WO2019136959A1 - Data processing device and method, computer device and storage medium - Google Patents

Data processing device and method, computer device and storage medium

Publication number
WO2019136959A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
distributed system
data
key
written
Application number
PCT/CN2018/096760
Inventor
张宇
宦鹏飞
谢丹力
王梦寒
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2019136959A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/303 Terminal profiles

Definitions

  • The present application relates to a data processing method, apparatus, computer device, and storage medium.
  • A distributed database is a database to which multiple organizations write data.
  • Nodes that join a distributed system provide a read/write interface.
  • In existing distributed systems, the reading and writing of data is initiated and controlled by the organization that interfaces with the distributed system. The interfacing organization initiates a request to store data in the distributed system, and the write interface provided by the distributed system writes the data to the distributed system and synchronizes it to the other nodes in the distributed system. The accessing organization uses the read interface provided by the distributed system to read the data from the distributed system and use it.
  • The inventors realized that all data to be stored in a distributed system must pass through the read/write interface provided by the distributed system, which causes problems such as concentration of permissions and performance bottlenecks. In addition, once this read/write interface fails, there is a risk that data cannot be written to the distributed system. When the amount of data to be written is large, there are also problems such as data write delay and loss.
  • A data processing method, apparatus, computer device, and storage medium are provided.
  • A data processing method comprising:
  • A data processing device comprising:
  • a key obtaining module configured to obtain a first temporary session key by exchanging with a distributed system, through a pre-configured interface, according to a key exchange protocol;
  • an encryption module configured to encrypt data to be written by using the first temporary session key; and
  • a writing module configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • A computer device comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • One or more non-transitory computer-readable storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • FIG. 1 is an application scenario diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 2 is a flow diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 3 is a flow diagram of pre-configured steps in accordance with one or more embodiments.
  • FIG. 4 is a timing diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 5 is a block diagram of a data processing apparatus in accordance with one or more embodiments.
  • FIG. 6 is a block diagram of a computer device in accordance with one or more embodiments.
  • The data processing method provided by the present application can be applied to the application environment shown in FIG. 1.
  • The terminal connects to the distributed system through the network.
  • By configuring the terminal in advance, the distributed system assigns the read and write permissions of the read/write nodes originally deployed in the distributed system to the terminal, so that the data to be written can be uploaded to any node of the distributed system through the terminal. For example, the terminal is configured by using a configuration file, which may be an integrated SDK (Software Development Kit), and a security module is formed on the terminal by configuring an interface of the terminal, and the security module is distributed.
  • The terminal obtains the first temporary session key by using the security module to exchange with the distributed system according to the key exchange protocol, encrypts the data to be written by using the first temporary session key, and sends the encrypted data to be written to the distributed system through the pre-configured interface, thereby writing the data. Similarly, to read data, the security module may send a data read request to the distributed system and then receive, through the pre-configured interface, the data to be read that the distributed system returns after encrypting it with the second temporary session key; the encrypted data to be read is decrypted with the first temporary session key to obtain the second plaintext.
  • Terminal 102 can be, but is not limited to, a variety of personal computers, notebook computers, smart phones, tablets, and portable wearable devices.
  • A data processing method is provided. Taking its application to the terminal in FIG. 1 as an example, it includes the following steps:
  • S202: Obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface.
  • The distributed system may be a blockchain or another distributed system, and is not specifically limited herein.
  • The pre-configured interface is obtained by the terminal by registering with the distributed system.
  • The terminal sends a registration request to the distributed system, and the distributed system determines whether the terminal is a secure terminal. If it is, the terminal may be authorized, for example by sending a corresponding configuration file to configure the target interface of the terminal. That is, pre-configuration places the read and write permissions of the read/write nodes originally deployed in the distributed system on the terminal, so that the data to be uploaded can be uploaded to any node of the distributed system after being processed by the terminal, and the distributed system no longer needs to deploy a large number of read/write nodes, which can greatly reduce the cost.
  • The deployment process may take the form of forming a security module in the terminal. For example, after the configured SDK is downloaded to the terminal, loaded and run, the SDK uniformly manages the interface for interacting with the distributed system.
  • Different temporary session keys may be used for different types of data. For example, the temporary session key for each interaction between a terminal and the distributed system may be different, so that even if criminals obtain a temporary session key, they cannot predict the key of the next data interaction and therefore cannot obtain the data plaintext.
  • The shared curve parameters may be stored in the terminal and the authorized terminal. For example, the first shared curve parameter is stored in the first terminal, the second shared curve parameter is stored in the second terminal, and all the shared curve parameters are stored in the distributed system. Each shared curve parameter includes an elliptic curve E, an order N, and a base point G.
  • Obtaining the first temporary session key by exchanging with the distributed system according to the key exchange protocol through the pre-configured interface may include: sending a key exchange request to the distributed system through the pre-configured interface; receiving a first key returned by the distributed system according to the key exchange request; and generating the first temporary session key according to the first key. The second temporary session key is obtained as follows: the terminal generates a second random number, generates a second key according to the second random number, and transmits the second key to the distributed system, and the distributed system generates the second temporary session key according to the second key and the first random number generated by the distributed system.
  • A can be transmitted publicly, that is, an attacker can obtain A. Because the elliptic curve discrete logarithm problem is hard, the attacker cannot calculate a from A and G. Therefore, the two parties to the exchange can negotiate a key without sharing any secret, thereby ensuring the security of the data to be written.
  • S204: Encrypt the data to be written with the first temporary session key.
  • The terminal may encrypt the data to be written by using the first temporary session key, thereby ensuring the security of the data to be written. Further, so that the distributed system knows which terminal sent the data to be written, the terminal identifier and the encrypted data to be written are sent together to the distributed system. The terminal identifier uniquely determines the terminal and may be, for example, the MAC address of the terminal.
  • S206: Send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using the second temporary session key to obtain the first plaintext; the second temporary session key corresponds to the first temporary session key.
  • The encrypted data to be written is sent to the distributed system through the pre-configured interface. After receiving the encrypted data to be written, the distributed system can obtain the previously calculated second temporary session key and decrypt the encrypted data to be written with it to obtain the data plaintext.
  • The distributed system first obtains the calculated second temporary session key according to the terminal identifier. For example, when the distributed system calculates the second temporary session key, it first stores the second temporary session key in association with the corresponding terminal identifier, so that it can later obtain the calculated second temporary session key according to the terminal identifier and then decrypt the encrypted data to be uploaded with the second temporary session key to obtain the first plaintext.
  • The data may then be encrypted and stored according to the data encryption method of the distributed system, to ensure the security of the data on the distributed system.
  • The above data processing method pre-configures the interface in the authorization center, so that no ingress node of the distributed system needs to be deployed, which greatly saves deployment cost. By configuring the interface on the authorized terminal, the data sources of the distributed system become richer and access becomes simpler and more convenient. This greatly relieves the pressure on the access nodes of the distributed system and avoids the problem of all data being written through one access node.
  • Step S204 further comprises: signing the encrypted data to be written with the pre-deployed terminal private key.
  • Step S206, that is, sending the encrypted data to be written to the distributed system through the pre-configured interface so that the distributed system decrypts it with the second temporary session key to obtain the first plaintext, may then include: sending, through the pre-configured interface, the encrypted and signed data to be written to the distributed system, so that the distributed system, after successfully verifying the signature of the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext. The terminal public key corresponds to the terminal private key.
  • The public and private keys of the terminal may be pre-deployed. That is, the data sent by the terminal to the distributed system is signed with the terminal private key, so that the distributed system can verify it with the corresponding terminal public key, which further ensures the security of data transmission.
  • The pre-deployed terminal public/private key pair may be generated by the terminal. That is, when the terminal registers, the public key generated by the terminal is submitted to the distributed system, the certificate authority of the distributed system signs the terminal public key, the signed key is stored on the distributed system, and an authorization certificate is returned to the terminal to indicate that the terminal is successfully registered.
  • Alternatively, the public and private keys of the terminal may be generated in the distributed system. That is, the distributed system generates the public and private keys of the terminal based on the terminal information and then returns the terminal private key to the terminal. To ensure the security of the terminal private key, this process may be performed offline.
  • The encrypted data to be written may be further signed with the pre-deployed terminal private key, and the encrypted and signed data to be written is sent to the distributed system together with the identifier of the terminal.
  • The distributed system may first obtain the terminal public key according to the identifier of the terminal and use it to verify the encrypted and signed data to be written. Only after verification succeeds is the encrypted data to be written decrypted with the second temporary session key to obtain the first plaintext. Otherwise, data to be written that fails verification is deleted directly, to ensure that the data uploaded to the distributed system is all secure data.
  • In the step of obtaining the terminal public key, the terminal public key may have been signed with the certificate of the distributed system, so that the signed terminal public key can be checked and verified with the private key corresponding to the distributed system certificate.
  • Different session keys can be used for encryption and for digital signatures, so that each key serves one purpose.
  • Double-layer signing can also be performed. For example, after signing with the terminal private key, the terminal signs again with the distributed system public key, so that after the distributed system receives the data, it first verifies it with the private key corresponding to the distributed system public key. After that verification succeeds, the terminal public key is used for verification, and finally the second temporary session key is used for decryption, to further ensure data security.
  • The distributed system performs signature verification on the data sent by the terminal, confirms the authorization of the terminal, and ensures that the data was actually sent by the terminal and has not been tampered with, thereby ensuring the validity and authenticity of the data on the distributed system.
  • This effectively solves the security problem of uploading data in a system in which multiple terminals access a distributed system. After obtaining the data, an authorized reader of the data can obtain the certificate of an authorized terminal through the distributed system and verify the authenticity of the data, which solves the trust problem of the authorized organization.
  • The data processing method may further include a data reading step, which may include: receiving, through the pre-configured interface, the data to be read that the distributed system returns after encrypting it with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The foregoing embodiment mainly relates to uploading the terminal's data to the distributed system. This embodiment mainly relates to the terminal reading data from the distributed system. The terminal may first send a data read request, carrying a terminal identifier, to the distributed system, and the distributed system then performs key exchange with the terminal according to the key exchange protocol to obtain a second temporary session key and a first temporary session key. For the specific manner of obtaining the first temporary session key and the second temporary session key, refer to the foregoing; no further details are provided herein.
  • The distributed system encrypts the data to be read with the acquired second temporary session key and sends the encrypted data to be read to the corresponding terminal, so that the terminal can decrypt the data to be read with the first temporary session key to obtain a second plaintext, which can then be processed.
  • The interface is configured in the authorization center in advance, and no ingress node deployed in the distributed system is used, which greatly saves deployment cost. By configuring the interface on the authorized terminal, the data sources of the distributed system become richer and access becomes simpler and more convenient. This greatly relieves the pressure on the access nodes of the distributed system and avoids the problem of all data being written through one access node.
  • Each terminal uses a unique identifier for the same data, which avoids duplication of incoming data.
  • Access through multiple channels is realized, thereby realizing data sharing.
  • The entrances are independent of one another, and downtime at one entrance does not affect the work of the other entrances.
  • The step of receiving, through the pre-configured interface, the data to be read that the distributed system returns after encrypting it with the second temporary session key may include: receiving, through the pre-configured interface, data to be read that the distributed system returns after signing it with the terminal public key and encrypting it with the second temporary session key. Therefore, before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method further includes: verifying, with the terminal private key, the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The public key and the private key of the terminal may be configured in the pre-configuration phase, with the terminal public key stored on the distributed system, so that when the terminal reads data from the distributed system, the distributed system may first encrypt the data to be read with the temporary session key and then sign the data to be read with the terminal public key, to further ensure the security of the data to be read.
  • After the terminal receives the data to be read, the terminal obtains the terminal private key and verifies the encrypted and signed data to be read. After verification succeeds, the data to be read is decrypted with the first temporary session key to obtain a second plaintext, on which other processing can then be performed.
  • Different session keys can be used for encryption and for digital signatures, so that each key serves one purpose.
  • Double-layer signing can also be performed. For example, after signing with the terminal public key, the distributed system can sign again with the distributed system private key, so that after the terminal receives the data, it first verifies it with the distributed system public key. After that verification succeeds, the terminal private key is used for verification, and finally the first temporary session key is used for decryption, thereby further ensuring data security.
  • The accessing terminal saves deployment cost because no ingress node of the distributed system needs to be deployed, and differentiated interface configurations can be provided for different terminals, so that the access modes are richer.
  • The data sources in the distributed system become richer, access is simpler and more convenient, and the pressure on the access server of the distributed system is greatly alleviated.
  • The problem of all data being written through one access port is avoided.
  • Organizations and enterprises use unique identifiers for the same data, which avoids duplication of incoming data.
  • Access through multiple channels is realized, thereby realizing data sharing.
  • The entrances are independent of one another, and downtime at one entrance does not affect the work of the other entrances.
  • The data processing method may further include a pre-configuration step for delegating the read and write permissions originally deployed in the read/write nodes of the distributed system down to the terminal, so that data can be uploaded directly to the distributed system after being processed by the terminal, and the terminal can obtain data directly from the distributed system. The accessing terminal saves deployment cost because no ingress node of the distributed system needs to be deployed.
  • FIG. 3 is a flowchart of a pre-configuration step in an embodiment, where the pre-configuration step may include:
  • S302: Send a registration request to the distributed system, where the registration request carries a registration type and a terminal identifier.
  • If the terminal wants to exchange data directly with the distributed system, it needs to acquire the authorization of the distributed system, so the terminal sends a registration request to the distributed system. The registration request carries the terminal identifier, which uniquely characterizes the terminal, and the registration type, because some terminals are data storage type terminals and some are accounting type terminals. The configuration files differ for different terminals, and different interface configurations can be provided for different authorized terminals, which makes the access methods richer.
  • The distributed system may first determine the terminal according to the terminal identifier and then determine whether the terminal is a secure terminal. For example, the distributed system may pre-store the identifiers of secure terminals; when a registration request is received, the terminal identifier may be compared with the pre-stored identifiers of secure terminals. Only if the comparison succeeds is the corresponding configuration file obtained according to the terminal identifier and the registration type.
  • S304: Receive a configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • The step of obtaining the corresponding configuration file according to the terminal identifier and the registration type may include obtaining the corresponding configuration file according to the registration type in the registration request and then filling in the related information of the terminal, such as the terminal identifier, in the configuration file.
  • The registration type may include a data storage type and an accounting type.
  • The interfaces initialized in the configuration file include interfaces for data encryption, decryption, data ID obfuscation, and distributed system database query; the accounting type needs to provide interfaces related to accounting reconciliation, such as homomorphic encryption and ring signature.
  • The configuration file can then be sent to the corresponding terminal. To ensure the security of the configuration file and prevent it from being obtained by criminals during online transmission, the configuration file can be sent to the corresponding terminal by offline transmission.
  • The terminal configures itself according to the content of the configuration file.
  • The configuration file not only grants access rights to the authorized terminal but also includes other functions, such as encryption and decryption and private key/certificate management. It is equivalent to a pre-written SDK module that is loaded and run locally after being downloaded by the terminal; the authorized terminal in effect calls the SDK, and the SDK accesses the read/write nodes of the distributed system.
  • Because these functions are relatively complex, they can be provided as a security module. Configuration can then be understood as configuring the security module, so that subsequent data upload and data reading are all handled uniformly by the security module.
  • The read/write permission originally deployed in the read/write nodes of the distributed system is placed on the terminal, so that data can be uploaded directly to the distributed system after being processed by the terminal, and the terminal can obtain data directly from the distributed system.
  • The accessing terminal does not need to deploy an ingress node of the distributed system, which greatly saves deployment cost.
  • The pre-configuration step may further include a terminal public-private key generation step, which can be implemented in two manners. In the first, the terminal generates the public-private key pair and submits the public key to the certificate authority of the distributed system when registering. The certificate authority signs the terminal public key and stores the signed terminal public key in the distributed system in association with the terminal identifier, so that when the distributed system receives data signed with the terminal private key, it can verify the signature with the terminal public key.
  • In the second, the terminal submits the terminal information to the distributed system, and the distributed system generates the terminal's public and private keys according to the terminal information and returns the generated terminal private key to the terminal. Optionally, the terminal private key is returned to the terminal offline to keep the terminal private key secure.
  • The first manner may include: the terminal acquires terminal information, generates a terminal public key and a corresponding terminal private key according to the terminal information, and sends the terminal public key to the distributed system.
  • The terminal information may include a terminal identifier and user information, such as an account number and a password. The terminal public key may be generated from the terminal information with an open source tool, or the terminal information may be sent to an authoritative certificate authority, which generates the terminal public key according to the terminal information and sends it to the terminal. The terminal uploads the generated terminal public key to the distributed system, so that the distributed system can verify with the terminal public key when it receives data signed with the terminal private key.
  • The step of receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type includes: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • After the distributed system receives the terminal public key uploaded by the terminal, the certificate authority on the distributed system signs the terminal public key and it is stored in the distributed system, which prevents the terminal public key from being obtained by unauthorized parties. After storage is complete, the authorization certificate, that is, the configuration file generated according to the terminal identifier and the registration type, is issued to the terminal.
  • In the second manner, the terminal acquires the terminal information and sends it to the distributed system, and the distributed system generates the corresponding terminal public key according to the terminal information, where the terminal information may include the terminal identifier and the user information.
  • The distributed system generates the terminal's public key through its certificate authority according to the terminal information, sends the terminal private key to the terminal for storage, and stores the terminal public key in the distributed system in association with the terminal identifier, so that the distributed system can verify with the terminal public key when it receives data signed with the terminal private key.
  • The terminal receives the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system; both keys are generated by the distributed system, through the certificate authority, according to the terminal information.
  • The pre-configuration step may thus also generate the terminal's public and private keys, so that when the terminal and the distributed system transmit data, the data is not only encrypted with the temporary session key but also signed using the terminal public key, further improving data security.
  • FIG. 4 is a sequence diagram of a data processing method in an embodiment. In this embodiment a terminal uploads data to a distributed system, the terminal's public-private key pair is generated by the terminal, and the distributed system is a blockchain.
  • First, the terminal acquires the terminal information and generates the terminal public and private keys according to it. Second, the terminal sends a registration request to the blockchain; the registration request carries the registration type, the terminal identifier, and the generated terminal public key. Third, after receiving the registration request, the blockchain signs the terminal public key through its certificate authority, stores it on the blockchain, and generates a corresponding configuration file according to the registration type and the terminal identifier. Fourth, the blockchain delivers the configuration file to the terminal; this step can be performed offline. Fifth, the terminal configures itself according to the configuration file, for example by forming a corresponding security module.
  • Sixth, the terminal can obtain the authorization certificate from the blockchain, which means the data can be encrypted to ensure data security. Seventh, the terminal, through the security module, exchanges with the blockchain according to the key exchange protocol to obtain a temporary session key. Eighth, the data to be uploaded is encrypted with the temporary session key and signed with the terminal private key. Ninth, and finally, the encrypted and signed data is sent to the blockchain through the security module.
  • The blockchain can obtain the terminal public key according to the terminal identifier and use it to verify the encrypted and signed data. After successful verification, the encrypted data is decrypted with the temporary session key obtained from the key exchange to recover the plaintext. After obtaining the plaintext, the blockchain can, as needed, encrypt the data with its own public and private keys and store it on the blockchain, to keep the data on the blockchain secure.
  • The above data processing method pre-configures the interface in the authorization center and does not need an ingress node of the blockchain to be deployed, which greatly reduces deployment cost. By configuring the interface on authorized terminals, the data sources of the blockchain become richer and access becomes simpler and more convenient. It also greatly relieves the pressure on the blockchain's ingress node and avoids the problem of data being written by an access node.
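The upload path of FIG. 4 (key exchange, encrypt with the temporary session key, sign with the terminal private key, look up the terminal public key by terminal identifier, verify, then decrypt), as an added Go example that is not code from the patent. The patent names no algorithms, so X25519, SHA-256 key derivation, AES-256-GCM and Ed25519 are assumptions, as are all function names and the sample terminal identifier; certificate-authority signing of the stored public key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the encrypted-and-signed upload built by the terminal.
type Envelope struct {
	TerminalID string
	Sealed     []byte // nonce || AES-256-GCM ciphertext and tag
	Signature  []byte // Ed25519 over TerminalID || 0x00 || Sealed
}

// Registry stands in for the system's store of terminal public keys by identifier.
type Registry map[string]ed25519.PublicKey

var ErrUnknownTerminal = errors.New("unknown terminal identifier")
var ErrBadSignature = errors.New("signature check failed")

// sessionAEAD keys AES-256-GCM from one side's X25519 result. SHA-256 is a
// simplified KDF chosen for this example; production code would use HKDF.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("temporary-session-key"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake runs one ephemeral exchange and returns each side's session cipher.
func Handshake() (terminal, system cipher.AEAD, err error) {
	t, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	s, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	terminal, err1 = sessionAEAD(t, s.PublicKey())
	system, err2 = sessionAEAD(s, t.PublicKey())
	return terminal, system, errors.Join(err1, err2)
}

// signedBytes is the exact byte string covered by the terminal's signature.
func signedBytes(e *Envelope) []byte {
	return append(append([]byte(e.TerminalID), 0), e.Sealed...)
}

// Seal encrypts with the session key, then signs with the terminal private key.
func Seal(id string, aead cipher.AEAD, signer ed25519.PrivateKey, plaintext []byte) (*Envelope, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := &Envelope{TerminalID: id, Sealed: aead.Seal(nonce, nonce, plaintext, []byte(id))}
	e.Signature = ed25519.Sign(signer, signedBytes(e))
	return e, nil
}

// Open checks the signature with the stored public key, and only then decrypts.
func Open(reg Registry, aead cipher.AEAD, e *Envelope) ([]byte, error) {
	pub, ok := reg[e.TerminalID]
	if !ok {
		return nil, ErrUnknownTerminal
	}
	if !ed25519.Verify(pub, signedBytes(e), e.Signature) {
		return nil, ErrBadSignature
	}
	n := aead.NonceSize()
	if len(e.Sealed) < n {
		return nil, errors.New("truncated envelope")
	}
	return aead.Open(nil, e.Sealed[:n], e.Sealed[n:], []byte(e.TerminalID))
}

func main() {
	pub, priv, err1 := ed25519.GenerateKey(rand.Reader) // terminal-generated key pair
	tAEAD, sAEAD, err2 := Handshake()
	if err := errors.Join(err1, err2); err != nil {
		panic(err)
	}
	reg := Registry{"terminal-001": pub} // constructed terminal identifier
	env, err := Seal("terminal-001", tAEAD, priv, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(reg, sAEAD, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The key exchange in this sketch is unauthenticated; what binds an upload to a registered terminal is the signature checked in `Open`, which is why that check runs before any decryption.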
  • Although the steps in FIGS. 2-4 are displayed sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Except as explicitly stated herein, the execution order of these steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in FIGS. 2-4 may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be executed at different times. The order of execution of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps, or with at least a portion of the sub-steps or stages of other steps.
  • A data processing apparatus is provided, including a key acquisition module 100, an encryption module 200, and a write module 300, wherein:
  • The key acquisition module 100 is configured to obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface.
  • The encryption module 200 is configured to encrypt the data to be written with the first temporary session key.
  • The write module 300 is configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key. The second temporary session key corresponds to the first temporary session key.
  • The apparatus may further include:
  • A signing module, configured to sign the encrypted data to be written with the pre-deployed terminal private key after the data to be written has been encrypted with the first temporary session key.
  • The write module 300 is further configured to send the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext. The terminal public key corresponds to the terminal private key.
  • The apparatus may further include:
  • A reading module, configured to receive, through the pre-configured interface, the data to be read that is returned by the distributed system encrypted with the second temporary session key.
  • A decryption module, configured to decrypt the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The reading module is further configured to receive, through the pre-configured interface, the data to be read that is returned by the distributed system signed and encrypted with the terminal public key and the second temporary session key.
  • The apparatus may further include a verification module, configured to: after the encrypted data to be read is decrypted with the first temporary session key to obtain the second plaintext, verify with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The apparatus may further include:
  • A sending module, configured to send a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier.
  • A receiving module, configured to receive a configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • A configuration module, configured to perform configuration according to the configuration file.
  • The apparatus may further include:
  • A first public-private key generating module, configured to acquire terminal information and generate, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key.
  • The sending module is further configured to send the terminal public key to the distributed system.
  • The receiving module is further configured to receive the configuration file generated by the distributed system according to the terminal identifier and the registration type after the distributed system has successfully signed the terminal public key through the certificate authority.
  • The sending module is further configured to acquire terminal information and send the terminal information to the distributed system.
  • The receiving module is further configured to receive the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system, through the certificate authority, according to the terminal information.
  • The various modules in the data processing apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. Each of the above modules may be embedded in, or independent of, the processor in the computer device in hardware form, or may be stored in a memory of the computer device in software form, so that the processor can call them to perform the operations corresponding to the modules.
  • A computer device is provided, which may be a terminal; its internal structure may be as shown in FIG. 6.
  • The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus.
  • The processor of the computer device provides computing and control capabilities.
  • The memory of the computer device includes a non-volatile storage medium and an internal memory.
  • The non-volatile storage medium stores an operating system and computer readable instructions.
  • The internal memory provides an environment for running the operating system and the computer readable instructions stored in the non-volatile storage medium.
  • The network interface of the computer device is used to communicate with an external terminal via a network connection.
  • The computer readable instructions, when executed by the processor, implement a data processing method.
  • The display screen of the computer device may be a liquid crystal display or an electronic ink display. The input device of the computer device may be a touch layer covering the display screen, a button, trackball or touchpad provided on the casing of the computer device, or an external keyboard, trackpad or mouse.
  • FIG. 6 is only a block diagram of the part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied. A specific computer device may include more or fewer components than shown in the figure, combine some components, or have a different component arrangement.
  • A computer device is provided, comprising a memory and one or more processors, the memory storing computer readable instructions that, when executed by a processor, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • The method may further include: signing the encrypted data to be written with the pre-deployed terminal private key. The step, implemented when the processor executes the computer readable instructions, of sending the encrypted data to be written to the distributed system through the pre-configured interface so that the distributed system decrypts it with the second temporary session key to obtain the first plaintext may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  • The processor, when executing the computer readable instructions, further implements the steps of: receiving, through the pre-configured interface, the data to be read that is returned by the distributed system encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The step, implemented when the processor executes the computer readable instructions, of receiving through the pre-configured interface the data to be read that is returned by the distributed system encrypted with the second temporary session key may include: receiving, through the pre-configured interface, the data to be read that is returned by the distributed system signed and encrypted with the terminal public key and the second temporary session key. Before the step, implemented when the processor executes the computer readable instructions, of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method further includes: verifying with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The processor, when executing the computer readable instructions, further implements the steps of: sending a registration request to the distributed system, the registration request carrying the registration type and the terminal identifier; receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
  • The processor further implements the steps of: acquiring terminal information, and generating a terminal public key and a terminal private key corresponding to the terminal public key according to the terminal information; and sending the terminal public key to the distributed system. The step, implemented when the processor executes the computer readable instructions, of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • The processor, when executing the computer readable instructions, further implements the steps of: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system, through the certificate authority, according to the terminal information.
  • One or more non-transitory computer readable storage media are provided, storing computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • The method may further include: signing the encrypted data to be written with the pre-deployed terminal private key. The step, implemented when the computer readable instructions are executed by the processor, of sending the encrypted data to be written to the distributed system through the pre-configured interface so that the distributed system decrypts it with the second temporary session key to obtain the first plaintext may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after verifying the received data with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  • The computer readable instructions, when executed by the processor, further implement the steps of: receiving, through the pre-configured interface, the data to be read that is returned by the distributed system encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The step, implemented when the computer readable instructions are executed by the processor, of receiving through the pre-configured interface the data to be read that is returned by the distributed system encrypted with the second temporary session key may include: receiving, through the pre-configured interface, the data to be read that is returned by the distributed system signed and encrypted with the terminal public key and the second temporary session key. Before the step, implemented when the computer readable instructions are executed by the processor, of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method may further include: verifying with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The computer readable instructions, when executed by the processor, further implement the steps of: sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier; receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
  • The computer readable instructions, when executed by the processor, further implement the steps of: acquiring terminal information, and generating a terminal public key and a terminal private key corresponding to the terminal public key according to the terminal information; and sending the terminal public key to the distributed system. The step, implemented when the computer readable instructions are executed by the processor, of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • The computer readable instructions, when executed by the processor, further implement the steps of: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system, through the certificate authority, according to the terminal information.
  • Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • RAM is available in a variety of formats, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).

Abstract

The invention relates to a data processing method comprising: acquiring a first temporary session key by means of a pre-configured interface, according to a key exchange protocol and an exchange with a distributed system; encrypting data to be written by means of the first temporary session key; and sending the encrypted data to be written to a distributed system by means of the pre-configured interface, which allows the distributed system to decrypt the encrypted data to be written by means of a second temporary session key so as to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
PCT/CN2018/096760 2018-01-12 2018-07-24 Data processing device and method, computer device, and storage medium WO2019136959A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810030994.XA CN108322451B (zh) 2018-01-12 2018-01-12 Data processing method, apparatus, computer device, and storage medium
CN201810030994.X 2018-01-12

Publications (1)

Publication Number Publication Date
WO2019136959A1 true WO2019136959A1 (fr) 2019-07-18

Family

ID=62894319

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096760 WO2019136959A1 (fr) 2018-01-12 2018-07-24 Data processing device and method, computer device, and storage medium

Country Status (2)

Country Link
CN (1) CN108322451B (fr)
WO (1) WO2019136959A1 (fr)

Also Published As

Publication number Publication date
CN108322451B (zh) 2020-09-22
CN108322451A (zh) 2018-07-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18900320

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/11/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18900320

Country of ref document: EP

Kind code of ref document: A1