WO2020143318A1 - Data verification method and terminal device - Google Patents


Publication number
WO2020143318A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
storage node
data
certificate
public key
Application number
PCT/CN2019/118157
Inventor
雷琼
郑映锋
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present application belongs to the field of computer application technology, and particularly relates to a data verification method, a terminal device, and a computer non-volatile readable storage medium.
  • P2P storage is a kind of network storage based on P2P (Peer-to-Peer) technology. It organizes many machines in a peer-to-peer way to provide users with a large-capacity data storage service.
  • It is a network technology on the Internet and the product of the combination of computer networks and distributed systems. The core idea is to remove the concept of a central server and build the Internet on the basis of peer-to-peer interconnection to achieve maximum resource sharing.
  • Signatures are verified by certificates to achieve identity authentication. However, the certificate and the signature may still be forged at the same time, which threatens data security.
  • Embodiments of the present application provide a data verification method, a terminal device, and a computer non-volatile readable storage medium to solve the problem in the prior art that certificates and signatures may be forged at the same time, threatening data security.
  • the first aspect of the embodiments of the present application provides a data verification method, including:
  • the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node;
  • if the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node ID; the node ID is generated from a digital digest of the storage node's public key;
  • the signature in the stored data stored by the storage node is verified according to the public key of the storage node, and if the signature verification is passed, the stored data is correct.
  • A second aspect of an embodiment of the present application provides a terminal device, including a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor; when the processor executes the computer-readable instructions, the method of the first aspect described above is implemented.
  • a third aspect of the embodiments of the present application provides a terminal device, including various units that implement the method of the first aspect described above.
  • a fourth aspect of the embodiments of the present application provides a computer nonvolatile readable storage medium.
  • the computer storage medium stores computer readable instructions.
  • the computer readable instructions include program instructions. When the processor executes, the processor is caused to execute the method of the first aspect.
  • The embodiment of the present application acquires the node certificate of the storage node and verifies whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node. If the node certificate is issued by the trusted root certificate, the public key of the storage node is obtained and checked against the pre-stored node ID; the node ID is generated from a digital digest of the storage node's public key. If the storage node's public key is correct, the signature in the stored data stored by the storage node is verified according to the storage node's public key; if the signature verification passes, the stored data is correct. By verifying both the node certificate and signature of the storage node and the correctness of the stored data in the storage node, the security of the stored data of the node in the peer-to-peer network is improved.
  • FIG. 1 is a flowchart of a data verification method provided in Embodiment 1 of the present application.
  • FIG. 2 is a flowchart of a data verification method provided in Embodiment 2 of the present application.
  • FIG. 3 is a schematic diagram of a terminal device provided in Embodiment 3 of this application.
  • FIG. 4 is a schematic diagram of a terminal device provided in Embodiment 4 of the present application.
  • FIG. 1 is a flowchart of a data verification method provided in Embodiment 1 of the present application.
  • the execution subject of the data verification method in this embodiment is a terminal.
  • Terminals include but are not limited to mobile terminals such as smart phones, tablet computers, and wearable devices, and may also be desktop computers.
  • the data verification method shown in the figure may include the following steps:
  • S101 Obtain a node certificate of a storage node, and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store storage data sent by a data owner terminal, and the storage data includes the storage node's signature.
  • A digital certificate is a series of numbers that marks the identity information of all parties in a communication, and provides a way to verify the identity of the communicating entity on the Internet.
  • A digital certificate is a stamp or seal placed on the digital ID card by the identity certification agency.
  • The digital identity of the storage node is obtained to verify whether the node identity of the storage node is authentic.
  • A digital certificate is a file digitally signed by a certificate authority that contains the public key and information about the owner of the public key. The simplest certificate contains a public key, a name and the digital signature of the certificate authority. Another important feature of digital certificates is that they are only valid for a specific period of time.
  • The digital certificate binds the public key to the true identity of its holder. It is similar to the resident ID card in real life. The difference is that the digital certificate is no longer a paper certificate, but a piece of electronic data that contains the identity information of the certificate holder and is issued by the certification center, which can be used more conveniently and flexibly in the process of verifying the data accuracy of the storage node.
  • The process of issuing digital certificates for storage nodes is generally to first generate a key pair for each storage node, that is, a public key and a private key, and transmit the public key and part of the node information to the certification center. After verifying the identity, the certification center performs some necessary steps to ensure that the request was indeed sent by the storage node. The certification center then issues a digital certificate to the storage node, which contains the node information and other information of the storage node. The public key information of the certificate is attached as well.
  • The storage node can use its own digital certificate to perform various related activities. Digital certificates are issued by independent certificate issuing agencies. Digital certificates differ, and each certificate can provide a different level of credibility. You can obtain your own digital certificate from the certificate issuing agency.
  • One way to obtain the node certificate is to send a certificate request to the storage node. After receiving the certificate request, the storage node sends its own certificate to the data owner terminal. Alternatively, the storage node may periodically send its own node certificate to the data owner terminal, so that the data owner does not have to actively request the node certificate, which reduces the workload of the data owner terminal.
  • the storage node in this embodiment is used to store the storage data sent by the data owner terminal.
  • the storage data may be due to the limited data storage capability or data processing capability of the data owner terminal, and the needs determined by the data owner terminal
  • The data owner terminal sends the data to be stored in the storage node to the storage node, and specifies that this part of the stored data can only be stored by the corresponding storage node; the storage node cannot perform any type of processing on the stored data, and only the data owner terminal or a terminal device with processing authority can process it.
  • the storage data stored by the storage node includes the signature of the storage node, and the signature of the storage node can be used to verify that the storage data is written by the storage node.
  • the signature in this embodiment is generated only by the storage node and cannot be forged by others. This digital string is also an effective proof of the correctness of the stored information.
  • The node certificate in this embodiment is issued through a certificate authority (CA).
  • The certificate authority bears the responsibility of checking the legality of the public key in the public key system.
  • the CA center issues a digital certificate for each storage node that uses the public key.
  • the role of the digital certificate is to prove that the storage node listed in the certificate has the public key listed in the certificate.
  • the CA organization's digital signature prevents attackers from forging and tampering with certificates. It is responsible for generating, distributing and managing the digital certificates required by all individuals involved in online transactions, so it is the core link of secure electronic transactions.
  • the organization is responsible for issuing and managing e-commerce security certificates that meet the national and international standards for secure electronic transactions to all subjects of e-commerce.
  • When verifying the node certificate, first obtain the node certificate of the storage node and determine the issuer ID that issued the node certificate. Then check whether the issuer ID exists in the preset trusted e-commerce certification authority table; if the issuer ID exists in the trusted e-commerce certification authority table, it is determined that the node certificate is issued by the trusted root certificate.
  • S102 If the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node ID; the node ID is generated from a digital digest of the storage node's public key.
  • the public key of the storage node is obtained from the storage node.
  • the method of obtaining the public key may be a method of sending a public key acquisition request to the storage node. Since the public key of each storage node can be public, the public key of the storage node can also be pre-stored in the data owner terminal.
  • When the data owner terminal needs to verify the storage node's public key, it can obtain the public key of the storage node directly from its own database.
  • the data owner terminal can obtain the public key of the storage node in real time, and store the situation where the node modifies its own public key in a manner.
  • the verification determines that the node certificate is not issued by the preset trusted root certificate
  • the data owner terminal stores the node ID of each storage node.
  • The node ID is obtained by performing a digest calculation on the storage node's public key, and is used to verify whether the storage node's public key is correct.
  • The specific verification method is to first calculate the data digest of the storage node's public key to obtain the public key digest, and then compare the public key digest with the data identifier. If the public key digest and the data identifier are consistent, the storage node's public key is determined to be correct.
  • the digital signature is some data attached to the stored data, and it can also be a cryptographic transformation made to the stored data. This data or transformation allows the data owner of the stored data to verify the integrity of the stored data to protect the data and prevent the risk of storage node falsification.
  • It is a method for signing messages in electronic form. A signed message can be transmitted in a communication network. Digital signatures can be obtained from both public key cryptosystems and private key cryptosystems, but they are mainly based on public key cryptosystems, and include ordinary digital signatures and special digital signatures.
  • Common digital signature algorithms include the Data Encryption Standard (DES) algorithm, the elliptic curve digital signature algorithm and the finite automaton digital signature algorithm, etc.
  • They can also include blind signatures, proxy signatures, group signatures, non-repudiation signatures, fair blind signatures, threshold signatures and signatures with a message recovery function, which are closely related to the specific application.
  • When verifying the stored data according to the storage node's public key, the question is how to verify the correctness of the data, ensuring that the data is the original data of the data owner and has not been tampered with or deleted by the storage node. This is where the signature is used. If the public key of the storage node is correct, the signature in the storage data stored by the storage node is verified according to the public key of the storage node, and the correctness of the data is also determined. Before the data owner sends the stored data to the storage node, it performs digest processing on the stored data to obtain a data digest of the stored data. The original data cannot be recovered by inverting the data digest.
  • The data owner terminal sends a public key request to the storage node again. After obtaining the storage node's public key again, public key verification and data verification are performed.
  • The storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node; if the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node ID; the node ID is generated from the digital digest of the storage node's public key; if the storage node's public key is correct, verify the signature in the stored data stored by the storage node according to the storage node's public key; if the signature verification passes, the stored data is correct.
  • the security of the stored data of the node in the peer-to-peer network is improved.
  • FIG. 2 is a flowchart of a data verification method provided in Embodiment 2 of the present application.
  • the execution subject of the data verification method in this embodiment is a terminal.
  • Terminals include but are not limited to mobile terminals such as smart phones, tablet computers, and wearable devices, and may also be desktop computers.
  • the data verification method as shown in the figure may include the following steps:
  • S201 Obtain the node certificate of the storage node, and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the storage node’s signature.
  • the data owner terminal sends a certificate request to the storage node. After obtaining the node certificate of the storage node, it is verified whether the node certificate is issued by a preset trusted root certificate.
  • The specific way to verify whether the node certificate is issued by the preset trusted root certificate is to first determine the issuer ID that issued the node certificate and then check whether that issuer ID exists in the preset trusted e-commerce certification authority table.
  • If the issuer ID exists in the trusted e-commerce certification authority table, the node certificate is determined to be issued by the trusted root certificate; if the issuer ID does not exist in the trusted e-commerce certification authority table, the node certificate is determined not to be issued by the trusted root certificate and there is a problem with the identity of the storage node, which requires stricter identity authentication, such as obtaining the processing authority of the storage node and viewing the historical data processing status of the storage node, and then handling the storage node according to that historical data processing status and processing authority, for example by restricting its data authority or formatting it.
  • Step S201 may specifically include steps S2011 to S2012:
  • S2011 If the node certificate is issued by the trusted root certificate, send an authorization instruction to store the stored data to the storage node.
  • the specific authorization method is to send an authorization instruction for storing data to the storage node.
  • the authorization instruction may include data information to be stored, data storage requirements, etc., and may also include terminal authentication information of the data owner, which is not limited herein.
  • S2012 Receive a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process; the data writing process includes the storage node verifying the authorization content in the authorization instruction according to the node certificate, then writing the stored data and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  • The storage node may start to store the stored data according to the data information and data storage requirements in the authorization instruction. Further, to ensure the security of the data and the orderliness of the storage process, the storage node can verify whether the authorization content in the authorization instruction is correct through its own node certificate after receiving the authorization instruction. After the verification passes, it writes the storage data into its own storage space and attaches the signature of the storage node once the writing is completed, so that the signature can be used to verify whether the stored data is correct. After the writing is completed, the write completion notification is sent to the data owner terminal.
  • The locally stored terminal authentication information of the data owner can be compared with the terminal authentication information of the data owner in the authorization content. If the two are consistent, the authorization content in the authorization instruction passes verification.
  • After verifying that the node certificate is issued by the trusted root certificate, obtain the public key of the storage node. Since the public key may be tampered with when both parties pass it over the network, in this embodiment the storage node's public key is verified according to the pre-stored node ID.
  • step S202 may specifically include steps S2021 to S2023:
  • The public key may be tampered with when both parties pass it over the network.
  • Since the public key of each storage node can be public, the public key of the storage node can also be stored in advance in the data owner terminal. When the data owner terminal needs to verify the public key of the storage node, it can obtain the public key of the storage node directly from its own database.
  • S2022 Calculate the data digest of the public key of the storage node to obtain a public key digest.
  • A public key cryptosystem is used, with two keys: one for encrypting information and the other for decrypting information. There is a certain mathematical relationship between these two keys, so that data encrypted with either one of the two keys can only be decrypted with the other one.
  • Each storage node has two keys, a public key and a private key. The public key is sent to the data owner terminal for verification, and the private key is used to encrypt and store data. Due to the mathematical relationship between the two keys, any other terminal device that receives the public key is guaranteed that data encrypted with the public key can only be decrypted by the storage node using its own private key. Of course, this guarantee is based on the privacy of users' private keys.
  • the data owner terminal stores the node ID of each storage node.
  • The node ID is obtained by performing a digest calculation on the storage node's public key, and is used to verify whether the storage node's public key is correct.
  • The digest algorithm calculates the message digest of the public key to obtain the public key digest. By comparing the two message digests, it can be clearly determined whether the storage node's public key has been tampered with during transmission. The same result indicates that the data has not been modified, and different results indicate that the data has been modified or lost, thereby ensuring the accuracy of the storage node in the transmission process.
  • A commonly used digest algorithm is the Message Digest Algorithm (MD5); this is not limited here.
  • S2023 Compare the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determine that the public key of the storage node is correct.
  • a fair third party can be introduced.
  • When a party wants to publish its public key, it submits its own identity information and public key to this third party. The third party verifies the identity and, if there is no problem, packages the information and public key into a certificate.
  • this fair third party is often referred to as a certificate authority.
  • S203 If the public key of the storage node is correct, verify the signature in the stored data stored by the storage node according to the public key of the storage node, and if the signature verification is passed, the stored data is correct.
  • S203 is implemented in the same way as S103 in the embodiment corresponding to FIG. 1.
  • S101 in the embodiment corresponding to FIG. 1, and details are not described herein again.
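Added example (not part of the patent text): the checks of S101 to S103, including the digest comparison of S2021 to S2023, written for Node.js with its built-in crypto module. The simplified certificate layout, the names (`issueNodeCert`, `verifyStoredData`, `ca-01`), Ed25519 and SHA-256 are assumptions; the trusted table here maps each issuer ID to that CA's public key, so the CA signature is checked in addition to the issuer ID lookup the text describes.

```javascript
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const spkiDer = (key) => key.export({ type: 'spki', format: 'der' });

// Bytes the CA signs in this simplified, non-X.509 certificate (assumed layout).
function tbsBytes(issuerId, subject, publicKeyDer) {
  return Buffer.concat([Buffer.from(`${issuerId}\n${subject}\n`, 'utf8'), publicKeyDer]);
}

// CA side: bind a storage node's public key to its name.
function issueNodeCert(issuerId, caPrivateKey, subject, nodePublicKey) {
  const publicKeyDer = spkiDer(nodePublicKey);
  const caSignature = crypto.sign(null, tbsBytes(issuerId, subject, publicKeyDer), caPrivateKey);
  return { issuerId, subject, publicKeyDer, caSignature };
}

// Data owner side: returns which step, if any, rejected the record.
function verifyStoredData(record, trustedCaTable, pinnedNodeId) {
  const { cert, storedData, signature } = record;

  // S101: issuer ID must be in the trusted table AND the CA signature must verify.
  const caKey = trustedCaTable.get(cert.issuerId);
  if (!caKey) return { ok: false, failedStep: 'S101', reason: 'issuer ID not in trusted table' };
  const tbs = tbsBytes(cert.issuerId, cert.subject, cert.publicKeyDer);
  if (!crypto.verify(null, tbs, caKey, cert.caSignature)) {
    return { ok: false, failedStep: 'S101', reason: 'certificate not signed by the listed CA' };
  }

  // S102: digest of the presented public key must equal the pre-stored node ID.
  const digest = sha256(cert.publicKeyDer);
  if (digest.length !== pinnedNodeId.length || !crypto.timingSafeEqual(digest, pinnedNodeId)) {
    return { ok: false, failedStep: 'S102', reason: 'public key digest differs from node ID' };
  }

  // S103: the signature attached to the stored data must verify under that key.
  const nodeKey = crypto.createPublicKey({ key: cert.publicKeyDer, format: 'der', type: 'spki' });
  if (!crypto.verify(null, storedData, nodeKey, signature)) {
    return { ok: false, failedStep: 'S103', reason: 'signature does not match stored data' };
  }
  return { ok: true, failedStep: null, reason: 'stored data verified' };
}

// Constructed fixtures: one accepted record and four negative test cases.
function runDemo() {
  const ca = crypto.generateKeyPairSync('ed25519');
  const node = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // a key pair that is not the pinned node
  const trusted = new Map([['ca-01', ca.publicKey]]);
  const pinnedNodeId = sha256(spkiDer(node.publicKey)); // stored by the data owner in advance
  const data = Buffer.from('block-0001: constructed sample payload');
  const signedBy = (key) => crypto.sign(null, data, key);

  const honest = {
    cert: issueNodeCert('ca-01', ca.privateKey, 'node-A', node.publicKey),
    storedData: data, signature: signedBy(node.privateKey),
  };
  // Certificate and signature both made with another key; only the issuer ID is copied.
  const selfIssued = {
    cert: issueNodeCert('ca-01', other.privateKey, 'node-A', other.publicKey),
    storedData: data, signature: signedBy(other.privateKey),
  };
  // Issuer ID that the data owner has never registered.
  const unknownIssuer = {
    cert: issueNodeCert('ca-99', other.privateKey, 'node-A', other.publicKey),
    storedData: data, signature: signedBy(other.privateKey),
  };
  // Certificate really issued by the trusted CA, but for a key other than the pinned one.
  const wrongKey = {
    cert: issueNodeCert('ca-01', ca.privateKey, 'node-A', other.publicKey),
    storedData: data, signature: signedBy(other.privateKey),
  };
  // Genuine certificate and signature, but the stored bytes changed after signing.
  const modified = { ...honest, storedData: Buffer.from('block-0001: modified payload') };

  const check = (rec) => verifyStoredData(rec, trusted, pinnedNodeId);
  return {
    honest: check(honest), selfIssued: check(selfIssued), unknownIssuer: check(unknownIssuer),
    wrongKey: check(wrongKey), modified: check(modified),
  };
}

console.log(runDemo());
```

The `selfIssued` case would pass a bare issuer ID lookup; it is rejected at S101 here only because the CA signature is verified, while `wrongKey` shows what the node ID comparison of S102 adds on top of a valid certificate.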
  • The storage node may fail, its storage hard disk may be damaged, or the storage node may suddenly go down; the data may also be intercepted or tampered with by a malicious terminal during transmission. We therefore cannot be sure that incorrect stored data is caused by malicious processing by the storage node, so we determine the situation of the storage node and handle it case by case.
  • The historical processing records of the stored data found to be incorrect can include the historical processing time, processing methods, etc.
  • The user information can be the user account and other information used when logging in to the storage node, which is not limited here.
  • It is also necessary to determine the processing terminal corresponding to each historical processing record, which can be done by acquiring the terminal identification of the terminal that executed the data processing, such as a hardware code, etc.; this is not limited here.
  • S205 Acquire the data processing authority of each processing terminal.
  • After determining the historical processing records of stored data and the processing terminal corresponding to each historical processing record, we obtain the data processing authority of each processing terminal.
  • The data processing authority may be determined according to the level of data processing, such as primary data processing authority, secondary data processing authority, etc., or it may specify the permitted way of processing the data, for example only reading stored data, or modifying and deleting stored data.
  • By acquiring the data processing authority of each processing terminal, we can use the data processing authority to judge whether the processing terminal's handling of the stored data is correct.
  • the processing terminal is determined Compliance with the modification records in the historical processing records of stored data.
  • If the historical processing record of the processing terminal does not correspond to the data processing authority, for example the processing authority of a processing terminal is only to read the stored data but the historical processing record shows that the processing terminal modified the stored data, it is determined that the processing terminal has processed the data on the storage node in violation of its authority.
  • The corresponding handling for the violating terminal may then be adopted, for example deleting all processing rights of the processing terminal on the stored data and adding the processing terminal to the stored-data processing blacklist.
  • The storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node; if the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node ID; the node ID is generated from the digital digest of the storage node's public key; if the storage node's public key is correct, verify the signature in the stored data stored by the storage node according to the storage node's public key; if the stored data is incorrect, determine the historical processing records of the stored data and the processing terminal corresponding to each historical processing record; obtain the data processing authority of each processing terminal; according to the historical processing records of each processing terminal and the data processing authority, determine whether the historical processing records of the processing terminal are in compliance.
  • By verifying the node certificate and signature of the storage node, verifying the correctness of the storage data in the storage node, and, after determining that the storage data is incorrect, handling the storage node according to its historical processing record and data processing authority, the authority of the data owner in data processing and the security of the data stored by the nodes in the distributed network are improved.
  • FIG. 3 is a schematic diagram of a terminal device provided in Embodiment 3 of the present application.
  • Each unit included in the terminal device is used to execute each step in the embodiments corresponding to FIG. 1 to FIG. 2.
  • the terminal device 300 of this embodiment includes:
  • the obtaining unit 301 is used to obtain a node certificate of a storage node and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store stored data sent by a data owner terminal, and the stored data includes the signature of the storage node;
  • the first verification unit 302 is configured to obtain the public key of the storage node and verify whether the public key of the storage node is correct according to the pre-stored node identifier if the node certificate is issued by the trusted root certificate;
  • the node identifier is generated from a digital digest of the storage node's public key;
  • the second verification unit 303 is used to verify the signature in the storage data stored by the storage node according to the public key of the storage node if the public key of the storage node is correct; if the signature verification passes, the stored data is correct.
  • the terminal device may further include:
  • An authorization unit configured to send an authorization instruction to store the stored data to the storage node if the node certificate is issued by the trusted root certificate;
  • the receiving unit is configured to receive a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process; the data writing process includes the storage node verifying the authorization content in the authorization instruction according to the node certificate, then writing the stored data and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  • the node identifier is obtained by performing digest processing according to the node public key of the storage node in advance, and stored in the data owner terminal;
  • the first verification unit 302 may include:
  • a public key obtaining unit configured to obtain the public key of the storage node if the node certificate is issued by the trusted root certificate
  • a public key digest unit used to calculate a data digest of the public key of the storage node to obtain a public key digest
  • the public key comparison unit is used to compare the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, it is determined that the public key of the storage node is correct.
  • the acquiring unit 301 may include:
  • An identification determining unit used to obtain a node certificate of a storage node, and determine an identification of an issuing authority that issued the node certificate
  • An identification search unit configured to search for the existence of the issuer ID in a preset trusted e-commerce certification authority table based on the issuer ID;
  • the certificate determination unit is used to determine that the node certificate is issued by a trusted root certificate if the issuer ID exists in the trusted e-commerce certification authority table.
  • the terminal device may further include:
  • a terminal determining unit configured to determine the historical processing record of the stored data and the processing terminal corresponding to each historical processing record if the stored data is incorrect;
  • the authority determination unit is used to acquire the data processing authority of each processing terminal
  • the record determining unit is configured to determine, according to the data processing authority of each processing terminal, whether the history processing record of that processing terminal is compliant.
  • the above solution improves the security of data stored by nodes in a peer-to-peer network by verifying both the node certificate and signature of the storage node and the accuracy of the stored data in the storage node.
  • the terminal device 4 of this embodiment includes: a processor 40, a memory 41, and computer-readable instructions 42 stored in the memory 41 and executable on the processor 40.
  • when the processor 40 executes the computer-readable instructions 42, the steps in the above embodiments of each data verification method are implemented, for example, steps 101 to 103 shown in FIG. 1.
  • alternatively, when the processor 40 executes the computer-readable instructions 42, the functions of each module/unit in the foregoing device embodiments are realized, for example, the functions of the units 301 to 303 shown in FIG. 3.
  • the terminal device 4 may be a computing device such as a desktop computer, a notebook, a palmtop computer and a cloud server.
  • the terminal device may include, but is not limited to, the processor 40 and the memory 41.
  • FIG. 4 is only an example of the terminal device 4 and does not constitute a limitation on the terminal device 4; the terminal device may include more or fewer components than illustrated, combine certain components, or use different components.
  • the terminal device may further include an input and output device, a network access device, a bus, and the like.
  • the processor 40 may be a central processing unit (Central Processing Unit, CPU), and can also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 41 may be an internal storage unit of the terminal device 4, such as a hard disk or a memory of the terminal device 4.
  • the memory 41 may also be an external storage device of the terminal device 4, such as a plug-in hard disk equipped on the terminal device 4, a smart memory card (Smart Media Card, SMC), and a secure digital (SD) Cards, flash cards (Flash Card, FC), etc.
  • the memory 41 may also include both an internal storage unit of the terminal device 4 and an external storage device.
  • the memory 41 is used to store the computer-readable instructions and other programs and data required by the terminal device.
  • the memory 41 can also be used to temporarily store data that has been or will be output.
  • if the integrated module/unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • this application implements all or part of the processes in the methods of the above embodiments, which can also be completed by instructing relevant hardware through computer-readable instructions; these instructions can be stored in a computer non-volatile readable storage medium.
  • Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • RAM random access memory
  • DRAM dynamic RAM
  • SDRAM synchronous DRAM
  • DDRSDRAM double data rate SDRAM
  • ESDRAM enhanced SDRAM
  • SLDRAM synchronous chain (Synchlink) DRAM
  • RDRAM direct RAM
  • DRDRAM direct memory bus dynamic RAM
  • RDRAM memory bus dynamic RAM


Abstract

The present application is applicable to the technical field of computer applications. Provided are a data verification method, a terminal device and a non-volatile computer-readable storage medium. The method comprises: acquiring a node certificate of a storage node, and verifying whether the node certificate is issued by a preset trusted root certificate; if the node certificate is issued by the trusted root certificate, acquiring a public key of the storage node, and verifying, according to a pre-stored node identifier, whether the public key of the storage node is correct; and if the public key of the storage node is correct, verifying, according to the public key of the storage node, a signature in storage data stored in the storage node, and if the signature passes verification, indicating that the storage data is correct. By means of verifying a node certificate and a signature of a storage node and verifying the correctness of storage data in the storage node, the security of storage data in a node in a peer-to-peer network is improved.

Description

Data verification method and terminal device
This application claims priority to the Chinese patent application filed with the China Patent Office on January 7, 2019, with application number 201910012597.4 and the invention title "Data Verification Method and Terminal Device", the entire contents of which are incorporated in this application by reference.
Technical field
The present application belongs to the field of computer application technology, and in particular relates to a data verification method, a terminal device, and a computer non-volatile readable storage medium.
Background
P2P storage is a kind of network storage based on P2P (Peer-to-Peer) technology. It organizes many machines in a peer-to-peer way to jointly provide users with a very large-capacity data storage service. It is a network technology on the Internet and the product of combining computer networks with distributed systems. Its core idea is to remove the concept of a central server and build the Internet on peer-to-peer interconnection, to achieve the greatest degree of resource sharing. In many existing applications, however, identity authentication is achieved by verifying signatures with certificates. It is still possible for the certificate and the signature to be forged at the same time, which threatens data security.
Technical problem
In view of this, the embodiments of the present application provide a data verification method, a terminal device, and a computer non-volatile readable storage medium, to solve the problem in the prior art that the certificate and the signature may be forged at the same time, which threatens data security.
Technical solution
A first aspect of the embodiments of the present application provides a data verification method, including:
obtaining a node certificate of a storage node, and verifying whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node;
if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node, and verifying whether the public key of the storage node is correct according to a pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node;
if the public key of the storage node is correct, verifying the signature in the storage data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
A second aspect of the embodiments of the present application provides a terminal device, including a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor; the processor implements the method of the first aspect when executing the computer-readable instructions.
A third aspect of the embodiments of the present application provides a terminal device, including units that implement the method of the first aspect described above.
A fourth aspect of the embodiments of the present application provides a computer non-volatile readable storage medium. The computer storage medium stores computer-readable instructions, the computer-readable instructions include program instructions, and the program instructions, when executed by a processor, cause the processor to execute the method of the first aspect.
Beneficial effects
The embodiments of the present application obtain the node certificate of a storage node and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node. If the node certificate is issued by the trusted root certificate, the public key of the storage node is obtained, and whether the public key of the storage node is correct is verified according to a pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node. If the public key of the storage node is correct, the signature in the storage data stored by the storage node is verified according to the public key of the storage node; if the signature verification passes, the stored data is correct. By verifying both the node certificate and the signature of the storage node, and verifying the correctness of the data stored in the storage node, the security of data stored by nodes in a peer-to-peer network is improved.
Brief description of the drawings
FIG. 1 is a flowchart of the data verification method provided in Embodiment 1 of the present application;
FIG. 2 is a flowchart of the data verification method provided in Embodiment 2 of the present application;
FIG. 3 is a schematic diagram of the terminal device provided in Embodiment 3 of the present application;
FIG. 4 is a schematic diagram of the terminal device provided in Embodiment 4 of the present application.
Embodiments of the invention
Referring to FIG. 1, FIG. 1 is a flowchart of the data verification method provided in Embodiment 1 of the present application. The execution subject of the data verification method in this embodiment is a terminal. Terminals include but are not limited to mobile terminals such as smart phones, tablet computers, and wearable devices, and may also be desktop computers. The data verification method shown in the figure may include the following steps:
S101: Obtain the node certificate of a storage node, and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node.
A digital certificate is a string of digits that marks the identity information of the communicating parties in Internet communication, and it provides a way to verify the identity of a communicating entity on the Internet. A digital certificate is a stamp or seal placed on a digital identity card by an identity certification authority. In this embodiment, the digital certificate of the storage node is obtained to verify whether the node identity of the storage node is authentic. A digital certificate is a file, digitally signed by a certificate authority, that contains information about the owner of a public key together with the public key. The simplest certificate contains a public key, a name, and the digital signature of the certificate authority. Another important feature of a digital certificate is that it is only valid within a specific period of time. Especially in e-commerce systems, obtaining the digital certificate of each storage node lets customers obtain information about merchants and enterprises very conveniently when shopping online, but it also increases the risk that certain sensitive or valuable data is misused. To ensure the security and confidentiality of electronic transactions and payments on the Internet, and to prevent fraud during transactions and payments, a trust mechanism must be established online. This requires that both buyers and sellers participating in e-commerce have legitimate identities that can be verified online effectively and without error.
A digital certificate contains many digits and letters. When a digital certificate is used for identity authentication, it randomly generates an identity code with a preset number of digits; each digital certificate can generate a corresponding code that cannot be the same each time, which ensures the confidentiality of data transmission and is equivalent to generating a complex password. A digital certificate binds a public key to the true identity of its holder. It is similar to a resident identity card in real life; the difference is that a digital certificate is no longer a paper document but a piece of electronic data that contains the identity information of the certificate holder and has been reviewed and issued by a certification center, so it can be used more conveniently and flexibly in the process of verifying the correctness of the data of a storage node.
Specifically, the process of issuing a digital certificate to a storage node is generally as follows. First, a key pair, that is, a public key and a private key, is generated for each storage node, and the public key and part of the node information are transmitted to the certification center. After verifying the identity, the certification center performs some necessary steps to make sure that the request was indeed sent by the storage node. The certification center then issues a digital certificate to the storage node; the certificate contains the node information of the storage node and its public key information, together with the signature information of the certification center. The storage node can then use its own digital certificate for the various related activities. Digital certificates are issued by independent certificate issuing authorities. Digital certificates differ from one another, and each kind of certificate can provide a different level of credibility. You can obtain your own digital certificate from a certificate issuing authority.
In this embodiment, the node certificate may be obtained by sending a certificate request to the storage node; after receiving the certificate request, the storage node sends its own certificate to the data owner terminal. Alternatively, the storage node may periodically send its own node certificate to the data owner terminal, so that the data owner does not need to actively request the node certificate, which reduces the workload of the data owner terminal.
It should be noted that the storage node in this embodiment is used to store the storage data sent by the data owner terminal. The storage data may be data that the data owner terminal, because of its limited data storage capability or data processing capability, has determined needs to be stored by a storage node. The data owner terminal sends the data to be stored to the storage node and specifies that this part of the storage data can only be stored by the corresponding storage node. The storage node, however, cannot perform any type of processing on the storage data; only the data owner terminal or a terminal device with processing authority can process it. The storage data stored by the storage node also includes the signature of the storage node, and the signature of the storage node can be used to verify that the storage data was written by the storage node. The signature in this embodiment is a digital string that only the storage node can generate and that others cannot forge; this digital string is also an effective proof of the correctness of the stored information.
After the node certificate of the storage node is obtained, we first verify the correctness of the node certificate. The node certificate in this embodiment is issued by a certificate authority (Certificate Authority, CA). As a trusted third party in e-commerce transactions, the certificate authority bears the responsibility of checking the legitimacy of public keys in the public key system. The CA issues a digital certificate to each storage node that uses a public key; the role of the digital certificate is to prove that the storage node listed in the certificate legitimately owns the public key listed in the certificate. The digital signature of the CA prevents attackers from forging and tampering with certificates. The CA is responsible for generating, distributing and managing the digital certificates required by all individuals participating in online transactions, so it is the core link of secure electronic transactions. To ensure the security, authenticity, reliability, integrity and non-repudiation of the data stored in the storage node, it is necessary not only to verify the authenticity of the storage node's identity, but also to have an authoritative, impartial and unique institution responsible for issuing and managing, for each party in e-commerce, e-commerce security certificates that comply with domestic and international secure electronic transaction protocol standards.
When verifying the node certificate, first obtain the node certificate of the storage node and determine the issuer identifier of the authority that issued the node certificate; according to the issuer identifier, look up whether the issuer identifier exists in a preset table of trusted e-commerce certification authorities; if the issuer identifier exists in the table of trusted e-commerce certification authorities, it is determined that the node certificate is issued by the trusted root certificate.
S102: If the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node.
When verification determines that the node certificate is issued by the preset trusted root certificate, the public key of the storage node is obtained from the storage node, for example by sending a public key acquisition request to the storage node. In addition, since the public key of each storage node can be public, the public key of the storage node can also be stored in advance in the data owner terminal; when the data owner terminal needs to verify the public key of the storage node, it can obtain the public key directly from its own database. Preferably, the data owner terminal can obtain the public key of the storage node in real time, to account for the case where the storage node modifies its own public key.
When verification determines that the node certificate is not issued by the preset trusted root certificate, we can first compare the node certificate with the storage node to check whether the current node certificate is the certificate of that storage node. If it is, the node certificate of the storage node is determined to be wrong; if the current node certificate is not the certificate of that storage node, the correct node certificate can be requested from the storage node again and the node certificate verified again.
In this embodiment, the data owner terminal stores the node identifier of each storage node. The node identifier is obtained by computing a digest of the public key of the storage node, and is used to verify whether the public key of the storage node is correct. Even after the public key of the storage node has been obtained, the public key may have been tampered with while the two parties were passing it over the network; therefore, we use the node identifier to verify the correctness of the obtained public key. The specific verification method is to first calculate the data digest of the public key of the storage node to obtain the public key digest, and then compare the public key digest with the data identifier; if the public key digest is consistent with the data identifier, the public key of the storage node is determined to be correct.
S103: If the public key of the storage node is correct, verify the signature in the storage data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
In practical applications, a digital signature is some data attached to the stored data, or a cryptographic transformation applied to the stored data. This data or transformation allows the data owner of the stored data to verify the integrity of the stored data, so as to protect the data and guard against forgery by the storage node. It is a method of signing a message in electronic form, and a signed message can be transmitted over a communication network. Digital signatures can be obtained based on both public key cryptosystems and private key cryptosystems, but are mainly based on public key cryptosystems. They include ordinary digital signatures and special digital signatures. Optionally, ordinary digital signature algorithms include the data encryption standard algorithm (Data Encryption Standard, DES), the elliptic curve digital signature algorithm, the finite automaton digital signature algorithm, and so on; in addition, there are blind signatures, proxy signatures, group signatures, undeniable signatures, fair blind signatures, threshold signatures, signatures with message recovery, and so on, and the choice is closely related to the specific application environment.
When the stored data is verified according to the public key of the storage node, the question is how to verify the correctness of the data and ensure that it is the data owner's original data, not tampered with or deleted by the storage node. This is where the signature is used. If the public key of the storage node is correct, the signature in the storage data stored by the storage node is verified according to the public key of the storage node, and the correctness of the data is determined at the same time. Before the data owner sends the storage data to the storage node, data digest processing is performed on the storage data to obtain the data digest of the storage data; the original data cannot be derived back from the data digest. The signature in the stored data is decrypted with the public key of the storage node to obtain the data digest of the stored data, and the decrypted data digest is then compared with the data digest pre-stored by the data owner. If the decrypted data digest and the pre-stored digest are consistent, this proves that the data is the original data and has not been tampered with. This encryption and verification process guarantees the security and tamper resistance of the data.
If the public key of the storage node is incorrect, the public key of the storage node has been tampered with. The data owner terminal sends a public key request to the storage node again, and after obtaining the public key of the storage node again, performs the public key verification and the data verification.
In the above solution, the node certificate of a storage node is obtained, and whether the node certificate is issued by a preset trusted root certificate is verified; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the signature of the storage node. If the node certificate is issued by the trusted root certificate, the public key of the storage node is obtained, and whether the public key of the storage node is correct is verified according to the pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node. If the public key of the storage node is correct, the signature in the storage data stored by the storage node is verified according to the public key of the storage node; if the signature verification passes, the stored data is correct. By verifying both the node certificate and the signature of the storage node, and verifying the correctness of the data stored in the storage node, the security of data stored by nodes in a peer-to-peer network is improved.
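The three checks of steps S101 to S103, as an added example that is not part of the patent text. The toy RSA keys built from Mersenne primes, SHA-256 as the digest, the dictionary certificate layout and all names are assumptions; beyond the issuer table lookup the page describes, the example also verifies the CA signature on the certificate and re-hashes the returned data.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by all constructed keys


def make_key(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes (constructed; trivially factorable)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": E}, pow(E, -1, (p - 1) * (q - 1))


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, pub, d):
    # Unpadded hash-then-sign: models the flow only, not usable cryptography.
    return pow(digest_int(data), d, pub["n"])


def recover_digest(sig, pub):
    # What the page calls decrypting the signature with the public key.
    return pow(sig, pub["e"], pub["n"])


def key_bytes(pub):
    return f'{pub["n"]:x}:{pub["e"]:x}'.encode()


def node_id_of(pub):
    # Node identifier = digest of the node public key (hash choice assumed).
    return hashlib.sha256(key_bytes(pub)).hexdigest()


def cert_body(cert):
    head = "|".join((cert["issuer_id"], cert["subject"])).encode()
    return head + b"|" + key_bytes(cert["public_key"])


def issue_cert(issuer_id, ca_pub, ca_d, subject, node_pub):
    cert = {"issuer_id": issuer_id, "subject": subject, "public_key": node_pub}
    cert["ca_signature"] = sign(cert_body(cert), ca_pub, ca_d)
    return cert


def verify_stored_data(cert, stored, trusted_cas, pinned_node_id, owner_digest):
    """Run S101, S102, S103 in order; return (ok, reason)."""
    # S101: the issuer identifier must be in the trusted CA table ...
    ca_pub = trusted_cas.get(cert["issuer_id"])
    if ca_pub is None:
        return False, "S101: issuer not in trusted CA table"
    # ... and (added check) the CA signature over the certificate must verify,
    # because an issuer identifier alone is just a claimed string.
    if recover_digest(cert["ca_signature"], ca_pub) != digest_int(cert_body(cert)):
        return False, "S101: CA signature invalid"
    # S102: digest of the presented public key must equal the pre-stored node ID.
    pub = cert["public_key"]
    if not hmac.compare_digest(node_id_of(pub), pinned_node_id):
        return False, "S102: public key does not match node identifier"
    # S103: the signature must recover the digest the owner stored beforehand ...
    if recover_digest(stored["signature"], pub) != owner_digest:
        return False, "S103: signature does not match pre-stored digest"
    # ... and (added check) the bytes actually returned must hash to it too.
    if digest_int(stored["data"]) != owner_digest:
        return False, "S103: returned data does not match pre-stored digest"
    return True, "ok"


def run_scenarios():
    ca_pub, ca_d = make_key(1279, 2203)          # trusted CA (constructed)
    node_pub, node_d = make_key(521, 607)        # honest storage node
    rogue_pub, rogue_d = make_key(521, 1279)     # a different key pair
    fake_ca_pub, fake_ca_d = make_key(607, 2203)
    trusted = {"CA-EXAMPLE-01": ca_pub}
    data = b"constructed sample record owned by the data owner"
    args = (trusted, node_id_of(node_pub), digest_int(data))

    good_cert = issue_cert("CA-EXAMPLE-01", ca_pub, ca_d, "node-A", node_pub)
    good = {"data": data, "signature": sign(data, node_pub, node_d)}
    # Certificate AND signature are both valid, but for the wrong key.
    rogue_cert = issue_cert("CA-EXAMPLE-01", ca_pub, ca_d, "node-A", rogue_pub)
    rogue = {"data": data, "signature": sign(data, rogue_pub, rogue_d)}
    unknown = issue_cert("CA-UNKNOWN", fake_ca_pub, fake_ca_d, "node-A", node_pub)
    spoofed = issue_cert("CA-EXAMPLE-01", fake_ca_pub, fake_ca_d, "node-A", node_pub)
    tampered = {"data": data + b" (altered)", "signature": good["signature"]}
    return {
        "honest": verify_stored_data(good_cert, good, *args),
        "valid_cert_wrong_key": verify_stored_data(rogue_cert, rogue, *args),
        "unknown_issuer": verify_stored_data(unknown, good, *args),
        "spoofed_issuer_id": verify_stored_data(spoofed, good, *args),
        "tampered_data": verify_stored_data(good_cert, tampered, *args),
    }
```

The `valid_cert_wrong_key` case is the situation the background section worries about: the certificate chains to a trusted issuer and the signature verifies, yet the pre-stored node identifier rejects the key.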
参见图2,图2是本申请实施例二提供的数据验证方法的流程图。本实施例中数据验证方法的执行主体为终端。终端包括但不限于智能手机、平板电脑、可穿戴设备等移动终端,还可以是台式电脑等。如图所示的数据验证方法可以包括以下步骤:Referring to FIG. 2, FIG. 2 is a flowchart of a data verification method provided in Embodiment 2 of the present application. The execution subject of the data verification method in this embodiment is a terminal. Terminals include but are not limited to mobile terminals such as smart phones, tablet computers, and wearable devices, and may also be desktop computers. The data verification method as shown in the figure may include the following steps:
S201:获取存储节点的节点证书,验证所述节点证书是否由预设的可信根证书颁发;所述存储节点用于存储数据所有者终端发送的存储数据,所述存储数据中包括存储节点的签名。S201: Obtain the node certificate of the storage node, and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the storage data sent by the data owner terminal, and the storage data includes the storage node’s signature.
数据所有者终端向存储节点发送证书请求,在获取到存储节点的节点证书之后,验证节点证书是否由预设的可信根证书颁发。具体的验证节点证书是否由预设的可信根证书颁发的方式是,先确定颁发节点证书的颁发机构标识,根据颁发机构标识,在预设的可信电子商务认证授权机构表中查找是否存在颁发机构标识。若可信电子商务认证授权机构表中存在颁发机构标识,则判定节点证书是由可信根证书颁发;若可信电子商务认证授权机构表中不存在颁发机构标识,则判定节点证书不是由可信根证书颁发,该存储节点的身份存储在问题,需要进行较为严格的身份认证,例如获取改存储节点的处理权限,并查看该存储节点的历史数据处理情况,根据历史数据处理情况和处理权限,对该存储节点进行对应的处理,例如,限制其数据权限或者进行格式化等。The data owner terminal sends a certificate request to the storage node. After obtaining the node certificate of the storage node, it is verified whether the node certificate is issued by a preset trusted root certificate. The specific way to verify whether the node certificate is issued by the preset trusted root certificate is to first determine the issuer ID that issued the node certificate, and according to the issuer ID, look for the existence in the preset trusted e-commerce certification authority table Issuer ID. If the issuer ID exists in the trusted e-commerce certification authority table, the node certificate is determined to be issued by the trusted root certificate; if the issuer ID does not exist in the trusted e-commerce certification authority table, the node certificate is determined not to be valid A letter-root certificate is issued, and the identity of the storage node is stored in a problem, which requires stricter identity authentication, such as obtaining the processing authority of the storage node, and viewing the historical data processing status of the storage node, according to the historical data processing status and processing authority , Perform corresponding processing on the storage node, for example, restrict its data authority or format.
Further, step S201 may specifically include steps S2011 to S2012:
S2011: If the node certificate is issued by the trusted root certificate, send an authorization instruction for storing the stored data to the storage node.
In this embodiment, once the node certificate of the current storage node is determined to be issued by the trusted root certificate, the node certificate can be judged correct, and the storage node is authorized to store the corresponding stored data. Authorization is granted by sending the storage node an authorization instruction for storing data. The authorization instruction may include information about the data to be stored, data storage requirements, and so on, and may also include the terminal authentication information of the data owner, which is not limited here.
S2012: Receive a write completion notification sent by the storage node; the write completion notification indicates that the storage node has completed the data writing process; the data writing process includes the storage node writing the stored data after it has verified the authorized content in the authorization instruction according to the node certificate, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
After receiving the authorization instruction, the storage node can begin storing the stored data according to the data information and data storage requirements in the authorization instruction. Further, to ensure the security of the data and the orderliness of the storage process, the storage node can, after receiving the authorization instruction, use its own node certificate to verify whether the authorized content in the authorization instruction is correct. After the verification passes, it writes the stored data into its own storage space and attaches the signature of the storage node once the writing is completed, so that the signature can be used to verify whether the stored data is correct. After the writing is completed, it sends the write completion notification to the data owner terminal.
Specifically, when the storage node verifies the authorized content in the authorization instruction, it can compare the locally stored terminal authentication information of the data owner with the terminal authentication information of the data owner in the authorized content. If the two are consistent, the authorized content in the authorization instruction passes verification.
S202: If the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node identifier.
After verifying that the node certificate is issued by the trusted root certificate, the public key of the storage node is obtained. Because a public key may be tampered with when the two parties pass it over the network, this embodiment verifies whether the public key of the storage node is correct against the pre-stored node identifier.
Further, step S202 may specifically include steps S2021 to S2023:
S2021: If the node certificate is issued by the trusted root certificate, obtain the public key of the storage node.
In practical applications, after verifying that the node certificate is issued by a trusted root certificate, unless the other party hands us the public key in person, the public key can still be tampered with when the two parties pass it over the network if no measures are taken. We first obtain the public key of the storage node. Because the public key of each storage node can be public, it can also be stored in advance in the data owner terminal; when the data owner terminal needs to verify the public key of the storage node, it can obtain that public key directly from its own database.
S2022: Calculate the data digest of the public key of the storage node to obtain a public key digest.
This embodiment uses a public key cryptosystem with two keys, one for encrypting information and the other for decrypting it. The two keys satisfy a mathematical relationship such that data encrypted with either of the two keys can only be decrypted with the other. Each storage node holds two keys, a public key and a private key: the public key is sent to the data owner terminal for verification, and the private key is used by the node itself to encrypt the stored data. Because of the mathematical relationship between the two keys, any other terminal device that receives the public key is assured that data encrypted with this public key can only be decrypted by the storage node with its own private key. This assurance, of course, rests on the user's private key remaining private.
In practical applications, we apply digest processing to the public key of the storage node to obtain the public key digest: the storage node's public key, of arbitrary length, is transformed into a fixed-length data string, and this fixed-length data string is the public key digest. A qualified digest algorithm must meet the following conditions: finding a set of messages with the same digest is technically impossible, and, for a given message digest, computing the message itself in reverse is technically infeasible.
The data owner terminal stores the node identifier of each storage node. The node identifier is obtained by computing a digest of the storage node's public key, and is used to verify whether the storage node's public key is correct. After obtaining the public key of the storage node, the data owner terminal applies the digest algorithm to the public key to compute a message digest, obtaining the public key digest. Comparing the two message digests shows unambiguously whether the public key of the storage node was tampered with in transit. Identical results mean the data was not modified; different results mean the data was modified or lost, thereby ensuring the correctness of the storage node during transmission. Optionally, a commonly used digest algorithm is the Message Digest Algorithm (MD5), which is not limited here.
S2023: Compare the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determine that the public key of the storage node is correct.
After the public key digest of the storage node is obtained, the public key digest in the data identifier is compared with the computed public key digest. Comparing the two message digests shows unambiguously whether the public key of the storage node was tampered with in transit. Identical results mean the data was not modified; different results mean the data was modified or lost, thereby ensuring the correctness of the storage node during transmission.
Optionally, to ensure the correctness of the storage node's public key, an impartial third party can be introduced. When a party wants to publish its public key, it submits its identity information and public key to this third party. The third party verifies the identity and, if there is no problem, packages the information and public key into a certificate. This impartial third party is what is commonly called a certificate authority. When we need to obtain the public key, we only need to obtain the certificate and extract the public key from it.
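The checks of S201 and S2021 to S2023, sketched as an added example that is not part of the patent text: the issuer ID is looked up in a trusted table, then the digest of the public key carried in the certificate is compared with the node identifier stored on the data owner terminal. The class and function names, issuer IDs and key bytes are constructed for illustration; SHA-256 is assumed as the digest, since the text leaves the algorithm open and MD5 is no longer collision resistant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample data: issuer IDs, node names and key bytes are invented.
TRUSTED_CA_TABLE = {"CA-ROOT-01", "CA-ROOT-02"}
GOOD_KEY = b"constructed-public-key-bytes-of-node-A"
TAMPERED_KEY = b"constructed-public-key-bytes-of-attacker"


@dataclass(frozen=True)
class NodeCert:
    node_name: str
    issuer_id: str
    public_key: bytes  # encoded public key as carried in the certificate


def node_id_from_public_key(public_key: bytes) -> str:
    """Node identifier = digest of the node's public key (S2022).

    Assumption: SHA-256 replaces the MD5 the text mentions as one option.
    """
    return hashlib.sha256(public_key).hexdigest()


def issued_by_trusted_root(cert: NodeCert) -> bool:
    """S201 as described: look the issuer ID up in the trusted table.

    A table lookup only checks a claimed name; a full X.509 validation
    would also verify the issuer's signature over the certificate.
    """
    return cert.issuer_id in TRUSTED_CA_TABLE


def verify_node_key(cert: NodeCert, pinned_ids: Dict[str, str]) -> Tuple[bool, str]:
    """Run S201, then S2021 to S2023; fail closed at the first failed check."""
    if not issued_by_trusted_root(cert):
        return False, "untrusted-issuer"
    pinned = pinned_ids.get(cert.node_name)
    if pinned is None:
        # No identifier was stored for this node at enrollment time.
        return False, "unknown-node"
    computed = node_id_from_public_key(cert.public_key)
    # Constant-time comparison of the two hex digests (S2023).
    if not hmac.compare_digest(computed, pinned):
        return False, "public-key-mismatch"
    return True, "ok"


# Identifiers stored on the data owner terminal when the node was enrolled.
PINNED_NODE_IDS = {"node-A": node_id_from_public_key(GOOD_KEY)}

CERT_GOOD = NodeCert("node-A", "CA-ROOT-01", GOOD_KEY)
# Same claimed issuer, but the key was swapped in transit.
CERT_TAMPERED = NodeCert("node-A", "CA-ROOT-01", TAMPERED_KEY)
CERT_ROGUE = NodeCert("node-A", "CA-UNKNOWN", GOOD_KEY)
CERT_UNENROLLED = NodeCert("node-Z", "CA-ROOT-02", GOOD_KEY)

if __name__ == "__main__":
    for cert in (CERT_GOOD, CERT_TAMPERED, CERT_ROGUE, CERT_UNENROLLED):
        print(cert.node_name, cert.issuer_id, verify_node_key(cert, PINNED_NODE_IDS))
```

The tampered certificate passes the issuer lookup because the issuer ID is only a claimed name; it is the comparison with the stored node identifier that rejects the swapped key.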
S203: If the public key of the storage node is correct, verify the signature in the stored data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
In this embodiment, S203 is implemented in exactly the same way as S103 in the embodiment corresponding to FIG. 1. For details, refer to the related description of S101 in the embodiment corresponding to FIG. 1, which is not repeated here.
S204: If the stored data is incorrect, determine the historical processing records of the stored data and the processing terminal corresponding to each historical processing record.
When the stored data is found to be incorrect, there may be various causes. For example, the storage node may have failed, its storage disk may be damaged, or the storage node may have gone down suddenly; the data may also have been intercepted or tampered with by a malicious terminal in transit. We therefore cannot be fully certain that incorrect stored data results from malicious processing by the storage node, so we determine the situation of the storage node and handle each case accordingly.
First, the historical processing records of the incorrect stored data are obtained, which may include the historical processing time, the processing method, and so on. To make the processing clearer, we can also obtain information about the user who performed the processing; this user information may be the user account used to log in to the storage node, which is not limited here. Because different processing terminals may have processed the stored data, the processing terminal corresponding to each historical processing record must also be determined. This can be done by obtaining the terminal identifier of the terminal that executed the data processing, such as a hardware code, which is not limited here.
S205: Obtain the data processing authority of each processing terminal.
After determining the historical processing records of the stored data and the processing terminal corresponding to each historical processing record, we obtain the data processing authority of each processing terminal. The data processing authority may be defined by level, such as first-level data processing authority or second-level data processing authority, or it may specify the permitted operations, for example read-only access to the stored data, or permission to modify or delete the stored data. With the data processing authority of each processing terminal, we can judge whether that terminal's processing of the stored data was correct.
S206: If the historical processing record of the processing terminal corresponds to the data processing authority, determine that the historical processing record of the processing terminal is compliant.
If the historical processing record of a processing terminal corresponds to its data processing authority, for example a processing terminal has modified the stored data and its data processing authority includes modifying the stored data, then the modification record in that terminal's historical processing records of the stored data is determined to be compliant.
Further, if the historical processing record of a processing terminal does not correspond to its data processing authority, for example the terminal's processing authority only covers reading the stored data but the historical processing record shows that it modified the stored data, then this modification by the processing terminal of data on the storage node is determined to be a violation. After the processing terminal's historical processing record of the stored data is determined to be a violation, a corresponding measure can be taken against the violating terminal, for example removing all of its processing rights over the stored data and adding the processing terminal to the blacklist for stored data processing. This violation detection method makes it possible to determine why stored data that failed verification is incorrect, and to penalize the corresponding processing terminal when a violation occurs, which improves the data security of the data storage system.
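The compliance check of S204 to S206 and the follow-up measure described above, as an added example that is not part of the patent text: each historical processing record is compared with the permissions of the terminal that produced it, and violating terminals lose their rights and are blacklisted. The record fields, terminal IDs and permission names are constructed; treating a terminal with no recorded permissions as having none is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HistoryRecord:
    terminal_id: str   # e.g. a hardware code identifying the processing terminal
    operation: str     # "read", "modify" or "delete"
    timestamp: str
    user: str          # account used to log in to the storage node


# Constructed sample data for one stored object that failed verification.
PERMISSIONS: Dict[str, Set[str]] = {
    "term-01": {"read", "modify", "delete"},
    "term-02": {"read"},
}

HISTORY: List[HistoryRecord] = [
    HistoryRecord("term-01", "modify", "2019-01-05T10:00:00", "alice"),
    HistoryRecord("term-02", "read", "2019-01-05T11:30:00", "bob"),
    HistoryRecord("term-02", "modify", "2019-01-06T02:14:00", "bob"),
    HistoryRecord("term-09", "delete", "2019-01-06T02:20:00", "unknown"),
]


def audit_history(
    history: List[HistoryRecord], permissions: Dict[str, Set[str]]
) -> Tuple[List[HistoryRecord], List[HistoryRecord]]:
    """Split records into compliant ones and violations (S205, S206)."""
    compliant, violations = [], []
    for record in history:
        # Assumption: a terminal missing from the table has no rights.
        allowed = permissions.get(record.terminal_id, set())
        if record.operation in allowed:
            compliant.append(record)
        else:
            violations.append(record)
    return compliant, violations


def enforce(
    violations: List[HistoryRecord], permissions: Dict[str, Set[str]]
) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Remove all rights of violating terminals and blacklist them.

    Returns a new permission table and the blacklist; the input is not mutated.
    """
    updated = {terminal: set(ops) for terminal, ops in permissions.items()}
    blacklist: Set[str] = set()
    for record in violations:
        updated[record.terminal_id] = set()
        blacklist.add(record.terminal_id)
    return updated, blacklist


if __name__ == "__main__":
    ok, bad = audit_history(HISTORY, PERMISSIONS)
    new_permissions, blocked = enforce(bad, PERMISSIONS)
    for record in bad:
        print("violation:", record.terminal_id, record.operation, record.timestamp)
    print("blacklist:", sorted(blocked))
```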
In the above solution, the node certificate of the storage node is obtained and it is verified whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by the data owner terminal, and the stored data includes the signature of the storage node. If the node certificate is issued by the trusted root certificate, the public key of the storage node is obtained and verified against the pre-stored node identifier; the node identifier is generated from the digital digest of the storage node's public key. If the public key of the storage node is correct, the signature in the stored data stored by the storage node is verified according to the public key of the storage node. If the stored data is incorrect, the historical processing records of the stored data and the processing terminal corresponding to each historical processing record are determined; the data processing authority of each processing terminal is obtained; and whether the historical processing records of each processing terminal are compliant is judged according to its historical processing records and data processing authority. By verifying the node certificate and signature of the storage node as well as the correctness of the stored data in the storage node, and, once the stored data is determined to be incorrect, handling the storage node according to its historical processing records and data processing authority, the solution improves the authority of the data owner over data processing and the security of the data stored by nodes in the distributed network.
Referring to FIG. 3, FIG. 3 is a schematic diagram of a terminal device provided in Embodiment 3 of the present application. The units included in the terminal device are used to execute the steps in the embodiments corresponding to FIG. 1 and FIG. 2. For details, refer to the related descriptions in the embodiments corresponding to FIG. 1 and FIG. 2. For ease of explanation, only the parts related to this embodiment are shown. The terminal device 300 of this embodiment includes:
An obtaining unit 301, configured to obtain the node certificate of a storage node and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by the data owner terminal, and the stored data includes the signature of the storage node;
A first verification unit 302, configured to, if the node certificate is issued by the trusted root certificate, obtain the public key of the storage node and verify whether the public key of the storage node is correct according to the pre-stored node identifier; the node identifier is generated from the digital digest of the storage node's public key;
A second verification unit 303, configured to, if the public key of the storage node is correct, verify the signature in the stored data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
Further, the terminal device may further include:
An authorization unit, configured to send an authorization instruction for storing the stored data to the storage node if the node certificate is issued by the trusted root certificate;
A receiving unit, configured to receive a write completion notification sent by the storage node; the write completion notification indicates that the storage node has completed the data writing process; the data writing process includes the storage node writing the stored data after it has verified the authorized content in the authorization instruction according to the node certificate, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
The node identifier is obtained in advance by performing digest processing on the node public key of the storage node, and is stored in the data owner terminal.
Further, the first verification unit 302 may include:
A public key obtaining unit, configured to obtain the public key of the storage node if the node certificate is issued by the trusted root certificate;
A public key digest unit, configured to calculate the data digest of the public key of the storage node to obtain a public key digest;
A public key comparison unit, configured to compare the public key digest with the data identifier and, if the public key digest is consistent with the data identifier, determine that the public key of the storage node is correct.
Further, the obtaining unit 301 may include:
An identifier determining unit, configured to obtain the node certificate of the storage node and determine the issuer ID of the authority that issued the node certificate;
An identifier search unit, configured to look up, according to the issuer ID, whether the issuer ID exists in a preset trusted e-commerce certification authority table;
A certificate determination unit, configured to determine that the node certificate is issued by a trusted root certificate if the issuer ID exists in the trusted e-commerce certification authority table.
Further, the terminal device may further include:
A terminal determining unit, configured to determine, if the stored data is incorrect, the historical processing records of the stored data and the processing terminal corresponding to each historical processing record;
An authority determining unit, configured to obtain the data processing authority of each processing terminal;
A record judgment unit, configured to determine that the historical processing record of the processing terminal is compliant if the historical processing record of the processing terminal corresponds to the data processing authority.
The above solution improves the security of data stored by nodes in a peer-to-peer network by verifying both the node certificate and signature of the storage node and the correctness of the stored data in the storage node.
FIG. 4 is a schematic diagram of a terminal device provided in Embodiment 4 of the present application. As shown in FIG. 4, the terminal device 4 of this embodiment includes a processor 40, a memory 41, and computer-readable instructions 42 stored in the memory 41 and executable on the processor 40. When the processor 40 executes the computer-readable instructions 42, the steps in the above data verification method embodiments are implemented, for example steps 101 to 103 shown in FIG. 1. Alternatively, when the processor 40 executes the computer-readable instructions 42, the functions of the modules/units in the above device embodiments are implemented, for example the functions of units 301 to 303 shown in FIG. 3.
The terminal device 4 may be a computing device such as a desktop computer, a notebook, a palmtop computer, or a cloud server. The terminal device may include, but is not limited to, the processor 40 and the memory 41. Those skilled in the art will understand that FIG. 4 is only an example of the terminal device 4 and does not limit it; the terminal device may include more or fewer components than shown, combine certain components, or use different components. For example, the terminal device may further include input and output devices, a network access device, a bus, and the like.
The processor 40 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 41 may be an internal storage unit of the terminal device 4, such as a hard disk or memory of the terminal device 4. The memory 41 may also be an external storage device of the terminal device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card (FC) fitted to the terminal device 4. Further, the memory 41 may include both an internal storage unit of the terminal device 4 and an external storage device. The memory 41 is used to store the computer-readable instructions and other programs and data required by the terminal device. The memory 41 can also be used to temporarily store data that has been output or is about to be output.
Those skilled in the art will clearly understand that, for convenience and conciseness of description, the above division into functional units and modules is only an example. In practical applications, the above functions may be assigned to different functional units and modules as needed; that is, the internal structure of the device may be divided into different functional units or modules to complete all or part of the functions described above. The functional units and modules in the embodiments may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit. In addition, the specific names of the functional units and modules serve only to distinguish them from one another and are not intended to limit the protection scope of the present application. For the specific working processes of the units and modules in the above system, refer to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the above embodiments, the description of each embodiment has its own emphasis. For parts not detailed or recorded in one embodiment, refer to the related descriptions of the other embodiments.
If the integrated module/unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, all or part of the processes in the methods of the above embodiments of the present application may also be completed by computer-readable instructions instructing the relevant hardware, and the computer-readable instructions may be stored in a computer non-volatile readable storage medium.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by computer-readable instructions instructing the relevant hardware. The computer-readable instructions may be stored in a computer non-volatile readable storage medium and, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, a database, or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The above embodiments are only used to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of their technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and shall all be included in the protection scope of the present application.

Claims (20)

  1. A data verification method, characterized in that it comprises:
    obtaining the node certificate of a storage node, and verifying whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by the data owner terminal, and the stored data includes the signature of the storage node;
    若所述节点证书是由所述可信根证书颁发,则获取所述存储节点的公钥,并根据预存的节点标识验证所述存储节点的公钥是否正确;所述节点标识由所述存储节点的公钥的数字摘要生成;If the node certificate is issued by the trusted root certificate, obtain the public key of the storage node, and verify whether the public key of the storage node is correct according to the pre-stored node ID; the node ID is determined by the storage Digital digest generation of the node's public key;
    若所述存储节点的公钥正确,则根据所述存储节点的公钥验证所述存储节点所存储的存储数据中的签名,若所述签名验证通过则说明所述存储数据正确。If the public key of the storage node is correct, the signature in the stored data stored by the storage node is verified according to the public key of the storage node, and if the signature verification is passed, the stored data is correct.
  2. The data verification method according to claim 1, characterized in that, after the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate, the method further comprises:
    if the node certificate is issued by the trusted root certificate, sending to the storage node an authorization instruction to store the stored data;
    receiving a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process;
    the data writing process includes the storage node writing the stored data after it has verified, according to the node certificate, the authorization content in the authorization instruction, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  3. The data verification method according to claim 1, characterized in that the node identifier is obtained in advance by performing digest processing on the node public key of the storage node, and is stored in the data owner terminal;
    the step of, if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node and verifying whether the public key of the storage node is correct according to the pre-stored node identifier comprises:
    if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node;
    calculating a data digest of the public key of the storage node to obtain a public key digest;
    comparing the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determining that the public key of the storage node is correct.
  4. The data verification method according to claim 1, characterized in that the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate comprises:
    obtaining the node certificate of the storage node, and determining the issuing authority identifier of the authority that issued the node certificate;
    according to the issuing authority identifier, looking up whether the issuing authority identifier exists in a preset trusted e-commerce certification authority table;
    if the issuing authority identifier exists in the trusted e-commerce certification authority table, determining that the node certificate is issued by a trusted root certificate.
  5. The data verification method according to any one of claims 1 to 4, characterized in that, after the step of, if the public key of the storage node is correct, verifying the signature in the stored data stored by the storage node according to the public key of the storage node, the stored data being correct if the signature is correct, the method further comprises:
    if the stored data is incorrect, determining the historical processing records of the stored data and the processing terminal corresponding to each historical processing record;
    obtaining the data processing authority of each processing terminal;
    if the historical processing record of the processing terminal corresponds to the data processing authority, determining that the historical processing record of the processing terminal is compliant.
  6. A terminal device, comprising a memory and a processor, the memory storing computer-readable instructions executable on the processor, characterized in that the processor, when executing the computer-readable instructions, implements the following steps:
    obtaining a node certificate of a storage node, and verifying whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by a data owner terminal, and the stored data includes the signature of the storage node;
    if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node, and verifying whether the public key of the storage node is correct according to a pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node;
    if the public key of the storage node is correct, verifying the signature in the stored data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
  7. The terminal device according to claim 6, characterized in that, after the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate, the steps further comprise:
    if the node certificate is issued by the trusted root certificate, sending to the storage node an authorization instruction to store the stored data;
    receiving a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process;
    the data writing process includes the storage node writing the stored data after it has verified, according to the node certificate, the authorization content in the authorization instruction, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  8. The terminal device according to claim 6, characterized in that the node identifier is obtained in advance by performing digest processing on the node public key of the storage node, and is stored in the data owner terminal;
    the step of, if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node and verifying whether the public key of the storage node is correct according to the pre-stored node identifier comprises:
    if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node;
    calculating a data digest of the public key of the storage node to obtain a public key digest;
    comparing the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determining that the public key of the storage node is correct.
  9. The terminal device according to claim 6, characterized in that the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate comprises:
    obtaining the node certificate of the storage node, and determining the issuing authority identifier of the authority that issued the node certificate;
    according to the issuing authority identifier, looking up whether the issuing authority identifier exists in a preset trusted e-commerce certification authority table;
    if the issuing authority identifier exists in the trusted e-commerce certification authority table, determining that the node certificate is issued by a trusted root certificate.
  10. The terminal device according to any one of claims 6 to 9, characterized in that, after the step of, if the public key of the storage node is correct, verifying the signature in the stored data stored by the storage node according to the public key of the storage node, the stored data being correct if the signature is correct, the steps further comprise:
    if the stored data is incorrect, determining the historical processing records of the stored data and the processing terminal corresponding to each historical processing record;
    obtaining the data processing authority of each processing terminal;
    if the historical processing record of the processing terminal corresponds to the data processing authority, determining that the historical processing record of the processing terminal is compliant.
  11. A terminal device, characterized in that it comprises:
    an obtaining unit, configured to obtain a node certificate of a storage node and verify whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by a data owner terminal, and the stored data includes the signature of the storage node;
    a first verification unit, configured to, if the node certificate is issued by the trusted root certificate, obtain the public key of the storage node and verify whether the public key of the storage node is correct according to a pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node;
    a second verification unit, configured to, if the public key of the storage node is correct, verify the signature in the stored data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
  12. The terminal device according to claim 11, characterized in that it further comprises:
    an authorization unit, configured to, if the node certificate is issued by the trusted root certificate, send to the storage node an authorization instruction to store the stored data;
    a receiving unit, configured to receive a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process; the data writing process includes the storage node writing the stored data after it has verified, according to the node certificate, the authorization content in the authorization instruction, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  13. The terminal device according to claim 11, characterized in that the node identifier is obtained in advance by performing digest processing on the node public key of the storage node, and is stored in the data owner terminal;
    the first verification unit comprises:
    a public key obtaining unit, configured to obtain the public key of the storage node if the node certificate is issued by the trusted root certificate;
    a public key digest unit, configured to calculate a data digest of the public key of the storage node to obtain a public key digest;
    a public key comparison unit, configured to compare the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determine that the public key of the storage node is correct.
  14. The terminal device according to claim 11, characterized in that the obtaining unit comprises:
    an identifier determining unit, configured to obtain the node certificate of the storage node and determine the issuing authority identifier of the authority that issued the node certificate;
    an identifier lookup unit, configured to look up, according to the issuing authority identifier, whether the issuing authority identifier exists in a preset trusted e-commerce certification authority table;
    a certificate determination unit, configured to determine that the node certificate is issued by a trusted root certificate if the issuing authority identifier exists in the trusted e-commerce certification authority table.
  15. The terminal device according to any one of claims 11 to 14, characterized in that it further comprises:
    a terminal determining unit, configured to, if the stored data is incorrect, determine the historical processing records of the stored data and the processing terminal corresponding to each historical processing record;
    an authority determination unit, configured to obtain the data processing authority of each processing terminal;
    a record judging unit, configured to determine that the historical processing record of the processing terminal is compliant if the historical processing record of the processing terminal corresponds to the data processing authority.
  16. A computer non-volatile readable storage medium storing computer-readable instructions, characterized in that the computer-readable instructions, when executed by a processor, implement the following steps:
    obtaining a node certificate of a storage node, and verifying whether the node certificate is issued by a preset trusted root certificate; the storage node is used to store the stored data sent by a data owner terminal, and the stored data includes the signature of the storage node;
    if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node, and verifying whether the public key of the storage node is correct according to a pre-stored node identifier; the node identifier is generated from a digital digest of the public key of the storage node;
    if the public key of the storage node is correct, verifying the signature in the stored data stored by the storage node according to the public key of the storage node; if the signature verification passes, the stored data is correct.
  17. The computer non-volatile readable storage medium according to claim 16, characterized in that, after the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate, the steps further comprise:
    if the node certificate is issued by the trusted root certificate, sending to the storage node an authorization instruction to store the stored data;
    receiving a write completion notification sent by the storage node; the write completion notification is used to indicate that the storage node has completed the data writing process;
    the data writing process includes the storage node writing the stored data after it has verified, according to the node certificate, the authorization content in the authorization instruction, and attaching the signature of the storage node after the writing is completed; the signature is used to verify whether the stored data is correct.
  18. The computer non-volatile readable storage medium according to claim 16, characterized in that the node identifier is obtained in advance by performing digest processing on the node public key of the storage node, and is stored in the data owner terminal;
    the step of, if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node and verifying whether the public key of the storage node is correct according to the pre-stored node identifier comprises:
    if the node certificate is issued by the trusted root certificate, obtaining the public key of the storage node;
    calculating a data digest of the public key of the storage node to obtain a public key digest;
    comparing the public key digest with the data identifier, and if the public key digest is consistent with the data identifier, determining that the public key of the storage node is correct.
  19. The computer non-volatile readable storage medium according to claim 16, characterized in that the obtaining a node certificate of a storage node and verifying whether the node certificate is issued by a preset trusted root certificate comprises:
    obtaining the node certificate of the storage node, and determining the issuing authority identifier of the authority that issued the node certificate;
    according to the issuing authority identifier, looking up whether the issuing authority identifier exists in a preset trusted e-commerce certification authority table;
    if the issuing authority identifier exists in the trusted e-commerce certification authority table, determining that the node certificate is issued by a trusted root certificate.
  20. The computer non-volatile readable storage medium according to any one of claims 16 to 19, characterized in that, after the step of, if the public key of the storage node is correct, verifying the signature in the stored data stored by the storage node according to the public key of the storage node, the stored data being correct if the signature is correct, the steps further comprise:
    if the stored data is incorrect, determining the historical processing records of the stored data and the processing terminal corresponding to each historical processing record;
    obtaining the data processing authority of each processing terminal;
    if the historical processing record of the processing terminal corresponds to the data processing authority, determining that the historical processing record of the processing terminal is compliant.
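
The three checks recited in claims 1, 3 and 4 (issuer check, public-key digest compared with the pre-stored node identifier, signature over the stored data), written out as an added Go example that is not code from the patent or the applicant. It assumes Ed25519 node keys, SHA-256 over the raw public key as the node identifier and a constructed record layout; all function and type names are hypothetical. It also validates the certificate's signature chain against the trusted root pool rather than only looking up the issuing authority identifier in a table as claim 4 describes, because an issuer name can be copied into a certificate signed by any key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrUntrustedIssuer = errors.New("node certificate does not chain to a trusted root")
	ErrNodeIDMismatch  = errors.New("public-key digest differs from pre-stored node identifier")
	ErrBadSignature    = errors.New("storage-node signature over stored data is invalid")
)

// StoredData is a constructed layout: the payload plus the node's signature over it.
type StoredData struct{ Payload, Signature []byte }

// NodeID digests the node public key; SHA-256 over the raw key bytes is an assumption (the claims name no hash).
func NodeID(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// VerifyStoredData runs the three checks of claim 1 in order and stops at the first failure.
func VerifyStoredData(certDER []byte, roots *x509.CertPool, storedID []byte, d StoredData) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse node certificate: %w", err)
	}
	// 1. Issuer check: validate the signature chain, not just the issuer name.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedIssuer, err)
	}
	// 2. Key pinning: digest of the certified key must equal the pre-stored node identifier.
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !bytes.Equal(NodeID(pub), storedID) {
		return ErrNodeIDMismatch
	}
	// 3. Data check: the node's signature must cover the payload as it is stored now.
	if !ed25519.Verify(pub, d.Payload, d.Signature) {
		return ErrBadSignature
	}
	return nil
}

// mustCert signs a certificate for pub (parent == nil gives a self-signed root); fixture code, panics on error.
func mustCert(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert
}

// BuildFixture returns constructed inputs: trusted pool, genuine cert, same-issuer-name cert from an untrusted CA, node ID, signed record.
func BuildFixture() (roots *x509.CertPool, good, rogue, id []byte, rec StoredData) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	fakePub, fakeKey, _ := ed25519.GenerateKey(rand.Reader)
	nodePub, nodeKey, _ := ed25519.GenerateKey(rand.Reader)
	root := mustCert("Example Trusted Root CA", rootPub, nil, rootKey)
	fake := mustCert("Example Trusted Root CA", fakePub, nil, fakeKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	good = mustCert("storage-node-1", nodePub, root, rootKey).Raw
	rogue = mustCert("storage-node-1", nodePub, fake, fakeKey).Raw
	payload := []byte("constructed sample record")
	return roots, good, rogue, NodeID(nodePub), StoredData{payload, ed25519.Sign(nodeKey, payload)}
}

func main() {
	roots, good, rogue, id, rec := BuildFixture()
	fmt.Println("genuine node, intact record:", VerifyStoredData(good, roots, id, rec))
	fmt.Println("look-alike issuer name:", VerifyStoredData(rogue, roots, id, rec))
	rec.Payload = append(rec.Payload, '!') // tamper after signing
	fmt.Println("tampered record:", VerifyStoredData(good, roots, id, rec))
}
```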
PCT/CN2019/118157 2019-01-07 2019-11-13 Data verification method and terminal device WO2020143318A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910012597.4 2019-01-07
CN201910012597.4A CN109905360B (en) 2019-01-07 2019-01-07 Data verification method and terminal equipment

Publications (1)

Publication Number Publication Date
WO2020143318A1 true WO2020143318A1 (en) 2020-07-16

Family

ID=66943715

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118157 WO2020143318A1 (en) 2019-01-07 2019-11-13 Data verification method and terminal device

Country Status (2)

Country Link
CN (1) CN109905360B (en)
WO (1) WO2020143318A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491893A (en) * 2020-11-26 2021-03-12 秦丽霞 Block chain terminal equipment network access method, device, server and storage medium
CN114095180A (en) * 2021-11-29 2022-02-25 深圳市电子商务安全证书管理有限公司 Digital certificate management method, apparatus and medium
CN116361860A (en) * 2022-12-27 2023-06-30 深圳市网新新思软件有限公司 Information storage and verification method, device, equipment and storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109905360B (en) * 2019-01-07 2021-12-03 平安科技(深圳)有限公司 Data verification method and terminal equipment
CN111541733B (en) * 2020-03-06 2022-09-20 杜晓楠 Method for testing message storage in P2P network, computer readable storage medium and P2P network
CN111902815B (en) * 2020-03-11 2023-06-27 合肥达朴汇联科技有限公司 Data transmission method, system, device, electronic device and readable storage medium
CN111612456A (en) * 2020-04-27 2020-09-01 深圳壹账通智能科技有限公司 Expired digital certificate management and control method, system, device and storage medium
CN113051630A (en) * 2021-03-31 2021-06-29 联想(北京)有限公司 Control method and electronic equipment
CN114092092B (en) * 2022-01-19 2022-04-29 安徽中科晶格技术有限公司 Decentralized digital certificate management system based on threshold signature and use method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664739A (en) * 2012-04-26 2012-09-12 杜丽萍 PKI (Public Key Infrastructure) implementation method based on safety certificate
CN103326856A (en) * 2013-05-20 2013-09-25 西北工业大学 Cloud storage data responsibility confirmation structure and method based on two-way digital signature
CN105024824A (en) * 2014-11-05 2015-11-04 祝国龙 Method for generating and verifying credible label based on asymmetrical encryption algorithm and system
US20160344725A1 (en) * 2014-04-02 2016-11-24 William B. SEVERIN Signal haystacks
CN108092982A (en) * 2017-12-22 2018-05-29 广东工业大学 A kind of date storage method and system based on alliance's chain
CN109905360A (en) * 2019-01-07 2019-06-18 平安科技(深圳)有限公司 Data verification method and terminal device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9270467B1 (en) * 2013-05-16 2016-02-23 Symantec Corporation Systems and methods for trust propagation of signed files across devices
CN104202168A (en) * 2014-09-19 2014-12-10 浪潮电子信息产业股份有限公司 Cloud data integrity verification method based on trusted third party
CN104378386A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Method for cloud data confidentiality protection and access control
CN104811450B (en) * 2015-04-22 2017-10-17 电子科技大学 The date storage method and integrity verification method of a kind of identity-based in cloud computing
CN105227317B (en) * 2015-09-02 2019-04-05 青岛大学 A kind of cloud data integrity detection method and system for supporting authenticator privacy
CN107959656B (en) * 2016-10-14 2021-08-31 阿里巴巴集团控股有限公司 Data security guarantee system, method and device

Also Published As

Publication number Publication date
CN109905360A (en) 2019-06-18
CN109905360B (en) 2021-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 19909419; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 19909419; Country of ref document: EP; Kind code of ref document: A1
Kind code of ref document: A1