WO2020062667A1 - Procédé de gestion d'actifs de données, dispositif de gestion d'actifs de données et support lisible par ordinateur - Google Patents

Procédé de gestion d'actifs de données, dispositif de gestion d'actifs de données et support lisible par ordinateur Download PDF

Info

Publication number
WO2020062667A1
WO2020062667A1 PCT/CN2018/123516 CN2018123516W WO2020062667A1 WO 2020062667 A1 WO2020062667 A1 WO 2020062667A1 CN 2018123516 W CN2018123516 W CN 2018123516W WO 2020062667 A1 WO2020062667 A1 WO 2020062667A1
Authority
WO
WIPO (PCT)
Prior art keywords
data asset
identity
user
encrypted
information
Prior art date
Application number
PCT/CN2018/123516
Other languages
English (en)
Chinese (zh)
Inventor
褚秋实
左龙龙
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020062667A1 publication Critical patent/WO2020062667A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Definitions

  • the present application relates to the field of blockchain technology, and in particular, to a data asset management method, a data asset management device, and a computer-readable medium.
  • the embodiments of the present application provide a data asset management method, which can quickly collect private data assets scattered in various systems and enable users to effectively control and manage their own private data assets.
  • an embodiment of the present application provides a data asset management method.
  • the method includes:
  • the system node receives a data asset extraction request, where the data asset extraction request includes first encrypted identity information and a first user address identifier;
  • the system node obtains first identity mapping information corresponding to the first user address identifier from the alliance chain ledger, and the first identity mapping information includes a first user address identifier, a first public key, and a first identity fingerprint. ;
  • the system node After the system node authenticates the first user using the first identity fingerprint and the first encrypted identity information, the system node uses the first public key to encrypt data corresponding to the first identity in the system node Information to obtain the first encrypted data asset;
  • the system node adds the first encrypted data asset to a data asset account of a first user in the alliance chain.
  • an embodiment of the present application further provides a data asset management method, which includes:
  • the first user node sends a data asset extraction request, where the data asset extraction request includes first encrypted identity information and a first user address identifier;
  • the first user node adds the third encrypted data asset to a data asset account of the first user in the alliance chain.
  • an embodiment of the present application provides a data asset management device.
  • the data asset management device applied to a system node includes:
  • a first receiving unit configured to receive a data asset extraction request by a system node, where the data asset extraction request includes first encrypted identity information and a first user address identifier;
  • the first obtaining unit is configured to obtain first identity mapping information corresponding to the first user address identifier from the alliance chain ledger, where the first identity mapping information includes the first user address identifier, the first public key, and the first An identity fingerprint;
  • a first verification unit configured to use the first identity fingerprint and the first encrypted identity information to authenticate a first user
  • a first encryption unit configured to use the first public key to encrypt data information corresponding to the first identity in a system node after the verification unit passes the authentication to obtain a first encrypted data asset;
  • a first adding unit is configured to add the first encrypted data asset to a data asset account of a first user in the alliance chain.
  • an embodiment of the present application provides a data asset management apparatus.
  • the data asset management apparatus applied to the first user node includes:
  • a second sending unit configured to send a data asset extraction request, where the data asset extraction request includes first encrypted identity information and a first user address identifier
  • a second receiving unit is configured to receive a third encrypted data asset, where the third encrypted data asset is obtained after the identity verification of the first user node is passed according to the first user address identifier and the first encrypted identity information. Using the public key corresponding to the first user address identifier to encrypt the encrypted data asset generated by the first user's data information in the system;
  • a second adding unit is configured to add the third encrypted data asset to a data asset account of the first user in the alliance chain.
  • an embodiment of the present application provides a data asset management apparatus, including a processor, a memory, and a communication module, wherein the memory is used to store program code, and the processor is used to call the program code to execute the first Aspect and the method of the second aspect and the method of any of its alternatives.
  • an embodiment of the present application provides a computer-readable storage medium.
  • the computer storage medium stores a computer program, where the computer program includes program instructions, and the program instructions cause the processing when executed by a processor.
  • the processor performs the method of the first aspect and the second aspect.
  • the public key, address identifier, and identity fingerprint of each node in the alliance chain are recorded in the ledger of the alliance chain. Therefore, the public key and identity fingerprint recorded in the ledger of the alliance chain can be used for identity verification.
  • the above identity fingerprint is generated by the user's real identity information through a one-way encryption algorithm, in the alliance chain, when there is no information disclosed to other nodes, there is a good privacy between nodes. .
  • users in the alliance chain can extract private data from various systems in the alliance chain into personal data asset accounts, and can authorize the use of their own data assets according to the authorization conditions. Therefore, according to the embodiments of the present application, the private data scattered in various systems can be effectively collected, and the private data assets can be effectively managed effectively.
  • FIG. 1 is a schematic flowchart of a data asset management method according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a data asset management method according to an embodiment of the present application.
  • FIG. 3 is a functional unit composition diagram of a data asset management device according to an embodiment of the present application.
  • FIG. 4 is a functional unit composition diagram of another data asset management device according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a data asset management device according to an embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a data asset management method according to an embodiment of the present application. As shown in the figure, the method may include:
  • a system node in the alliance chain receives a data asset extraction request.
  • the data asset extraction request includes first encrypted identity information and a first user address identifier.
  • the first encrypted identity information is information obtained by encrypting the first identity information using a public key of the system node, and the identity information is identity information of a user corresponding to initiating the data asset extraction request.
  • the first user address identifier is a user address identifier of a user corresponding to the data asset extraction request.
  • the above-mentioned alliance chain may be created by a master account operation node, and then various systems (application systems, APPs, websites, etc.) in the real Internet world are invited to access as nodes.
  • each node (including the system and the user) in the alliance chain After the key creation of the alliance chain is successful, each node (including the system and the user) in the alliance chain generates its own private and public keys and the corresponding address identifier through the alliance chain, and verifies the alliance chain through the verification node in the alliance chain.
  • Each other node (system or user) in the network performs identity verification, and then records the public key, address identification, and identity fingerprint of each node in the alliance chain to the alliance chain's ledger. After the consensus mechanism, the block ledger Access to the alliance chain.
  • the above-mentioned identity fingerprint is generated by the identity identification (for example, information such as the user's name, ID card number, or the name of an enterprise, an organization, or an organization code) after being encrypted by a one-way encryption algorithm.
  • the identity identification for example, information such as the user's name, ID card number, or the name of an enterprise, an organization, or an organization code
  • the real identity information of the user who holds the private key corresponding to the above identity fingerprint and public key For example, the real identity is hashed to obtain a hash value, and the hash value is used as the identity fingerprint.
  • the verification node is not limited.
  • the verification node may be the main account operation node or a third-party trust organization.
  • the third-party information organization may be a public security system for user identification
  • the enterprise or unit may be a business management system. .
  • the one-way encryption algorithm is an algorithm that can only encrypt data to obtain encrypted data, but cannot have encrypted data to obtain data. That is, a one-way encryption algorithm can be used to encrypt the identity to obtain the identity fingerprint, but there is no corresponding decryption algorithm to decrypt the identity fingerprint to obtain the identity.
  • the above one-way encryption algorithm may include Message-Digest Algorithm (MD), Algorithm and Secure Hash Algorithm 1 (SHA-1), Hash Message Authentication Code (HMAC) Wait.
  • MD Message-Digest Algorithm
  • SHA-1 Secure Hash Algorithm 1
  • HMAC Hash Message Authentication Code
  • the public key, address identifier, and identity fingerprint of each node in the alliance chain are recorded in the ledger of the alliance chain. Therefore, the public key and identity fingerprint recorded in the ledger of the alliance chain can be used for identity verification. (Between users, between users and systems, between systems and systems); In addition, because the identity fingerprint is generated by the user ’s real identity information through a one-way encryption algorithm, in the alliance chain, there is no When publishing their information to other nodes, there is good privacy between nodes.
  • the first user may be registered in one or more systems of the alliance chain, so the digital assets of the user (including the user's personal information, and the user is using These systems generate various personal data).
  • the first user wants to extract his own digital assets in each system of the alliance chain into his own data asset account in the alliance chain, so that he can effectively grasp his own digital assets.
  • the above-mentioned first user may initiate a personal data asset extraction request to the first system in the alliance chain through his own user terminal. After receiving the request for extracting the personal data assets, the first system verifies the personal data assets. After the verification is passed, the data assets of the first user in the first system are encrypted with the public key of the first user, and then added to the system. To the digital asset account of the first user.
  • the system node obtains first identity mapping information corresponding to the first user address identifier from the alliance chain.
  • the first identity mapping information includes a first user address identifier, a first public key, and a first identity fingerprint.
  • the system node after the system node receives the data asset extraction request, the system node obtains the first identity mapping information corresponding to the first user address identifier from the alliance chain ledger, so that the system node uses the first The first public key and the first identity information included in the identity mapping information authenticate the first user who initiated the data asset extraction request.
  • the first identity fingerprint mentioned above is a one-way encryption algorithm for the identity provided by the first user (for example, the user's name and ID number) after the verification node in the alliance chain verifies the identity information of the first user. Generated after encryption. For example, the real identity information is hashed to obtain a hash value, and the hash value is used as the identity fingerprint.
  • the system node After the system node authenticates the first user by using the first identity fingerprint and the first encrypted identity information, the first public key is used to encrypt the data information corresponding to the first identity in the system node to obtain First encrypted data asset.
  • the system node after the system node obtains the first identity mapping information from the alliance chain, the system node performs identity verification on the first user according to the first identity fingerprint and the first encrypted identity information. . After the identity verification of the first user is passed, the system node uses the first public key to encrypt data information corresponding to the first identity in the system node to obtain a first encrypted data asset.
  • the system node uses the private key of the system node to decrypt the first encrypted identity information in order to obtain a first identity identifier.
  • the system node then encrypts the first identity using the first one-way encryption algorithm to obtain a second identity fingerprint.
  • the system node determines whether the first identity fingerprint and the second identity fingerprint are equal. If the first identity fingerprint and the second identity fingerprint are equal, the identity verification of the first user is passed.
  • the system node obtains data information related to the first identity from a database of the system node according to the first identity information, and uses the first public key to encrypt the data information to obtain the first encrypted data. assets.
  • the system node adds the above-mentioned first encrypted data asset to the data asset account of the first user in the alliance chain.
  • the system node after the system node obtains the first encrypted data asset, the system node adds the first encrypted data asset to a data asset account of the first user locally; and the first encryption Data assets are broadcast across the network in the alliance chain, in order to trigger the first smart contract to cause other nodes in the alliance chain to add the first encrypted data asset to the user's data asset account.
  • the above system node may also initiate a data asset use request to a user in the alliance chain in order to obtain the data asset that the system node wants to obtain.
  • the system node sends a data asset use request to a user node in the alliance chain, and the data asset use request includes a data asset list, second encrypted identity information, and an address identifier of the system node.
  • the second encrypted identity information is information obtained by the system node using the first public key to encrypt its own identity (that is, the identity of the requester).
  • the user node When the user node receives the data asset use request, it obtains the identity mapping information corresponding to the system node from the alliance chain according to the address identifier of the system node included in the data asset use request, and then the user node uses its own private information. Key to decrypt the second encrypted identity information to obtain a second identity, and use the first one-way encryption algorithm to encrypt the second identity to obtain a second identity fingerprint, and then use the address identifier of the system node to obtain the second identity fingerprint To obtain the corresponding third identity mapping information, and compare the second identity fingerprint with the third identity fingerprint in the third identity mapping information. If they are equal or match, it means that the second identity is indeed the address identifier of the system. Corresponding identity.
  • the user judges whether to authorize the system corresponding to the data asset extraction request according to the second identity. If yes, the data assets in the user ’s data asset account or the corresponding data assets in the data asset list are encrypted according to the data asset list. Because the data assets in the user ’s data asset account are encrypted, the data assets are obtained. After listing the corresponding data assets, the user's private key is first used to decrypt them to obtain the confidential data assets, and then the public keys of the system nodes are used to encrypt the decrypted data assets to obtain the second encrypted data assets. Then, the user node receives the authorization condition input by the user through the input device.
  • the user node generates data asset authorization information, and the feedback information includes the authorization conditions and the second encrypted data asset, and broadcasts the data asset authorization information on the entire network, that is, sends the data asset authorization information to the system node.
  • the above authorization conditions include at least one of an authorization period, the number of authorizations, and an authorization range.
  • the system node After the system node receives the data asset authorization information, the system node automatically triggers a second smart contract to provide the system node with the encrypted data asset information according to the authorization conditions. Finally, the system node uses the private key of the system node to decrypt the second encrypted data asset to obtain a data asset corresponding to the data asset list.
  • the public key, address identifier, and identity fingerprint of each node in the alliance chain are recorded in the ledger of the alliance chain, so the public key and identity fingerprint recorded in the ledger of the alliance chain can be obtained through the above.
  • the identity fingerprint is generated by the user ’s real identity information through a one-way encryption algorithm, in the alliance chain, when no information is disclosed to other nodes, there is a very strong relationship between nodes. Good privacy.
  • users in the alliance chain can extract private data from various systems in the alliance chain into personal data asset accounts, and can authorize the use of their own data assets according to the authorization conditions. Therefore, according to the embodiments of the present application, the private data scattered in various systems can be collected effectively, and the private data assets can be effectively managed effectively.
  • FIG. 2 a schematic flowchart of another data asset management method is also provided in an embodiment of the present application. As shown in the figure, the method may include:
  • the first user node sends a data asset extraction request.
  • the data asset extraction request includes first encrypted identity information and a first user address identifier.
  • the first encrypted identity information is information obtained by encrypting the first identity information using a public key of the system node, and the identity information is identity information of a user corresponding to initiating the data asset extraction request.
  • the first user address identifier is a user address identifier of a user corresponding to the data asset extraction request.
  • the above-mentioned alliance chain may be created by a master account operation node, and then various systems (application systems, APPs, websites, etc.) in the real Internet world are invited to access as nodes.
  • each node (including the system and the user) in the alliance chain After the key creation of the alliance chain is successful, each node (including the system and the user) in the alliance chain generates its own private and public keys and the corresponding address identifier through the alliance chain, and verifies the alliance chain through the verification node in the alliance chain.
  • Each other node (system or user) in the network performs identity verification, and then records the public key, address identification, and identity fingerprint of each node in the alliance chain to the alliance chain's ledger. After the consensus mechanism, the block ledger Access to the alliance chain.
  • the above-mentioned identity fingerprint is generated by the identity identification (for example, information such as the user's name, ID card number, or the name of an enterprise, an organization, or an organization code) after being encrypted by a one-way encryption algorithm.
  • the identity identification for example, information such as the user's name, ID card number, or the name of an enterprise, an organization, or an organization code
  • the real identity information of the user who holds the private key corresponding to the above identity fingerprint and public key For example, the real identity is hashed to obtain a hash value, and the hash value is used as the identity fingerprint.
  • the verification node is not limited.
  • the verification node may be the main account operation node or a third-party trust organization.
  • the third-party information organization may be a public security system for user identification
  • the enterprise or unit may be a business management system. .
  • the one-way encryption algorithm is an algorithm that can only encrypt data to obtain encrypted data, but cannot have encrypted data to obtain data. That is, a one-way encryption algorithm can be used to encrypt the identity to obtain the identity fingerprint, but there is no corresponding decryption algorithm to decrypt the identity fingerprint to obtain the identity.
  • the above one-way encryption algorithm may include Message-Digest Algorithm (MD), Algorithm and Secure Hash Algorithm 1 (SHA-1), Hash Message Authentication Code (HMAC) Wait.
  • MD Message-Digest Algorithm
  • SHA-1 Secure Hash Algorithm 1
  • HMAC Hash Message Authentication Code
  • the public key, address identifier, and identity fingerprint of each node in the alliance chain are recorded in the ledger of the alliance chain. Therefore, the public key and identity fingerprint recorded in the ledger of the alliance chain can be used for identity verification. (Between users, between users and systems, between systems and systems); In addition, because the above-mentioned identity fingerprint is generated by the user's real identity information through a one-way encryption algorithm, in the alliance chain, there is no When publishing their information to other nodes, there is good privacy between nodes.
  • the first user may be registered in one or more systems of the alliance chain, so the digital assets of the user (including the user's personal information, and the user is using These systems generate various personal data).
  • the first user wants to extract his own digital assets in each system of the alliance chain into his own data asset account in the alliance chain, so that he can effectively grasp his own digital assets.
  • the above-mentioned first user may initiate a personal data asset extraction request to the first system in the alliance chain through his own user terminal. After receiving the request for extracting the personal data assets, the first system verifies the personal data assets. After the verification is passed, the data assets of the first user in the first system are encrypted with the public key of the first user, and then added to the system. To the digital asset account of the first user.
  • the first individual user wants to extract his own digital assets in each system of the alliance chain to his personal account in the alliance chain, so that he can effectively grasp his own digital assets
  • the first system can include one or more systems; the personal data asset extraction request includes the first personal user's The public key and the first identity verification information, the first identity verification information is generated by encrypting the personal identity information of the user by the public key of the first system, wherein the personal identity information is the same as the identity information generating the user identity fingerprint.
  • the personal data asset extraction request is broadcasted on the entire network, so that other nodes in the alliance chain receive the personal data asset extraction request.
  • the first user node receives a third encrypted data asset.
  • the third encrypted data asset is obtained after the identity verification of the first user node according to the first user address identifier and the first encrypted identity information is passed.
  • a public key corresponding to a user address identifier encrypts the encrypted data asset generated by the data information of the first user in the system.
  • the first system after the first system receives the personal data asset extraction request, it obtains the corresponding identity fingerprint from the alliance chain according to the public key in the personal data asset extraction request, and then uses the first The system's private key decrypts the first identity verification information in the personal data asset extraction request to obtain the personal identity information of the first user, then generates the identity fingerprint of the first user according to the obtained personal identity information of the first user, and finally A user's identity fingerprint is compared with the identity fingerprint obtained from the alliance chain according to the public key in the above-mentioned personal data asset extraction request.
  • the personal identity information of a user extracts the data assets of the first user from the database in the first system, and encrypts the data assets of the first user with the public key of the first user to obtain the third encrypted data asset, and Three encrypted data assets broadcast across the network, that is, the third encrypted data asset is sent to the first use Node.
  • the first user node adds the third encrypted data asset to the data asset account of the first user in the alliance chain.
  • the first user node after the first user node receives the third encrypted data asset data, the first user node adds the third encrypted data asset to the data asset account of the first user in the alliance chain. .
  • the first user node receives a data asset use request, wherein the data asset use
  • the request includes a list of data assets, second encrypted identity information, and a third address identifier.
  • the second encrypted identity information is information obtained by using the first public key to encrypt the identity of the requester (that is, the identity of the requester) that initiated the data asset use;
  • the third address identifier is the address identifier of the requester.
  • the first user node obtains third identity mapping information corresponding to the third address identifier from the alliance chain ledger, and the third identity mapping information includes a third address identifier, a third public key, and a third identity fingerprint. Then, the first user node uses the third identity fingerprint and the second encrypted identity information to verify the identity of the requester. After the verification is passed, the first user node uses the third public key to encrypt a data asset corresponding to the data asset list to obtain a third encrypted data asset. Then, the first user node receives an authorization condition input by the first user through an input device, where the authorization condition includes at least one of an authorization period, the number of authorizations, and an authorization range. Finally, the first user node generates feedback information according to the feedback information including the authorization conditions and the third encrypted data asset, and broadcasts the feedback information throughout the network.
  • the first user node uses the third identity fingerprint and the second encrypted identity information to verify the identity of the requester. Specifically, the first user node uses the private key of the first user node to decrypt the second encrypted identity information to obtain a second identity, and then the first user node uses a one-way encryption algorithm to encrypt the second identity to obtain a second identity. The fingerprint is compared with the second identity fingerprint and the third identity fingerprint. If the two identity fingerprints match, the verification is passed.
  • the private data scattered in various systems can be collected effectively, and the private data assets can be effectively managed effectively.
  • FIG. 3 is a block diagram of a possible functional unit of a data asset management apparatus 300 provided by an embodiment of the present application.
  • the data asset management apparatus includes a first receiving unit 310, a first obtaining unit 320, The first verification unit 330, the first encryption unit 340, and the first adding unit 350.
  • a first receiving unit 310 configured to receive a data asset extraction request by a system node, where the data asset extraction request includes first encrypted identity information and a first user address identifier;
  • the first obtaining unit 320 is configured to obtain first identity mapping information corresponding to the first user address identifier from the alliance chain ledger, where the first identity mapping information includes a first user address identifier, a first public key, and First identity fingerprint
  • a first obtaining unit 320 configured to use the first identity fingerprint and the first encrypted identity information to authenticate a first user
  • a first encryption unit 340 configured to use the first public key to encrypt data information corresponding to the first identity in a system node after the verification unit passes the verification to obtain a first encrypted data asset;
  • a first adding unit 350 is configured to add the first encrypted data asset to a data asset account of a first user in the alliance chain.
  • the first identity mapping information is that the verification node in the alliance chain uses the first one-way encryption algorithm to encrypt the first identity of the first user to generate the first identity fingerprint, and then according to the first user, The mapping relationship information generated by the address identifier, the first public key, and the first identity fingerprint.
  • the verification unit includes:
  • the first decryption unit uses the private key of the system node to decrypt the first encrypted identity information to obtain a first identity identifier
  • a second encryption unit further configured to encrypt the first identity using the first one-way encryption algorithm to obtain a second identity fingerprint
  • the first determining unit is configured to determine whether the first identity fingerprint is equal to the second identity fingerprint, and if they are equal, the verification is passed.
  • the first adding unit 350 is configured to add the first encrypted data asset to a data asset account of the first user locally; and perform the first encrypted data asset in an alliance chain.
  • the whole network broadcasts in order to trigger the first smart contract to cause other nodes in the alliance chain to add the first encrypted data asset to the user's data asset account.
  • the data asset management device further includes:
  • a first sending unit configured to send a data asset use request, where the data asset use request includes a data asset list, second encrypted identity information, and an address identifier of the system node;
  • the first receiving unit 310 is configured to receive data asset authorization information, where the authorization information is obtained by using the system node ’s address identifier and the second encrypted identity information to authenticate the system node, and using the A second encrypted data asset generated by encrypting a data asset corresponding to the data asset list with a system public key corresponding to an address identifier of the system node, and information generated according to the second encrypted data asset and authorization conditions;
  • a first providing unit that triggers a second smart contract and provides the second encrypted data asset information to the system node according to the authorization condition, where the authorization condition includes at least one of an authorization period, the number of authorizations, and an authorization range;
  • a first decryption unit is configured to decrypt the second encrypted data asset using the private key of the system node to obtain a data asset corresponding to the data asset list.
  • the public key, address identifier, and identity fingerprint of each node in the alliance chain are recorded in the ledger of the alliance chain, so the public key and identity fingerprint recorded in the ledger of the alliance chain can be obtained through the above.
  • the identity fingerprint is generated by the user ’s real identity information through a one-way encryption algorithm, in the alliance chain, when no information is disclosed to other nodes, there is a very strong relationship between nodes. Good privacy.
  • users in the alliance chain can extract private data from various systems in the alliance chain into personal data asset accounts, and can authorize the use of their own data assets according to the authorization conditions. Therefore, according to the embodiments of the present application, the private data scattered in various systems can be collected effectively, and the private data assets can be effectively managed effectively.
  • FIG. 4 is a block diagram of a possible functional unit of a data asset management apparatus 400 provided by an embodiment of the present application.
  • the data asset management apparatus includes a second sending unit 410, a second receiving unit 420, and The second adding unit 430.
  • a second sending unit 410 configured to send a data asset extraction request, where the data asset extraction request includes first encrypted identity information and a first user address identifier;
  • the second receiving unit 420 is configured to receive a third encrypted data asset, where the third encrypted data asset passes the identity verification of the first user node according to the first user address identifier and the first encrypted identity information. And then encrypting the encrypted data asset generated by the data information of the first user in the system with a public key corresponding to the first user address identifier;
  • a second adding unit 430 is configured to add the third encrypted data asset to a data asset account of the first user in the alliance chain.
  • the second receiving unit 420 is configured to receive a data asset use request, where the data asset use request includes a data asset list, second encrypted identity information, and a third address identifier;
  • the data asset management device further includes:
  • a second obtaining unit obtaining third identity mapping information corresponding to the third address identifier from the alliance chain ledger, where the third identity mapping information includes a third address identifier, a third public key, and a third identity fingerprint;
  • a second verification unit configured to use the third public key to encrypt data corresponding to the data asset list after the identity verification of the requester is passed using the third identity fingerprint and the second encrypted identity information
  • the asset gets a third encrypted data asset
  • the second receiving unit is configured to receive an authorization condition input by an input device, where the authorization condition includes at least one of an authorization period, the number of authorizations, and an authorization range;
  • a second generating unit is configured to generate feedback information, where the feedback information includes the authorization condition and the third encrypted data asset, and broadcast the feedback information throughout the network.
  • the second verification unit includes:
  • a second decryption unit configured to decrypt the second encrypted identity information by using the private key of the first user node to obtain a second identity identifier
  • a third encryption unit configured to encrypt the second identity using a first one-way encryption algorithm to obtain a second identity fingerprint
  • the comparing unit is configured to compare the second identity fingerprint and the third identity fingerprint. If the two identity fingerprints match, the identity verification of the requester is passed.
  • the third identity mapping information is that the verification node in the alliance chain uses the first one-way encryption algorithm to encrypt the third identity of the requester to generate the third identity fingerprint, and then the third identity fingerprint is generated according to the third identity fingerprint.
  • the mapping relationship information generated by the address identifier, the third public key, and the third identity fingerprint.
  • the private data scattered in various systems can be collected effectively, and the private data assets can be effectively managed effectively.
  • FIG. 5 is a schematic structural diagram of a data asset management apparatus 500 according to an embodiment of the present application.
  • the apparatus 500 includes a processor, a memory, a communication interface, and one or more programs.
  • the one or more programs are different from the one or more application programs, and the one or more programs are stored in the memory and configured to be executed by the processor.
  • the above program includes instructions for performing the following steps: receiving a data asset extraction request, the data asset extraction request including first encrypted identity information and a first user address identifier; and obtaining from the alliance chain ledger
  • the first identity mapping information corresponding to the first user address identifier, and the first identity mapping information includes a first user address identifier, a first public key, and a first identity fingerprint; using the first identity fingerprint and the first encryption
  • the first public key is used to encrypt the data information corresponding to the first identity in the system node to obtain a first encrypted data asset; adding the first encrypted data asset to the alliance The data asset account of the first user in the chain.
  • the above program includes instructions for performing the following steps: sending a data asset extraction request, where the data asset extraction request includes first encrypted identity information and a first user address identifier; and receiving a third encrypted data asset
  • the third encrypted data asset is encrypted in the system by using a public key corresponding to the first user address identifier after the identity verification of the first user node is passed according to the first user address identifier and the first encrypted identity information.
  • the encrypted data asset generated by the data information of the first user; adding the third encrypted data asset to the data asset account of the first user in the alliance chain.
  • the processor may be a central processing unit (CPU), and the processor may also be another general-purpose processor, a digital signal processor (DSP), Application-specific integrated circuits (Application Specific Integrated Circuits, ASICs), ready-made programmable gate arrays (Field-Programmable Gate Arrays, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • DSP digital signal processor
  • ASICs Application Specific Integrated Circuits
  • FPGAs ready-made programmable gate arrays
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • a computer-readable storage medium stores a computer program.
  • the computer program When the computer program is executed by a processor, the computer program is implemented to receive a data asset extraction request and the data asset extraction request.
  • the first encrypted identity information and the first user address identifier are included; the first identity mapping information corresponding to the first user address identifier is obtained from the alliance chain ledger, and the first identity mapping information includes the first user address identifier, the first The public key and the first identity fingerprint; after the first user is authenticated using the first identity fingerprint and the first encrypted identity information, the first public key encryption system node is used to correspond to the first identity identifier
  • To obtain the first encrypted data asset add the above-mentioned first encrypted data asset to the data asset account of the first user in the alliance chain.
  • the data asset extraction request is sent, and the data asset extraction request includes first encrypted identity information and a first user address identifier; a third encrypted data asset is received, and the third encrypted data asset is After the identity verification of the first user node is passed according to the first user address identifier and the first encrypted identity information, the public key corresponding to the first user address identifier is used to encrypt data information generated by the first user in the system.
  • the encrypted data asset of the above; the third encrypted data asset is added to the data asset account of the first user in the alliance chain.
  • the computer-readable storage medium may be an internal storage unit of the terminal described in any one of the foregoing embodiments, such as a hard disk or a memory of the terminal.
  • the computer-readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, and a flash memory card provided on the terminal. (Flash Card), etc.
  • the computer-readable storage medium may further include both an internal storage unit of the terminal and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the terminal.
  • the computer-readable storage medium described above may also be used to temporarily store data that has been or will be output.
  • the disclosed systems, servers, and methods may be implemented in other ways.
  • the device embodiments described above are merely schematic.
  • the division of the above units is only a logical function division.
  • multiple units or components may be combined or may be combined. Integration into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may also be electrical, mechanical or other forms of connection.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, which may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions in the embodiments of the present application.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above integrated unit may be implemented in the form of hardware or in the form of software functional unit.
  • the technical solution of this application is essentially a part that contributes to the existing technology, or all or part of the technical solution may be embodied in the form of a software product, which is stored in a storage medium
  • a computer device which may be a personal computer, a server, or a network device, etc.
  • the foregoing storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disks or optical disks and other media that can store program codes .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé de gestion d'actifs de données, un dispositif de gestion d'actifs de données et un support lisible par ordinateur. Le procédé comprend les étapes suivantes : un nœud de système reçoit une demande d'extraction d'actifs de données ; le nœud de système acquiert à partir d'un registre de chaîne de consortium des premières informations de mappage d'identité correspondant à un premier identifiant d'adresse d'utilisateur, les premières informations de mappage d'identité comprenant le premier identifiant d'adresse d'utilisateur, une première clé publique et une première empreinte d'identité ; après l'utilisation de la première empreinte d'identité et des premières informations d'identité chiffrées pour authentifier un premier utilisateur, le nœud de système utilise des informations de données correspondant à un premier identifiant d'identité dans un premier nœud de système de chiffrement de clé publique pour obtenir un premier actif de données chiffrées ; le nœud de système ajoute le premier actif de données chiffrées à un compte d'actif de données du premier utilisateur dans la chaîne de consortium. Le procédé peut efficacement collecter des données privées dispersées dans divers systèmes, et peut également gérer efficacement des actifs de données privées.
PCT/CN2018/123516 2018-09-29 2018-12-25 Procédé de gestion d'actifs de données, dispositif de gestion d'actifs de données et support lisible par ordinateur WO2020062667A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811153080.9A CN109492424B (zh) 2018-09-29 2018-09-29 数据资产管理方法、数据资产管理装置及计算机可读介质
CN201811153080.9 2018-09-29

Publications (1)

Publication Number Publication Date
WO2020062667A1 true WO2020062667A1 (fr) 2020-04-02

Family

ID=65689398

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/123516 WO2020062667A1 (fr) 2018-09-29 2018-12-25 Procédé de gestion d'actifs de données, dispositif de gestion d'actifs de données et support lisible par ordinateur

Country Status (2)

Country Link
CN (1) CN109492424B (fr)
WO (1) WO2020062667A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112669141A (zh) * 2020-12-31 2021-04-16 深圳市辰宝信息服务有限公司 基于区块链智能合约机制的大宗商品的仓单质押方法
CN113779605A (zh) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 一种基于联盟链的工业互联网Handle标识体系解析认证方法

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110443077A (zh) * 2019-08-09 2019-11-12 北京阿尔山区块链联盟科技有限公司 数字资产的处理方法、装置以及电子设备
US11876890B2 (en) * 2019-12-10 2024-01-16 International Business Machines Corporation Anonymization of partners
CN113806788A (zh) * 2020-06-11 2021-12-17 中国标准化研究院 一种数据资产管理装置及方法

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150244690A1 (en) * 2012-11-09 2015-08-27 Ent Technologies, Inc. Generalized entity network translation (gent)
WO2016179334A1 (fr) * 2015-05-05 2016-11-10 ShoCard, Inc. Service de gestion d'identité utilisant un registre des transactions
CN107066893A (zh) * 2017-02-28 2017-08-18 腾讯科技(深圳)有限公司 区块链中账户信息的处理方法和装置
CN108492180A (zh) * 2018-02-14 2018-09-04 阿里巴巴集团控股有限公司 资产管理方法及装置、电子设备
CN108537047A (zh) * 2018-02-09 2018-09-14 北京京东尚科信息技术有限公司 基于区块链生成信息的方法及装置

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10013573B2 (en) * 2015-12-16 2018-07-03 International Business Machines Corporation Personal ledger blockchain
CN106779716B (zh) * 2016-11-21 2021-06-04 江苏通付盾区块链科技有限公司 基于区块链账户地址的认证方法、装置及系统
CN106686008B (zh) * 2017-03-03 2019-01-11 腾讯科技(深圳)有限公司 信息存储方法及装置
CN107391944A (zh) * 2017-07-27 2017-11-24 北京太云科技有限公司 一种基于区块链的电子病历共享系统
CN107579817A (zh) * 2017-09-12 2018-01-12 广州广电运通金融电子股份有限公司 基于区块链的用户身份验证方法、装置及系统
CN107862215B (zh) * 2017-09-29 2020-10-16 创新先进技术有限公司 一种数据存储方法、数据查询方法及装置
CN108055274B (zh) * 2017-12-22 2020-09-11 广东工业大学 一种基于联盟链存储数据的加密与共享方法及系统
CN108429732B (zh) * 2018-01-23 2021-01-08 平安普惠企业管理有限公司 一种获取资源的方法及系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150244690A1 (en) * 2012-11-09 2015-08-27 Ent Technologies, Inc. Generalized entity network translation (gent)
WO2016179334A1 (fr) * 2015-05-05 2016-11-10 ShoCard, Inc. Service de gestion d'identité utilisant un registre des transactions
CN107066893A (zh) * 2017-02-28 2017-08-18 腾讯科技(深圳)有限公司 区块链中账户信息的处理方法和装置
CN108537047A (zh) * 2018-02-09 2018-09-14 北京京东尚科信息技术有限公司 基于区块链生成信息的方法及装置
CN108492180A (zh) * 2018-02-14 2018-09-04 阿里巴巴集团控股有限公司 资产管理方法及装置、电子设备

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112669141A (zh) * 2020-12-31 2021-04-16 深圳市辰宝信息服务有限公司 基于区块链智能合约机制的大宗商品的仓单质押方法
CN113779605A (zh) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 一种基于联盟链的工业互联网Handle标识体系解析认证方法

Also Published As

Publication number Publication date
CN109492424B (zh) 2023-05-26
CN109492424A (zh) 2019-03-19

Similar Documents

Publication Publication Date Title
JP7181539B2 (ja) 利用者識別認証データを管理する方法および装置
JP6941146B2 (ja) データセキュリティサービス
JP7121459B2 (ja) ハード/ソフトトークン検証を介したブロックチェーン認証
US10554420B2 (en) Wireless connections to a wireless access point
US10541806B2 (en) Authorizing account access via blinded identifiers
WO2020062668A1 (fr) Procédé d'authentification d'identité, dispositif d'authentification d'identité et support lisible par ordinateur
WO2022262078A1 (fr) Procédé de commande d'accès sur la base de la sécurité à vérification systématique, dispositif, et support de stockage
US10671733B2 (en) Policy enforcement via peer devices using a blockchain
US8196186B2 (en) Security architecture for peer-to-peer storage system
WO2020062667A1 (fr) Procédé de gestion d'actifs de données, dispositif de gestion d'actifs de données et support lisible par ordinateur
WO2018099285A1 (fr) Procédé et appareil de vérification de combustion de dispositif de l'internet des objets, et procédé et appareil d'authentification d'identité
CN109274652B (zh) 身份信息验证系统、方法及装置及计算机存储介质
US8819444B2 (en) Methods for single signon (SSO) using decentralized password and credential management
TWI578749B (zh) 用於遷移金鑰之方法及設備
WO2021184755A1 (fr) Procédé et appareil d'accès à une application, ainsi que dispositif électronique et support de stockage
US20200412554A1 (en) Id as service based on blockchain
JP2023502346A (ja) 量子安全ネットワーキング
US20080019527A1 (en) Method and apparatus for managing cryptographic keys
CN108234442B (zh) 获取合约的方法、系统及可读存储介质
WO2016155281A1 (fr) Procédé et dispositif de gestion d'identifiant d'application
US9356924B1 (en) Systems, methods, and computer readable media for single sign-on (SSO) using optical codes
US10063655B2 (en) Information processing method, trusted server, and cloud server
WO2016173211A1 (fr) Procédé et dispositif de gestion d'identificateur d'application
US20220005039A1 (en) Delegation method and delegation request managing method
US10740478B2 (en) Performing an operation on a data storage

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18935675

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08/07/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18935675

Country of ref document: EP

Kind code of ref document: A1