regulatory body is responsible for defining attribute information including a subject attribute (belonging stage, device number, role, authority level, etc.), an object attribute (belonging organization, data sensitivity level, file type, etc.), an environment attribute (for example, time, location, date, etc.), and a behavior (reading, writing, etc.).
According to the agricultural product supply chain-based data access control method, the data requester is verified through the verification token and the attribute key of the data requester, trapdoor information and searchable ciphertext are compared based on the policy ciphertext management intelligent contract after verification is passed, whether the data access request of the data requester is allowed or not is determined according to a comparison result, and the safety and privacy of data access control are further improved through a first verification and then comparison mode.
In some embodiments, the method for controlling data access based on agricultural product supply chain provided by the invention further comprises:
Receiving a second access control policy sent by a data owner;
generating an index token based on the second access control policy and the attribute public key list;
The index token is sent to the data owner.
Specifically, the regulatory body receives a second access control policy sent by the data owner, and the regulatory body generates an index token for creating a searchable ciphertext based on the second access control policy and the attribute public key list. The attribute public key list refers to a set of public keys used to encrypt data and to generate attributes for trapdoors. The expression for generating the index token is as follows:
Wherein, Representing a second access control policy,/>Representing a list of attribute public keys,/>,Represents the z-th attribute public key in the attribute public key list, the superscript n represents the total number of attribute public keys in the attribute public key list, and/>Representing the index token.
The regulatory agency sends the index token to the data owner for the data owner to generate a searchable ciphertext based on the index token.
According to the agricultural product supply chain-based data access control method, the second access control strategy sent by the data owner is received, the index token is generated based on the second access control strategy and the attribute public key list, and the index token is sent to the data owner so that the data owner can generate the searchable ciphertext based on the index token.
In some embodiments, the method for controlling data access based on agricultural product supply chain provided by the invention further comprises:
an authentication token is created based on the second access control policy.
Specifically, the regulatory body creates the authentication token based on the second access control policy sent by the data owner. The expression for creating the authentication token is as follows:
Wherein, Representing a second access control policy,/>Representing an authentication token.
According to the data access control method based on the agricultural product supply chain, the verification token is created based on the second access control strategy, so that subsequent verification of a data requester is facilitated.
In some embodiments, the method for controlling data access based on agricultural product supply chain provided by the invention further comprises:
Receiving a first access control policy sent by a data requester;
Generating a query token based on the first access control policy, the authentication token, the attribute key of the data requester, and the attribute public key list;
Generating a search token based on the first access control policy and the attribute public key list;
The query token and the search token are sent to the data requestor.
Specifically, the administrative authority receives a first access control policy sent by the data requester, generates a query token based on the first access control policy, the authentication token, the attribute key of the data requester and the attribute public key list, and sends the generated query token to the data requester. The query token is used to indicate keywords that allow the user to search under the second access control policy. The expression for generating the query token is as follows:
Wherein, Representing a first access control policy,/>Representing an authentication token,/>Representing user/>Attribute key of/>Representing a list of attribute public keys,/>Representing the query token.
The regulatory body generates a search token for creating trapdoor information based on the first access control policy and the attribute public key list, and transmits the generated search token to the data requester. The expression of the generated search token is as follows:
Wherein, Representing a first access control policy,/>Representing a list of attribute public keys,/>Representing a search token.
According to the data access control method based on the agricultural product supply chain, the first access control strategy sent by the data requester is received, the query token is generated based on the first access control strategy, the verification token and the attribute key and attribute public key list of the data requester, the search token is generated based on the first access control strategy and the attribute public key list, and the query token and the search token are sent to the data requester so that the data requester can generate trapdoor information based on the search token and the query token.
In some embodiments, the method for controlling data access based on agricultural product supply chain provided by the invention further comprises:
In the event that it is determined that the data access request of the data requester is not allowed, a penalty policy of the data requester is determined based on the policy penalty smart contract.
Specifically, the policy punishment intelligent contract is responsible for managing whether a data access request has malicious attack behaviors or not, and punishment is carried out on a malicious visitor.
In the event that it is determined that the data access request of the data requester is not allowed, a penalty policy of the data requester is determined based on the policy penalty smart contract. The penalty policy may be to blacklist the data requester's IP for ten minutes, and prohibit access by the data requester during the period that the data requester's IP is blacklisted.
According to the agricultural product supply chain-based data access control method provided by the invention, under the condition that the data access request of the data requester is not allowed, the malicious data requester is punished through the strategy punishment intelligent contract, so that illegal access can be effectively solved, and the network trust degree can be improved.
In some embodiments, the method for controlling data access based on agricultural product supply chain provided by the invention further comprises:
each party participating in the agricultural product supply chain is registered and authenticated based on the Kerberos service.
Specifically, kerberos is widely used in big data ecology as an efficient and reliable authentication mechanism. Each party participating in the agricultural product supply chain (internet of things device, edge device and enterprise node) uses an identity (e.g., MAC address) to register and authenticate by accessing the Kerberos service to create a user name for identifying the identity.
During registration, kerberos generates a pair of public and private keys, associates the public keys with identification of authentication equipment, establishes service of the authentication equipment in Kerberos after registration is completed, then other equipment can access the service to establish contact, and Kerberos authentication is adopted to provide security assurance for delivery verification process.
The supervision mechanism obtains the security parameters, and outputs public parameters and users according to the security parametersIs used for the master key of (a). The specific process is as follows:
Wherein, Representing security parameters,/>Representing common parameters,/>Representing user/>Is used for the master key of (a).
The regulatory authorities are based on common parameters and usersGenerates a user/>Attribute keys and private keys of (a). The specific expression is as follows:
Wherein, Representing common parameters,/>Representing user/>Is/is a master key of (1)Representing user/>Is a key of an attribute of (a),Representing user/>For creating a private key for trapdoor information.
The supervision organization generates a master key and an attribute public key of the attribute j according to the public parameters. The attribute master key is used for creating an attribute private key when a user registers, and the attribute public key is used for generating attribute verification, trapdoor information and the like. The specific expression is as follows:
Wherein, Main Key representing Attribute j,/>The attribute public key representing attribute j.
The regulatory agency is based on the userThe user/>, and the master key of attribute jCorrelating with the attribute j to generate a user/>Possess the attribute private key of attribute j. The specific expression is as follows:
Wherein, Representing user/>Attribute key of/>Main Key representing Attribute j,/>Representing user/>Possess the attribute private key of attribute j.
After the data requester obtains the data ciphertext, the data ciphertext is decrypted through the attribute private key to obtain a service website of the data owner in Kerberos, the access right is obtained after the service website is obtained, and the data requester can establish a session key with the data owner in Kerseros to carry out the link privacy data transmission.
In order to prevent inconsistent data under the chain, namely, the situation that private data transmitted under the chain may be tampered, hash can be performed on the private data transmitted under the chain and the data on the chain, so as to ensure the authenticity and accuracy of the data.
According to the agricultural product supply chain-based data access control method, all the participants participating in the agricultural product supply chain are registered and authenticated through the Kerberos service, so that the high-efficiency reliability of authentication is improved.
Fig. 3 is a second flow chart of the data access control method based on an agricultural product supply chain provided by the invention, and as shown in fig. 3, the data access control method based on the agricultural product supply chain specifically includes the following steps:
The data owner encrypts the access control strategy by adopting the searchable encryption based on the attribute, and binds the encrypted access strategy with the encrypted Kerberos service website to obtain encrypted data. The data owner sends the searchable ciphertext to the edge node, which passes the searchable ciphertext on to the blockchain.
The data requesters can be divided into legal data requesters and illegal data requesters, for example, the manager role with the first-level authority level in the B stage requests to conduct data reading behavior, which is the legal data requesters; and B, requesting to conduct data reading action by a role of a common employee with a zero-level authority level, which is an illegal data requester.
The legitimate data requester sends a data access request to the edge node, the data access request carrying trapdoor information. The edge node converts the data access request into XACML format for delivery to the policy decision intelligence contract.
After the policy decision intelligent contract receives the information transmitted by the edge node, the trapdoor information is transmitted to the policy ciphertext management intelligent contract, the policy ciphertext management intelligent contract searches the searchable ciphertext, the searched searchable ciphertext is compared with the trapdoor information, and a comparison result is returned to the policy decision intelligent contract.
And under the condition that the comparison results are consistent, the policy decision intelligent contract returns the data ciphertext from the blockchain to the legal data requester for request. The legal data requester requests to acquire permission, decrypts the data ciphertext to obtain a Kerberos service website of the data owner, namely, the permission for accessing the data owner is acquired.
Under the condition that the comparison results are inconsistent, the policy decision intelligent contract requests punishment information from the policy punishment intelligent contract, and the punishment policy can be that the IP address is blacked for 10 minutes under the condition that the IP address is not blacked more than 5 times. The number of times of the blackening of the IP address is increased by 1, and when judging that the blackening of the IP address exceeds 5 times, the IP address is permanently blacked. The policy punishment intelligent contract returns punishment information to the policy decision intelligent contract according to the punishment policy, and the policy decision intelligent contract punishs the illegal data requesters according to the punishment information.
Fig. 4 is a schematic diagram of an attribute-based searchable encryption process provided by the present invention, and as shown in fig. 4, the attribute-based searchable encryption process specifically includes:
The regulatory agency publishes the common parameters onto the blockchain. The data requester and the data owner each request the user registration from the administrative authority, and the administrative authority returns the attribute key and the private key to the data requester and the data owner and assigns attribute rights and associates with the user.
The data owner requests the generation of an index token from the regulatory body, the regulatory body sends the index token to the data owner, the data owner generates a searchable ciphertext based on the index token, and the searchable ciphertext is uplink.
The data requester requests generation of a search token and a query token from a regulatory agency, the regulatory agency transmits the search token and the query token to a data owner, the data requester generates trapdoor information based on the search token and the query token, and the trapdoor information is linked up.
The supervision organization generates a verification token, and the supervision organization performs identity verification of the data requester based on trapdoor information, the verification token and the searchable ciphertext and returns a comparison result.
Fig. 5 is a schematic structural diagram of an electronic device according to the present invention, and as shown in fig. 5, the electronic device may include: processor 510, communication interface (Communications Interface) 520, memory 530, and communication bus 540, wherein processor 510, communication interface 520, memory 530 complete communication with each other through communication bus 540. Processor 510 may invoke logic instructions in memory 530 to perform a method of data access control based on a commodity supply chain, the method comprising:
Acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information; performing attribute-based access control based on trapdoor information, a searchable ciphertext, a verification token, and an attribute key of the data requester; returning a requested data ciphertext to the data requester if it is determined that the data access request of the data requester is allowed; wherein the trapdoor information is generated by the data requester based on a first key and ABSE encrypted first access control policies, query tokens, search tokens, private keys and private attribute keys used to create the trapdoor information; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token; the first key and the first access control policy are determined by the data requestor based on the requested data; the second key, second access control policy, is determined by the data owner based on the shared data.
Further, the logic instructions in the memory 530 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, the computer program product including a computer program, the computer program being storable on a non-transitory computer readable storage medium, the computer program, when executed by a processor, being capable of executing the agricultural product supply chain-based data access control method provided by the above methods, the method comprising:
Acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information; performing attribute-based access control based on trapdoor information, a searchable ciphertext, a verification token, and an attribute key of the data requester; returning a requested data ciphertext to the data requester if it is determined that the data access request of the data requester is allowed; wherein the trapdoor information is generated by the data requester based on a first key and ABSE encrypted first access control policies, query tokens, search tokens, private keys and private attribute keys used to create the trapdoor information; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token; the first key and the first access control policy are determined by the data requestor based on the requested data; the second key, second access control policy, is determined by the data owner based on the shared data.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the agricultural product supply chain-based data access control method provided by the above methods, the method comprising:
Acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information; performing attribute-based access control based on trapdoor information, a searchable ciphertext, a verification token, and an attribute key of the data requester; returning a requested data ciphertext to the data requester if it is determined that the data access request of the data requester is allowed; wherein the trapdoor information is generated by the data requester based on a first key and ABSE encrypted first access control policies, query tokens, search tokens, private keys and private attribute keys used to create the trapdoor information; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token; the first key and the first access control policy are determined by the data requestor based on the requested data; the second key, second access control policy, is determined by the data owner based on the shared data.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
It is further intended that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The term "at least one" in the present invention means one or more, and "a plurality" means two or more. The terms "first," "second," "third," "fourth," and the like in this disclosure, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
In embodiments of the invention, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method of controlling data access based on a supply chain of agricultural products, applied to a regulatory agency, comprising:
acquiring a data access request transmitted by a data requester through an edge node, wherein the data access request carries trapdoor information;
Performing attribute-based access control based on trapdoor information, a searchable ciphertext, a verification token, and an attribute key of the data requester;
Returning a requested data ciphertext to the data requester if it is determined that the data access request of the data requester is allowed;
Wherein the trapdoor information is generated by the data requester based on a first key and ABSE encrypted first access control policies, query tokens, search tokens, private keys and private attribute keys used to create the trapdoor information; the searchable ciphertext is generated by the data owner based on the second key, the ABSE encrypted second access control policy, the data ciphertext, and the index token;
The first key and the first access control policy are determined by the data requestor based on the requested data; the second key, the second access control policy, is determined by the data owner based on the shared data.
2. The agricultural product supply chain-based data access control method of claim 1, wherein the attribute-based access control based on trapdoor information, searchable ciphertext, authentication token, and the attribute key of the data requester comprises:
Authenticating the data requester based on the authentication token and the attribute key of the data requester;
after verification is passed, comparing the trapdoor information with the searchable ciphertext based on a policy ciphertext management intelligent contract;
in the event of a match, determining that the data access request of the data requester is allowed.
3. The agricultural product supply chain-based data access control method of claim 2, further comprising:
In the event that it is determined that the data access request of the data requester is not allowed, a penalty policy of the data requester is determined based on a policy penalty smart contract.
4. The agricultural product supply chain-based data access control method of claim 1, further comprising:
Receiving the second access control policy sent by the data owner;
generating the index token based on the second access control policy and the attribute public key list;
And sending the index token to the data owner.
5. The agricultural product supply chain-based data access control method of claim 4, further comprising:
the authentication token is created based on the second access control policy.
6. The agricultural product supply chain-based data access control method of claim 5, further comprising:
receiving the first access control policy sent by the data requester;
generating the query token based on the first access control policy, the authentication token, the attribute key of the data requester, and the attribute public key list;
Generating the search token based on the first access control policy and the attribute public key list;
and sending the query token and the search token to the data requester.
7. The agricultural product supply chain-based data access control method of claim 1, further comprising:
each party participating in the agricultural product supply chain is registered and authenticated based on the Kerberos service.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the agricultural product supply chain-based data access control method of any one of claims 1 to 7 when the computer program is executed.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the agricultural product supply chain-based data access control method of any of claims 1 to 7.
10. A computer program product comprising a computer program which when executed by a processor implements a method of agricultural product supply chain-based data access control as claimed in any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410446238.0A CN118041513A (en) | 2024-04-15 | 2024-04-15 | Agricultural product supply chain-based data access control method and apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410446238.0A CN118041513A (en) | 2024-04-15 | 2024-04-15 | Agricultural product supply chain-based data access control method and apparatus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118041513A true CN118041513A (en) | 2024-05-14 |
Family
ID=90993644
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410446238.0A Pending CN118041513A (en) | 2024-04-15 | 2024-04-15 | Agricultural product supply chain-based data access control method and apparatus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118041513A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110224986A (en) * | 2019-05-07 | 2019-09-10 | 电子科技大学 | It is a kind of that access control method efficiently can search for based on hiding strategy CP-ABE |
| US20220368545A1 (en) * | 2020-07-08 | 2022-11-17 | Zhejiang University City College | Searchable encrypted data sharing method and system based on blockchain and homomorphic encryption |
| WO2023226641A1 (en) * | 2022-05-25 | 2023-11-30 | 南京理工大学 | Blockchain privacy data access control method and system |
| CN117828673A (en) * | 2024-03-05 | 2024-04-05 | 北京全景智联科技有限公司 | Block chain-based data circulation and privacy protection method and device |
-
2024
- 2024-04-15 CN CN202410446238.0A patent/CN118041513A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110224986A (en) * | 2019-05-07 | 2019-09-10 | 电子科技大学 | It is a kind of that access control method efficiently can search for based on hiding strategy CP-ABE |
| US20220368545A1 (en) * | 2020-07-08 | 2022-11-17 | Zhejiang University City College | Searchable encrypted data sharing method and system based on blockchain and homomorphic encryption |
| WO2023226641A1 (en) * | 2022-05-25 | 2023-11-30 | 南京理工大学 | Blockchain privacy data access control method and system |
| CN117828673A (en) * | 2024-03-05 | 2024-04-05 | 北京全景智联科技有限公司 | Block chain-based data circulation and privacy protection method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11314891B2 (en) | Method and system for managing access to personal data by means of a smart contract | |
| JP7181539B2 (en) | METHOD AND APPARATUS FOR MANAGING USER IDENTIFICATION AND AUTHENTICATION DATA | |
| US20220200975A1 (en) | Method and System for Zero-Knowledge and Identity Based Key Management for Decentralized Applications | |
| Joshi et al. | Unified authentication and access control for future mobile communication‐based lightweight IoT systems using blockchain | |
| JP6054457B2 (en) | Private analysis with controlled disclosure | |
| CN109617692B (en) | Anonymous login method and system based on block chain | |
| US20170237717A1 (en) | Identity binding systems and methods in a personal data store in an online trust system | |
| Liu et al. | Enabling secure and privacy preserving identity management via smart contract | |
| CN110569658A (en) | User information processing method and device based on block chain network, electronic equipment and storage medium | |
| CN109492424B (en) | Data asset management method, data asset management device, and computer-readable medium | |
| CN111914293A (en) | Data access authority verification method and device, computer equipment and storage medium | |
| Deebak et al. | A robust and distributed architecture for 5G-enabled networks in the smart blockchain era | |
| CN112291062B (en) | Voting method and device based on block chain | |
| Hong et al. | Service outsourcing in F2C architecture with attribute-based anonymous access control and bounded service number | |
| Guo et al. | Using blockchain to control access to cloud data | |
| Chai et al. | BHE-AC: A blockchain-based high-efficiency access control framework for Internet of Things | |
| Wang et al. | An efficient data sharing scheme for privacy protection based on blockchain and edge intelligence in 6G-VANET | |
| Singh et al. | A technical look at the indian personal data protection bill | |
| CN111078649A (en) | Block chain-based on-cloud file storage method and device and electronic equipment | |
| WO2022218629A1 (en) | Blockchain based system and method | |
| CN118041513A (en) | Agricultural product supply chain-based data access control method and apparatus | |
| Kiyomoto et al. | Fair-trading protocol for anonymised datasets requirements and solution | |
| Janani et al. | A security framework to enhance IoT device identity and data access through blockchain consensus model | |
| Tan et al. | Research on user security authentication method of eco-environmental monitoring database | |
| Rathod et al. | The Use of Blockchain Technology to Verify KYC Documents |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |