WO2021098152A1 - Blockchain-based data processing method, device, and computer apparatus - Google Patents

Blockchain-based data processing method, device, and computer apparatus Download PDF

Info

Publication number
WO2021098152A1
WO2021098152A1 PCT/CN2020/087739 CN2020087739W WO2021098152A1 WO 2021098152 A1 WO2021098152 A1 WO 2021098152A1 CN 2020087739 W CN2020087739 W CN 2020087739W WO 2021098152 A1 WO2021098152 A1 WO 2021098152A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
sub
supervisory
key
node
Prior art date
Application number
PCT/CN2020/087739
Other languages
French (fr)
Chinese (zh)
Inventor
赖骏
王梦寒
高建欣
Original Assignee
深圳壹账通智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳壹账通智能科技有限公司 filed Critical 深圳壹账通智能科技有限公司
Publication of WO2021098152A1 publication Critical patent/WO2021098152A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Definitions

  • This application relates to the field of blockchain, and in particular to a data processing method, device and computer equipment based on blockchain.
  • the data uploaded by the data provider needs to be monitored by the data supervisor.
  • the authorization key is adopted for the data that needs to be obtained, and the supervisor can view the encrypted data corresponding to the key on the chain after obtaining the key.
  • the entire piece of business data must be authorized to the supervisor at the same time, which ensures the overall security and independence of each piece of encrypted data.
  • the inventor realized that in the case where there are multiple supervisors and each supervisor has different supervisory authority, if you want different supervisors to supervise different content in the same piece of business data, for example, in the same piece of business data
  • the same piece of business data must be split and sent to the blockchain, and because these multiple pieces of data belong to the same piece of business data and are related to each other, and they need to be managed after being split.
  • the relationship between data, such an operation is more complicated, which brings a lot of trouble to the encrypted data processing of the business side, and reduces the flexibility of encrypted data processing.
  • the embodiments of the present application provide a blockchain-based data processing method, device, storage medium, and computer equipment, which are used to solve the problem of low flexibility in encrypted data processing in the prior art.
  • the embodiments of the present application provide a data processing method based on a blockchain.
  • the blockchain includes a first-level node and a second-level node, and both the data monitoring end and the data providing end are configured with corresponding first-level nodes And a secondary node, wherein the secondary node corresponding to the data supervisory terminal is used to establish a connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider uses To establish a connection between the data provider and its corresponding first-level node; the method is applied to the data provider, and the method includes:
  • the first subkey corresponding to the first subdata among the plurality of subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can use all
  • the first subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory end.
  • an embodiment of the present application provides a block chain-based data encryption device, including:
  • the blockchain includes a first-level node and a second-level node.
  • the data monitoring end and the data providing end are both configured with corresponding first-level nodes and second-level nodes, wherein the second-level node corresponding to the data monitoring end is used to establish The connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider is used to establish a connection between the data provider and its corresponding primary node;
  • the data encryption device is applied to the data provider, and the data encryption device includes:
  • the dividing module is used to obtain original data and divide the original data into multiple sub-data
  • the first generating module is configured to generate a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
  • a second generation module configured to use the plurality of subkeys to respectively encrypt each subdata in the plurality of subdata, and generate a plurality of ciphertexts corresponding to the plurality of subdata in a one-to-one manner;
  • the first sending module is configured to send the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
  • the determining module is used to determine whether the data monitoring terminal has the monitoring authority of all the sub-data, and if not, determining the first sub-data for which the data monitoring terminal has the monitoring authority among the plurality of sub-data;
  • the second sending module is configured to send the first subkey corresponding to the first subdata among the plurality of subkeys to the secondary node corresponding to the data supervisory end, so that the data supervisory end corresponds to
  • the secondary node of can use the first subkey to decrypt the ciphertext corresponding to the first subdata to obtain the plaintext and return the plaintext to the data supervisory end.
  • an embodiment of the present application provides a storage medium, the storage medium includes a stored program, wherein the device where the storage medium is located is controlled to execute the above method when the program is running.
  • an embodiment of the present application provides a computer device, including a memory and a processor, the memory is used to store information including program instructions, the processor is used to control the execution of the program instructions, and the program instructions are processed.
  • the above method is implemented when the processor is loaded and executed.
  • this application sets up the second-level node to connect the first-level node with the data supervisory end and the data provider, so that the data supervisory end and the data provider only need to connect to the blockchain through the node.
  • This connection method reduces the data supervisory end. The difficulty of docking the blockchain transformation corresponding to the data provider, saving implementation time and manpower.
  • the data monitoring terminal and the data provider are not directly connected to the first-level nodes of the blockchain, which can further ensure the first-level nodes The security of the data stored inside.
  • Figure 1 is a flowchart of a blockchain-based data processing method provided by an embodiment of the application
  • FIG. 2 is a schematic block diagram of a data encryption device provided by an embodiment of the application.
  • Fig. 3 is a schematic block diagram of a computer device provided by an embodiment of the application.
  • the embodiment of the application provides a data processing method based on a blockchain, wherein the blockchain includes a first-level node and a second-level node, and the data monitoring end and the data providing end are both configured with corresponding first-level nodes and second-level nodes. Nodes, where the secondary node configured by the data supervisory terminal is used to establish the connection between the data supervisory terminal and its configured primary node, and the secondary node configured by the data provider terminal is used to establish the data provider and its configured primary node The connection between the first-level nodes.
  • the blockchain in the implementation of this application can specifically refer to a P2P network system with a distributed data storage structure reached by each node through a consensus mechanism.
  • the data in the blockchain is distributed in time-connected “blocks”. Within (block)”, the next block contains the data summary of the previous block, and according to the specific consensus mechanism (such as POW, POS, DPOS, or PBFT, etc.), a full backup of all or part of the node data is achieved.
  • the specific consensus mechanism such as POW, POS, DPOS, or PBFT, etc.
  • the primary node of the blockchain in the embodiment of the application is an electronic device that stores data on the blockchain, such as a tablet computer, a personal computer (PC) or other smart devices, etc., the second of the blockchain
  • the level node is a server or terminal used to establish the connection between the data supervisory end/data provider and the level one node and to store the key.
  • the data supervision terminal in the embodiment of this application is the terminal where the institution performing supervision duties in the information supervision is located.
  • the data provider of the embodiment provided in this solution can be the supervised terminal in the information supervision or the supervised terminal.
  • Other terminals that have a data connection to the terminal such as a smart phone, a tablet, a personal computer (PC) or other smart devices, etc., and the "information" provided by the data provider is the object information data to be supervised.
  • each data supervisory terminal or data provider connected to the blockchain is configured with a corresponding independent secondary node.
  • Each data supervisory end or data provider connected to the blockchain can be configured with an independent first-level node, or multiple data supervisory end or data provider can share one node.
  • the central Ministry of Finance system Public-Private-Partnership, PPP
  • the provincial Ministry of Finance system are the data supervision end, and each social capital party, financial institution, project company, intermediary institution, and shareholder system are different Data provider.
  • the blockchain also includes a management node, and the management node of the blockchain will manage each secondary node through the CA digital certificate to verify its legitimacy.
  • the legality of the CA digital certificate of the secondary node will be verified. If it is legal, the connection between the secondary node and the primary node will be established, and the connection will no longer be correct during the time the connection is maintained.
  • the CA digital certificate is verified. If the secondary node disconnects from the primary node, it needs to verify the validity of the CA digital certificate when requesting the connection again.
  • the CA digital certificate has a certificate (including a public key) and a private key, and the secondary node corresponding to the CA digital certificate is trusted by verifying the signature of the CA digital certificate.
  • the data processing method takes the data provider as the execution subject, and the data processing method includes:
  • Step S01 Obtain original data, and divide the original data into multiple sub-data.
  • Step S02 Generate multiple sub-keys corresponding to multiple sub-data one-to-one.
  • Step S03 Encrypt each sub-data in the multiple sub-data by using multiple sub-keys to generate multiple ciphertexts corresponding to the multiple sub-data one-to-one.
  • Step S04 Send multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node, so that each first-level node saves the ciphertext.
  • Step S05 Determine whether the data supervisory terminal has supervisory authority for all sub-data. If the data supervisory end does not have supervisory authority for all sub-data, then the first sub-data is determined in the sub-data. The first sub-data is that the data supervisory end has supervisory authority Permission data;
  • Step S06 Send the first subkey corresponding to the first subdata among the multiple subkeys to the secondary node corresponding to the data supervisory terminal, so that the secondary node corresponding to the data supervisory terminal can use the first subkey pair
  • the ciphertext corresponding to the first sub-data is decrypted to obtain the plaintext and return the plaintext to the data supervisory end.
  • the embodiment of the present application divides the original data into different sub-data according to preset rules, and then generates multiple sub-keys, and uses the sub-keys to encrypt multiple sub-data, so as to realize one piece of data. Separately encrypt multiple sub-data of the original data, so that multiple sub-data of the same piece of business data can be decrypted separately using the corresponding sub-key, and further realize separate access to different sub-data of the same piece of business data.
  • the supervisor In the same piece of business data, if the supervisor only wants to access part of the content and must split the data into a separate processing method, it can greatly improve the efficiency of encrypted data processing and the convenience of access.
  • this application sets up the second-level node to connect the first-level node with the data supervisory end and the data provider, so that the data supervisory end and the data provider only need to connect to the blockchain through the node.
  • This connection method reduces the data supervisory end. The difficulty of docking the blockchain transformation corresponding to the data provider, saving implementation time and manpower.
  • the data monitoring terminal and the data provider are not directly connected to the first-level nodes of the blockchain, which can further ensure the first-level nodes The security of the data stored inside.
  • step S01 obtain original data, and divide the original data into multiple sub-data.
  • the original data includes, but is not limited to, data generated during the project process such as project name, project type, project amount, project feasibility report, environmental impact assessment report, value for money assessment report, etc.
  • step S01 dividing the original data into multiple sub-data, which may specifically include:
  • Step S011 Determine whether the original data is in JSON format
  • Step S012 If not, convert the original data into JSON format
  • Step S013 Use each key-value pair in the converted original data in the JSON format as a sub-data to divide the original data into multiple sub-data.
  • the original data can be split into different parts according to the key-value pairs in the JSON format to obtain different sub-data, that is, each key-value pair in the JSON format is used as a sub-data. data.
  • the original data is not in JSON format, the original data is converted into a key-value pair format, that is, the object in the original data is used as the Key, and the value or attribute of the object is used as the Value.
  • the Key value is the index in the array
  • the Value is the value corresponding to the array.
  • each key-value pair is used as a sub-data, and the data to be encrypted is divided into multiple sub-data to further realize the flexible authorization of the data corresponding to the sub-data by encrypting different sub-data .
  • the way to divide the sub-data can be based on the attributes of the data. For example, the data of the same business attribute is in JSON format, and each key-value pair (that is, a key-value pair) of JSON is used as a sub-data (in English) For Field).
  • sub-data refers to the data range that is encrypted with a key for independent authorization.
  • the two columns of item name and unit price can each be a sub-data.
  • JSON English is JavaScript Object Notation
  • JS Object Notation is a lightweight data exchange format
  • the writing format of JSON data is: name/value pair.
  • step S02 multiple subkeys corresponding to the multiple subdata one-to-one are generated.
  • step S02: generating multiple sub-keys corresponding to multiple sub-data in one-to-one correspondence may specifically include:
  • Step S021 Generate the root key, initial parameters and agreed step value corresponding to the original data
  • the initial parameter can be a random number with a fixed length generated instantly by the random number generator inside the data provider, such as 342.
  • the initial parameter and the agreed step value can be preset or instantaneous like the initial parameter. generate.
  • Step S022 Based on the preset sub-key derivation mechanism, perform iterative operations on the root key, the initial parameters, and the agreed step value to generate multiple sub-keys corresponding to multiple sub-data one-to-one.
  • the process of performing iterative operations on the root key, initial parameters, and agreed step value to generate multiple sub-keys corresponding to multiple sub-data is specifically: combining the root key and The initial parameters are substituted into the preset first function to obtain the first subkey.
  • the initial parameters and the agreed step value are added together to obtain the first variable; then the root key and the first variable are substituted into In the preset first function, the second subkey is obtained, and the first variable and the agreed step value are added together to obtain the second variable; then the root key and the second variable are substituted into the preset In the first function, the third subkey is obtained, and so on, until a preset number of subkeys are generated.
  • step S021: generating a root key corresponding to the original data may specifically include:
  • Step S0211 Obtain the password entered by the user and generate a random number
  • the password can be obtained by the user pressing or clicking on the touchable display screen, or inputting through the physical keyboard, and the random number is generated by the random number generating unit inside the data provider.
  • the password entered by the user may be obtained first, and then the random number is generated, or the random number is generated first, and then the password entered by the user is obtained, which is not limited in this application.
  • Step S0212 randomly select a first preset algorithm from a plurality of preset algorithms, and calculate a password and a random number based on the first preset algorithm to obtain a root key, wherein each of the plurality of preset algorithms is preset The algorithm corresponds to a unique algorithm identifier;
  • Multiple preset algorithms may include, but are not limited to, KDF (Key Derivation Function, key derivation algorithm) algorithm, bcrypt encryption algorithm, Blowfish algorithm, DES algorithm, DESede algorithm, HmacMD5 algorithm, or HmacSHA1 algorithm.
  • KDF Key Derivation Function, key derivation algorithm
  • bcrypt encryption algorithm Blowfish algorithm
  • DES algorithm DESede algorithm
  • HmacMD5 algorithm HmacMD5 algorithm
  • HmacSHA1 algorithm HmacSHA1 algorithm.
  • Each algorithm corresponds to a unique algorithm.
  • the algorithm ID of the algorithm such as 1, 2, 3, etc., uses the password and random number input by the user as the input data of the preset algorithm, and then obtains the root key.
  • Step S0213 Store the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
  • the data provider after the data provider sends the generated subkey to the corresponding data supervisory end with supervisory authority, the data provider also deletes the calculated first root key.
  • the data provider When the data provider itself needs to query one or more sub-data in the original data, the data provider obtains the ciphertext corresponding to the sub-data that needs to be queried from its configured secondary node, and then decrypts it.
  • the decryption process includes: generation Prompt information to prompt the user to enter the corresponding password.
  • the password is the password the user entered when uploading the corresponding original data.
  • the stored algorithm identifier corresponding to the first preset algorithm it is determined that the first preset algorithm is determined in the plurality of preset algorithms. Set the algorithm, and then use the password input by the user and the stored random number as the input data of the first preset algorithm to obtain the root key, and then obtain the corresponding subkey through the root key operation, and then decrypt it by the subkey. Get the corresponding plaintext, that is, the sub-data.
  • this application does not directly store the root key, but instead stores the parameters (such as random numbers) and algorithm identifications for generating the root key, which will greatly improve the security of the entire system. Attackers cannot steal the root key, and cannot crack other keys in the entire key system. At the same time, the secondary node generated by the data provider cannot store all the sub-keys and other information, which can reduce the use of storage space. In addition, this application increases the flexibility and security of generating the root key by using the user's input password as the root key generation parameter.
  • step S03 each sub-data in the multiple sub-data is respectively encrypted with multiple sub-keys to generate multiple ciphertexts corresponding to the multiple sub-data one-to-one.
  • Key1 can be used to encrypt the project name, so Key1 can be used to access the project name separately; Key2 is used to encrypt the project amount Therefore, Key2 can be used to access the project amount separately, and Key3 can be used to encrypt the company name. Therefore, Key3 can be used to access the company name individually, so that different sub-data can be respectively encrypted with different sub-keys to realize the pairing.
  • Different sub-data of the same piece of business data use separate keys for separate authorization and access.
  • step S04 send multiple ciphertexts to each primary node of the blockchain through the corresponding secondary node, and each primary node of the blockchain saves the ciphertext after receiving the ciphertext.
  • each first-level node saves the ciphertext
  • different indexes will be established for different ciphertexts, so that the data supervisory end and the data provider can both query the corresponding ciphertext according to different indexes.
  • step S05 determine whether the data supervisory terminal has supervisory authority for all sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the multiple sub-data.
  • the data monitoring terminal's monitoring authority for the sub-data may be set by the user. For example, after the data provider divides the original data into multiple sub-data, each sub-data is displayed on the display interface for The user views and selects the sub-data to be authorized by each data supervisory terminal.
  • the data processing method further includes: if the data supervisory end has supervisory authority for all sub-data, sending the generated root key, initial parameters, and agreed step value to the data supervisory end, so that the data supervisory end can according to the sub-secret.
  • the key derivation mechanism performs iterative operations on the root key, initial parameters, and agreed step values to obtain the sub-key corresponding to each sub-data and save the sub-key corresponding to each sub-data in its corresponding secondary node, and then Delete the root key, where both the data supervisory terminal and the data provider are configured with algorithms corresponding to the subkey derivation mechanism.
  • the generated root key, initial parameters and agreed step value will be sent to the corresponding secondary node of the data supervisory end, so that the corresponding data supervisory end can be based on The root key, the initial parameters and the agreed step value obtain the sub-key corresponding to each sub-data, thereby obtaining the plaintext of each sub-data.
  • the data provider to send the subkey corresponding to each subdata to the corresponding secondary node of the data supervisory terminal, so as to reduce the data transmission load of the communication network and the storage space usage of each secondary node.
  • step S06 the first subkey corresponding to the first subdata among the multiple subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can adopt the first subkey
  • the key decrypts the ciphertext corresponding to the first sub-data to obtain the plaintext and returns the plaintext to the data supervisory end.
  • the secondary node corresponding to the data supervisory terminal and the secondary node corresponding to the data provider will also provide the data supervisory terminal and the data provider respectively.
  • the specific process for the secondary node corresponding to the data provider to verify the data provider includes: the secondary node corresponding to the data provider determines whether the data provider is within the legal period, and if not, the data provider The end sends a token verification request, and the secondary node corresponding to the data provider receives the token of the data provider and judges whether the token of the data provider is legal.
  • the specific process for the secondary node corresponding to the data monitoring terminal to verify the data monitoring terminal includes: the secondary node corresponding to the data monitoring terminal judges whether the data monitoring terminal is within the legal period, if not, to The data supervisory end sends a token verification request, and the corresponding secondary node of the data supervisory end receives the token (token) of the data supervisory end, and judges whether the token of the data supervisory end is legal, if the token of the data supervisory end is legal , It is determined that the data supervisory terminal has passed the verification.
  • the data provider will send the generated root key, initial parameters and agreed step value to the corresponding secondary node of the data supervisory end, or combine multiple subkeys with The first subkey corresponding to the first subdata is sent to the secondary node configured by the data supervisory end.
  • This application provides a block chain-based data encryption device 1, including:
  • the blockchain includes a first-level node and a second-level node.
  • the data monitoring terminal and the data providing terminal are equipped with corresponding first-level nodes and second-level nodes.
  • the second-level node corresponding to the data monitoring terminal is used to establish the data monitoring terminal and
  • the secondary node corresponding to the data provider is used to establish the connection between the data provider and its corresponding primary node;
  • the data encryption device is applied to the data provider, and the data encryption device 1 includes:
  • the dividing module 11 is used to obtain original data and divide the original data into multiple sub-data;
  • the first generating module 12 is configured to generate a plurality of sub-keys corresponding to a plurality of sub-data in a one-to-one manner;
  • the second generating module 13 is configured to use a plurality of subkeys to respectively encrypt each subdata of the plurality of subdata, and generate a plurality of ciphertexts corresponding to the plurality of subdata one to one;
  • the first sending module 14 is configured to send multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
  • the determining module 15 is used to determine whether the data supervisory terminal has the supervisory authority of all sub-data, if not, determine the first sub-data of the data supervisory end with supervisory authority among the multiple sub-data;
  • the second sending module 16 is configured to send the first subkey corresponding to the first subdata among the plurality of subkeys to the secondary node corresponding to the data supervisory terminal, so that the secondary node corresponding to the data supervisory terminal can adopt the first subkey A subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory terminal.
  • the dividing module 11 includes:
  • the judging unit is used to judge whether the original data is in JSON format
  • the conversion unit is used to convert the original data into the JSON format when the original data is not in the JSON format
  • the dividing unit is used to treat each key-value pair in the converted original data in the JSON format as a sub-data to divide the original data into multiple sub-data.
  • the first generating module 12 includes:
  • the generating unit is used to generate the root key, initial parameters and agreed step value corresponding to the original data
  • the first arithmetic unit is configured to perform iterative operations on the root key, initial parameters, and agreed step values based on a preset sub-key derivation mechanism to generate multiple sub-keys corresponding to multiple sub-data one-to-one.
  • the generating unit includes:
  • the obtaining subunit is used to obtain the password entered by the user and generate a random number
  • the operation subunit is used to randomly select the first preset algorithm from a plurality of preset algorithms, and calculate the password and the random number based on the first preset algorithm to obtain the root key, wherein each of the plurality of preset algorithms Each preset algorithm corresponds to a unique algorithm identifier;
  • the saving subunit is used to save the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
  • the data encryption device 1 further includes: a third sending module, configured to send the generated root key, initial parameters and agreed step value to the data supervisory end when the data supervisory end has supervisory authority for all sub-data , Enabling the data supervisor to perform iterative operations on the root key, initial parameters, and agreed step value according to the sub-key derivation mechanism to obtain the sub-key corresponding to each sub-data, and save each sub-key in its corresponding Within the secondary node.
  • a third sending module configured to send the generated root key, initial parameters and agreed step value to the data supervisory end when the data supervisory end has supervisory authority for all sub-data , Enabling the data supervisor to perform iterative operations on the root key, initial parameters, and agreed step value according to the sub-key derivation mechanism to obtain the sub-key corresponding to each sub-data, and save each sub-key in its corresponding Within the secondary node.
  • the embodiment of the present application provides a storage medium.
  • the storage medium may be non-volatile or volatile.
  • the storage medium includes a stored program, wherein the device where the storage medium is located is controlled to execute the implementation while the program is running. Data processing methods in.
  • an embodiment of the present application provides a computer device.
  • the computer device 50 of this embodiment includes a processor 51, a memory 52, and a computer program 53 stored in the memory 52 and running on the processor 51.
  • the computer program 53 is executed by the processor 51, the blockchain-based data processing method in the embodiment is implemented. In order to avoid repetition, it will not be repeated here.
  • the computer program is executed by the processor 51, the function of each model/unit in the data processing apparatus 1 in the embodiment is realized. In order to avoid repetition, it will not be repeated here.
  • the computer device 50 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the computer device 50 may include but is not limited to a processor 51 and a memory 52.
  • FIG. 3 is only an example of the computer device 50, and does not constitute a limitation on the computer device 50. It may include more or less components than shown, or a combination of certain components, or different components.
  • computer equipment may also include input and output devices, network access devices, buses, and so on.
  • the so-called processor 51 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory 52 may be an internal storage unit of the computer device 50, such as a hard disk or memory of the computer device 50.
  • the memory 52 may also be an external storage device of the computer device 50, such as a plug-in hard disk equipped on the computer device 50, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, and a flash memory card (Flash). Card) and so on.
  • the memory 52 may also include both an internal storage unit of the computer device 50 and an external storage device.
  • the memory 52 is used to store computer programs and other programs and data required by the computer equipment.
  • the memory 52 can also be used to temporarily store data that has been output or will be output.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or may be Integrate into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional units.
  • the above-mentioned integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium.
  • the above-mentioned software functional unit is stored in a storage medium and includes several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (Processor) execute part of the steps of the methods in the various embodiments of the present application .
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks or optical disks and other media that can store program codes. .

Abstract

Embodiments of the present application provide a blockchain-based data processing method, a device, and a computer apparatus. First-level nodes and second-level nodes of a blockchain are deployed at a data supervision end and a data providing end. The method comprises: dividing original data into multiple pieces of subdata; generating multiple sub-keys corresponding to the multiple pieces of sub-data; encrypting, by using the sub-keys, the multiple pieces of sub-data, respectively, and generating multiple ciphertexts; sending to the first-level nodes of the blockchain the ciphertexts; determining whether the data supervision end has supervision permission of all of the pieces of subdata, and if not, determining, from the multiple pieces of subdata, first subdata of which the data supervision end has supervision permission; and sending to a second-level node corresponding to the data supervision end a first sub-key corresponding to the first subdata, such that the second-level node corresponding to the data supervision end is capable of decrypting, by using the first sub-key, a ciphertext corresponding to the first subdata. The method enables dividing original data and independently uploading the divided data to a blockchain, thereby enhancing flexibility of encryption data processing.

Description

基于区块链的数据处理方法、装置及计算机设备Block chain-based data processing method, device and computer equipment
本申请要求于2019年11月21日提交中国专利局、申请号为201911149572.5,发明名称为“基于区块链的数据处理方法、装置及计算机设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on November 21, 2019, the application number is 201911149572.5, and the invention title is "Blockchain-based data processing methods, devices, and computer equipment". The entire content of the application is approved The reference is incorporated in this application.
技术领域Technical field
本申请涉及区块链领域,具体涉及一种基于区块链的数据处理方法、装置及计算机设备。This application relates to the field of blockchain, and in particular to a data processing method, device and computer equipment based on blockchain.
背景技术Background technique
针对设置有监管机制的区块链网络中,数据提供方上传的数据需要受到数据监管方的监控,为了防止自己的敏感数据被区块链中的其它非监管方随意访问,必须将自己的数据加密上链,对需要获取数据采取授权密钥的方式,监管方在拿到密钥后可以查看在链上的密钥对应的加密数据。传统的加密授权方式,必须是整条业务数据同时被授权给监管方,这样保证了每条加密数据的整体安全性和独立性。但在实际业务需求中,发明人意识到针对有多个监管方且每个监管方监管权限不同的情况下,若希望不同监管方在同一条业务数据中监管不同内容,例如同一条业务数据中具有不同属性的内容,就必须将同一条业务数据拆分开来发送到区块链上,并且由于这些多条数据属于同一条业务数据且相互关联,且拆分开来还需要管理这些多条数据之间的关系,这样的操作比较复杂,给业务端的加密数据处理带来了很大的麻烦,降低了加密数据处理的灵活性。For a blockchain network with a supervision mechanism, the data uploaded by the data provider needs to be monitored by the data supervisor. In order to prevent your sensitive data from being randomly accessed by other non-supervisors in the blockchain, you must keep your own data Encrypted on the chain, the authorization key is adopted for the data that needs to be obtained, and the supervisor can view the encrypted data corresponding to the key on the chain after obtaining the key. In the traditional encryption authorization method, the entire piece of business data must be authorized to the supervisor at the same time, which ensures the overall security and independence of each piece of encrypted data. However, in actual business requirements, the inventor realized that in the case where there are multiple supervisors and each supervisor has different supervisory authority, if you want different supervisors to supervise different content in the same piece of business data, for example, in the same piece of business data For content with different attributes, the same piece of business data must be split and sent to the blockchain, and because these multiple pieces of data belong to the same piece of business data and are related to each other, and they need to be managed after being split. The relationship between data, such an operation is more complicated, which brings a lot of trouble to the encrypted data processing of the business side, and reduces the flexibility of encrypted data processing.
发明内容Summary of the invention
本申请实施例提供一种基于区块链的数据处理方法、装置、存储介质及计算机设备,用于解决现有技术中的加密数据处理的灵活性低的问题。The embodiments of the present application provide a blockchain-based data processing method, device, storage medium, and computer equipment, which are used to solve the problem of low flexibility in encrypted data processing in the prior art.
第一方面,本申请实施例提供了一种基于区块链的数据处理方法,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述方法应用于数据提供端,所述方法包括:In the first aspect, the embodiments of the present application provide a data processing method based on a blockchain. The blockchain includes a first-level node and a second-level node, and both the data monitoring end and the data providing end are configured with corresponding first-level nodes And a secondary node, wherein the secondary node corresponding to the data supervisory terminal is used to establish a connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider uses To establish a connection between the data provider and its corresponding first-level node; the method is applied to the data provider, and the method includes:
获取原始数据,将所述原始数据划分为多个子数据;Acquiring original data, and dividing the original data into multiple sub-data;
生成多个与所述多个子数据一一对应的子密钥;Generating a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密, 生成多个与所述多个子数据一一对应的密文;Respectively encrypting each sub-data of the plurality of sub-data by using the plurality of sub-keys to generate a plurality of ciphertexts corresponding to the plurality of sub-data in a one-to-one manner;
通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;Sending the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;Determine whether the data supervisory terminal has supervisory authority for all the sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the plurality of sub-data;
将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The first subkey corresponding to the first subdata among the plurality of subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can use all The first subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory end.
第二方面,本申请实施例提供了一种一种基于区块链的数据加密装置,包括:In the second aspect, an embodiment of the present application provides a block chain-based data encryption device, including:
所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述数据加密装置应用于数据提供端,所述数据加密装置包括:The blockchain includes a first-level node and a second-level node. The data monitoring end and the data providing end are both configured with corresponding first-level nodes and second-level nodes, wherein the second-level node corresponding to the data monitoring end is used to establish The connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider is used to establish a connection between the data provider and its corresponding primary node; The data encryption device is applied to the data provider, and the data encryption device includes:
划分模块,用于获取原始数据,将所述原始数据划分为多个子数据;The dividing module is used to obtain original data and divide the original data into multiple sub-data;
第一生成模块,用于生成多个与所述多个子数据一一对应的子密钥;The first generating module is configured to generate a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
第二生成模块,用于采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密,生成多个与所述多个子数据一一对应的密文;A second generation module, configured to use the plurality of subkeys to respectively encrypt each subdata in the plurality of subdata, and generate a plurality of ciphertexts corresponding to the plurality of subdata in a one-to-one manner;
第一发送模块,用于通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;The first sending module is configured to send the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
确定模块,用于判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;及The determining module is used to determine whether the data monitoring terminal has the monitoring authority of all the sub-data, and if not, determining the first sub-data for which the data monitoring terminal has the monitoring authority among the plurality of sub-data; and
第二发送模块,用于将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The second sending module is configured to send the first subkey corresponding to the first subdata among the plurality of subkeys to the secondary node corresponding to the data supervisory end, so that the data supervisory end corresponds to The secondary node of can use the first subkey to decrypt the ciphertext corresponding to the first subdata to obtain the plaintext and return the plaintext to the data supervisory end.
第三方面,本申请实施例提供了一种存储介质,所述存储介质包括存储的程序,其中,在所述程序运行时控制所述存储介质所在设备执行上述方法。In a third aspect, an embodiment of the present application provides a storage medium, the storage medium includes a stored program, wherein the device where the storage medium is located is controlled to execute the above method when the program is running.
第四方面,本申请实施例提供了一种计算机设备,包括存储器和处理器,所述存储器用于存储包括程序指令的信息,所述处理器用于控制程序指令的执行,所述程序指令被处理器加载并执行时实现上述方法。In a fourth aspect, an embodiment of the present application provides a computer device, including a memory and a processor, the memory is used to store information including program instructions, the processor is used to control the execution of the program instructions, and the program instructions are processed. The above method is implemented when the processor is loaded and executed.
可以理解,本申请实施例通过在实现数据加密时,通过根据预设规则将所述原始数据划分为不同子数据,然后生出多个子密钥,使用所述子密 钥对多个所述子数据进行加密,以实现对一条原始数据的多个子数据进行分开加密,从而实现对同一条业务数据的多个子数据使用对应的子密钥单独解密,进一步实现对同一条业务数据的不同子数据实现单独访问,相对于传统技术,在同一条业务数据中,若仅希望监管端只能访问部分内容的需求而必须将数据进行拆分以单独上链的处理方式,可以大大提高加密数据处理的效率和访问的便捷性。It can be understood that, in the embodiment of the present application, when data encryption is implemented, the original data is divided into different sub-data according to preset rules, and then multiple sub-keys are generated, and the sub-keys are used to pair multiple sub-data. Encryption, to realize separate encryption of multiple sub-data of a piece of original data, so that multiple sub-data of the same piece of business data can be decrypted separately using corresponding sub-keys, and further realize the separate realization of different sub-data of the same piece of business data. Compared with traditional technology, in the same piece of business data, if you only want the supervisor to access only part of the content, you must split the data into a separate processing method on the chain, which can greatly improve the efficiency and efficiency of encrypted data processing. Ease of access.
除此之外,本申请设置二级节点对接一级节点与数据监管端及数据提供端,使得数据监管端及数据提供端仅需要通过节点对接区块链,这种对接方式降低了数据监管端及数据提供端对应的对接区块链的改造难度,节省了实施的时间和人力,同时,数据监管端及数据提供端均不直接与区块链的一级节点对接,能够进一步保证一级节点内保存的数据的安全性。In addition, this application sets up the second-level node to connect the first-level node with the data supervisory end and the data provider, so that the data supervisory end and the data provider only need to connect to the blockchain through the node. This connection method reduces the data supervisory end. The difficulty of docking the blockchain transformation corresponding to the data provider, saving implementation time and manpower. At the same time, the data monitoring terminal and the data provider are not directly connected to the first-level nodes of the blockchain, which can further ensure the first-level nodes The security of the data stored inside.
附图说明Description of the drawings
图1为本申请实施例提供的一种基于区块链的数据处理方法的流程图;Figure 1 is a flowchart of a blockchain-based data processing method provided by an embodiment of the application;
图2为本申请实施例提供的一种数据加密装置的示意框图;2 is a schematic block diagram of a data encryption device provided by an embodiment of the application;
图3为本申请实施例提供的一种计算机设备的示意框图。Fig. 3 is a schematic block diagram of a computer device provided by an embodiment of the application.
具体实施例Specific embodiment
为了更好的理解本申请的技术方案,下面结合附图对本申请实施例进行详细描述。In order to better understand the technical solutions of the present application, the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
本申请实施例提供一种基于区块链的数据处理方法,其中,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,数据监管端所配置的二级节点用于建立数据监管端与其所配置的一级节点之间的连接,数据提供端所配置的二级节点用于建立数据提供端与其所配置的一级节点之间的连接。The embodiment of the application provides a data processing method based on a blockchain, wherein the blockchain includes a first-level node and a second-level node, and the data monitoring end and the data providing end are both configured with corresponding first-level nodes and second-level nodes. Nodes, where the secondary node configured by the data supervisory terminal is used to establish the connection between the data supervisory terminal and its configured primary node, and the secondary node configured by the data provider terminal is used to establish the data provider and its configured primary node The connection between the first-level nodes.
本申请实施中的区块链,具体可指一个各节点通过共识机制达成的、具有分布式数据存储结构的P2P网络系统,该区块链内的数据分布在时间上相连的一个个“区块(block)”之内,后一区块包含前一区块的数据摘要,且根据具体的共识机制(如POW、POS、DPOS或PBFT等)的不同,达成全部或部分节点的数据全备份。本领域的技术人员熟知,由于区块链系统在相应共识机制下运行,已收录至区块链数据库内的数据很难被任意的节点篡改,因此区块链系统有着其他中心化数据库系统所法比拟的保证数据安全、防攻击篡改的特性。由此可知,在本说明书所提供的实施例中,由数据提供端提供的、被该区块链的一级节点收录的“信息”不会被攻击或篡改,从而保证了监管的真实与公正性。The blockchain in the implementation of this application can specifically refer to a P2P network system with a distributed data storage structure reached by each node through a consensus mechanism. The data in the blockchain is distributed in time-connected “blocks”. Within (block)”, the next block contains the data summary of the previous block, and according to the specific consensus mechanism (such as POW, POS, DPOS, or PBFT, etc.), a full backup of all or part of the node data is achieved. Those skilled in the art are well aware that because the blockchain system operates under the corresponding consensus mechanism, the data that has been included in the blockchain database is difficult to be tampered with by any node, so the blockchain system has other centralized database systems. Comparable to ensure data security, anti-attack and tamper-proof features. It can be seen that in the embodiments provided in this specification, the "information" provided by the data provider and included by the first-level nodes of the blockchain will not be attacked or tampered with, thereby ensuring the authenticity and fairness of supervision Sex.
本申请实施例中区块链的一级节点为存储区块链上的链上数据的电子设备,例如,平板电脑、个人计算机(Personal Computer,PC)或者其他智能 设备等,区块链的二级节点为用于建立数据监管端/数据提供端与一级节点之间的连接以及存储密钥的服务器或者终端。The primary node of the blockchain in the embodiment of the application is an electronic device that stores data on the blockchain, such as a tablet computer, a personal computer (PC) or other smart devices, etc., the second of the blockchain The level node is a server or terminal used to establish the connection between the data supervisory end/data provider and the level one node and to store the key.
本申请实施例中的数据监管端为信息监管中履行监管职责的机构所在的终端,本方案中提供的实施例的数据提供端具体可以为信息监管中的被监管终端,也可为与被监管终端发生数据连接的其他终端,终端例如可以为智能手机、平板电脑、个人计算机(Personal Computer,PC)或者其他智能设备等,数据提供端提供的“信息”即为被监管的对象信息数据。The data supervision terminal in the embodiment of this application is the terminal where the institution performing supervision duties in the information supervision is located. The data provider of the embodiment provided in this solution can be the supervised terminal in the information supervision or the supervised terminal. Other terminals that have a data connection to the terminal, such as a smart phone, a tablet, a personal computer (PC) or other smart devices, etc., and the "information" provided by the data provider is the object information data to be supervised.
在本申请实施例中,接入区块链的数据监管端或者数据提供端可以为多个,每个接入区块链的数据监管端或者数据提供端配置有一个对应的独立的二级节点,每个接入区块链的数据监管端或者数据提供端可以配置独立的一级节点,也可以是多个数据监管端或者数据提供端共用一个节点。In the embodiment of the present application, there may be multiple data supervisory terminals or data providers connected to the blockchain, and each data supervisory terminal or data provider connected to the blockchain is configured with a corresponding independent secondary node. , Each data supervisory end or data provider connected to the blockchain can be configured with an independent first-level node, or multiple data supervisory end or data provider can share one node.
在本申请实施例中,中央财政部系统(Public-Private-Partnership,PPP)及省级财政部系统为数据监管端,各个社会资本方、金融机构、项目公司、中介机构、股东方系统为不同的数据提供端。In the embodiment of this application, the central Ministry of Finance system (Public-Private-Partnership, PPP) and the provincial Ministry of Finance system are the data supervision end, and each social capital party, financial institution, project company, intermediary institution, and shareholder system are different Data provider.
在本申请实施例中,区块链还包括管理节点,区块链的管理节点会通过CA数字证书对各个二级节点进行管理,验证其合法性。当二级节点连入区块链时,会校验二级节点的CA数字证书的合法性,如果合法则建立二级节点与一级节点之间的连接,在保持连接的时间内不再对CA数字证书进行校验。如果二级节点断开与一级节点的连接,再次请求连接的时候就需要对CA数字证书的合法性进行校验。其中,CA数字证书拥有一个证书(内含公钥)和私钥,通过验证CA数字证书的签字从而信任CA数字证书对应的二级节点。In the embodiment of the present application, the blockchain also includes a management node, and the management node of the blockchain will manage each secondary node through the CA digital certificate to verify its legitimacy. When the secondary node is connected to the blockchain, the legality of the CA digital certificate of the secondary node will be verified. If it is legal, the connection between the secondary node and the primary node will be established, and the connection will no longer be correct during the time the connection is maintained. The CA digital certificate is verified. If the secondary node disconnects from the primary node, it needs to verify the validity of the CA digital certificate when requesting the connection again. Among them, the CA digital certificate has a certificate (including a public key) and a private key, and the secondary node corresponding to the CA digital certificate is trusted by verifying the signature of the CA digital certificate.
在本申请实施例中,数据处理方法以数据提供端为执行主体,数据处理方法包括:In the embodiment of the present application, the data processing method takes the data provider as the execution subject, and the data processing method includes:
步骤S01:获取原始数据,将原始数据划分为多个子数据。Step S01: Obtain original data, and divide the original data into multiple sub-data.
步骤S02:生成多个与多个子数据一一对应的子密钥。Step S02: Generate multiple sub-keys corresponding to multiple sub-data one-to-one.
步骤S03:采用多个子密钥分别对多个子数据中每个子数据进行加密,生成多个与多个子数据一一对应的密文。Step S03: Encrypt each sub-data in the multiple sub-data by using multiple sub-keys to generate multiple ciphertexts corresponding to the multiple sub-data one-to-one.
步骤S04:通过对应的二级节点将多个密文发送至区块链的各个一级节点,使得各个一级节点保存密文。Step S04: Send multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node, so that each first-level node saves the ciphertext.
步骤S05:判断数据监管端是否具有全部子数据的监管权限,若数据监管端没有具有全部子数据的监管权限,则在子数据中确定第一子数据,第一子数据为数据监管端具有监管权限的数据;Step S05: Determine whether the data supervisory terminal has supervisory authority for all sub-data. If the data supervisory end does not have supervisory authority for all sub-data, then the first sub-data is determined in the sub-data. The first sub-data is that the data supervisory end has supervisory authority Permission data;
步骤S06:将多个子密钥中与第一子数据对应的第一子密钥发送给数据监管端对应的二级节点,以使得数据监管端对应的二级节点能够采用第一子密钥对第一子数据对应的密文进行解密,以获得明文并将明文返回给数据监管端。Step S06: Send the first subkey corresponding to the first subdata among the multiple subkeys to the secondary node corresponding to the data supervisory terminal, so that the secondary node corresponding to the data supervisory terminal can use the first subkey pair The ciphertext corresponding to the first sub-data is decrypted to obtain the plaintext and return the plaintext to the data supervisory end.
可以理解,本申请实施例通过在实现数据加密时,通过根据预设规则 将原始数据划分为不同子数据,然后生出多个子密钥,使用子密钥对多个子数据进行加密,以实现对一条原始数据的多个子数据进行分开加密,从而实现对同一条业务数据的多个子数据使用对应的子密钥单独解密,进一步实现对同一条业务数据的不同子数据实现单独访问,相对于传统技术,在同一条业务数据中,若仅希望监管端只能访问部分内容的需求而必须将数据进行拆分以单独上链的处理方式,可以大大提高加密数据处理的效率和访问的便捷性。It can be understood that, when implementing data encryption, the embodiment of the present application divides the original data into different sub-data according to preset rules, and then generates multiple sub-keys, and uses the sub-keys to encrypt multiple sub-data, so as to realize one piece of data. Separately encrypt multiple sub-data of the original data, so that multiple sub-data of the same piece of business data can be decrypted separately using the corresponding sub-key, and further realize separate access to different sub-data of the same piece of business data. Compared with traditional technology, In the same piece of business data, if the supervisor only wants to access part of the content and must split the data into a separate processing method, it can greatly improve the efficiency of encrypted data processing and the convenience of access.
除此之外,本申请设置二级节点对接一级节点与数据监管端及数据提供端,使得数据监管端及数据提供端仅需要通过节点对接区块链,这种对接方式降低了数据监管端及数据提供端对应的对接区块链的改造难度,节省了实施的时间和人力,同时,数据监管端及数据提供端均不直接与区块链的一级节点对接,能够进一步保证一级节点内保存的数据的安全性。In addition, this application sets up the second-level node to connect the first-level node with the data supervisory end and the data provider, so that the data supervisory end and the data provider only need to connect to the blockchain through the node. This connection method reduces the data supervisory end. The difficulty of docking the blockchain transformation corresponding to the data provider, saving implementation time and manpower. At the same time, the data monitoring terminal and the data provider are not directly connected to the first-level nodes of the blockchain, which can further ensure the first-level nodes The security of the data stored inside.
下面结合附图1,对本申请实施例提供的一种基于区块链的数据处理方法具体实现方式进行更加详尽的说明。The specific implementation of a blockchain-based data processing method provided by an embodiment of the present application will be described in more detail below with reference to FIG. 1.
首先,执行步骤S01:获取原始数据,将原始数据划分为多个子数据。First, perform step S01: obtain original data, and divide the original data into multiple sub-data.
具体地,在本实施方式中,原始数据包括但不限于项目名称、项目类型、项目金额、项目可行性报告、环评报告、物有所值评估报告等项目过程中产生的数据等。Specifically, in this embodiment, the original data includes, but is not limited to, data generated during the project process such as project name, project type, project amount, project feasibility report, environmental impact assessment report, value for money assessment report, etc.
进一步地,步骤S01:将原始数据划分为多个子数据,具体可以包括:Further, step S01: dividing the original data into multiple sub-data, which may specifically include:
步骤S011:判断原始数据是否为JSON格式;Step S011: Determine whether the original data is in JSON format;
步骤S012:若否,将原始数据转换为JSON格式;Step S012: If not, convert the original data into JSON format;
步骤S013:将转换后的JSON格式的原始数据中的每一个键值对作为一个子数据,以将原始数据划分为多个子数据。Step S013: Use each key-value pair in the converted original data in the JSON format as a sub-data to divide the original data into multiple sub-data.
进一步地,若原始数据采用JSON格式,可以根据JSON格式中的键值对将原始数据拆分为不同的部分以得到不同的子数据,也就是将JSON格式中的每一个键值对作为一个子数据。若原始数据不是JSON格式,则将原始数据转换成键值对的格式,也就是将原始数据中的对象作为Key,将对象的值或者属性作为Value。例如,若原始数据为数组格式,将此数据的数组格式转化成JSON对象后,Key值是数组中的索引,Value是数组对应的值。将待加密数据转换成键值对后,以每一个键值对作为一个子数据,将待加密数据划分为多个子数据以进一步通过对不同子数据的加密实现对子数据对应的数据的灵活授权。划分子数据的方式可以是根据数据的属性来划分,比如,将同一个业务属性的数据采用JSON的格式,对于JSON的每一个键值对(也就是Key-Value对)作为一个子数据(英文为Field)。Further, if the original data is in the JSON format, the original data can be split into different parts according to the key-value pairs in the JSON format to obtain different sub-data, that is, each key-value pair in the JSON format is used as a sub-data. data. If the original data is not in JSON format, the original data is converted into a key-value pair format, that is, the object in the original data is used as the Key, and the value or attribute of the object is used as the Value. For example, if the original data is in an array format, after converting the array format of this data into a JSON object, the Key value is the index in the array, and the Value is the value corresponding to the array. After converting the data to be encrypted into key-value pairs, each key-value pair is used as a sub-data, and the data to be encrypted is divided into multiple sub-data to further realize the flexible authorization of the data corresponding to the sub-data by encrypting different sub-data . The way to divide the sub-data can be based on the attributes of the data. For example, the data of the same business attribute is in JSON format, and each key-value pair (that is, a key-value pair) of JSON is used as a sub-data (in English) For Field).
需要知道的是,子数据是指使用一个密钥进行加密以进行独立授权的数据范围,比如说项目名称和货单价两列数据可以分别为一个子数据。其中,JSON,英文为JavaScript Object Notation,JS对象简谱,是一种轻量级的数据交换格式,JSON数据的书写格式是:名称/值对。What you need to know is that sub-data refers to the data range that is encrypted with a key for independent authorization. For example, the two columns of item name and unit price can each be a sub-data. Among them, JSON, English is JavaScript Object Notation, JS Object Notation, is a lightweight data exchange format, and the writing format of JSON data is: name/value pair.
然后,执行步骤S02:生成多个与多个子数据一一对应的子密钥。Then, step S02 is performed: multiple subkeys corresponding to the multiple subdata one-to-one are generated.
具体地,步骤S02:生成多个与多个子数据一一对应的子密钥,具体可以包括:Specifically, step S02: generating multiple sub-keys corresponding to multiple sub-data in one-to-one correspondence may specifically include:
步骤S021:生成与原始数据对应的根密钥、初始参数及约定步进值;Step S021: Generate the root key, initial parameters and agreed step value corresponding to the original data;
具体地,初始参数可以是数据提供端内部的随机数生成器即时产生的具有固定长度的随机数,例如342,初始参数及约定步进值可以是预先设置的,也可以是如初始参数一样即时生成。Specifically, the initial parameter can be a random number with a fixed length generated instantly by the random number generator inside the data provider, such as 342. The initial parameter and the agreed step value can be preset or instantaneous like the initial parameter. generate.
步骤S022:基于预设的子密钥派生机制,将根密钥、初始参数及约定步进值进行迭代运算,生成多个与多个子数据一一对应的子密钥。Step S022: Based on the preset sub-key derivation mechanism, perform iterative operations on the root key, the initial parameters, and the agreed step value to generate multiple sub-keys corresponding to multiple sub-data one-to-one.
具体地,在本申请实施例中,将根密钥、初始参数及约定步进值进行迭代运算,生成多个与多个子数据一一对应的子密钥的过程具体为:将根密钥及初始参数代入到预设的第一函数中,得到第一子密钥,同时将初始参数与约定步进值做相加运算,得到第一变量;然后再将根密钥及第一变量代入到预设的第一函数中,得到第二子密钥,同时将第一变量与约定步进值做相加运算,得到第二变量;然后再将根密钥及第二变量代入到预设的第一函数中,得到第三子密钥,如此反复,直到生成预设数量的子密钥。Specifically, in the embodiment of the present application, the process of performing iterative operations on the root key, initial parameters, and agreed step value to generate multiple sub-keys corresponding to multiple sub-data is specifically: combining the root key and The initial parameters are substituted into the preset first function to obtain the first subkey. At the same time, the initial parameters and the agreed step value are added together to obtain the first variable; then the root key and the first variable are substituted into In the preset first function, the second subkey is obtained, and the first variable and the agreed step value are added together to obtain the second variable; then the root key and the second variable are substituted into the preset In the first function, the third subkey is obtained, and so on, until a preset number of subkeys are generated.
举例来说,当子数据的数量为3时,计算Key1=BootKey+f(V0),其中,BootKey为根密钥,V0为初始参数,进而得到第一子密钥Key1;接着,计算V1=V0+StepFactor,其中,StepFactor为约定步进值,得到第一变量V1,计算Key2=BootKey+f(V1),得到第二子密钥Key2;接着,计算V2=V1+StepFactor,得到第一变量V2,计算Key3=BootKey+f(V2),得到第三子密钥Key3。For example, when the number of sub-data is 3, calculate Key1=BootKey+f(V0), where BootKey is the root key, and V0 is the initial parameter to obtain the first sub-key Key1; then, calculate V1= V0+StepFactor, where StepFactor is the agreed step value, the first variable V1 is obtained, and Key2=BootKey+f(V1) is calculated to obtain the second subkey Key2; then, V2=V1+StepFactor is calculated to obtain the first variable V2, calculate Key3=BootKey+f(V2) to obtain the third subkey Key3.
更进一步地,步骤S021:生成与原始数据对应的根密钥,具体可以包括:Furthermore, step S021: generating a root key corresponding to the original data may specifically include:
步骤S0211:获取用户输入的密码,以及生成随机数;Step S0211: Obtain the password entered by the user and generate a random number;
密码可以通过用户可以在可触摸显示屏上进行按压或者点击,或者通过物理键盘进行输入得到,随机数通过数据提供端内部的随机数生成单元生成。The password can be obtained by the user pressing or clicking on the touchable display screen, or inputting through the physical keyboard, and the random number is generated by the random number generating unit inside the data provider.
在本申请实施方式中,可以是先获取用户输入的密码,再生成随机数,或者,先生成随机数再获取用户输入的密码,本申请对此不做限定。In the implementation of the present application, the password entered by the user may be obtained first, and then the random number is generated, or the random number is generated first, and then the password entered by the user is obtained, which is not limited in this application.
步骤S0212:在多个预设算法中随机选择第一预设算法,基于第一预设算法将密码与随机数进行运算,得到根密钥,其中,多个预设算法中的每个预设算法对应唯一的算法标识;Step S0212: randomly select a first preset algorithm from a plurality of preset algorithms, and calculate a password and a random number based on the first preset algorithm to obtain a root key, wherein each of the plurality of preset algorithms is preset The algorithm corresponds to a unique algorithm identifier;
多个预设算法例如可以包括但不限于KDF(Key Derivation Function,密钥导出算法)算法、bcrypt加密算法、Blowfish算法、DES算法、DESede算法、HmacMD5算法或HmacSHA1算法等,每种算法对应一个唯一的算法标识,例如1,2,3等等,将用户输入的密码及随机数作为预设算法的输入数据,进而得到根密钥。以KDF算法为第一预算法为例,计算 BootKey=PBKDF2(Password,Salt,it),其中Password为用户输入的密码,Salt为内部产生的随机数,it为迭代次数,迭代次数可以根据用户需求指定。Multiple preset algorithms may include, but are not limited to, KDF (Key Derivation Function, key derivation algorithm) algorithm, bcrypt encryption algorithm, Blowfish algorithm, DES algorithm, DESede algorithm, HmacMD5 algorithm, or HmacSHA1 algorithm. Each algorithm corresponds to a unique algorithm. The algorithm ID of the algorithm, such as 1, 2, 3, etc., uses the password and random number input by the user as the input data of the preset algorithm, and then obtains the root key. Taking KDF algorithm as the first budget method as an example, calculate BootKey=PBKDF2(Password, Salt, it), where Password is the password entered by the user, Salt is a random number generated internally, it is the number of iterations, and the number of iterations can be based on user needs Specify.
步骤S0213:将随机数及第一预设算法对应的算法标识保存在对应的二级节点内。Step S0213: Store the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
进一步地,数据提供端在将生成的子密钥发送给对应具有监管权限的数据监管端之后,数据提供端还会删除计算得到的第一根密钥。Further, after the data provider sends the generated subkey to the corresponding data supervisory end with supervisory authority, the data provider also deletes the calculated first root key.
当数据提供端自身需要查询原始数据中的一个或者多个子数据时,数据提供端从其所配置的二级节点获取需要查询的子数据对应的密文,然后进行解密,解密的过程包括:生成提示信息,以提示用户输入对应的密码,该密码是用户在上传对应的原始数据时输入的密码,根据存储的第一预设算法对应的算法标识确定在多个预设算法中确定第一预设算法,然后将用户输入的密码、存储的随机数作为第一预设算法的输入数据,得到根密钥,进而再通过根密钥运算得到对应的子密钥,通过子密钥进行解密,得到对应的明文,即子数据。When the data provider itself needs to query one or more sub-data in the original data, the data provider obtains the ciphertext corresponding to the sub-data that needs to be queried from its configured secondary node, and then decrypts it. The decryption process includes: generation Prompt information to prompt the user to enter the corresponding password. The password is the password the user entered when uploading the corresponding original data. According to the stored algorithm identifier corresponding to the first preset algorithm, it is determined that the first preset algorithm is determined in the plurality of preset algorithms. Set the algorithm, and then use the password input by the user and the stored random number as the input data of the first preset algorithm to obtain the root key, and then obtain the corresponding subkey through the root key operation, and then decrypt it by the subkey. Get the corresponding plaintext, that is, the sub-data.
可以理解,由于根密钥是整条原始数据密钥体系建立的根本,存储根密钥会带来根密钥的安全性保护隐患,增加安全风险。因此,本申请不直接存储根密钥,而是存储生成根密钥的参数(例如随机数)以及算法标识,会使得整个系统的安全性大大提高。攻击者无法窃取根密钥,也就无法破解整个密钥体系中的其它密钥。同时,数据提供端生成的二级节点无法保存全部的子密钥等信息,可以减少对存储空间的使用。除此之外,本申请通过根据用户的输入密码作为根密钥的生成参数,增加的生成根密钥的灵活性及安全性。It can be understood that since the root key is the foundation of the entire original data key system, storing the root key will bring hidden dangers to the security protection of the root key and increase security risks. Therefore, this application does not directly store the root key, but instead stores the parameters (such as random numbers) and algorithm identifications for generating the root key, which will greatly improve the security of the entire system. Attackers cannot steal the root key, and cannot crack other keys in the entire key system. At the same time, the secondary node generated by the data provider cannot store all the sub-keys and other information, which can reduce the use of storage space. In addition, this application increases the flexibility and security of generating the root key by using the user's input password as the root key generation parameter.
接着,执行步骤S03:采用多个子密钥分别对多个子数据中每个子数据进行加密,生成多个与多个子数据一一对应的密文。Then, step S03 is performed: each sub-data in the multiple sub-data is respectively encrypted with multiple sub-keys to generate multiple ciphertexts corresponding to the multiple sub-data one-to-one.
具体地,举例来说,若多个子数据分别为项目名称、项目金额及企业名称,则可以使用Key1对项目名称进行加密,因此使用Key1可以对项目名称进行单独访问;使用Key2对项目金额进行加密,因此使用Key2可以对项目金额进行单独访问,使用Key3对企业名称进行加密,因此使用Key3可以对企业名称进行单独访问,从而对不同的子数据使用不同的子密钥分别对应加密,进而实现对同一条业务数据的不同子数据使用单独的密钥进行单独授权和访问。Specifically, for example, if multiple sub-data are respectively the project name, project amount, and company name, then Key1 can be used to encrypt the project name, so Key1 can be used to access the project name separately; Key2 is used to encrypt the project amount Therefore, Key2 can be used to access the project amount separately, and Key3 can be used to encrypt the company name. Therefore, Key3 can be used to access the company name individually, so that different sub-data can be respectively encrypted with different sub-keys to realize the pairing. Different sub-data of the same piece of business data use separate keys for separate authorization and access.
接着,执行步骤S04:通过对应的二级节点将多个密文发送至区块链的各个一级节点,区块链的各个一级节点接收到密文后将密文保存。Next, perform step S04: send multiple ciphertexts to each primary node of the blockchain through the corresponding secondary node, and each primary node of the blockchain saves the ciphertext after receiving the ciphertext.
更具体地,每个一级节点保存密文时,会将不同密文分别建立不同的索引,以使得数据监管端及数据提供端均能够根据不同的索引查询到对应的密文。More specifically, when each first-level node saves the ciphertext, different indexes will be established for different ciphertexts, so that the data supervisory end and the data provider can both query the corresponding ciphertext according to different indexes.
接着,执行步骤S05:判断数据监管端是否具有全部子数据的监管权限,若否,则在多个子数据中确定数据监管端具有监管权限的第一子数据。Next, perform step S05: determine whether the data supervisory terminal has supervisory authority for all sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the multiple sub-data.
在本申请实施方式中,数据监管端对子数据的监管权限可以是通过用户设定的,例如,数据提供端将原始数据划分为多个子数据后,将各个子数据在显示界面上显示,供用户查看和选择每个数据监管端要授权的子数据。In the implementation of the present application, the data monitoring terminal's monitoring authority for the sub-data may be set by the user. For example, after the data provider divides the original data into multiple sub-data, each sub-data is displayed on the display interface for The user views and selects the sub-data to be authorized by each data supervisory terminal.
进一步地,数据处理方法还包括:若数据监管端具有全部子数据的监管权限,则将生成的根密钥、初始参数及约定步进值发送给数据监管端,使得数据监管端能够根据子密钥派生机制,将根密钥、初始参数及约定步进值进行迭代运算,得到每个子数据对应的子密钥并将每个子数据对应的子密钥保存在其对应的二级节点内,然后删除根密钥,其中,数据监管端及数据提供端均配置有子密钥派生机制对应的算法。Further, the data processing method further includes: if the data supervisory end has supervisory authority for all sub-data, sending the generated root key, initial parameters, and agreed step value to the data supervisory end, so that the data supervisory end can according to the sub-secret. The key derivation mechanism performs iterative operations on the root key, initial parameters, and agreed step values to obtain the sub-key corresponding to each sub-data and save the sub-key corresponding to each sub-data in its corresponding secondary node, and then Delete the root key, where both the data supervisory terminal and the data provider are configured with algorithms corresponding to the subkey derivation mechanism.
可以理解,若数据监管端具有全部子数据的监管权限,则将生成的根密钥、初始参数及约定步进值发送给数据监管端对应的二级节点,使得对应的数据监管端能够自身根据根密钥、初始参数及约定步进值得到每个子数据对应的子密钥,从而获得每个子数据的明文。无需数据提供端将每个子数据对应的子密钥都发送给数据监管端对应的二级节点,以减少通信网络的数据传输负载及各个二级节点的存储空间的使用。It can be understood that if the data supervisory end has the supervisory authority of all sub-data, the generated root key, initial parameters and agreed step value will be sent to the corresponding secondary node of the data supervisory end, so that the corresponding data supervisory end can be based on The root key, the initial parameters and the agreed step value obtain the sub-key corresponding to each sub-data, thereby obtaining the plaintext of each sub-data. There is no need for the data provider to send the subkey corresponding to each subdata to the corresponding secondary node of the data supervisory terminal, so as to reduce the data transmission load of the communication network and the storage space usage of each secondary node.
接着,执行步骤S06:将多个子密钥中与第一子数据对应的第一子密钥发送给数据监管端对应的二级节点,以使得数据监管端对应的二级节点能够采用第一子密钥对第一子数据对应的密文进行解密获得明文并将明文返回给数据监管端。Then, step S06 is performed: the first subkey corresponding to the first subdata among the multiple subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can adopt the first subkey The key decrypts the ciphertext corresponding to the first sub-data to obtain the plaintext and returns the plaintext to the data supervisory end.
进一步的,为了更进一步提高安全性,在数据提供端将生成的根密钥、初始参数及约定步进值发送给数据监管端对应的二级节点之前,或者,将多个子密钥中与第一子数据对应的第一子密钥发送给数据监管端所配置的二级节点之前,数据监管端对应的二级节点以及数据提供端对应的二级节点还会分别对数据监管端及数据提供端进行验证,其中,数据提供端对应的二级节点对数据提供端进行验证的具体过程包括:数据提供端对应的二级节点判断数据提供端是否在合法期限内,若否,则向数据提供端发送令牌验证请求,数据提供端对应的二级节点接收数据提供端的token(令牌),并判断数据提供端的token(令牌)是否合法,若数据提供端的token(令牌)合法,则确定数据提供端通过验证;同样的,数据监管端对应的二级节点对数据监管端进行验证具体过程包括:数据监管端对应的二级节点判断数据监管端是否在合法期限内,若否,向数据监管端发送令牌验证请求,数据监管端对应的二级节点接收数据监管端的token(令牌),并判断数据监管端的token(令牌)是否合法,若数据监管端的token(令牌)合法,则确定数据监管端通过验证。当数据提供端及数据监管端的均通过验证后,数据提供端才将生成的根密钥、初始参数及约定步进值发送给数据监管端对应的二级节点,或者将多个子密钥中与第一子数据对应的第一子密钥发送给数据监管端所配置的二级节点。Further, in order to further improve security, before the data provider sends the generated root key, initial parameters, and agreed step value to the corresponding secondary node of the data supervisory end, or the subkeys are combined with the first Before the first subkey corresponding to a subdata is sent to the secondary node configured by the data supervisory terminal, the secondary node corresponding to the data supervisory terminal and the secondary node corresponding to the data provider will also provide the data supervisory terminal and the data provider respectively. The specific process for the secondary node corresponding to the data provider to verify the data provider includes: the secondary node corresponding to the data provider determines whether the data provider is within the legal period, and if not, the data provider The end sends a token verification request, and the secondary node corresponding to the data provider receives the token of the data provider and judges whether the token of the data provider is legal. If the token of the data provider is legal, then Confirm that the data provider has passed the verification; similarly, the specific process for the secondary node corresponding to the data monitoring terminal to verify the data monitoring terminal includes: the secondary node corresponding to the data monitoring terminal judges whether the data monitoring terminal is within the legal period, if not, to The data supervisory end sends a token verification request, and the corresponding secondary node of the data supervisory end receives the token (token) of the data supervisory end, and judges whether the token of the data supervisory end is legal, if the token of the data supervisory end is legal , It is determined that the data supervisory terminal has passed the verification. After both the data provider and the data supervisory end have passed the verification, the data provider will send the generated root key, initial parameters and agreed step value to the corresponding secondary node of the data supervisory end, or combine multiple subkeys with The first subkey corresponding to the first subdata is sent to the secondary node configured by the data supervisory end.
需要说明的是,上述各个实施例的数据加密方法,可以根据需要将不同实施例中包含的技术特征重新进行组合,以获取组合后的实施方案,但都在本申请要求的保护范围之内。It should be noted that, in the data encryption method of each of the foregoing embodiments, the technical features contained in different embodiments can be recombined as needed to obtain a combined implementation solution, but they are all within the scope of protection required by this application.
请参阅附图2,本申请提供一种基于区块链的数据加密装置1,包括:Please refer to Figure 2. This application provides a block chain-based data encryption device 1, including:
区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,数据监管端所对应的二级节点用于建立数据监管端与其所对应的一级节点之间的连接,数据提供端所对应的二级节点用于建立数据提供端与其所对应的一级节点之间的连接;数据加密装置应用于数据提供端,数据加密装置1包括:The blockchain includes a first-level node and a second-level node. The data monitoring terminal and the data providing terminal are equipped with corresponding first-level nodes and second-level nodes. Among them, the second-level node corresponding to the data monitoring terminal is used to establish the data monitoring terminal and For the connection between the corresponding primary nodes, the secondary node corresponding to the data provider is used to establish the connection between the data provider and its corresponding primary node; the data encryption device is applied to the data provider, and the data encryption device 1 includes:
划分模块11,用于获取原始数据,将原始数据划分为多个子数据;The dividing module 11 is used to obtain original data and divide the original data into multiple sub-data;
第一生成模块12,用于生成多个与多个子数据一一对应的子密钥;The first generating module 12 is configured to generate a plurality of sub-keys corresponding to a plurality of sub-data in a one-to-one manner;
第二生成模块13,用于采用多个子密钥分别对多个子数据中每个子数据进行加密,生成多个与多个子数据一一对应的密文;The second generating module 13 is configured to use a plurality of subkeys to respectively encrypt each subdata of the plurality of subdata, and generate a plurality of ciphertexts corresponding to the plurality of subdata one to one;
第一发送模块14,用于通过对应的二级节点将多个密文发送至区块链的各个一级节点;The first sending module 14 is configured to send multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
确定模块15,用于判断数据监管端是否具有全部子数据的监管权限,若否,则在多个子数据中确定数据监管端具有监管权限的第一子数据;及The determining module 15 is used to determine whether the data supervisory terminal has the supervisory authority of all sub-data, if not, determine the first sub-data of the data supervisory end with supervisory authority among the multiple sub-data; and
第二发送模块16,用于将多个子密钥中与第一子数据对应的第一子密钥发送给数据监管端对应的二级节点,以使得数据监管端对应的二级节点能够采用第一子密钥对第一子数据对应的密文进行解密,以获得明文并将明文返回给数据监管端。The second sending module 16 is configured to send the first subkey corresponding to the first subdata among the plurality of subkeys to the secondary node corresponding to the data supervisory terminal, so that the secondary node corresponding to the data supervisory terminal can adopt the first subkey A subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory terminal.
进一步地,划分模块11包括:Further, the dividing module 11 includes:
判断单元,用于判断原始数据是否为JSON格式;The judging unit is used to judge whether the original data is in JSON format;
转换单元,用于当原始数据不为JSON格式时,将原始数据转换为JSON格式;及The conversion unit is used to convert the original data into the JSON format when the original data is not in the JSON format; and
划分单元,用于将转换后的JSON格式的原始数据中的每一个键值对作为一个子数据,以将原始数据划分为多个子数据。The dividing unit is used to treat each key-value pair in the converted original data in the JSON format as a sub-data to divide the original data into multiple sub-data.
进一步地,第一生成模块12包括:Further, the first generating module 12 includes:
生成单元,用于生成与原始数据对应的根密钥、初始参数及约定步进值;及The generating unit is used to generate the root key, initial parameters and agreed step value corresponding to the original data; and
第一运算单元,用于基于预设的子密钥派生机制,将根密钥、初始参数及约定步进值进行迭代运算,生成多个与多个子数据一一对应的子密钥。The first arithmetic unit is configured to perform iterative operations on the root key, initial parameters, and agreed step values based on a preset sub-key derivation mechanism to generate multiple sub-keys corresponding to multiple sub-data one-to-one.
进一步地,生成单元包括:Further, the generating unit includes:
获取子单元,用于获取用户输入的密码,以及生成随机数;The obtaining subunit is used to obtain the password entered by the user and generate a random number;
运算子单元,用于在多个预设算法中随机选择第一预设算法,基于第一预设算法将密码与随机数进行运算,得到根密钥,其中,多个预设算法中的每个预设算法对应唯一的算法标识;及The operation subunit is used to randomly select the first preset algorithm from a plurality of preset algorithms, and calculate the password and the random number based on the first preset algorithm to obtain the root key, wherein each of the plurality of preset algorithms Each preset algorithm corresponds to a unique algorithm identifier; and
保存子单元,用于将随机数及第一预设算法对应的算法标识保存在对 应的二级节点内。The saving subunit is used to save the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
可选地,数据加密装置1还包括:第三发送模块,用于当数据监管端具有全部子数据的监管权限时,将生成的根密钥、初始参数及约定步进值发送给数据监管端,使得数据监管端能够根据子密钥派生机制,将根密钥、初始参数及约定步进值进行迭代运算,得到每个子数据对应的子密钥,并将每个子密钥保存在其对应的二级节点内。Optionally, the data encryption device 1 further includes: a third sending module, configured to send the generated root key, initial parameters and agreed step value to the data supervisory end when the data supervisory end has supervisory authority for all sub-data , Enabling the data supervisor to perform iterative operations on the root key, initial parameters, and agreed step value according to the sub-key derivation mechanism to obtain the sub-key corresponding to each sub-data, and save each sub-key in its corresponding Within the secondary node.
本申请实施例提供了一种存储介质,该存储介质可以是非易失性,也可以是易失性,该存储介质包括存储的程序,其中,在程序运行时控制存储介质所在设备执行实现实施例中的数据处理方法。The embodiment of the present application provides a storage medium. The storage medium may be non-volatile or volatile. The storage medium includes a stored program, wherein the device where the storage medium is located is controlled to execute the implementation while the program is running. Data processing methods in.
请参阅附图3,本申请实施例提供了一种计算机设备,该实施例的计算机设备50包括:处理器51、存储器52以及存储在存储器52中并可在处理器51上运行的计算机程序53,该计算机程序53被处理器51执行时实现实施例中的基于区块链的数据处理方法,为避免重复,此处不一一赘述。或者,该计算机程序被处理器51执行时实现实施例中数据处理装置1中各模型/单元的功能,为避免重复,此处不一一赘述。Referring to FIG. 3, an embodiment of the present application provides a computer device. The computer device 50 of this embodiment includes a processor 51, a memory 52, and a computer program 53 stored in the memory 52 and running on the processor 51. When the computer program 53 is executed by the processor 51, the blockchain-based data processing method in the embodiment is implemented. In order to avoid repetition, it will not be repeated here. Alternatively, when the computer program is executed by the processor 51, the function of each model/unit in the data processing apparatus 1 in the embodiment is realized. In order to avoid repetition, it will not be repeated here.
计算机设备50可以是桌上型计算机、笔记本、掌上电脑及云端服务器等计算设备。计算机设备50可包括但不仅限于处理器51、存储器52。本领域技术人员可以理解,图3仅仅是计算机设备50的示例,并不构成对计算机设备50的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件,例如计算机设备还可以包括输入输出设备、网络接入设备、总线等。The computer device 50 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server. The computer device 50 may include but is not limited to a processor 51 and a memory 52. Those skilled in the art can understand that FIG. 3 is only an example of the computer device 50, and does not constitute a limitation on the computer device 50. It may include more or less components than shown, or a combination of certain components, or different components. For example, computer equipment may also include input and output devices, network access devices, buses, and so on.
所称处理器51可以是中央处理单元(Central Processing Unit,CPU),还可以是其它通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其它可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。The so-called processor 51 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
存储器52可以是计算机设备50的内部存储单元,例如计算机设备50的硬盘或内存。存储器52也可以是计算机设备50的外部存储设备,例如计算机设备50上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。进一步地,存储器52还可以既包括计算机设备50的内部存储单元也包括外部存储设备。存储器52用于存储计算机程序以及计算机设备所需的其它程序和数据。存储器52还可以用于暂时地存储已经输出或者将要输出的数据。The memory 52 may be an internal storage unit of the computer device 50, such as a hard disk or memory of the computer device 50. The memory 52 may also be an external storage device of the computer device 50, such as a plug-in hard disk equipped on the computer device 50, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, and a flash memory card (Flash). Card) and so on. Further, the memory 52 may also include both an internal storage unit of the computer device 50 and an external storage device. The memory 52 is used to store computer programs and other programs and data required by the computer equipment. The memory 52 can also be used to temporarily store data that has been output or will be output.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and conciseness of the description, the specific working process of the above-described system, device, and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置 和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如,多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or may be Integrate into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现。In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional units.
上述以软件功能单元的形式实现的集成的单元,可以存储在一个计算机可读取存储介质中。上述软件功能单元存储在一个存储介质中,包括若干指令用以使得一台计算机装置(可以是个人计算机,服务器,或者网络装置等)或处理器(Processor)执行本申请各个实施例方法的部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The above-mentioned integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The above-mentioned software functional unit is stored in a storage medium and includes several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (Processor) execute part of the steps of the methods in the various embodiments of the present application . The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks or optical disks and other media that can store program codes. .
以上仅为本申请的较佳实施例而已,并不用以限制本申请,凡在本申请的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本申请保护的范围之内。The above are only preferred embodiments of this application, and are not intended to limit this application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this application shall be included in the protection of this application. Within range.

Claims (20)

  1. 一种基于区块链的数据处理方法,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述方法应用于数据提供端,所述方法包括:A data processing method based on a blockchain. The blockchain includes a first-level node and a second-level node. Both the data monitoring end and the data-providing end are configured with corresponding first-level nodes and second-level nodes, wherein the data The secondary node corresponding to the supervisory terminal is used to establish a connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider is used to establish the data provider and its corresponding The connection between the first-level nodes; the method is applied to the data provider, and the method includes:
    获取原始数据,将所述原始数据划分为多个子数据;Acquiring original data, and dividing the original data into multiple sub-data;
    生成多个与所述多个子数据一一对应的子密钥;Generating a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
    采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密,生成多个与所述多个子数据一一对应的密文;Respectively encrypting each sub-data of the plurality of sub-data by using the plurality of sub-keys to generate a plurality of ciphertexts corresponding to the plurality of sub-data one-to-one;
    通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;Sending the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
    判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;Determine whether the data supervisory terminal has supervisory authority for all the sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the plurality of sub-data;
    将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The first subkey corresponding to the first subdata among the plurality of subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can use all The first subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory end.
  2. 如权利要求1所述的方法,所述将所述原始数据划分为多个子数据,包括:The method of claim 1, wherein the dividing the original data into a plurality of sub-data includes:
    判断所述原始数据是否为JSON格式;Determine whether the original data is in JSON format;
    若否,将所述原始数据转换为JSON格式;If not, convert the original data into JSON format;
    将转换后的所述JSON格式的原始数据中的每一个键值对作为一个子数据,以将所述原始数据划分为多个所述子数据。Each key-value pair in the converted original data in the JSON format is used as a sub-data to divide the original data into a plurality of sub-data.
  3. 如权利要求1所述的方法,所述生成多个与所述多个子数据一一对应的子密钥,包括:The method according to claim 1, wherein said generating a plurality of sub-keys corresponding to said plurality of sub-data includes:
    生成与所述原始数据对应的根密钥、初始参数及约定步进值;Generating a root key, initial parameters, and agreed step value corresponding to the original data;
    基于预设的子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,生成多个与所述多个子数据一一对应的子密钥。Based on a preset sub-key derivation mechanism, the root key, the initial parameter, and the agreed step value are iteratively operated to generate a plurality of sub-keys corresponding to the plurality of sub-data one-to-one.
  4. 如权利要求3所述的方法,所述生成与所述原始数据对应的根密钥,包括:The method according to claim 3, wherein said generating a root key corresponding to said original data comprises:
    获取用户输入的密码,以及生成随机数;Obtain the password entered by the user and generate a random number;
    在多个预设算法中随机选择第一预设算法,基于所述第一预设算法将所述密码与所述随机数进行运算,得到所述根密钥,其中,所述多个预设算法中的每个预设算法对应唯一的算法标识;A first preset algorithm is randomly selected from a plurality of preset algorithms, and the password and the random number are calculated based on the first preset algorithm to obtain the root key, wherein the plurality of preset algorithms Each preset algorithm in the algorithm corresponds to a unique algorithm identifier;
    将所述随机数及所述第一预设算法对应的算法标识保存在对应的二级节点内。The random number and the algorithm identifier corresponding to the first preset algorithm are stored in the corresponding secondary node.
  5. 如权利要求1所述的方法,所述方法还包括:若所述数据监管端具有全部所述子数据的监管权限,则将生成的所述根密钥、所述初始参数及所述约定步进值发送给所述数据监管端,使得所述数据监管端能够根据所述子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,得到每个子数据对应的子密钥,并将每个所述子密钥保存在其对应的二级节点内。The method according to claim 1, the method further comprising: if the data supervisory terminal has supervisory authority for all the sub-data, then the generated root key, the initial parameters and the agreed step The input value is sent to the data supervisory end, so that the data supervisory end can perform iterative operations on the root key, the initial parameters, and the agreed step value according to the sub-key derivation mechanism to obtain each Sub-keys corresponding to each sub-data, and each sub-key is stored in its corresponding secondary node.
  6. 一种基于区块链的数据加密装置,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述数据加密装置应用于数据提供端,所述数据加密装置包括:A data encryption device based on a block chain. The block chain includes a first-level node and a second-level node. Both the data monitoring end and the data providing end are configured with corresponding first-level nodes and second-level nodes, wherein the data The secondary node corresponding to the supervisory terminal is used to establish a connection between the data supervisory terminal and its corresponding primary node, and the secondary node corresponding to the data provider is used to establish the data provider and its corresponding The connection between the first-level nodes; the data encryption device is applied to the data provider, and the data encryption device includes:
    划分模块,用于获取原始数据,将所述原始数据划分为多个子数据;The dividing module is used to obtain original data and divide the original data into multiple sub-data;
    第一生成模块,用于生成多个与所述多个子数据一一对应的子密钥;The first generating module is configured to generate a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
    第二生成模块,用于采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密,生成多个与所述多个子数据一一对应的密文;A second generation module, configured to use the plurality of subkeys to respectively encrypt each subdata in the plurality of subdata, and generate a plurality of ciphertexts corresponding to the plurality of subdata in a one-to-one manner;
    第一发送模块,用于通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;The first sending module is configured to send the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
    确定模块,用于判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;及The determining module is used to determine whether the data monitoring terminal has the monitoring authority of all the sub-data, and if not, determining the first sub-data for which the data monitoring terminal has the monitoring authority among the plurality of sub-data; and
    第二发送模块,用于将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The second sending module is configured to send the first subkey corresponding to the first subdata among the plurality of subkeys to the secondary node corresponding to the data supervisory end, so that the data supervisory end corresponds to The secondary node of can use the first subkey to decrypt the ciphertext corresponding to the first subdata to obtain the plaintext and return the plaintext to the data supervisory end.
  7. 如权利要求6所述的数据加密装置,所述划分模块包括:7. The data encryption device according to claim 6, wherein the dividing module comprises:
    判断单元,用于判断所述原始数据是否为JSON格式;The judging unit is used to judge whether the original data is in JSON format;
    转换单元,用于当所述原始数据不为JSON格式时,将所述原始数据转换为JSON格式;及The conversion unit is configured to convert the original data into the JSON format when the original data is not in the JSON format; and
    划分单元,用于将转换后的所述JSON格式的原始数据中的每一个键值对作为一个子数据,以将所述原始数据划分为多个所述子数据The dividing unit is configured to use each key-value pair in the converted original data in the JSON format as a sub-data, so as to divide the original data into a plurality of the sub-data
  8. 如权利要求6所述的数据加密装置,所述第一生成模块包括:7. The data encryption device according to claim 6, wherein the first generating module comprises:
    生成单元,用于生成与所述原始数据对应的根密钥、初始参数及约定步进值;及A generating unit for generating the root key, initial parameters, and agreed step value corresponding to the original data; and
    第一运算单元,用于基于预设的子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,生成多个与所述多个子数据一一对应的子密钥。The first arithmetic unit is configured to perform iterative operations on the root key, the initial parameter, and the agreed step value based on a preset sub-key derivation mechanism, and generate a plurality of one-to-one with the plurality of sub-data The corresponding subkey.
  9. 如权利要求8所述的数据加密装置,所述生成单元包括:8. The data encryption device according to claim 8, wherein the generating unit comprises:
    获取子单元,用于获取用户输入的密码,以及生成随机数;The obtaining subunit is used to obtain the password entered by the user and generate a random number;
    运算子单元,用于在多个预设算法中随机选择第一预设算法,基于所述第一预设算法将所述密码与所述随机数进行运算,得到所述根密钥,其中,所述多个预设算法中的每个预设算法对应唯一的算法标识;The operation subunit is configured to randomly select a first preset algorithm from a plurality of preset algorithms, and perform operations on the password and the random number based on the first preset algorithm to obtain the root key, wherein: Each of the plurality of preset algorithms corresponds to a unique algorithm identifier;
    保存子单元,用于将所述随机数及所述第一预设算法对应的算法标识保存在对应的二级节点内。The saving subunit is configured to save the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
  10. 如权利要求6所述的数据加密装置,所述数据加密装置还包括:7. The data encryption device according to claim 6, the data encryption device further comprising:
    第三发送模块,用于当所述数据监管端具有全部所述子数据的监管权限时,将生成的所述根密钥、所述初始参数及所述约定步进值发送给所述数据监管端,使得所述数据监管端能够根据所述子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,得到每个子数据对应的子密钥,并将每个所述子密钥保存在其对应的二级节点内。The third sending module is configured to send the generated root key, the initial parameter, and the agreed step value to the data supervisor when the data supervisory terminal has supervisory authority for all the sub-data Terminal, enabling the data supervisory terminal to perform iterative operations on the root key, the initial parameters, and the agreed step value according to the subkey derivation mechanism to obtain the subkey corresponding to each subdata, And save each said subkey in its corresponding secondary node.
  11. 一种存储介质,所述存储介质包括存储的程序,其中,在所述程序运行时控制所述存储介质所在设备执行一种基于区块链的数据处理方法:A storage medium, the storage medium includes a stored program, wherein, when the program is running, the device where the storage medium is located is controlled to execute a blockchain-based data processing method:
    其中,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述方法应用于数据提供端,所述方法包括:Wherein, the blockchain includes a first-level node and a second-level node, and the data monitoring end and the data providing end are configured with corresponding first-level nodes and second-level nodes, and the second-level node corresponding to the data monitoring end is used for To establish a connection between the data supervisory terminal and its corresponding primary node, the secondary node corresponding to the data provider is used to establish a connection between the data provider and its corresponding primary node; The method is applied to the data provider, and the method includes:
    获取原始数据,将所述原始数据划分为多个子数据;Acquiring original data, and dividing the original data into multiple sub-data;
    生成多个与所述多个子数据一一对应的子密钥;Generating a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
    采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密,生成多个与所述多个子数据一一对应的密文;Respectively encrypting each sub-data of the plurality of sub-data by using the plurality of sub-keys to generate a plurality of ciphertexts corresponding to the plurality of sub-data one-to-one;
    通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;Sending the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
    判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;Determine whether the data supervisory terminal has supervisory authority for all the sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the plurality of sub-data;
    将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The first subkey corresponding to the first subdata among the plurality of subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can use all The first subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory end.
  12. 如权利要求11所述的存储介质,所述将所述原始数据划分为多个子数据,包括:11. The storage medium of claim 11, wherein the dividing the original data into a plurality of sub-data includes:
    判断所述原始数据是否为JSON格式;Determine whether the original data is in JSON format;
    若否,将所述原始数据转换为JSON格式;If not, convert the original data into JSON format;
    将转换后的所述JSON格式的原始数据中的每一个键值对作为一个子数据,以将所述原始数据划分为多个所述子数据。Each key-value pair in the converted original data in the JSON format is used as a sub-data to divide the original data into a plurality of sub-data.
  13. 如权利要求11所述的存储介质,所述生成多个与所述多个子数据 一一对应的子密钥,包括:11. The storage medium of claim 11, wherein the generating a plurality of subkeys corresponding to the plurality of subdata one-to-one includes:
    生成与所述原始数据对应的根密钥、初始参数及约定步进值;Generating a root key, initial parameters, and agreed step value corresponding to the original data;
    基于预设的子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,生成多个与所述多个子数据一一对应的子密钥。Based on a preset sub-key derivation mechanism, the root key, the initial parameter, and the agreed step value are iteratively operated to generate a plurality of sub-keys corresponding to the plurality of sub-data one-to-one.
  14. 如权利要求13所述的存储介质,所述生成与所述原始数据对应的根密钥,包括:The storage medium according to claim 13, wherein said generating a root key corresponding to said original data comprises:
    获取用户输入的密码,以及生成随机数;Obtain the password entered by the user and generate a random number;
    在多个预设算法中随机选择第一预设算法,基于所述第一预设算法将所述密码与所述随机数进行运算,得到所述根密钥,其中,所述多个预设算法中的每个预设算法对应唯一的算法标识;A first preset algorithm is randomly selected from a plurality of preset algorithms, and the password and the random number are calculated based on the first preset algorithm to obtain the root key, wherein the plurality of preset algorithms Each preset algorithm in the algorithm corresponds to a unique algorithm identifier;
    将所述随机数及所述第一预设算法对应的算法标识保存在对应的二级节点内。The random number and the algorithm identifier corresponding to the first preset algorithm are stored in the corresponding secondary node.
  15. 如权利要求11所述的存储介质,所述方法还包括:若所述数据监管端具有全部所述子数据的监管权限,则将生成的所述根密钥、所述初始参数及所述约定步进值发送给所述数据监管端,使得所述数据监管端能够根据所述子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,得到每个子数据对应的子密钥,并将每个所述子密钥保存在其对应的二级节点内。The storage medium according to claim 11, the method further comprising: if the data supervisory terminal has supervisory authority for all the sub-data, then the generated root key, the initial parameters, and the agreement The step value is sent to the data supervisory end, so that the data supervisory end can perform iterative operations on the root key, the initial parameters, and the agreed step value according to the sub-key derivation mechanism to obtain Each sub-data corresponds to a sub-key, and each sub-key is stored in its corresponding secondary node.
  16. 一种计算机设备,包括存储器和处理器,所述存储器用于存储包括程序指令的信息,所述处理器用于控制程序指令的执行,所述程序指令被处理器加载并执行时实现一种基于区块链的数据处理方法:A computer device includes a memory and a processor, the memory is used to store information including program instructions, the processor is used to control the execution of the program instructions, and the program instructions are loaded and executed by the processor to implement a zone-based Data processing method of block chain:
    其中,所述区块链包括一级节点和二级节点,数据监管端及数据提供端均配置有对应的一级节点及二级节点,其中,所述数据监管端所对应的二级节点用于建立所述数据监管端与其所对应的一级节点之间的连接,所述数据提供端所对应的二级节点用于建立所述数据提供端与其所对应的一级节点之间的连接;所述方法应用于数据提供端,所述方法包括:Wherein, the blockchain includes a first-level node and a second-level node, and the data monitoring end and the data providing end are configured with corresponding first-level nodes and second-level nodes, and the second-level node corresponding to the data monitoring end is used for To establish a connection between the data supervisory terminal and its corresponding primary node, the secondary node corresponding to the data provider is used to establish a connection between the data provider and its corresponding primary node; The method is applied to the data provider, and the method includes:
    获取原始数据,将所述原始数据划分为多个子数据;Acquiring original data, and dividing the original data into multiple sub-data;
    生成多个与所述多个子数据一一对应的子密钥;Generating a plurality of sub-keys corresponding to the plurality of sub-data in a one-to-one manner;
    采用所述多个子密钥分别对所述多个子数据中每个子数据进行加密,生成多个与所述多个子数据一一对应的密文;Respectively encrypting each sub-data of the plurality of sub-data by using the plurality of sub-keys to generate a plurality of ciphertexts corresponding to the plurality of sub-data one-to-one;
    通过对应的二级节点将所述多个密文发送至所述区块链的各个一级节点;Sending the multiple ciphertexts to each first-level node of the blockchain through the corresponding second-level node;
    判断所述数据监管端是否具有全部所述子数据的监管权限,若否,则在所述多个子数据中确定所述数据监管端具有监管权限的第一子数据;Determine whether the data supervisory terminal has supervisory authority for all the sub-data, and if not, determine the first sub-data for which the data supervisory end has supervisory authority among the plurality of sub-data;
    将所述多个子密钥中与所述第一子数据对应的第一子密钥发送给所述数据监管端对应的二级节点,以使得所述数据监管端对应的二级节点能够采用所述第一子密钥对所述第一子数据对应的密文进行解密,以获得明文并将所述明文返回给所述数据监管端。The first subkey corresponding to the first subdata among the plurality of subkeys is sent to the secondary node corresponding to the data supervisory end, so that the secondary node corresponding to the data supervisory end can use all The first subkey decrypts the ciphertext corresponding to the first subdata to obtain the plaintext and returns the plaintext to the data supervisory end.
  17. 如权利要求16所述的计算机设备,所述将所述原始数据划分为多个子数据,包括:The computer device according to claim 16, wherein the dividing the original data into a plurality of sub-data includes:
    判断所述原始数据是否为JSON格式;Determine whether the original data is in JSON format;
    若否,将所述原始数据转换为JSON格式;If not, convert the original data into JSON format;
    将转换后的所述JSON格式的原始数据中的每一个键值对作为一个子数据,以将所述原始数据划分为多个所述子数据。Each key-value pair in the converted original data in the JSON format is used as a sub-data to divide the original data into a plurality of sub-data.
  18. 如权利要求16所述的计算机设备,所述生成多个与所述多个子数据一一对应的子密钥,包括:The computer device according to claim 16, wherein said generating a plurality of subkeys corresponding to the plurality of subdata one-to-one comprises:
    生成与所述原始数据对应的根密钥、初始参数及约定步进值;Generating a root key, initial parameters, and agreed step value corresponding to the original data;
    基于预设的子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,生成多个与所述多个子数据一一对应的子密钥。Based on a preset sub-key derivation mechanism, the root key, the initial parameter, and the agreed step value are iteratively operated to generate a plurality of sub-keys corresponding to the plurality of sub-data one-to-one.
  19. 如权利要求18所述的计算机设备,所述生成与所述原始数据对应的根密钥,包括:The computer device according to claim 18, wherein said generating a root key corresponding to said original data comprises:
    获取用户输入的密码,以及生成随机数;Obtain the password entered by the user and generate a random number;
    在多个预设算法中随机选择第一预设算法,基于所述第一预设算法将所述密码与所述随机数进行运算,得到所述根密钥,其中,所述多个预设算法中的每个预设算法对应唯一的算法标识;A first preset algorithm is randomly selected from a plurality of preset algorithms, and the password and the random number are calculated based on the first preset algorithm to obtain the root key, wherein the plurality of preset algorithms Each preset algorithm in the algorithm corresponds to a unique algorithm identifier;
    将所述随机数及所述第一预设算法对应的算法标识保存在对应的二级节点内。The random number and the algorithm identifier corresponding to the first preset algorithm are stored in the corresponding secondary node.
  20. 如权利要求16所述的计算机设备,所述方法还包括:若所述数据监管端具有全部所述子数据的监管权限,则将生成的所述根密钥、所述初始参数及所述约定步进值发送给所述数据监管端,使得所述数据监管端能够根据所述子密钥派生机制,将所述根密钥、所述初始参数及所述约定步进值进行迭代运算,得到每个子数据对应的子密钥,并将每个所述子密钥保存在其对应的二级节点内。The computer device according to claim 16, the method further comprising: if the data supervisory terminal has supervisory authority of all the sub-data, then the generated root key, the initial parameters and the agreement The step value is sent to the data supervisory end, so that the data supervisory end can perform iterative operations on the root key, the initial parameters, and the agreed step value according to the sub-key derivation mechanism to obtain Each sub-data corresponds to a sub-key, and each sub-key is stored in its corresponding secondary node.
PCT/CN2020/087739 2019-11-21 2020-04-29 Blockchain-based data processing method, device, and computer apparatus WO2021098152A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911149572.5 2019-11-21
CN201911149572.5A CN111212026A (en) 2019-11-21 2019-11-21 Data processing method and device based on block chain and computer equipment

Publications (1)

Publication Number Publication Date
WO2021098152A1 true WO2021098152A1 (en) 2021-05-27

Family

ID=70788016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087739 WO2021098152A1 (en) 2019-11-21 2020-04-29 Blockchain-based data processing method, device, and computer apparatus

Country Status (2)

Country Link
CN (1) CN111212026A (en)
WO (1) WO2021098152A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111212026A (en) * 2019-11-21 2020-05-29 深圳壹账通智能科技有限公司 Data processing method and device based on block chain and computer equipment
CN112133386A (en) * 2020-09-29 2020-12-25 深圳壹账通智能科技有限公司 Block chain-based information processing method, device, equipment and medium
CN113660270B (en) * 2021-08-17 2024-02-06 区块动力(广州)科技有限公司 Blockchain transaction processing and authority management method thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10114969B1 (en) * 2015-08-04 2018-10-30 Jordan White Chaney Ultra-secure blockchain-based electronic information transfer system
CN109639753A (en) * 2018-10-26 2019-04-16 众安信息技术服务有限公司 A kind of data sharing method and system based on block chain
CN109977697A (en) * 2019-04-03 2019-07-05 陕西医链区块链集团有限公司 A kind of data grant method of block chain
CN110083372A (en) * 2019-03-07 2019-08-02 上海七印信息科技有限公司 A kind of block chain data version upgrading method
CN111212026A (en) * 2019-11-21 2020-05-29 深圳壹账通智能科技有限公司 Data processing method and device based on block chain and computer equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60024941T8 (en) * 1999-08-31 2006-08-10 Matsushita Electric Industrial Co., Ltd., Kadoma Encryption method and apparatus, decryption method and apparatus
KR20200108024A (en) * 2018-03-14 2020-09-16 지에치엔 정 Blockchain data processing method, management group, user group, conversion device and medium
CN110061840B (en) * 2019-03-12 2022-10-28 平安科技(深圳)有限公司 Data encryption method and device, computer equipment and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10114969B1 (en) * 2015-08-04 2018-10-30 Jordan White Chaney Ultra-secure blockchain-based electronic information transfer system
CN109639753A (en) * 2018-10-26 2019-04-16 众安信息技术服务有限公司 A kind of data sharing method and system based on block chain
CN110083372A (en) * 2019-03-07 2019-08-02 上海七印信息科技有限公司 A kind of block chain data version upgrading method
CN109977697A (en) * 2019-04-03 2019-07-05 陕西医链区块链集团有限公司 A kind of data grant method of block chain
CN111212026A (en) * 2019-11-21 2020-05-29 深圳壹账通智能科技有限公司 Data processing method and device based on block chain and computer equipment

Also Published As

Publication number Publication date
CN111212026A (en) 2020-05-29

Similar Documents

Publication Publication Date Title
CN108292402B (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
US20200084027A1 (en) Systems and methods for encryption of data on a blockchain
Sanka et al. Secure data access in cloud computing
Hota et al. Capability-based cryptographic data access control in cloud computing
JP2020528224A (en) Secure execution of smart contract operations in a reliable execution environment
KR101977109B1 (en) Large simultaneous digital signature service system based on hash function and method thereof
USRE49673E1 (en) Systems and methods for secure data exchange
WO2018045568A1 (en) Access control method oriented to cloud storage service platform and system thereof
JP2019535153A (en) Method and system for quantum key distribution based on trusted computing
JP2019531630A (en) Method and system for data security based on quantum communication and trusted computing
WO2021098152A1 (en) Blockchain-based data processing method, device, and computer apparatus
US20210357914A1 (en) Constructing a Distributed Ledger Transaction on a Cold Hardware Wallet
JP6363032B2 (en) Key change direction control system and key change direction control method
CN113037484B (en) Data transmission method, device, terminal, server and storage medium
CN108696518B (en) Block chain user communication encryption method and device, terminal equipment and storage medium
US11367065B1 (en) Distributed ledger system for electronic transactions
KR101615137B1 (en) Data access method based on attributed
CN115495768A (en) Secret-related information processing method and system based on block chain and multi-party security calculation
CN112100144A (en) Block chain file sharing method and device, storage medium and electronic equipment
US20210194694A1 (en) Data processing system
CN114268447B (en) File transmission method and device, electronic equipment and computer readable medium
Nicholas et al. Enhancing trust in cloud computing using MD5 hashing algorithm and RSA encryption standard
Salem et al. An efficient privacy preserving public auditing mechanism for secure cloud storage
Yasmin et al. Decentralized Entrance Power with Secret Endorsement of Data Stored in Clouds
KR102526114B1 (en) Apparatus and method for encryption and decryption

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20891121

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20891121

Country of ref document: EP

Kind code of ref document: A1