KR102500497B1 - Apparatus for performing access control based on blockchain and method thereof - Google Patents

Abstract

A blockchain-based access control device is provided. The access control device includes a processor, a network interface, a memory, and at least one program loaded into the memory and executed by the processor, wherein the at least one program is a control target given an access restriction period. After an operation of generating a first data fragment and a second data fragment based on data, an operation of recording the first data fragment on a first blockchain, and the lapse of the access restriction period, the second data fragment is It may include instructions for performing an operation to be recorded on the first blockchain.

Description

Blockchain-based access control device and its operation method {APPARATUS FOR PERFORMING ACCESS CONTROL BASED ON BLOCKCHAIN AND METHOD THEREOF}

The present invention relates to a block chain-based access control device and its operating method. More specifically, it relates to a device for controlling access to control target data for a plurality of users while guaranteeing the integrity of control target data using a blockchain and an operating method of the device.

Blockchain is a data management technology in which continuously increasing data is recorded in a block of a specific unit, and each node constituting a P2P (peer-to-peer) network manages the block in a chain-type data structure. Alternatively, it means the data itself composed of the chain-type data structure. At this time, the blockchain composed of a chain-type data structure is operated in the form of a distributed ledger in each node without a central system.

Each blockchain node constituting the blockchain network manages blocks in a chain-type data structure as shown in FIG. Here, the hash value of the previous block is recorded in each block, and the previous block can be referred to through the hash value. Therefore, as blocks are piled up, forgery and falsification of data recorded in the block becomes difficult, reliability of data is improved, and integrity of data can be guaranteed even in a distributed environment.

On the other hand, since all data recorded on the blockchain in a blockchain-based system is distributed and stored in all blockchain nodes, it is impossible to force certain users to not view the data for a certain period of time (e.g. confidentiality period). . In other words, since data recorded on the blockchain can be viewed by all users using the blockchain, it is impossible to restrict users' access to the data for a certain period of time.

Of course, there is a method of restricting access to other users by encrypting the data and recording it on the blockchain, but this method encrypts the data before recording it on the blockchain and decrypts it when reading the data. causes cumbersome tasks such as performing In addition, when the confidentiality period of the data has elapsed, there is a problem in that additional work is required, such as distributing an encryption key or recording it on a blockchain again after decryption. In addition, the above method also has problems with the management of encryption keys and the decrease in stability of encryption technology with the development of computing technology.

Accordingly, a method for efficiently controlling access to data requiring access restriction for a certain period of time in a blockchain environment is required.

Korean Patent Publication No. 10-2017-0137388 (published on December 13, 2017)

A technical problem to be solved by the present invention is to provide a device for controlling access to control target data given an access restriction period in a blockchain environment and a method of operating the device.

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

In order to solve the above technical problem, a block chain-based access control device according to an embodiment of the present invention is loaded into a processor, a network interface, a memory, and the memory, and at least one of the processors executed by the processor. A program, wherein the at least one program generates a first data fragment and a second data fragment based on control subject data given an access restriction period, and records the first data fragment on a first blockchain and, after the access restriction period has elapsed, instructions for performing an operation to process the second data piece to be recorded on the first block chain. In this case, the control target data may be regenerated based on the first data piece and the second data piece.

In one embodiment, the operation of generating the first data piece and the second data piece includes an operation of generating the first data piece and the second data piece according to a preset rule, and The operation of processing to be recorded on may include an operation of processing to record the second data piece and the preset rule on the first blockchain.

In one embodiment, the at least one program may further include instructions for performing an operation of generating anti-forgery information for the control target data and an operation of recording the anti-forgery information on the first blockchain. In one embodiment, the operation of processing to be recorded on the first block chain is executed in response to the operation of recording the second data piece on the second block chain and the determination of the lapse of the access restriction period. It may include an operation of registering a smart contract on the second blockchain. At this time, the smart contract may include a routine for processing the second data piece recorded on the second blockchain to be recorded on the first blockchain.

A block chain-based access control device according to another embodiment of the present invention for solving the above technical problem is a processor, a network interface, a memory, and at least one of a processor, a network interface, a memory, and loaded into the memory, and executed by the processor. program can be included. The at least one program records the data subject to control given an access restriction period on the first block chain, and after the access restriction period has passed, the control subject data is recorded on the second block chain. It may contain instructions for performing an operation.

In one embodiment, the first block chain may be implemented such that only access by users having specific access rights is allowed, and the second blockchain may be implemented such that access by users without the specific access rights is allowed.

In one embodiment, the first blockchain may be implemented in a private blockchain network, and the second blockchain may be implemented in a public blockchain network.

In one embodiment, the operation of processing to be recorded on the second blockchain includes an operation of registering a smart contract executed in response to the determination of the lapse of the access restriction period on the first blockchain. can do. At this time, the smart contract may include a routine for processing the control target data recorded on the first blockchain to be recorded on the second blockchain.

In one embodiment, the control object data includes the first data piece of the first data piece and the second data piece generated based on the original control object data, and the at least one program, the access restriction period Before passing, it may further include instructions for performing an operation of recording the second piece of data on the second blockchain. In this case, the original control object data may be regenerated based on the first data piece and the second data piece.

A blockchain-based access control method according to an embodiment of the present invention for solving the above-mentioned technical problem is a block-chain-based access control method performed by an access control device, in which an access restriction period is given to control target data Generating a first data piece and a second data piece based on, recording the first data piece on the first blockchain, and after the access restriction period has elapsed, the second data piece 1 It may include processing to be recorded on the blockchain. In this case, the control target data may be regenerated based on the first data piece and the second data piece.

A blockchain-based access control method according to another embodiment of the present invention for solving the above-described technical problem is a block-chain-based access control method performed by an access control device, in which the access restriction period is given to control target data It may include the step of recording on the first block chain and the step of processing the data to be controlled so that it is recorded on the second block chain after the access restriction period has passed.

A computer program according to an embodiment of the present invention for solving the above technical problem is combined with a computing device, generating a first data piece and a second data piece based on control target data given an access restriction period , To a computer to execute the step of recording the first data piece on the first block chain and the step of processing the second data piece to be recorded on the first block chain after the access restriction period has passed. It can be stored on a readable recording medium. In this case, the control target data may be regenerated based on the first data piece and the second data piece.

A computer program according to another embodiment of the present invention for solving the above-described technical problem is combined with a computing device, recording control object data given an access restriction period on a first block chain, and the access restriction period After the past, in order to execute the step of processing the control target data to be recorded on the second block chain, it can be stored in a computer-readable recording medium.

1 is a diagram showing the data structure of a block chain that can be referenced in some embodiments of the present invention.
2 is a configuration diagram of an exemplary system in which an access control method according to some embodiments of the present invention may be performed.
3 and 4 are diagrams for explaining the configuration of a blockchain network that can be referenced in some embodiments of the present invention.
5 is a flowchart illustrating a block chain-based access control method according to a first embodiment of the present invention.
6 is an exemplary diagram of a data partitioning method that may be referred to in some embodiments of the present invention.
7 is an exemplary diagram of forgery prevention information that may be referred to in some embodiments of the present invention.
8 is an exemplary diagram for explaining a block chain-based access control method according to the first embodiment of the present invention.
9 and 10 are flowcharts illustrating a block chain-based access control method according to a second embodiment of the present invention.
11 is an exemplary diagram for explaining an access control method according to a first utilization example of the present invention.
12 is an exemplary diagram for explaining an access control method according to a second utilization example of the present invention.
13 is an exemplary diagram for explaining an access control method according to a third utilization example of the present invention.
14 is a block diagram showing a block chain-based access control device according to an embodiment of the present invention.
15 is a hardware configuration diagram of a block chain-based access control device according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only these embodiments make the disclosure of the present invention complete, and common knowledge in the art to which the present invention belongs. It is provided to completely inform the person who has the scope of the invention, and the present invention is only defined by the scope of the claims.

In adding reference numerals to components of each drawing, it should be noted that the same components have the same numerals as much as possible even if they are displayed on different drawings. In addition, in describing the present invention, if it is determined that a detailed description of a related known configuration or function may obscure the gist of the present invention, the detailed description will be omitted.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used in a meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined. Terminology used herein is for describing the embodiments and is not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase.

Also, terms such as first, second, A, B, (a), and (b) may be used in describing the components of the present invention. These terms are only used to distinguish the component from other components, and the nature, order, or order of the corresponding component is not limited by the term. When an element is described as being “connected,” “coupled to,” or “connected” to another element, that element is directly connected or connectable to the other element, but there is another element between the elements. It will be understood that elements may be “connected”, “coupled” or “connected”.

As used herein, "comprises" and/or "comprising" means that a stated component, step, operation, and/or element is the presence of one or more other components, steps, operations, and/or elements. or do not rule out additions.

Prior to the description of this specification, some terms used in this specification will be clarified.

In this specification, a blockchain network refers to a P2P structured network composed of a plurality of blockchain nodes operating according to a blockchain algorithm/protocol.

In this specification, a blockchain node refers to a computing node that configures a blockchain network and maintains and manages a blockchain based on a blockchain algorithm/protocol. The computing node may be implemented as a logical computing device such as a physical computing device or a virtual machine. When the computing node is implemented as a virtual machine, a plurality of blockchain nodes may be included in one physical computing device.

In this specification, a smart contract refers to a script or software code used for processing various transactions in a blockchain environment. More specifically, the smart contract is a code written programmatically for various conditions, states, and actions according to the conditions used in transaction processing. For example, a smart contract of Ethereum or a hyperledger fabric It may include chain code and the like. In a blockchain environment, blockchain nodes share smart contracts registered on the blockchain.

In this specification, a piece of data refers to a part of original data or a part of data generated based on original data. Accordingly, it should be noted that the data fragment does not refer only to a physical part of the original data itself. The term "piece" may be used interchangeably with terms such as chunk, segment, and part in the art.

In this specification, an instruction refers to a component of a computer program and executed by a processor as a series of instructions grouped on the basis of function.

Hereinafter, some embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is a block diagram of an exemplary system in which a blockchain-based access control method according to some embodiments of the present invention can be performed.

Referring to FIG. 2 , the exemplary system may include an access control device 100 and a blockchain network 200 composed of a plurality of blockchain nodes. However, this is only a preferred embodiment for achieving the object of the present invention, and it goes without saying that some components may be added or deleted as needed. In addition, it should be noted that each component constituting the system shown in FIG. 2 represents functionally differentiated functional elements, and at least one component may be implemented in a form integrated with each other in an actual physical environment. For example, at least one blockchain node constituting the access control device 100 and the blockchain network 200 may be implemented with different logic within the same physical computing device.

In the exemplary system, the access control device 100 is a computing device that controls access to control target data. Here, the computing device may be a notebook, a desktop, or a laptop, but is not limited thereto, and may include all kinds of devices having a computing function and a communication function.

The data subject to control refers to data given a predetermined access restriction period. For example, the data subject to control may be data required to be kept secret for a certain period of time. According to some embodiments of the present invention, the access restriction period may be set for each user and/or access authority. In addition, the access restriction period may be set to a period between two points in time at which access restrictions are required, or may be set to a specific point in time at which access restrictions are lifted.

According to an embodiment of the present invention, the access control device 100 performs access control for the control target data based on a blockchain. At this time, the data to be controlled is recorded on the blockchain. Therefore, according to the present embodiment, the confidentiality of control target data is guaranteed during the access restriction period, and the integrity of control target data can also be guaranteed. A detailed description of the access control method performed by the access control device 100 will be described in detail with reference to the drawings below in FIG. 5 .

In the exemplary system above, blockchain network 200 is a peer-to-peer (P2P) network constituted by a plurality of blockchain nodes. At this time, the blockchain node is a node that operates according to a blockchain algorithm (or protocol), and each blockchain node maintains the same blockchain data by the blockchain algorithm.

According to some embodiments of the invention, blockchain network 200 may maintain multiple blockchains. In this case, the first block chain may be a block chain implemented so that only a specific user with access authority is allowed access, and the second block chain may be a block chain implemented so that the user's access is allowed regardless of access authority. In this case, the access control device 100 registers the control target data recorded on the first block chain in the second block chain after the access restriction period has elapsed, thereby preventing multiple users using the second block chain. Access control can be performed.

A method of implementing the plurality of blockchains may vary depending on the embodiment.

For example, as shown in FIG. 3, the blockchain network 200 is composed of a plurality of different blockchain networks 211 and 213, and each blockchain network 211 and 213 creates a mutually independent blockchain. can be implemented to maintain

As another example, as shown in FIG. 4, the blockchain network 200 is composed of a multi-channel network, and each channel can be implemented to correspond to one blockchain. . That is, in the example shown in FIG. 4, blockchain nodes belonging to the first channel 221 in the same blockchain network 200 maintain the first blockchain, and the blockchain belonging to the second channel 223 Nodes may be implemented to maintain a second blockchain.

However, the above-listed examples are for explaining some embodiments of the present invention, the scope of the present invention is not limited to the above-listed examples, and a plurality of blockchains can be implemented in various ways.

In the exemplary system, the user terminal 300 is a terminal used by a user for purposes such as registering data in a blockchain or retrieving data registered in a blockchain. The user terminal 300 may be implemented as any computing device.

Components of the system shown in FIG. 2 may communicate over a network. Here, the network is a local area network (LAN), a wide area network (Wide Area Network; WAN), a mobile communication network (mobile radio communication network), all types of wired / wireless networks such as Wibro (Wireless Broadband Internet) can be implemented

So far, with reference to FIGS. 2 to 4, exemplary systems in which access control methods according to some embodiments of the present invention can be performed have been described. Hereinafter, an access control method according to some embodiments of the present invention will be described with reference to FIGS. 5 to 14.

Each step of the block chain-based access control method according to embodiments of the present invention, which will be described below, may be performed by a computing device. For example, when the access control method is performed in the environment shown in FIG. 2, the computing device may be the access control device 100. However, for convenience of description, the description of the subject of each step included in the block chain-based access control method may be omitted. In addition, each step of the access control method may be implemented as instructions of a computer program that is loaded into a memory and executed by a processor.

First, the access control method according to the first embodiment of the present invention will be described with reference to FIGS. 5 to 8 .

5 is a flowchart illustrating an access control method according to a first embodiment of the present invention. The access control method according to the first embodiment is performed based on one blockchain. Hereinafter, description will be made with reference to FIG. 5 .

Referring to FIG. 5 , the access control method according to the first embodiment starts at step S10 of receiving a registration request for control target data from the user terminal 300 . As described above, the data to be controlled is data given a predetermined access restriction period.

In one embodiment, the access restriction period may be set by the user.

In another embodiment, the access restriction period may be automatically set by the access control device 100 or another device (eg, the user terminal 300). For example, an access restriction period may be automatically set based on the importance level of control target data. However, the method in which the access restriction period is set may be performed in any number of different ways.

In step S20, in response to the registration request, a registration procedure for control target data starts. In the first step (S20) of the registration process, the access control device 100 generates a plurality of data pieces from the control target data according to a preset partitioning rule. For example, the access control device 100 may generate a plurality of data pieces 245 and 247 by applying the specified partitioning rule 243 to the control target data 241 as shown in FIG. 6 . Hereinafter, for convenience of understanding, it is assumed that the number of data pieces generated according to the splitting rule is two, and the description continues. However, the scope of the present invention is not limited by the number of data pieces.

The split rule may include various types of rules. For example, as shown in FIG. 6, a first rule for dividing data pieces into physical parts of the original data, a second rule for compressing the original data and dividing the data based on the compressed original data, and the original data It may include a third rule for encrypting and dividing the data based on the encrypted original data. In addition, the split rule may include all types of rules capable of generating a plurality of data pieces based on original data. In addition, the splitting rule may also include a rule for regenerating corresponding data from a plurality of pieces of data.

For reference, when a data fragment is generated according to the second rule, a certain encryption effect may be obtained according to a compression process. In addition, due to the reduction in data capacity due to compression, the problem of storage capacity, which is one of the sensitive problems in the blockchain environment, can be reduced.

According to some embodiments of the present invention, the partitioning rule applied to control target data may vary according to the importance of the control target data. For example, in the case of controlled data having a high importance level (e.g. confidentiality level, security level, etc.), a stronger partitioning rule may be applied. Here, the meaning of "high strength" is to increase the number of divided data pieces or to perform additional processing such as data mixing/shuffling, compression/encryption, etc. This means that the difficulty of division/regeneration is improved. According to this embodiment, security of data with high importance can be further improved.

In addition, according to some embodiments of the present invention, the access control device 100 may generate a data key (ie, an identification value) for control target data. In this embodiment, the piece of data generated in step S20 is matched with the data key and recorded on the blockchain 230, and is used to query control target data. However, according to embodiments, the data key may be provided from the user terminal 300 .

In addition, according to some embodiments of the present invention, the access control device 100 may generate information for preventing forgery and alteration of control target data. The forgery prevention information may consist of a hash value for the entire control subject data and/or a hash value for each piece of data, but may be configured in any way as long as the forgery of the control subject data can be verified. . For example, as shown in FIG. 7 , the forgery prevention information may be composed of a merkle tree or hash tree for hash values of each data piece 251 to 259 . Through this, integrity of control target data may be further strengthened. Since the merkle tree is a well-known concept in the art, a description thereof will be omitted.

Referring back to FIG. 5 , in step S30 , the access control device 100 first registers some pieces of data in the blockchain 230 . For example, the access control device 100 may record the first piece of data and anti-forgery information on the blockchain 230 by matching the data key. In this step (S30), as some pieces of data are first recorded in the block chain 230, whether and/or registration time of control target data can be guaranteed.

In step S40, the access control device 100 registers the remaining data pieces to the blockchain 230. For example, the access control device 100 may match the data key and record the second data fragment and the split rule in the blockchain 230 .

This step (S40) is performed after the access restriction period of the controlled data has elapsed. That is, as shown in FIG. 8, the access control device 100 determines whether or not the access restriction period of the controlled data has elapsed, and performs this step (S40) in response to the elapsed determination. Therefore, during the access restriction period, some data of the controlled data is not exposed to the user of the blockchain, and as a result, the user's access to the controlled data may be restricted.

After the access restriction time has elapsed, when a search request for corresponding control target data is received from the user terminal 300, a data regeneration procedure may be performed. Specifically, in the data regeneration procedure, all data fragments recorded on the blockchain, division rules, and anti-forgery information are queried, and the corresponding data to be controlled is regenerated based on the division rules, and based on the anti-forgery information Verification of the corresponding control target data may be performed. In addition, regenerated control target data may be provided as a response to the inquiry request. The above data regeneration procedure may be performed by the access control device 100, but may be performed by another device.

On the other hand, in FIG. 8, the first data piece 261 and the forgery prevention information 267 are first registered in the blockchain 230 at the first time point T ₁ , and the second time point T ₂ after the access restriction period has elapsed. ), the second data piece 263 and the partitioning rule 265 are shown to be registered. However, the type and number of data registered at the first time point T ₁ and the second time point T ₂ may vary. For example, only the first data piece 261 may be registered in the blockchain at the first time point T ₁ , and the remaining data 263 to 267 may be registered in the blockchain at the second time point T ₂ .

So far, the access control method according to the first embodiment of the present invention has been described with reference to FIGS. 5 to 8 . According to the method described above, by registering some data in the blockchain and registering the rest of the data in the blockchain after the access restriction period has passed, the registration time of the data to be controlled and the integrity of the data to be controlled are guaranteed through the blockchain. It can be. In addition, in the prior art, even for data given a confidentiality period, it was impossible to prevent access such as data viewing after being registered in a public-based blockchain. However, according to the method described above, since access control can be performed even in a public-based blockchain environment by registering some of the divided data after the confidentiality period has elapsed, confidentiality of the data is also guaranteed during the confidentiality period. It can be. In addition, since there is no need to manage a separate access control list, efficient access control is possible. In addition, since there is no need to rebuild a public-based blockchain into a private-based blockchain for access control, the human cost, time cost, and computing cost required for reconstruction can be greatly reduced.

Hereinafter, an access control method according to a second embodiment of the present invention will be described with reference to FIGS. 9 and 10 . Hereinafter, a description will be made with reference to the drawings below in FIG. 9, and descriptions of the same contents as those of the foregoing embodiment will be omitted.

9 is a flowchart illustrating an access control method according to a second embodiment of the present invention.

As shown in FIG. 9, the access control method according to the second embodiment is performed based on a plurality of blockchains 271 and 273. At this time, the first block chain 271 refers to a block chain implemented such that access is allowed even to users who do not have access rights (or users who can access the data after the access restriction period has passed). For example, the first blockchain 271 may be implemented in a public blockchain network in which access control for users is not performed. The second block chain 273 refers to a block chain that can be accessed only by users with access rights (or users who can access even during the access restriction period). For example, the second blockchain 273 may be implemented in a private blockchain network allowing access control for a specific user. However, it goes without saying that both the first blockchain 271 and the second blockchain 271 can be implemented in a private blockchain network, which can vary according to the embodiment.

Looking at the specific access control method, the access control method according to the second embodiment also starts at the step of receiving a registration request for control target data (S100).

In step S110, the access control device 100 generates a plurality of pieces of data based on access control target data according to a preset partitioning rule. Description of this step (S110) is the same as described above, so it will be omitted.

In step S120, the access control device 100 registers meta information such as a data key in the second block chain 273 together with the generated plurality of data pieces. Since only users with access rights can access the second blockchain 273, even if all data is registered, control target data is not exposed to users without access rights.

In step S130, the access control device 100 registers some data pieces to the first block chain 271. In this step (S130), even if some pieces of data are recorded on the first block chain 271, since the control object data cannot be regenerated, the control object data is not exposed to a user without access rights.

In step S140, after the access restriction period has elapsed, the access control device 100 registers the remaining data pieces in the first block chain 271. For example, the access control device 100 may determine whether the access restriction period of the controlled data has elapsed, and record the remaining data pieces on the first block chain 271 in response to the elapsed determination . Accordingly, since the exposure time of the data to be controlled is determined as the time after the access restriction period has elapsed, access control to the control object data can be performed during the access restriction period.

Meanwhile, according to another embodiment of the present invention, this step (S140) may be performed by a smart contract. Specifically, as shown in FIG. 10, the access control device 100 registers a predetermined smart contract in the second blockchain 273 in advance. The smart contract is executed in response to the lapse of the access restriction period, and includes a routine for processing some pieces of data recorded on the second blockchain 273 to be recorded on the first blockchain 271. It is a smart contract that Therefore, when the access restriction period elapses, the smart contract is executed (S240), and the remaining data pieces can be recorded on the first blockchain 270 by the smart contract (S250). According to this embodiment, the corresponding step (S140) is automatically performed on the blockchain using a smart contract shared on the blockchain. Therefore, the load of the access control device 100 is reduced, and safe processing of the corresponding step (S140) can be ensured through blockchain technology that ensures the safety of transaction processing. In addition, all data (e.g. data pieces, forgery prevention information, division rules) required for regeneration of control target data are directly recorded on the blockchain, minimizing the period during which the access control device 100 retains the data. As a result, the integrity and security of control target data can be further improved.

For reference, in FIG. 10, the smart contract is shown as being registered in the second blockchain 273 together with the data pieces generated in the second blockchain 273, but the smart contract is the second blockchain 273. The time of registration may vary depending on the embodiment.

Also, in FIGS. 9 and 10 , steps S110 and S210 of generating a plurality of pieces of data may be omitted according to embodiments. In this case, the entire control target data is first registered in the second block chain 273, and when the access restriction period elapses, the entire control target data can be operated to be registered in the first block chain 271.

So far, the access control method according to the second embodiment of the present invention has been described with reference to FIGS. 9 and 10 . According to the above-described method, access control can be effectively performed for multiple users by delaying the point in time at which data subject to control is registered on the blockchain used by multiple users for an access restriction period. Therefore, unlike the prior art, there is no need to perform separate processing such as encryption to perform access control, and there is no need to separately manage an access control list, so access control can be efficiently performed. Also, unlike the prior art, even when the first blockchain 271 is implemented as a public blockchain, access control for users can be performed.

Hereinafter, in order to provide more convenience of understanding, specific examples of application of the present invention will be described based on the foregoing.

First, with reference to FIG. 11, a first utilization example of the present invention will be described.

In the first application example, the first blockchain 281 is a blockchain implemented to allow access of all users A and B. The first blockchain 281 may be implemented in a public blockchain network, or may be implemented in a manner allowing access to all users A and B in a private blockchain network.

The second block chain 283 is a block chain implemented so that only access to a specific user (A) with access authority is permitted. The second blockchain 283 may be implemented in a way that grants access rights only to a specific user (A) in a private blockchain network.

When the first block chain 281 and the second block chain 283 are implemented as shown in FIG. 11, the user (A) with access authority can use the second block chain 283 even during the access restriction period. Control target data can be used.

In addition, user B cannot access control target data during the access restriction period, and after all data 261 to 267 are registered in the first blockchain 281, Control target data can be used.

In this way, according to the first utilization example, access control can be performed for each user (A, B) (or for each access authority) based on the blockchains 281 and 283. For example, if user A is a creator or registrant of control target data, access control may be performed so that only the creator or registrant can access the data during the access restriction period, and other users cannot access the data.

Next, a second utilization example of the present invention will be described with reference to FIG. 12 .

As shown in FIG. 12, in the second use case, access control is performed using four or more blockchains 291, 293, 295, and 297, and different access restriction periods are applied for each access right. Specifically, the first access restriction period is applied to the user (A) with the first access right, the second access restriction period is applied to the user (B) with the second access right, and the second access restriction period is applied to the user without access right. 3 Access restriction period applies. In addition, access control is performed so that the registrant of the control target data can access the control target data regardless of the access restriction period.

In the second application example, the first blockchain 291 is a blockchain implemented to allow access to all users. Therefore, after the third access restriction period has elapsed, the remaining data (265, 267) are registered in the first blockchain 291, and after the third access restriction period has elapsed, the data to be controlled is exposed to all users do. As described above, registration of the remaining data 265 and 267 may be performed directly by the access control device 100 or may be performed by a smart contract.

The second block chain 293 is a block chain implemented such that only a specific user B (or a user having the second access right) is allowed access. Accordingly, the remaining data 265 and 267 are registered in the second block chain 293 after the second access restriction period has elapsed. 12 shows that the data 265 and 267 recorded on the fourth blockchain 297 are registered in the second blockchain 293 as an example, but the data recorded on the third blockchain 295 Of course, (265, 267) can operate to be registered in the second block chain (295).

The third block chain 295 is a block chain implemented such that only a specific user A (or a user having the first access right) is allowed access. Therefore, after the first access restriction period has elapsed, the remaining data (265, 267) is registered in the third block chain (295).

The fourth block chain 297 is a block chain implemented so that only the registrant is allowed access. Since all data 261 to 267 are registered in the fourth block chain 297 at the time of data registration, the registrant can use the controlled data regardless of the access restriction period.

In this way, according to the second utilization example, access control can be performed by access authority (or user) by delaying the registration time of some data (265, 267) by access authority (or user). . Conventionally, in order to perform access control by access authority and/or by user, there was a burden of maintaining and managing a complex type of access control list. However, according to the above-described applications, there is no need to manage a separate access control list, so access control can be efficiently performed, and complex access control functions for each user and/or access authority even in a blockchain environment. this can be provided.

Next, a third utilization example of the present invention will be described with reference to FIG. 13 .

As shown in FIG. 13, the third utilization example performs access control by access authority (or by user) in the same way as the above-mentioned second utilization example, but uses only three blockchains 301, 303, and 305. .

In the third utilization example, the first blockchain 301 is a blockchain implemented to allow access to all users, and is the same as the aforementioned second utilization example.

The second block chain 301 is a block chain implemented so that only registrants and specific users (B) (or users with second access rights) are allowed access. Accordingly, the remaining data 265 and 267 are registered in the second block chain 293 after the second access restriction period has elapsed.

The third block chain 305 is a block chain implemented so that access is allowed only to the registrant and the specific user A (or a user having the first access right). Therefore, after the first access restriction period has elapsed, the remaining data (265, 267) are registered in the third block chain (305).

In the fourth utilization example, some (265, 267) of the data generated from the control target data are directly registered in the second blockchain (303), and the remaining parts (261, 267) are registered in the third blockchain (305). registered immediately. Therefore, only registrants who can access the two blockchains 303 and 305 can use the control target data regardless of the access restriction period. In addition, users A and B cannot use the control target data until the access restriction period set for each user elapses.

So far, several utilization examples of the present invention have been described with reference to FIGS. 11 to 13 . However, it should be noted that the above-described several utilization examples are merely for providing convenience of understanding of the present invention, and the scope of the present invention is not limited by the above-described utilization examples.

According to some of the above-described utilization examples, a confidential document management system that performs access control for each user with respect to confidential documents can be easily constructed. At this time, the confidential document management system is a system that manages documents that require confidentiality for a certain period of time. In the case of a confidential document, not only the confidentiality of the document must be guaranteed during the confidentiality period, but also the integrity of the document must be guaranteed. In addition, in the case of confidential documents, different access rights may be granted to each user. According to the above-described applications, flexible access control functions can be provided for each user and/or access authority without an access control list using multiple blockchains, and the integrity of confidential documents can also be guaranteed due to the characteristics of the blockchain. can In addition, unlike DRM (digital rights management) solutions commonly used for confidential document management, since encryption is not required, the confidential document management system built according to the above-described utilization examples solves the problem of managing encryption keys and It is free from the problem of declining stability of encryption technology according to the development of computing technology.

Hereinafter, the configuration and operation of the access control device 100 for performing the access control method according to the above-described embodiments will be described with reference to FIGS. 14 and 15.

14 is a block diagram showing an access control device 100 according to an embodiment of the present invention.

Referring to FIG. 14, the access control device 100 may include a data division unit 110, a data registration unit 130, a blockchain linkage unit 140, a data request processing unit 150, and a data regeneration unit 160. can However, only components related to the embodiment of the present invention are shown in FIG. 14 . Accordingly, those skilled in the art to which the present invention pertains can know that other general-purpose components may be further included in addition to the components shown in FIG. 14 . In addition, each component of the access control device 100 shown in FIG. 14 represents functionally differentiated functional elements, and note that at least one component may be implemented in a form integrated with each other in an actual physical environment. do.

Looking at each component, the data division unit 110 divides control target data according to the division rule 120 in response to the registration request. As mentioned in some of the above embodiments, the data division unit 110 may generate a plurality of pieces of data, data keys, anti-forgery information, and the like from control target data according to the division rule 120 .

The data registration unit 130 registers the data generated by the data division unit 110 (e.g. a plurality of data pieces, data keys, anti-counterfeiting information) and the division rules used on the blockchain. The registration process may be performed through the blockchain linking unit 140.

As mentioned in some of the foregoing embodiments, the data registration unit 130 registers some data pieces on the blockchain at a first time point, and the remaining data pieces at a second time point after the set access restriction period has elapsed. Register on the chain. In this way, access control can be performed for each access authority and/or for each user by controlling when some data is registered on the blockchain. A detailed description of this will be omitted since it is the same as described above.

The blockchain interworking unit 140 performs various interworking functions such as communication between the blockchain network 200 and the access control device 100 and message conversion.

The data request processing unit 150 obtains data such as a plurality of data pieces recorded on the blockchain, a division rule, and forgery prevention information in response to a search request for control target data. For example, the data request processing unit 150 may obtain the data by inquiring the blockchain with the data key of the corresponding data to be controlled.

The data regeneration unit 160 regenerates the requested control target data from the plurality of pieces of data. For example, the data regenerating unit 160 verifies the plurality of pieces of data using the anti-forgery information, and regenerates the requested data to be controlled by combining the plurality of pieces of data in response to a determination that they are valid. The combining process may be performed using the splitting rule, and a description thereof will be omitted since it may obscure the subject matter of the present invention.

Meanwhile, according to another embodiment of the present invention, the data request processing unit 150 and the data regeneration unit 160 may be excluded from the components of the access control device 100. For example, the functions of the data request processor 150 and the data regenerator 160 may be implemented in another device that processes a data search request. Alternatively, the user terminal 300 may directly query the block chain to obtain a plurality of pieces of data, and regenerate control target data by referring to the split rule.

Each component of the access control device 100 shown in FIG. 14 may mean software or hardware such as a Field Programmable Gate Array (FPGA) or an Application-Specific Integrated Circuit (ASIC). However, the components are not limited to software or hardware, and may be configured to be in an addressable storage medium or configured to execute one or more processors. Functions provided within the components may be implemented by more subdivided components, or may be implemented as a single component that performs a specific function by combining a plurality of components.

15 is a hardware configuration diagram of a block chain-based access control device 100 according to an embodiment of the present invention.

Referring to FIG. 15, the access control device 100 includes one or more processors 101, a bus 105, a network interface 107, and a memory 103 that loads a computer program executed by the processor 101. ) and a storage 109 for storing the computer program 109a. However, only components related to the embodiment of the present invention are shown in FIG. 15 . Therefore, those skilled in the art to which the present invention pertains can know that other general-purpose components may be further included in addition to the components shown in FIG. 15 .

The processor 101 controls the overall operation of each component of the access control device 100. The processor 101 includes a central processing unit (CPU), a micro processor unit (MPU), a micro controller unit (MCU), a graphic processing unit (GPU), or any type of processor well known in the art of the present invention. It can be. Also, the processor 101 may perform an operation for at least one application or program for executing a method according to embodiments of the present invention. The access control device 100 may have one or more processors.

Memory 103 stores various data, commands and/or information. The memory 103 may load one or more programs 109a from the storage 109 in order to execute the block chain-based access control method according to embodiments of the present invention. In FIG. 15 , RAM is illustrated as an example of the memory 103 .

The bus 105 provides a communication function between components of the access control device 100. The bus 105 may be implemented in various types of buses such as an address bus, a data bus, and a control bus.

The network interface 107 supports wired and wireless Internet communication of the access control device 100 . In addition, the network interface 107 may support various communication methods other than Internet communication. To this end, the network interface 107 may include a communication module well known in the art.

The storage 109 may non-temporarily store the one or more programs 109a.

The storage 109 may be a non-volatile memory such as read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, or the like, a hard disk, a removable disk, or a device well known in the art. It may be configured to include any known type of computer-readable recording medium.

The computer program 109a includes a series of instructions that are loaded into the memory 103 and cause one or more processors 101 to execute the aforementioned blockchain-based access control method according to some embodiments of the present invention. can do. That is, the computer program 109a may include instructions that cause the access control device 100 to perform operations corresponding to each step of the blockchain-based access control method according to some embodiments of the present invention described above. .

For a first example, the computer program 109a generates a first data fragment and a second data fragment based on control object data given an access restriction period, and records the first data fragment on a first blockchain. and, after the access restriction period has elapsed, instructions for performing an operation to process the second data piece to be recorded on the first block chain.

For a second example, the computer program 109a performs an operation of recording control object data for which an access restriction period is given on the first block chain, and after the access restriction period has elapsed, the control object data is stored on the second block chain. It may include instructions to perform an operation to process to be recorded in .

In addition, the computer program 109a may include instructions for performing operations according to some of the embodiments described above.

So far, with reference to FIGS. 2 to 15 , several embodiments of the present invention have been described and effects according to the embodiments have been described. The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

The concept of the present invention described with reference to FIGS. 2 to 15 so far can be implemented as computer readable code on a computer readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray disc, USB storage device, removable hard disk) or a fixed recording medium (ROM, RAM, computer-equipped hard disk). can The computer program recorded on the computer-readable recording medium may be transmitted to another computing device through a network such as the Internet, installed in the other computing device, and thus used in the other computing device.

In the above, even though all the components constituting the embodiment of the present invention have been described as being combined or operated as one, the present invention is not necessarily limited to these embodiments. That is, within the scope of the object of the present invention, all of the components may be selectively combined with one or more to operate.

Although actions are shown in a particular order in the drawings, it should not be understood that the actions must be performed in the specific order shown or in a sequential order, or that all shown actions must be performed to obtain a desired result. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of the various components in the embodiments described above should not be understood as requiring such separation, and the described program components and systems may generally be integrated together into a single software product or packaged into multiple software products. It should be understood that there is

Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art to which the present invention pertains can be implemented in other specific forms without changing the technical spirit or essential features of the present invention. can understand that Therefore, the embodiments described above should be understood as illustrative in all respects and not limiting. The protection scope of the present invention should be construed according to the claims below, and all technical ideas within the equivalent range should be construed as being included in the scope of the present invention.

Claims (20)

processor;
network interface;
Memory; and
At least one program loaded into the memory and executed by the processor,
The at least one program,
An operation of generating a first data piece and a second data piece based on the controlled data given the access restriction period;
Recording the first piece of data on a first blockchain; and
After the access restriction period has elapsed, instructions for performing an operation of processing the second data piece to be recorded on the first blockchain,
The control target data can be regenerated based on the first data piece and the second data piece,
The first data piece and the second data piece,
It is matched to the identification value and recorded on the first block chain, and can be inquired through the identification value.
Blockchain-based access control device. According to claim 1,
The operation of generating the first data piece and the second data piece,
Generating the first data piece and the second data piece according to a preset rule;
The operation of processing to be recorded on the first blockchain,
Characterized in that it comprises an operation of processing the second data piece and the preset rule to be recorded on the first blockchain,
Blockchain-based access control device. According to claim 1,
The operation of generating the first data piece and the second data piece,
Including generating the first data piece and the second data piece according to a preset rule,
Characterized in that the predetermined rule is determined based on the importance of the control target data,
Blockchain-based access control device. According to claim 1,
The operation of generating the first data piece and the second data piece,
compressing the control target data; and
Characterized in that it comprises an operation of generating the first data piece and the second data piece based on the compressed control target data,
Blockchain-based access control device. According to claim 1,
The at least one program,
An operation of generating anti-forgery information for the control target data; and
Characterized in that it further comprises instructions for performing an operation of recording the forgery prevention information on the first blockchain,
Blockchain-based access control device. According to claim 5,
The forgery prevention information,
Characterized in that it comprises first information for preventing forgery and alteration of the first data piece and second information for preventing forgery and alteration of the second data piece.
Blockchain-based access control device. According to claim 6,
The forgery prevention information is composed of a merkle tree,
Characterized in that the first information and the second information correspond to lower nodes of the Merkle tree.
Blockchain-based access control device. According to claim 1,
The operation of processing to be recorded on the first blockchain,
An operation of determining whether the access restriction period has elapsed and
In response to a progress determination, characterized in that it comprises an operation of recording the second piece of data on the first block chain,
Blockchain-based access control device. According to claim 1,
The operation of processing to be recorded on the first blockchain,
Recording the second data piece on a second blockchain; and
Including the operation of registering a smart contract executed in response to the elapsed determination of the access restriction period on the second blockchain,
The smart contract,
Characterized in that it comprises a routine for processing the second data piece recorded on the second blockchain to be recorded on the first blockchain,
Blockchain-based access control device. According to claim 9,
The second block chain is implemented so that only users with specific access rights are allowed access,
Characterized in that the first block chain is implemented to allow access of a user without the specific access right,
Blockchain-based access control device. delete According to claim 1,
The at least one program,
Receiving a search request for the control target data together with the identification value after the access restriction period has passed;
In response to the query request, an operation of querying data recorded on the first blockchain with the identification value and obtaining the first data fragment and the second data fragment as a result of the inquiry;
regenerating the control target data based on the first data piece and the second data piece; and
Characterized in that it further comprises instructions for performing an operation of providing the regenerated control target data,
Blockchain-based access control device. processor;
network interface;
Memory; and
At least one program loaded into the memory and executed by the processor,
The at least one program,
An operation of recording control target data given an access restriction period on the first blockchain, and
After the access restriction period has passed, instructions for performing an operation of processing the data to be controlled are recorded on a second blockchain,
The first block chain is implemented to allow access only to users who have access to the control target data,
The second block chain is implemented to allow the user's access to the recorded data regardless of the access restriction period of the recorded data,
Blockchain-based access control device. delete According to claim 13,
The first blockchain is implemented in a private blockchain network,
Characterized in that the second blockchain is implemented in a public blockchain network,
Blockchain-based access control device. According to claim 13,
The first blockchain corresponds to a first channel operated in a multi-channel based blockchain network,
Characterized in that the second blockchain corresponds to the second channel operated in the blockchain network,
Blockchain-based access control device. According to claim 13,
The operation of processing to be recorded on the second blockchain,
An operation of determining whether the access restriction period has elapsed and
Characterized in that, in response to the progress determination, an operation of recording the control subject data on the second blockchain,
Blockchain-based access control device. According to claim 13,
The operation of processing to be recorded on the second blockchain,
Including the operation of registering a smart contract executed in response to the elapsed determination of the access restriction period on the first blockchain,
The smart contract,
Characterized in that it comprises a routine for processing the control target data recorded on the first blockchain to be recorded on the second blockchain,
Blockchain-based access control device. According to claim 13,
The control subject data includes the first data piece among first data pieces and second data pieces generated based on original control subject data;
The at least one program,
Further comprising instructions for performing an operation of recording the second data piece on the second blockchain before the access restriction period passes,
Characterized in that the original data to be controlled is regenerable based on the first data piece and the second data piece,
Blockchain-based access control device. According to claim 19,
The first data piece and the second data piece are generated according to a preset rule,
Characterized in that the preset rule is recorded on the second blockchain,
Blockchain-based access control device.

Images