WO2020088108A1 - Blockchain-based data attestation method and apparatus, and electronic device - Google Patents


Info

Publication number
WO2020088108A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
computing environment
private key
terminal device
secure computing
Prior art date
Application number
PCT/CN2019/104943
Other languages
French (fr)
Chinese (zh)
Inventor
王林青
蒋海滔
张鸿
翁欣雨
李富强
林锋
吴军
曾晓东
杨磊
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2020088108A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • One or more embodiments of this specification relate to the field of blockchain technology, and in particular to a blockchain-based data attestation method and apparatus, and an electronic device.
  • Blockchain technology, also known as distributed ledger technology, is an emerging technology in which several computing devices jointly participate in "bookkeeping" and jointly maintain a complete distributed database.
  • Blockchain technology is decentralized, open and transparent: each computing device can take part in recording to the database, and data can be synchronized quickly between the computing devices, which is why blockchain technology is widely applied in many fields.
  • This specification proposes a blockchain-based data attestation method applied to a terminal device, wherein the terminal device is equipped with a secure computing environment, and a private key corresponding to the terminal device is stored in the secure computing environment;
  • the method includes:
  • signing the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishing the signed data digest to the blockchain, so that a node device in the blockchain
  • verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, stores the data digest in the blockchain for data attestation.
  • signing the data digest in the secure computing environment based on the private key corresponding to the terminal device includes:
  • signing the data digest in the secure computing environment based on the private key corresponding to the terminal device.
  • a key generation algorithm is stored in the secure computing environment;
  • the method also includes:
  • binding the generated private key to the user's identity information, and storing the binding relationship in the secure computing environment.
  • signing the data digest in the secure computing environment based on the private key corresponding to the terminal device includes:
  • the secure computing environment also stores device authentication information signed with the private key held by the manufacturer of the terminal device;
  • before signing the data digest in the secure computing environment based on the private key, the method further includes:
  • signing the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishing the signed data to the blockchain, includes:
  • signing the data digest and the description information of the target data as a whole based on the private key corresponding to the terminal device, and publishing the signed data digest and the description data to the blockchain for attestation; or,
  • the description data includes one or a combination of: the collection time of the target data, the collection location of the target data, and the objects related to the target data.
  • the terminal device includes a law enforcement recorder or a driving recorder;
  • the target data includes one or a combination of video data, audio data and image data.
  • This specification also proposes a blockchain-based data attestation apparatus applied to a terminal device, wherein the terminal device is equipped with a secure computing environment, and a private key corresponding to the terminal device is stored in the secure computing environment;
  • the apparatus includes:
  • an acquisition module that acquires the collected target data;
  • a calculation module that calculates a data digest of the target data;
  • an attestation module that signs the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishes the signed data digest to the blockchain, so that a node device in the blockchain
  • verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, stores the data digest in the blockchain for data attestation.
  • the attestation module further:
  • signs the data digest in the secure computing environment based on the private key corresponding to the terminal device.
  • a key generation algorithm is stored in the secure computing environment;
  • the acquisition module further:
  • the attestation module further:
  • performs identity authentication for the user based on the identity information obtained by the acquisition module; if the identity authentication for the user passes, calls the key generation algorithm in the secure computing environment to generate the private key and a public key; and binds the generated private key to the identity information of the user, storing the binding relationship in the secure computing environment.
  • the attestation module further:
  • the secure computing environment also stores device authentication information signed with the private key held by the manufacturer of the terminal device;
  • the attestation module further:
  • before signing the data digest in the secure computing environment based on the private key, verifies the signature of the device authentication information based on the public key corresponding to the private key held by the manufacturer of the terminal device; if the verification passes, determines that the terminal device is a legitimate terminal device produced by the manufacturer, and then signs the data digest in the secure computing environment based on the private key corresponding to the terminal device.
  • the attestation module:
  • signs the data digest and the description information of the target data as a whole based on the private key corresponding to the terminal device, and publishes the signed data digest and the description data to the blockchain for attestation; or,
  • the description data includes one or a combination of: the collection time of the target data, the collection location of the target data, and the objects related to the target data.
  • the terminal device includes a law enforcement recorder or a driving recorder;
  • the target data includes one or a combination of video data, audio data and image data.
  • This specification also proposes an electronic device, including:
  • a memory for storing machine-executable instructions;
  • the electronic device is equipped with a secure computing environment, and a private key corresponding to the electronic device is stored in the secure computing environment;
  • signing the data digest in the secure computing environment based on the private key corresponding to the electronic device, and publishing the signed data digest to the blockchain, so that a node device in the blockchain
  • verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, stores the data digest in the blockchain for data attestation.
  • the terminal device is equipped with a secure computing environment, and the private key corresponding to the terminal device is stored in the secure computing environment, so that the terminal device will collect
  • terminal devices no longer need to store the original content of the collected data on the blockchain; instead, the original content is stored locally and only the data digest of the original content is stored on the blockchain, so that the terminal device can serve as the hub between the physical world and the on-chain world, and storing the collected data on the blockchain becomes more convenient;
  • a third party that obtains data collected by the terminal device can conveniently verify its legitimacy, since the data digest of the obtained data can be matched against the data digest stored on the blockchain; therefore the data collected by the terminal device can be submitted to third parties as evidence, which significantly improves the usability of the data collected by the terminal device.
  • FIG. 1 is a flowchart of a blockchain-based data attestation method provided by an exemplary embodiment.
  • FIG. 2 is a schematic structural diagram of an electronic device provided by an exemplary embodiment.
  • FIG. 3 is a block diagram of a blockchain-based data attestation apparatus provided by an exemplary embodiment.
  • this specification proposes a technical solution that uses the terminal device as the hub between the physical world and the on-chain world, so that the data it collects can be stored on the blockchain more conveniently.
  • the hardware environment of the terminal device can be improved: a secure computing environment is built in the hardware environment of the terminal device, and the private key corresponding to the terminal device is stored and maintained in that secure computing environment.
  • a security chip can be mounted in the hardware environment of a law enforcement recorder or a driving recorder, and a secure computing environment built on the security chip, which stores and maintains the private key held by the recorder and provides the recorder with a secure computing environment.
  • the terminal device can obtain the collected data and calculate a data digest of it, then sign the calculated data digest in the secure computing environment based on the private key corresponding to the terminal device, and then publish the signed data digest to the blockchain.
  • a node device in the blockchain can obtain the public key corresponding to the private key of the terminal device and verify the signature of the data digest based on that public key; once the signature is verified, the data digest can be stored in the blockchain for data attestation.
  • FIG. 1 shows a blockchain-based data attestation method provided in an embodiment of this specification, which is applied to a terminal device, wherein the terminal device is equipped with a secure computing environment in which the private key corresponding to the terminal device is stored; the following steps are performed:
  • Step 102: obtain the collected target data;
  • Step 104: calculate the data digest of the target data;
  • Step 106: sign the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publish the signed data digest to the blockchain, so that a node device in the blockchain
  • verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, stores the data digest in the blockchain for data attestation.
  • the blockchain described in this specification may specifically include a private chain, a shared chain, a consortium chain, etc., and is not particularly limited in this specification.
  • the above blockchain may specifically be a consortium chain whose member devices are a server of a third-party payment platform, a domestic bank server, an overseas bank server, and several user node devices.
  • the operator of the consortium chain can rely on it to deploy online services such as cross-border transfers and asset transfers based on the consortium chain.
  • the above terminal device may include any form of terminal device that can join the blockchain as a node device and store the data it collects on the blockchain;
  • the terminal device may specifically include a law enforcement recorder or a driving recorder.
  • law enforcement recorders or driving recorders can join the blockchain as nodes, and the streaming data they collect, such as video data and audio data, can be stored on the blockchain for attestation.
  • storing data on the blockchain for attestation means persisting the data in the blockchain as evidence.
  • the above target data includes any type of data collected by the terminal device that needs to be attested in the distributed database of the blockchain;
  • the above target data may specifically be streaming data such as video data, audio data and image data collected by terminal devices such as law enforcement recorders or driving recorders.
  • the specific way of building the secure computing environment in the hardware environment of the terminal device is not particularly limited in this specification.
  • a solution based on an SE (Secure Element) can be used to build the secure computing environment for the terminal device.
  • SE hardware can be introduced into the hardware environment of the terminal device (either built into the terminal's hardware or connected externally through an interface), and the SE hardware used to store and maintain the private key of the terminal device and to provide the terminal device with a secure computing environment.
  • a solution based on a TEE can be used to build the secure computing environment for the terminal device.
  • TEE: Trusted Execution Environment.
  • a solution based on SE + TEE can be adopted to build the secure computing environment for the terminal device.
  • the SE hardware can be used to store and maintain the private key of the terminal device;
  • the TEE can be used to provide the secure computing environment for the terminal device.
  • the above terminal device can be added to the blockchain as a node device (also called putting the device on-chain), and the private key corresponding to the terminal device is stored and maintained in the secure computing environment built for the terminal device.
  • the private key corresponding to the terminal device may specifically be a private key held by the terminal device itself, or a private key held by a user who uses the terminal device.
  • the "private key corresponding to the terminal device" described in this specification may specifically be a private key generated for the terminal device by its manufacturer at the production stage and held by the terminal device; it may also be a private key generated by the terminal device for the user when the user uses the terminal device, and held by the user personally.
  • the private key and public key held by the terminal device can be generated for it by the device manufacturer at the production stage, with the private key written by the manufacturer into the secure computing environment of the terminal device in advance for storage and maintenance.
  • the private key and public key held by the terminal device are then unrelated to the identity of the user who uses it: different users of the terminal device share, by default, the same private key written into the secure computing environment by the manufacturer.
  • the private key and public key held by the terminal device can also be generated by the terminal device itself for its user, with the terminal device automatically writing the private key into its secure computing environment.
  • the private key and public key generated by the terminal device can be associated with the identity of the user: based on the identity information of each different user, the terminal device generates a private key and public key for that user, binds the generated private key to the user's identity information, and stores and maintains the binding relationship in the secure computing environment.
  • the manufacturer of the terminal device may write the key generation algorithm into the secure computing environment of the terminal device in advance.
  • the terminal device may prompt the user to input identity information for identity authentication;
  • the data type of the identity information input by the user and the identity authentication method adopted by the terminal device are not particularly limited in this specification; for example, a traditional method such as entering a password may be used, as well as methods such as fingerprint or face authentication.
  • after the terminal device obtains the identity information input by the user, it can determine whether a private key bound to that identity information is stored in the secure computing environment; if no such private key is stored, the user is a new user using the terminal device for the first time. The terminal device can then authenticate the user based on the obtained identity information; if the identity authentication passes, the terminal device can call the above key generation algorithm in the secure computing environment to generate a pair of private and public keys, bind the generated private key to the user's identity information, and store and maintain the binding relationship in the secure computing environment.
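The lookup-then-generate logic described above, as an added Go example that is not part of the patent or of any product it describes. It assumes Ed25519 as the key generation algorithm and SHA-256 as the data digest (the patent leaves both open), stands in the secure computing environment with an in-memory struct, and uses a hypothetical `Authenticator` callback in place of the device's real PIN, fingerprint or face check. Identity information is keyed by its hash so the raw credential is not stored, and private keys never leave the environment: callers only receive public keys and signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureEnv models the secure computing environment (SE/TEE) of the terminal
// device. It holds the key generation algorithm and the binding between each
// user's identity information and the private key generated for that user.
// Private keys never leave the struct: callers get public keys and signatures.
type SecureEnv struct {
	bindings map[string]ed25519.PrivateKey // identity fingerprint -> private key
}

func NewSecureEnv() *SecureEnv {
	return &SecureEnv{bindings: make(map[string]ed25519.PrivateKey)}
}

// identityFingerprint derives the lookup key for the binding table from the
// raw identity information (PIN, fingerprint template, face template, ...),
// so the raw identity data itself is not kept as a map key.
func identityFingerprint(identity []byte) string {
	sum := sha256.Sum256(identity)
	return fmt.Sprintf("%x", sum)
}

// Authenticator is a hypothetical hook for the terminal's identity
// authentication step; the page leaves the authentication method open.
type Authenticator func(identity []byte) bool

// KeyForUser implements the lookup the text describes: if a private key
// bound to this identity already exists, reuse it; otherwise authenticate the
// user, run the key generation algorithm, bind the new private key to the
// identity and store the binding. The second return value reports whether a
// new key pair was generated on this call.
func (env *SecureEnv) KeyForUser(identity []byte, auth Authenticator) (ed25519.PublicKey, bool, error) {
	fp := identityFingerprint(identity)
	if priv, ok := env.bindings[fp]; ok {
		return priv.Public().(ed25519.PublicKey), false, nil
	}
	if !auth(identity) {
		return nil, false, errors.New("identity authentication failed; no key generated")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	env.bindings[fp] = priv
	return pub, true, nil
}

// SignForUser signs a data digest with the private key bound to the identity,
// inside the environment, without exposing the key.
func (env *SecureEnv) SignForUser(identity []byte, digest []byte) ([]byte, error) {
	priv, ok := env.bindings[identityFingerprint(identity)]
	if !ok {
		return nil, errors.New("no private key bound to this identity")
	}
	return ed25519.Sign(priv, digest), nil
}

func main() {
	env := NewSecureEnv()
	// Constructed sample credential; a real device would check a PIN,
	// fingerprint or face template here.
	auth := func(id []byte) bool { return string(id) == "officer-0001:correct-pin" }
	user := []byte("officer-0001:correct-pin")

	pub, fresh, err := env.KeyForUser(user, auth)
	fmt.Println("first use: new key generated =", fresh, "err =", err)

	pub2, fresh2, _ := env.KeyForUser(user, auth)
	fmt.Println("second use: new key generated =", fresh2, "same key =", pub.Equal(pub2))

	_, _, err = env.KeyForUser([]byte("officer-0001:wrong-pin"), auth)
	fmt.Println("wrong credential:", err)

	digest := sha256.Sum256([]byte("constructed video shard"))
	sig, _ := env.SignForUser(user, digest[:])
	fmt.Println("signature verifies with bound public key:", ed25519.Verify(pub, digest[:], sig))
}
```

The point worth checking in any real implementation is the order of operations: key generation happens only after authentication succeeds, and a failed authentication leaves no binding behind, so an attacker who guesses wrong does not end up with a key the device will later trust.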
  • users can use the terminal device to collect data, and store the collected data on the blockchain through the terminal device.
  • the terminal device only needs to store the collected data locally and store the data digest of the collected data on the blockchain; it is no longer necessary to store the original content of the collected data on the blockchain.
  • the terminal device can store streaming data on the blockchain as shards, divided according to a preset time period;
  • the terminal device can take the video data of every N minutes as a shard, calculate the data digest of the shard, and then store the digest of the shard in the blockchain, strictly preserving the chronological order of the shard digests stored on the blockchain to facilitate backtracking.
  • when the terminal device needs to store collected target data on the blockchain, it can first calculate the data digest of the target data; for example, the data digest can be the hash value of the target data calculated with a specific hash algorithm. The terminal device can then sign the data digest in the secure computing environment based on the private key stored there.
  • device authentication information signed with the private key held by the manufacturer of the terminal device can also be stored and maintained in the secure computing environment; for example, the device authentication information can be signed by the manufacturer with its private key at the production stage and then written into the secure computing environment for storage and maintenance.
  • the above device authentication information may specifically be any form of information that authenticates the terminal device as legitimate; for example, it may be the production number of the terminal device or another form of anti-counterfeiting information.
  • before signing the data digest in the secure computing environment based on the private key stored there, the terminal device can obtain the public key corresponding to the private key held by the manufacturer of the terminal device and, based on the obtained public key, verify the signature of the device authentication information; if the verification passes, it can be determined that the terminal device is a legitimate terminal device produced by the manufacturer; only then does the terminal device proceed to sign the data digest in the secure computing environment based on the private key stored there.
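The manufacturer gate described above, as an added Go example that is not part of the patent or of any product it describes. It assumes Ed25519 for both the manufacturer's key and the device's key, a constructed serial number as the device authentication information, and an in-memory struct standing in for the secure computing environment. The manufacturer's signature over the authentication information is verified before the device's own private key is used at all, so a device whose authentication information was never signed by the manufacturer, or was altered afterwards, refuses to sign any digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeviceAuthInfo is the device authentication information the manufacturer
// writes into the secure computing environment at production time: here the
// production (serial) number plus the manufacturer's signature over it.
type DeviceAuthInfo struct {
	SerialNumber    string
	ManufacturerSig []byte
}

// ProvisionDevice is the manufacturer-side step, run once at the production
// stage: sign the authentication info with the manufacturer's private key.
func ProvisionDevice(mfrPriv ed25519.PrivateKey, serial string) DeviceAuthInfo {
	return DeviceAuthInfo{SerialNumber: serial, ManufacturerSig: ed25519.Sign(mfrPriv, []byte(serial))}
}

// SecureEnv holds what the page says the environment stores: the device's
// own private key and the manufacturer-signed authentication information.
type SecureEnv struct {
	devicePriv ed25519.PrivateKey
	authInfo   DeviceAuthInfo
}

var ErrNotGenuine = errors.New("device authentication info does not verify; refusing to sign")

// SignDigest is the gated signing operation: the manufacturer's signature
// over the device authentication info is checked against the manufacturer's
// public key first, and only a device that passes signs the data digest with
// its own private key.
func (env *SecureEnv) SignDigest(mfrPub ed25519.PublicKey, digest []byte) ([]byte, error) {
	if !ed25519.Verify(mfrPub, []byte(env.authInfo.SerialNumber), env.authInfo.ManufacturerSig) {
		return nil, ErrNotGenuine
	}
	return ed25519.Sign(env.devicePriv, digest), nil
}

func main() {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed serial number; a real device would carry its production number.
	genuine := &SecureEnv{devicePriv: devPriv, authInfo: ProvisionDevice(mfrPriv, "SN-CONSTRUCTED-0001")}
	digest := sha256.Sum256([]byte("constructed video shard"))
	if _, err := genuine.SignDigest(mfrPub, digest[:]); err == nil {
		fmt.Println("genuine device: digest signed")
	}

	// A device whose authentication info was altered after provisioning (or
	// that was never provisioned by this manufacturer) fails the gate.
	altered := &SecureEnv{devicePriv: devPriv, authInfo: genuine.authInfo}
	altered.authInfo.SerialNumber = "SN-CONSTRUCTED-9999"
	_, err := altered.SignDigest(mfrPub, digest[:])
	fmt.Println("altered device:", err)
}
```

The check only proves that the authentication information was signed by the holder of the manufacturer's private key; it does not by itself stop the same signed blob being copied to another unit, which is why the page pairs it with a device-specific private key that never leaves the secure computing environment.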
  • the private key stored and maintained in the secure computing environment of the terminal device is the private key generated for the terminal device by the manufacturer at the production stage and held by the terminal device;
  • an identity authentication mechanism for the user of the terminal device can be introduced, prompting the user to enter identity information for identity authentication; when the terminal device obtains the identity information entered by the user, it can authenticate the user based on the obtained identity information; if the identity authentication passes, the terminal device can sign the data digest in the secure computing environment based on the private key it holds and maintains there.
  • the private key is generated by the terminal device itself for the user and held by the user; in that case the binding relationship between the user's identity information and the private key is stored and maintained in the secure computing environment in advance.
  • after the terminal device obtains the identity information input by the user, it can query the binding relationship maintained in the secure computing environment to determine whether a private key bound to that identity information is stored there; if it is, the terminal device can sign the data digest in the secure computing environment based on the private key found.
  • the terminal device can authenticate the user based on the obtained identity information and, after the identity authentication passes, call the key generation algorithm stored in the secure computing environment to generate a private key and public key for the user, use the generated private key to sign the data digest, bind the generated private key to the user's identity information, and then store and maintain the binding relationship in the secure computing environment.
  • after the terminal device has signed the data digest of the collected target data in the secure computing environment based on the private key stored there, the signed data digest can be published to the blockchain;
  • a blockchain transaction can be constructed based on the signed data digest, and the transaction broadcast and propagated to the other node devices.
  • a node device in the blockchain can obtain the public key corresponding to the private key stored in the secure computing environment and verify the signature of the data digest based on that public key; if the signature verification passes, the node device can initiate consensus processing on the data digest in the blockchain and, once consensus passes, package the data digest into a block in the blockchain for storage, completing the attestation of the data digest.
  • the consensus mechanism adopted by the blockchain described in this specification is not particularly limited; in practice, the operator of the blockchain can select it flexibly based on actual needs.
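The end-to-end flow of steps 102 to 106, the shard-by-shard storage with preserved order, and the node-side verification described above, as an added Go example that is not part of the patent or of any product it describes. It assumes SHA-256 as the digest, Ed25519 as the device key, a constructed recording split into shards, and a single in-memory append-only ledger standing in for the blockchain (consensus between nodes is out of scope). `VerifyEvidence` is the third-party check from the end of the description: recompute the digest of the data received off-chain and compare it with the digest on the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is what the terminal device broadcasts for one shard: the
// shard's digest, the device's signature over the digest, and the device's
// public key so a node can verify it. The shard content itself stays local.
type Transaction struct {
	ShardIndex int
	Digest     [32]byte
	Signature  []byte
	DevicePub  ed25519.PublicKey
}

// Device is the terminal (recorder) side; priv stands in for the key kept in
// the secure computing environment.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// Attest carries out steps 102-106 for one shard: digest the collected shard
// (SHA-256 here; the page leaves the hash algorithm open), sign the digest,
// and build the transaction to publish.
func (d *Device) Attest(index int, shard []byte) Transaction {
	digest := sha256.Sum256(shard)
	return Transaction{ShardIndex: index, Digest: digest, Signature: ed25519.Sign(d.priv, digest[:]), DevicePub: d.pub}
}

// Ledger is a minimal stand-in for the blockchain: an append-only list of
// accepted digests that keeps each device's shards in chronological order.
type Ledger struct {
	registered map[string]bool // public keys of devices that joined the chain
	lastIndex  map[string]int  // last accepted shard index per device
	records    []Transaction
}

var (
	ErrUnknownDevice = errors.New("device is not a registered node")
	ErrBadSignature  = errors.New("digest signature does not verify")
	ErrOutOfOrder    = errors.New("shard index must follow the previous shard")
)

func NewLedger(devices ...ed25519.PublicKey) *Ledger {
	l := &Ledger{registered: map[string]bool{}, lastIndex: map[string]int{}}
	for _, pub := range devices {
		l.registered[string(pub)] = true
	}
	return l
}

// Accept is the node-device side: look up the device's public key, verify
// the signature, enforce shard order, and only then store the digest.
func (l *Ledger) Accept(tx Transaction) error {
	key := string(tx.DevicePub)
	if !l.registered[key] {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(tx.DevicePub, tx.Digest[:], tx.Signature) {
		return ErrBadSignature
	}
	expected := 0
	if last, seen := l.lastIndex[key]; seen {
		expected = last + 1
	}
	if tx.ShardIndex != expected {
		return ErrOutOfOrder
	}
	l.lastIndex[key] = tx.ShardIndex
	l.records = append(l.records, tx)
	return nil
}

// VerifyEvidence is the third-party check: recompute the digest of a shard
// received off-chain and compare it with the on-chain digest for that device
// and shard index.
func (l *Ledger) VerifyEvidence(devicePub ed25519.PublicKey, index int, data []byte) bool {
	want := sha256.Sum256(data)
	for _, r := range l.records {
		if r.ShardIndex == index && r.DevicePub.Equal(devicePub) {
			return r.Digest == want
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{priv: priv, pub: pub}
	chain := NewLedger(pub)
	// Constructed sample recording split into N-minute shards.
	shards := [][]byte{[]byte("shard-0 frames"), []byte("shard-1 frames"), []byte("shard-2 frames")}
	for i, s := range shards {
		fmt.Println("accept shard", i, "->", chain.Accept(dev.Attest(i, s)))
	}
	fmt.Println("original shard 1 matches chain:", chain.VerifyEvidence(pub, 1, shards[1]))
	fmt.Println("edited shard 1 matches chain:", chain.VerifyEvidence(pub, 1, []byte("shard-1 frames, edited")))
	tx := dev.Attest(3, []byte("shard-3 frames"))
	tx.Digest[0] ^= 0xff // altered after signing: the node must reject it
	fmt.Println("tampered transaction:", chain.Accept(tx))
}
```

The ordering check is what makes the chain usable for backtracking: a shard digest that arrives out of sequence is rejected rather than silently appended, so a gap or a reordering in the recording is visible on the chain.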
  • when the terminal device stores collected target data on the blockchain, it can also store the description information of the target data on the blockchain together with the data digest.
  • when the terminal device signs the data digest of the target data in the secure computing environment based on the private key stored there, the data digest and the description information of the target data can be signed as a whole;
  • the data digest and the description information of the target data are packaged and signed as a whole; then the signed data digest and the description data of the target data are published to the blockchain for attestation.
  • the terminal device may construct a blockchain transaction based on the signed data digest and the description data of the target data, and broadcast the transaction to the other node devices for propagation.
  • when the terminal device signs the data digest of the target data in the secure computing environment based on the private key stored there, it may also sign only the data digest; then the description data of the target data and the signed data digest are published to the blockchain for attestation.
  • the terminal device may construct a blockchain transaction based on the description data of the target data and the signed data digest, and broadcast the transaction to the other node devices for propagation.
  • the specific content of the description information of the target data is not particularly limited in this specification; in practice it can cover any content related to the target data;
  • the collection time, collection location and related objects of data are usually extremely important attributes of the data when it serves as evidence; therefore, in this specification, the description information of the target data may specifically include one or a combination of the collection time of the target data, the collection location of the target data, and the objects related to the target data.
  • the collection time of the target data may specifically be an authoritative time (timestamp) obtained from a time authentication centre, with which the terminal device interacts when the target data is collected.
  • the collection location of the target data may be an accurate location obtained by calling, in real time, the positioning module (such as a GPS module) carried by the terminal device when the target data is collected.
  • the object related to the target data may be a related object manually entered by a legitimate user of the terminal device after the target data is collected.
  • the description information of the video data may specifically include the authoritative time obtained from the time authentication centre, the accurate collection location obtained by the law enforcement recorder by calling the positioning module in real time, and the vehicle information and driver information related to the video data entered by the law enforcement officer.
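The two signing variants described above (digest and description signed as a whole, or digest alone with the description published beside it), as an added Go example that is not part of the patent or of any product it describes. It assumes Ed25519 and SHA-256, canonical JSON as the encoding of the description (a constructed choice; any deterministic encoding both sides agree on works), and constructed sample values for the timestamp, location and related objects. The point it makes visible is the difference between the variants: when the description is inside the signed message, editing the collection time invalidates the signature; when only the digest is signed, the same edit goes unnoticed by signature verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Description holds the attributes the page names as evidentially important:
// collection time, collection location and related objects. All values used
// below are constructed samples.
type Description struct {
	CollectedAt time.Time `json:"collected_at"` // authoritative timestamp
	Latitude    float64   `json:"lat"`          // positioning module reading
	Longitude   float64   `json:"lon"`
	Objects     []string  `json:"objects"` // e.g. vehicle and driver entered by the officer
}

// Record is the on-chain payload: digest, description and one signature.
// SignsDesc records which variant was used so a verifier rebuilds the same
// signed message.
type Record struct {
	Digest      [32]byte
	Description Description
	Signature   []byte
	SignsDesc   bool
}

// signedMessage is the byte string that is signed and verified: the digest
// alone (digest-only variant), or digest || canonical JSON of the description
// (signed-as-a-whole variant).
func signedMessage(digest [32]byte, desc Description, whole bool) ([]byte, error) {
	msg := append([]byte{}, digest[:]...)
	if whole {
		enc, err := json.Marshal(desc)
		if err != nil {
			return nil, err
		}
		msg = append(msg, enc...)
	}
	return msg, nil
}

// Attest runs on the terminal device: digest the target data, then sign either
// the digest together with the description (whole=true) or the digest alone.
func Attest(priv ed25519.PrivateKey, data []byte, desc Description, whole bool) (Record, error) {
	digest := sha256.Sum256(data)
	msg, err := signedMessage(digest, desc, whole)
	if err != nil {
		return Record{}, err
	}
	return Record{Digest: digest, Description: desc, Signature: ed25519.Sign(priv, msg), SignsDesc: whole}, nil
}

// Verify runs on a node device: rebuild the signed message from the record
// and check the signature with the device's public key.
func Verify(pub ed25519.PublicKey, r Record) bool {
	msg, err := signedMessage(r.Digest, r.Description, r.SignsDesc)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	data := []byte("constructed video shard")
	desc := Description{
		CollectedAt: time.Date(2019, 9, 1, 12, 0, 0, 0, time.UTC),
		Latitude:    30.0, Longitude: 120.0,
		Objects:     []string{"vehicle CONSTRUCTED-PLATE", "driver CONSTRUCTED-ID"},
	}

	whole, _ := Attest(priv, data, desc, true)
	fmt.Println("whole-signed record verifies:", Verify(pub, whole))
	whole.Description.CollectedAt = whole.Description.CollectedAt.Add(time.Hour)
	fmt.Println("after editing the time, whole-signed record verifies:", Verify(pub, whole))

	only, _ := Attest(priv, data, desc, false)
	only.Description.CollectedAt = only.Description.CollectedAt.Add(time.Hour)
	fmt.Println("after editing the time, digest-only record verifies:", Verify(pub, only))
}
```

With the digest-only variant the description is asserted by whoever submitted the transaction rather than bound to the device's key, so a node storing it should treat the time, location and related objects as unverified metadata unless something else (for instance the time authentication centre's own signature) vouches for them.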
  • the third-party institution when the user submits the flow data collected by the law enforcement recorder or driving recorder as evidence to a third-party institution (such as a judicial institution or an insurance company), the third-party institution only needs to recalculate the data summary of the obtained data
  • the data summary of the data matches the data summary of the data stored on the blockchain, so that the legality of the obtained data can be conveniently verified, so that in this way, the law enforcement recorder or driving recorder can be significantly improved
  • this specification also provides an embodiment of a blockchain-based data storage device.
  • the embodiment of the blockchain-based data certification device of this specification can be applied to electronic devices.
  • the electronic device is equipped with a secure computing environment, and a private key corresponding to the electronic device is stored in the secure computing environment.
  • the device embodiments may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, as a logical device, it is formed by reading the corresponding computer program instructions in the non-volatile memory into the memory through the processor of the electronic device where it is located.
  • FIG. 2 it is a hardware structure diagram of the electronic equipment where the blockchain-based data certification device is located in this specification, except for the processor, memory, network interface, and In addition to the non-volatile memory, the electronic device in which the apparatus is located in the embodiment generally may include other hardware according to the actual function of the electronic device, which will not be repeated here.
  • FIG. 3 is a block diagram of a blockchain-based data certification device shown in an exemplary embodiment of this specification.
  • the blockchain-based data certification device 30 can be applied to the aforementioned electronic device shown in FIG. 2, including: an acquisition module 301, a calculation module 302 and a certification module 303.
  • the obtaining module 301 obtains the collected target data
  • the calculation module 302 calculates the data summary of the target data
  • the certificate storage module 303 signs the data digest based on the private key corresponding to the electronic device in the secure computing environment, and publishes the signed data digest to the blockchain to allow
  • the node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key, and after the signature verification is passed, the data digest is verified in the blockchain for data certification.
  • the certificate storage module 303 further:
  • the data digest is signed based on the private key corresponding to the electronic device in the secure computing environment.
  • a key generation algorithm is stored in the secure computing environment
  • the obtaining module 301 further:
  • the certificate storage module 303 further:
  • the acquiring module 301 Based on the identity information acquired by the acquiring module 301, perform identity authentication for the user; if the identity authentication for the user is passed, call the key generation algorithm in the secure computing environment to generate the A private key and a public key; and, binding the generated private key with the identity information of the user, and storing the binding relationship in the secure computing environment.
  • the certificate storage module 303 further:
  • the secure computing environment also stores device authentication information signed based on the private key held by the manufacturer of the electronic device;
  • the certificate storage module 303 further:
  • the data digest Before signing the data digest based on the private key in the secure computing environment, verifying the signature of the device authentication information based on the public key corresponding to the private key held by the manufacturer of the electronic device; If the verification is passed, it is determined that the electronic device is a legitimate electronic device produced by the manufacturer, and the data digest is further signed based on the private key corresponding to the electronic device in the secure computing environment.
  • the certificate storage module 303 the certificate storage module 303:
  • the data digest and the description information of the target data are overall signed, and the signed data digest and the description data are published To the blockchain certificate; or,
  • the description data includes: a collection time of the target data, a collection location, and a combination of one or more of the objects related to the target data.
  • the electronic device includes a law enforcement recorder or a driving recorder;
  • the target data includes one or a combination of one of video data, audio data, and image data.
  • the relevant parts can be referred to the description of the method embodiments.
  • the device embodiments described above are only schematic, wherein the modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, may be located in One place, or can be distributed to multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solution in this specification. Those of ordinary skill in the art can understand and implement without paying creative labor.
  • the system, device, module or module explained in the above embodiments may be implemented by a computer chip or entity, or by a product with a certain function.
  • a typical implementation device is a computer, and the specific form of the computer may be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email sending and receiving device, and a game control Desk, tablet computer, wearable device, or any combination of these devices.
  • the electronic device includes: a processor and a memory for storing machine-executable instructions; wherein, the processor and the memory are usually connected to each other through an internal bus.
  • the device may also include an external interface to be able to communicate with other devices or components.
  • the electronic device is equipped with a secure computing environment, and a private key corresponding to the electronic device is stored in the secure computing environment;
  • Sign the data digest based on the private key corresponding to the electronic device in the secure computing environment and publish the signed data digest to the blockchain to allow the nodes in the blockchain
  • the device verifies the signature of the data digest based on the public key corresponding to the private key, and after the signature verification is passed, the data digest is verified in the blockchain for data certification.
  • the data digest is signed based on the private key corresponding to the electronic device in the secure computing environment.
  • a key generation algorithm is stored in the secure computing environment
  • the generated private key is bound to the user's identity information, and the binding relationship is stored in the secure computing environment.
  • the secure computing environment also stores device authentication information signed based on the private key held by the manufacturer of the electronic device;
  • the data digest and the description information of the target data are overall signed, and the signed data digest and the description data are published To the blockchain certificate; or,

Abstract

Disclosed is a blockchain-based data attestation method, which is applied to a terminal device, wherein the terminal device is mounted with a secure computing environment, and a private key corresponding to the terminal device is stored in the secure computing environment. The method comprises: obtaining collected target data; calculating a data digest of the target data; signing the data digest on the basis of the private key corresponding to the terminal device in the secure computing environment, and publishing the signed data digest to a blockchain, so that a node device in the blockchain verifies the signature of the data digest on the basis of a public key corresponding to the private key, and once the signature verification passes, data attestation is performed for the data digest in the blockchain.

Description

Blockchain-based data attestation method and apparatus, and electronic device
Technical field
One or more embodiments of this specification relate to the field of blockchain technology, and in particular to a blockchain-based data attestation method and apparatus, and an electronic device.
Background art
Blockchain technology, also known as distributed ledger technology, is an emerging technology in which a number of computing devices jointly take part in "bookkeeping" and jointly maintain a complete distributed database. Because blockchain technology is decentralized, open and transparent, allows every computing device to take part in recording to the database, and synchronizes data quickly between the computing devices, it has already been applied widely in many fields.
Summary of the invention
This specification proposes a blockchain-based data attestation method applied to a terminal device, wherein the terminal device is equipped with a secure computing environment, and a private key corresponding to the terminal device is stored in the secure computing environment. The method includes:
obtaining collected target data;
calculating a data digest of the target data;
signing the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishing the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, attests the data digest in the blockchain.
Optionally, signing the data digest in the secure computing environment based on the private key corresponding to the terminal device includes:
acquiring identity information input by the user of the terminal;
performing identity authentication of the user based on the acquired identity information;
if the identity authentication of the user passes, signing the data digest in the secure computing environment based on the private key corresponding to the terminal device.
Optionally, a key generation algorithm is stored in the secure computing environment;
the method further includes:
acquiring the identity information input by the user of the terminal device when the terminal device is used for the first time;
performing identity authentication of the user based on the acquired identity information;
if the identity authentication of the user passes, calling the key generation algorithm in the secure computing environment to generate the private key and a public key; and
binding the generated private key to the identity information of the user, and storing the binding relationship in the secure computing environment.
Optionally, signing the data digest in the secure computing environment based on the private key corresponding to the terminal device includes:
acquiring identity information input by the user of the terminal;
determining whether a private key bound to the identity information is stored in the secure computing environment;
if so, signing the data digest in the secure computing environment based on the private key bound to the identity information.
Optionally, the secure computing environment also stores device authentication information signed based on a private key held by the manufacturer of the terminal device;
before signing the data digest in the secure computing environment based on the private key, the method further includes:
verifying the signature of the device authentication information based on the public key corresponding to the private key held by the manufacturer of the terminal device; if the verification passes, determining that the terminal device is a legitimate terminal device produced by the manufacturer, and then signing the data digest in the secure computing environment based on the private key corresponding to the terminal device.
Optionally, signing the data digest in the secure computing environment based on the private key corresponding to the terminal device and publishing the signed target data to the blockchain includes:
signing the data digest and the description information of the target data as a whole in the secure computing environment based on the private key corresponding to the terminal device, and publishing the signed data digest and description data to the blockchain; or
signing the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishing the description data of the target data together with the signed data digest to the blockchain.
Optionally, the description data includes one or a combination of more of: the collection time of the target data, the collection location, and the object related to the target data.
Optionally, the terminal device includes a law enforcement recorder or a driving recorder; the target data includes one or a combination of more of video data, audio data, and image data.
This specification also proposes a blockchain-based data attestation apparatus applied to a terminal device, wherein the terminal device is equipped with a secure computing environment, and a private key corresponding to the terminal device is stored in the secure computing environment. The apparatus includes:
an acquisition module, which acquires collected target data;
a calculation module, which calculates a data digest of the target data;
an attestation module, which signs the data digest in the secure computing environment based on the private key corresponding to the terminal device and publishes the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, attests the data digest in the blockchain.
Optionally, the attestation module further:
acquires identity information input by the user of the terminal;
performs identity authentication of the user based on the acquired identity information;
if the identity authentication of the user passes, signs the data digest in the secure computing environment based on the private key corresponding to the terminal device.
Optionally, a key generation algorithm is stored in the secure computing environment;
the acquisition module further:
acquires the identity information input by the user of the terminal device when the terminal device is used for the first time;
the attestation module further:
performs identity authentication of the user based on the identity information acquired by the acquisition module; if the identity authentication of the user passes, calls the key generation algorithm in the secure computing environment to generate the private key and a public key; and binds the generated private key to the identity information of the user and stores the binding relationship in the secure computing environment.
Optionally, the attestation module further:
acquires identity information input by the user of the terminal;
determines whether a private key bound to the identity information is stored in the secure computing environment;
if so, signs the data digest in the secure computing environment based on the private key bound to the identity information.
Optionally, the secure computing environment also stores device authentication information signed based on a private key held by the manufacturer of the terminal device;
the attestation module further:
before the data digest is signed in the secure computing environment based on the private key, verifies the signature of the device authentication information based on the public key corresponding to the private key held by the manufacturer of the terminal device; if the verification passes, determines that the terminal device is a legitimate terminal device produced by the manufacturer, and then signs the data digest in the secure computing environment based on the private key corresponding to the terminal device.
Optionally, the attestation module:
signs the data digest and the description information of the target data as a whole in the secure computing environment based on the private key corresponding to the terminal device, and publishes the signed data digest and description data to the blockchain; or
signs the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publishes the description data of the target data together with the signed data digest to the blockchain.
Optionally, the description data includes one or a combination of more of: the collection time of the target data, the collection location, and the object related to the target data.
Optionally, the terminal device includes a law enforcement recorder or a driving recorder; the target data includes one or a combination of more of video data, audio data, and image data.
This specification also proposes an electronic device, including:
a processor;
a memory for storing machine-executable instructions;
wherein, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
obtain collected target data, wherein the electronic device is equipped with a secure computing environment, and a private key corresponding to the electronic device is stored in the secure computing environment;
calculate a data digest of the target data;
sign the data digest in the secure computing environment based on the private key corresponding to the electronic device, and publish the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, attests the data digest in the blockchain.
In the above technical solution, on the one hand, by modifying the hardware environment of the terminal device so that it carries a secure computing environment, and storing the private key corresponding to the terminal device in that environment, the terminal device can, when attesting collected data on the blockchain, sign the data to be attested inside the secure computing environment based on the private key. This prevents the data attested on the blockchain from being tampered with while it is propagated, and safeguards the data when it is attested on the blockchain;
On the other hand, by improving the flow of attesting data on the blockchain, the terminal device no longer needs to attest the original content of the collected data on the blockchain; instead, it stores the original content locally and attests a data digest of the original content on the blockchain. This lets the terminal device serve as the hub between the physical world and the on-chain world and makes attesting collected data on the blockchain more convenient. Moreover, a third party that obtains data collected by the terminal can conveniently verify the legitimacy of the obtained data by matching its data digest against the data digest of that data attested on the blockchain; the data collected by the terminal device can therefore be submitted to third parties as evidence, which significantly improves the usability of the data collected by the terminal device.
Brief description of the drawings
FIG. 1 is a flowchart of a blockchain-based data attestation method provided by an exemplary embodiment.
FIG. 2 is a schematic structural diagram of an electronic device provided by an exemplary embodiment.
FIG. 3 is a block diagram of a blockchain-based data attestation apparatus provided by an exemplary embodiment.
Detailed description
Because data stored in a blockchain is tamper-resistant, storing data on a blockchain for attestation is the current mainstream trend in the industry.
However, in practical applications, some streaming data, such as the video streams and audio streams collected by law enforcement recorders or driving recorders, occupies so much storage space that it usually cannot be stored directly on the blockchain for attestation.
Yet in some scenarios there is a strong need to attest exactly this kind of streaming data; for example, in judicial attestation scenarios, the video stream collected by a law enforcement recorder or driving recorder may be submitted to the judicial authorities as evidence.
Because there is no means of authenticating the data, the legitimacy of such streaming data as evidence is usually widely questioned. Therefore, the best way to handle such streaming data is still to store it on the blockchain for attestation; at the same time, it must also be possible to verify more conveniently the legitimacy of the attested data as judicial evidence.
Based on the above needs, this specification proposes a technical solution that uses the terminal device as the hub between the physical world and the on-chain world, so that the data it collects can be attested on the blockchain more conveniently.
In implementation, the hardware environment of the terminal device can be improved: a secure computing environment is built within the hardware environment of the terminal device, and the private key corresponding to the terminal device is stored and maintained in the secure computing environment.
For example, taking a law enforcement recorder or driving recorder as the terminal device, a security chip can be fitted in the hardware environment of the recorder, a secure computing environment built on that security chip, and that environment used to store and maintain the private key held by the recorder, thereby providing the recorder with a secure computing environment.
Further, after the terminal device collects data that needs to be attested on the blockchain, it can obtain the collected data, calculate a data digest of it, sign the calculated data digest in the secure computing environment based on the private key corresponding to the terminal device, and then publish the signed data digest to the blockchain.
After receiving the signed data digest published by the terminal device, a node device in the blockchain can obtain the public key corresponding to the terminal device's private key and verify the signature of the data digest based on that public key; if the signature verification passes, the data digest can be stored in the blockchain for attestation.
In the above technical solution, on the one hand, by modifying the hardware environment of the terminal device so that it carries a secure computing environment, and storing the private key corresponding to the terminal device in that environment, the terminal device can, when attesting collected data on the blockchain, sign the data to be attested inside the secure computing environment based on the private key. This prevents the data attested on the blockchain from being tampered with while it is propagated, and safeguards the data when it is attested on the blockchain;
On the other hand, by improving the flow of attesting data on the blockchain, the terminal device no longer needs to attest the original content of the collected data on the blockchain; instead, it stores the original content locally and attests a data digest of the original content on the blockchain. This lets the terminal device serve as the hub between the physical world and the on-chain world and makes attesting collected data on the blockchain more convenient. Moreover, a third party that obtains data collected by the terminal can conveniently verify the legitimacy of the obtained data by matching its data digest against the data digest of that data attested on the blockchain; the data collected by the terminal device can therefore be submitted to third parties as evidence, which significantly improves the usability of the data collected by the terminal device.
The specification is described below through specific embodiments in combination with specific application scenarios.
Referring to FIG. 1, FIG. 1 shows a blockchain-based data attestation method provided by an embodiment of this specification, applied to a terminal device, wherein the terminal device is equipped with a secure computing environment in which the private key corresponding to the terminal device is stored, and the following steps are performed:
Step 102: obtain collected target data;
Step 104: calculate a data digest of the target data;
Step 106: sign the data digest in the secure computing environment based on the private key corresponding to the terminal device, and publish the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, attests the data digest in the blockchain.
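The flow of steps 102 to 106, together with the optional identity-binding and manufacturer-check variants from the Summary, as an added example in Go; this is not code from the patent or its assignee. Ed25519 and SHA-256, the type names, the `signingInput` byte layout and the recorder, officer and video bytes are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

type Description struct{ Timestamp, Location, Object string } // collection time, location, related object

// Record is what the terminal publishes: digest, description data and one overall signature over both.
type Record struct {
	Digest    [32]byte
	Desc      Description
	Signature []byte
}

// SecureEnv stands in for the device's secure computing environment (field layout assumed here).
type SecureEnv struct {
	devPriv       ed25519.PrivateKey
	DevPub        ed25519.PublicKey
	boundIdentity [32]byte          // hash of the user identity the key is bound to
	deviceAuth    []byte            // device authentication info (device id + public key)
	authSig       []byte            // manufacturer's signature over deviceAuth
	mfrPub        ed25519.PublicKey // manufacturer public key used to check authSig
}

// Provision is the first-use flow: identity authentication is assumed passed, the key pair is
// generated inside the environment and bound to the identity, and the manufacturer-signed device
// authentication info is installed.
func Provision(identity, deviceID string, mfrPriv ed25519.PrivateKey) (*SecureEnv, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	auth := []byte(deviceID + ":" + hex.EncodeToString(pub))
	return &SecureEnv{
		devPriv: priv, DevPub: pub,
		boundIdentity: sha256.Sum256([]byte(identity)),
		deviceAuth:    auth,
		authSig:       ed25519.Sign(mfrPriv, auth),
		mfrPub:        mfrPriv.Public().(ed25519.PublicKey),
	}, nil
}

// signingInput fixes the byte layout that signer and verifier both sign over.
func signingInput(digest [32]byte, d Description) []byte {
	return []byte(hex.EncodeToString(digest[:]) + "|" + d.Timestamp + "|" + d.Location + "|" + d.Object)
}

// Attest is steps 102-106 on the device: require a key bound to this identity, check the
// manufacturer's signature on the device authentication info, then sign digest plus description.
func (e *SecureEnv) Attest(identity string, data []byte, d Description) (Record, error) {
	if sha256.Sum256([]byte(identity)) != e.boundIdentity {
		return Record{}, errors.New("no private key bound to this identity")
	}
	if !ed25519.Verify(e.mfrPub, e.deviceAuth, e.authSig) {
		return Record{}, errors.New("device authentication info failed manufacturer check")
	}
	digest := sha256.Sum256(data)
	return Record{Digest: digest, Desc: d, Signature: ed25519.Sign(e.devPriv, signingInput(digest, d))}, nil
}

type Ledger struct{ records map[[32]byte]Record } // stands in for the blockchain's distributed database

func NewLedger() *Ledger { return &Ledger{records: map[[32]byte]Record{}} }

// Deposit is the node device's step: verify with the terminal's public key, then persist.
func (l *Ledger) Deposit(r Record, devPub ed25519.PublicKey) error {
	if !ed25519.Verify(devPub, signingInput(r.Digest, r.Desc), r.Signature) {
		return errors.New("signature verification failed; record not stored")
	}
	l.records[r.Digest] = r
	return nil
}

// VerifyEvidence is the third party's check: recompute the digest and look for it on the chain.
func (l *Ledger) VerifyEvidence(data []byte) (Description, bool) {
	r, ok := l.records[sha256.Sum256(data)]
	return r.Desc, ok
}

func main() {
	// Constructed sample: a manufacturer key, one recorder and one video chunk.
	_, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Provision("officer-4711", "recorder-01", mfrPriv)
	video := []byte("constructed video frame bytes")
	rec, err := env.Attest("officer-4711", video, Description{"2019-09-09T08:00:00Z", "31.23N,121.47E", "plate ABC-123"})
	if err != nil {
		panic(err)
	}
	ledger := NewLedger()
	fmt.Println("deposit:", ledger.Deposit(rec, env.DevPub))
	_, okOrig := ledger.VerifyEvidence(video)
	_, okEdited := ledger.VerifyEvidence(append(video, '!'))
	fmt.Println("original on chain:", okOrig, "edited copy on chain:", okEdited)
}
```

Only the digest and description reach the ledger; the video stays on the device, and a single changed byte in the copy handed to the third party yields a digest with no matching record.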
The blockchain described in this specification may specifically be a private chain, a public chain, a consortium chain, or the like, and is not particularly limited in this specification.
For example, in one scenario, the blockchain may be a consortium chain whose member devices are a server of a third-party payment platform, a domestic bank server, an overseas bank server, and several user node devices. The operator of the consortium chain may rely on it to deploy online services such as consortium-chain-based cross-border transfers and asset transfers.
The terminal device may be any form of terminal device that can join the blockchain as a node device and store collected data on the blockchain as evidence;
For example, in practice the terminal device may be a law enforcement recorder or a driving recorder (dashcam). Such a recorder can join the blockchain as a node and store the collected stream data, such as video and audio data, on the blockchain as evidence.
Here, storing data on the blockchain as evidence means persisting the data in the blockchain as evidence.
The target data includes any type of data collected by the terminal device that needs to be stored as evidence in the distributed database of the blockchain;
For example, the target data may be stream data such as video, audio, or image data collected by a terminal device such as a law enforcement recorder or driving recorder.
In this specification, the hardware environment of the terminal device may be modified to build a secure computing environment within it. The built secure computing environment is used to store and maintain the private key corresponding to the terminal device and to provide a secure computing environment to the terminal device.
The specific way in which the secure computing environment is built in the hardware environment of the terminal device is not particularly limited in this specification.
In practice, the secure computing environment may be built by introducing new hardware into the hardware environment of the terminal device, by modifying the software environment of hardware already present in the terminal device, or by combining the two approaches.
For example, in one embodiment, a solution based on an SE (Secure Element) may be used to build the secure computing environment for the terminal device. In this solution, SE hardware is introduced into the hardware environment of the terminal device (either built into the terminal's hardware environment or externally connected to the terminal through an interface), and the SE hardware is used to store and maintain the private key of the terminal device and to provide the terminal device with a secure computing environment.
In another embodiment shown, a solution based on a TEE (Trusted Execution Environment) may be used to build the secure computing environment for the terminal device. In this solution, the software environment of hardware already present in the terminal device (such as the main chip) is modified to build a trusted execution environment within it, and the trusted execution environment is used to store and maintain the private key of the terminal device and to provide the terminal device with a secure computing environment.
In a third embodiment shown, a solution based on SE + TEE may be used to build the secure computing environment for the terminal device. In this solution, the SE hardware stores and maintains the private key of the terminal device, and the TEE provides the terminal device with a secure computing environment.
It should be noted that the embodiments listed above for building a secure computing environment for the terminal device are merely exemplary. In practice, a secure computing environment may obviously also be built for the terminal device by implementation means other than those listed above, which are not enumerated one by one in this specification.
In this specification, the terminal device may join the blockchain as a node device (also referred to as putting the device on-chain), and the private key corresponding to the terminal device is stored and maintained in the secure computing environment built for the terminal device.
The private key corresponding to the terminal device may be a private key held by the terminal device itself, or a private key held by the user of the terminal device.
That is, the "private key corresponding to the terminal device" described in this specification may be a private key generated for the terminal device by the device manufacturer at the production stage and held by the terminal device; or it may be a private key generated autonomously by the terminal device for a user when that user uses the terminal device, and held personally by that user.
In one embodiment shown, the private key and public key held by the terminal device may be generated for the terminal device by the device manufacturer at the production stage, and the manufacturer writes the private key into the secure computing environment of the terminal device in advance for storage and maintenance.
In this case, the private key and public key held by the terminal device are not associated with the identity of the user of the terminal device. Different users of the terminal device share the same private key that the manufacturer wrote into the secure computing environment by default.
In another embodiment shown, the private key and public key held by the terminal device may also be generated autonomously by the terminal device for the user of the terminal device, and the terminal device autonomously writes the private key into its secure computing environment.
In this case, the private key and public key generated autonomously by the terminal device may be associated with the identity of the user. Based on the identity information of different users, the terminal device may generate a separate private key and public key pair for each user, bind each generated private key to the identity information of the respective user, and store and maintain the binding relationship in the secure computing environment.
For example, in implementation, the manufacturer of the terminal device may write a key generation algorithm into the secure computing environment of the terminal device in advance. When a user uses the terminal device, the terminal device may prompt the user to enter identity information for identity authentication;
The data type of the identity information entered by the user and the identity authentication method adopted by the terminal device are not particularly limited in this specification; for example, a traditional authentication method such as entering a password or passphrase may be used, or an authentication method based on biometric features such as a fingerprint or face.
After the terminal device obtains the identity information entered by the user, it may determine whether a private key bound to that identity information is stored in the secure computing environment. If no such private key is stored, the user is a new user using the terminal device for the first time; the terminal device may then authenticate the user based on the obtained identity information and, if the authentication passes, call the key generation algorithm in the secure computing environment to generate a private key and public key pair, bind the generated private key to the identity information of the user, and store and maintain the binding relationship in the secure computing environment.
In this specification, a user may collect data with the terminal device and store the collected data on the blockchain as evidence through the terminal device.
In this specification, the terminal device only needs to store the collected data locally and store the data digest of the collected data on the blockchain; it no longer needs to store the original content of the collected data on the blockchain.
It should be noted that if the target data collected by the terminal device is stream data such as video or audio data, the terminal device may store such stream data on the blockchain in shards according to a preset time period;
For example, taking video data, the terminal device may treat each N minutes of video data as one shard, compute the data digest of that shard, and store the digest in the blockchain, strictly preserving the chronological order of the digests of the shards stored on the blockchain so that the stream can be traced back.
In this specification, when the terminal device needs to store collected target data on the blockchain as evidence, it first computes the data digest of the target data; for example, the data digest may be a hash value of the target data computed with a specific hash algorithm. The terminal device then signs the data digest in the secure computing environment based on the private key stored there.
In one embodiment shown, the secure computing environment of the terminal device may also store and maintain device authentication information signed with the private key held by the manufacturer of the terminal device; for example, the device authentication information may be signed by the manufacturer with its private key at the production stage and written into the secure computing environment for storage and maintenance.
The device authentication information may be any form of information used to authenticate the legitimacy of the terminal device; for example, it may be the production number of the terminal device or another form of anti-counterfeiting information.
In this case, before signing the data digest in the secure computing environment with the private key stored there, the terminal device may obtain the public key corresponding to the private key held by its manufacturer and verify the signature of the device authentication information with that public key. If the verification passes, the terminal device is determined to be a legitimate terminal device produced by that manufacturer, and only then does the terminal device proceed to sign the data digest in the secure computing environment with the private key stored there.
In this way, a legitimacy check of the terminal device is introduced before the digest to be put on-chain is signed with the private key stored in the secure computing environment, so that the on-chain data activity of illegitimate devices (such as counterfeit devices, or legitimate devices that have been maliciously modified) is terminated in time, which raises the security level of on-chain data.
In one embodiment shown, if the private key stored and maintained in the secure computing environment is a private key generated by the device manufacturer for the terminal device at the production stage and held by the terminal device, an identity authentication mechanism for the user of the terminal device may be introduced: the user is prompted to enter identity information; after obtaining the identity information, the terminal device authenticates the user based on it; and if the authentication passes, the terminal device signs the data digest in the secure computing environment with the private key held by the terminal device that is stored and maintained there.
In one embodiment shown, if the private key stored and maintained in the secure computing environment is a private key generated autonomously by the terminal device for the user and held by the user, the secure computing environment has stored and maintained in advance the binding relationship between the user's identity information and the private key.
In this case, after the terminal device obtains the identity information entered by the user, it may query the binding relationships maintained in the secure computing environment to determine whether a private key bound to that identity information is stored there; if so, the terminal device signs the data digest in the secure computing environment with the private key found.
Of course, if no private key bound to that identity information is stored in the secure computing environment, the user is a new user using the terminal device for the first time. The terminal device may then authenticate the user based on the obtained identity information and, after the authentication passes, call the key generation algorithm stored in the secure computing environment to generate a private key and public key for the user, sign the data digest with the generated private key, bind the generated private key to the user's identity information, and store and maintain the binding relationship in the secure computing environment.
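The two key arrangements above, a manufacturer-written device key that signs only after per-use identity authentication, and a per-user key that is generated and bound to the identity on first use and looked up on later uses, as an added example that is not part of the patent. The secure computing environment is modelled as a Go struct holding Ed25519 keys (the patent names no signature algorithm), and the identity type and the authentication hook are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is the identity information the terminal collected at login. The text
// leaves its type open (password, fingerprint, face); a string stands in for it here.
type Identity string

// Authenticator is the terminal's identity check, an assumed hook supplied by the
// caller, since the text does not fix the authentication method.
type Authenticator func(Identity) bool

// UserKeyEnv models the SE/TEE in the per-user arrangement: the key generation
// algorithm and the identity-to-private-key bindings live inside it, and private
// keys never leave it.
type UserKeyEnv struct {
	bindings     map[Identity]ed25519.PrivateKey
	authenticate Authenticator
}

func NewUserKeyEnv(auth Authenticator) *UserKeyEnv {
	return &UserKeyEnv{bindings: map[Identity]ed25519.PrivateKey{}, authenticate: auth}
}

// HasKey reports whether a private key is already bound to the identity.
func (e *UserKeyEnv) HasKey(id Identity) bool {
	_, ok := e.bindings[id]
	return ok
}

// SignDigest follows the branch in the text: look up the key bound to the identity;
// if none exists the user is new, so authenticate, generate a key pair inside the
// environment, bind it, then sign. The public key is returned so the terminal can
// hand it to the chain's node devices for verification.
func (e *UserKeyEnv) SignDigest(id Identity, digest []byte) ([]byte, ed25519.PublicKey, error) {
	priv, ok := e.bindings[id]
	if !ok {
		if !e.authenticate(id) {
			return nil, nil, errors.New("identity authentication failed; no key generated")
		}
		var err error
		_, priv, err = ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		e.bindings[id] = priv
	}
	return ed25519.Sign(priv, digest), priv.Public().(ed25519.PublicKey), nil
}

// DeviceKeyEnv models the other arrangement: one key written by the manufacturer at
// production time and shared by every user, with identity authentication on each use.
type DeviceKeyEnv struct {
	devPriv      ed25519.PrivateKey
	authenticate Authenticator
}

func NewDeviceKeyEnv(devPriv ed25519.PrivateKey, auth Authenticator) *DeviceKeyEnv {
	return &DeviceKeyEnv{devPriv: devPriv, authenticate: auth}
}

// SignDigest signs with the shared device key only after the user authenticates.
func (e *DeviceKeyEnv) SignDigest(id Identity, digest []byte) ([]byte, error) {
	if !e.authenticate(id) {
		return nil, errors.New("identity authentication failed")
	}
	return ed25519.Sign(e.devPriv, digest), nil
}

func main() {
	// Constructed credential check: only "officer-7" authenticates.
	auth := func(id Identity) bool { return id == "officer-7" }
	env := NewUserKeyEnv(auth)
	digest := sha256.Sum256([]byte("constructed shard bytes"))

	sig, pub, err := env.SignDigest("officer-7", digest[:]) // first use: key generated and bound
	fmt.Println("officer-7: bound =", env.HasKey("officer-7"), "err =", err,
		"verifies =", ed25519.Verify(pub, digest[:], sig))

	_, _, err = env.SignDigest("stranger", digest[:]) // unknown user fails authentication
	fmt.Println("stranger: bound =", env.HasKey("stranger"), "err =", err)
}
```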
In this specification, after the terminal device has signed the data digest of the collected target data in the secure computing environment with the private key stored there, it may publish the signed data digest in the blockchain;
For example, a blockchain transaction may be constructed based on the signed data digest and broadcast to the other node devices.
After receiving the signed data digest, a node device in the blockchain may obtain the public key corresponding to the private key stored in the secure computing environment and verify the signature of the data digest with that public key. If the signature verification passes, the node device may initiate consensus processing on the data digest in the blockchain and, after the consensus passes, package the data digest into a block and store it in the blockchain, completing the attestation of the data digest.
It should be noted that the consensus mechanism adopted by the blockchain described in this specification is not particularly limited; in practice, the operator of the blockchain may choose it flexibly according to actual needs.
In another embodiment shown, when storing the collected target data on the blockchain as evidence, the terminal device may also store the description data of the target data on the blockchain together with its data digest.
In this case, when signing the data digest of the target data in the secure computing environment with the private key stored there, the terminal device may sign the data digest and the description information of the target data as a whole, that is, package the data digest and the description information together and sign the package as a single unit; the signed data digest and description data are then published to the blockchain for attestation.
For example, the terminal device may construct a blockchain transaction based on the signed data digest and the description data of the target data and broadcast the transaction to the other node devices.
Alternatively, when signing the data digest of the target data in the secure computing environment with the private key stored there, the terminal device may sign only the data digest, and then publish the description data of the target data together with the signed data digest to the blockchain for attestation.
For example, the terminal device may construct a blockchain transaction based on the description data of the target data and the signed data digest and broadcast the transaction to the other node devices.
The specific content of the description information of the target data is not particularly limited in this specification; in practice it may cover any content related to the target data;
In one embodiment shown, since the collection time, the collection location, and the objects related to the data are usually extremely important attributes of data used as evidence, the description information of the target data in this specification may specifically include one or more of the collection time, the collection location, and the objects related to the target data.
In one embodiment shown, the collection time of the target data may be an authenticated authoritative time (timestamp) that the terminal device obtains by interacting with a time certification authority when the target data is collected. The collection location may be the precise location obtained by calling, in real time, a positioning module (such as a GPS module) carried by the terminal device when the target data is collected. The objects related to the target data may be entered manually by the legitimate user of the terminal device after the target data is collected.
For example, for forensic video data of a traffic accident collected by a law enforcement recorder, the description information of the video data may include the authenticated authoritative time obtained from the time certification authority at the moment the video was collected, the precise location obtained by the recorder calling its positioning module in real time at that moment, and the vehicle information and driver information related to the video entered by the law enforcement officer.
In the above technical solution, on the one hand, by modifying the hardware environment of the terminal device to equip it with a secure computing environment and storing the private key corresponding to the terminal device in that environment, the terminal device can sign the data to be stored as evidence in the secure computing environment with the private key when storing collected data on the blockchain. This prevents the data stored on the blockchain from being tampered with during propagation and safeguards data security when storing data on the blockchain;
On the other hand, by improving the process of storing data on the blockchain, the terminal device no longer needs to store the original content of the collected data on the blockchain; it stores the original content locally and stores only the data digest of the original content on the blockchain, so that the terminal device can act as a hub between the physical world and the on-chain world and store collected data on the blockchain more conveniently;
Moreover, a third party that obtains data collected by the terminal can conveniently verify the legitimacy of the obtained data by matching the data digest of the obtained data against the digest of that data stored on the blockchain. The data collected by the terminal device can therefore be submitted to third parties as evidence, which significantly improves the usability of the data collected by the terminal device.
For example, a terminal device such as a law enforcement recorder or driving recorder only needs to store the original content of the collected stream data (video, audio, and so on) locally and store the data digests of that original content on the blockchain; it no longer needs to store the original content of the stream data on the blockchain;
Moreover, when the user submits the stream data collected by the law enforcement recorder or driving recorder as evidence to a third-party institution (such as a judicial authority or an insurance company), the institution only needs to recompute the data digest of the data it obtained and match it against the digest of that data stored on the blockchain to conveniently verify the legitimacy of the obtained data. In this way, the high availability of data collected by law enforcement recorders or driving recorders as legitimate evidence files is significantly improved.
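The flow described above carried end to end, as an added example that is not the patent's code: the manufacturer attestation check before any signing, per-shard digests signed as one unit with their description data in chronological order, the node-side signature and ordering checks, and the third party's digest recomputation. Ed25519, SHA-256, the JSON encoding of the record, and all sample values (production number, timestamp, location, stream bytes) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is one shard's on-chain entry: its digest plus the description data named in the text.
type Record struct {
	Seq      int    // shard index, so the chain keeps chronological order
	Digest   string // hex SHA-256 of the raw shard, which itself stays on the terminal
	Time     string // authenticated timestamp (constructed value in the demo)
	Location string // positioning fix (constructed value in the demo)
	Object   string // related object entered by the operator
}

// SignedRecord carries one signature over the whole record: digest and description signed as a unit.
type SignedRecord struct {
	Record Record
	Sig    []byte
}

// canonical is the signed byte string; json.Marshal keeps declaration order, so both sides agree.
func canonical(r Record) []byte {
	b, _ := json.Marshal(r)
	return b
}

// Terminal models the recorder; DevPriv, ProdNo and the manufacturer-written ProdSig live in the secure environment.
type Terminal struct {
	DevPriv ed25519.PrivateKey
	ProdNo  string            // device authentication info (production number)
	ProdSig []byte            // manufacturer's signature over ProdNo
	MfrPub  ed25519.PublicKey // manufacturer public key used to check ProdSig
}

// AttestShards cuts the stream into shards of shardSize bytes, hashes each and signs
// digest+description in the secure environment. It first checks the manufacturer
// attestation, so a counterfeit or modified device whose attestation fails signs nothing.
func (t *Terminal) AttestShards(stream []byte, shardSize int, when, where, object string) ([]SignedRecord, error) {
	if !ed25519.Verify(t.MfrPub, []byte(t.ProdNo), t.ProdSig) {
		return nil, errors.New("device attestation invalid: refusing to sign")
	}
	var out []SignedRecord
	for seq, off := 0, 0; off < len(stream); seq, off = seq+1, off+shardSize {
		end := off + shardSize
		if end > len(stream) {
			end = len(stream)
		}
		sum := sha256.Sum256(stream[off:end])
		r := Record{Seq: seq, Digest: fmt.Sprintf("%x", sum), Time: when, Location: where, Object: object}
		out = append(out, SignedRecord{Record: r, Sig: ed25519.Sign(t.DevPriv, canonical(r))})
	}
	return out, nil
}

// Ledger models the node devices' on-chain store; consensus (left open by the text) is not modelled.
type Ledger struct {
	DevPub  ed25519.PublicKey // public key matching the terminal's private key
	Records []Record
}

// Accept runs the checks a node performs before proposing a record: signature, then ordering.
func (l *Ledger) Accept(sr SignedRecord) error {
	if !ed25519.Verify(l.DevPub, canonical(sr.Record), sr.Sig) {
		return errors.New("signature verification failed; record rejected")
	}
	if sr.Record.Seq != len(l.Records) {
		return fmt.Errorf("shard %d out of order, expected %d", sr.Record.Seq, len(l.Records))
	}
	l.Records = append(l.Records, sr.Record)
	return nil
}

// VerifyEvidence is the third party's check: recompute the file's digest and match the stored record.
func (l *Ledger) VerifyEvidence(seq int, data []byte) bool {
	if seq < 0 || seq >= len(l.Records) {
		return false
	}
	return l.Records[seq].Digest == fmt.Sprintf("%x", sha256.Sum256(data))
}

func main() {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader) // manufacturer key pair (constructed)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // device key pair (constructed)
	term := &Terminal{DevPriv: devPriv, ProdNo: "SN-EXAMPLE-0001", MfrPub: mfrPub,
		ProdSig: ed25519.Sign(mfrPriv, []byte("SN-EXAMPLE-0001"))}
	stream := []byte("constructed video stream bytes, 40 characters") // constructed input
	recs, _ := term.AttestShards(stream, 16, "2019-09-09T10:00:00Z", "lat/lon placeholder", "vehicle placeholder")
	led := &Ledger{DevPub: devPub}
	for _, r := range recs {
		fmt.Println("accept shard", r.Record.Seq, "err =", led.Accept(r))
	}
	fmt.Println("shard 0 verifies:", led.VerifyEvidence(0, stream[:16]),
		"altered file verifies:", led.VerifyEvidence(0, []byte("altered")))
}
```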
Corresponding to the above method embodiments, this specification also provides an embodiment of a blockchain-based data attestation apparatus. The apparatus embodiment of this specification may be applied to an electronic device, where the electronic device is equipped with a secure computing environment in which a private key corresponding to the electronic device is stored. The apparatus embodiment may be implemented in software, in hardware, or in a combination of the two. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the electronic device on which it runs reading the corresponding computer program instructions from non-volatile memory into memory and executing them. At the hardware level, FIG. 2 is a hardware structure diagram of the electronic device in which the blockchain-based data attestation apparatus of this specification is located. In addition to the processor, memory, network interface, and non-volatile memory shown in FIG. 2, the electronic device in which the apparatus of the embodiment is located may generally include other hardware according to its actual function, which is not described further here.
FIG. 3 is a block diagram of a blockchain-based data attestation apparatus shown in an exemplary embodiment of this specification.
Referring to FIG. 3, the blockchain-based data attestation apparatus 30 may be applied in the electronic device shown in FIG. 2 and comprises an acquisition module 301, a computation module 302, and an attestation module 303.
The acquisition module 301 obtains the collected target data;
The computation module 302 computes the data digest of the target data;
The attestation module 303 signs the data digest in the secure computing environment based on the private key corresponding to the electronic device and publishes the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key and, after the signature verification passes, stores the data digest in the blockchain as attestation.
In this embodiment, the attestation module 303 further:
obtains identity information entered by the user of the terminal;
authenticates the user based on the obtained identity information;
if the identity authentication of the user passes, signs the data digest in the secure computing environment based on the private key corresponding to the electronic device.
In this embodiment, a key generation algorithm is stored in the secure computing environment;
The acquisition module 301 further:
obtains the identity information entered by the user of the electronic device when using the electronic device for the first time;
The attestation module 303 further:
authenticates the user based on the identity information obtained by the acquisition module 301; if the identity authentication of the user passes, calls the key generation algorithm in the secure computing environment to generate the private key and a public key; and binds the generated private key to the identity information of the user and stores the binding relationship in the secure computing environment.
In this embodiment, the attestation module 303 further:
obtains identity information entered by the user of the terminal;
determines whether a private key bound to the identity information is stored in the secure computing environment;
if so, signs the data digest in the secure computing environment based on the private key bound to the identity information.
In this embodiment, the secure computing environment also stores device authentication information signed based on the private key held by the manufacturer of the electronic device;
The attestation module 303 further:
before signing the data digest in the secure computing environment based on the private key, verifies the signature of the device authentication information based on the public key corresponding to the private key held by the manufacturer of the electronic device; if the verification passes, determines that the electronic device is a legitimate electronic device produced by that manufacturer, and then signs the data digest in the secure computing environment based on the private key corresponding to the electronic device.
In this embodiment, the attestation module 303:
signs the data digest and the description information of the target data as a whole in the secure computing environment based on the private key corresponding to the electronic device, and publishes the signed data digest and description data to the blockchain; or,
signs the data digest in the secure computing environment based on the private key corresponding to the electronic device, and publishes the description data of the target data and the signed data digest to the blockchain.
In this embodiment, the description data includes one or more of: the collection time of the target data, the collection location, and the objects related to the target data.
在本实施例中,所述电子设备包括执法记录仪或者行车记录仪;所述目标数据包括视频数据、音频数据、图像数据中的一种或者多种的组合。In this embodiment, the electronic device includes a law enforcement recorder or a driving recorder; the target data includes one or a combination of one of video data, audio data, and image data.
For details of how the functions of each module in the above apparatus are implemented, refer to the implementation of the corresponding steps in the method described above; they are not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts can be found in the description of the method embodiments. The apparatus embodiments described above are illustrative only: modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement this without creative effort.
The system, apparatus, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or any combination of these devices.
Corresponding to the above method embodiments, this specification also provides an embodiment of an electronic device. The electronic device includes a processor and a memory for storing machine-executable instructions, where the processor and the memory are typically connected to each other by an internal bus. In other possible implementations, the device may also include an external interface for communicating with other devices or components.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
acquire collected target data, where the electronic device is equipped with a secure computing environment and the secure computing environment stores a private key corresponding to the electronic device;
compute a data digest of the target data; and
sign the data digest in the secure computing environment with the private key corresponding to the electronic device, and publish the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest with the public key corresponding to that private key and, once the signature verification passes, stores the data digest in the blockchain as attested data.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
acquire the identity information input by the user of the terminal;
authenticate the user on the basis of the acquired identity information; and
if the user passes identity authentication, sign the data digest in the secure computing environment with the private key corresponding to the electronic device.
In this embodiment, a key generation algorithm is stored in the secure computing environment;
by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
acquire the identity information input by the user of the electronic device when using the electronic device for the first time;
authenticate the user on the basis of the acquired identity information;
if the user passes identity authentication, invoke the key generation algorithm in the secure computing environment to generate the private key and the public key; and
bind the generated private key to the user's identity information, and store the binding relationship in the secure computing environment.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
acquire the identity information input by the user of the terminal;
determine whether a private key bound to that identity information is stored in the secure computing environment; and
if so, sign the data digest in the secure computing environment with the private key bound to the identity information.
In this embodiment, the secure computing environment further stores device authentication information signed with a private key held by the manufacturer of the electronic device;
by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
verify the signature of the device authentication information with the public key corresponding to the private key held by the manufacturer of the electronic device; if the verification passes, determine that the electronic device is a legitimate electronic device produced by that manufacturer and proceed to sign the data digest in the secure computing environment with the private key corresponding to the electronic device.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
sign the data digest and the description information of the target data as a whole in the secure computing environment with the private key corresponding to the electronic device, and publish the signed data digest and description data to the blockchain; or
sign the data digest in the secure computing environment with the private key corresponding to the electronic device, and publish the description data of the target data together with the signed data digest to the blockchain.
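The following Go program is an added example, not code from the patent or its applicant, that models the flow described in the apparatus embodiment and the electronic-device embodiment above (and restated in claims 1 to 17): first-use key generation bound to the user's identity, identity authentication before signing, verification of the manufacturer-signed device authentication information, an overall signature over the data digest and the description data, and a blockchain node that verifies the signature with the device's public key before storing the record. The patent names no concrete algorithms, so Ed25519 and SHA-256 are assumed here; the secure computing environment is modeled as an in-process struct (SecureEnv), the node as Node, and all names (Enroll, Sign, Accept, Record, Demo) and sample values (user identity, PIN, device info, description data) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecureEnv is a hypothetical stand-in for the patent's secure computing environment.
type SecureEnv struct {
	keysByIdentity map[string]ed25519.PrivateKey
	credentials    map[string][32]byte // identity -> SHA-256 of the enrolled credential
	deviceInfo     []byte              // device authentication information
	deviceInfoSig  []byte              // manufacturer's signature over deviceInfo
	manufacturerPK ed25519.PublicKey
}

// NewSecureEnv provisions the environment at manufacture time: the manufacturer signs deviceInfo.
func NewSecureEnv(deviceInfo []byte, manufacturerSK ed25519.PrivateKey) *SecureEnv {
	return &SecureEnv{
		keysByIdentity: map[string]ed25519.PrivateKey{},
		credentials:    map[string][32]byte{},
		deviceInfo:     deviceInfo,
		deviceInfoSig:  ed25519.Sign(manufacturerSK, deviceInfo),
		manufacturerPK: manufacturerSK.Public().(ed25519.PublicKey),
	}
}

// Enroll is the first-use step: generate the key pair inside the environment and bind it to the identity.
func (e *SecureEnv) Enroll(identity, credential string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	e.credentials[identity] = sha256.Sum256([]byte(credential))
	e.keysByIdentity[identity] = priv
	return pub, nil // the public key is what the blockchain nodes register for this device
}

// Record is what the device publishes: digest, description data, and one signature over both.
type Record struct {
	Digest      [32]byte
	Description string
	Signature   []byte
}

// signedPayload length-prefixes the description so digest||description cannot be re-split.
func signedPayload(digest [32]byte, description string) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(description)))
	return append(append(append([]byte{}, digest[:]...), n[:]...), description...)
}

// Sign: authenticate the user, check the manufacturer signature, use the bound key, sign as a whole.
func (e *SecureEnv) Sign(identity, credential string, target []byte, description string) (Record, error) {
	priv, bound := e.keysByIdentity[identity]
	want := e.credentials[identity]
	got := sha256.Sum256([]byte(credential))
	if !bound || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return Record{}, errors.New("no private key bound to this identity or authentication failed")
	}
	if !ed25519.Verify(e.manufacturerPK, e.deviceInfo, e.deviceInfoSig) {
		return Record{}, errors.New("device authentication info not signed by manufacturer")
	}
	digest := sha256.Sum256(target)
	return Record{digest, description, ed25519.Sign(priv, signedPayload(digest, description))}, nil
}

// Node models a blockchain node: it verifies with the device's public key, then stores.
type Node struct {
	DevicePK ed25519.PublicKey
	Ledger   []Record
}

// Accept returns false and stores nothing when the signature does not verify.
func (n *Node) Accept(r Record) bool {
	if !ed25519.Verify(n.DevicePK, signedPayload(r.Digest, r.Description), r.Signature) {
		return false
	}
	n.Ledger = append(n.Ledger, r)
	return true
}

// Demo runs the flow on constructed data: a genuine record and a copy altered after signing.
func Demo() (genuine, tampered bool, err error) {
	_, mfrSK, _ := ed25519.GenerateKey(rand.Reader)
	env := NewSecureEnv([]byte("constructed device auth info: model X, serial 0001"), mfrSK)
	devicePK, _ := env.Enroll("officer-42", "constructed-pin-1234")
	rec, err := env.Sign("officer-42", "constructed-pin-1234", []byte("constructed video bytes"), "t=2018-10-31T10:00Z;place=lot-7")
	forged := Record{rec.Digest, "t=2018-10-31T10:00Z;place=lot-9", rec.Signature} // description changed after signing
	node := &Node{DevicePK: devicePK}
	return node.Accept(rec), node.Accept(forged), err
}

func main() {
	fmt.Println(Demo()) // true false <nil>
}
```

Two design points the patent text leaves implicit are made concrete here: the node needs only the device's public key, so the private key never leaves the environment, and because the digest and the description data are signed as a single length-prefixed payload, editing the collection time or location after the fact invalidates the signature just as editing the video would. In a real device the SecureEnv struct would be replaced by a secure element or TEE that keeps the key non-exportable; that hardware property is what this software model cannot provide.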
After considering the specification and practicing the invention disclosed herein, those skilled in the art will readily conceive of other embodiments of this specification. This specification is intended to cover any variations, uses or adaptations that follow its general principles and include common general knowledge or customary technical means in the art not disclosed herein. The description and examples are to be regarded as exemplary only; the true scope and spirit of this specification are indicated by the following claims.
It should be understood that this specification is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes can be made without departing from its scope. The scope of this specification is limited only by the appended claims.
The above are merely preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of this specification shall fall within its scope of protection.

Claims (17)

  1. A blockchain-based data attestation method applied to a terminal device, where the terminal device is equipped with a secure computing environment and the secure computing environment stores a private key corresponding to the terminal device, the method comprising:
    acquiring collected target data;
    computing a data digest of the target data; and
    signing the data digest in the secure computing environment with the private key corresponding to the terminal device, and publishing the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest with the public key corresponding to that private key and, once the signature verification passes, stores the data digest in the blockchain as attested data.
  2. The method according to claim 1, wherein signing the data digest in the secure computing environment with the private key corresponding to the terminal device comprises:
    acquiring identity information input by the user of the terminal;
    authenticating the user on the basis of the acquired identity information; and
    if the user passes identity authentication, signing the data digest in the secure computing environment with the private key corresponding to the terminal device.
  3. The method according to claim 1, wherein a key generation algorithm is stored in the secure computing environment;
    the method further comprising:
    acquiring the identity information input by the user of the terminal device when using the terminal device for the first time;
    authenticating the user on the basis of the acquired identity information;
    if the user passes identity authentication, invoking the key generation algorithm in the secure computing environment to generate the private key and the public key; and
    binding the generated private key to the user's identity information, and storing the binding relationship in the secure computing environment.
  4. The method according to claim 3, wherein signing the data digest in the secure computing environment with the private key corresponding to the terminal device comprises:
    acquiring identity information input by the user of the terminal;
    determining whether a private key bound to that identity information is stored in the secure computing environment; and
    if so, signing the data digest in the secure computing environment with the private key bound to the identity information.
  5. The method according to claim 1, wherein the secure computing environment further stores device authentication information signed with a private key held by the manufacturer of the terminal device;
    before signing the data digest with the private key in the secure computing environment, the method further comprising:
    verifying the signature of the device authentication information with the public key corresponding to the private key held by the manufacturer of the terminal device; and if the verification passes, determining that the terminal device is a legitimate terminal device produced by that manufacturer and proceeding to sign the data digest in the secure computing environment with the private key corresponding to the terminal device.
  6. The method according to claim 1, wherein signing the data digest in the secure computing environment with the private key corresponding to the terminal device and publishing the signed target data to the blockchain comprises:
    signing the data digest and the description information of the target data as a whole in the secure computing environment with the private key corresponding to the terminal device, and publishing the signed data digest and description data to the blockchain; or
    signing the data digest in the secure computing environment with the private key corresponding to the terminal device, and publishing the description data of the target data together with the signed data digest to the blockchain.
  7. The method according to claim 6, wherein the description data comprises one or more of: the time at which the target data was collected, the location at which it was collected, and the objects to which the target data relates.
  8. The method according to claim 1, wherein the terminal device comprises a law enforcement recorder or a driving recorder, and the target data comprises one or more of video data, audio data and image data.
  9. A blockchain-based data attestation apparatus applied to a terminal device, where the terminal device is equipped with a secure computing environment and the secure computing environment stores a private key corresponding to the terminal device, the apparatus comprising:
    an acquisition module, which acquires collected target data;
    a computation module, which computes a data digest of the target data; and
    an attestation module, which signs the data digest in the secure computing environment with the private key corresponding to the terminal device, and publishes the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest with the public key corresponding to that private key and, once the signature verification passes, stores the data digest in the blockchain as attested data.
  10. The apparatus according to claim 9, wherein the attestation module further:
    acquires identity information input by the user of the terminal;
    authenticates the user on the basis of the acquired identity information; and
    if the user passes identity authentication, signs the data digest in the secure computing environment with the private key corresponding to the terminal device.
  11. The apparatus according to claim 9, wherein a key generation algorithm is stored in the secure computing environment;
    the acquisition module further:
    acquires the identity information input by the user of the terminal device when using the terminal device for the first time;
    the attestation module further:
    authenticates the user on the basis of the identity information acquired by the acquisition module; if the user passes identity authentication, invokes the key generation algorithm in the secure computing environment to generate the private key and the public key; and binds the generated private key to the user's identity information and stores the binding relationship in the secure computing environment.
  12. The apparatus according to claim 11, wherein the attestation module further:
    acquires identity information input by the user of the terminal;
    determines whether a private key bound to that identity information is stored in the secure computing environment; and
    if so, signs the data digest in the secure computing environment with the private key bound to the identity information.
  13. The apparatus according to claim 9, wherein the secure computing environment further stores device authentication information signed with a private key held by the manufacturer of the terminal device;
    the attestation module further:
    before signing the data digest with the private key in the secure computing environment, verifies the signature of the device authentication information with the public key corresponding to the private key held by the manufacturer of the terminal device; if the verification passes, determines that the terminal device is a legitimate terminal device produced by that manufacturer and proceeds to sign the data digest in the secure computing environment with the private key corresponding to the terminal device.
  14. The apparatus according to claim 9, wherein the attestation module:
    signs the data digest and the description information of the target data as a whole in the secure computing environment with the private key corresponding to the terminal device, and publishes the signed data digest and description data to the blockchain; or
    signs the data digest in the secure computing environment with the private key corresponding to the terminal device, and publishes the description data of the target data together with the signed data digest to the blockchain.
  15. The apparatus according to claim 14, wherein the description data comprises one or more of: the time at which the target data was collected, the location at which it was collected, and the objects to which the target data relates.
  16. The apparatus according to claim 9, wherein the terminal device comprises a law enforcement recorder or a driving recorder, and the target data comprises one or more of video data, audio data and image data.
  17. An electronic device, comprising:
    a processor; and
    a memory for storing machine-executable instructions;
    wherein, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of blockchain-based data attestation, the processor is caused to:
    acquire collected target data, where the electronic device is equipped with a secure computing environment and the secure computing environment stores a private key corresponding to the electronic device;
    compute a data digest of the target data; and
    sign the data digest in the secure computing environment with the private key corresponding to the electronic device, and publish the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest with the public key corresponding to that private key and, once the signature verification passes, stores the data digest in the blockchain as attested data.
PCT/CN2019/104943 2018-10-31 2019-09-09 Blockchain-based data attestation method and apparatus, and electronic device WO2020088108A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811289558.0 2018-10-31
CN201811289558.0A CN109660350A (en) 2018-10-31 2018-10-31 Data based on block chain deposit card method and device, electronic equipment

Publications (1)

Publication Number Publication Date
WO2020088108A1 true WO2020088108A1 (en) 2020-05-07

Family

ID=66110371

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/104943 WO2020088108A1 (en) 2018-10-31 2019-09-09 Blockchain-based data attestation method and apparatus, and electronic device

Country Status (3)

Country Link
CN (1) CN109660350A (en)
TW (1) TWI701573B (en)
WO (1) WO2020088108A1 (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277020A (en) * 2017-06-23 2017-10-20 国民认证科技(北京)有限公司 The system and method for remote validation mobile device legitimacy based on public private key system
CN107480451A (en) * 2017-08-15 2017-12-15 济南浪潮高新科技投资发展有限公司 The solution method of fast verification electronic health record integrality based on block chain technology
CN108616539A (en) * 2018-05-03 2018-10-02 东莞市翔实信息科技有限公司 A kind of method and system that block chain transaction record accesses
US10298395B1 (en) * 2018-09-26 2019-05-21 Accenture Global Solutions Limited Interoperability of zero-knowledge proof enabled blockchains
CN109583230A (en) * 2018-10-31 2019-04-05 阿里巴巴集团控股有限公司 Data based on block chain deposit card method and device, electronic equipment
CN109660350A (en) * 2018-10-31 2019-04-19 阿里巴巴集团控股有限公司 Data based on block chain deposit card method and device, electronic equipment

Also Published As

Publication number Publication date
TWI701573B (en) 2020-08-11
CN109660350A (en) 2019-04-19
TW202018569A (en) 2020-05-16

Similar Documents

Publication Publication Date Title
WO2020088108A1 (en) Blockchain-based data attestation method and apparatus, and electronic device
TWI741314B (en) Block chain-based data storage method and device, and electronic equipment
TW202018571A (en) Data storage method and device based on block chain and electronic equipment
CN108898389B (en) Content verification method and device based on block chain and electronic equipment
TWI694709B (en) Blockchain-based electronic signature method and device, and electronic equipment
US11170092B1 (en) Document authentication certification with blockchain and distributed ledger techniques
WO2020108114A1 (en) Blockchain-based data attestation method and apparatus, and electronic device
US11334882B1 (en) Data access management on a distributed ledger system
TW202024944A (en) Data sharing method, apparatus, and system, and electronic device
CN110958319B (en) Method and device for managing infringement and evidence-based block chain
WO2020000770A1 (en) Block chain-based method and apparatus for querying pledge information, and computer device
CN110800254A (en) System and method for generating digital indicia
US20220021528A1 (en) Secure storage techniques utilizing consortium distributed ledgers
US11250423B2 (en) Encapsulated security tokens for electronic transactions
CN110969531A (en) Borrowing deposit verification and online checking method and system
WO2020108130A1 (en) Blockchain-based service processing method and apparatus, and electronic device
Xu et al. Blockchain-based transparency framework for privacy preserving third-party services
CN113779637B (en) Attribute data processing method, attribute data processing device, attribute data processing equipment and attribute data processing medium
WO2021223653A1 (en) Methods and devices for protecting and verifying state transition of record
WO2021139605A1 (en) Methods and devices for providing decentralized identity verification
CN117155553A (en) Certificate storing method, device, medium and equipment
CN116244758A (en) Electronic contract solidifying method, device, equipment and storage medium based on block chain
CN114945933A (en) Method and apparatus for protecting and verifying recorded status information
CN115576944A (en) Block chain-based electronic certificate authentication method and device
CN116091063A (en) Transaction processing method, electronic device and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 19879595; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 19879595; Country of ref document: EP; Kind code of ref document: A1)