WO2020253105A1 - Authorization management method, system, apparatus, and computer readable storage medium - Google Patents
- Publication number
- WO2020253105A1 (application PCT/CN2019/120831)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- signature code
- data
- public key
- encrypted data
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/72—Signcrypting, i.e. digital signing and encrypting simultaneously
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Definitions
- This application relates to the field of blockchain technology, in particular to an authorization management method, system, equipment, and computer-readable storage medium.
- the problem to be solved by the blockchain network is, first of all, the sharing of information between industries; large companies regard data as their lifeblood and are unwilling to share it. For this reason, all sensitive data uploaded to the blockchain must be encrypted. Only in this way can large companies' concerns about data sharing be resolved, so that data sharing does not turn into a data handout.
- information sharing between all business-related parties is realized by authorizing the key. For example: when putting data on the chain, Alice generates a unique public-private key pair for that data, and Alice authorizes Bob by giving him the private key, so Bob can provide the correct signature value for this piece of data, and the smart contract uses the result of public key verification to determine whether Bob has the authority to modify the current data.
- the main purpose of this application is to provide an authorization management method, system, equipment, and computer-readable storage medium, which aim to solve the problem that, in the prior art, if the data owner Alice needs to grant Bob the right to modify data, she must give the private key of the data to Bob, leaving Alice unable to withdraw the permission from Bob.
- this application provides an authorization management method, which is applied to a blockchain-based authorization management system.
- the authorization management system includes a first node, a second node and a miner node.
- the authorization management method includes the following steps:
- the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code
- the miner node obtains the first signature code, and verifies the first signature code using the first public key of the data owner;
- the miner node adds the second public key to the authorization list
- the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code;
- the miner node obtains the second signature code, and verifies the second signature code based on the authorization list;
- the miner node publishes the second encrypted data to the blockchain.
- before the step in which the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code, the method further includes:
- the first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain the first encrypted data;
- the miner node publishes the first public key and the first encrypted data to the blockchain
- the second node obtains the first encrypted data from the blockchain, and decrypts the first encrypted data with a symmetric key to obtain the original data;
- the second node generates a second public key and a second private key, and sends the second public key to the first node.
- the step in which the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code, includes:
- the second node modifies the original data to obtain second data, and uses the symmetric key to encrypt the second data to obtain second encrypted data;
- the second node signs the second encrypted data by using the second private key to obtain a second signature code.
- the step of obtaining the second signature code by the miner node and verifying the second signature code based on the authorization list includes:
- the miner node obtains the second signature code, and obtains the added public key from the authorization list;
- the second signature code is verified against each added public key in turn.
- the method further includes:
- the first node decrypts the second encrypted data by using the symmetric key to obtain the second data
- the first node generates a new symmetric key, and encrypts the second data with the new symmetric key to obtain the third encrypted data;
- the first node signs the third encrypted data with the first private key to obtain the third signature code
- the miner node obtains the third signature code, and verifies the third signature code through the first public key
- the miner node publishes the third encrypted data on the blockchain and deletes the second encrypted data.
- the method further includes:
- the first node generates a deletion request for the second public key, and signs the deletion request with the first private key to obtain a fourth signature code
- the miner node obtains the fourth signature code, and verifies the fourth signature code through the first public key
- the miner node deletes the second public key from the authorization list.
- the method further includes:
- the first node counts the existence time of the second public key in the authorization list
- when it is detected that the existence duration is greater than a preset threshold, the step in which the first node generates a deletion request for the second public key and signs the deletion request with the first private key to obtain a fourth signature code is executed.
- this application also provides an authorization management system applied to the blockchain, the authorization management system including a first node, a second node, and a miner node,
- the first node includes:
- the first signature module is used to sign the second public key of the authorized user with the first private key of the data owner to obtain the first signature code
- the miner node includes:
- the first signature verification module is configured to obtain the first signature code, and verify the first signature code by the first public key of the data owner;
- An authorization adding module which is used to add the second public key to the authorization list when the first signature code is verified
- the second node includes:
- the second signature module is used to modify and encrypt the original data to obtain the second encrypted data, and to sign the second encrypted data using the second private key of the authorized user to obtain the second signature code;
- the miner node also includes:
- a second signature verification module configured to obtain the second signature code, and verify the second signature code based on the authorization list
- the publishing module is used for publishing the second encrypted data to the blockchain when the verification of the second signature code is passed.
- the present application also provides an authorization management device, the authorization management device includes: a memory, a processor, and an authorization management program stored in the memory and running on the processor, and when the authorization management program is executed by the processor, the steps of the authorization management method described above are implemented.
- the present application also provides a computer-readable storage medium, the computer-readable storage medium stores an authorization management program, and when the authorization management program is executed by a processor, the steps of the authorization management method described above are implemented.
- the first node uses the first private key of the data owner to sign the second public key of the authorized user to obtain the first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when the first signature code is verified, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when the second signature code is verified, the miner node publishes the second encrypted data to the blockchain.
- the owner of the data can grant the authorized party the right to modify the data without providing the private key to the authorized party, so that the owner of the data always retains absolute control over the data, which improves data security.
- FIG. 1 is a schematic diagram of the structure of the authorization management device of the hardware operating environment involved in the solution of the embodiment of the application;
- FIG. 2 is a schematic flowchart of a first embodiment of the authorization management method of this application
- FIG. 3 is a schematic flowchart of a second embodiment of the authorization management method for this application.
- Fig. 4 is a schematic diagram of functional modules of the first embodiment of the authorization management system of this application.
- FIG. 1 is a schematic diagram of the structure of an authorization management device for a hardware operating environment involved in a solution of an embodiment of the application.
- the authorization management device in the embodiment of the present application may be a PC, or a terminal device with data processing capabilities, such as a smart phone, a tablet computer, and a portable computer.
- the authorization management device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002.
- the communication bus 1002 is used to implement connection and communication between these components.
- the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and optionally the user interface 1003 may also include a standard wired interface and a wireless interface.
- the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
- the memory 1005 may be a high-speed RAM memory, or a non-volatile memory, such as a magnetic disk memory.
- the memory 1005 may also be a storage device independent of the foregoing processor 1001.
- the structure shown in FIG. 1 does not constitute a limitation on the authorization management device, which may include more or fewer components than shown in the figure, a combination of certain components, or a different component layout.
- the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and an authorization management program.
- the network interface 1004 is mainly used to connect to the back-end server and communicate with the back-end server; the user interface 1003 is mainly used to connect to the client (user side) and communicate with the client; and
- the processor 1001 may be used to call an authorization management program stored in the memory 1005, and execute the steps of the following authorization management methods in each embodiment.
- FIG. 2 is a schematic flowchart of the first embodiment of the authorization management method of this application.
- the authorization management method of this application is applied to a blockchain-based authorization management system.
- the authorization management system includes a first node, a second node, and a miner node.
- the authorization management method includes:
- Step S50 the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code
- user A who owns the data wants to grant user B the right to modify the data
- both user A’s terminal and user B’s terminal are connected to the blockchain
- user A’s terminal is called the first node
- user B’s terminal is the second node.
- the miner node is used to publish the data from the first node and the second node to the block of the blockchain.
- User A has a pair of public and private keys, called the first public key and the first private key
- user B also has a pair of public and private keys, called the second public key and the second private key.
- User A's terminal stores the above-mentioned first private key and second public key, and the first public key is stored on the blockchain.
- the first node signs the second public key with the first private key (that is, following the principle of private-key signing, the second public key is encrypted with the first private key), and the first signature code is obtained (that is, the result of encrypting the second public key with the first private key).
- Step S60 the miner node obtains the first signature code, and verifies the first signature code using the first public key of the data owner;
- after the first node generates the first signature code, it broadcasts task one to each miner node on the blockchain; the miner node that obtains task one obtains the first signature code and verifies it with the first public key stored on the blockchain.
- Step S70 when the first signature code is verified, the miner node adds the second public key to the authorization list;
- the first private key and the first public key correspond to each other. Therefore, the first signature code can be successfully decrypted with the first public key, that is, the first signature code is verified.
- the decrypted content of the first signature code, that is, the second public key, can be obtained. Since the first private key is only known to user A, it means that the generation of the first signature code is allowed by user A (that is, the user to which the data belongs).
- the miner node adds the decrypted information (the second public key) to the authorization list (the authorization list is recorded on the blockchain).
- Step S80 the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
- the original data T is stored on the blockchain. It can be the original data itself, or it can be encrypted original data (the encryption method can be to encrypt the original data T with a symmetric key), that is, T1.
- step S80 includes: the second node modifies the original data to obtain second data, and encrypts the second data using the symmetric key to obtain second encrypted data; the second node signs the second encrypted data with the second private key to obtain a second signature code. That is, the second node obtains the original data from the blockchain (or obtains T1 and then decrypts it with the symmetric key to recover the original data) and modifies the original data (based on user B's operation). After the modification is completed, it encrypts the modified original data with the symmetric key to obtain the second encrypted data, namely T2. It then signs T2 with the second private key (that is, following the principle of private-key signing, T2 is encrypted with the second private key) to obtain the second signature code (that is, the result of encrypting T2 with the second private key).
- Step S90 the miner node obtains the second signature code, and verifies the second signature code based on the authorization list;
- step S90 includes: the miner node obtains the second signature code, and obtains the added public keys from the authorization list; and verifies the second signature code against each added public key in turn.
- the second public key of user B is added to the authorization list.
- the public keys of user C, user D and any other users to whom user A wants to grant authorization can also be added to the authorization list; that is, the public keys of the authorized parties exist in the authorization list.
- after the second node generates the second signature code, it broadcasts task two to each miner node on the blockchain; the miner node that obtains task two verifies (that is, decrypts) the second signature code based on the public keys stored in the authorization list.
- Step S100 when the verification of the second signature code is passed, the miner node publishes the second encrypted data to the blockchain.
- when the miner node successfully verifies the second signature code with the added second public key, it publishes the second encrypted data to the blockchain.
- the miner node can use the second public key to successfully decrypt the second signature code (that is, the signature is successfully verified) and obtain T2, and then the miner node publishes T2 on the blockchain (equivalent to accepting the second node's modification of the original data only when the second signature code is verified).
- the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when the first signature code is verified, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when the second signature code is verified, the miner node publishes the second encrypted data to the blockchain.
- the owner of the data can grant the authorized party the right to modify the data without providing the private key to the authorized party, so that the owner of the data always retains absolute control over the data, which improves data security.
- FIG. 3 is a schematic flowchart of a second embodiment of the authorization management method of this application.
- before step S50, the method further includes:
- Step S10 the first node generates a first public key and a first private key, and encrypts the original data with the symmetric key to obtain the first encrypted data;
- the first node can use the openssl tool to generate a pair of RSA public and private keys, that is, the first public key and the first private key; on the terminal of user A to which the data belongs (i.e., the first node), a random number generation algorithm is used to generate a symmetric key, and the symmetric key is pre-stored on the first node and the second node.
- the original data T is encrypted by the symmetric key to obtain the first encrypted data T1.
- Step S20 the miner node publishes the first public key and the first encrypted data to the blockchain
- the miner node publishes the first public key and T1 to the blockchain. That is, an information publishing task is generated on the first node, and the miner node that has acquired the task publishes the information that needs to be published (that is, the first public key and T1) on the blockchain.
- Step S30 the second node obtains the first encrypted data from the blockchain, and decrypts the first encrypted data with a symmetric key to obtain the original data;
- the second node obtains the first encrypted data T1 from the blockchain, and decrypts the first encrypted data with a symmetric key to obtain the original data.
- subsequent actions to modify the original data can be performed.
- Step S40 The second node generates a second public key and a second private key, and sends the second public key to the first node.
- a pair of RSA public and private keys, namely the second public key and the second private key, can be generated with the openssl tool, and then the second public key is sent to the first node.
- the method further includes:
- Step S110 the first node decrypts the second encrypted data by using the symmetric key to obtain second data
- the miner node uploads the modified original data (that is, the second encrypted data) to the blockchain
- User A can trigger a view-prohibition instruction that names user B as the user prohibited from viewing.
- when the first node receives the instruction, it obtains the second encrypted data from the blockchain and uses the symmetric key to decrypt the second encrypted data to obtain the second data.
- Step S120 the first node generates a new symmetric key, and encrypts the second data with the new symmetric key to obtain third encrypted data;
- the first node generates a new symmetric key (without notifying the second node), and encrypts the second data with the new symmetric key to obtain the third encrypted data.
- Step S130 the first node signs the third encrypted data with the first private key to obtain a third signature code
- the first node signs the third encrypted data with the first private key (that is, the principle of private key signature, the third encrypted data is encrypted with the first private key) to obtain the third signature code.
- Step S140 The miner node obtains the third signature code and verifies it with the first public key. When the verification of the third signature code is passed, the miner node publishes the third encrypted data on the blockchain and deletes the second encrypted data.
- after the first node generates the third signature code, it broadcasts task three to each miner node on the blockchain; the miner node that obtains task three verifies (decrypts) the third signature code with the first public key (stored on the blockchain). When the verification passes (the decryption succeeds), the third encrypted data is obtained. The miner node then publishes the third encrypted data to the blockchain and deletes the second encrypted data. At this point, user B cannot read the third encrypted data because he does not know the new symmetric key. That is, user B's permission to view data is withdrawn.
- the method further includes:
- Step S150 the first node generates a deletion request for deleting the second public key, and signs the deletion request with the first private key to obtain a fourth signature code
- while the public key (the second public key in this embodiment) of the authorized party (user B in this embodiment) is stored in the authorization list, the modification of the original data by user B's terminal (the second node) will be accepted (that is, published to the blockchain).
- the first node is controlled to generate a deletion request for the second public key, and the deletion request is signed with the first private key (that is, following the principle of private-key signing, the deletion request is encrypted with the first private key), and the fourth signature code is obtained.
- Step S160 the miner node obtains the fourth signature code, and verifies the fourth signature code using the first public key; step S170, when the fourth signature code is verified, the miner node deletes the second public key from the authorization list.
- after the first node generates the fourth signature code, it broadcasts task four to each miner node on the blockchain; the miner node that obtains task four verifies (i.e. decrypts) the fourth signature code with the first public key. When the verification passes (i.e. the decryption succeeds), the deletion request is obtained and executed as specified, and the second public key is deleted from the authorization list.
- when the second public key no longer exists in the authorization list, user B no longer has the right to modify data.
- the method further includes:
- the first node counts the existence time of the second public key in the authorization list
- steps S150-S170 are executed.
- a preset threshold can be set in advance, for example, one month.
- when a certain public key is added to the authorization list, timing starts.
- steps S150 to S170, that is, deleting the public key from the authorization list.
- Figure 4 is a schematic diagram of the functional modules of the first embodiment of the authorization management system of this application.
- the authorization management system is applied to the blockchain, including the first node, the second node and the miner node,
- the first node 10 includes:
- the first signature module 101 is used to sign the second public key of the authorized user by the first private key of the data owner to obtain the first signature code;
- the miner node 20 includes:
- the first signature verification module 201 is configured to obtain the first signature code, and verify the first signature code using the first public key of the data owner;
- the authorization adding module 202 is configured to add the second public key to the authorization list when the first signature code passes the verification;
- the second node 30 includes:
- the second signature module 301 is used to modify and encrypt the original data to obtain the second encrypted data, and to sign the second encrypted data using the second private key of the authorized user to obtain the second signature code;
- the miner node 20 further includes:
- the second verification module 203 is configured to obtain the second signature code, and verify the second signature code based on the authorization list;
- the publishing module 204 is configured to publish the second encrypted data to the blockchain when the verification of the second signature code is passed.
- the first node uses the first private key of the data owner to sign the second public key of the authorized user to obtain the first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when the first signature code is verified, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the authorized user's second private key to obtain the second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when the second signature code is verified, the miner node publishes the second encrypted data to the blockchain.
- the owner of the data can grant the authorized party the right to modify the data without providing the private key to the authorized party, so that the owner of the data always retains absolute control over the data, which improves data security.
- the embodiment of the present application also proposes a computer-readable storage medium, where the computer-readable storage medium may be volatile or non-volatile, which is not specifically limited by this application.
- the computer-readable storage medium stores an authorization management program, and when the authorization management program is executed by a processor, the steps of each embodiment of the authorization management method described above are implemented.
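The grant, submit and delete steps above (S50 to S100 and S150 to S170), seen from the miner node, as an added Go example that is not code from the patent or its applicant. It uses detached RSA-PSS signatures over a SHA-256 hash in place of the text's "encrypt with the private key" description; the `Ledger` type, the function names, the purpose tags and the record of deleted keys are assumptions of this example, and the ciphertexts are constructed placeholder bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Purpose tags (assumed here; the patent defines no message format) separate the operations.
const tagGrant, tagRevoke, tagData = "grant:", "revoke:", "data:"

var ErrBadSignature = errors.New("owner signature does not verify")
var ErrNotAuthorized = errors.New("no key in the authorization list verifies")
var ErrRevoked = errors.New("key was deleted earlier; old grant rejected")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
func EncodePub(p *rsa.PublicKey) []byte { return x509.MarshalPKCS1PublicKey(p) }

func digest(tag string, msg []byte) []byte {
	h := sha256.Sum256(append([]byte(tag), msg...))
	return h[:]
}

// Sign returns a detached RSA-PSS signature ("signature code") over tag||msg.
func Sign(k *rsa.PrivateKey, tag string, msg []byte) []byte {
	return must(rsa.SignPSS(rand.Reader, k, crypto.SHA256, digest(tag, msg), nil))
}
func verify(p *rsa.PublicKey, tag string, msg, sig []byte) bool {
	return rsa.VerifyPSS(p, crypto.SHA256, digest(tag, msg), sig, nil) == nil
}

// Ledger is the miner node's state for one data item.
type Ledger struct {
	owner   *rsa.PublicKey            // first public key
	auth    map[string]*rsa.PublicKey // authorization list, keyed by encoding
	revoked map[string]bool           // added here: keys already deleted
	Data    []byte                    // ciphertext currently published
}

func NewLedger(owner *rsa.PublicKey, t1 []byte) *Ledger {
	return &Ledger{owner, map[string]*rsa.PublicKey{}, map[string]bool{}, t1}
}

// Grant is S60-S70: check the first signature code, then list the key.
func (l *Ledger) Grant(pub *rsa.PublicKey, sig []byte) error {
	id := EncodePub(pub)
	switch {
	case !verify(l.owner, tagGrant, id, sig):
		return ErrBadSignature
	case l.revoked[string(id)]: // a recorded grant would otherwise replay
		return ErrRevoked
	}
	l.auth[string(id)] = pub
	return nil
}

// Submit is S90-S100: try each listed key in turn, publish on a match.
func (l *Ledger) Submit(ciphertext, sig []byte) error {
	for _, pub := range l.auth {
		if verify(pub, tagData, ciphertext, sig) {
			l.Data = ciphertext
			return nil
		}
	}
	return ErrNotAuthorized
}

// Revoke is S160-S170: check the fourth signature code, then delist the key.
func (l *Ledger) Revoke(pub *rsa.PublicKey, sig []byte) error {
	id := EncodePub(pub)
	if !verify(l.owner, tagRevoke, id, sig) {
		return ErrBadSignature
	}
	delete(l.auth, string(id))
	l.revoked[string(id)] = true
	return nil
}

func main() {
	owner, bob := NewKey(), NewKey()
	bobID, t2 := EncodePub(&bob.PublicKey), []byte("T2 (constructed ciphertext)")
	l := NewLedger(&owner.PublicKey, []byte("T1 (constructed ciphertext)"))
	grant := Sign(owner, tagGrant, bobID)
	fmt.Println("grant:", l.Grant(&bob.PublicKey, grant))
	fmt.Println("submit:", l.Submit(t2, Sign(bob, tagData, t2)))
	fmt.Println("revoke:", l.Revoke(&bob.PublicKey, Sign(owner, tagRevoke, bobID)))
	fmt.Println("replayed grant:", l.Grant(&bob.PublicKey, grant))
}
```

The first signature code covers only the second public key, so it still verifies after that key has been deleted; the record of deleted keys is what keeps an old grant from restoring the entry in this example.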
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The present application relates to the technical field of blockchains, and discloses an authorization management method, a system, an apparatus, and a computer readable storage medium. The authorization management method comprises: a first node signing a second public key by means of a first private key, and obtaining a first signature code; performing signature verification on the first signature code by means of a first public key, and adding the second public key to an authorization list if the signature verification succeeds; a second node signing second encryption data by means of a second private key, and obtaining a second signature code; and performing signature verification on the second signature code on the basis of the authorization list, and publishing the second encryption data on a blockchain if the signature verification succeeds. The present application enables a data owner to grant permission for modifying data to a party to be authorized without providing a private key to the party, such that data owners always keep absolute control of data, thereby enhancing data security.
Description
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on June 21, 2019, with application number 201910541123.9 and the invention title "Authorization management method, system, device, and computer-readable storage medium", the entire contents of which are incorporated into this application by reference.
This application relates to the field of blockchain technology, and in particular to an authorization management method, system, device, and computer-readable storage medium.
The first problem a blockchain network has to solve is information sharing between industries. Large companies, however, regard data as their lifeblood and are unwilling to share it. For this reason, all sensitive data uploaded to the blockchain must be encrypted; only then can large companies' concerns about data sharing be resolved, without data sharing turning into a data giveaway.
In business practice, information sharing among all related parties is achieved by authorizing keys. For example, when Alice puts data on the chain, she generates a unique public-private key pair for that piece of data, and Alice authorizes Bob by giving him the private key. Bob can then provide a correct signature value for the data, and the smart contract uses the result of public-key signature verification to determine whether Bob has permission to modify the current data.
The inventor found that, in the existing practice, if the data owner Alice needs to grant Bob permission to modify the data, she must give Bob the data's private key. As a result, even after the business exchange is complete, Bob still holds the private key and therefore always has permission to modify the data; Alice cannot take the permission back from Bob, which brings unnecessary trouble to the implementation of the business.
Summary of the invention
The main purpose of this application is to provide an authorization management method, system, device, and computer-readable storage medium, aiming to solve the technical problem in the prior art that if the data owner Alice needs to grant Bob permission to modify the data, she must give Bob the data's private key, with the result that Alice cannot take the permission back from Bob.
To achieve the above objective, this application provides an authorization management method applied to a blockchain-based authorization management system. The authorization management system includes a first node, a second node, and a miner node, and the authorization management method includes the following steps:
The first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
The miner node obtains the first signature code and verifies it with the first public key of the data owner;
When verification of the first signature code passes, the miner node adds the second public key to the authorization list;
The second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
The miner node obtains the second signature code and verifies it based on the authorization list;
When verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain.
Optionally, before the step in which the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code, the method further includes:
The first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain first encrypted data;
The miner node publishes the first public key and the first encrypted data to the blockchain;
The second node obtains the first encrypted data from the blockchain and decrypts it with the symmetric key to obtain the original data;
The second node generates a second public key and a second private key, and sends the second public key to the first node.
Optionally, the step in which the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code, includes:
The second node modifies the original data to obtain second data, and encrypts the second data with the symmetric key to obtain the second encrypted data;
The second node signs the second encrypted data with the second private key to obtain the second signature code.
Optionally, the step in which the miner node obtains the second signature code and verifies it based on the authorization list includes:
The miner node obtains the second signature code, and obtains the added public keys from the authorization list;
The second signature code is verified with each of the added public keys in turn.
Optionally, after the step in which the miner node publishes the second encrypted data to the blockchain when verification of the second signature code passes, the method further includes:
The first node decrypts the second encrypted data with the symmetric key to obtain the second data;
The first node generates a new symmetric key and encrypts the second data with the new symmetric key to obtain third encrypted data;
The first node signs the third encrypted data with the first private key to obtain a third signature code;
The miner node obtains the third signature code and verifies it with the first public key;
When verification of the third signature code passes, the miner node publishes the third encrypted data to the blockchain and deletes the second encrypted data.
Optionally, after the step in which the miner node adds the second public key to the authorization list when verification of the first signature code passes, the method further includes:
The first node generates a deletion request for the second public key and signs the deletion request with the first private key to obtain a fourth signature code;
The miner node obtains the fourth signature code and verifies it with the first public key;
When verification of the fourth signature code passes, the miner node deletes the second public key from the authorization list.
Optionally, after the step in which the miner node adds the second public key to the authorization list when verification of the first signature code passes, the method further includes:
The first node tracks how long the second public key has been in the authorization list;
When it is detected that this duration is greater than a preset threshold, the step in which the first node generates a deletion request for the second public key and signs the deletion request with the first private key to obtain a fourth signature code is executed.
In addition, to achieve the above objective, this application also provides an authorization management system applied to a blockchain. The authorization management system includes a first node, a second node, and a miner node.
The first node includes:
A first signature module, configured to sign the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
The miner node includes:
A first signature verification module, configured to obtain the first signature code and verify it with the first public key of the data owner;
An authorization adding module, configured to add the second public key to the authorization list when verification of the first signature code passes;
The second node includes:
A second signature module, configured to modify and encrypt the original data to obtain second encrypted data, and to sign the second encrypted data with the second private key of the authorized user to obtain a second signature code;
The miner node further includes:
A second signature verification module, configured to obtain the second signature code and verify it based on the authorization list;
A publishing module, configured to publish the second encrypted data to the blockchain when verification of the second signature code passes.
In addition, to achieve the above objective, this application also provides an authorization management device. The authorization management device includes a memory, a processor, and an authorization management program that is stored in the memory and can run on the processor; when the authorization management program is executed by the processor, the steps of the authorization management method described above are implemented.
In addition, to achieve the above objective, this application also provides a computer-readable storage medium on which an authorization management program is stored; when the authorization management program is executed by a processor, the steps of the authorization management method described above are implemented.
In this application, the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when verification of the first signature code passes, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain. Through this application, the owner of the data can grant the authorized party the right to modify the data without providing the private key to the authorized party, so that the owner of the data always retains absolute control over the data, which improves data security.
FIG. 1 is a schematic structural diagram of the authorization management device in the hardware operating environment involved in the embodiments of this application;
FIG. 2 is a schematic flowchart of the first embodiment of the authorization management method of this application;
FIG. 3 is a schematic flowchart of the second embodiment of the authorization management method of this application;
FIG. 4 is a schematic diagram of the functional modules of the first embodiment of the authorization management system of this application.
The realization of the purpose, the functional characteristics, and the advantages of this application will be further described in conjunction with the embodiments and with reference to the accompanying drawings.
It should be understood that the specific embodiments described here are only used to explain this application and are not intended to limit it.
As shown in FIG. 1, FIG. 1 is a schematic structural diagram of the authorization management device in the hardware operating environment involved in the embodiments of this application.
The authorization management device in the embodiments of this application may be a PC, or a terminal device with data processing capabilities such as a smartphone, a tablet computer, or a portable computer.
As shown in FIG. 1, the authorization management device may include a processor 1001 (for example, a CPU), a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to implement connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory), such as a magnetic disk memory. Optionally, the memory 1005 may also be a storage device independent of the foregoing processor 1001.
Those skilled in the art can understand that the structure of the authorization management device shown in FIG. 1 does not constitute a limitation on the authorization management device, which may include more or fewer components than shown in the figure, a combination of certain components, or a different arrangement of components.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and an authorization management program.
In the authorization management device shown in FIG. 1, the network interface 1004 is mainly used to connect to a back-end server and exchange data with it; the user interface 1003 is mainly used to connect to a client (user side) and exchange data with it; and the processor 1001 may be used to call the authorization management program stored in the memory 1005 and execute the steps of the following embodiments of the authorization management method.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of the first embodiment of the authorization management method of this application.
In the first embodiment of the authorization management method of this application, the method is applied to a blockchain-based authorization management system. The authorization management system includes a first node, a second node, and a miner node, and the authorization management method includes:
Step S50, the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
In this embodiment, user A, who owns the data, wants to grant user B permission to modify the data. Both user A's terminal and user B's terminal are connected to the blockchain; user A's terminal is called the first node, and user B's terminal is called the second node. The miner node is used to publish data from the first node and the second node to blocks of the blockchain. User A has a public-private key pair, called the first public key and the first private key; user B also has a public-private key pair, called the second public key and the second private key. User A's terminal stores the first private key and the second public key, and the first public key is stored on the blockchain.
In this embodiment, the first node signs the second public key with the first private key (that is, following the private-key signature principle, the second public key is encrypted with the first private key) to obtain the first signature code (that is, the result of encrypting the second public key with the first private key).
Step S60, the miner node obtains the first signature code and verifies it with the first public key of the data owner;
In this embodiment, after the first node generates the first signature code, it broadcasts task one to the miner nodes on the blockchain. The miner node that picks up task one obtains the first signature code and verifies it with the first public key stored on the blockchain.
Step S70, when verification of the first signature code passes, the miner node adds the second public key to the authorization list;
In this embodiment, the first private key and the first public key correspond to each other, so the first signature code can be successfully decrypted with the first public key, that is, verification of the first signature code passes. When verification of the first signature code with the first public key passes, the decrypted content of the first signature code, namely the second public key, is obtained. Since only user A knows the first private key, this shows that the generation of the first signature code was permitted by user A (the user who owns the data), so when verification passes, the miner node adds the decrypted content (the second public key) to the authorization list (the authorization list is recorded on the blockchain).
Step S80, the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
In this embodiment, the original data T is stored on the blockchain. What is stored may be the original data itself, or the encrypted original data (for example, the original data T encrypted with a symmetric key), namely T1.
In this embodiment, step S80 includes: the second node modifies the original data to obtain second data, and encrypts the second data with the symmetric key to obtain second encrypted data; the second node signs the second encrypted data with the second private key to obtain a second signature code. That is, the second node obtains the original data from the blockchain (or obtains T1 and decrypts it with the symmetric key to obtain the original data) and modifies the original data (based on user B's operations). After the modification is complete, it encrypts the modified original data with the symmetric key to obtain the second encrypted data, namely T2. It then signs T2 with the second private key (that is, following the private-key signature principle, T2 is encrypted with the second private key) to obtain the second signature code (that is, the result of encrypting T2 with the second private key).
Step S90, the miner node obtains the second signature code and verifies it based on the authorization list;
In this embodiment, step S90 includes: the miner node obtains the second signature code and obtains the added public keys from the authorization list; the second signature code is verified with each of the added public keys in turn.
In this embodiment, as described in steps S50 to S70, user B's second public key is added to the authorization list. In the same way, the public keys of user C, user D, and any other users that user A wants to authorize can also be added, so the authorization list holds the public keys of the authorized parties. After the second node generates the second signature code, it broadcasts task two to the miner nodes on the blockchain; the miner node that picks up task two verifies (that is, decrypts) the second signature code with each public key stored in the authorization list in turn.
Step S100, when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain.
In this embodiment, when the miner node's verification of the second signature code with the added second public key passes, it publishes the second encrypted data to the blockchain.
In this embodiment, since the second signature code is the result of encrypting T2 with the second private key, and the second public key is in the authorization list, the miner node can successfully decrypt the second signature code with the second public key (that is, verification succeeds) and obtain T2. The miner node then publishes T2 to the blockchain (in other words, the second node's modification of the original data is accepted only when verification of the second signature code passes).
In this embodiment, the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when verification of the first signature code passes, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain. Through this embodiment, the owner of the data can grant the authorized party the right to modify the data without providing the private key to the authorized party, so that the owner of the data always retains absolute control over the data, which improves data security.
Further, referring to FIG. 3, FIG. 3 is a schematic flowchart of the second embodiment of the authorization management method of this application.
In the second embodiment of the authorization management method of this application, before step S50, the method further includes:
Step S10, the first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain first encrypted data;
In this embodiment, the first node can use the openssl tool to generate an RSA public-private key pair, namely the first public key and the first private key. On the terminal of user A, who owns the data (that is, the first node), a symmetric key is generated with a random number generation algorithm, and the symmetric key is stored in advance on the first node and the second node. The original data T is encrypted with the symmetric key to obtain the first encrypted data T1.
Step S20, the miner node publishes the first public key and the first encrypted data to the blockchain;
In this embodiment, the miner node publishes the first public key and T1 to the blockchain. That is, an information publishing task is generated on the first node, and the miner node that picks up the task publishes the information to be published (the first public key and T1) to the blockchain.
Step S30, the second node obtains the first encrypted data from the blockchain and decrypts it with the symmetric key to obtain the original data;
In this embodiment, the second node obtains the first encrypted data T1 from the blockchain and decrypts it with the symmetric key to obtain the original data, so that the subsequent modification of the original data can be carried out.
Step S40, the second node generates a second public key and a second private key, and sends the second public key to the first node.
In this embodiment, the second node can use the openssl tool to generate an RSA public-private key pair, namely the second public key and the second private key, and then sends the second public key to the first node.
Further, in an embodiment of the authorization management method of this application, after step S100, the method further includes:
Step S110, the first node decrypts the second encrypted data with the symmetric key to obtain second data;
In this embodiment, after the miner node uploads the original data modified by the second node (that is, the second encrypted data) to the blockchain, if user A no longer wants user B to view the decrypted content of the second encrypted data, user A can trigger a viewing-prohibition instruction that names user B as the prohibited user. When the first node receives the instruction, it obtains the second encrypted data from the blockchain and decrypts it with the symmetric key to obtain the second data.
Step S120, the first node generates a new symmetric key and encrypts the second data with the new symmetric key to obtain third encrypted data;
In this embodiment, the first node generates a new symmetric key (without informing the second node) and encrypts the second data with the new symmetric key to obtain the third encrypted data.
Step S130, the first node signs the third encrypted data with the first private key to obtain a third signature code;
In this embodiment, the first node signs the third encrypted data with the first private key (that is, following the private-key signature principle, the third encrypted data is encrypted with the first private key) to obtain the third signature code.
Step S140, the miner node obtains the third signature code and verifies it with the first public key; when verification of the third signature code passes, the miner node publishes the third encrypted data to the blockchain and deletes the second encrypted data.
In this embodiment, after the first node generates the third signature code, it broadcasts task three to the miner nodes on the blockchain. The miner node that picks up task three verifies (that is, decrypts) the third signature code with the first public key (stored on the blockchain). When verification passes (that is, decryption completes), the third encrypted data is obtained; the miner node then publishes the third encrypted data to the blockchain and deletes the second encrypted data at the same time. At this point user B does not know the new symmetric key and therefore cannot read the third encrypted data. In other words, user B's permission to view the data has been withdrawn.
Further, in an embodiment of the authorization management method of the present application, after step S70, the method further includes:
Step S150: the first node generates a deletion request for deleting the second public key and signs the deletion request with the first private key to obtain a fourth signature code;
In this embodiment, with reference to steps S50 to S100 above, only after the public key (the second public key in this embodiment) of the authorized party (user B in this embodiment) has been stored in the authorization list through steps S50 to S70 will modifications to the original data made by user B's terminal (the second node) be accepted (that is, published to the blockchain).
In this embodiment, after user B's public key has been added to the authorization list (that is, user B has been granted permission to modify the original data), if user A wants to withdraw the authorization granted to user B, the first node is controlled to generate a deletion request for the second public key and to sign the deletion request with the first private key (that is, following the private-key signature principle, the deletion request is encrypted with the first private key), obtaining the fourth signature code.
Step S160: the miner node obtains the fourth signature code and verifies it with the first public key;
Step S170: when verification of the fourth signature code passes, the miner node deletes the second public key from the authorization list.
In this embodiment, after generating the fourth signature code, the first node broadcasts task four to the miner nodes on the blockchain. The miner node that picks up task four verifies (that is, decrypts) the fourth signature code with the first public key; when verification passes (that is, decryption succeeds), it obtains the deletion request and executes it as specified, deleting the second public key from the authorization list. Because the second public key is then no longer in the authorization list, user B no longer has permission to modify the data.
Further, in an embodiment of the authorization management method of the present application, after step S70, the method further includes:
The first node tracks how long the second public key has existed in the authorization list;
When the duration of existence is detected to be greater than a preset threshold, steps S150 to S170 are executed.
In this embodiment, a preset threshold can be set in advance, for example one month. Timing starts when a public key is added to the authorization list; when a public key has been in the authorization list for more than one month, steps S150 to S170 are executed automatically (that is, the public key is deleted from the authorization list).
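Steps S150 to S170 and the expiry rule above, together with the miner's check of a second signature code against the authorization list, as an added example that is not part of the patent text. It assumes Ed25519 signatures, 30 days for the one-month threshold, and a request layout of operation tag, sequence number and subject key (the page defines no format; the sequence number is added so a miner can refuse a re-submitted older request); all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// request is the byte string the owner signs. Its layout (operation tag,
// sequence number, subject key) is an assumption; the page gives no format.
func request(op string, seq uint64, subject ed25519.PublicKey) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], seq)
	return append(append([]byte(op+"|"), n[:]...), subject...)
}

// Miner holds the first public key, the authorization list and the chain.
type Miner struct {
	ownerPub ed25519.PublicKey
	lastSeq  uint64               // highest owner sequence number accepted
	list     map[string]time.Time // authorized public key -> time added
	Chain    [][]byte             // published encrypted data
}

// Apply verifies an owner-signed request, then edits the authorization list:
// "grant" adds the subject key, "delete" removes it (steps S160 and S170).
func (m *Miner) Apply(op string, seq uint64, subject ed25519.PublicKey, sig []byte, now time.Time) error {
	switch {
	case op != "grant" && op != "delete":
		return errors.New("unknown operation")
	case len(subject) != ed25519.PublicKeySize:
		return errors.New("malformed public key")
	case seq <= m.lastSeq:
		return errors.New("stale or replayed request")
	case !ed25519.Verify(m.ownerPub, request(op, seq, subject), sig):
		return errors.New("signature code rejected")
	}
	m.lastSeq = seq
	if op == "grant" {
		m.list[string(subject)] = now
	} else {
		delete(m.list, string(subject))
	}
	return nil
}

// Publish tries each listed key in turn against the second signature code.
func (m *Miner) Publish(encrypted, sig []byte) bool {
	for k := range m.list {
		if ed25519.Verify(ed25519.PublicKey(k), encrypted, sig) {
			m.Chain = append(m.Chain, encrypted)
			return true
		}
	}
	return false
}

// Expired lists keys that have been on the list longer than the threshold.
func (m *Miner) Expired(now time.Time, threshold time.Duration) []ed25519.PublicKey {
	var out []ed25519.PublicKey
	for k, added := range m.list {
		if now.Sub(added) > threshold {
			out = append(out, ed25519.PublicKey(k))
		}
	}
	return out
}

// demo runs grant, update, expiry and deletion on constructed values.
func demo() (before, after, replayRefused bool, expired int) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil)
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	m := &Miner{ownerPub: ownerPub, list: map[string]time.Time{}}
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp
	seq := uint64(1)
	grantSig := ed25519.Sign(ownerPriv, request("grant", seq, bPub))
	if err := m.Apply("grant", seq, bPub, grantSig, t0); err != nil {
		panic(err)
	}
	update := []byte("second encrypted data (constructed)")
	updateSig := ed25519.Sign(bPriv, update)
	before = m.Publish(update, updateSig)
	// First node's timer: 31 days on the list against a 30-day threshold.
	later := t0.Add(31 * 24 * time.Hour)
	for _, key := range m.Expired(later, 30*24*time.Hour) {
		seq, expired = seq+1, expired+1
		sig := ed25519.Sign(ownerPriv, request("delete", seq, key))
		if err := m.Apply("delete", seq, key, sig, later); err != nil {
			panic(err)
		}
	}
	after = m.Publish(update, updateSig)
	replayRefused = m.Apply("grant", 1, bPub, grantSig, later) != nil
	return
}

func main() { fmt.Println(demo()) }
```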
Referring to FIG. 4, FIG. 4 is a schematic diagram of the functional modules of the first embodiment of the authorization management system of the present application.
In the first embodiment of the authorization management system of the present application, the authorization management system is applied to a blockchain and includes a first node, a second node and a miner node.
The first node 10 includes:
a first signature module 101, configured to sign the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
The miner node 20 includes:
a first signature verification module 201, configured to obtain the first signature code and verify it with the first public key of the data owner;
an authorization adding module 202, configured to add the second public key to the authorization list when verification of the first signature code passes;
The second node 30 includes:
a second signature module 301, configured to modify and encrypt the original data to obtain second encrypted data, and to sign the second encrypted data with the second private key of the authorized user to obtain a second signature code;
The miner node 20 further includes:
a second signature verification module 203, configured to obtain the second signature code and verify it based on the authorization list;
a publishing module 204, configured to publish the second encrypted data to the blockchain when verification of the second signature code passes.
In this embodiment, the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code; the miner node obtains the first signature code and verifies it with the first public key of the data owner; when verification of the first signature code passes, the miner node adds the second public key to the authorization list; the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code; the miner node obtains the second signature code and verifies it based on the authorization list; when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain. With this embodiment, the data owner grants the authorized party permission to modify the data without handing the private key to the authorized party, so the data owner always retains absolute control over the data, which improves data security.
In addition, an embodiment of the present application further provides a computer-readable storage medium, which may be volatile or non-volatile; the present application does not specifically limit this. An authorization management program is stored on the computer-readable storage medium, and when executed by a processor the authorization management program implements the steps of the embodiments of the authorization management method described above.
The specific embodiments of the computer-readable storage medium of the present application are substantially the same as the embodiments of the authorization management method described above and are not repeated here.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not thereby limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present application.
Claims (20)
- An authorization management method, applied to a blockchain-based authorization management system that comprises a first node, a second node and a miner node, the authorization management method comprising the following steps:
  - the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
  - the miner node obtains the first signature code and verifies it with the first public key of the data owner;
  - when verification of the first signature code passes, the miner node adds the second public key to an authorization list;
  - the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
  - the miner node obtains the second signature code and verifies it based on the authorization list;
  - when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain.
- The authorization management method according to claim 1, further comprising, before the step in which the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code:
  - the first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain first encrypted data;
  - the miner node publishes the first public key and the first encrypted data to the blockchain;
  - the second node obtains the first encrypted data from the blockchain and decrypts it with the symmetric key to obtain the original data;
  - the second node generates a second public key and a second private key, and sends the second public key to the first node.
- The authorization management method according to claim 2, wherein the step in which the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code, comprises:
  - the second node modifies the original data to obtain second data, and encrypts the second data with the symmetric key to obtain the second encrypted data;
  - the second node signs the second encrypted data with the second private key to obtain the second signature code.
- The authorization management method according to claim 3, wherein the step in which the miner node obtains the second signature code and verifies it based on the authorization list comprises:
  - the miner node obtains the second signature code and obtains the public keys already added from the authorization list;
  - the second signature code is verified with each of the added public keys in turn.
- The authorization management method according to claim 1, further comprising, after the step in which the miner node publishes the second encrypted data to the blockchain when verification of the second signature code passes:
  - the first node decrypts the second encrypted data with the symmetric key to obtain second data;
  - the first node generates a new symmetric key and encrypts the second data with the new symmetric key to obtain third encrypted data;
  - the first node signs the third encrypted data with the first private key to obtain a third signature code;
  - the miner node obtains the third signature code and verifies it with the first public key;
  - when verification of the third signature code passes, the miner node publishes the third encrypted data to the blockchain and deletes the second encrypted data.
- The authorization management method according to claim 1, further comprising, after the step in which the miner node adds the second public key to the authorization list when verification of the first signature code passes:
  - the first node generates a deletion request for the second public key and signs the deletion request with the first private key to obtain a fourth signature code;
  - the miner node obtains the fourth signature code and verifies it with the first public key;
  - when verification of the fourth signature code passes, the miner node deletes the second public key from the authorization list.
- The authorization management method according to claim 6, further comprising, after the step in which the miner node adds the second public key to the authorization list when verification of the first signature code passes:
  - the first node tracks how long the second public key has existed in the authorization list;
  - when the duration of existence is detected to be greater than a preset threshold, the step in which the first node generates a deletion request for the second public key and signs the deletion request with the first private key to obtain the fourth signature code is executed.
- An authorization management system, applied to a blockchain, the authorization management system comprising a first node, a second node and a miner node, wherein:
  - the first node comprises:
    - a first signature module, configured to sign the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
  - the miner node comprises:
    - a first signature verification module, configured to obtain the first signature code and verify it with the first public key of the data owner;
    - an authorization adding module, configured to add the second public key to an authorization list when verification of the first signature code passes;
  - the second node comprises:
    - a second signature module, configured to modify and encrypt the original data to obtain second encrypted data, and to sign the second encrypted data with the second private key of the authorized user to obtain a second signature code;
  - the miner node further comprises:
    - a second signature verification module, configured to obtain the second signature code and verify it based on the authorization list;
    - a publishing module, configured to publish the second encrypted data to the blockchain when verification of the second signature code passes.
- The authorization management system according to claim 8, wherein:
  - the first node further comprises:
    - a first encryption module, configured to generate a first public key and a first private key, and to encrypt the original data with a symmetric key to obtain first encrypted data;
  - the publishing module is further configured to publish the first public key and the first encrypted data to the blockchain;
  - the second node further comprises:
    - a second decryption module, configured to obtain the first encrypted data from the blockchain and decrypt it with the symmetric key to obtain the original data;
    - a sending module, configured to generate a second public key and a second private key, and to send the second public key to the first node.
- The authorization management system according to claim 9, wherein the second signature module comprises:
  - a second encryption unit, configured to modify the original data to obtain second data, and to encrypt the second data with the symmetric key to obtain the second encrypted data;
  - a second signature unit, configured to sign the second encrypted data with the second private key to obtain the second signature code.
- The authorization management system according to claim 10, wherein the second signature verification module comprises:
  - a second obtaining unit, configured to obtain the second signature code and to obtain the public keys already added from the authorization list;
  - a second signature verification unit, configured to verify the second signature code with each of the added public keys in turn.
- The authorization management system according to claim 8, wherein:
  - the first node further comprises:
    - a first decryption module, configured to decrypt the second encrypted data with the symmetric key to obtain second data;
  - the first encryption module is further configured to generate a new symmetric key and to encrypt the second data with the new symmetric key to obtain third encrypted data;
  - the first signature unit is further configured to sign the third encrypted data with the first private key to obtain a third signature code;
  - the miner node further comprises:
    - a third signature verification module, configured to obtain the third signature code and verify it with the first public key;
    - a viewing-permission revocation module, further configured to publish the third encrypted data to the blockchain and delete the second encrypted data when verification of the third signature code passes.
- The authorization management system according to claim 8, wherein:
  - the first signature unit is further configured to generate a deletion request for the second public key and to sign the deletion request with the first private key to obtain a fourth signature code;
  - the miner node further comprises:
    - a fourth signature verification module, configured to obtain the fourth signature code and verify it with the first public key;
    - a modification-permission revocation module, configured to delete the second public key from the authorization list when verification of the fourth signature code passes.
- The authorization management system according to claim 13, wherein the first node further comprises:
  - a timing module, configured to track how long the second public key has existed in the authorization list;
  - a trigger module, configured to execute, when the duration of existence is detected to be greater than a preset threshold, the step of generating a deletion request for the second public key and signing the deletion request with the first private key to obtain the fourth signature code.
- An authorization management device, comprising a memory, a processor, and an authorization management program stored in the memory and executable on the processor, wherein the authorization management program, when executed by the processor, implements the following steps of the authorization management method:
  - the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
  - the miner node obtains the first signature code and verifies it with the first public key of the data owner;
  - when verification of the first signature code passes, the miner node adds the second public key to an authorization list;
  - the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
  - the miner node obtains the second signature code and verifies it based on the authorization list;
  - when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain.
- The authorization management device according to claim 15, wherein, when the authorization management program is executed by the processor, the following steps are also performed before the step in which the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code:
  - the first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain first encrypted data;
  - the miner node publishes the first public key and the first encrypted data to the blockchain;
  - the second node obtains the first encrypted data from the blockchain and decrypts it with the symmetric key to obtain the original data;
  - the second node generates a second public key and a second private key, and sends the second public key to the first node.
- The authorization management device according to claim 16, wherein, when the authorization management program is executed by the processor to perform the step in which the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code, the following steps are also performed:
  - the second node modifies the original data to obtain second data, and encrypts the second data with the symmetric key to obtain the second encrypted data;
  - the second node signs the second encrypted data with the second private key to obtain the second signature code.
- A computer-readable storage medium on which an authorization management program is stored, wherein the authorization management program, when executed by a processor, implements the following steps of the authorization management method:
  - the first node signs the second public key of the authorized user with the first private key of the data owner to obtain a first signature code;
  - the miner node obtains the first signature code and verifies it with the first public key of the data owner;
  - when verification of the first signature code passes, the miner node adds the second public key to an authorization list;
  - the second node modifies and encrypts the original data to obtain second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain a second signature code;
  - the miner node obtains the second signature code and verifies it based on the authorization list;
  - when verification of the second signature code passes, the miner node publishes the second encrypted data to the blockchain.
- The computer-readable storage medium according to claim 18, wherein, when the authorization management program is executed by the processor, the following steps are also performed before the step in which the first node signs the second public key of the authorized user with the first private key of the data owner to obtain the first signature code:
  - the first node generates a first public key and a first private key, and encrypts the original data with a symmetric key to obtain first encrypted data;
  - the miner node publishes the first public key and the first encrypted data to the blockchain;
  - the second node obtains the first encrypted data from the blockchain and decrypts it with the symmetric key to obtain the original data;
  - the second node generates a second public key and a second private key, and sends the second public key to the first node.
- The computer-readable storage medium according to claim 19, wherein, when the authorization management program is executed by the processor to perform the step in which the second node modifies and encrypts the original data to obtain the second encrypted data, and signs the second encrypted data with the second private key of the authorized user to obtain the second signature code, the following steps are also performed:
  - the second node modifies the original data to obtain second data, and encrypts the second data with the symmetric key to obtain the second encrypted data;
  - the second node signs the second encrypted data with the second private key to obtain the second signature code.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910541123.9A CN110311787B (en) | 2019-06-21 | 2019-06-21 | Authorization management method, system, device and computer readable storage medium |
CN201910541123.9 | 2019-06-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020253105A1 (en) | 2020-12-24 |
Family ID=68077046
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/120831 WO2020253105A1 (en) | 2019-06-21 | 2019-11-26 | Authorization management method, system, apparatus, and computer readable storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110311787B (en) |
WO (1) | WO2020253105A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113098879A (en) * | 2021-04-06 | 2021-07-09 | 北京众享比特科技有限公司 | Method, system and block chain network for preventing back end from tampering uplink data |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110311787B (en) * | 2019-06-21 | 2022-04-12 | 深圳壹账通智能科技有限公司 | Authorization management method, system, device and computer readable storage medium |
CN110851813B (en) * | 2019-11-11 | 2021-01-26 | 北京海益同展信息科技有限公司 | Identity verification method, node device of block chain system and block chain system |
CN113381859B (en) * | 2020-03-10 | 2024-02-20 | 本无链科技(深圳)有限公司 | Process mutual sign communication method and system for block chain |
CN111783060B (en) * | 2020-06-04 | 2021-03-30 | 北京海泰方圆科技股份有限公司 | Electronic certificate distribution control method and device, electronic equipment and storage medium |
CN111884805B (en) * | 2020-06-24 | 2023-08-01 | 易联众信息技术股份有限公司 | Data hosting method and system based on blockchain and distributed identity |
CN112199694A (en) * | 2020-09-30 | 2021-01-08 | 杭州云链趣链数字科技有限公司 | Standardized bill processing method and device, electronic device and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018022891A1 (en) * | 2016-07-29 | 2018-02-01 | Magic Leap, Inc. | Secure exchange of cryptographically signed records |
CN108537498A (en) * | 2018-03-15 | 2018-09-14 | 上海卓辰信息科技有限公司 | Interorganizational project management method, system, equipment and medium based on block chain |
CN108923908A (en) * | 2018-06-25 | 2018-11-30 | 百度在线网络技术(北京)有限公司 | authorization processing method, device, equipment and storage medium |
CN109787771A (en) * | 2019-01-02 | 2019-05-21 | 浙江师范大学 | A kind of identification authorization method and system based on block chain |
CN110311787A (en) * | 2019-06-21 | 2019-10-08 | 深圳壹账通智能科技有限公司 | Authorization management method, system, equipment and computer readable storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106301794B (en) * | 2016-10-17 | 2019-04-05 | 特斯联(北京)科技有限公司 | The method and system of authorization identifying are carried out using block chain |
CN109218291B (en) * | 2018-08-14 | 2021-02-09 | 深圳高灯计算机科技有限公司 | Data transfer method, system and related equipment based on block chain |
CN109617703B (en) * | 2019-01-31 | 2022-07-05 | 北京深思数盾科技股份有限公司 | Key management method and device, electronic equipment and storage medium |
GB2575896B (en) * | 2019-04-15 | 2021-01-06 | Thales Holdings Uk Plc | Methods and systems for validating data in a distributed computing network |
2019
- 2019-06-21: CN application CN201910541123.9A, published as CN110311787B, status: Active
- 2019-11-26: WO application PCT/CN2019/120831, published as WO2020253105A1, status: Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110311787B (en) | 2022-04-12 |
CN110311787A (en) | 2019-10-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020253105A1 (en) | Authorization management method, system, apparatus, and computer readable storage medium | |
CN108768988B (en) | Block chain access control method, block chain access control equipment and computer readable storage medium | |
US11196729B2 (en) | Methods and systems for distributing encrypted cryptographic data | |
US8856530B2 (en) | Data storage incorporating cryptographically enhanced data protection | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
JP4981921B2 (en) | Method and apparatus for license creation in a mobile digital rights management network | |
CN107579958B (en) | Data management method, device and system | |
US8719956B2 (en) | Method and apparatus for sharing licenses between secure removable media | |
CN109587101B (en) | Digital certificate management method, device and storage medium | |
US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
US20140096213A1 (en) | Method and system for distributed credential usage for android based and other restricted environment devices | |
CN105103119A (en) | Data security service | |
CN103246850A (en) | Method and device for processing file | |
US20150143107A1 (en) | Data security tools for shared data | |
US11962684B2 (en) | System and method for registering a user | |
CN105122265A (en) | Data security service system | |
WO2020062667A1 (en) | Data asset management method, data asset management device and computer readable medium | |
US11943345B2 (en) | Key management method and related device | |
US11258601B1 (en) | Systems and methods for distributed digital rights management with decentralized key management | |
JP5485452B1 (en) | Key management system, key management method, user terminal, key generation management device, and program | |
JP2014022920A (en) | Electronic signature system, electronic signature method, and electronic signature program | |
US9754118B2 (en) | Performing an operation on a data storage | |
CN111382451A (en) | Security level identification method and device, electronic equipment and storage medium | |
JP4981821B2 (en) | Method and device for roaming and using DRM content on a device | |
KR20230079192A (en) | Exclusive Self Escrow Methods and Devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19934221; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19934221; Country of ref document: EP; Kind code of ref document: A1 |