WO2021170049A1 - Method and apparatus for recording access behavior - Google Patents

Method and apparatus for recording access behavior Download PDF

Info

Publication number
WO2021170049A1
WO2021170049A1 PCT/CN2021/077955 CN2021077955W WO2021170049A1 WO 2021170049 A1 WO2021170049 A1 WO 2021170049A1 CN 2021077955 W CN2021077955 W CN 2021077955W WO 2021170049 A1 WO2021170049 A1 WO 2021170049A1
Authority
WO
WIPO (PCT)
Prior art keywords
blockchain
user data
key
behavior
access device
Prior art date
Application number
PCT/CN2021/077955
Other languages
French (fr)
Chinese (zh)
Inventor
洪佳楠
张艳平
胡伟华
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2021170049A1 publication Critical patent/WO2021170049A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • This application relates to the field of communication technology, and in particular to a method and device for recording access behavior.
  • the blockchain system can be used for historical access to user data.
  • This application provides a method and device for recording access behavior to provide a method for recording access behavior in a decentralized blockchain network.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the data recording network element uses a first key to encrypt user data; the data recording network element stores the first key in a database through a blockchain; the data recording network element receives the blockchain feedback The address of the first behavior in the smart contract of, the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain; the data recording network The meta stores the encrypted user data and the address of the first behavior in a cloud platform.
  • the relevant information used to obtain the user data is stored in the cloud platform, database and other equipment, which effectively reduces the attack of a certain device in the system.
  • the risk of user data leakage that cannot be traced back provides a safer method for recording access behavior based on a blockchain network.
  • the data recording network element encrypts the first key using a second key to obtain the first encrypted information, and passes the first encrypted information through the blockchain Stored in the database.
  • the second key is preconfigured by the database on the data recording network element; or the second key is the data recording network element from the database. Received.
  • the first behavior includes a storage address of the first key in the database.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the blockchain receives the first key from the data recording network element and stores the first key in the database; the blockchain records the first behavior and the address of the first behavior through the smart contract, so The first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain; the blockchain feeds back the address of the first behavior to all The data recording network element.
  • the relevant information used to obtain the user data is stored in the cloud platform, database and other equipment, thereby effectively reducing the attack caused by a certain device in the system. , which causes the risk of user data leakage and cannot be traced back. It provides a safer method for recording access behavior based on a blockchain network.
  • the blockchain receives first encrypted information from the data recording network element, and the first encrypted information is obtained by encrypting the first key with a second key ⁇ ;
  • the blockchain stores the first encrypted information in the database.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the database receives the first key from the data recording network element through the blockchain; the database stores the first key and records the storage address; the database sends the storage address to the blockchain , So that the blockchain records the first behavior according to the storage address; wherein, the first behavior is used to record that the data recording network element stores the first key in the blockchain through the blockchain State the behavior of the database.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, thereby effectively reducing the attack caused by a certain device in the system.
  • the risk of user data leakage and cannot be traced back provides a safer method for recording access behavior based on a blockchain network.
  • the database receives the first encrypted information from the data recording network element through the blockchain; wherein, the first encrypted information is used to pair the first encrypted information with a second key. Obtained after a key encryption.
  • the second key is preset by the data recording network element and the database; or the second key is generated by the database.
  • the database receives the first encrypted information from the data recording network element through the blockchain, the first key is stored, and before the storage address is recorded, the database is based on the first encrypted information.
  • the two keys decrypt the first encrypted information to obtain the first key.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the access device obtains the encrypted user data from the cloud platform and the address of the first behavior in the smart contract in the blockchain.
  • the first behavior is used to record the data recording network element transfers the first key through the blockchain.
  • the behavior stored in the database the access device applies to the blockchain for obtaining user data, and the request for obtaining user data carries the address of the first behavior; the access device is pairing with the blockchain through the blockchain After the identity of the access device is verified, the first key from the blockchain is received; the access device uses the first key to decrypt the encrypted user data.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the user data acquisition application includes a third key, and the third key is used by the database to encrypt the first key to obtain the second encrypted information.
  • the access device receives the second encrypted information from the blockchain.
  • the second encrypted information is obtained after encrypting the first key with a third key.
  • the access device decrypts the second encrypted information to obtain the first key.
  • the access device receives the first key from the blockchain after being verified by no less than a threshold number of nodes in the blockchain.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the blockchain receives an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first behavior in the smart contract, and the first behavior is used to record the data recording network element through the blockchain.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the blockchain After the blockchain determines that the access device is successfully verified, it sends the result of the successful verification and the first behavior to the database; the blockchain receives the information of the database The first key.
  • the user data acquisition application includes a third key, and the third key is used by the database to encrypt the first key to obtain the second encrypted information.
  • the blockchain After the blockchain determines that the access device is successfully verified, it sends the result of the successful verification, the first behavior, and the third key to the database.
  • the block chain obtains second encrypted information from the database according to the first behavior, and the second encrypted information is the data obtained by the database through the third key pair.
  • the first key is encrypted; the blockchain sends the second encrypted information to the access device.
  • the blockchain determines that the verification of the access device is successful.
  • the blockchain before the blockchain sends the first key to the access device, the blockchain records the second behavior in the smart contract; wherein, the The second behavior is used to record the behavior of the access device to obtain user data from the blockchain; the second behavior includes the result of the blockchain verifying the access device.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the database receives the result of successful verification of the access device from the blockchain and the first behavior in the smart contract; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain After the database determines that the result of the successful verification is valid, it determines the first key according to the first behavior, and sends the first key to the access device via the blockchain, and the first The key is used to decrypt the encrypted user data.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the method further includes: the database further receives a third key from the blockchain, and the third key is obtained by the blockchain from the access device. Obtained in a user data application; the third key is used by the database to encrypt the first key to obtain the second encrypted information.
  • the database determines the first key according to the first behavior; the database encrypts the first key according to the third key to obtain the second encryption Information; the database sends the second encrypted information to the access device via the blockchain.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the access device obtains the encrypted user data from the cloud platform and the address of the first behavior in the smart contract in the blockchain.
  • the first behavior is used to record the data recording network element transfers the first key through the blockchain.
  • the behavior of storing in the database the access device applies to the blockchain for obtaining user data, and the request for obtaining user data carries the address of the first act and the encrypted user data block, and the user data block is all All or part of the user data; the access device receives the user data block from the blockchain after verifying the identity of the access device through the blockchain.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
  • the user data block received by the access device is that after the database determines the first key according to the first behavior from the blockchain,
  • the encrypted user data block of the block chain is obtained after decryption;
  • the first behavior includes the storage address of the first key in the database.
  • the access device receives the watermarked user data block from the blockchain.
  • the user data acquisition application includes a fourth key, and the fourth key is used by the database to encrypt the user data block to obtain the third encrypted information.
  • the access device receives the third encrypted information from the blockchain.
  • the access device receives the user data block from the blockchain after being verified by no less than a threshold number of nodes in the blockchain.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the blockchain receives an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first action in the smart contract and the encrypted user data block, and the first action is used to record the data that the network element passes through
  • the behavior of the blockchain storing the first key in the database; the user data block is all or part of the user data; after the blockchain determines that the access device is successfully verified, the first The behavior and the encrypted user data block are sent to the database; the blockchain receives the user data block from the database, and sends the user data block to the access device.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
  • the user data block is sent by the database after determining that the result of the successful verification of the access device sent from the blockchain is valid.
  • the blockchain receives the watermarked user data block from the database, and sends the watermarked user data block to the access device.
  • the method further includes: the user data acquisition application includes a fourth key, and the fourth key is used by the database to encrypt the user data block to obtain the Third encrypted information; after the blockchain determines that the access device is successfully verified, it sends the first behavior, the encrypted user data block, and the fourth key to the database.
  • the blockchain receives the third encrypted information from the database, and sends the third encrypted information to the access device.
  • the user data block from the database received by the block link is determined by the database according to the first behavior from the block chain Then, the encrypted user data block from the blockchain is obtained after decrypting; wherein, the first behavior includes the storage address of the first key in the database.
  • the blockchain determines that the verification of the access device is successful.
  • the blockchain before the blockchain sends the first key to the access device, the blockchain records the second behavior in the smart contract; wherein, the The second behavior is used to record the behavior of the access device to obtain user data from the blockchain; the second behavior includes the result of the blockchain verifying the access device.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the database receives the result of successful verification of the access device from the blockchain, the first action in the smart contract, and the encrypted user data block.
  • the act of storing the key in a database, the user data block is all or part of the user data; after the database determines that the result of the successful verification is valid, the user data block is determined according to the first act, And send the user data block to the access device through the blockchain.
  • the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored.
  • Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back.
  • a high-security method for recording access behavior based on a blockchain network is proposed.
  • the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
  • the database determines the first key according to the first behavior; the database decrypts the encrypted user data block according to the first key, and decrypts it to obtain The user data block of is sent to the access device through the blockchain.
  • the database determines the user data block according to the first behavior
  • the data block adds a watermark to the user data block, and sends the user data block with the watermark added to the access device through the blockchain.
  • the method further includes: the database further receives a fourth key from the blockchain, where the fourth key is obtained by the blockchain from the access device. Obtained in a user data application; the fourth key is used by the database to encrypt the user data block to obtain the third encrypted information.
  • the database determines the user data block according to the first behavior; the database encrypts the user data block according to the fourth key to obtain the third encryption Information; the database sends the third encrypted information to the access device through the blockchain.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the access device installs the client, and sends a first application to the authorization server through the blockchain, the first application is used to grant the client the right to open the user data obtained by the access device; the access device passes through the area
  • the block chain receives a first random number from the authorization server, the first random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right to open the user data.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the first application includes the identification ID of the client; the first random number received by the access device corresponds to the identification ID of the client in a one-to-one correspondence.
  • the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
  • the access device receives fourth encrypted information from the authorization server through a blockchain, and the fourth encrypted information is that the authorization server pairs the The first random number is obtained after encryption.
  • the method further includes: the access device decrypts the fourth encrypted information according to the fifth key to obtain the first random number.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the block chain receives the first application sent by the access device, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client; the block chain transfers the The first application is sent to the authorization server; the blockchain receives the first random number from the authorization server, and sends the first random number to the access device, where the first random number is used to generate A second serial number, where the second serial number is used to verify whether the client has the right to open the user data.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the first application includes the identification ID of the client; the first random number received by the access device corresponds to the identification ID of the client in a one-to-one correspondence.
  • the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
  • the blockchain receives the fourth encrypted information from the authorization server, and sends the fourth encrypted information to the access device, and the fourth encrypted information is the Obtained after the authorization server encrypts the first random number according to the fifth key.
  • the method further includes: the blockchain recording a third behavior in the smart contract; wherein, the third behavior is used to record the access device to the database Send the first application.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the authorization server receives the first application sent by the access device through the blockchain, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client; the authorization server generates First random number, and send the first random number to the access device, wherein the first random number is used to generate a second serial number, and the second serial number is used to verify that it is the client Do you have the right to open the user data.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the first application includes the identification ID of the client; the authorization server generates the first random number according to the identification ID of the client, and the generated first random number is the same as There is a one-to-one correspondence between the identification IDs of the clients.
  • the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
  • the authorization server encrypts the first random number according to the fifth key to obtain the fourth encrypted information, and sends the fourth encrypted information to the Access the device.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the data recording network element stores the user data on the cloud platform; after the data recording network element determines that the user data is successfully stored on the cloud platform, it sends the storage status of the user data to the blockchain.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the blockchain receives the storage status of the user data sent by the data recording network element, and the storage status is used to instruct the data recording network element to store the user data on the cloud platform; the blockchain is determining the cloud platform After the user data is successfully stored in the user data, a user data ID is assigned to the user data; the blockchain sends the user data ID to the cloud platform.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the cloud platform receives user data from the data recording network element, and stores the user data locally;
  • the cloud platform receives the user data ID allocated by the blockchain for the user data, and associates the user data with the user data ID.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the access device obtains user data and user data ID from the cloud platform; the access device sends a second application to the blockchain, and the second application is used to request to read the user data through the client; the access device receives data from the district The first serial number sent by the block chain; the access device inputs the first serial number into the client; the access device determines that the client has the right to open the user data according to the first serial number Then, read the user data opened by the client.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the second application includes the identification ID of the client and the user data ID.
  • the identification ID and the user data ID of the client are used to verify that the client has the Permission to describe user data.
  • the user data ID is also used to verify the authenticity of the user data.
  • the access device receives the first serial number from the authorization server through the blockchain after being verified by the number of nodes in the blockchain that is not less than a threshold.
  • the first serial number is one or more of the authorization server according to the time when the second application is received, the user data ID, or the identification ID of the client Generated.
  • the access device installs the client, and sends a first application to the authorization server through the blockchain, and the first application is used to authorize the client to open the The authority of the user data; the access device receives a first random number from the authorization server through the blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify the Whether the client has the right to open the user data.
  • the access device provides the first random number to the client to generate a first random number generator; the client sends the time of the second application, the One or more of the user data ID or the identification ID of the client is used as an input parameter of the first random number generator to generate a second serial number.
  • the access device reads the user data opened by the client.
  • the method further includes: the access device receives the first serial number and the second random number from the blockchain; the access device sends the first serial number and the second random number Two random numbers are input to the client; after the client has the right to open the user data according to the first serial number and the second random number, the access device reads all the files opened by the client Describe user data.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the block chain receives the second application sent by the access device, the second application is used to request to read the user data through the client; the block chain sends the second application to the authorization server; the block link Receiving the first serial number sent by the authorization server, and sending the first serial number to the access device.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the second application includes the identification ID of the client and the user data ID.
  • the identification ID and the user data ID of the client are used to verify that the client has the According to the authority of the user data, the user data ID is also used to verify the authenticity of the user data.
  • the method before the blockchain sends the second application to the authorization server, the method further includes:
  • the blockchain determines that the identification ID of the client is valid; and/or the blockchain determines that the user data ID is valid.
  • no less than a threshold number of nodes in the blockchain determines that the identification ID of the client is valid; and/or no less than a threshold number of nodes in the blockchain determines the user data ID is valid.
  • the blockchain finds that there is a third behavior in the smart contract according to the identification ID of the client in the second application, and the third behavior is used to record the access device A first application is sent to the database, where the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client terminal.
  • the blockchain finds that there is user data corresponding to the user data ID in the cloud platform according to the user data ID in the second application.
  • the blockchain receives the first serial number and the second random number sent by the authorization server, and sends the first serial number and the second random number to the access device .
  • the method further includes: the blockchain recording a fourth behavior in the smart contract; wherein the fourth behavior is used to record the authorization of the access device to the The server sends the second application.
  • an embodiment of the present application provides a method for recording access behavior, including:
  • the authorization server receives a second application from the access device through the blockchain, the second application is used to request the client to read the user data; the authorization server generates the first serial number according to the second application; The authorization server sends the first serial number to the access device through the blockchain.
  • this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
  • the second application includes the identification ID of the client and the user data ID.
  • the identification ID and the user data ID of the client are used to verify that the client has the According to the authority of the user data, the user data ID is also used to verify the authenticity of the user data.
  • the authorization server determines the first random number generator corresponding to the client according to the client identification ID in the second application; The application time and the user data ID are used as input parameters of the first random number generator to generate the first serial number; wherein, the first random number generator is generated by the authorization server according to the first random number of.
  • the method further includes: the authorization server generates a second random number, and sends the first serial number and the second random number to the access device through the blockchain.
  • the authorization server determines the first random number corresponding to the client according to the client identification ID in the second application; the authorization server determines the first random number corresponding to the client according to the first random number and the The second random number generates the second random number generator; the authorization server uses the application time of the second application and the user data ID as input parameters of the second random number generator to generate the The first serial number.
  • an embodiment of the present application provides an access behavior recording device, which has the function of realizing the data recording network element in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the data recording network element, or a component that can be used for the data recording network element, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the above-mentioned data recording network element, and the transceiver is used to support the communication between the device and the blockchain, the database, and the like.
  • the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • an embodiment of the present application provides an access behavior recording device, which has the function of realizing the blockchain in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the blockchain, or a component that can be used in the blockchain, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the above-mentioned blockchain, and the transceiver is used to support the communication between the device and the data recording network element, the access device, the database, the authorization server, and the like.
  • the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • an embodiment of the present application provides an access behavior recording device, which has the function of realizing the database in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the database, or a component that can be used in the database, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the above-mentioned database, and the transceiver is used to support the communication between the device and the data recording network element, the access device, the blockchain, the authorization server, and the like.
  • the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • an embodiment of the present application provides an access behavior recording device, which has the function of implementing the access device in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the access device, or a component that can be used for the access device, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the access device described above, and the transceiver is used to support the communication between the device and the data recording network element, database, blockchain, authorization server, etc.
  • the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • an embodiment of the present application provides an access behavior recording device, which has the function of implementing the authorization server in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the authorization server, or a component that can be used in the authorization server, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the above-mentioned authorization server, and the transceiver is used to support the communication between the device and the data recording network element, database, blockchain, access device, etc.
  • the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • an embodiment of the present application provides an access behavior recording device, which has the function of realizing the cloud platform in the foregoing embodiment.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
  • the device may be the cloud platform, or a component that can be used in the cloud platform, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor.
  • the processor may be configured to support the device to perform the corresponding functions of the cloud platform described above, and the transceiver is used to support the communication between the device and the data recording network element, blockchain, access equipment, and the like.
  • the device may further include a memory, which may be coupled with the processor, and which stores program instructions and data necessary for the device.
  • the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
  • the embodiments of the present application also provide a data recording network element, which can be used to perform operations in any possible implementation manner of the first aspect or the thirteenth aspect.
  • the data recording network element may include modules or units for performing each operation in any possible implementation manner of the first aspect or the thirteenth aspect.
  • it includes a processing unit and a communication unit.
  • the embodiments of the present application also provide a block chain, which can be used to execute the above-mentioned second, fifth, eighth, eleventh, fourteenth and Operations in any possible implementation of the seventeenth aspect.
  • the blockchain may include various operations for performing any possible implementation of the second, fifth, eighth, eleventh, fourteenth, and seventeenth aspects described above.
  • Module or unit For example, it includes a processing unit and a communication unit.
  • the embodiments of the present application also provide a database, which can be used to perform operations in any possible implementation manner of the third aspect, the sixth aspect, and the ninth aspect.
  • the database may include modules or units for performing each operation in any possible implementation manner of the third aspect, the sixth aspect, and the ninth aspect.
  • it includes a processing unit and a communication unit.
  • the embodiments of the present application also provide an access device, which can be used to execute any of the foregoing fourth, seventh, tenth, and sixteenth aspects. operate.
  • the access device may include modules or units for performing each operation in any possible implementation manner of the foregoing fourth aspect, seventh aspect, tenth aspect, and sixteenth aspect.
  • it includes a processing unit and a communication unit.
  • an embodiment of the present application also provides an authorization server, which can be used to perform the operations in the twelfth aspect and any possible implementation manner of the eighteenth aspect.
  • the authorization server may include modules or units for performing each operation in any possible implementation manner of the above-mentioned twelfth aspect and the eighteenth aspect.
  • it includes a processing unit and a communication unit.
  • the embodiments of the present application also provide a cloud platform, which can be used to perform operations in any possible implementation manner of the fifteenth aspect described above.
  • the cloud platform may include modules or units for performing various operations in any possible implementation manner of the fifteenth aspect described above.
  • it includes a processing unit and a communication unit.
  • an embodiment of the present application provides a system for recording access behaviors.
  • the system for recording access behaviors includes a data recording network element, a blockchain, and a database.
  • the data recording network element can be used to execute any method in the first aspect or the first aspect;
  • the blockchain can be used to execute any method in the second aspect or the second aspect above ;
  • the database can be used to execute any one of the above-mentioned third aspect or the third aspect;
  • an embodiment of the present application provides a system for recording access behavior.
  • the system for recording access behavior includes an access device, a blockchain, and a database.
  • the access device can be used to execute any one of the methods in the fourth aspect or the fourth aspect;
  • the blockchain can be used to execute any one of the methods in the fifth aspect or the fifth aspect;
  • the database can be used to execute any one of the above-mentioned sixth aspect or the sixth aspect;
  • an embodiment of the present application provides a system for recording access behavior.
  • the system for recording access behavior includes an access device, a blockchain, and a database.
  • the access device can be used to execute any one of the methods in the seventh aspect or the seventh aspect;
  • the blockchain can be used to execute any one of the methods in the eighth aspect or the eighth aspect;
  • the database can be used to execute any one of the above-mentioned ninth aspect or the ninth aspect;
  • an embodiment of the present application provides a system for recording access behavior.
  • the system for recording access behavior includes an access device, a blockchain, and an authorization server.
  • the access device may be used to execute any method in the tenth aspect or the tenth aspect;
  • the blockchain may be used to execute any method in the eleventh aspect or the eleventh aspect ;
  • the authorization server can be used to execute any one of the above-mentioned twelfth aspect or the twelfth aspect;
  • an embodiment of the present application provides a system for recording access behavior.
  • the system for recording access behavior includes an access device, a blockchain, and an authorization server.
  • the access device can be used to execute any one of the aforementioned sixteenth aspect or the sixteenth aspect;
  • the blockchain can be used to execute any one of the aforementioned seventeenth aspect or the seventeenth aspect A method;
  • the authorization server can be used to execute any one of the eighteenth aspect or the eighteenth aspect;
  • an embodiment of the present application provides a system for recording access behavior, and the system for recording access behavior includes a data recording network element, a blockchain, and a cloud platform.
  • the data recording network element can be used to execute any one of the aforementioned thirteenth aspect or the thirteenth aspect
  • the blockchain can be used to execute the aforementioned fourteenth aspect or the fourteenth aspect Any method
  • the cloud platform can be used to execute any one of the fifteenth aspect or the fifteenth aspect described above.
  • the present application provides a chip system including a processor.
  • it may further include a memory, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the communication device installed with the chip system executes any one of the first aspect to the eighteenth aspect; Or execute any one of the methods from the first aspect to the eighteenth aspect described above.
  • an embodiment of the present application provides a computer storage medium.
  • the computer storage medium stores instructions that, when run on a communication device, cause the communication device to execute any of the first to eighteenth aspects above.
  • an embodiment of the present application provides a computer program product containing instructions that, when run on a communication device, causes the communication device to execute any one of the first aspect to the eighteenth aspect; or execute the foregoing Any one of the methods from the first aspect to the eighteenth aspect.
  • Figure 1 is a diagram of the first communication system architecture provided by this application.
  • FIG. 2 is a schematic flow chart of a method for recording access behaviors based on the data storage recording stage provided by this application;
  • FIG. 3 is a diagram of the second communication system architecture provided by this application.
  • FIG. 4 is a schematic flowchart of the first method for recording access behaviors based on the data access recording stage provided by this application;
  • FIG. 5 is a schematic flowchart of the second method for recording access behaviors based on the data access recording stage provided by this application;
  • FIG. 6 is a diagram of the third communication system architecture provided by this application.
  • FIG. 7 is a schematic flowchart of a client deployment method provided by this application.
  • FIG. 8 is a diagram of the fourth communication system architecture provided by this application.
  • FIG. 9 is a schematic flow chart of a method for recording access behaviors based on the data storage recording stage provided by this application.
  • FIG. 10 is a diagram of the fifth communication system architecture provided by this application.
  • FIG. 11 is a schematic flow chart of the first method for recording access behavior based on data access recording stage provided by this application;
  • FIG. 12 is a schematic flowchart of the second method for recording access behaviors based on the data access recording stage provided by this application;
  • FIG. 13 is a schematic diagram of the first data recording unit provided by this application.
  • FIG. 14 is a schematic diagram of the second type of data recording unit provided by this application.
  • Figure 15 is a schematic diagram of the first blockchain provided by this application.
  • Figure 16 is a schematic diagram of the second type of blockchain provided by this application.
  • Figure 17 is a schematic diagram of the first database provided by this application.
  • Figure 18 is a schematic diagram of the second type of database provided by this application.
  • Figure 19 is a schematic diagram of the first access device provided by this application.
  • Figure 20 is a schematic diagram of the second type of access device provided by this application.
  • Figure 21 is a schematic diagram of the first authorization server provided by this application.
  • Figure 22 is a schematic diagram of the second authorization server provided by this application.
  • the blockchain system can be used for historical access to user data.
  • an existing method for tracing access behavior based on blockchain is:
  • the database, blockchain system, and query system are regarded as a closed system for tracing access behavior.
  • user data is stored in the database, and only the blockchain system has an interface to call the database.
  • the blockchain system is responsible for authenticating the identity of the visitor, identifying the visitor's ability to access the accessed data, and recording the visit log.
  • the query system serves as the only external interface of the entire access behavior tracing system, which is used to filter and translate the query request of the visiting user, and redirect the request to the blockchain system, so that the blockchain can review the user's identity through a smart contract And access authority, after confirming that the user can access the requested data, obtain the data from the database system and record every data access operation.
  • this closed system for tracing access behavior does not have any blockchain features, and therefore does not have many security features of the blockchain.
  • Another existing method for tracing access behavior based on blockchain is:
  • the data is encrypted and stored in a public storage platform (usually in cloud storage), and the key is protected in the form of a blockchain smart contract.
  • the smart contract also includes a data access control model, such as which visitors can access, and the recording mode of access behavior. Such information recorded in the smart contract is called metadata.
  • a visitor applies for access to certain data, he first makes a request to the blockchain network.
  • the blockchain network calls the smart contract to identify the user's identity and access capabilities, distributes keys to the visitor, and records the visit through the state change of the contract account The visitor’s behavior.
  • the attacker needs to control the only server to achieve the purpose of the attack, while in the decentralized mode, the attacker only needs to control any node that records the ledger. Therefore, in this method, if the visitor only controls any blockchain verification node, let him execute the smart contract in a separate offline manner, call out the metadata to complete the purpose of accessing the data, and then the program will be rolled back to erase the record. There are huge security risks.
  • the embodiments of the present application provide at least one method for recording access behaviors.
  • the technical solutions of the embodiments of this application can be applied to various communication systems, such as long term evolution (LTE) systems, worldwide interoperability for microwave access (WiMAX) communication systems, and the fifth generation of the future (5th Generation, 5G) systems, such as new radio access technology (NR), and future communication systems, such as 6G systems.
  • LTE long term evolution
  • WiMAX worldwide interoperability for microwave access
  • 5G fifth generation
  • NR new radio access technology
  • 6G systems future communication systems
  • the embodiment of this application mainly uses the method of blockchain management access capability to ensure that visitors only interact with the blockchain ledger maintenance node After that, it has the ability to access data, where the ability to access data has nothing to do with access rights.
  • any device in the access behavior recording system described in the embodiment of the present application only stores part of information related to user data, and it is necessary to combine all devices in the system to obtain user data. Therefore, the system A certain device is attacked, which causes the risk of user data leakage and cannot be traced back. It provides a safer method for recording access behavior based on a blockchain network.
  • a smart contract is essentially a program that runs in the blockchain and is executed by events. It has the characteristics of determinism, real-time, autonomy, observability, verifiability, and decentralization, and has extensive research and applications in digital finance, big data, and the Internet of Things.
  • the smart contract based on the blockchain includes data reception, processing and status recording.
  • the contract account receives one or several input information that meets the trigger condition of the state transition, the contract action is selected according to the preset information to be automatically executed, and the current state is recorded. Therefore, as a kind of computer technology, smart contract can ensure the mandatory performance of the contract without introducing a trusted third party, and ensure the credibility and security of the contract procedure.
  • the smart contract in the embodiment of the application includes the behavior of the data recording network element to store user data on the cloud platform, the behavior of the access device to obtain the user data application, and the data recording network element to transfer all data through the blockchain.
  • Blockchain is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm, etc. It is essentially a decentralized database. Among them, the blockchain technology does not rely on additional third-party management agencies or hardware facilities, and there is no central control. In addition to the self-contained blockchain itself, through distributed accounting and storage, each node realizes information self-verification, transmission and management . Among them, decentralization is the most prominent and essential feature of blockchain.
  • Consensus mechanism refers to how to reach a consensus between nodes in the blockchain to determine the validity of a record. This is not only a means of identification, but also a means of preventing tampering.
  • the consensus mechanism has the characteristics of "minority obeys the majority” and “everyone is equal”, where “minority obeys the majority” does not completely refer to the number of nodes, but can also be computing power, number of shares, or other computer-comparable features . "Everyone is equal” means that when nodes meet the conditions, all nodes have the right to give priority to the consensus result, which may be the final consensus result after being directly recognized by other nodes.
  • Consensus result refers to the result of the implementation of the consensus mechanism by nodes in the blockchain that have reached a threshold number.
  • the term "at least one" in the embodiments of the present application refers to one or more, and “multiple” refers to two or more than two.
  • “And/or” describes the association relationship of the associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone, where A , B can be singular or plural.
  • the character “/” generally indicates that the associated objects before and after are in an “or” relationship.
  • the following at least one item (item) or its similar expressions refer to any combination of these items, including any combination of single item (item) or plural items (item).
  • at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple .
  • the main process of the embodiment of the present application includes two stages: a data storage recording phase and a data access recording phase.
  • a data storage recording phase For different stages, the embodiments of the present application will be introduced by examples in conjunction with the accompanying drawings.
  • Phase one data storage and recording phase.
  • the recording system of the access behavior shown in FIG. 1 is taken as an example to describe in detail the recording system applicable to the embodiment of the present application in the data storage and recording stage.
  • the recording system includes a data recording network element 100, a blockchain 101, a database 102 and a cloud platform 103.
  • the data recording network element 100 the data storage party, is used to securely record the user data on a platform jointly trusted by the operator alliance (for example, the cloud platform 103) after obtaining the user's contextual user data, and to check the user data through the blockchain 101
  • the user data is managed.
  • Blockchain 101 is a security implementation of distributed ledger.
  • Blocks are used as data structures to store behavioral information.
  • Each block contains a block body and a block header.
  • the block body stores the behavior content, for example, the block body stores the behavior of the data recording network element 100 storing the first key in the database through the blockchain 101.
  • the content of the behavior may be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application;
  • the block header stores the timestamp and the hash summary result of the behavior, And the necessary information to make it and the previous block form a chain structure.
  • the database 102 has storage and processing functions.
  • the database 102 is used to store relevant data information in the recording system, and to update the stored data information according to the received information.
  • the database 102 may also return corresponding information according to the received information.
  • the database in the embodiment of the present application is used to store the key used to encrypt user data in the embodiment of the present application, for example, the first key.
  • the cloud platform 103 has storage and processing functions.
  • the cloud platform 103 is used to store relevant data information in the recording system, and update the stored data information according to the received information.
  • the cloud platform 103 may also return corresponding information according to the received information.
  • the cloud platform 103 in the embodiment of the present application is used to store the encrypted user data sent by the data recording network element 100 in the embodiment of the present application.
  • FIG. 1 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other data recording network elements, which are not shown in FIG. 1.
  • an embodiment of the present application provides a method for recording access behaviors based on the data storage recording stage, which specifically includes the following steps:
  • Step 200 The data recording network element determines a first key, and encrypts the collected user data according to the first key.
  • the data recording network uses the symbol M to identify the collected user data. Then, the data recording network element determines a first key, and encrypts the M according to the first key to obtain the ciphertext form C of the user data.
  • Step 201 The data recording network element sends the first key to the blockchain.
  • the data recording network element may encrypt the first key that needs to be transmitted. Therefore, it is possible to effectively prevent a situation in which other devices obtain the first key and obtain the user data according to the first key during the process of the recording system transmitting the first key in plain text.
  • the data recording network element determines a second key, and encrypts the first key according to the second key to obtain the first encrypted information.
  • the first encryption information is the result of encryption by the first key by the second key. Then, the data recording network element sends the first encrypted information to the blockchain.
  • the recording network element in the embodiment of the present application may determine the second key in a variety of ways, and the details are not limited to the following.
  • Second key determination method 1 The data recording network element determines the key pre-configured on the data recording network element by the database as the second key.
  • the data recording network element and the database have agreed in advance the key used to encrypt the first key, so that when the data recording network element needs to verify the first key
  • the key is encrypted, the first key is directly encrypted according to the previously agreed key, that is, the second key.
  • Second key determination method 2 The data recording network element determines the received key sent by the database as the second key.
  • the data recording network element before the data recording network element needs to send the first encrypted information, it sends the information for obtaining the second key to the database, and the database receives the information for obtaining the second key sent by the data recording network element. After the information of the second key, the locally stored second key is sent to the data recording network element.
  • the database may generate the second key after receiving the information for obtaining the second key sent by the data recording network element; Before the information sent by the data recording network element to obtain the second key, it has been stored locally.
  • Step 202 The blockchain receives a first key from the data recording network element, and stores the first key in the database.
  • the block chain stores the first encrypted information in The database.
  • Step 203 The database receives the first key from the blockchain, and stores the first key safely locally.
  • the database if the database receives the first encrypted information from the blockchain, the database encrypts the first according to a second key Information is decrypted, the first key is obtained, and then the first key is safely stored locally, and the storage address of the first key is notified to the blockchain.
  • the database if the database receives the first encrypted information from the blockchain, the database first stores the first encrypted information in Locally, and notify the blockchain of the storage address of the first encrypted information. In the subsequent process, if the database receives an application for obtaining the first key sent by another device, at this time, the database then decrypts the first encrypted information according to the second key to obtain all the information. The first key is sending the first key to the corresponding device.
  • Step 204 The database notifies the blockchain of the storage address of the first key.
  • Step 205 The blockchain receives the storage address of the first key.
  • Step 206 The blockchain records the first behavior through a smart contract, and determines the address of the first behavior in the blockchain, and the first behavior is used to record that the data recording network element passes through the zone. The act of storing the first key in the database by the block chain.
  • the first behavior includes the storage address of the first key in the database; or the first behavior includes the storage address of the first encrypted information in the database.
  • the first behavior in the embodiment of the present application can be used as a security script for judging and recording the access device to access the user data in the future.
  • Step 207 The blockchain feeds back the address of the first behavior to the data recording network element.
  • the blockchain may directly feed back the storage address of the first key to the data recording network element.
  • the blockchain may also directly feed back the storage address of the first encrypted information to the The data recording network element.
  • Step 208 The data recording network element stores the encrypted user data and the address of the first behavior in a cloud platform.
  • the data recording network element stores the encrypted user data and the storage address of the first key in a cloud platform.
  • the data recording network element if the data recording network element receives the storage address of the first encrypted information from the blockchain, the data recording network element encrypts the The subsequent user data and the storage address of the first encrypted information are stored in the cloud platform.
  • Phase two data access recording phase.
  • the access behavior recording system shown in FIG. 3 is taken as an example to describe in detail the recording system applicable in the data access recording phase of the embodiment of the present application.
  • the communication system includes an access device 300, a blockchain 301, a database 302, and a cloud platform 303.
  • the access device 300 the data access party, is used to obtain user data.
  • the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network.
  • the purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
  • the blockchain 301 is a security implementation of a distributed ledger. It uses blocks as a data structure to store behavioral information, and each block contains a block body and a block header. Among them, the block body stores the behavior content.
  • the content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
  • the database 302 has storage and processing functions.
  • the database 302 is used to store relevant data information in the recording system, and to update the stored data information according to the received information.
  • the database 302 may also return corresponding information according to the received information.
  • the database in the embodiment of the present application is used to store the key used to encrypt user data in the embodiment of the present application, for example, the first key.
  • the cloud platform 303 has storage and processing functions.
  • the cloud platform 303 is used to store relevant data information in the recording system, and update the stored data information according to the received information.
  • the cloud platform 303 may also return corresponding information according to the received information.
  • FIG. 3 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 3.
  • an embodiment of the present application provides a method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
  • Step 400 The access device obtains the encrypted user data and the address in the blockchain of the first action in the smart contract from the cloud platform.
  • the smart contract is used to record the accessed behavior of the blockchain; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
  • the access device obtains encrypted user data and the storage address of the first key in the database from a cloud platform.
  • Step 401 The access device applies to the blockchain for obtaining user data, and the user data obtaining application carries the address of the first action of the smart contract.
  • the access device in the 401 mainly seeks the arbitration and recording of this access behavior through the blockchain, that is, the first behavior in the smart contract.
  • the request for obtaining user data carries a storage address of the first key in the database.
  • Step 402 The blockchain receives the user data acquisition application sent by the access device, and determines the first behavior according to the address of the first behavior carried in the user acquisition application.
  • the step 402 may be omitted.
  • Step 403 The blockchain verifies the access device, and after determining that the access device is successfully verified, sends a successful verification result and the first behavior to the database.
  • the blockchain determines that the access device is successfully verified after determining that the number of nodes in the blockchain that is not less than a threshold value successfully verify the access device. That is to say, in order to prevent tampering with a single node, the user data information is leaked and cannot be traced back, the embodiment of the present application may adopt a consensus mechanism, and the access device is determined only after the consensus result is that the access device is successfully verified. The verification is successful.
  • the blockchain may determine whether the access device is successfully verified based on a set access policy.
  • the access devices that comply with the access policy are all authorized access devices, and the authorization form may be direct authorization by the terminal device and/or authorization by the core network.
  • the authority grantor can authorize by signing the access device information, so that the blockchain node can determine whether the access device has passed the verification by judging the validity of the signature.
  • the block link receives the storage address of the first key sent from the access device
  • the block chain verifies the access device and confirms that the access device After the verification is successful, the result of the verification success and the storage address of the first key are sent to the database.
  • Step 404 The database determines the first key according to the first behavior, and sends the first key to the blockchain.
  • the database in the embodiment of the present application determines the first key according to the storage address of the first key in the database in the first behavior; or, if the database receives If it is the storage address of the first key sent from the blockchain, the database directly determines the first key according to the storage address of the first key.
  • the third key is also carried in the user data acquisition application, so that the database is determining the first After the key is obtained, the first key can be encrypted according to the third key to obtain the second encrypted information, and the second encrypted information is sent to the blockchain.
  • the database determines that the result of the successful verification is valid.
  • the database can query several blockchain endorsement nodes. If it reaches 100%, it is valid.) The content of the successful verification has been recorded on the endorsing node, and the database determines that the result of the successful verification is valid; After verifying the successful result, you can spot check the endorsing nodes you trust. If the endorsing node you trust has recorded the content of the successful verification, the database determines that the successful result of the verification is valid.
  • Step 405 The blockchain receives the first key from the database.
  • the blockchain receives the first encrypted information from the database.
  • Step 406 The blockchain sends the first key to the access device.
  • the block chain sends the second encrypted information to The access device.
  • the blockchain in order to effectively carry out later traceability, before the blockchain sends the first key to the access device, the blockchain records the second behavior to the smart contract Or, after the blockchain sends the first key to the access device, the second behavior is recorded in the smart contract.
  • the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
  • Step 407 The access device receives the first key from the blockchain.
  • the access device if the access device receives the second encrypted information from the blockchain, the access device decrypts the second encrypted information according to the third key , To obtain the first key.
  • Step 408 The access device decrypts the encrypted user data according to the first key, so as to obtain the user data.
  • an embodiment of the present application also provides another method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
  • Step 500 The access device obtains the encrypted user data and the address in the blockchain of the first action in the smart contract from the cloud platform.
  • the smart contract is used to record the accessed behavior of the blockchain; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
  • the access device obtains encrypted user data and the storage address of the first key in the database from a cloud platform.
  • step 501 the access device makes an application for obtaining user data to the blockchain, and the application for obtaining user data carries the address of the first action of the smart contract and the encrypted user data block.
  • the user data block is part or all of the user data
  • the access device in step 501 mainly seeks the arbitration and recording of this access behavior through the blockchain, that is, the smart contract The first act.
  • the user obtaining application carries the storage address of the first key in the database and the encrypted user data block.
  • Step 502 The blockchain receives the user data acquisition application sent by the access device.
  • Step 503 The blockchain determines the first behavior according to the address of the first behavior carried in the obtaining user application.
  • the step 503 may be omitted.
  • Step 504 The blockchain verifies the access device, and after determining that the access device is successfully verified, sends the successful verification result, the first behavior, and the encrypted user data to the database Piece.
  • the blockchain verifies the access device, and after determining that the access device is successfully verified, sends the result of the successful verification to the database, the first The storage address of the key in the database and the encrypted user data block.
  • the embodiment of the present application may adopt a consensus mechanism, and the access device is determined only after the consensus result is that the access device is successfully verified. The verification is successful.
  • step 403 for the manner in which the blockchain determines whether the access device is successfully verified, refer to step 403 above, which is a succinct description and will not be repeated here.
  • the information sent by the blockchain to the database may not include the verification success. the result of.
  • Step 505 The database determines the first key according to the first behavior, and decrypts the encrypted user data block according to the first key to obtain the user data block.
  • the database in the embodiment of the present application determines the first key according to the storage address of the first key in the database in the first behavior.
  • the database receives the result of the successful verification sent from the blockchain, the storage address of the first key in the database And the encrypted user data block, the database directly determines the first key according to the storage address of the first key in the database.
  • the database determines the validity of the result of the successful verification received from the blockchain before performing the step 504. On the contrary, when the database determines that the result of the successful verification received from the blockchain is invalid, it terminates subsequent operations, or sends a refusal to obtain user data to the access device through the blockchain Information.
  • the database after the database receives the successful verification result sent by the blockchain, it can query several blockchain endorsement nodes. If it reaches 100%, it is valid.) The content of the successful verification has been recorded on the endorsing node, and the database determines that the result of the successful verification is valid; or, the database is After verifying the successful result, you can spot check the endorsing nodes you trust. If the endorsing node you trust has recorded the content of the successful verification, the database determines that the successful result of the verification is valid.
  • Step 506 The database adds a watermark to the user data block, and sends the watermarked user data block to the blockchain.
  • the application for obtaining user data also carries the fourth key, so that the database can be based on the fourth key.
  • the key encrypts the user data block to obtain the third encrypted information, and sends the third encrypted information to the blockchain; or,
  • the database may encrypt the watermarked user data block according to the fourth key to obtain the third encrypted information, and send the third encrypted information to the blockchain.
  • Step 507 The blockchain receives the watermarked user data block from the database.
  • the blockchain receives third encrypted information from the database, where the third encrypted information is that the database pairs the The user data block is obtained after encryption; or the third encryption information is obtained after the database encrypts the watermarked user data block according to the fourth key.
  • Step 508 The blockchain sends the watermarked user data block to the access device.
  • the block link if the block link receives the third encrypted information from the database, the block chain sends the third encrypted information to The access device.
  • the block chain in order to effectively carry out later traceability, before the block chain sends the watermarked user data block or the third encrypted information to the access device, the block chain The second behavior is recorded in the smart contract; or, after the blockchain sends the first key to the access device, the second behavior is recorded in the smart contract.
  • the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
  • Step 509 The access device receives the watermarked user data block from the blockchain.
  • the access device if the access device receives the third encrypted information from the blockchain, the access device decrypts the third encrypted information according to the fourth key , Obtain the user data block, or obtain the user data block added with a watermark.
  • the main process of the embodiment of this application includes three stages: client deployment stage, data storage recording stage, and data access recording stage.
  • client deployment stage the main process of the embodiment of this application includes three stages: client deployment stage, data storage recording stage, and data access recording stage.
  • data storage recording stage the main process of the embodiment of this application includes three stages: client deployment stage, data storage recording stage, and data access recording stage.
  • data access recording stage the main process of the embodiment of this application includes three stages: client deployment stage, data storage recording stage, and data access recording stage.
  • the embodiments of this application are given examples in conjunction with the accompanying drawings. Make an introduction.
  • Phase one client deployment phase.
  • the access behavior recording system shown in FIG. 6 is taken as an example to describe in detail the recording system applicable to the client deployment stage of the present application embodiment.
  • the communication system includes an access device 600, a client 601, a blockchain 602, and an authorization server 603.
  • the access device 600 the data access party, is used to obtain user data.
  • the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network.
  • the purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
  • the client 601 is used to assist the access device 600 in reading user data, where the client needs to have permission to read and access the user data provided by the access device.
  • the client can be on the access device or connected to the access device.
  • the client is not limited to be implemented purely in software, and can also be a system based on a secure hardware platform. Therefore, the embodiments of the present application are not limited.
  • Blockchain 602 is a security implementation of distributed ledger.
  • Blocks are used as data structures to store behavioral information.
  • Each block contains a block body and a block header.
  • the block body stores the behavior content.
  • the content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application;
  • the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
  • the authorization server 603 has functions such as management and serial number generation.
  • the authorization server in the embodiment of this application is mainly used to deploy the client's permission to read user data, and to generate a serial number, and notify the client of the serial number So as to enable the client to determine whether it has the authority to read the user data according to the serial number.
  • the authorization server and each client realize wide synchronization in time.
  • FIG. 6 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 6.
  • an embodiment of the present application provides a method for recording access behaviors based on a client deployment stage, which specifically includes the following steps:
  • step 700 the access device installs a client.
  • Step 701 The access device sends a first application to the blockchain, where the first application is used to grant the client a right to open the user data obtained by the access device.
  • the first application includes the identification ID of the client.
  • Step 702 The blockchain receives the first application sent by the access device.
  • Step 703 The blockchain records a third behavior in the smart contract, where the third behavior is used to record that the access device sends the first application to the database.
  • Step 704 The blockchain sends the first application to the authorization server.
  • Step 705 The authorization server receives the first application, and generates the first random number.
  • Step 706 The authorization server associates the first random number with the client identification ID in the first application.
  • the first random number has a one-to-one correspondence with the identification ID of the client, so that the authorization server determines the corresponding first random number according to the received identification ID of the client during the data access phase.
  • Step 707 The authorization server sends the first random number to the blockchain.
  • the first application may also include a fifth key
  • the authorization server encrypts the first random number according to the fifth key to obtain fourth encrypted information, so that the authorization server sends the fourth encrypted information to the blockchain.
  • Step 708 The blockchain receives the first random number from the authorization server.
  • the blockchain receives the fourth encrypted information from the authorization server.
  • Step 709 The blockchain feeds back the first random number to the access device.
  • the block link receives the fourth encrypted information from the authorization server, the block chain feeds back the fourth encrypted information Give the access device.
  • Step 710 The access device receives the first random number from the blockchain.
  • the access device if the access device receives the fourth encrypted information from the blockchain, the access device pairs the cryptographic information according to the fifth key.
  • the fourth encrypted information is decrypted to obtain the first random number.
  • Phase two data storage and recording phase.
  • the access behavior recording system shown in FIG. 8 is taken as an example to describe in detail the recording system applicable in the data recording phase of the embodiment of the present application.
  • the communication system includes a data recording network element 800, a blockchain 801 and a cloud platform 802.
  • the data recording network element 800 is used to securely record the user data on a platform jointly trusted by the operator alliance, for example, the cloud platform 103, and manage it through the blockchain 101 after obtaining the user's contextual user data.
  • Blockchain 801 is a security implementation of distributed ledger.
  • Blocks are used as a data structure to store behavioral information.
  • Each block contains a block body and a block header.
  • the block body stores the behavior content.
  • the content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application;
  • the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
  • the cloud platform 802 has storage and processing functions, and is used in the recording system to store relevant data information, update the stored data information according to the received information, or return corresponding information according to the received information.
  • the cloud platform in the embodiment of the present application is used to store the encrypted user data sent by the data recording network element 800 in the embodiment of the present application.
  • FIG. 8 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may further include other devices or other data recording network elements, which are not shown in FIG. 8.
  • an embodiment of the present application provides a method for recording access behaviors based on the data storage recording stage, which specifically includes the following steps:
  • Step 900 The data recording network element stores user data in a cloud platform.
  • Step 901 The cloud platform receives user data from a data recording network element, and notifies the data recording network element after the user data is successfully stored locally;
  • Step 902 After determining that the user data is successfully stored on the cloud platform, the data recording network element sends the storage status of the user data to the blockchain.
  • Step 903 The blockchain receives the storage status of the user data sent by the data recording network element, where the storage status is used to instruct the data recording network element to store the user data on the cloud platform;
  • Step 904 After determining that the user data is successfully stored in the cloud platform, the blockchain assigns a user data ID to the user data.
  • Step 905 The blockchain sends the user data ID to the cloud platform.
  • Step 906 The cloud platform receives the user data ID allocated by the blockchain for the user data, and associates the user data with the user data ID.
  • the user data may be encrypted and transmitted, and the content described in FIG. 2 may be specifically combined, which is not performed here. Go into details.
  • Phase three data access recording phase.
  • the access behavior recording system shown in FIG. 10 is taken as an example to describe in detail the recording system applicable to the embodiment of the present application in the data recording stage.
  • the communication system includes an access device 1000, a client 1001, a blockchain 1002, an authorization server 1003, and a cloud platform 1004.
  • the access device 1000 the data access party, is used to obtain user data.
  • the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network.
  • the purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
  • the client 1001 is used to assist the access device 1000 in reading user data, where the client needs to be authorized by the authorization server to be able to read and access the user data provided by the access device.
  • the client can be on the access device or connected to the access device.
  • the client is not limited to be implemented purely in software, and can also be a system based on a secure hardware platform. Therefore, the embodiments of the present application are not limited.
  • Blockchain 1002 is a security implementation of distributed ledger.
  • Blocks are used as data structures to store behavioral information.
  • Each block contains a block body and a block header.
  • the block body stores the behavior content.
  • the content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application;
  • the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
  • the authorization server 1003 has functions such as management and serial number generation.
  • the authorization server in the embodiment of this application is mainly used to deploy the client's permission to read user data, and to generate a serial number, and notify the client of the serial number So as to enable the client to determine whether it has the authority to read the user data according to the serial number.
  • the authorization server and each client realize wide synchronization in time.
  • the cloud platform 1004 has storage and processing functions, and is used in the recording system to store relevant data information, update the stored data information according to the received information, or return corresponding information according to the received information.
  • the cloud platform in the embodiment of the application is used to store the encrypted user data sent by the data recording network element in the embodiment of the application.
  • FIG. 10 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 10.
  • an embodiment of the present application provides a method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
  • Step 1100 The access device obtains user data and user data ID from the cloud platform.
  • Step 1101 The access device sends a second application to the blockchain, where the second application is used to request to read the user data through the client.
  • the second application includes the identification ID of the client and the user data ID.
  • the identification ID and the user data ID of the client are used to verify that the client has the authority to open the user data, and the user The data ID is also used to verify the authenticity of the user data.
  • Step 1102 The blockchain receives the second application sent by the access device.
  • Step 1103 The blockchain determines that the identification ID of the client is valid; and/or determines that the user data ID is valid.
  • the blockchain determines whether the third behavior exists in the smart contract according to the received identification ID of the client, that is, whether the access device has sent the first behavior to the database Application. If the third behavior is found according to the client ID, the client ID is valid, otherwise it is invalid.
  • the access device may have the authority to read the user data given by the authorization server.
  • the access device has not sent the first application, it can be determined that the access device is not authorized by the authorization server to read user data. Therefore, after the blockchain determines that the customer point identification ID is invalid, the access behavior of this time can be directly terminated, which effectively reduces the overhead of subsequent signaling and the power consumption of the system.
  • the blockchain determines whether there is user data corresponding to the user data ID in the cloud platform according to the received user data ID. If there is corresponding user data, the user data ID is valid, otherwise it is invalid.
  • the blockchain is determining the customer point After the identification ID is invalid, the access behavior of this time can be directly terminated, which effectively reduces the overhead of subsequent signaling and the power consumption of the system.
  • a consensus mechanism may also be applied, that is, nodes in the blockchain that are not less than a threshold number determine that the identification ID of the client is valid; and/or the number of nodes in the blockchain that is not less than the threshold number The node determines that the user data ID is valid.
  • Step 1104 The blockchain sends the second application to the authorization server.
  • Step 1105 The authorization server receives the second application from the access device through the blockchain.
  • Step 1106 The authorization server generates a first serial number according to the second application.
  • the authorization server determines the first random number corresponding to the client identification ID according to the identification ID of the client in the second application, and then generates a first random number according to the first random number. And then use the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the first serial number.
  • the first random number generator may be generated by the authorization server according to the first random number in advance, and the authorization server directly determines the identification ID of the client according to the second application The first random number generator.
  • Step 1107 The authorization server sends the first serial number to the blockchain.
  • Step 1108 The blockchain receives the first serial number sent by the authorization server, and sends the first serial number to the access device.
  • the block chain in order to effectively carry out later traceability, before the block chain sends the first serial number to the access device, the block chain records the fourth behavior in the smart contract Or, after the blockchain sends the first serial number to the access device, the blockchain records the fourth behavior in the smart contract.
  • the fourth behavior is used to record that the access device sends the second application to the authorization server.
  • Step 1109 The access device receives the first serial number from the blockchain, and inputs the first serial number into the client.
  • Step 1110 The access device reads the user data opened by the client after the client determines that the client has the right to open the user data according to the first serial number.
  • the client generates a second serial number, and after determining that the generated second serial number is the same as the first serial number, opens the user data, and the access device reads the opened user data by the client User data.
  • the client generates a first random number generator according to the first random number received in the deployment phase, and then uses the application time of the second application and/or the user data ID as the first random number
  • the input parameters of the number generator are used to generate the second serial number, so as to compare whether the first serial number and the second serial number are the same.
  • the first random number and/or the first sequence number may be A serial number is encrypted and transmitted, which can be specifically combined with the content described in Figure 2 above, and will not be repeated here.
  • an embodiment of the present application also provides another method for recording access behavior based on the data access recording phase, which specifically includes the following steps:
  • Step 1200 The access device obtains user data and user data ID from the cloud platform.
  • Step 1201 The access device sends a second application to the blockchain, where the second application is used to request to read the user data through the client.
  • the second application includes the identification ID of the client and the user data ID.
  • the identification ID and the user data ID of the client are used to verify that the client has the authority to open the user data, and the user The data ID is also used to verify the authenticity of the user data.
  • Step 1202 The blockchain receives the second application sent by the access device.
  • Step 1203 The blockchain determines that the identification ID of the client is valid; and/or determines that the user data ID is valid.
  • step 1103 For details, please refer to step 1103 above, which will not be repeated here.
  • Step 1204 The blockchain sends the second application to the authorization server.
  • Step 1205 The authorization server receives the second application from the access device through the blockchain.
  • Step 1206 the authorization server generates a second random number, and the authorization server generates a first serial number according to the second application.
  • the authorization server determines the first random number corresponding to the client identification ID according to the identification ID of the client in the second application, and then, according to the first random number and the second random number The number generates a first random number generator, and then uses the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the first serial number.
  • Step 1207 The authorization server sends the first serial number and the second random number to the blockchain.
  • Step 1208 The blockchain receives the first serial number and the second random number sent by the authorization server, and sends the first serial number and the second random number to the access device.
  • step 1108 For details, please refer to step 1108 above, which will not be repeated here.
  • Step 1209 The access device receives the first serial number and the second random number from the blockchain, and inputs the first serial number and the second random number to the client.
  • step 1210 the access device reads the user data opened by the client after the client has the right to open the user data according to the first serial number.
  • the client uses the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the second serial number.
  • the client opens the user data after determining that the generated second serial number is the same as the first serial number.
  • the access device reads the user data opened by the client.
  • the first random number and/or the first sequence number may be A serial number is encrypted and transmitted, which can be specifically combined with the content described in Figure 2 above, and will not be repeated here.
  • the above-mentioned realization devices include hardware structures and/or software modules corresponding to the respective functions.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • a data recording network element of the present application includes a processor 1300, a memory 1301, and a communication interface 1302.
  • the processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1301 may store data used by the processor 1300 when performing operations.
  • the transceiver communication interface 1302 is used to receive and send data under the control of the processor 1300 for data communication with the memory 1301.
  • the processor 1300 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 1300 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the memory 1301 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other various media that can store program codes.
  • the processor 1300, the memory 1301, and the communication interface 1302 are connected to each other.
  • the processor 1300, the memory 1301, and the communication interface 1302 may be connected to each other through a bus 1303; the bus 1303 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 13, but it does not mean that there is only one bus or one type of bus.
  • the processor 1300 is configured to read the program in the memory 1301 and execute the method procedure executed by the data recording network element in S200-S207 as shown in FIG. 2; or execute S900 as shown in FIG. -The process of the method executed by the data recording network element described in S906.
  • the present application provides a data recording network element.
  • the data recording network element includes: a processing unit 1400 and a communication unit 1401;
  • processing unit 1400 and the communication unit 1401 are configured to execute the following content:
  • the processing unit 1400 is configured to use a first key to encrypt user data; store the first key in a database through a blockchain;
  • the communication unit 1401 is configured to receive the address of the first behavior in the smart contract fed back by the blockchain, and the first behavior is used to record that the data recording network element transfers the first behavior through the blockchain.
  • the processing unit 1400 is configured to store the encrypted user data and the address of the first behavior in a cloud platform.
  • processing unit 1400 and the communication unit 1401 are configured to execute the following content:
  • the processing unit 1400 is configured to store user data on a cloud platform
  • the communication unit 1401 is configured to send the storage status of the user data to the blockchain after determining that the user data is successfully stored on the cloud platform.
  • a blockchain of the present application includes a processor 1500, a memory 1501, and a communication interface 1502.
  • the processor 1500 is responsible for managing the bus architecture and general processing, and the memory 1501 can store data used by the processor 1500 when performing operations.
  • the transceiver communication interface 1502 is used to receive and send data under the control of the processor 1500 for data communication with the memory 1501.
  • the processor 1500 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 1300 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the memory 1501 may include: a U disk, a mobile hard disk, a read-only memory (read-only memory, ROM), a random access memory (random access memory, RAM), a magnetic disk or an optical disk and other media that can store program codes.
  • the processor 1500, the memory 1501, and the communication interface 1502 are connected to each other.
  • the processor 1500, the memory 1501, and the communication interface 1502 may be connected to each other through a bus 1503; the bus 1503 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 15 to represent it, but it does not mean that there is only one bus or one type of bus.
  • the processor 1500 is configured to read the program in the memory 1501 and execute the method flow of the blockchain execution in S200-S207 as shown in FIG. 2; or execute S400- as shown in FIG.
  • the process of the method executed by the blockchain in S408; or the process of the method executed by the blockchain in S500-S508 as shown in FIG. 5; or the block in S700-S710 as shown in FIG. 7 The method flow of chain execution; or the method flow of blockchain execution described in S900-S906 shown in FIG. 9; or the method flow of blockchain execution described in S1100-S1111 shown in FIG. 11; Or execute the method flow of the blockchain execution in S1200-S1212 as shown in FIG. 12.
  • the present application provides a blockchain, which includes: a processing unit 1600 and a communication unit 1601;
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit is configured to receive a first key from a data recording network element, and store the first key in a database;
  • the processing unit 1600 is configured to record a first behavior and an address of the first behavior through a smart contract, and the first behavior is used to record that the data recording network element transfers the first secret through the blockchain The act of storing the key in the database;
  • the communication unit 1601 is configured to feed back the address of the first behavior to the data recording network element.
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit 1601 is configured to receive an application for acquiring user data from an access device; the address of the first action in the smart contract carried in the application for acquiring user data; The act of storing the first key in the database by the blockchain;
  • the processing unit 1600 is configured to obtain the first key from the database according to the first behavior after determining that the access device is successfully authenticated;
  • the communication unit 1601 is configured to send the first key to the access device.
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit 1601 is configured to receive an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first behavior in the smart contract and the encrypted user data block; the first behavior is used for recording The behavior of the data recording network element storing the first key in the database through the blockchain; the user data block is all or part of the user data;
  • the processing unit 1600 is configured to determine the first behavior according to the address of the first behavior
  • the communication unit 1601 is configured to send the first behavior and the encrypted user data block to the database after determining that the access device is successfully authenticated; receive the user data block from the database, And send the user data block to the access device.
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit 1601 is configured to receive a first application sent by an access device, where the first application is used to grant the access device the right to open the user data obtained by the access device through a client installed;
  • the processing unit 1600 is configured to determine that the access device passes verification
  • the communication unit 1601 is configured to send the first application to an authorization server; receive a first random number from the authorization server, and send the first random number to the access device, wherein the first random number A random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right to open the user data.
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit 1601 is configured to receive a storage state of user data sent by a data recording network element, where the storage state is used to instruct the data recording network element to store the user data in a cloud platform;
  • the processing unit 1600 is configured to allocate a user data ID to the user data after determining that the user data is successfully stored in the cloud platform;
  • the communication unit 1601 is configured to send the user data ID to the cloud platform.
  • processing unit 1600 and the communication unit 1601 are configured to execute the following content:
  • the communication unit 1601 is configured to receive a second application sent by an access device, where the second application is used to request to read the user data through the client;
  • the processing unit 1600 is configured to determine that the access device passes verification
  • the communication unit 1601 is configured to send the second application to the authorization server; receive the first serial number sent by the authorization server, and send the first serial number to the access device.
  • a database of the present application includes a processor 1700, a memory 1701, and a communication interface 1702.
  • the processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1701 can store data used by the processor 1700 when performing operations.
  • the transceiver communication interface 1702 is used for receiving and sending data under the control of the processor 1700 for data communication with the memory 1701.
  • the processor 1700 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 1700 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the memory 1701 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other various media that can store program codes.
  • the processor 1700, the memory 1701, and the communication interface 1702 are connected to each other.
  • the processor 1700, the memory 1701, and the communication interface 1702 may be connected to each other through a bus 1703; the bus 1703 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 17, but it does not mean that there is only one bus or one type of bus.
  • the processor 1700 is configured to read the program in the memory 1701 and execute the method flow of the database execution in S200-S207 as shown in FIG. 2; or execute the method in S400-S408 as shown in FIG. The process of the method executed by the database; or the process of the method executed by the database in S500-S508 as shown in FIG. 5.
  • the present application provides a database, which includes: a processing unit 1800 and a communication unit 1801;
  • processing unit 1800 and the communication unit 1801 are configured to execute the following content:
  • the communication unit 1801 is configured to receive the first key from the data recording network element through the blockchain;
  • the processing unit 1800 is configured to store the first key and record the storage address
  • the communication unit 1801 is configured to send the storage address to the blockchain, so that the blockchain records the first behavior according to the storage address;
  • the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
  • processing unit 1800 and the communication unit 1801 are configured to execute the following content:
  • the communication unit 1801 is configured to receive the successful verification result and the first behavior in the smart contract sent by the blockchain after determining that the access device is successfully verified; the first behavior is used to record that the data recording network element passes through the zone The act of storing the first key in the database by the block chain;
  • the processing unit 1800 is configured to determine a first key according to the first behavior after determining that the result of the successful verification is valid;
  • the communication unit 1801 is configured to send the first key to the access device through the blockchain;
  • the first key is used to decrypt the encrypted user data obtained by the access device from the cloud platform.
  • processing unit 1800 and the communication unit 1801 are configured to execute the following content:
  • the communication unit 1801 is configured to receive the successful verification result, the first behavior in the smart contract, and the encrypted user data block sent by the blockchain after determining that the access device is successfully verified;
  • the encrypted user data block is obtained by the block chain from the received user data acquisition application sent by the access device, and the first line is used to record the data recording network element through the block chain.
  • the act of storing the key in the database; the user data block is all or part of the user data;
  • the processing unit 1800 is configured to determine the user data block according to the first behavior after determining that the result of the successful verification is valid;
  • the communication unit 1801 is configured to send the user data block to the access device through the blockchain.
  • an access device of the present application includes a processor 1900, a memory 1901, and a communication interface 1902.
  • the processor 1900 is responsible for managing the bus architecture and general processing, and the memory 1901 can store data used by the processor 1900 when performing operations.
  • the transceiver communication interface 1902 is used to receive and send data under the control of the processor 1900 for data communication with the memory 1901.
  • the processor 1900 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 1900 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the memory 1901 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other media that can store program codes.
  • the processor 1900, the memory 1901, and the communication interface 1902 are connected to each other.
  • the processor 1900, the memory 1901, and the communication interface 1902 may be connected to each other through a bus 1903; the bus 1903 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used to represent in FIG. 19, but it does not mean that there is only one bus or one type of bus.
  • the processor 1900 is configured to read the program in the memory 1901 and execute the method procedure executed by the access device in S400-S408 as shown in FIG. 4; or execute S500-S508 as shown in FIG.
  • the present application provides an access device, the access device includes: a processing unit 2000 and a communication unit 2001;
  • processing unit 2000 and the communication unit 2001 are configured to execute the following content:
  • the communication unit 2001 is used to obtain the encrypted user data and the address in the blockchain of the first behavior in the smart contract from the cloud platform, and the first behavior is used to record the data recording network element passing the block The act of storing the first key in the database by the chain;
  • the processing unit 2000 is configured to apply to the blockchain for obtaining user data, and the user data obtaining request carries the address of the first action;
  • the communication unit 2001 is configured to receive the first key from the blockchain after verifying the identity of the access device through the blockchain;
  • the processing unit 2000 is configured to use the first key to decrypt the encrypted user data.
  • processing unit 2000 and the communication unit 2001 are configured to execute the following content:
  • the processing unit 2000 is configured to obtain the encrypted user data and the address in the blockchain of the first behavior in the smart contract from the cloud platform, and the first behavior is used to record the data recording network element passing the block The act of storing the first key in the database by the chain;
  • the communication unit 2001 is configured to send an application for acquiring user data to the blockchain, and the application for acquiring user data carries the address of the first action and an encrypted user data block, and the user data block is the user All or part of the data; after verifying the identity of the access device by the blockchain, receiving the user data block from the blockchain.
  • processing unit 2000 and the communication unit 2001 are configured to execute the following content:
  • the processing unit 2000 is configured to install a client and send a first application to the authorization server through the blockchain, the first application being used to grant the client the right to open the user data obtained by the access device;
  • the communication unit 2001 is configured to receive a first random number from the authorization server via a blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify the client Whether the terminal has the right to open the user data.
  • processing unit 2000 and the communication unit 2001 are configured to execute the following content:
  • the processing unit 2000 is configured to obtain user data and user data ID from a cloud platform
  • the communication unit 2001 is configured to send a second application to the blockchain, where the second application is used to request the client to read the user data; receive the first serial number sent from the blockchain;
  • the processing unit 2000 is configured to input the first serial number into the client; after the client determines the right to open the user data according to the first serial number, read the user data opened by the client The user data.
  • an authorization server of the present application includes a processor 2100, a memory 2101, and a communication interface 2102.
  • the processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2101 can store data used by the processor 2100 when performing operations.
  • the transceiver communication interface 2102 is used to receive and send data under the control of the processor 2100 for data communication with the memory 2101.
  • the processor 2100 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 2100 may further include a hardware chip.
  • the above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the memory 2101 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other media that can store program codes.
  • the processor 2100, the memory 2101, and the communication interface 2102 are connected to each other.
  • the processor 2100, the memory 2101, and the communication interface 2102 may be connected to each other through a bus 2103; the bus 2103 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc.
  • PCI peripheral component interconnect
  • EISA extended industry standard architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 21 to represent it, but it does not mean that there is only one bus or one type of bus.
  • the processor 2100 is configured to read the program in the memory 2101 and execute the method flow executed by the authorization server in S700-S710 as shown in FIG. 7; or execute S1100-S1111 as shown in FIG.
  • the method flow executed by the authorization server in the above; or the method flow executed by the authorization server in S1200-S1212 shown in FIG. 12 is executed.
  • the authorization server includes: a processing unit 2200 and a communication unit 2201;
  • processing unit 2200 and the communication unit 2201 are configured to execute the following content:
  • the communication unit 2201 is configured to receive a first application sent by an access device through the blockchain, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client terminal ;
  • the processing unit 2200 is configured to generate a first random number
  • the communication unit 2201 is configured to send the first random number to the access device, where the first random number is used for the client to verify whether it has the right to open the user data.
  • processing unit 2200 and the communication unit 2201 are configured to execute the following content:
  • the processing unit 2200 is configured to obtain user data and user data ID from the cloud platform;
  • the communication unit 2201 is configured to send a second application to the blockchain, and the second application is used to request to read the user data through the client; and receive the first serial number sent from the blockchain;
  • the processing unit 2200 is configured to input the first serial number into the client; after the client determines the right to open the user data according to the first serial number, read the client opened The user data.
  • the program product can use any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or a combination of any of the above. Modifications of the readable storage medium.
  • Examples (non-exhaustive list) in one implementation of the embodiments of the present application include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read-only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • RAM random access memory
  • ROM read-only Memory
  • EPROM or flash memory erasable programmable read-only memory
  • CD-ROM compact disk read-only memory
  • magnetic storage device magnetic storage device, or any suitable combination of the above.
  • the program product for recording access behavior may adopt a portable compact disk read-only memory (CD-ROM) and include program code, and may run on a server device.
  • CD-ROM portable compact disk read-only memory
  • the program product of this application is not limited to this.
  • the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with information transmission, devices, or devices.
  • the readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with a periodic network action system, apparatus, or device.
  • the program code contained on the readable medium can be transmitted by any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
  • the program code used to perform the operations of this application can be written in any combination of one or more programming languages.
  • the programming languages include object-oriented programming languages—such as Java, C++, etc., as well as conventional procedural programming languages. Programming language-such as "C" language or similar programming language.
  • the program code can be executed entirely on the user's computing device, partly on the user's device, executed as an independent software package, partly on the user's computing device and partly executed on the remote computing device, or entirely on the remote computing device or server Executed on.
  • the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.
  • LAN local area network
  • WAN wide area network
  • the method for recording access behaviors in the embodiments of the present application also provides a storage medium readable by a computing device, that is, the content is not lost after a power failure.
  • the storage medium stores a software program, including program code.
  • the program code runs on a computing device, the software program can implement any of the above embodiments of the present application when it is read and executed by one or more processors.
  • the scheme of the recording of the access behavior is also provided.
  • this application may take the form of a computer program product on a computer-usable or computer-readable storage medium, which has a computer-usable or computer-readable program code implemented in the medium to be used or used by the instruction execution system. Used in conjunction with the instruction execution system.
  • a computer-usable or computer-readable medium can be any medium that can contain, store, communicate, transmit, or transmit a program for use by an instruction execution system, apparatus, or device, or in combination with an instruction execution system, Device or equipment use.

Abstract

The present application relates to the technical field of communications. Disclosed are a method and apparatus for recording an access behavior. The method comprises: an access device acquiring, from a cloud platform, encrypted user data and the address of a first behavior in a smart contract in a blockchain, wherein the first behavior is used for recording the behavior of a data recording network element storing a first key in a database by means of the blockchain; the access device applying to the blockchain to acquire user data, wherein the application to acquire user data carries the address of the first behavior; and after passing verification by the blockchain, the access device receiving the first key from the blockchain, and decrypting the encrypted user data by using the first key. In this method, each apparatus only stores some user data information, thereby reducing the risk of user data leakage due to an attack on a certain apparatus. A traceable recording method based on blockchain technology and having higher security is provided.

Description

一种访问行为的记录方法、装置Method and device for recording access behavior
相关申请的交叉引用Cross-references to related applications
本申请要求在2020年02月29日提交中国专利局、申请号为202010131927.4、申请名称为“一种访问行为的记录方法、装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on February 29, 2020, the application number is 202010131927.4, and the application title is "a method and device for recording access behavior", the entire content of which is incorporated herein by reference Applying.
技术领域Technical field
本申请涉及通信技术领域,尤其涉及一种访问行为的记录方法、装置。This application relates to the field of communication technology, and in particular to a method and device for recording access behavior.
背景技术Background technique
目前在通信过程中,为避免用户数据的非受控扩散等各种风险,需要对访问方针对用户数据的访问行为进行记录,以便对访问记录进行追溯。为此,在进行通信访问过程中,一方面需要保证每个访问的行为均能被如实地记录下来,另一方面还需要保证追溯的访问记录是完整的,未被破坏和修改的。At present, in the communication process, in order to avoid various risks such as uncontrolled proliferation of user data, it is necessary to record the access behavior of the visitor to the user data in order to trace the access record. For this reason, in the communication access process, on the one hand, it is necessary to ensure that each access behavior can be accurately recorded, and on the other hand, it is also necessary to ensure that the traced access record is complete and has not been damaged or modified.
与此同时,随着区块链技术的不断发展,基于区块链去中心化以及采用分布式账本技术所具有的不可篡改性等特点,使得区块链系统对于用户数据的历史访问行为具有可信记录和保存的能力。因此,在通信过程中,也逐渐致力于打造基于区块链系统进行的访问行为的追溯。At the same time, with the continuous development of blockchain technology, based on the decentralization of the blockchain and the non-tamperable characteristics of the use of distributed ledger technology, the blockchain system can be used for historical access to user data. The ability to record and preserve letters. Therefore, in the communication process, it is gradually committed to creating the traceability of access behavior based on the blockchain system.
然而,目前并没有基于在去中心化区块链网络中实现访问行为的记录方法。However, there is currently no recording method based on the realization of access behavior in a decentralized blockchain network.
发明内容Summary of the invention
本申请提供一种访问行为的记录方法、装置,用以提供在去中心化区块链网络中实现访问行为的记录方法。This application provides a method and device for recording access behavior to provide a method for recording access behavior in a decentralized blockchain network.
第一方面,本申请实施例提供一种访问行为的记录方法,包括:In the first aspect, an embodiment of the present application provides a method for recording access behavior, including:
数据记录网元使用第一密钥对用户数据进行加密;所述数据记录网元通过区块链将所述第一密钥存储到数据库中;所述数据记录网元接收所述区块链反馈的智能合约中第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;所述数据记录网元将所述加密后的用户数据以及所述第一行为的地址存储到云平台中。The data recording network element uses a first key to encrypt user data; the data recording network element stores the first key in a database through a blockchain; the data recording network element receives the blockchain feedback The address of the first behavior in the smart contract of, the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain; the data recording network The meta stores the encrypted user data and the address of the first behavior in a cloud platform.
基于该方案,本申请实施例中在进行用户数据存储时,将用于获取所述用户数据的相关信息分别存储到云平台以及数据库等设备中,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, when user data is stored in the embodiment of the present application, the relevant information used to obtain the user data is stored in the cloud platform, database and other equipment, which effectively reduces the attack of a certain device in the system. The risk of user data leakage that cannot be traced back provides a safer method for recording access behavior based on a blockchain network.
在一种可能的实现方式中,所述数据记录网元使用第二密钥对所述第一密钥进行加密,得到第一加密信息,并将所述第一加密信息通过所述区块链存储到所述数据库中。In a possible implementation manner, the data recording network element encrypts the first key using a second key to obtain the first encrypted information, and passes the first encrypted information through the blockchain Stored in the database.
在一种可能的实现方式中,所述第二密钥为所述数据库预配置在所述数据记录网元上的;或所述第二密钥为所述数据记录网元从所述数据库处接收的。In a possible implementation, the second key is preconfigured by the database on the data recording network element; or the second key is the data recording network element from the database. Received.
在一种可能的实现方式中,所述第一行为中包括所述第一密钥在所述数据库中的存储地址。In a possible implementation manner, the first behavior includes a storage address of the first key in the database.
第二方面,本申请实施例提供一种访问行为的记录方法,包括:In the second aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收来自数据记录网元的第一密钥,并将所述第一密钥存储到数据库中;所述区块链通过智能合约记录第一行为以及所述第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;所述区块链将所述第一行为的地址反馈给所述数据记录网元。The blockchain receives the first key from the data recording network element and stores the first key in the database; the blockchain records the first behavior and the address of the first behavior through the smart contract, so The first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain; the blockchain feeds back the address of the first behavior to all The data recording network element.
基于该方案,本申请实施例中在进行用户数据存储时,将用于获取所述用户数据的相关信息分别存储到云平台以及数据库等设备中,从而有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, when user data is stored in the embodiment of the present application, the relevant information used to obtain the user data is stored in the cloud platform, database and other equipment, thereby effectively reducing the attack caused by a certain device in the system. , Which causes the risk of user data leakage and cannot be traced back. It provides a safer method for recording access behavior based on a blockchain network.
在一种可能的实现方式中,所述区块链接收来自所述数据记录网元的第一加密信息,所述第一加密信息是通过第二密钥对所述第一密钥加密后得到的;所述区块链将所述第一加密信息存储到所述数据库中。In a possible implementation manner, the blockchain receives first encrypted information from the data recording network element, and the first encrypted information is obtained by encrypting the first key with a second key的; The blockchain stores the first encrypted information in the database.
第三方面,本申请实施例提供一种访问行为的记录方法,包括:In a third aspect, an embodiment of the present application provides a method for recording access behavior, including:
数据库通过区块链接收来自数据记录网元的第一密钥;所述数据库存储所述第一密钥,并记录所述存储地址;所述数据库将所述存储地址发送给所述区块链,以使所述区块链根据所述存储地址记录第一行为;其中,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为。The database receives the first key from the data recording network element through the blockchain; the database stores the first key and records the storage address; the database sends the storage address to the blockchain , So that the blockchain records the first behavior according to the storage address; wherein, the first behavior is used to record that the data recording network element stores the first key in the blockchain through the blockchain State the behavior of the database.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, when user data is stored in the embodiment of this application, the relevant part of the user data is stored in the cloud platform, database and other equipment, thereby effectively reducing the attack caused by a certain device in the system. The risk of user data leakage and cannot be traced back provides a safer method for recording access behavior based on a blockchain network.
在一种可能的实现方式中,所述数据库通过所述区块链接收来自所述数据记录网元的第一加密信息;其中,所述第一加密信息是通过第二密钥对所述第一密钥加密后得到的。In a possible implementation manner, the database receives the first encrypted information from the data recording network element through the blockchain; wherein, the first encrypted information is used to pair the first encrypted information with a second key. Obtained after a key encryption.
在一种可能的实现方式中,所述第二密钥是所述数据记录网元与所述数据库预先设定的;或所述第二密钥是所述数据库生成的。In a possible implementation manner, the second key is preset by the data recording network element and the database; or the second key is generated by the database.
在一种可能的实现方式中,所述数据库通过区块链接收来自数据记录网元的第一加密信息之后,存储所述第一密钥,并记录所述存储地址之前,所述数据库根据第二密钥对所述第一加密信息进行解密,获取所述第一密钥。In a possible implementation manner, after the database receives the first encrypted information from the data recording network element through the blockchain, the first key is stored, and before the storage address is recorded, the database is based on the first encrypted information. The two keys decrypt the first encrypted information to obtain the first key.
第四方面,本申请实施例提供一种访问行为的记录方法,包括:In a fourth aspect, an embodiment of the present application provides a method for recording access behavior, including:
访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述访问设备向所述区块链进行获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址;所述访问设备在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的第一密钥;所述访问设备使用所述第一密钥对所述加密后的用户数据进行解密。The access device obtains the encrypted user data from the cloud platform and the address of the first behavior in the smart contract in the blockchain. The first behavior is used to record the data recording network element transfers the first key through the blockchain. The behavior stored in the database; the access device applies to the blockchain for obtaining user data, and the request for obtaining user data carries the address of the first behavior; the access device is pairing with the blockchain through the blockchain After the identity of the access device is verified, the first key from the blockchain is received; the access device uses the first key to decrypt the encrypted user data.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed.
在一种可能的实现方式中,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。In a possible implementation manner, the user data acquisition application includes a third key, and the third key is used by the database to encrypt the first key to obtain the second encrypted information.
在一种可能的实现方式中,所述访问设备接收来自所述区块链的第二加密信息。In a possible implementation manner, the access device receives the second encrypted information from the blockchain.
在一种可能的实现方式中,所述第二加密信息是通过第三密钥对所述第一密钥进行加密后得到的。In a possible implementation manner, the second encrypted information is obtained after encrypting the first key with a third key.
在一种可能的实现方式中,所述访问设备对所述第二加密信息进行解密,获取所述第一密钥。In a possible implementation manner, the access device decrypts the second encrypted information to obtain the first key.
在一种可能的实现方式中,所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述第一密钥。In a possible implementation manner, the access device receives the first key from the blockchain after being verified by no less than a threshold number of nodes in the blockchain.
第五方面,本申请实施例提供一种访问行为的记录方法,包括:In a fifth aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收来自访问设备的获取用户数据申请,所述获取用户数据申请中携带智能合约中第一行为的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述区块链确定所述访问设备验证成功后,根据所述第一行为从所述数据库中获取所述第一密钥;所述区块链将所述第一密钥发送给所述访问设备。The blockchain receives an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first behavior in the smart contract, and the first behavior is used to record the data recording network element through the blockchain. The act of storing a key in the database; after the block chain determines that the access device is successfully verified, it obtains the first key from the database according to the first act; the block chain transfers the The first key is sent to the access device.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed.
在一种可能的实现方式中,所述区块链确定所述访问设备验证成功后,将验证成功的结果以及所述第一行为发送给所述数据库;所述区块链接收所述数据库的第一密钥。In a possible implementation, after the blockchain determines that the access device is successfully verified, it sends the result of the successful verification and the first behavior to the database; the blockchain receives the information of the database The first key.
在一种可能的实现方式中,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。In a possible implementation manner, the user data acquisition application includes a third key, and the third key is used by the database to encrypt the first key to obtain the second encrypted information.
在一种可能的实现方式中,所述区块链确定所述访问设备验证成功后,将所述验证成功的结果、所述第一行为以及所述第三密钥发送给所述数据库。In a possible implementation manner, after the blockchain determines that the access device is successfully verified, it sends the result of the successful verification, the first behavior, and the third key to the database.
在一种可能的实现方式中,所述区块链根据所述第一行为从所述数据库中获取第二加密信息,所述第二加密信息是所述数据库通过所述第三密钥对所述第一密钥加密后得到的;所述区块链将所述第二加密信息发送给所述访问设备。In a possible implementation manner, the block chain obtains second encrypted information from the database according to the first behavior, and the second encrypted information is the data obtained by the database through the third key pair. The first key is encrypted; the blockchain sends the second encrypted information to the access device.
在一种可能的实现方式中,所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,则所述区块链确定所述访问设备验证成功。In a possible implementation manner, after the access device passes the verification of no less than a threshold number of nodes in the blockchain, the blockchain determines that the verification of the access device is successful.
在一种可能的实现方式中,所述区块链将所述第一密钥发送给所述访问设备之前,所述区块链将第二行为记录到所述智能合约中;其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。In a possible implementation, before the blockchain sends the first key to the access device, the blockchain records the second behavior in the smart contract; wherein, the The second behavior is used to record the behavior of the access device to obtain user data from the blockchain; the second behavior includes the result of the blockchain verifying the access device.
第六方面,本申请实施例提供一种访问行为的记录方法,包括:In a sixth aspect, an embodiment of the present application provides a method for recording access behavior, including:
数据库接收来自区块链对访问设备验证成功的结果以及智能合约中的第一行为;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述数据库在确定所述验证成功的结果有效后,根据所述第一行为确定第一密钥,并将所述第一密钥通过区块链发送给所述访问设备,所述第一密钥用于解密加密后的用户数据。The database receives the result of successful verification of the access device from the blockchain and the first behavior in the smart contract; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain After the database determines that the result of the successful verification is valid, it determines the first key according to the first behavior, and sends the first key to the access device via the blockchain, and the first The key is used to decrypt the encrypted user data.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed.
在一种可能的实现方式中,所述方法还包括:所述数据库还接收来自区块链的第三密钥,所述第三密钥是所述区块链从所述访问设备发送的获取用户数据申请中获取的;所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。In a possible implementation, the method further includes: the database further receives a third key from the blockchain, and the third key is obtained by the blockchain from the access device. Obtained in a user data application; the third key is used by the database to encrypt the first key to obtain the second encrypted information.
在一种可能的实现方式中,所述数据库根据所述第一行为确定第一密钥;所述数据库根据所述第三密钥对所述第一密钥进行加密,得到所述第二加密信息;所述数据库将所述第二加密信息通过区块链发送给所述访问设备。In a possible implementation manner, the database determines the first key according to the first behavior; the database encrypts the first key according to the third key to obtain the second encryption Information; the database sends the second encrypted information to the access device via the blockchain.
第七方面,本申请实施例提供一种访问行为的记录方法,包括:In a seventh aspect, an embodiment of the present application provides a method for recording access behavior, including:
访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述访问设备向区块链进行获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址和加密后的用户数据块,所述用户数据块是所述用户数据的全部或部分;所述访问设备在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的所述用户数据块。The access device obtains the encrypted user data from the cloud platform and the address of the first behavior in the smart contract in the blockchain. The first behavior is used to record the data recording network element transfers the first key through the blockchain. The behavior of storing in the database; the access device applies to the blockchain for obtaining user data, and the request for obtaining user data carries the address of the first act and the encrypted user data block, and the user data block is all All or part of the user data; the access device receives the user data block from the blockchain after verifying the identity of the access device through the blockchain.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。与此同时,通过水印的添加,本申请实施例能更好避免访问方在获得所述用户数据后将所述用户数据恶意分享给其他实体。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed. At the same time, through the addition of the watermark, the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
在一种可能的实现方式中,所述访问设备接收到的所述用户数据块是所述数据库根据来自所述区块链的第一行为确定所述第一密钥后,对来自所述区块链的所述加密后的用户数据块进行解密后得到的;所述第一行为中包含所述第一密钥在所述数据库中的存储地址。In a possible implementation manner, the user data block received by the access device is that after the database determines the first key according to the first behavior from the blockchain, The encrypted user data block of the block chain is obtained after decryption; the first behavior includes the storage address of the first key in the database.
在一种可能的实现方式中,所述访问设备接收来自所述区块链的添加水印标记的所述用户数据块。In a possible implementation manner, the access device receives the watermarked user data block from the blockchain.
在一种可能的实现方式中,所述获取用户数据申请包括第四密钥,所述第四密钥用于所述数据库对所述用户数据块进行加密,得到所述第三加密信息。In a possible implementation manner, the user data acquisition application includes a fourth key, and the fourth key is used by the database to encrypt the user data block to obtain the third encrypted information.
在一种可能的实现方式中,所述访问设备接收来自所述区块链的所述第三加密信息。In a possible implementation manner, the access device receives the third encrypted information from the blockchain.
在一种可能的实现方式中,所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述用户数据块。In a possible implementation manner, the access device receives the user data block from the blockchain after being verified by no less than a threshold number of nodes in the blockchain.
第八方面,本申请实施例提供一种访问行为的记录方法,包括:In an eighth aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收来自访问设备的获取用户数据申请,所述获取用户数据申请中携带智能合约中第一行为的地址和加密后的用户数据块,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述用户数据块是所述用户数据的全部或部分;所述区块链确定所述访问设备验证成功后,将所述第一行为和所述加密后的用户数据块发送给所述数据库;所述区块链接收来自所述数据库的所述用户数据块,并将所述用户数据块发送给所述访问设备。The blockchain receives an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first action in the smart contract and the encrypted user data block, and the first action is used to record the data that the network element passes through The behavior of the blockchain storing the first key in the database; the user data block is all or part of the user data; after the blockchain determines that the access device is successfully verified, the first The behavior and the encrypted user data block are sent to the database; the blockchain receives the user data block from the database, and sends the user data block to the access device.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。与此同时,通过水印的添加,本申请实施例能更好避免访问方在获得所述用户数据后将所述用户数据恶意分享给其他实体。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed. At the same time, through the addition of the watermark, the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
在一种可能的实现方式中,所述用户数据块是所述数据库在确定来自所述区块链发送的所述访问设备验证成功的结果有效后发送的。In a possible implementation manner, the user data block is sent by the database after determining that the result of the successful verification of the access device sent from the blockchain is valid.
在一种可能的实现方式中,所述区块链接收来自所述数据库的添加水印标记的所述用户数据块,并将添加水印标记的所述用户数据块发送给所述访问设备。In a possible implementation manner, the blockchain receives the watermarked user data block from the database, and sends the watermarked user data block to the access device.
在一种可能的实现方式中,所述方法还包括:所述获取用户数据申请包括第四密钥,所述第四密钥用于所述数据库对所述用户数据块进行加密,得到所述第三加密信息;所述区块链确定所述访问设备验证成功后,将所述第一行为、所述加密后的用户数据块以及所述第四密钥发送给所述数据库。In a possible implementation, the method further includes: the user data acquisition application includes a fourth key, and the fourth key is used by the database to encrypt the user data block to obtain the Third encrypted information; after the blockchain determines that the access device is successfully verified, it sends the first behavior, the encrypted user data block, and the fourth key to the database.
在一种可能的实现方式中,所述区块链接收来自所述数据库的所述第三加密信息,并将所述第三加密信息发送给所述访问设备。In a possible implementation manner, the blockchain receives the third encrypted information from the database, and sends the third encrypted information to the access device.
在一种可能的实现方式中,所述区块链接收到的来自所述数据库的所述用户数据块,是所述数据库根据来自所述区块链的第一行为确定所述第一密钥后,对来自所述区块链的所述加密后的用户数据块进行解密后得到的;其中,所述第一行为中包含所述第一密钥在所述数据库中的存储地址。In a possible implementation, the user data block from the database received by the block link is determined by the database according to the first behavior from the block chain Then, the encrypted user data block from the blockchain is obtained after decrypting; wherein, the first behavior includes the storage address of the first key in the database.
在一种可能的实现方式中,所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,则所述区块链确定所述访问设备验证成功。In a possible implementation manner, after the access device passes the verification of no less than a threshold number of nodes in the blockchain, the blockchain determines that the verification of the access device is successful.
在一种可能的实现方式中,所述区块链将所述第一密钥发送给所述访问设备之前,所述区块链将第二行为记录到所述智能合约中;其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。In a possible implementation, before the blockchain sends the first key to the access device, the blockchain records the second behavior in the smart contract; wherein, the The second behavior is used to record the behavior of the access device to obtain user data from the blockchain; the second behavior includes the result of the blockchain verifying the access device.
第九方面,本申请实施例提供一种访问行为的记录方法,包括:In a ninth aspect, an embodiment of the present application provides a method for recording access behavior, including:
数据库接收来自区块链对访问设备验证成功的结果、智能合约中的第一行为以及加密 后的用户数据块,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为,所述用户数据块是所述用户数据的全部或部分;所述数据库在确定所述验证成功的结果有效后,根据所述第一行为确定所述用户数据块,并将所述用户数据块通过所述区块链发送给所述访问设备。The database receives the result of successful verification of the access device from the blockchain, the first action in the smart contract, and the encrypted user data block. The act of storing the key in a database, the user data block is all or part of the user data; after the database determines that the result of the successful verification is valid, the user data block is determined according to the first act, And send the user data block to the access device through the blockchain.
基于该方案,本申请实施例中在进行用户数据存储时,将所述用户数据的相关部分信息分别存储到云平台以及数据库等设备中,从而所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。与此同时,通过水印的添加,本申请实施例能更好避免访问方在获得所述用户数据后将所述用户数据恶意分享给其他实体。Based on this solution, in the embodiment of the application, when user data is stored, the relevant part of the user data is stored in the cloud platform, database and other equipment, so that only any device in the access behavior recording system is stored Some information related to user data needs to be combined with all devices in the system to obtain user data. Therefore, it effectively reduces the risk of user data leakage due to an attack on a device in the system and cannot be traced back. A high-security method for recording access behavior based on a blockchain network is proposed. At the same time, through the addition of the watermark, the embodiments of the present application can better prevent the visitor from maliciously sharing the user data with other entities after obtaining the user data.
在一种可能的实现方式中,所述数据库根据所述第一行为确定第一密钥;所述数据库根据所述第一密钥对所述加密后的用户数据块进行解密,并将解密得到的所述用户数据块通过区块链发送给所述访问设备。In a possible implementation manner, the database determines the first key according to the first behavior; the database decrypts the encrypted user data block according to the first key, and decrypts it to obtain The user data block of is sent to the access device through the blockchain.
在一种可能的实现方式中,所述数据库根据所述第一行为确定所述用户数据块;In a possible implementation manner, the database determines the user data block according to the first behavior;
所述数据块对所述用户数据块添加水印标记,并将添加水印标记的所述用户数据块通过所述区块链发送给所述访问设备。The data block adds a watermark to the user data block, and sends the user data block with the watermark added to the access device through the blockchain.
在一种可能的实现方式中,所述方法还包括:所述数据库还接收来自区块链的第四密钥,所述第四密钥是所述区块链从所述访问设备发送的获取用户数据申请中获取的;所述第四密钥用于所述数据库对所述用户数据块进行加密,得到所述第三加密信息。In a possible implementation, the method further includes: the database further receives a fourth key from the blockchain, where the fourth key is obtained by the blockchain from the access device. Obtained in a user data application; the fourth key is used by the database to encrypt the user data block to obtain the third encrypted information.
在一种可能的实现方式中,所述数据库根据所述第一行为确定所述用户数据块;所述数据库根据所述第四密钥对所述用户数据块进行加密,得到所述第三加密信息;所述数据库将所述第三加密信息通过所述区块链发送给所述访问设备。In a possible implementation manner, the database determines the user data block according to the first behavior; the database encrypts the user data block according to the fourth key to obtain the third encryption Information; the database sends the third encrypted information to the access device through the blockchain.
第十方面,本申请实施例提供一种访问行为的记录方法,包括:In a tenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
访问设备安装客户端,并通过区块链向授权服务器发送第一申请,所述第一申请用于授予所述客户端打开所述访问设备获取到的用户数据的权限;所述访问设备通过区块链接收来自所述授权服务器的第一随机数,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。The access device installs the client, and sends a first application to the authorization server through the blockchain, the first application is used to grant the client the right to open the user data obtained by the access device; the access device passes through the area The block chain receives a first random number from the authorization server, the first random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right to open the user data.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第一申请包括所述客户端的标识ID;所述访问设备接收到的所述第一随机数与所述客户端的标识ID一一对应。In a possible implementation manner, the first application includes the identification ID of the client; the first random number received by the access device corresponds to the identification ID of the client in a one-to-one correspondence.
在一种可能的实现方式中,所述第一申请还包括第五密钥,所述第五密钥用于加密所述第一随机数。In a possible implementation manner, the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
在一种可能的实现方式中,所述访问设备通过区块链接收来自所述授权服务器的第四加密信息,所述第四加密信息是所述授权服务器根据所述第五密钥对所述第一随机数进行加密后得到的。In a possible implementation manner, the access device receives fourth encrypted information from the authorization server through a blockchain, and the fourth encrypted information is that the authorization server pairs the The first random number is obtained after encryption.
在一种可能的实现方式中,所述方法还包括:所述访问设备根据所述第五密钥解密所述第四加密信息,获取所述第一随机数。In a possible implementation manner, the method further includes: the access device decrypts the fourth encrypted information according to the fifth key to obtain the first random number.
第十一方面,本申请实施例提供一种访问行为的记录方法,包括:In an eleventh aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收访问设备发送的第一申请,所述第一申请用于授予所述访问设备通过安装的客户端打开所述访问设备获取到的用户数据的权限;所述区块链将所述第一申请发送授权服务器;所述区块链接收来自所述授权服务器的第一随机数,并将所述第一随机数发送给所述访问设备,其中,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。The block chain receives the first application sent by the access device, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client; the block chain transfers the The first application is sent to the authorization server; the blockchain receives the first random number from the authorization server, and sends the first random number to the access device, where the first random number is used to generate A second serial number, where the second serial number is used to verify whether the client has the right to open the user data.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第一申请包括所述客户端的标识ID;所述访问设备接收到的所述第一随机数与所述客户端的标识ID一一对应。In a possible implementation manner, the first application includes the identification ID of the client; the first random number received by the access device corresponds to the identification ID of the client in a one-to-one correspondence.
在一种可能的实现方式中,所述第一申请还包括第五密钥,所述第五密钥用于加密所述第一随机数。In a possible implementation manner, the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
在一种可能的实现方式中,所述区块链接收来自所述授权服务器的第四加密信息,并将所述第四加密信息发送给所述访问设备,所述第四加密信息是所述授权服务器根据所述第五密钥对所述第一随机数进行加密后得到的。In a possible implementation manner, the blockchain receives the fourth encrypted information from the authorization server, and sends the fourth encrypted information to the access device, and the fourth encrypted information is the Obtained after the authorization server encrypts the first random number according to the fifth key.
在一种可能的实现方式中,所述方法还包括:所述区块链将第三行为记录到所述智能合约中;其中,所述第三行为用于记录所述访问设备向所述数据库发送所述第一申请。In a possible implementation, the method further includes: the blockchain recording a third behavior in the smart contract; wherein, the third behavior is used to record the access device to the database Send the first application.
第十二方面,本申请实施例提供一种访问行为的记录方法,包括:In a twelfth aspect, an embodiment of the present application provides a method for recording access behavior, including:
授权服务器通过区块链接收访问设备发送的第一申请,所述第一申请用于授予所述访问设备通过安装的客户端打开所述访问设备获取到的用户数据的权限;所述授权服务器生成第一随机数,并将所述第一随机数发送给所述访问设备,其中,所述第一随机数用于生成第二序列号,所述第二序列号用于验证是所述客户端否有权打开所述用户数据。The authorization server receives the first application sent by the access device through the blockchain, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client; the authorization server generates First random number, and send the first random number to the access device, wherein the first random number is used to generate a second serial number, and the second serial number is used to verify that it is the client Do you have the right to open the user data.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第一申请包括所述客户端的标识ID;所述授权服务器根据所述客户端的标识ID生成所述第一随机数,生成的所述第一随机数与所述客户端的标识ID一一对应。In a possible implementation manner, the first application includes the identification ID of the client; the authorization server generates the first random number according to the identification ID of the client, and the generated first random number is the same as There is a one-to-one correspondence between the identification IDs of the clients.
在一种可能的实现方式中,所述第一申请还包括第五密钥,所述第五密钥用于加密所述第一随机数。In a possible implementation manner, the first application further includes a fifth key, and the fifth key is used to encrypt the first random number.
在一种可能的实现方式中,所述授权服务器根据所述第五密钥对所述第一随机数进行加密,得到所述第四加密信息,并将所述第四加密信息发送给所述访问设备。In a possible implementation manner, the authorization server encrypts the first random number according to the fifth key to obtain the fourth encrypted information, and sends the fourth encrypted information to the Access the device.
第十三方面,本申请实施例提供一种访问行为的记录方法,包括:In a thirteenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
数据记录网元将用户数据存储到云平台;所述数据记录网元确定所述用户数据成功存储到所述云平台后,向区块链发送所述用户数据的存储状态。The data recording network element stores the user data on the cloud platform; after the data recording network element determines that the user data is successfully stored on the cloud platform, it sends the storage status of the user data to the blockchain.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
第十四方面,本申请实施例提供一种访问行为的记录方法,包括:In a fourteenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收数据记录网元发送的用户数据的存储状态,所述存储状态用于指示所述数据记录网元将所述用户数据存储到云平台;所述区块链在确定所述云平台中成功存储所述用户数据后,为所述用户数据分配用户数据ID;所述区块链将所述用户数据ID发送给所述云平台。The blockchain receives the storage status of the user data sent by the data recording network element, and the storage status is used to instruct the data recording network element to store the user data on the cloud platform; the blockchain is determining the cloud platform After the user data is successfully stored in the user data, a user data ID is assigned to the user data; the blockchain sends the user data ID to the cloud platform.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
第十五方面,本申请实施例提供一种访问行为的记录方法,包括:In a fifteenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
云平台接收来自数据记录网元的用户数据,并将所述用户数据存储到本地;The cloud platform receives user data from the data recording network element, and stores the user data locally;
所述云平台接收区块链为所述用户数据分配的用户数据ID,并将所述用户数据与所述用户数据ID关联。The cloud platform receives the user data ID allocated by the blockchain for the user data, and associates the user data with the user data ID.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
第十六方面,本申请实施例提供一种访问行为的记录方法,包括:In a sixteenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
访问设备从云平台获取用户数据以及用户数据ID;所述访问设备向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;所述访问设备接收来自区块链发送的第一序列号;所述访问设备将所述第一序列号输入所述客户端;所述访问设备在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。The access device obtains user data and user data ID from the cloud platform; the access device sends a second application to the blockchain, and the second application is used to request to read the user data through the client; the access device receives data from the district The first serial number sent by the block chain; the access device inputs the first serial number into the client; the access device determines that the client has the right to open the user data according to the first serial number Then, read the user data opened by the client.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第二申请包括所述客户端的标识ID以及所述用户数据ID,所述客户端的标识ID以及所述用户数据ID用于验证所述客户端具有打开所述用户数据的权限。In a possible implementation manner, the second application includes the identification ID of the client and the user data ID. The identification ID and the user data ID of the client are used to verify that the client has the Permission to describe user data.
在一种可能的实现方式中,所述用户数据ID还用于验证所述用户数据的真实性。In a possible implementation manner, the user data ID is also used to verify the authenticity of the user data.
在一种可能的实现方式中,所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,通过所述区块链接收来自授权服务器的所述第一序列号。In a possible implementation manner, the access device receives the first serial number from the authorization server through the blockchain after being verified by the number of nodes in the blockchain that is not less than a threshold.
在一种可能的实现方式中,所述第一序列号是所述授权服务器根据接收到所述第二申请的时间、所述用户数据ID、或所述客户端的标识ID的一项或多项生成的。In a possible implementation, the first serial number is one or more of the authorization server according to the time when the second application is received, the user data ID, or the identification ID of the client Generated.
在一种可能的实现方式中,之前还包括:所述访问设备安装所述客户端,并通过区块链向授权服务器发送第一申请,所述第一申请用于授予所述客户端打开所述用户数据的权限;所述访问设备通过区块链接收来自所述授权服务器的第一随机数,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。In a possible implementation, it also includes: the access device installs the client, and sends a first application to the authorization server through the blockchain, and the first application is used to authorize the client to open the The authority of the user data; the access device receives a first random number from the authorization server through the blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify the Whether the client has the right to open the user data.
在一种可能的实现方式中,所述访问设备将所述第一随机数提供给所述客户端以生成第一随机数生成器;所述客户端将所述第二申请的时间、所述用户数据ID、或所述客户端的标识ID中的一项或多项作为第一随机数生成器的输入参数,生成第二序列号。In a possible implementation manner, the access device provides the first random number to the client to generate a first random number generator; the client sends the time of the second application, the One or more of the user data ID or the identification ID of the client is used as an input parameter of the first random number generator to generate a second serial number.
在一种可能的实现方式中,所述访问设备在所述客户端确定所述第二序列号与所述第一序号相同后,阅读所述客户端打开的所述用户数据。In a possible implementation manner, after the client determines that the second serial number is the same as the first serial number, the access device reads the user data opened by the client.
在一种可能的实现方式中,所述方法还包括:所述访问设备接收来自区块链的第一序列号以及第二随机数;所述访问设备将所述第一序列号以及所述第二随机数输入所述客户端;所述访问设备在所述客户端根据所述第一序列号以及所述第二随机数确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。In a possible implementation, the method further includes: the access device receives the first serial number and the second random number from the blockchain; the access device sends the first serial number and the second random number Two random numbers are input to the client; after the client has the right to open the user data according to the first serial number and the second random number, the access device reads all the files opened by the client Describe user data.
第十七方面,本申请实施例提供一种访问行为的记录方法,包括:In a seventeenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
区块链接收访问设备发送的第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;所述区块链将所述第二申请发送给授权服务器;所述区块链接收所述授权服务器发送的第一序列号,并将所述第一序列号发送给所述访问设备。The block chain receives the second application sent by the access device, the second application is used to request to read the user data through the client; the block chain sends the second application to the authorization server; the block link Receiving the first serial number sent by the authorization server, and sending the first serial number to the access device.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第二申请包括所述客户端的标识ID以及所述用户数据ID,所述客户端的标识ID以及所述用户数据ID用于验证所述客户端具有打开所述用户数据的权限,所述用户数据ID还用于验证所述用户数据的真实性。In a possible implementation manner, the second application includes the identification ID of the client and the user data ID. The identification ID and the user data ID of the client are used to verify that the client has the According to the authority of the user data, the user data ID is also used to verify the authenticity of the user data.
在一种可能的实现方式中,所述区块链将所述第二申请发送给授权服务器之前,还包括:In a possible implementation, before the blockchain sends the second application to the authorization server, the method further includes:
所述区块链确定所述客户端的标识ID有效;和/或所述区块链确定所述用户数据ID有效。The blockchain determines that the identification ID of the client is valid; and/or the blockchain determines that the user data ID is valid.
在一种可能的实现方式中,所述区块链中不小于阈值数量的节点确定所述客户端的标识ID有效;和/或所述区块链中不小于阈值数量的节点确定所述用户数据ID有效。In a possible implementation manner, no less than a threshold number of nodes in the blockchain determines that the identification ID of the client is valid; and/or no less than a threshold number of nodes in the blockchain determines the user data ID is valid.
在一种可能的实现方式中,所述区块链根据所述第二申请中的所述客户端的标识ID查询到智能合约中存在第三行为,所述第三行为用于记录所述访问设备向所述数据库发送第一申请,所述第一申请用于授予所述访问设备通过安装的客户端打开所述访问设备获取到的用户数据的权限。In a possible implementation, the blockchain finds that there is a third behavior in the smart contract according to the identification ID of the client in the second application, and the third behavior is used to record the access device A first application is sent to the database, where the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client terminal.
在一种可能的实现方式中,所述区块链根据所述第二申请中的所述用户数据ID查询 到云平台中存在与所述用户数据ID对应的用户数据。In a possible implementation manner, the blockchain finds that there is user data corresponding to the user data ID in the cloud platform according to the user data ID in the second application.
在一种可能的实现方式中,所述区块链接收所述授权服务器发送的第一序列号以及第二随机数,并将所述第一序列号以及第二随机数发送给所述访问设备。In a possible implementation, the blockchain receives the first serial number and the second random number sent by the authorization server, and sends the first serial number and the second random number to the access device .
在一种可能的实现方式中,所述方法还包括:所述区块链将第四行为记录到所述智能合约中;其中,所述第四行为用于记录所述访问设备向所述授权服务器发送所述第二申请。In a possible implementation, the method further includes: the blockchain recording a fourth behavior in the smart contract; wherein the fourth behavior is used to record the authorization of the access device to the The server sends the second application.
第十八方面,本申请实施例提供一种访问行为的记录方法,包括:In an eighteenth aspect, an embodiment of the present application provides a method for recording access behavior, including:
授权服务器通过区块链接收来自访问设备的第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;所述授权服务器根据所述第二申请,生成第一序列号;所述授权服务器通过所述区块链将所述第一序列号发送给所述访问设备。The authorization server receives a second application from the access device through the blockchain, the second application is used to request the client to read the user data; the authorization server generates the first serial number according to the second application; The authorization server sends the first serial number to the access device through the blockchain.
基于该方案,本实施例通过将管理域延伸到访问方的客户端,进一步提升了数据访问行为记录的能力和可信度。能够进一步有效地控制所述用户数据在访问之后的利用,如将所述用户数据访发送给其他访问方,甚至是访问方本身对相同用户数据的二次访问,都将在区块链中记录下来,否则无法阅读有效信息。Based on this solution, this embodiment further improves the ability and credibility of data access behavior recording by extending the management domain to the client of the accessing party. It can further effectively control the use of the user data after the visit, such as sending the user data visits to other visiting parties, or even the visitor's own secondary visits to the same user data, will be recorded in the blockchain Otherwise, the effective information cannot be read.
在一种可能的实现方式中,所述第二申请包括所述客户端的标识ID以及所述用户数据ID,所述客户端的标识ID以及所述用户数据ID用于验证所述客户端具有打开所述用户数据的权限,所述用户数据ID还用于验证所述用户数据的真实性。In a possible implementation manner, the second application includes the identification ID of the client and the user data ID. The identification ID and the user data ID of the client are used to verify that the client has the According to the authority of the user data, the user data ID is also used to verify the authenticity of the user data.
在一种可能的实现方式中,所述授权服务器根据所述第二申请中的客户端标识ID确定所述客户端对应的第一随机数生成器;所述授权服务器将所述第二申请的申请时间和所述用户数据ID作为所述第一随机数生成器的输入参数,生成所述第一序列号;其中,所述第一随机数生成器是所述授权服务器根据第一随机数生成的。In a possible implementation manner, the authorization server determines the first random number generator corresponding to the client according to the client identification ID in the second application; The application time and the user data ID are used as input parameters of the first random number generator to generate the first serial number; wherein, the first random number generator is generated by the authorization server according to the first random number of.
在一种可能的实现方式中,还包括:所述授权服务器生成第二随机数,并通过所述区块链将所述第一序列号以及所述第二随机数发送给所述访问设备。In a possible implementation manner, the method further includes: the authorization server generates a second random number, and sends the first serial number and the second random number to the access device through the blockchain.
在一种可能的实现方式中,所述授权服务器根据所述第二申请中的客户端标识ID确定所述客户端对应的第一随机数;所述授权服务器根据所述第一随机数以及所述第二随机数生成所述第二随机数生成器;所述授权服务器将所述第二申请的申请时间和所述用户数据ID作为所述第二随机数生成器的输入参数,生成所述第一序列号。In a possible implementation, the authorization server determines the first random number corresponding to the client according to the client identification ID in the second application; the authorization server determines the first random number corresponding to the client according to the first random number and the The second random number generates the second random number generator; the authorization server uses the application time of the second application and the user data ID as input parameters of the second random number generator to generate the The first serial number.
第十九方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的数据记录网元的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In a nineteenth aspect, an embodiment of the present application provides an access behavior recording device, which has the function of realizing the data recording network element in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述数据记录网元,或者是可用于所述数据记录网元的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述数据记录网元相应功能,该收发器用于支持该装置与区块链和数据库等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the data recording network element, or a component that can be used for the data recording network element, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the above-mentioned data recording network element, and the transceiver is used to support the communication between the device and the blockchain, the database, and the like. Optionally, the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的区块链的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In a twentieth aspect, an embodiment of the present application provides an access behavior recording device, which has the function of realizing the blockchain in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述区块链,或者是可用于所述区块链的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述区块链的相应功能,该收发器用于支持该装置与数据记录网元、访问设备、数据库、授权服务器等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the blockchain, or a component that can be used in the blockchain, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the above-mentioned blockchain, and the transceiver is used to support the communication between the device and the data recording network element, the access device, the database, the authorization server, and the like. Optionally, the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十一方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的数据库的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the twenty-first aspect, an embodiment of the present application provides an access behavior recording device, which has the function of realizing the database in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述数据库,或者是可用于所述数据库的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述数据库的相应功能,该收发器用于支持该装置与数据记录网元、访问设备、区块链、授权服务器等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the database, or a component that can be used in the database, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the above-mentioned database, and the transceiver is used to support the communication between the device and the data recording network element, the access device, the blockchain, the authorization server, and the like. Optionally, the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十二方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的访问设备的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the twenty-second aspect, an embodiment of the present application provides an access behavior recording device, which has the function of implementing the access device in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述访问设备,或者是可用于所述访问设备的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述访问设备的相应功能,该收发器用于支持该装置与数据记录网元、数据库、区块链、授权服务器等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the access device, or a component that can be used for the access device, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the access device described above, and the transceiver is used to support the communication between the device and the data recording network element, database, blockchain, authorization server, etc. Optionally, the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十二方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的授权服务器的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the twenty-second aspect, an embodiment of the present application provides an access behavior recording device, which has the function of implementing the authorization server in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述授权服务器,或者是可用于所述授权服务器的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述授权服务器的相应功能,该收发器用于支持该装置与数据记录网元、数据库、区块链、访问设备等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the authorization server, or a component that can be used in the authorization server, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the above-mentioned authorization server, and the transceiver is used to support the communication between the device and the data recording network element, database, blockchain, access device, etc. Optionally, the device may further include a memory, which may be coupled with the processor, and stores the necessary program instructions and data of the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十三方面,本申请实施例提供一种访问行为的记录装置,该装置具有实现上述实施例中的云平台的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的单元或模块。In the twenty-third aspect, an embodiment of the present application provides an access behavior recording device, which has the function of realizing the cloud platform in the foregoing embodiment. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above-mentioned functions.
其中,该装置可以是所述云平台,或者是可用于所述云平台的部件,例如芯片或芯片系统或者电路,该装置可以包括:收发器和处理器。该处理器可被配置为支持该装置执行以上所述云平台的相应功能,该收发器用于支持该装置与数据记录网元、区块链、访问设备等之间的通信。可选地,该装置还可以包括存储器,该存储器可以与处理器耦合,其保 存该装置必要的程序指令和数据。其中,收发器可以为独立的接收器、独立的发射器、集成收发功能的收发器、或者是接口电路。Wherein, the device may be the cloud platform, or a component that can be used in the cloud platform, such as a chip or a chip system or circuit, and the device may include a transceiver and a processor. The processor may be configured to support the device to perform the corresponding functions of the cloud platform described above, and the transceiver is used to support the communication between the device and the data recording network element, blockchain, access equipment, and the like. Optionally, the device may further include a memory, which may be coupled with the processor, and which stores program instructions and data necessary for the device. Among them, the transceiver may be an independent receiver, an independent transmitter, a transceiver with integrated transceiver functions, or an interface circuit.
第二十四方面,本申请实施例还提供了一种数据记录网元,该数据记录网元可以用来执行上述第一方面或第十三方面的任意可能的实现方式中的操作。例如,所述数据记录网元可以包括用于执行上述第一方面或第十三方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-fourth aspect, the embodiments of the present application also provide a data recording network element, which can be used to perform operations in any possible implementation manner of the first aspect or the thirteenth aspect. For example, the data recording network element may include modules or units for performing each operation in any possible implementation manner of the first aspect or the thirteenth aspect. For example, it includes a processing unit and a communication unit.
第二十五方面,本申请实施例还提供了一种区块链,该区块链可以用来执行上述第二方面、第五方面、第八方面、第十一方面、第十四方面以及第十七方面的任意可能的实现方式中的操作。例如,所述区块链可以包括用于执行上述第二方面、第五方面、第八方面、第十一方面、第十四方面以及第十七方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-fifth aspect, the embodiments of the present application also provide a block chain, which can be used to execute the above-mentioned second, fifth, eighth, eleventh, fourteenth and Operations in any possible implementation of the seventeenth aspect. For example, the blockchain may include various operations for performing any possible implementation of the second, fifth, eighth, eleventh, fourteenth, and seventeenth aspects described above. Module or unit. For example, it includes a processing unit and a communication unit.
第二十六方面,本申请实施例还提供了一种数据库,该数据库可以用来执行上述第三方面、第六方面以及第九方面的任意可能的实现方式中的操作。例如,所述数据库可以包括用于执行上述第三方面、第六方面以及第九方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-sixth aspect, the embodiments of the present application also provide a database, which can be used to perform operations in any possible implementation manner of the third aspect, the sixth aspect, and the ninth aspect. For example, the database may include modules or units for performing each operation in any possible implementation manner of the third aspect, the sixth aspect, and the ninth aspect. For example, it includes a processing unit and a communication unit.
第二十七方面,本申请实施例还提供了一种访问设备,该访问设备可以用来执行上述第四方面、第七方面、第十方面以及第十六方面的任意可能的实现方式中的操作。例如,所述访问设备可以包括用于执行上述第四方面、第七方面、第十方面以及第十六方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-seventh aspect, the embodiments of the present application also provide an access device, which can be used to execute any of the foregoing fourth, seventh, tenth, and sixteenth aspects. operate. For example, the access device may include modules or units for performing each operation in any possible implementation manner of the foregoing fourth aspect, seventh aspect, tenth aspect, and sixteenth aspect. For example, it includes a processing unit and a communication unit.
第二十八方面,本申请实施例还提供了一种授权服务器,该授权服务器可以用来执行上述第十二方面以及第十八方面的任意可能的实现方式中的操作。例如,所述授权服务器可以包括用于执行上述第十二方面以及第十八方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-eighth aspect, an embodiment of the present application also provides an authorization server, which can be used to perform the operations in the twelfth aspect and any possible implementation manner of the eighteenth aspect. For example, the authorization server may include modules or units for performing each operation in any possible implementation manner of the above-mentioned twelfth aspect and the eighteenth aspect. For example, it includes a processing unit and a communication unit.
第二十九方面,本申请实施例还提供了一种云平台,该云平台可以用来执行上述第十五方面的任意可能的实现方式中的操作。例如,所述云平台可以包括用于执行上述第十五方面的任意可能的实现方式中的各个操作的模块或单元。比如包括处理单元和通信单元。In the twenty-ninth aspect, the embodiments of the present application also provide a cloud platform, which can be used to perform operations in any possible implementation manner of the fifteenth aspect described above. For example, the cloud platform may include modules or units for performing various operations in any possible implementation manner of the fifteenth aspect described above. For example, it includes a processing unit and a communication unit.
第三十方面,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括数据记录网元、区块链和数据库。其中,所述数据记录网元可以用于执行上述第一方面或第一方面中的任意一种方法;所述区块链可以用于执行上述第二方面或第二方面中的任意一种方法;所述数据库可以用于执行上述第三方面或第三方面中的任意一种方法;In a thirtieth aspect, an embodiment of the present application provides a system for recording access behaviors. The system for recording access behaviors includes a data recording network element, a blockchain, and a database. Wherein, the data recording network element can be used to execute any method in the first aspect or the first aspect; the blockchain can be used to execute any method in the second aspect or the second aspect above ; The database can be used to execute any one of the above-mentioned third aspect or the third aspect;
本申请一种可选的方式,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括访问设备、区块链和数据库。其中,所述访问设备可以用于执行上述第四方面或第四方面中的任意一种方法;所述区块链可以用于执行上述第五方面或第五方面中的任意一种方法;所述数据库可以用于执行上述第六方面或第六方面中的任意一种方法;In an optional manner of the present application, an embodiment of the present application provides a system for recording access behavior. The system for recording access behavior includes an access device, a blockchain, and a database. Wherein, the access device can be used to execute any one of the methods in the fourth aspect or the fourth aspect; the blockchain can be used to execute any one of the methods in the fifth aspect or the fifth aspect; The database can be used to execute any one of the above-mentioned sixth aspect or the sixth aspect;
本申请一种可选的方式,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括访问设备、区块链和数据库。其中,所述访问设备可以用于执行上述第七方面或第七方面中的任意一种方法;所述区块链可以用于执行上述第八方面或第八方面中的任意一种方法;所述数据库可以用于执行上述第九方面或第九方面中的任意一种方法;In an optional manner of the present application, an embodiment of the present application provides a system for recording access behavior. The system for recording access behavior includes an access device, a blockchain, and a database. Wherein, the access device can be used to execute any one of the methods in the seventh aspect or the seventh aspect; the blockchain can be used to execute any one of the methods in the eighth aspect or the eighth aspect; The database can be used to execute any one of the above-mentioned ninth aspect or the ninth aspect;
本申请一种可选的方式,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括访问设备、区块链和授权服务器。其中,所述访问设备可以用于执行上述第 十方面或第十方面中的任意一种方法;所述区块链可以用于执行上述第十一方面或第十一方面中的任意一种方法;所述授权服务器可以用于执行上述第十二方面或第十二方面中的任意一种方法;In an optional manner of the present application, an embodiment of the present application provides a system for recording access behavior. The system for recording access behavior includes an access device, a blockchain, and an authorization server. Wherein, the access device may be used to execute any method in the tenth aspect or the tenth aspect; the blockchain may be used to execute any method in the eleventh aspect or the eleventh aspect ; The authorization server can be used to execute any one of the above-mentioned twelfth aspect or the twelfth aspect;
本申请一种可选的方式,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括访问设备、区块链和授权服务器。其中,所述访问设备可以用于执行上述第十六方面或第十六方面中的任意一种方法;所述区块链可以用于执行上述第十七方面或第十七方面中的任意一种方法;所述授权服务器可以用于执行上述第十八方面或第十八方面中的任意一种方法;In an optional manner of the present application, an embodiment of the present application provides a system for recording access behavior. The system for recording access behavior includes an access device, a blockchain, and an authorization server. Wherein, the access device can be used to execute any one of the aforementioned sixteenth aspect or the sixteenth aspect; the blockchain can be used to execute any one of the aforementioned seventeenth aspect or the seventeenth aspect A method; the authorization server can be used to execute any one of the eighteenth aspect or the eighteenth aspect;
本申请一种可选的方式,本申请实施例提供一种访问行为的记录系统,该访问行为的记录系统包括数据记录网元、区块链和云平台。其中,所述数据记录网元可以用于执行上述第十三方面或第十三方面中的任意一种方法;所述区块链可以用于执行上述第十四方面或第十四方面中的任意一种方法;所述云平台可以用于执行上述第十五方面或第十五方面中的任意一种方法。In an optional manner of the present application, an embodiment of the present application provides a system for recording access behavior, and the system for recording access behavior includes a data recording network element, a blockchain, and a cloud platform. Wherein, the data recording network element can be used to execute any one of the aforementioned thirteenth aspect or the thirteenth aspect; the blockchain can be used to execute the aforementioned fourteenth aspect or the fourteenth aspect Any method; the cloud platform can be used to execute any one of the fifteenth aspect or the fifteenth aspect described above.
第三十一方面,本申请提供了一种芯片系统,包括处理器。可选地,还可包括存储器,存储器用于存储计算机程序,处理器用于从存储器中调用并运行计算机程序,使得安装有芯片系统的通信装置执行上述第一方面至第十八方面中任意一面;或者执行上述第一方面至第十八方面中的任意一种方法。In the thirty-first aspect, the present application provides a chip system including a processor. Optionally, it may further include a memory, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the communication device installed with the chip system executes any one of the first aspect to the eighteenth aspect; Or execute any one of the methods from the first aspect to the eighteenth aspect described above.
第三十二方面,本申请实施例提供一种计算机存储介质,计算机存储介质中存储有指令,当其在通信装置上运行时,使得该通信装置执行上述第一方面至第十八方面中任意一面;或执行上述第一方面至第十八方面中的任意一种方法。In a thirty-second aspect, an embodiment of the present application provides a computer storage medium. The computer storage medium stores instructions that, when run on a communication device, cause the communication device to execute any of the first to eighteenth aspects above. One side; or implement any one of the methods from the first aspect to the eighteenth aspect above.
第三十三方面,本申请实施例提供一种包含指令的计算机程序产品,当其在通信装置上运行时,使得该通信装置执行上述第一方面至第十八方面中任意一面;或执行上述第一方面至第十八方面中的任意一种方法。In a thirty-third aspect, an embodiment of the present application provides a computer program product containing instructions that, when run on a communication device, causes the communication device to execute any one of the first aspect to the eighteenth aspect; or execute the foregoing Any one of the methods from the first aspect to the eighteenth aspect.
附图说明Description of the drawings
图1为本申请提供的第一种通信系统架构图;Figure 1 is a diagram of the first communication system architecture provided by this application;
图2为本申请提供的一种基于数据存储记录阶段访问行为的记录的方法流程示意图;FIG. 2 is a schematic flow chart of a method for recording access behaviors based on the data storage recording stage provided by this application;
图3为本申请提供的第二种通信系统架构图;Figure 3 is a diagram of the second communication system architecture provided by this application;
图4为本申请提供的第一种基于数据访问记录阶段访问行为的记录的方法流程示意图;FIG. 4 is a schematic flowchart of the first method for recording access behaviors based on the data access recording stage provided by this application;
图5为本申请提供的第二种基于数据访问记录阶段访问行为的记录的方法流程示意图;FIG. 5 is a schematic flowchart of the second method for recording access behaviors based on the data access recording stage provided by this application;
图6为本申请提供的第三种通信系统架构图;Figure 6 is a diagram of the third communication system architecture provided by this application;
图7为本申请提供的一种客户端部署的方法流程示意图;FIG. 7 is a schematic flowchart of a client deployment method provided by this application;
图8为本申请提供的第四种通信系统架构图;Figure 8 is a diagram of the fourth communication system architecture provided by this application;
图9为本申请提供的一种基于数据存储记录阶段访问行为的记录的方法流程示意图;FIG. 9 is a schematic flow chart of a method for recording access behaviors based on the data storage recording stage provided by this application;
图10为本申请提供的第五种通信系统架构图;FIG. 10 is a diagram of the fifth communication system architecture provided by this application;
图11为本申请提供的第一种基于数据访问记录阶段访问行为的记录的方法流程示意图;FIG. 11 is a schematic flow chart of the first method for recording access behavior based on data access recording stage provided by this application;
图12为本申请提供的第二种基于数据访问记录阶段访问行为的记录的方法流程示意图;FIG. 12 is a schematic flowchart of the second method for recording access behaviors based on the data access recording stage provided by this application;
图13为本申请提供的第一种数据记录单元示意图;FIG. 13 is a schematic diagram of the first data recording unit provided by this application;
图14为本申请提供的第二种数据记录单元示意图;FIG. 14 is a schematic diagram of the second type of data recording unit provided by this application;
图15为本申请提供的第一种区块链示意图;Figure 15 is a schematic diagram of the first blockchain provided by this application;
图16为本申请提供的第二种区块链示意图;Figure 16 is a schematic diagram of the second type of blockchain provided by this application;
图17为本申请提供的第一种数据库示意图;Figure 17 is a schematic diagram of the first database provided by this application;
图18为本申请提供的第二种数据库示意图;Figure 18 is a schematic diagram of the second type of database provided by this application;
图19为本申请提供的第一种访问设备示意图;Figure 19 is a schematic diagram of the first access device provided by this application;
图20为本申请提供的第二种访问设备示意图;Figure 20 is a schematic diagram of the second type of access device provided by this application;
图21为本申请提供的第一种授权服务器示意图;Figure 21 is a schematic diagram of the first authorization server provided by this application;
图22为本申请提供的第二种授权服务器示意图。Figure 22 is a schematic diagram of the second authorization server provided by this application.
具体实施方式Detailed ways
下面将结合附图对申请实施例的具体实施过程进行详尽的描述。The specific implementation process of the application embodiment will be described in detail below in conjunction with the accompanying drawings.
目前在通信过程中,为避免用户数据的非受控扩散等各种风险,需要对访问方针对用户数据的访问行为进行记录,以便对访问记录进行追溯。为此,在进行通信访问过程中,一方面需要保证每个访问的行为均能被如实地记录下来,另一方面还需要保证追溯的访问记录是完整的,未被破坏和修改的。At present, in the communication process, in order to avoid various risks such as uncontrolled proliferation of user data, it is necessary to record the access behavior of the visitor to the user data in order to trace the access record. For this reason, in the communication access process, on the one hand, it is necessary to ensure that each access behavior can be accurately recorded, and on the other hand, it is also necessary to ensure that the traced access record is complete and has not been damaged or modified.
与此同时,随着区块链技术的不断发展,基于区块链去中心化以及采用分布式账本技术所具有的不可篡改性等特点,使得区块链系统对于用户数据的历史访问行为具有可信记录和保存的能力。因此,在通信过程中,也逐渐致力于打造基于区块链系统进行的访问行为的追溯。At the same time, with the continuous development of blockchain technology, based on the decentralization of the blockchain and the non-tamperable characteristics of the use of distributed ledger technology, the blockchain system can be used for historical access to user data. The ability to record and preserve letters. Therefore, in the communication process, it is gradually committed to creating the traceability of access behavior based on the blockchain system.
其中,一种现有基于区块链进行访问行为追溯的方法为:Among them, an existing method for tracing access behavior based on blockchain is:
将数据库、区块链系统以及查询系统等整体作为一个封闭的用于进行访问行为追溯的系统。所述访问行为追溯系统中,所述数据库中存放用户数据,且只有区块链系统才具有调用该数据库的接口。所述区块链系统负责认证访问者的身份,鉴别访问者对被访问数据的访问能力,并记录访问日志。所述查询系统作为整个访问行为追溯系统的唯一对外接口,用于将访问用户的查询请求过滤和翻译,并将请求重定向到区块链系统,从而使区块链通过智能合约审查用户的身份以及访问权限,在确定用户能够对请求数据进行访问后,从数据库系统中获取数据,并记录每一次数据的访问操作。The database, blockchain system, and query system are regarded as a closed system for tracing access behavior. In the access behavior tracing system, user data is stored in the database, and only the blockchain system has an interface to call the database. The blockchain system is responsible for authenticating the identity of the visitor, identifying the visitor's ability to access the accessed data, and recording the visit log. The query system serves as the only external interface of the entire access behavior tracing system, which is used to filter and translate the query request of the visiting user, and redirect the request to the blockchain system, so that the blockchain can review the user's identity through a smart contract And access authority, after confirming that the user can access the requested data, obtain the data from the database system and record every data access operation.
然而,因为这个封闭架构的管理者实际上掌握了整个系统的操控,使得这个封闭的进行访问行为追溯的系统已然不具备任何区块链的特点,因此也不具备区块链的诸多安全特性。However, because the administrator of this closed architecture actually controls the entire system, this closed system for tracing access behavior does not have any blockchain features, and therefore does not have many security features of the blockchain.
另一种现有基于区块链进行访问行为追溯的方法为:Another existing method for tracing access behavior based on blockchain is:
将数据加密存放于公开存储平台(一般为云存储中),而密钥以区块链智能合约的形式进行保护。所述智能合约除包含对密钥的管理,还包含了数据的访问控制模型,例如哪些访问者可以访问,访问行为的记录模式等,这种记录在智能合约的信息称为元数据。当访问者申请访问某个数据时,首先向区块链网络提出请求,区块链网络调用智能合约鉴别用户的身份和访问能力,为访问者分发密钥,并通过合约账户的状态变迁记录访问者的访问行为。The data is encrypted and stored in a public storage platform (usually in cloud storage), and the key is protected in the form of a blockchain smart contract. In addition to the management of keys, the smart contract also includes a data access control model, such as which visitors can access, and the recording mode of access behavior. Such information recorded in the smart contract is called metadata. When a visitor applies for access to certain data, he first makes a request to the blockchain network. The blockchain network calls the smart contract to identify the user's identity and access capabilities, distributes keys to the visitor, and records the visit through the state change of the contract account The visitor’s behavior.
然而,在集中式管理中,攻击者需要控制这个唯一的服务器才能达到攻击目的,而在去中心化模式下,攻击者只需要控制任何一个记录账本的节点即可。因此,该种方式中, 若访问者只控制任意一个区块链验证节点,让其以单独离线的方式执行一遍智能合约,调出元数据完成访问数据的目的,之后回退程序抹去记录,则存在巨大安全隐患。However, in centralized management, the attacker needs to control the only server to achieve the purpose of the attack, while in the decentralized mode, the attacker only needs to control any node that records the ledger. Therefore, in this method, if the visitor only controls any blockchain verification node, let him execute the smart contract in a separate offline manner, call out the metadata to complete the purpose of accessing the data, and then the program will be rolled back to erase the record. There are huge security risks.
为解决上述问题,本申请实施例提供了至少一种访问行为的记录方法。本申请实施例的技术方案可以应用于各种通信系统,例如:长期演进(long term evolution,LTE)系统,全球互联微波接入(worldwide interoperability for microwave access,WiMAX)通信系统,未来的第五代(5th Generation,5G)系统,如新一代无线接入技术(new radio access technology,NR),及未来的通信系统,如6G系统等。In order to solve the foregoing problems, the embodiments of the present application provide at least one method for recording access behaviors. The technical solutions of the embodiments of this application can be applied to various communication systems, such as long term evolution (LTE) systems, worldwide interoperability for microwave access (WiMAX) communication systems, and the fifth generation of the future (5th Generation, 5G) systems, such as new radio access technology (NR), and future communication systems, such as 6G systems.
以5G系统(也可以称为new radio系统)为例,具体来说,本申请实施例主要通过利用区块链管理访问能力的方法,来保证访问者只有在和区块链账本维护节点进行交互之后才具有访问数据的能力,其中,所述访问数据的能力与访问权限无关。另外,本申请实施例中所述访问行为的记录系统中任何一个装置只存有与用户数据相关的部分信息,需要结合所述系统中的所有装置才能获取用户数据,因此,有效降低了因系统中某个装置被攻击,造成用户数据泄露的,且无法追溯的风险,提供了一种安全性较高的,基于区块链网络实现访问行为的记录的方法。Take the 5G system (also known as the new radio system) as an example. Specifically, the embodiment of this application mainly uses the method of blockchain management access capability to ensure that visitors only interact with the blockchain ledger maintenance node After that, it has the ability to access data, where the ability to access data has nothing to do with access rights. In addition, any device in the access behavior recording system described in the embodiment of the present application only stores part of information related to user data, and it is necessary to combine all devices in the system to obtain user data. Therefore, the system A certain device is attacked, which causes the risk of user data leakage and cannot be traced back. It provides a safer method for recording access behavior based on a blockchain network.
以下再对本申请实施例中涉及的部分用语进行解释说明,以便于理解。Hereinafter, some terms involved in the embodiments of the present application will be explained to facilitate understanding.
1)智能合约,本质上是一段在区块链中运行的程序,由事件驱动执行。具有确定性、实时性、自治性、可观察、可验证、去中心化方面的特点,在数字金融、大数据、物联网等方面具有广泛的研究和应用。1) A smart contract is essentially a program that runs in the blockchain and is executed by events. It has the characteristics of determinism, real-time, autonomy, observability, verifiability, and decentralization, and has extensive research and applications in digital finance, big data, and the Internet of Things.
其中,基于区块链的智能合约包含数据的接收、处理和状态记录。当合约账户接收到某个或某几个输入信息满足状态转移的触发条件,则根据预设信息选择合约动作自动执行,并记录当前状态。因此,智能合约作为一种计算机技术,能够保证在不引入可信第三方的条件下,强制履行合约,保证合约程序的可信安全。Among them, the smart contract based on the blockchain includes data reception, processing and status recording. When the contract account receives one or several input information that meets the trigger condition of the state transition, the contract action is selected according to the preset information to be automatically executed, and the current state is recorded. Therefore, as a kind of computer technology, smart contract can ensure the mandatory performance of the contract without introducing a trusted third party, and ensure the credibility and security of the contract procedure.
进一步的,本申请实施例中所述智能合约中包含有数据记录网元将用户数据存储到云平台的行为、访问设备获取用户数据申请的行为以及数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为等等。Further, the smart contract in the embodiment of the application includes the behavior of the data recording network element to store user data on the cloud platform, the behavior of the access device to obtain the user data application, and the data recording network element to transfer all data through the blockchain. The act of storing the first key in the database and so on.
2)区块链,是分布式数据存储、点对点传输、共识机制、加密算法等计算机技术的新型应用模式,它本质上是一个去中心化的数据库。其中,区块链技术不依赖额外的第三方管理机构或硬件设施,没有中心管制,除了自成一体的区块链本身,通过分布式核算和存储,各个节点实现了信息自我验证、传递和管理。其中,去中心化是区块链最突出最本质的特征。2) Blockchain is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm, etc. It is essentially a decentralized database. Among them, the blockchain technology does not rely on additional third-party management agencies or hardware facilities, and there is no central control. In addition to the self-contained blockchain itself, through distributed accounting and storage, each node realizes information self-verification, transmission and management . Among them, decentralization is the most prominent and essential feature of blockchain.
3)共识机制,是指区块链中的节点之间怎么达成共识,去认定一个记录的有效性,这既是认定的手段,也是防止篡改的手段。所述共识机制具备“少数服从多数”以及“人人平等”的特点,其中“少数服从多数”并不完全指节点个数,也可以是计算能力、股权数或者其他的计算机可以比较的特征量。“人人平等”是当节点满足条件时,所有节点都有权优先提出共识结果、直接被其他节点认同后并最后有可能成为最终共识结果。3) Consensus mechanism refers to how to reach a consensus between nodes in the blockchain to determine the validity of a record. This is not only a means of identification, but also a means of preventing tampering. The consensus mechanism has the characteristics of "minority obeys the majority" and "everyone is equal", where "minority obeys the majority" does not completely refer to the number of nodes, but can also be computing power, number of shares, or other computer-comparable features . "Everyone is equal" means that when nodes meet the conditions, all nodes have the right to give priority to the consensus result, which may be the final consensus result after being directly recognized by other nodes.
4)共识结果,是指所述区块链中达到阈值数量的节点执行共识机制的结果。4) Consensus result refers to the result of the implementation of the consensus mechanism by nodes in the blockchain that have reached a threshold number.
另外,本申请实施例中的术语“至少一个”是指一个或者多个,“多个”是指两个或两个以上。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B的情况,其中,A,B可以是单数或者复数。字符“/”一般表示前后关联对象是一种“或”的关系。以下至少一项(个)下或 其类似表达,是指的这些项中的任意组合,包括单项(个)或复数项(个)的任意组合。例如,a,b,或c中的至少一项(个),可以表示:a,b,c,a-b,a-c,b-c,或a-b-c,其中a,b,c可以是单个,也可以是多个。In addition, the term "at least one" in the embodiments of the present application refers to one or more, and "multiple" refers to two or more than two. "And/or" describes the association relationship of the associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone, where A , B can be singular or plural. The character "/" generally indicates that the associated objects before and after are in an "or" relationship. The following at least one item (item) or its similar expressions refer to any combination of these items, including any combination of single item (item) or plural items (item). For example, at least one of a, b, or c can mean: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple .
除非有相反的说明,本申请实施例提及“第一”、“第二”等序数词是用于对多个对象进行区分,不用于限定多个对象的顺序、时序、优先级或者重要程度。Unless otherwise stated, the ordinal numbers such as "first" and "second" mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority, or importance of multiple objects. .
此外,本申请实施例和权利要求书及附图中的术语“包括”和“具有”不是排他的。例如,包括了一系列步骤或模块的过程、方法、系统、产品或设备,不限定于已列出的步骤或模块,还可以包括没有列出的步骤或模块。In addition, the terms "including" and "having" in the embodiments of the present application, claims and drawings are not exclusive. For example, a process, method, system, product, or device that includes a series of steps or modules is not limited to the listed steps or modules, and may also include unlisted steps or modules.
下面,针对本申请实施例提供的多种访问行为的记录方法,分别举例进行介绍。In the following, the methods for recording multiple access behaviors provided by the embodiments of the present application are respectively introduced by examples.
一、本申请实施例中第一种访问行为的记录方法:1. The first recording method of access behavior in the embodiment of this application:
其中,在该种访问行为的记录方法中,本申请实施例主要过程包括数据存储记录阶段和数据访问记录阶段两个阶段,针对不同阶段,本申请实施例结合附图分别举例进行介绍。Among them, in this access behavior recording method, the main process of the embodiment of the present application includes two stages: a data storage recording phase and a data access recording phase. For different stages, the embodiments of the present application will be introduced by examples in conjunction with the accompanying drawings.
阶段一、数据存储记录阶段。Phase one, data storage and recording phase.
为便于理解本申请实施例,首先以图1中示出的访问行为的记录系统为例,详细说明本申请实施例在数据存储记录阶段适用的记录系统。如图1所示,该记录系统包括数据记录网元100、区块链101、数据库102和云平台103。To facilitate the understanding of the embodiment of the present application, firstly, the recording system of the access behavior shown in FIG. 1 is taken as an example to describe in detail the recording system applicable to the embodiment of the present application in the data storage and recording stage. As shown in FIG. 1, the recording system includes a data recording network element 100, a blockchain 101, a database 102 and a cloud platform 103.
数据记录网元100,数据存储方,用于在获得用户的上下文用户数据后,将用户数据安全记录在运营商联盟共同信任的平台(例如,云平台103),以及通过区块链101对所述用户数据进行管理。The data recording network element 100, the data storage party, is used to securely record the user data on a platform jointly trusted by the operator alliance (for example, the cloud platform 103) after obtaining the user's contextual user data, and to check the user data through the blockchain 101 The user data is managed.
区块链101,是一种分布式账本的安全实现,以区块作为数据结构存储行为信息,每个区块包含区块体和区块头。其中,区块体存储行为内容,例如,所述区块体存储所述数据记录网元100通过所述区块链101将第一密钥存储到数据库的行为。所述行为内容根据本申请实施例一种实现方式中应用场景需要,可以为数据记录、访问记录或执行记录中的一种或多种等;区块头存储时间戳、行为的哈希汇总结果,以及使之和前序区块形成链式结构的必要信息。 Blockchain 101 is a security implementation of distributed ledger. Blocks are used as data structures to store behavioral information. Each block contains a block body and a block header. Wherein, the block body stores the behavior content, for example, the block body stores the behavior of the data recording network element 100 storing the first key in the database through the blockchain 101. The content of the behavior may be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior, And the necessary information to make it and the previous block form a chain structure.
数据库102,具有存储和处理功能,其中,所述数据库102用于存储所述记录系统中的相关数据信息,以及根据接收到的信息更新存储的数据信息。另外,所述数据库102还可以根据接收到的信息返回对应信息。示例性的,本申请实施例中的数据库,用于存储本申请实施例中加密用户数据的密钥,例如,第一密钥。The database 102 has storage and processing functions. The database 102 is used to store relevant data information in the recording system, and to update the stored data information according to the received information. In addition, the database 102 may also return corresponding information according to the received information. Exemplarily, the database in the embodiment of the present application is used to store the key used to encrypt user data in the embodiment of the present application, for example, the first key.
云平台103,具有存储和处理功能,其中,所述云平台103用于存储所述记录系统中的相关数据信息,以及根据接收到的信息更新存储的数据信息。另外,所述云平台103还可以根据接收到的信息返回对应信息。示例性的,本申请实施例中的云平台103,用于存储本申请实施例中所述数据记录网元100发送的加密后的用户数据。The cloud platform 103 has storage and processing functions. The cloud platform 103 is used to store relevant data information in the recording system, and update the stored data information according to the received information. In addition, the cloud platform 103 may also return corresponding information according to the received information. Exemplarily, the cloud platform 103 in the embodiment of the present application is used to store the encrypted user data sent by the data recording network element 100 in the embodiment of the present application.
其中,本申请实施例描述的系统架构以及业务场景是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。应理解,图1仅为便于理解而示例的简化示意图,该记录系统中还可以包括其他装置或者还可以包括其他数据记录网元,图1中未予以画出。Among them, the system architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. Those of ordinary skill in the art can know that With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems. It should be understood that FIG. 1 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other data recording network elements, which are not shown in FIG. 1.
基于上述图1所述的记录系统,如图2所示,本申请实施例提供一种基于数据存储记 录阶段进行访问行为的记录方法,具体包括以下步骤:Based on the recording system described in Figure 1 above, as shown in Figure 2, an embodiment of the present application provides a method for recording access behaviors based on the data storage recording stage, which specifically includes the following steps:
步骤200,所述数据记录网元确定第一密钥,并根据所述第一密钥对采集到的用户数据进行加密。Step 200: The data recording network element determines a first key, and encrypts the collected user data according to the first key.
示例性的,本申请实施例中假设所述数据记录网以符号M来标识采集到的所述用户数据。然后,所述数据记录网元确定第一密钥,并根据所述第一密钥加密所述M,得到所述用户数据的密文形式C。Exemplarily, in the embodiment of the present application, it is assumed that the data recording network uses the symbol M to identify the collected user data. Then, the data recording network element determines a first key, and encrypts the M according to the first key to obtain the ciphertext form C of the user data.
步骤201,所述数据记录网元将所述第一密钥发送给区块链。Step 201: The data recording network element sends the first key to the blockchain.
本申请实施例中一种可选的方式,为了更好的保障系统的安全性,所述数据记录网元可以对需要传输的第一密钥进行加密。从而,能有效防止所述记录系统明文传输所述第一密钥的过程中,其他设备获取所述第一密钥,并根据所述第一密钥获取所述用户数据的情况。In an optional manner in the embodiment of the present application, in order to better ensure the security of the system, the data recording network element may encrypt the first key that needs to be transmitted. Therefore, it is possible to effectively prevent a situation in which other devices obtain the first key and obtain the user data according to the first key during the process of the recording system transmitting the first key in plain text.
示例性的,所述数据记录网元确定一个第二密钥,并根据所述第二密钥对所述第一密钥进行加密,得到所述第一加密信息。其中,所述第一加密信息是所述第一密钥通过所述第二密钥进行加密后的结果。然后,所述数据记录网元将所述第一加密信息发送给所述区块链。Exemplarily, the data recording network element determines a second key, and encrypts the first key according to the second key to obtain the first encrypted information. Wherein, the first encryption information is the result of encryption by the first key by the second key. Then, the data recording network element sends the first encrypted information to the blockchain.
其中,本申请实施例中所述记录网元可以通过多种方式确定所述第二密钥,具体并不限于下述几种。Among them, the recording network element in the embodiment of the present application may determine the second key in a variety of ways, and the details are not limited to the following.
第二密钥确定方式1:所述数据记录网元将所述数据库预配置在所述数据记录网元上的密钥确定为所述第二密钥。Second key determination method 1: The data recording network element determines the key pre-configured on the data recording network element by the database as the second key.
也就是说,本申请实施例中,所述数据记录网元与所述数据库事先协议了用于加密所述第一密钥的密钥,从而当所述数据记录网元需要对所述第一密钥进行加密时,直接根据所述预先协议的密钥,即第二密钥,对所述第一密钥进行加密。That is to say, in the embodiment of the present application, the data recording network element and the database have agreed in advance the key used to encrypt the first key, so that when the data recording network element needs to verify the first key When the key is encrypted, the first key is directly encrypted according to the previously agreed key, that is, the second key.
第二密钥确定方式2:所述数据记录网元将接收到的所述数据库发送的密钥确定为所述第二密钥。Second key determination method 2: The data recording network element determines the received key sent by the database as the second key.
示例性的,所述数据记录网元需要发送所述第一加密信息之前,向所述数据库发送获取第二密钥的信息,所述数据库接收到所述数据记录网元发送的获取所述第二密钥的信息后,并本地存储的第二密钥发送给所述数据记录网元。Exemplarily, before the data recording network element needs to send the first encrypted information, it sends the information for obtaining the second key to the database, and the database receives the information for obtaining the second key sent by the data recording network element. After the information of the second key, the locally stored second key is sent to the data recording network element.
其中,所述数据库可以在接收到所述数据记录网元发送的获取第二密钥的信息后,生成所述第二密钥;或者所述第二密钥是所述数据库在接收到所述数据记录网元发送的获取第二密钥的信息之前,就已经存储到本地的。Wherein, the database may generate the second key after receiving the information for obtaining the second key sent by the data recording network element; Before the information sent by the data recording network element to obtain the second key, it has been stored locally.
步骤202,所述区块链接收来自所述数据记录网元的第一密钥,并将所述第一密钥存储到所述数据库中。Step 202: The blockchain receives a first key from the data recording network element, and stores the first key in the database.
本申请一种可选的方式中,若所述区块链接收到的是所述数据记录网元发送的所述第一加密信息,则所述区块链将所述第一加密信息存储到所述数据库中。In an optional manner of the present application, if the block link receives the first encrypted information sent by the data recording network element, the block chain stores the first encrypted information in The database.
步骤203,所述数据库接收来自所述区块链的所述第一密钥,将所述第一密钥安全存储到本地。Step 203: The database receives the first key from the blockchain, and stores the first key safely locally.
本申请实施例中一种可选的方式中,若所述数据库接收到的是来自所述区块链的所述第一加密信息,则所述数据库根据第二密钥对所述第一加密信息进行解密,获取所述第一密钥,然后将所述第一密钥安全存储到本地,以及将所述第一密钥的存储地址通知给所述区块链。In an optional manner in the embodiment of the present application, if the database receives the first encrypted information from the blockchain, the database encrypts the first according to a second key Information is decrypted, the first key is obtained, and then the first key is safely stored locally, and the storage address of the first key is notified to the blockchain.
本申请实施例中另一种可选的方式中,若所述数据库接收到的是来自所述区块链的所述第一加密信息,则所述数据库先将所述第一加密信息存储到本地,并把所述第一加密信息的存储地址通知给所述区块链。后续过程中,若所述数据库接收到其他设备发送的获取所述第一密钥的申请,此时,所述数据库再根据所述第二密钥对所述第一加密信息进行解密,获取所述第一密钥,在将所述第一密钥发送给对应的装置。In another optional manner in the embodiment of the present application, if the database receives the first encrypted information from the blockchain, the database first stores the first encrypted information in Locally, and notify the blockchain of the storage address of the first encrypted information. In the subsequent process, if the database receives an application for obtaining the first key sent by another device, at this time, the database then decrypts the first encrypted information according to the second key to obtain all the information. The first key is sending the first key to the corresponding device.
步骤204,所述数据库将所述第一密钥的存储地址通知给所述区块链。Step 204: The database notifies the blockchain of the storage address of the first key.
步骤205,所述区块链接收所述第一密钥的存储地址。Step 205: The blockchain receives the storage address of the first key.
步骤206,所述区块链通过智能合约记录第一行为,并确定所述第一行为在所述区块链的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为。Step 206: The blockchain records the first behavior through a smart contract, and determines the address of the first behavior in the blockchain, and the first behavior is used to record that the data recording network element passes through the zone. The act of storing the first key in the database by the block chain.
其中,所述第一行为中包含所述第一密钥在所述数据库中的存储地址;或者所述第一行为中包含所述第一加密信息在所述数据库中的存储地址。Wherein, the first behavior includes the storage address of the first key in the database; or the first behavior includes the storage address of the first encrypted information in the database.
进一步的,本申请实施例中所述第一行为可在未来作为判断和记录访问设备访问所述用户数据的安全脚本。Further, the first behavior in the embodiment of the present application can be used as a security script for judging and recording the access device to access the user data in the future.
步骤207:所述区块链将所述第一行为的地址反馈给所述数据记录网元。Step 207: The blockchain feeds back the address of the first behavior to the data recording network element.
本申请实施例中一种可选的方式中,所述区块链可以直接将所述第一密钥的存储地址反馈给所述数据记录网元。In an optional manner in the embodiment of the present application, the blockchain may directly feed back the storage address of the first key to the data recording network element.
本申请实施例中一种可选的方式中,当所述数据库中存储的是所述第一加密信息时,所述区块链还可以直接将所述第一加密信息的存储地址反馈给所述数据记录网元。In an optional manner in the embodiment of the present application, when the first encrypted information is stored in the database, the blockchain may also directly feed back the storage address of the first encrypted information to the The data recording network element.
步骤208:所述数据记录网元将所述加密后的用户数据以及所述第一行为的地址存储到云平台中。Step 208: The data recording network element stores the encrypted user data and the address of the first behavior in a cloud platform.
本申请实施例中一种可选的方式中,所述数据记录网元将所述加密后的用户数据以及所述第一密钥的存储地址,存储到云平台中。In an optional manner in the embodiment of the present application, the data recording network element stores the encrypted user data and the storage address of the first key in a cloud platform.
本申请实施例中一种可选的方式中,若所述数据记录网元接收到来自所述区块链的所述第一加密信息的存储地址,则所述数据记录网元将所述加密后的用户数据以及所述第一加密信息的存储地址,存储到云平台中。In an optional manner in the embodiment of the present application, if the data recording network element receives the storage address of the first encrypted information from the blockchain, the data recording network element encrypts the The subsequent user data and the storage address of the first encrypted information are stored in the cloud platform.
阶段二、数据访问记录阶段。Phase two, data access recording phase.
为便于理解本申请实施例,首先以图3中示出的访问行为记录系统为例,详细说明本申请实施例在数据访问记录阶段适用的记录系统。如图3所示,该通信系统包括访问设备300、区块链301、数据库302和云平台303。In order to facilitate the understanding of the embodiment of the present application, firstly, the access behavior recording system shown in FIG. 3 is taken as an example to describe in detail the recording system applicable in the data access recording phase of the embodiment of the present application. As shown in FIG. 3, the communication system includes an access device 300, a blockchain 301, a database 302, and a cloud platform 303.
访问设备300,数据访问方,用于获取用户数据。其中,本申请实施例中所述访问设备可以为核心网中的网元,也可以是独立于电信网络以外的第三方,所述访问设备对用户数据的访问目的可以包括法规监控,或提供定制化用户服务,在此,本申请实施例并不进行限定。The access device 300, the data access party, is used to obtain user data. Among them, the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network. The purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
区块链301,是一种分布式账本的安全实现,以区块作为数据结构存储行为信息,每个区块包含区块体和区块头。其中,区块体存储行为内容。所述行为内容根据本申请实施例一种实现方式中应用场景需要,可以为数据记录、访问记录、或执行记录中的一种或多种等;区块头存储时间戳、行为的哈希汇总结果,以及使之和前序区块形成链式结构的必要信息。The blockchain 301 is a security implementation of a distributed ledger. It uses blocks as a data structure to store behavioral information, and each block contains a block body and a block header. Among them, the block body stores the behavior content. The content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
数据库302,具有存储和处理功能,其中,所述数据库302用于存储所述记录系统中的相关数据信息,以及根据接收到的信息更新存储的数据信息。另外,所述数据库302还可以根据接收到的信息返回对应信息。示例性的,本申请实施例中的数据库,用于存储本申请实施例中加密用户数据的密钥,例如,第一密钥。The database 302 has storage and processing functions. The database 302 is used to store relevant data information in the recording system, and to update the stored data information according to the received information. In addition, the database 302 may also return corresponding information according to the received information. Exemplarily, the database in the embodiment of the present application is used to store the key used to encrypt user data in the embodiment of the present application, for example, the first key.
云平台303,具有存储和处理功能,其中,所述云平台303用于存储所述记录系统中的相关数据信息,以及根据接收到的信息更新存储的数据信息。另外,所述云平台303还可以根据接收到的信息返回对应信息。The cloud platform 303 has storage and processing functions. The cloud platform 303 is used to store relevant data information in the recording system, and update the stored data information according to the received information. In addition, the cloud platform 303 may also return corresponding information according to the received information.
其中,本申请实施例描述的系统架构以及业务场景是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。应理解,图3仅为便于理解而示例的简化示意图,该记录系统中还可以包括其他装置或者还可以包括其他访问设备,图3中未予以画出。Among them, the system architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. Those of ordinary skill in the art can know that With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems. It should be understood that FIG. 3 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 3.
基于上述图3所述的记录系统,如图4所示,本申请实施例提供一种基于数据访问记录阶段进行访问行为的记录方法,具体包括以下步骤:Based on the recording system described in FIG. 3, as shown in FIG. 4, an embodiment of the present application provides a method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
步骤400,访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址。Step 400: The access device obtains the encrypted user data and the address in the blockchain of the first action in the smart contract from the cloud platform.
其中,所述智能合约用于记录所述区块链的被访问行为;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为。The smart contract is used to record the accessed behavior of the blockchain; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
本申请实施例中一种可选的方式,所述访问设备从云平台中获取加密后的用户数据以及所述第一密钥在所述数据库中的存储地址。In an optional manner in the embodiment of the present application, the access device obtains encrypted user data and the storage address of the first key in the database from a cloud platform.
步骤401,所述访问设备向所述区块链进行获取用户数据申请,所述获取用户数据申请中携带所述智能合约第一行为的地址。其中,所述401中所述访问设备主要通过所述区块链寻求本次访问行为的仲裁和记录,即所述智能合约中所述第一行为。Step 401: The access device applies to the blockchain for obtaining user data, and the user data obtaining application carries the address of the first action of the smart contract. Wherein, the access device in the 401 mainly seeks the arbitration and recording of this access behavior through the blockchain, that is, the first behavior in the smart contract.
可选的,所述获取用户数据申请中携带所述第一密钥在所述数据库中的存储地址。Optionally, the request for obtaining user data carries a storage address of the first key in the database.
步骤402,所述区块链接收所述访问设备发送的所述获取用户数据申请,根据所述获取用户申请中携带的所述第一行为的地址确定所述第一行为。Step 402: The blockchain receives the user data acquisition application sent by the access device, and determines the first behavior according to the address of the first behavior carried in the user acquisition application.
需要说明的是,当所述获取用户数据申请中携带所述第一密钥在所述数据库中的存储地址时,所述步骤402可以省略。It should be noted that when the user data acquisition application carries the storage address of the first key in the database, the step 402 may be omitted.
步骤403,所述区块链对所述访问设备进行验证,并在确定所述访问设备验证成功后,向所述数据库发送验证成功的结果以及所述第一行为。Step 403: The blockchain verifies the access device, and after determining that the access device is successfully verified, sends a successful verification result and the first behavior to the database.
其中,本申请实施例一种可选的方式,所述区块链在确定所述区块链中不小于阈值数量的节点成功验证所述访问设备后,则确定所述访问设备验证成功。也就是说,为了防止对单一节点的篡改,使所述用户数据信息泄露以及无法追溯,则本申请实施例可以采用共识机制,在确定共识结果为成功验证访问设备后,才确定所述访问设备验证成功。In an optional manner of the embodiment of the present application, the blockchain determines that the access device is successfully verified after determining that the number of nodes in the blockchain that is not less than a threshold value successfully verify the access device. That is to say, in order to prevent tampering with a single node, the user data information is leaked and cannot be traced back, the embodiment of the present application may adopt a consensus mechanism, and the access device is determined only after the consensus result is that the access device is successfully verified. The verification is successful.
本申请实施例中一种可选的方式,所述区块链可以基于设定的访问策略确定所述访问设备是否验证成功。In an optional manner in the embodiment of the present application, the blockchain may determine whether the access device is successfully verified based on a set access policy.
示例性的,符合所述访问策略的访问设备都是经过授权的访问设备,所述授权的形式可以为终端设备直接授权和/或核心网授权等。比如,权限赋予者可以通过对所述访问设备息进行签名的方式进行授权,从而使所述区块链节点通过判断所述签名的有效性即可以判断所述访问设备是否验证通过。Exemplarily, the access devices that comply with the access policy are all authorized access devices, and the authorization form may be direct authorization by the terminal device and/or authorization by the core network. For example, the authority grantor can authorize by signing the access device information, so that the blockchain node can determine whether the access device has passed the verification by judging the validity of the signature.
可选的,若所述区块链接收到来自所述访问设备发送的所述第一密钥的存储地址,则所述区块链对所述访问设备进行验证,并在确定所述访问设备验证成功后,向所述数据库发送验证成功的结果以及所述第一密钥的存储地址。Optionally, if the block link receives the storage address of the first key sent from the access device, the block chain verifies the access device and confirms that the access device After the verification is successful, the result of the verification success and the storage address of the first key are sent to the database.
进一步的,若所述区块链确定所述访问设备验证失败,则终止后续操作。Further, if the blockchain determines that the access device verification fails, the subsequent operations are terminated.
步骤404,所述数据库根据所述第一行为确定所述第一密钥,并将所述第一密钥发送给所述区块链。Step 404: The database determines the first key according to the first behavior, and sends the first key to the blockchain.
其中,本申请实施例中所述数据库根据所述第一行为中的所述第一密钥在所述数据库中的存储地址,确定所述第一密钥;或者,若所述数据库接收到的是来自所述区块链发送的所述第一密钥的存储地址,则所述数据库直接根据所述第一密钥的存储地址,确定所述第一密钥。Wherein, the database in the embodiment of the present application determines the first key according to the storage address of the first key in the database in the first behavior; or, if the database receives If it is the storage address of the first key sent from the blockchain, the database directly determines the first key according to the storage address of the first key.
本申请实施例中一种可选的方式中,为了更好的提升信息传递的安全性,所述获取用户数据申请中还携带所述第三密钥,从而所述数据库在确定所述第一密钥后,可以根据所述第三密钥对所述第一密钥进行加密,得到所述第二加密信息,并将所述第二加密信息发送给所述区块链。In an optional manner in the embodiment of the present application, in order to better improve the security of information transmission, the third key is also carried in the user data acquisition application, so that the database is determining the first After the key is obtained, the first key can be encrypted according to the third key to obtain the second encrypted information, and the second encrypted information is sent to the blockchain.
本申请实施例中一种可选的方式,所述数据库在执行所述步骤404之前,所述数据库确定所述验证成功的结果有效。示例性的,所述数据库在接收到所述区块链发送的所述验证成功的结果后,可以查询若干个区块链背书节点,若存在大于或等于一定比例的(如符合比例为一个阈值到100%则说明有效)背书节点上已经记录了所述验证成功的内容,则所述数据库确定所述验证成功的结果有效;或者,所述数据库在接收到所述区块链发送的所述验证成功的结果后,可以抽查自己信任的背书节点,若自己信任的背书节点已经记录了所述验证成功的内容,则所述数据库确定所述验证成功的结果有效。In an optional manner in the embodiment of the present application, before the database executes the step 404, the database determines that the result of the successful verification is valid. Exemplarily, after the database receives the successful verification result sent by the blockchain, it can query several blockchain endorsement nodes. If it reaches 100%, it is valid.) The content of the successful verification has been recorded on the endorsing node, and the database determines that the result of the successful verification is valid; After verifying the successful result, you can spot check the endorsing nodes you trust. If the endorsing node you trust has recorded the content of the successful verification, the database determines that the successful result of the verification is valid.
步骤405,所述区块链接收来自所述数据库的所述第一密钥。Step 405: The blockchain receives the first key from the database.
本申请实施例中一种可选的方式中,所述区块链接收来自所述数据库的所述第一加密信息。In an optional manner in the embodiment of the present application, the blockchain receives the first encrypted information from the database.
步骤406,所述区块链将所述第一密钥发送给所述访问设备。Step 406: The blockchain sends the first key to the access device.
本申请实施例中一种可选的方式中,若所述区块链接收到的是来自所述数据库的所述第二加密信息,则所述区块链将所述第二加密信息发送给所述访问设备。In an optional manner in the embodiment of the present application, if the block link receives the second encrypted information from the database, the block chain sends the second encrypted information to The access device.
另外,本申请实施例中为了有效的进行后期的追溯,所述区块链将所述第一密钥发送给所述访问设备之前,所述区块链将第二行为记录到所述智能合约中;或者,所述区块链将所述第一密钥发送给所述访问设备后,将所述第二行为记录到所述智能合约中。In addition, in the embodiment of the present application, in order to effectively carry out later traceability, before the blockchain sends the first key to the access device, the blockchain records the second behavior to the smart contract Or, after the blockchain sends the first key to the access device, the second behavior is recorded in the smart contract.
其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。Wherein, the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
步骤407,所述访问设备接收来自所述区块链的所述第一密钥。Step 407: The access device receives the first key from the blockchain.
本申请实施例中,若所述访问设备接收到的是来自所述区块链的所述第二加密信息,则所述访问设备根据所述第三密钥对所述第二加密信息进行解密,得到所述第一密钥。In the embodiment of the present application, if the access device receives the second encrypted information from the blockchain, the access device decrypts the second encrypted information according to the third key , To obtain the first key.
步骤408,所述访问设备根据所述第一密钥对所述加密后的用户数据进行解密,从而获取所述用户数据。Step 408: The access device decrypts the encrypted user data according to the first key, so as to obtain the user data.
另外,基于上述图3所述的记录系统,如图5所示,本申请实施例还提供了另一种基于数据访问记录阶段进行访问行为的记录方法,具体包括以下步骤:In addition, based on the recording system described in FIG. 3, as shown in FIG. 5, an embodiment of the present application also provides another method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
步骤500,访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址。Step 500: The access device obtains the encrypted user data and the address in the blockchain of the first action in the smart contract from the cloud platform.
其中,所述智能合约用于记录所述区块链的被访问行为;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为。The smart contract is used to record the accessed behavior of the blockchain; the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
本申请实施例中一种可选的方式,所述访问设备从云平台中获取加密后的用户数据以及所述第一密钥在所述数据库中的存储地址。In an optional manner in the embodiment of the present application, the access device obtains encrypted user data and the storage address of the first key in the database from a cloud platform.
步骤501,所述访问设备向所述区块链进行获取用户数据申请,所述获取用户数据申请中携带所述智能合约第一行为的地址以及加密后的用户数据块。In step 501, the access device makes an application for obtaining user data to the blockchain, and the application for obtaining user data carries the address of the first action of the smart contract and the encrypted user data block.
其中,所述用户数据块是所述用户数据的部分或全部,所述步骤501中所述访问设备主要通过所述区块链寻求本次访问行为的仲裁和记录,即所述智能合约中所述第一行为。Wherein, the user data block is part or all of the user data, and the access device in step 501 mainly seeks the arbitration and recording of this access behavior through the blockchain, that is, the smart contract The first act.
本申请实施例中一种可选的方式,所述获取用户申请中携带所述第一密钥在所述数据库中的存储地址以及加密后的用户数据块。In an optional manner in the embodiment of the present application, the user obtaining application carries the storage address of the first key in the database and the encrypted user data block.
步骤502,所述区块链接收所述访问设备发送的所述获取用户数据申请。Step 502: The blockchain receives the user data acquisition application sent by the access device.
步骤503,所述区块链根据所述获取用户申请中携带的所述第一行为的地址确定所述第一行为。Step 503: The blockchain determines the first behavior according to the address of the first behavior carried in the obtaining user application.
其中,需要说明的是,当所述获取用户数据申请中携带的是所述第一密钥在所述数据库中的存储地址时,所述步骤503可以省略。It should be noted that, when the user data acquisition application carries the storage address of the first key in the database, the step 503 may be omitted.
步骤504,所述区块链对所述访问设备进行验证,并在确定所述访问设备验证成功后,向所述数据库发送验证成功的结果、所述第一行为以及所述加密后的用户数据块。Step 504: The blockchain verifies the access device, and after determining that the access device is successfully verified, sends the successful verification result, the first behavior, and the encrypted user data to the database Piece.
本申请实施例中一种可选的方式,所述区块链对所述访问设备进行验证,并在确定所述访问设备验证成功后,向所述数据库发送验证成功的结果、所述第一密钥在所述数据库中的存储地址以及所述加密后的用户数据块。In an optional manner in the embodiment of the present application, the blockchain verifies the access device, and after determining that the access device is successfully verified, sends the result of the successful verification to the database, the first The storage address of the key in the database and the encrypted user data block.
进一步的,所述区块链在确定所述区块链中不小于阈值数量的节点成功验证所述访问设备后,则确定所述访问设备验证成功。也就是说,为了防止对单一节点的篡改,使所述用户数据信息泄露以及无法追溯,则本申请实施例可以采用共识机制,在确定共识结果为成功验证访问设备后,才确定所述访问设备验证成功。Further, after the blockchain determines that no less than a threshold number of nodes in the blockchain successfully verify the access device, it determines that the access device is successfully verified. That is to say, in order to prevent tampering with a single node, the user data information is leaked and cannot be traced back, the embodiment of the present application may adopt a consensus mechanism, and the access device is determined only after the consensus result is that the access device is successfully verified. The verification is successful.
其中,所述区块链确定所述访问设备是否验证成功的方式参见上述步骤403,为简洁描述,在此不进行赘述。Wherein, for the manner in which the blockchain determines whether the access device is successfully verified, refer to step 403 above, which is a succinct description and will not be repeated here.
需要说明的是,若后续所述数据库不需要验证所述区块链对所述访问设备验证结果的有效性,则所述区块链向所述数据库发送的信息中可以不包含所述验证成功的结果。It should be noted that if the subsequent database does not need to verify the validity of the verification result of the blockchain to the access device, the information sent by the blockchain to the database may not include the verification success. the result of.
步骤505,所述数据库根据所述第一行为确定所述第一密钥,并根据所述第一密钥解密所述加密后的用户数据块,得到所述用户数据块。Step 505: The database determines the first key according to the first behavior, and decrypts the encrypted user data block according to the first key to obtain the user data block.
其中,本申请实施例中所述数据库根据所述第一行为中的所述第一密钥在所述数据库中的存储地址,确定所述第一密钥。Wherein, the database in the embodiment of the present application determines the first key according to the storage address of the first key in the database in the first behavior.
本申请实施例中一种可选的方式中,若所述数据库接收到的是来自所述区块链发送的所述验证成功的结果、所述第一密钥在所述数据库中的存储地址以及所述加密后的用户数据块,则所述数据库直接根据所述第一密钥在所述数据库中的存储地址,确定所述第一密钥。In an optional manner in the embodiment of the present application, if the database receives the result of the successful verification sent from the blockchain, the storage address of the first key in the database And the encrypted user data block, the database directly determines the first key according to the storage address of the first key in the database.
进一步的,本申请实施例中,为更好的保障安全性,所述数据库在执行所述步骤504之前,确定接收到的来自所述区块链发送的所述验证成功的结果的有效。相反,当所述数 据库在确定接收到的来自所述区块链发送的所述验证成功的结果无效时,则终止后续操作,或者通过所述区块链向所述访问设备发送拒绝获取用户数据的信息。Further, in the embodiment of the present application, in order to better ensure security, the database determines the validity of the result of the successful verification received from the blockchain before performing the step 504. On the contrary, when the database determines that the result of the successful verification received from the blockchain is invalid, it terminates subsequent operations, or sends a refusal to obtain user data to the access device through the blockchain Information.
示例性的,所述数据库在接收到所述区块链发送的所述验证成功的结果后,可以查询若干个区块链背书节点,若存在大于或等于一定比例的(如符合比例为一个阈值到100%则说明有效)背书节点上已经记录了所述验证成功的内容,则所述数据库确定所述验证成功的结果有效;或者,所述数据库在接收到所述区块链发送的所述验证成功的结果后,可以抽查自己信任的背书节点,若自己信任的背书节点已经记录了所述验证成功的内容,则所述数据库确定所述验证成功的结果有效。Exemplarily, after the database receives the successful verification result sent by the blockchain, it can query several blockchain endorsement nodes. If it reaches 100%, it is valid.) The content of the successful verification has been recorded on the endorsing node, and the database determines that the result of the successful verification is valid; or, the database is After verifying the successful result, you can spot check the endorsing nodes you trust. If the endorsing node you trust has recorded the content of the successful verification, the database determines that the successful result of the verification is valid.
步骤506,所述数据库对所述用户数据块添加水印标记,并将添加水印标记的所述用户数据块发送给所述区块链。Step 506: The database adds a watermark to the user data block, and sends the watermarked user data block to the blockchain.
本申请实施例中一种可选的方式中,为了更好的提升信息传递的安全性,所述获取用户数据申请中还携带所述第四密钥,从而所述数据库可以根据所述第四密钥对所述用户数据块进行加密,得到所述第三加密信息,并将所述第三加密信息发送给所述区块链;或者,In an optional manner in the embodiment of the present application, in order to better improve the security of information transmission, the application for obtaining user data also carries the fourth key, so that the database can be based on the fourth key. The key encrypts the user data block to obtain the third encrypted information, and sends the third encrypted information to the blockchain; or,
所述数据库可以根据所述第四密钥对添加水印标记的所述用户数据块进行加密,得到所述第三加密信息,并将所述第三加密信息发送给所述区块链。The database may encrypt the watermarked user data block according to the fourth key to obtain the third encrypted information, and send the third encrypted information to the blockchain.
步骤507,所述区块链接收来自所述数据库的添加水印标记的所述用户数据块。Step 507: The blockchain receives the watermarked user data block from the database.
本申请实施例中一种可选的方式,所述区块链接收来自所述数据库的第三加密信息,其中,所述第三加密信息是所述数据库根据所述第四密钥对所述用户数据块进行加密后得到的;或者所述第三加密信息是所述数据库根据所述第四密钥对添加水印标记的所述用户数据块进行加密后得到的。In an optional manner in the embodiment of the present application, the blockchain receives third encrypted information from the database, where the third encrypted information is that the database pairs the The user data block is obtained after encryption; or the third encryption information is obtained after the database encrypts the watermarked user data block according to the fourth key.
步骤508,所述区块链将所述添加水印标记的所述用户数据块发送给所述访问设备。Step 508: The blockchain sends the watermarked user data block to the access device.
本申请实施例中一种可选的方式中,若所述区块链接收到的是来自所述数据库的所述第三加密信息,则所述区块链将所述第三加密信息发送给所述访问设备。In an optional manner in the embodiment of the present application, if the block link receives the third encrypted information from the database, the block chain sends the third encrypted information to The access device.
另外,本申请实施例中为了有效的进行后期的追溯,所述区块链将添加水印标记的所述用户数据块或者所述第三加密信息发送给所述访问设备之前,所述区块链将第二行为记录到所述智能合约中;或者,所述区块链将所述第一密钥发送给所述访问设备后,将所述第二行为记录到所述智能合约中。In addition, in the embodiment of the present application, in order to effectively carry out later traceability, before the block chain sends the watermarked user data block or the third encrypted information to the access device, the block chain The second behavior is recorded in the smart contract; or, after the blockchain sends the first key to the access device, the second behavior is recorded in the smart contract.
其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。Wherein, the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
步骤509,所述访问设备接收来自所述区块链的添加水印标记的所述用户数据块。Step 509: The access device receives the watermarked user data block from the blockchain.
本申请实施例中,若所述访问设备接收到的是来自所述区块链的所述第三加密信息,则所述访问设备根据所述第四密钥对所述第三加密信息进行解密,得到所述用户数据块,或者,得到添加水印标记的所述用户数据块。In the embodiment of the present application, if the access device receives the third encrypted information from the blockchain, the access device decrypts the third encrypted information according to the fourth key , Obtain the user data block, or obtain the user data block added with a watermark.
二、本申请实施例中第二种访问行为的记录方法:2. The second method of recording access behavior in the embodiment of this application:
其中,在该种访问行为的记录方法中,本申请实施例主要过程包括客户端部署阶段、数据存储记录阶段和数据访问记录阶段三个阶段,针对不同阶段,本申请实施例结合附图分别举例进行介绍。Among them, in this access behavior recording method, the main process of the embodiment of this application includes three stages: client deployment stage, data storage recording stage, and data access recording stage. For different stages, the embodiments of this application are given examples in conjunction with the accompanying drawings. Make an introduction.
阶段一、客户端部署阶段。Phase one, client deployment phase.
为便于理解本申请实施例,首先以图6中示出的访问行为记录系统为例详细说明本申 请实施例在客户端部署阶段适用的记录系统。如图6所示,该通信系统包括访问设备600、客户端601、区块链602和授权服务器603。In order to facilitate the understanding of the embodiment of the present application, first, the access behavior recording system shown in FIG. 6 is taken as an example to describe in detail the recording system applicable to the client deployment stage of the present application embodiment. As shown in FIG. 6, the communication system includes an access device 600, a client 601, a blockchain 602, and an authorization server 603.
访问设备600,数据访问方,用于获取用户数据。其中,本申请实施例中所述访问设备可以为核心网中的网元,也可以是独立于电信网络以外的第三方,所述访问设备对用户数据的访问目的可以包括法规监控,或提供定制化用户服务,在此,本申请实施例并不进行限定。The access device 600, the data access party, is used to obtain user data. Among them, the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network. The purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
客户端601,用于辅助所述访问设备600阅读用户数据,其中,所述客户端需要在具有权限的情况下才能够阅读访问所述访问设备提供的所述用户数据。本申请实施例中,所述客户端可以在所述访问设备上,也可以与所述访问设备相连,所述客户端不局限是纯粹用软件实现,还可以是基于安全硬件平台的系统,在此,本申请实施例并不进行限制。The client 601 is used to assist the access device 600 in reading user data, where the client needs to have permission to read and access the user data provided by the access device. In the embodiments of the present application, the client can be on the access device or connected to the access device. The client is not limited to be implemented purely in software, and can also be a system based on a secure hardware platform. Therefore, the embodiments of the present application are not limited.
区块链602,是一种分布式账本的安全实现,以区块作为数据结构存储行为信息,每个区块包含区块体和区块头。其中,区块体存储行为内容。所述行为内容根据本申请实施例一种实现方式中应用场景需要,可以为数据记录、访问记录、或执行记录中的一种或多种等;区块头存储时间戳、行为的哈希汇总结果,以及使之和前序区块形成链式结构的必要信息。 Blockchain 602 is a security implementation of distributed ledger. Blocks are used as data structures to store behavioral information. Each block contains a block body and a block header. Among them, the block body stores the behavior content. The content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
授权服务器603,具有管理以及生成序列号等功能,本申请实施例中所述授权服务器主要用于部署客户端阅读用户数据的权限,以及生成序列号,并将所述序列号通知给所述客户端,从而使所述客户端根据所述序列号确定是否有权限阅读所述用户数据。所述授权服务器和每一个客户端实现时间上的宽同步。The authorization server 603 has functions such as management and serial number generation. The authorization server in the embodiment of this application is mainly used to deploy the client's permission to read user data, and to generate a serial number, and notify the client of the serial number So as to enable the client to determine whether it has the authority to read the user data according to the serial number. The authorization server and each client realize wide synchronization in time.
其中,本申请实施例描述的系统架构以及业务场景是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。应理解,图6仅为便于理解而示例的简化示意图,该记录系统中还可以包括其他装置或者还可以包括其他访问设备,图6中未予以画出。Among them, the system architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. Those of ordinary skill in the art can know that With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems. It should be understood that FIG. 6 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 6.
基于上述图6所述的记录系统,如图7所示,本申请实施例提供一种基于客户端部署阶段进行访问行为的记录方法,具体包括以下步骤:Based on the recording system described in FIG. 6, as shown in FIG. 7, an embodiment of the present application provides a method for recording access behaviors based on a client deployment stage, which specifically includes the following steps:
步骤700,所述访问设备安装客户端。In step 700, the access device installs a client.
步骤701,所述访问设备向区块链发送第一申请,所述第一申请用于授予所述客户端打开所述访问设备获取到的所述用户数据的权限。Step 701: The access device sends a first application to the blockchain, where the first application is used to grant the client a right to open the user data obtained by the access device.
其中,所述第一申请包括所述客户端的标识ID。Wherein, the first application includes the identification ID of the client.
步骤702,所述区块链接收访问设备发送的第一申请。Step 702: The blockchain receives the first application sent by the access device.
步骤703,所述区块链将第三行为记录到所述智能合约中,其中,所述第三行为用于记录所述访问设备向所述数据库发送所述第一申请。Step 703: The blockchain records a third behavior in the smart contract, where the third behavior is used to record that the access device sends the first application to the database.
步骤704,所述区块链将所述第一申请发送给授权服务器。Step 704: The blockchain sends the first application to the authorization server.
步骤705,所述授权服务器接收所述第一申请,并生成所述第一随机数。Step 705: The authorization server receives the first application, and generates the first random number.
步骤706,所述授权服务器将所述第一随机数与所述第一申请中的客户端标识ID进行关联。Step 706: The authorization server associates the first random number with the client identification ID in the first application.
其中,所述第一随机数与所述客户端的标识ID一一对应,从而使所述授权服务器在数据访问阶段,根据接收到的客户端的标识ID确定对应的第一随机数。Wherein, the first random number has a one-to-one correspondence with the identification ID of the client, so that the authorization server determines the corresponding first random number according to the received identification ID of the client during the data access phase.
步骤707,所述授权服务器将所述第一随机数发送给所述区块链。Step 707: The authorization server sends the first random number to the blockchain.
本申请实施例中一种可选的方式,为有效保障所述第一随机数的安全性,避免所述第一随机数被其他设备获取,所述第一申请中还可以包含第五密钥,所述授权服务器根据所述第五密钥对所述第一随机数进行加密,得到第四加密信息,从而所述授权服务器将所述第四加密信息发送给所述区块链。In an optional manner in the embodiment of this application, in order to effectively guarantee the security of the first random number and prevent the first random number from being acquired by other devices, the first application may also include a fifth key The authorization server encrypts the first random number according to the fifth key to obtain fourth encrypted information, so that the authorization server sends the fourth encrypted information to the blockchain.
步骤708,所述区块链接收来自所述授权服务器的所述第一随机数。Step 708: The blockchain receives the first random number from the authorization server.
本申请实施例中一种可选的方式,所述区块链接收来自所述授权服务器的所述第四加密信息。In an optional manner in the embodiment of the present application, the blockchain receives the fourth encrypted information from the authorization server.
步骤709:所述区块链将所述第一随机数反馈给所述访问设备。Step 709: The blockchain feeds back the first random number to the access device.
本申请实施例中一种可选的方式中,若所述区块链接收到的是来自所述授权服务器的所述第四加密信息,则所述区块链将所述第四加密信息反馈给所述访问设备。In an optional manner in the embodiment of the present application, if the block link receives the fourth encrypted information from the authorization server, the block chain feeds back the fourth encrypted information Give the access device.
步骤710:所述访问设备接收来自所述区块链的所述第一随机数。Step 710: The access device receives the first random number from the blockchain.
本申请实施例中一种可选的方式中,若所述访问设备接收到的是来自所述区块链的所述第四加密信息,则所述访问设备根据所述第五密钥对所述第四加密信息进行解密,获取所述第一随机数。In an optional manner in the embodiment of the present application, if the access device receives the fourth encrypted information from the blockchain, the access device pairs the cryptographic information according to the fifth key. The fourth encrypted information is decrypted to obtain the first random number.
阶段二、数据存储记录阶段。Phase two, data storage and recording phase.
为便于理解本申请实施例,首先以图8中示出的访问行为记录系统为例详细说明本申请实施例在数据记录阶段适用的记录系统。如图8所示,该通信系统包括数据记录网元800、区块链801和云平台802。In order to facilitate the understanding of the embodiment of the present application, first, the access behavior recording system shown in FIG. 8 is taken as an example to describe in detail the recording system applicable in the data recording phase of the embodiment of the present application. As shown in FIG. 8, the communication system includes a data recording network element 800, a blockchain 801 and a cloud platform 802.
数据记录网元800,数据存储方,用于在获得用户的上下文用户数据后,将用户数据安全记录在运营商联盟共同信任的平台,例如,云平台103,并通过区块链101进行管理。The data recording network element 800, the data storage party, is used to securely record the user data on a platform jointly trusted by the operator alliance, for example, the cloud platform 103, and manage it through the blockchain 101 after obtaining the user's contextual user data.
区块链801,是一种分布式账本的安全实现,以区块作为数据结构存储行为信息,每个区块包含区块体和区块头。其中,区块体存储行为内容。所述行为内容根据本申请实施例一种实现方式中应用场景需要,可以为数据记录、访问记录、或执行记录中的一种或多种等;区块头存储时间戳、行为的哈希汇总结果,以及使之和前序区块形成链式结构的必要信息。 Blockchain 801 is a security implementation of distributed ledger. Blocks are used as a data structure to store behavioral information. Each block contains a block body and a block header. Among them, the block body stores the behavior content. The content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
云平台802,具有存储和处理功能,在所述记录系统中用于存储相关数据信息,根据接收到的信息更新存储的数据信息,或者根据接收到的信息返回对应信息。其中,本申请实施例中的云平台,用于存储本申请实施例中所述数据记录网元800发送的加密后的用户数据。The cloud platform 802 has storage and processing functions, and is used in the recording system to store relevant data information, update the stored data information according to the received information, or return corresponding information according to the received information. Among them, the cloud platform in the embodiment of the present application is used to store the encrypted user data sent by the data recording network element 800 in the embodiment of the present application.
其中,本申请实施例描述的系统架构以及业务场景是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。应理解,图8仅为便于理解而示例的简化示意图,该记录系统中还可以包括其他装置或者还可以包括其他数据记录网元,图8中未予以画出。Among them, the system architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. Those of ordinary skill in the art can know that With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems. It should be understood that FIG. 8 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may further include other devices or other data recording network elements, which are not shown in FIG. 8.
基于上述图8所述的记录系统,如图9所示,本申请实施例提供一种基于数据存储记录阶段进行访问行为的记录方法,具体包括以下步骤:Based on the recording system described in FIG. 8 above, as shown in FIG. 9, an embodiment of the present application provides a method for recording access behaviors based on the data storage recording stage, which specifically includes the following steps:
步骤900,所述数据记录网元将用户数据存储到云平台。Step 900: The data recording network element stores user data in a cloud platform.
步骤901,云平台接收来自数据记录网元的用户数据,并在将所述用户数据成功存储到本地后通知所述数据记录网元;Step 901: The cloud platform receives user data from a data recording network element, and notifies the data recording network element after the user data is successfully stored locally;
步骤902,所述数据记录网元确定所述用户数据成功存储到所述云平台后,向区块链发送所述用户数据的存储状态。Step 902: After determining that the user data is successfully stored on the cloud platform, the data recording network element sends the storage status of the user data to the blockchain.
步骤903,区块链接收数据记录网元发送的用户数据的存储状态,所述存储状态用于指示所述数据记录网元将所述用户数据存储到云平台;Step 903: The blockchain receives the storage status of the user data sent by the data recording network element, where the storage status is used to instruct the data recording network element to store the user data on the cloud platform;
步骤904,所述区块链在确定所述云平台中成功存储所述用户数据后,为所述用户数据分配用户数据ID。Step 904: After determining that the user data is successfully stored in the cloud platform, the blockchain assigns a user data ID to the user data.
步骤905,所述区块链将所述用户数据ID发送给所述云平台。Step 905: The blockchain sends the user data ID to the cloud platform.
步骤906,所述云平台接收区块链为所述用户数据分配的用户数据ID,并将所述用户数据与所述用户数据ID关联。Step 906: The cloud platform receives the user data ID allocated by the blockchain for the user data, and associates the user data with the user data ID.
进一步的,本申请实施例中为了更好的保障系统传输过程中所述用户数据的安全性,可对所述用户数据进行加密传输,具体可以结合上述图2所述的内容,在此不进行赘述。Further, in the embodiments of the present application, in order to better ensure the security of the user data in the system transmission process, the user data may be encrypted and transmitted, and the content described in FIG. 2 may be specifically combined, which is not performed here. Go into details.
阶段三、数据访问记录阶段。Phase three, data access recording phase.
为便于理解本申请实施例,首先以图10中示出的访问行为记录系统为例详细说明本申请实施例在数据记录阶段适用的记录系统。如图10所示,该通信系统包括访问设备1000、客户端1001、区块链1002、授权服务器1003和云平台1004。In order to facilitate the understanding of the embodiment of the present application, first, the access behavior recording system shown in FIG. 10 is taken as an example to describe in detail the recording system applicable to the embodiment of the present application in the data recording stage. As shown in FIG. 10, the communication system includes an access device 1000, a client 1001, a blockchain 1002, an authorization server 1003, and a cloud platform 1004.
访问设备1000,数据访问方,用于获取用户数据。其中,本申请实施例中所述访问设备可以为核心网中的网元,也可以是独立于电信网络以外的第三方,所述访问设备对用户数据的访问目的可以包括法规监控,或提供定制化用户服务,在此,本申请实施例并不进行限定。The access device 1000, the data access party, is used to obtain user data. Among them, the access device in the embodiment of the application may be a network element in the core network, or a third party independent of the telecommunications network. The purpose of the access device to user data may include regulatory monitoring, or provide customization To improve user services, here, the embodiments of the present application are not limited.
客户端1001,用于辅助所述访问设备1000阅读用户数据,其中,所述客户端需要在具有授权服务器授权的情况下才能够阅读访问所述访问设备提供的所述用户数据。本申请实施例中,所述客户端可以在所述访问设备上,也可以与所述访问设备相连,所述客户端不局限是纯粹用软件实现,还可以是基于安全硬件平台的系统,在此,本申请实施例并不进行限制。The client 1001 is used to assist the access device 1000 in reading user data, where the client needs to be authorized by the authorization server to be able to read and access the user data provided by the access device. In the embodiments of the present application, the client can be on the access device or connected to the access device. The client is not limited to be implemented purely in software, and can also be a system based on a secure hardware platform. Therefore, the embodiments of the present application are not limited.
区块链1002,是一种分布式账本的安全实现,以区块作为数据结构存储行为信息,每个区块包含区块体和区块头。其中,区块体存储行为内容。所述行为内容根据本申请实施例一种实现方式中应用场景需要,可以为数据记录、访问记录、或执行记录中的一种或多种等;区块头存储时间戳、行为的哈希汇总结果,以及使之和前序区块形成链式结构的必要信息。 Blockchain 1002 is a security implementation of distributed ledger. Blocks are used as data structures to store behavioral information. Each block contains a block body and a block header. Among them, the block body stores the behavior content. The content of the behavior can be one or more of data records, access records, or execution records according to the needs of the application scenario in an implementation of the embodiment of the present application; the block header stores the timestamp and the hash summary result of the behavior , And the necessary information to make it and the preamble block form a chain structure.
授权服务器1003,具有管理以及生成序列号等功能,本申请实施例中所述授权服务器主要用于部署客户端阅读用户数据的权限,以及生成序列号,并将所述序列号通知给所述客户端,从而使所述客户端根据所述序列号确定是否有权限阅读所述用户数据。所述授权服务器和每一个客户端实现时间上的宽同步。The authorization server 1003 has functions such as management and serial number generation. The authorization server in the embodiment of this application is mainly used to deploy the client's permission to read user data, and to generate a serial number, and notify the client of the serial number So as to enable the client to determine whether it has the authority to read the user data according to the serial number. The authorization server and each client realize wide synchronization in time.
云平台1004,具有存储和处理功能,在所述记录系统中用于存储相关数据信息,根据接收到的信息更新存储的数据信息,或者根据接收到的信息返回对应信息。其中,本申请实施例中的云平台,用于存储本申请实施例中所述数据记录网元发送的加密后的用户数据。The cloud platform 1004 has storage and processing functions, and is used in the recording system to store relevant data information, update the stored data information according to the received information, or return corresponding information according to the received information. Among them, the cloud platform in the embodiment of the application is used to store the encrypted user data sent by the data recording network element in the embodiment of the application.
其中,本申请实施例描述的系统架构以及业务场景是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似 的技术问题,同样适用。应理解,图10仅为便于理解而示例的简化示意图,该记录系统中还可以包括其他装置或者还可以包括其他访问设备,图10中未予以画出。Among them, the system architecture and business scenarios described in the embodiments of the present application are intended to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application. Those of ordinary skill in the art can know that With the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems. It should be understood that FIG. 10 is only a simplified schematic diagram of an example for ease of understanding, and the recording system may also include other devices or other access devices, which are not shown in FIG. 10.
基于上述图10所述的记录系统,如图11所示,本申请实施例提供一种基于数据访问记录阶段进行访问行为的记录方法,具体包括以下步骤:Based on the recording system described in FIG. 10, as shown in FIG. 11, an embodiment of the present application provides a method for recording access behaviors based on the data access recording phase, which specifically includes the following steps:
步骤1100,访问设备从云平台中获取用户数据以及用户数据ID。Step 1100: The access device obtains user data and user data ID from the cloud platform.
步骤1101,所述访问设备向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据。Step 1101: The access device sends a second application to the blockchain, where the second application is used to request to read the user data through the client.
所述第二申请包括所述客户端的标识ID以及所述用户数据ID,所述客户端的标识ID以及所述用户数据ID用于验证所述客户端具有打开所述用户数据的权限,所述用户数据ID还用于验证所述用户数据的真实性。The second application includes the identification ID of the client and the user data ID. The identification ID and the user data ID of the client are used to verify that the client has the authority to open the user data, and the user The data ID is also used to verify the authenticity of the user data.
步骤1102,区块链接收访问设备发送的第二申请。Step 1102: The blockchain receives the second application sent by the access device.
步骤1103,所述区块链确定所述客户端的标识ID有效;和/或确定所述用户数据ID有效。Step 1103: The blockchain determines that the identification ID of the client is valid; and/or determines that the user data ID is valid.
示例性的,所述区块链根据接收到的所述客户端的标识ID,确定所述智能合约中是否存在所述第三行为,即所述访问设备是否向所述数据库发送过所述第一申请。若根据所述客户端标识查询到所述第三行为,则所述客户端的标识ID为有效,反之无效。Exemplarily, the blockchain determines whether the third behavior exists in the smart contract according to the received identification ID of the client, that is, whether the access device has sent the first behavior to the database Application. If the third behavior is found according to the client ID, the client ID is valid, otherwise it is invalid.
因为,只有当所述访问设备发送过所述第一申请,则所述访问设备有可能具有授权服务器给予的阅读所述用户数据的权限。This is because, only when the access device has sent the first application, the access device may have the authority to read the user data given by the authorization server.
反之,若所述访问设备都没有发送过所述第一申请,则可以确定所述访问设备是没有被所述授权服务器授权阅读用户数据的。因此,所述区块链在确定所述客户点标识ID无效后,则可以直接终止此次的访问行为,有效减少了后续信令的开销以及系统的功耗。Conversely, if the access device has not sent the first application, it can be determined that the access device is not authorized by the authorization server to read user data. Therefore, after the blockchain determines that the customer point identification ID is invalid, the access behavior of this time can be directly terminated, which effectively reduces the overhead of subsequent signaling and the power consumption of the system.
示例性的,所述区块链根据接收到的所述用户数据ID,确定所述云平台中是否存在与所述用户数据ID对应的用户数据。若存在对应的用户数据,则所述用户数据ID为有效,反之无效。Exemplarily, the blockchain determines whether there is user data corresponding to the user data ID in the cloud platform according to the received user data ID. If there is corresponding user data, the user data ID is valid, otherwise it is invalid.
因为,只有当所述云平台中记录需要访问的用户数据ID对应的用户数据后,才能在确定有权限阅读所述用户数据时,阅读所述用户数据。反之,若所述云平台中并没有记录需要访问的用户数据ID对应的用户数据,则即使获得阅读权限,也无法成功获取所述用户数据,因此,所述区块链在确定所述客户点标识ID无效后,则可以直接终止此次的访问行为,有效减少了后续信令的开销以及系统的功耗。This is because only after the user data corresponding to the user data ID that needs to be accessed is recorded in the cloud platform, can the user data be read when the user data is determined to be authorized. Conversely, if the user data corresponding to the user data ID that needs to be accessed is not recorded in the cloud platform, the user data cannot be successfully obtained even if the reading permission is obtained. Therefore, the blockchain is determining the customer point After the identification ID is invalid, the access behavior of this time can be directly terminated, which effectively reduces the overhead of subsequent signaling and the power consumption of the system.
进一步的,本申请实施例中还可应用共识机制,即所述区块链中不小于阈值数量的节点确定所述客户端的标识ID有效;和/或所述区块链中不小于阈值数量的节点确定所述用户数据ID有效。Further, in the embodiments of the present application, a consensus mechanism may also be applied, that is, nodes in the blockchain that are not less than a threshold number determine that the identification ID of the client is valid; and/or the number of nodes in the blockchain that is not less than the threshold number The node determines that the user data ID is valid.
步骤1104,所述区块链将所述第二申请发送给所述授权服务器。Step 1104: The blockchain sends the second application to the authorization server.
步骤1105,授权服务器通过区块链接收来自访问设备的第二申请。Step 1105: The authorization server receives the second application from the access device through the blockchain.
步骤1106,所述授权服务器根据所述第二申请,生成第一序列号。Step 1106: The authorization server generates a first serial number according to the second application.
具体的,所述授权服务器根据所述第二申请中的所述客户端的标识ID确定所述客户端标识ID对应的第一随机数,然后,根据所述第一随机数生成第一随机数生成器,然后将所述第二申请的申请时间和/或所述用户数据ID作为所述第一随机数生成器的输入参数,生成所述第一序列号。Specifically, the authorization server determines the first random number corresponding to the client identification ID according to the identification ID of the client in the second application, and then generates a first random number according to the first random number. And then use the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the first serial number.
其中,所述第一随机数生成器可以是所述授权服务器事先根据所述第一随机数生成的, 则所述授权服务器根据所述第二申请中的所述客户端的标识ID直接确定所述第一随机数生成器。Wherein, the first random number generator may be generated by the authorization server according to the first random number in advance, and the authorization server directly determines the identification ID of the client according to the second application The first random number generator.
步骤1107,所述授权服务器将所述第一序列号发送给所述区块链。Step 1107: The authorization server sends the first serial number to the blockchain.
步骤1108,所述区块链接收所述授权服务器发送的第一序列号,并将所述第一序列号发送给所述访问设备。Step 1108: The blockchain receives the first serial number sent by the authorization server, and sends the first serial number to the access device.
另外,本申请实施例中为了有效的进行后期的追溯,所述区块链将所述第一序列号发送给所述访问设备之前,所述区块链将第四行为记录到所述智能合约中;或者,所述区块链将所述第一序列号发送给所述访问设备后,所述区块链将第四行为记录到所述智能合约中。In addition, in the embodiment of this application, in order to effectively carry out later traceability, before the block chain sends the first serial number to the access device, the block chain records the fourth behavior in the smart contract Or, after the blockchain sends the first serial number to the access device, the blockchain records the fourth behavior in the smart contract.
其中,所述第四行为用于记录所述访问设备向所述授权服务器发送所述第二申请。Wherein, the fourth behavior is used to record that the access device sends the second application to the authorization server.
步骤1109,所述访问设备接收来自所述区块链的所述第一序列号,并将所述第一序列号输入所述客户端。Step 1109: The access device receives the first serial number from the blockchain, and inputs the first serial number into the client.
步骤1110,所述访问设备在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。Step 1110: The access device reads the user data opened by the client after the client determines that the client has the right to open the user data according to the first serial number.
具体的,所述客户端生成第二序号,并在确定生成的第二序列号与所述第一序号相同后,打开的所述用户数据,所述访问设备阅读所述客户端打开的所述用户数据。Specifically, the client generates a second serial number, and after determining that the generated second serial number is the same as the first serial number, opens the user data, and the access device reads the opened user data by the client User data.
其中,所述客户端根据部署阶段接收到的所述第一随机数生成第一随机数生成器,然后将所述第二申请的申请时间和/或所述用户数据ID作为所述第一随机数生成器的输入参数,生成所述第二序列号,从而比较所述第一序列号与第二序列号是否相同。Wherein, the client generates a first random number generator according to the first random number received in the deployment phase, and then uses the application time of the second application and/or the user data ID as the first random number The input parameters of the number generator are used to generate the second serial number, so as to compare whether the first serial number and the second serial number are the same.
进一步的,本申请实施例中为了更好的保障系统传输过程中所述第一随机数和/或所述第一序列号的安全性,可对所述第一随机数和/或所述第一序列号进行加密传输,具体可以结合上述图2所述的内容,在此不进行赘述。Further, in the embodiment of the present application, in order to better guarantee the security of the first random number and/or the first sequence number during the transmission process of the system, the first random number and/or the first sequence number may be A serial number is encrypted and transmitted, which can be specifically combined with the content described in Figure 2 above, and will not be repeated here.
另外,基于上述图10所述的记录系统,如图12所示,本申请实施例还提供了另一种基于数据访问记录阶段进行访问行为的记录方法,具体包括以下步骤:In addition, based on the recording system described in FIG. 10, as shown in FIG. 12, an embodiment of the present application also provides another method for recording access behavior based on the data access recording phase, which specifically includes the following steps:
步骤1200,访问设备从云平台中获取用户数据以及用户数据ID。Step 1200: The access device obtains user data and user data ID from the cloud platform.
步骤1201,所述访问设备向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据。Step 1201: The access device sends a second application to the blockchain, where the second application is used to request to read the user data through the client.
所述第二申请包括所述客户端的标识ID以及所述用户数据ID,所述客户端的标识ID以及所述用户数据ID用于验证所述客户端具有打开所述用户数据的权限,所述用户数据ID还用于验证所述用户数据的真实性。The second application includes the identification ID of the client and the user data ID. The identification ID and the user data ID of the client are used to verify that the client has the authority to open the user data, and the user The data ID is also used to verify the authenticity of the user data.
步骤1202,区块链接收访问设备发送的第二申请。Step 1202: The blockchain receives the second application sent by the access device.
步骤1203,所述区块链确定所述客户端的标识ID有效;和/或确定所述用户数据ID有效。Step 1203: The blockchain determines that the identification ID of the client is valid; and/or determines that the user data ID is valid.
具体内容详见上述步骤1103,在此不进行赘述。For details, please refer to step 1103 above, which will not be repeated here.
步骤1204,所述区块链将所述第二申请发送给所述授权服务器。Step 1204: The blockchain sends the second application to the authorization server.
步骤1205,授权服务器通过区块链接收来自访问设备的第二申请。Step 1205: The authorization server receives the second application from the access device through the blockchain.
步骤1206,所述授权服务器生成第二随机数,以及所述授权服务器根据所述第二申请,生成第一序列号。Step 1206, the authorization server generates a second random number, and the authorization server generates a first serial number according to the second application.
具体的,所述授权服务器根据所述第二申请中的所述客户端的标识ID确定所述客户 端标识ID对应的第一随机数,然后,根据所述第一随机数以及所述第二随机数生成第一随机数生成器,然后将所述第二申请的申请时间和/或所述用户数据ID作为所述第一随机数生成器的输入参数,生成所述第一序列号。Specifically, the authorization server determines the first random number corresponding to the client identification ID according to the identification ID of the client in the second application, and then, according to the first random number and the second random number The number generates a first random number generator, and then uses the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the first serial number.
步骤1207,所述授权服务器将所述第一序列号以及所述第二随机数发送给所述区块链。Step 1207: The authorization server sends the first serial number and the second random number to the blockchain.
步骤1208,所述区块链接收所述授权服务器发送的第一序列号以及所述第二随机数,并将所述第一序列号以及所述第二随机数发送给所述访问设备。Step 1208: The blockchain receives the first serial number and the second random number sent by the authorization server, and sends the first serial number and the second random number to the access device.
具体内容详见上述步骤1108,在此不进行赘述。For details, please refer to step 1108 above, which will not be repeated here.
步骤1209,所述访问设备接收来自所述区块链的所述第一序列号以及所述第二随机数,并将所述第一序列号以及所述第二随机数输入所述客户端。Step 1209: The access device receives the first serial number and the second random number from the blockchain, and inputs the first serial number and the second random number to the client.
步骤1210,所述访问设备在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。In step 1210, the access device reads the user data opened by the client after the client has the right to open the user data according to the first serial number.
具体的,所述客户端将所述第二申请的申请时间和/或所述用户数据ID作为所述第一随机数生成器的输入参数,生成所述第二序列号。所述客户端在确定生成的第二序列号与所述第一序号相同后,打开的所述用户数据。所述访问设备阅读所述客户端打开的所述用户数据。Specifically, the client uses the application time of the second application and/or the user data ID as input parameters of the first random number generator to generate the second serial number. The client opens the user data after determining that the generated second serial number is the same as the first serial number. The access device reads the user data opened by the client.
进一步的,本申请实施例中为了更好的保障系统传输过程中所述第二随机数和/或所述第一序列号的安全性,可对所述第一随机数和/或所述第一序列号进行加密传输,具体可以结合上述图2所述的内容,在此不进行赘述。Further, in the embodiment of the present application, in order to better ensure the security of the second random number and/or the first sequence number during system transmission, the first random number and/or the first sequence number may be A serial number is encrypted and transmitted, which can be specifically combined with the content described in Figure 2 above, and will not be repeated here.
通过上述对本申请方案的介绍,可以理解的是,上述实现各设备为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Through the above introduction of the solution of the present application, it can be understood that, in order to realize the above functions, the above-mentioned realization devices include hardware structures and/or software modules corresponding to the respective functions. Those skilled in the art should easily realize that in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
基于以上实施例,如图13所示,本申请一种数据记录网元,该数据记录网元包括处理器1300、存储器1301和通信接口1302。Based on the above embodiment, as shown in FIG. 13, a data recording network element of the present application includes a processor 1300, a memory 1301, and a communication interface 1302.
处理器1300负责管理总线架构和通常的处理,存储器1301可以存储处理器1300在执行操作时所使用的数据。收发机通信接口1302用于在处理器1300的控制下接收和发送数据与存储器1301进行数据通信。The processor 1300 is responsible for managing the bus architecture and general processing, and the memory 1301 may store data used by the processor 1300 when performing operations. The transceiver communication interface 1302 is used to receive and send data under the control of the processor 1300 for data communication with the memory 1301.
所述处理器1300可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。所述处理器1300还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。存储器1301可以包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The processor 1300 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1300 may further include a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The memory 1301 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other various media that can store program codes.
所述处理器1300、所述存储器1301以及所述通信接口1302之间相互连接。可选的,所述处理器1300、所述存储器1301以及所述通信接口1302可以通过总线1303相互连接;所述总线1303可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图13中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The processor 1300, the memory 1301, and the communication interface 1302 are connected to each other. Optionally, the processor 1300, the memory 1301, and the communication interface 1302 may be connected to each other through a bus 1303; the bus 1303 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 13, but it does not mean that there is only one bus or one type of bus.
具体地,所述处理器1300,用于读取存储器1301中的程序并执行如图2所示的S200-S207中所述数据记录网元执行的方法流程;或执行如图9所示的S900-S906中所述数据记录网元执行的方法流程。Specifically, the processor 1300 is configured to read the program in the memory 1301 and execute the method procedure executed by the data recording network element in S200-S207 as shown in FIG. 2; or execute S900 as shown in FIG. -The process of the method executed by the data recording network element described in S906.
如图14所示,本申请提供一种数据记录网元,该数据记录网元包括:处理单元1400和通信单元1401;As shown in FIG. 14, the present application provides a data recording network element. The data recording network element includes: a processing unit 1400 and a communication unit 1401;
本申请实施例中一种可选的方式中,所述处理单元1400和所述通信单元1401用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1400 and the communication unit 1401 are configured to execute the following content:
所述处理单元1400,用于使用第一密钥对用户数据进行加密;通过区块链将所述第一密钥存储到数据库中;The processing unit 1400 is configured to use a first key to encrypt user data; store the first key in a database through a blockchain;
所述通信单元1401,用于接收所述区块链反馈的智能合约中第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;The communication unit 1401 is configured to receive the address of the first behavior in the smart contract fed back by the blockchain, and the first behavior is used to record that the data recording network element transfers the first behavior through the blockchain. The act of storing the key in the database;
所述处理单元1400,用于将所述加密后的用户数据以及所述第一行为的地址存储到云平台中。The processing unit 1400 is configured to store the encrypted user data and the address of the first behavior in a cloud platform.
本申请实施例中一种可选的方式中,所述处理单元1400和所述通信单元1401用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1400 and the communication unit 1401 are configured to execute the following content:
所述处理单元1400,用于将用户数据存储到云平台;The processing unit 1400 is configured to store user data on a cloud platform;
所述通信单元1401,用于确定所述用户数据成功存储到所述云平台后,向区块链发送所述用户数据的存储状态。The communication unit 1401 is configured to send the storage status of the user data to the blockchain after determining that the user data is successfully stored on the cloud platform.
基于以上实施例,如图15所示,本申请一种区块链,该区块链包括处理器1500、存储器1501和通信接口1502。Based on the above embodiment, as shown in FIG. 15, a blockchain of the present application includes a processor 1500, a memory 1501, and a communication interface 1502.
处理器1500负责管理总线架构和通常的处理,存储器1501可以存储处理器1500在执行操作时所使用的数据。收发机通信接口1502用于在处理器1500的控制下接收和发送数据与存储器1501进行数据通信。The processor 1500 is responsible for managing the bus architecture and general processing, and the memory 1501 can store data used by the processor 1500 when performing operations. The transceiver communication interface 1502 is used to receive and send data under the control of the processor 1500 for data communication with the memory 1501.
所述处理器1500可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。所述处理器1300还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。存储器1501可以包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码 的介质。The processor 1500 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1300 may further include a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The memory 1501 may include: a U disk, a mobile hard disk, a read-only memory (read-only memory, ROM), a random access memory (random access memory, RAM), a magnetic disk or an optical disk and other media that can store program codes.
所述处理器1500、所述存储器1501以及所述通信接口1502之间相互连接。可选的,所述处理器1500、所述存储器1501以及所述通信接口1502可以通过总线1503相互连接;所述总线1503可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图15中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The processor 1500, the memory 1501, and the communication interface 1502 are connected to each other. Optionally, the processor 1500, the memory 1501, and the communication interface 1502 may be connected to each other through a bus 1503; the bus 1503 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 15 to represent it, but it does not mean that there is only one bus or one type of bus.
具体地,所述处理器1500,用于读取存储器1501中的程序并执行如图2所示的S200-S207中所述区块链执行的方法流程;或执行如图4所示的S400-S408中所述区块链执行的方法流程;或执行如图5所示的S500-S508中所述区块链执行的方法流程;或执行如图7所示的S700-S710中所述区块链执行的方法流程;或执行如图9所示的S900-S906中所述区块链执行的方法流程;或执行如图11所示的S1100-S1111中所述区块链执行的方法流程;或执行如图12所示的S1200-S1212中所述区块链执行的方法流程。Specifically, the processor 1500 is configured to read the program in the memory 1501 and execute the method flow of the blockchain execution in S200-S207 as shown in FIG. 2; or execute S400- as shown in FIG. The process of the method executed by the blockchain in S408; or the process of the method executed by the blockchain in S500-S508 as shown in FIG. 5; or the block in S700-S710 as shown in FIG. 7 The method flow of chain execution; or the method flow of blockchain execution described in S900-S906 shown in FIG. 9; or the method flow of blockchain execution described in S1100-S1111 shown in FIG. 11; Or execute the method flow of the blockchain execution in S1200-S1212 as shown in FIG. 12.
如图16所示,本申请提供一种区块链,该区块链包括:处理单元1600和通信单元1601;As shown in FIG. 16, the present application provides a blockchain, which includes: a processing unit 1600 and a communication unit 1601;
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元,用于接收来自数据记录网元的第一密钥,并将所述第一密钥存储到数据库中;The communication unit is configured to receive a first key from a data recording network element, and store the first key in a database;
所述处理单元1600,用于通过智能合约记录第一行为以及所述第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;The processing unit 1600 is configured to record a first behavior and an address of the first behavior through a smart contract, and the first behavior is used to record that the data recording network element transfers the first secret through the blockchain The act of storing the key in the database;
所述通信单元1601,用于将所述第一行为的地址反馈给所述数据记录网元。The communication unit 1601 is configured to feed back the address of the first behavior to the data recording network element.
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元1601,用于接收来自访问设备的获取用户数据申请;所述获取用户数据申请中携带的智能合约中第一行为的地址;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The communication unit 1601 is configured to receive an application for acquiring user data from an access device; the address of the first action in the smart contract carried in the application for acquiring user data; The act of storing the first key in the database by the blockchain;
所述处理单元1600,用于确定所述访问设备验证成功后,根据所述第一行为从所述数据库中获取所述第一密钥;The processing unit 1600 is configured to obtain the first key from the database according to the first behavior after determining that the access device is successfully authenticated;
所述通信单元1601,用于将所述第一密钥发送给所述访问设备。The communication unit 1601 is configured to send the first key to the access device.
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元1601,用于接收来自访问设备的获取用户数据申请,所述获取用户数据申请中携带智能合约中第一行为的地址和加密后的用户数据块;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述用户数据块是所述用户数据的全部或部分;The communication unit 1601 is configured to receive an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first behavior in the smart contract and the encrypted user data block; the first behavior is used for recording The behavior of the data recording network element storing the first key in the database through the blockchain; the user data block is all or part of the user data;
所述处理单元1600,用于根据所述第一行为的地址,确定所述第一行为;The processing unit 1600 is configured to determine the first behavior according to the address of the first behavior;
所述通信单元1601,用于确定所述访问设备验证成功后,将所述第一行为和所述加密后的用户数据块发送给所述数据库;接收来自所述数据库的所述用户数据块,并将所述用 户数据块发送给所述访问设备。The communication unit 1601 is configured to send the first behavior and the encrypted user data block to the database after determining that the access device is successfully authenticated; receive the user data block from the database, And send the user data block to the access device.
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元1601,用于接收访问设备发送的第一申请,所述第一申请用于授予所述访问设备通过安装的客户端打开所述访问设备获取到的用户数据的权限;The communication unit 1601 is configured to receive a first application sent by an access device, where the first application is used to grant the access device the right to open the user data obtained by the access device through a client installed;
所述处理单元1600,用于确定所述访问设备通过验证;The processing unit 1600 is configured to determine that the access device passes verification;
所述通信单元1601,用于将所述第一申请发送授权服务器;接收来自所述授权服务器的第一随机数,并将所述第一随机数发送给所述访问设备,其中,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。The communication unit 1601 is configured to send the first application to an authorization server; receive a first random number from the authorization server, and send the first random number to the access device, wherein the first random number A random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right to open the user data.
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元1601,用于接收数据记录网元发送的用户数据的存储状态,所述存储状态用于指示所述数据记录网元将所述用户数据存储到云平台;The communication unit 1601 is configured to receive a storage state of user data sent by a data recording network element, where the storage state is used to instruct the data recording network element to store the user data in a cloud platform;
所述处理单元1600,用于在确定所述云平台中成功存储所述用户数据后,为所述用户数据分配用户数据ID;The processing unit 1600 is configured to allocate a user data ID to the user data after determining that the user data is successfully stored in the cloud platform;
所述通信单元1601,用于将所述用户数据ID发送给所述云平台。The communication unit 1601 is configured to send the user data ID to the cloud platform.
本申请实施例中一种可选的方式中,所述处理单元1600和所述通信单元1601用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1600 and the communication unit 1601 are configured to execute the following content:
所述通信单元1601,用于接收访问设备发送的第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;The communication unit 1601 is configured to receive a second application sent by an access device, where the second application is used to request to read the user data through the client;
所述处理单元1600,用于确定所述访问设备通过验证;The processing unit 1600 is configured to determine that the access device passes verification;
所述通信单元1601,用于将所述第二申请发送给授权服务器;接收所述授权服务器发送的第一序列号,并将所述第一序列号发送给所述访问设备。The communication unit 1601 is configured to send the second application to the authorization server; receive the first serial number sent by the authorization server, and send the first serial number to the access device.
基于以上实施例,如图17所示,本申请一种数据库,该数据库包括处理器1700、存储器1701和通信接口1702。Based on the above embodiment, as shown in FIG. 17, a database of the present application includes a processor 1700, a memory 1701, and a communication interface 1702.
处理器1700负责管理总线架构和通常的处理,存储器1701可以存储处理器1700在执行操作时所使用的数据。收发机通信接口1702用于在处理器1700的控制下接收和发送数据与存储器1701进行数据通信。The processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1701 can store data used by the processor 1700 when performing operations. The transceiver communication interface 1702 is used for receiving and sending data under the control of the processor 1700 for data communication with the memory 1701.
所述处理器1700可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。所述处理器1700还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。存储器1701可以包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The processor 1700 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1700 may further include a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The memory 1701 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other various media that can store program codes.
所述处理器1700、所述存储器1701以及所述通信接口1702之间相互连接。可选的,所述处理器1700、所述存储器1701以及所述通信接口1702可以通过总线1703相互连接; 所述总线1703可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图17中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The processor 1700, the memory 1701, and the communication interface 1702 are connected to each other. Optionally, the processor 1700, the memory 1701, and the communication interface 1702 may be connected to each other through a bus 1703; the bus 1703 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 17, but it does not mean that there is only one bus or one type of bus.
具体地,所述处理器1700,用于读取存储器1701中的程序并执行如图2所示的S200-S207中所述数据库执行的方法流程;或执行如图4所示的S400-S408中所述数据库执行的方法流程;或执行如图5所示的S500-S508中所述数据库执行的方法流程。Specifically, the processor 1700 is configured to read the program in the memory 1701 and execute the method flow of the database execution in S200-S207 as shown in FIG. 2; or execute the method in S400-S408 as shown in FIG. The process of the method executed by the database; or the process of the method executed by the database in S500-S508 as shown in FIG. 5.
如图18所示,本申请提供一种数据库,该数据库包括:处理单元1800和通信单元1801;As shown in FIG. 18, the present application provides a database, which includes: a processing unit 1800 and a communication unit 1801;
本申请实施例中一种可选的方式中,所述处理单元1800和所述通信单元1801用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1800 and the communication unit 1801 are configured to execute the following content:
所述通信单元1801,用于通过区块链接收来自数据记录网元的第一密钥;The communication unit 1801 is configured to receive the first key from the data recording network element through the blockchain;
所述处理单元1800,用于存储所述第一密钥,并记录所述存储地址;The processing unit 1800 is configured to store the first key and record the storage address;
所述通信单元1801,用于将所述存储地址发送给所述区块链,以使所述区块链根据所述存储地址记录第一行为;The communication unit 1801 is configured to send the storage address to the blockchain, so that the blockchain records the first behavior according to the storage address;
其中,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为。Wherein, the first behavior is used to record the behavior of the data recording network element storing the first key in the database through the blockchain.
本申请实施例中一种可选的方式中,所述处理单元1800和所述通信单元1801用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1800 and the communication unit 1801 are configured to execute the following content:
所述通信单元1801,用于接收区块链在确定访问设备验证成功后发送的验证成功的结果以及智能合约中的第一行为;所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The communication unit 1801 is configured to receive the successful verification result and the first behavior in the smart contract sent by the blockchain after determining that the access device is successfully verified; the first behavior is used to record that the data recording network element passes through the zone The act of storing the first key in the database by the block chain;
所述处理单元1800,用于在确定所述验证成功的结果有效后,根据所述第一行为确定第一密钥;The processing unit 1800 is configured to determine a first key according to the first behavior after determining that the result of the successful verification is valid;
所述通信单元1801,用于将所述第一密钥通过区块链发送给所述访问设备;The communication unit 1801 is configured to send the first key to the access device through the blockchain;
所述第一密钥用于解密访问设备从云平台获取的加密后的用户数据。The first key is used to decrypt the encrypted user data obtained by the access device from the cloud platform.
本申请实施例中一种可选的方式中,所述处理单元1800和所述通信单元1801用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 1800 and the communication unit 1801 are configured to execute the following content:
所述通信单元1801,用于接收区块链在确定访问设备验证成功后发送的验证成功的结果、智能合约中的第一行为以及加密后的用户数据块;其中,所述第一行为和所述加密后的用户数据块是所述区块链从接收到的访问设备发送的获取用户数据申请中得到的,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;所述用户数据块是所述用户数据的全部或部分;The communication unit 1801 is configured to receive the successful verification result, the first behavior in the smart contract, and the encrypted user data block sent by the blockchain after determining that the access device is successfully verified; The encrypted user data block is obtained by the block chain from the received user data acquisition application sent by the access device, and the first line is used to record the data recording network element through the block chain. The act of storing the key in the database; the user data block is all or part of the user data;
所述处理单元1800,用于确定所述验证成功的结果有效后,根据所述第一行为确定所述用户数据块;The processing unit 1800 is configured to determine the user data block according to the first behavior after determining that the result of the successful verification is valid;
所述通信单元1801,用于将所述用户数据块通过所述区块链发送给所述访问设备。The communication unit 1801 is configured to send the user data block to the access device through the blockchain.
基于以上实施例,如图19所示,本申请一种访问设备,该访问设备包括处理器1900、存储器1901和通信接口1902。Based on the above embodiment, as shown in FIG. 19, an access device of the present application includes a processor 1900, a memory 1901, and a communication interface 1902.
处理器1900负责管理总线架构和通常的处理,存储器1901可以存储处理器1900在执行操作时所使用的数据。收发机通信接口1902用于在处理器1900的控制下接收和发送数据与存储器1901进行数据通信。The processor 1900 is responsible for managing the bus architecture and general processing, and the memory 1901 can store data used by the processor 1900 when performing operations. The transceiver communication interface 1902 is used to receive and send data under the control of the processor 1900 for data communication with the memory 1901.
所述处理器1900可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。所述处理器1900还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。存储器1901可以包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The processor 1900 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1900 may further include a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The memory 1901 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other media that can store program codes.
所述处理器1900、所述存储器1901以及所述通信接口1902之间相互连接。可选的,所述处理器1900、所述存储器1901以及所述通信接口1902可以通过总线1903相互连接;所述总线1903可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图19中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The processor 1900, the memory 1901, and the communication interface 1902 are connected to each other. Optionally, the processor 1900, the memory 1901, and the communication interface 1902 may be connected to each other through a bus 1903; the bus 1903 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used to represent in FIG. 19, but it does not mean that there is only one bus or one type of bus.
具体地,所述处理器1900,用于读取存储器1901中的程序并执行如图4所示的S400-S408中所述访问设备执行的方法流程;或执行如图5所示的S500-S508中所述访问设备执行的方法流程;或执行如图7所示的S700-S710中所述访问设备执行的方法流程;或执行如图11所示的S1100-S1111中所述访问设备执行的方法流程;或执行如图12所示的S1200-S1212中所述访问设备执行的方法流程。Specifically, the processor 1900 is configured to read the program in the memory 1901 and execute the method procedure executed by the access device in S400-S408 as shown in FIG. 4; or execute S500-S508 as shown in FIG. The process of the method executed by the access device described in FIG. 7; or the process of the method executed by the access device described in S700-S710 shown in FIG. 7; or the method executed by the access device described in S1100-S1111 shown in FIG. Flow; or execute the method flow executed by the access device described in S1200-S1212 as shown in FIG. 12.
如图20所示,本申请提供一种访问设备,该访问设备包括:处理单元2000和通信单元2001;As shown in FIG. 20, the present application provides an access device, the access device includes: a processing unit 2000 and a communication unit 2001;
本申请实施例中一种可选的方式中,所述处理单元2000和所述通信单元2001用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2000 and the communication unit 2001 are configured to execute the following content:
所述通信单元2001,用于从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The communication unit 2001 is used to obtain the encrypted user data and the address in the blockchain of the first behavior in the smart contract from the cloud platform, and the first behavior is used to record the data recording network element passing the block The act of storing the first key in the database by the chain;
所述处理单元2000,用于向所述区块链进行获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址;The processing unit 2000 is configured to apply to the blockchain for obtaining user data, and the user data obtaining request carries the address of the first action;
所述通信单元2001,用于在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的第一密钥;The communication unit 2001 is configured to receive the first key from the blockchain after verifying the identity of the access device through the blockchain;
所述处理单元2000,用于使用所述第一密钥对所述加密后的用户数据进行解密。The processing unit 2000 is configured to use the first key to decrypt the encrypted user data.
本申请实施例中一种可选的方式中,所述处理单元2000和所述通信单元2001用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2000 and the communication unit 2001 are configured to execute the following content:
所述处理单元2000,用于从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储 到数据库的行为;The processing unit 2000 is configured to obtain the encrypted user data and the address in the blockchain of the first behavior in the smart contract from the cloud platform, and the first behavior is used to record the data recording network element passing the block The act of storing the first key in the database by the chain;
所述通信单元2001,用于向区块链发送获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址和加密后的用户数据块,所述用户数据块是所述用户数据的全部或部分;在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的所述用户数据块。The communication unit 2001 is configured to send an application for acquiring user data to the blockchain, and the application for acquiring user data carries the address of the first action and an encrypted user data block, and the user data block is the user All or part of the data; after verifying the identity of the access device by the blockchain, receiving the user data block from the blockchain.
本申请实施例中一种可选的方式中,所述处理单元2000和所述通信单元2001用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2000 and the communication unit 2001 are configured to execute the following content:
所述处理单元2000,用于安装客户端,并通过区块链向授权服务器发送第一申请,所述第一申请用于授予所述客户端打开所述访问设备获取到的用户数据的权限;The processing unit 2000 is configured to install a client and send a first application to the authorization server through the blockchain, the first application being used to grant the client the right to open the user data obtained by the access device;
所述通信单元2001,用于通过区块链接收来自所述授权服务器的第一随机数,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。The communication unit 2001 is configured to receive a first random number from the authorization server via a blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify the client Whether the terminal has the right to open the user data.
本申请实施例中一种可选的方式中,所述处理单元2000和所述通信单元2001用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2000 and the communication unit 2001 are configured to execute the following content:
所述处理单元2000,用于从云平台获取用户数据以及用户数据ID;The processing unit 2000 is configured to obtain user data and user data ID from a cloud platform;
所述通信单元2001,用于向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;接收来自区块链发送的第一序列号;The communication unit 2001 is configured to send a second application to the blockchain, where the second application is used to request the client to read the user data; receive the first serial number sent from the blockchain;
所述处理单元2000,用于将所述第一序列号输入所述客户端;在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。The processing unit 2000 is configured to input the first serial number into the client; after the client determines the right to open the user data according to the first serial number, read the user data opened by the client The user data.
基于以上实施例,如图21所示,本申请一种授权服务器,该授权服务器包括处理器2100、存储器2101和通信接口2102。Based on the above embodiment, as shown in FIG. 21, an authorization server of the present application includes a processor 2100, a memory 2101, and a communication interface 2102.
处理器2100负责管理总线架构和通常的处理,存储器2101可以存储处理器2100在执行操作时所使用的数据。收发机通信接口2102用于在处理器2100的控制下接收和发送数据与存储器2101进行数据通信。The processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2101 can store data used by the processor 2100 when performing operations. The transceiver communication interface 2102 is used to receive and send data under the control of the processor 2100 for data communication with the memory 2101.
所述处理器2100可以是中央处理器(central processing unit,CPU),网络处理器(network processor,NP)或者CPU和NP的组合。所述处理器2100还可以进一步包括硬件芯片。上述硬件芯片可以是专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。上述PLD可以是复杂可编程逻辑器件(complex programmable logic device,CPLD),现场可编程逻辑门阵列(field-programmable gate array,FPGA),通用阵列逻辑(generic array logic,GAL)或其任意组合。存储器2101可以包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The processor 2100 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 2100 may further include a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The memory 2101 may include: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disk and other media that can store program codes.
所述处理器2100、所述存储器2101以及所述通信接口2102之间相互连接。可选的,所述处理器2100、所述存储器2101以及所述通信接口2102可以通过总线2103相互连接;所述总线2103可以是外设部件互连标准(peripheral component interconnect,PCI)总线或扩展工业标准结构(extended industry standard architecture,EISA)总线等。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图21中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。The processor 2100, the memory 2101, and the communication interface 2102 are connected to each other. Optionally, the processor 2100, the memory 2101, and the communication interface 2102 may be connected to each other through a bus 2103; the bus 2103 may be a peripheral component interconnect (PCI) bus or an extended industry Standard structure (extended industry standard architecture, EISA) bus, etc. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 21 to represent it, but it does not mean that there is only one bus or one type of bus.
具体地,所述处理器2100,用于读取存储器2101中的程序并执行如图7所示的S700-S710中所述授权服务器执行的方法流程;或执行如图11所示的S1100-S1111中所述授权服务器执行的方法流程;或执行如图12所示的S1200-S1212中所述授权服务器执行的方法流程。Specifically, the processor 2100 is configured to read the program in the memory 2101 and execute the method flow executed by the authorization server in S700-S710 as shown in FIG. 7; or execute S1100-S1111 as shown in FIG. The method flow executed by the authorization server in the above; or the method flow executed by the authorization server in S1200-S1212 shown in FIG. 12 is executed.
如图22所示,本申请提供一种授权服务器,该授权服务器包括:处理单元2200和通信单元2201;As shown in FIG. 22, this application provides an authorization server. The authorization server includes: a processing unit 2200 and a communication unit 2201;
本申请实施例中一种可选的方式中,所述处理单元2200和所述通信单元2201用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2200 and the communication unit 2201 are configured to execute the following content:
所述通信单元2201,用于通过区块链接收访问设备发送的第一申请,所述第一申请用于授予所述访问设备通过安装的客户端打开所述访问设备获取到的用户数据的权限;The communication unit 2201 is configured to receive a first application sent by an access device through the blockchain, and the first application is used to grant the access device the right to open the user data obtained by the access device through the installed client terminal ;
所述处理单元2200,用于生成第一随机数;The processing unit 2200 is configured to generate a first random number;
所述通信单元2201,用于将所述第一随机数发送给所述访问设备,其中,所述第一随机数用于所述客户端验证是否有权打开所述用户数据。The communication unit 2201 is configured to send the first random number to the access device, where the first random number is used for the client to verify whether it has the right to open the user data.
本申请实施例中一种可选的方式中,所述处理单元2200和所述通信单元2201用于执行下述内容:In an optional manner in the embodiment of the present application, the processing unit 2200 and the communication unit 2201 are configured to execute the following content:
所述处理单元2200,用于从云平台获取用户数据以及用户数据ID;The processing unit 2200 is configured to obtain user data and user data ID from the cloud platform;
所述通信单元2201,用于向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;接收来自区块链发送的第一序列号;The communication unit 2201 is configured to send a second application to the blockchain, and the second application is used to request to read the user data through the client; and receive the first serial number sent from the blockchain;
所述处理单元2200,用于将所述第一序列号输入所述客户端;在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。The processing unit 2200 is configured to input the first serial number into the client; after the client determines the right to open the user data according to the first serial number, read the client opened The user data.
所述程序产品可以采用一个或多个可读介质的任意组合。可读介质可以是可读信号介质或者可读存储介质。可读存储介质例如可以是——但不限于——电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。可读存储介质的更本申请实施例一种实现方式中例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。The program product can use any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or a combination of any of the above. Modifications of the readable storage medium. Examples (non-exhaustive list) in one implementation of the embodiments of the present application include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read-only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
根据本申请的实施方式的用于访问行为的记录的程序产品,其可以采用便携式紧凑盘只读存储器(CD-ROM)并包括程序代码,并可以在服务器设备上运行。然而,本申请的程序产品不限于此,在本文件中,可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被信息传输、装置或者器件使用或者与其结合使用。The program product for recording access behavior according to the embodiment of the present application may adopt a portable compact disk read-only memory (CD-ROM) and include program code, and may run on a server device. However, the program product of this application is not limited to this. In this document, the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with information transmission, devices, or devices.
可读信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了可读程序代码。这种传播的数据信号可以采用多种形式,包括——但不限于——电磁信号、光信号或上述的任意合适的组合。可读信号介质还可以是可读存储介质以外的任何可读介质,该可读介质可以发送、传播或者传输用于由周期网络动作系统、装置或者器件使用或者与其结合使用的程序。The readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. The readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with a periodic network action system, apparatus, or device.
可读介质上包含的程序代码可以用任何适当的介质传输,包括——但不限于——无线、有线、光缆、RF等,或者上述的任意合适的组合。The program code contained on the readable medium can be transmitted by any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
可以以一种或多种程序设计语言的任意组合来编写用于执行本申请操作的程序代码, 所述程序设计语言包括面向对象的程序设计语言—诸如Java、C++等,还包括常规的过程式程序设计语言—诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算设备上执行、部分地在用户设备上执行、作为一个独立的软件包执行、部分在用户计算设备上部分在远程计算设备上执行、或者完全在远程计算设备或服务器上执行。在涉及远程计算设备的情形中,远程计算设备可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)—连接到用户计算设备,或者,可以连接到外部计算设备。The program code used to perform the operations of this application can be written in any combination of one or more programming languages. The programming languages include object-oriented programming languages—such as Java, C++, etc., as well as conventional procedural programming languages. Programming language-such as "C" language or similar programming language. The program code can be executed entirely on the user's computing device, partly on the user's device, executed as an independent software package, partly on the user's computing device and partly executed on the remote computing device, or entirely on the remote computing device or server Executed on. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device.
本申请实施例针对访问行为的记录的方法还提供一种计算设备可读存储介质,即断电后内容不丢失。该存储介质中存储软件程序,包括程序代码,当所述程序代码在计算设备上运行时,该软件程序在被一个或多个处理器读取并执行时可实现本申请实施例上面任何一种访问行为的记录的方案。The method for recording access behaviors in the embodiments of the present application also provides a storage medium readable by a computing device, that is, the content is not lost after a power failure. The storage medium stores a software program, including program code. When the program code runs on a computing device, the software program can implement any of the above embodiments of the present application when it is read and executed by one or more processors. The scheme of the recording of the access behavior.
以上参照示出根据本申请实施例的方法、装置(系统)和/或计算机程序产品的框图和/或流程图描述本申请。应理解,可以通过计算机程序指令来实现框图和/或流程图示图的一个块以及框图和/或流程图示图的块的组合。可以将这些计算机程序指令提供给通用计算机、专用计算机的处理器和/或其它可编程数据处理装置,以产生机器,使得经由计算机处理器和/或其它可编程数据处理装置执行的指令创建用于实现框图和/或流程图块中所指定的功能/动作的方法。The foregoing describes the present application with reference to block diagrams and/or flowcharts illustrating methods, devices (systems) and/or computer program products according to embodiments of the present application. It should be understood that one block of the block diagram and/or flowchart diagram and a combination of the blocks in the block diagram and/or flowchart diagram can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, and/or other programmable data processing devices to produce a machine, so that the instructions executed via the computer processor and/or other programmable data processing device are created for A method of implementing the functions/actions specified in the block diagrams and/or flowchart blocks.
相应地,还可以用硬件和/或软件(包括固件、驻留软件、微码等)来实施本申请。更进一步地,本申请可以采取计算机可使用或计算机可读存储介质上的计算机程序产品的形式,其具有在介质中实现的计算机可使用或计算机可读程序代码,以由指令执行系统来使用或结合指令执行系统而使用。在本申请上下文中,计算机可使用或计算机可读介质可以是任意介质,其可以包含、存储、通信、传输、或传送程序,以由指令执行系统、装置或设备使用,或结合指令执行系统、装置或设备使用。Correspondingly, hardware and/or software (including firmware, resident software, microcode, etc.) can also be used to implement this application. Furthermore, this application may take the form of a computer program product on a computer-usable or computer-readable storage medium, which has a computer-usable or computer-readable program code implemented in the medium to be used or used by the instruction execution system. Used in conjunction with the instruction execution system. In the context of this application, a computer-usable or computer-readable medium can be any medium that can contain, store, communicate, transmit, or transmit a program for use by an instruction execution system, apparatus, or device, or in combination with an instruction execution system, Device or equipment use.
尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。Although the application has been described in combination with specific features and embodiments, it is obvious that various modifications and combinations can be made without departing from the spirit and scope of the application. Correspondingly, the specification and drawings are merely exemplary descriptions of the application as defined by the appended claims, and are deemed to cover any and all modifications, changes, combinations or equivalents within the scope of the application. Obviously, those skilled in the art can make various changes and modifications to the application without departing from the scope of the application. In this way, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application also intends to include these modifications and variations.

Claims (46)

  1. 一种访问行为的记录方法,其特征在于,包括:A method for recording access behavior, which is characterized in that it includes:
    访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The access device obtains the encrypted user data from the cloud platform and the address of the first action in the smart contract in the blockchain, and the first action is used to record the data recording network element transfers the first key through the blockchain The behavior of storing to the database;
    所述访问设备向所述区块链发送获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址;The access device sends an application for obtaining user data to the blockchain, and the application for obtaining user data carries the address of the first behavior;
    所述访问设备在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的第一密钥;The access device receives the first key from the blockchain after verifying the identity of the access device through the blockchain;
    所述访问设备使用所述第一密钥对所述加密后的用户数据进行解密。The access device uses the first key to decrypt the encrypted user data.
  2. 如权利要求1所述的方法,其特征在于,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。The method according to claim 1, wherein the application for obtaining user data includes a third key, and the third key is used by the database to encrypt the first key to obtain the first key. 2. Encrypted information.
  3. 如权利要求2所述的方法,其特征在于,所述访问设备接收来自所述区块链的所述第一密钥,包括:所述访问设备接收来自所述区块链的第二加密信息;The method of claim 2, wherein the access device receiving the first key from the blockchain comprises: the access device receiving second encrypted information from the blockchain ;
    所述方法还包括:所述访问设备对所述第二加密信息进行解密,获取所述第一密钥。The method further includes: the access device decrypts the second encrypted information to obtain the first key.
  4. 如权利要求1~3任一项所述的方法,其特征在于,所述访问设备在通过所述区块链的验证后,接收来自所述区块链的所述第一密钥,包括:The method according to any one of claims 1 to 3, wherein after the access device passes the verification of the blockchain, receiving the first key from the blockchain comprises:
    所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述第一密钥。The access device receives the first key from the blockchain after passing the verification of no less than a threshold number of nodes in the blockchain.
  5. 一种访问行为的记录方法,其特征在于,包括:A method for recording access behavior, which is characterized in that it includes:
    区块链接收来自访问设备的获取用户数据申请,所述获取用户数据申请中携带智能合约中第一行为的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The blockchain receives an application for acquiring user data from an access device, and the application for acquiring user data carries the address of the first behavior in the smart contract, and the first behavior is used to record the data recording network element through the blockchain. The act of storing a key in the database;
    所述区块链确定所述访问设备验证成功后,根据所述第一行为从所述数据库中获取所述第一密钥;After the blockchain determines that the access device is successfully verified, obtain the first key from the database according to the first behavior;
    所述区块链将所述第一密钥发送给所述访问设备。The blockchain sends the first key to the access device.
  6. 如权利要求5所述的方法,其特征在于,所述区块链确定所述访问设备验证成功后,根据所述第一行为从所述数据库中获取所述第一密钥,包括:The method of claim 5, wherein after the blockchain determines that the access device is successfully verified, obtaining the first key from the database according to the first behavior comprises:
    所述区块链确定所述访问设备验证成功后,将验证成功的结果以及所述第一行为发送给所述数据库;After the blockchain determines that the access device is successfully verified, it sends the result of the successful verification and the first behavior to the database;
    所述区块链接收所述数据库的第一密钥。The blockchain receives the first key of the database.
  7. 如权利要求6所述的方法,其特征在于,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。The method according to claim 6, wherein the application for obtaining user data includes a third key, and the third key is used by the database to encrypt the first key to obtain the first key. 2. Encrypted information.
  8. 如权利要求7所述的方法,其特征在于,所述区块链确定所述访问设备验证成功后,将验证成功的结果以及所述第一行为发送给所述数据库,包括:The method according to claim 7, wherein after the blockchain determines that the access device is successfully verified, sending the result of the successful verification and the first behavior to the database, comprising:
    所述区块链确定所述访问设备验证成功后,将所述验证成功的结果、所述第一行为以及所述第三密钥发送给所述数据库。After the blockchain determines that the access device is successfully verified, it sends the result of the successful verification, the first behavior, and the third key to the database.
  9. 如权利要求8所述的方法,其特征在于,所述区块链根据所述第一行为从所述数据库中获取所述第一密钥,将所述第一密钥发送给所述访问设备,包括:The method of claim 8, wherein the blockchain obtains the first key from the database according to the first behavior, and sends the first key to the access device ,include:
    所述区块链根据所述第一行为从所述数据库中获取第二加密信息,所述第二加密信息是所述数据库通过所述第三密钥对所述第一密钥加密后得到的;The blockchain obtains second encrypted information from the database according to the first behavior, and the second encrypted information is obtained after the database encrypts the first key with the third key ;
    所述区块链将所述第二加密信息发送给所述访问设备。The blockchain sends the second encrypted information to the access device.
  10. 如权利要求5~9任一项所述的方法,其特征在于,所述区块链确定所述访问设备验证成功,包括:The method according to any one of claims 5 to 9, wherein the blockchain determining that the access device is successfully verified includes:
    所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,则所述区块链确定所述访问设备验证成功。After the access device passes the verification of no less than a threshold number of nodes in the blockchain, the blockchain determines that the access device is successfully verified.
  11. 如权利要求5~10任一项所述的方法,其特征在于,所述区块链将所述第一密钥发送给所述访问设备之前,还包括:The method according to any one of claims 5 to 10, wherein before the blockchain sends the first key to the access device, the method further comprises:
    所述区块链将第二行为记录到所述智能合约中;The block chain records the second behavior in the smart contract;
    其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。Wherein, the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
  12. 一种访问行为的记录方法,其特征在于,包括:A method for recording access behavior, which is characterized in that it includes:
    访问设备从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The access device obtains the encrypted user data from the cloud platform and the address of the first action in the smart contract in the blockchain, and the first action is used to record the data recording network element transfers the first key through the blockchain The behavior of storing to the database;
    所述访问设备向区块链发送获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址和加密后的用户数据块,所述用户数据块是所述用户数据的全部或部分;The access device sends an application for obtaining user data to the blockchain, and the application for obtaining user data carries the address of the first action and an encrypted user data block, and the user data block is all or all of the user data. part;
    所述访问设备在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的所述用户数据块。The access device receives the user data block from the blockchain after verifying the identity of the access device through the blockchain.
  13. 如权利要求12所述的方法,其特征在于,所述访问设备接收来自所述区块链的所述用户数据块,包括:The method according to claim 12, wherein the receiving of the user data block from the blockchain by the access device comprises:
    所述访问设备接收来自所述区块链的添加水印标记的所述用户数据块。The access device receives the watermarked user data block from the blockchain.
  14. 如权利要求12或13所述的方法,其特征在于,所述访问设备在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的所述用户数据块,包括:The method according to claim 12 or 13, wherein the access device receives the user data block from the blockchain after verifying the identity of the access device through the blockchain, include:
    所述访问设备在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述用户数据块。The access device receives the user data block from the blockchain after passing the verification of no less than a threshold number of nodes in the blockchain.
  15. 一种访问行为的记录方法,其特征在于,包括:A method for recording access behavior, which is characterized in that it includes:
    访问设备从云平台获取用户数据以及用户数据ID;The access device obtains user data and user data ID from the cloud platform;
    所述访问设备向区块链发送第二申请,所述第二申请用于请求通过客户端阅读所述用户数据;The access device sends a second application to the blockchain, where the second application is used to request to read the user data through the client;
    所述访问设备接收来自区块链发送的第一序列号;The access device receives the first serial number sent from the blockchain;
    所述访问设备将所述第一序列号输入所述客户端;The access device inputs the first serial number into the client;
    所述访问设备在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。The access device reads the user data opened by the client after determining that the client has the right to open the user data according to the first serial number.
  16. 如权利要求15所述的方法,其特征在于,之前还包括:The method according to claim 15, characterized in that it further comprises:
    所述访问设备安装所述客户端,并通过区块链向授权服务器发送第一申请,所述第一申请用于授予所述客户端打开所述用户数据的权限;The access device installs the client, and sends a first application to the authorization server through the blockchain, where the first application is used to grant the client the right to open the user data;
    所述访问设备通过区块链接收来自所述授权服务器的第一随机数,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。The access device receives a first random number from the authorization server through the blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right Open the user data.
  17. 如权利要求16所述的方法,其特征在于,还包括:The method of claim 16, further comprising:
    所述访问设备将所述第一随机数提供给所述客户端以生成第一随机数生成器;The access device provides the first random number to the client to generate a first random number generator;
    所述第二序列号是所述客户端将所述第二申请的时间、所述用户数据ID、或所述客户端的标识ID中的一项或多项输入所述第一随机数生成器后生成的。The second serial number is after the client enters one or more of the time of the second application, the user data ID, or the identification ID of the client into the first random number generator Generated.
  18. 如权利要求17所述的方法,其特征在于,所述访问设备在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据,包括:The method of claim 17, wherein the access device reads the user data opened by the client after the client has the right to open the user data according to the first serial number ,include:
    所述访问设备在所述客户端确定所述第二序列号与所述第一序号相同后,阅读所述客户端打开的所述用户数据。After the client determines that the second serial number is the same as the first serial number, the access device reads the user data opened by the client.
  19. 一种访问行为的记录方法,其特征在于,包括:A method for recording access behavior, which is characterized in that it includes:
    数据记录网元使用第一密钥对用户数据进行加密;The data recording network element uses the first key to encrypt user data;
    所述数据记录网元通过区块链将所述第一密钥存储到数据库中;The data recording network element stores the first key in a database through a blockchain;
    所述数据记录网元接收所述区块链反馈的智能合约中第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;The data recording network element receives the address of the first behavior in the smart contract fed back by the blockchain, and the first behavior is used to record that the data recording network element transfers the first key through the blockchain The act of storing in the database;
    所述数据记录网元将所述加密后的用户数据以及所述第一行为的地址存储到云平台中。The data recording network element stores the encrypted user data and the address of the first behavior in a cloud platform.
  20. 如权利要求19所述的方法,其特征在于,所述数据记录网元通过区块链将所述第一密钥存储到数据库中,包括:The method of claim 19, wherein the data recording network element stores the first key in a database via a blockchain, comprising:
    所述数据记录网元使用第二密钥对所述第一密钥进行加密,得到第一加密信息,并将所述第一加密信息通过所述区块链存储到所述数据库中。The data recording network element encrypts the first key using a second key to obtain first encrypted information, and stores the first encrypted information in the database through the blockchain.
  21. 一种访问行为的记录装置,其特征在于,包括:处理单元和通信单元;An access behavior recording device, which is characterized by comprising: a processing unit and a communication unit;
    所述通信单元,用于从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The communication unit is used to obtain encrypted user data from the cloud platform and the address of the first behavior in the smart contract in the blockchain, and the first behavior is used to record the data recording network element through the blockchain The act of storing the first key in the database;
    所述处理单元,用于向所述区块链发送获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址;The processing unit is configured to send an application for acquiring user data to the blockchain, and the application for acquiring user data carries the address of the first action;
    所述通信单元,用于在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的第一密钥;The communication unit is configured to receive the first key from the blockchain after verifying the identity of the access device through the blockchain;
    所述处理单元,用于使用所述第一密钥对所述加密后的用户数据进行解密。The processing unit is configured to use the first key to decrypt the encrypted user data.
  22. 如权利要求21所述的装置,其特征在于,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。The device according to claim 21, wherein the user data acquisition application includes a third key, and the third key is used by the database to encrypt the first key to obtain the first key. 2. Encrypted information.
  23. 如权利要求22所述的装置,其特征在于,所述通信单元具体用于:The device according to claim 22, wherein the communication unit is specifically configured to:
    接收来自所述区块链的第二加密信息;Receiving second encrypted information from the blockchain;
    所述处理单元还用于:The processing unit is also used for:
    对所述第二加密信息进行解密,获取所述第一密钥。Decrypt the second encrypted information to obtain the first key.
  24. 如权利要求21~23任一项所述的装置,其特征在于,所述通信单元用于:The device according to any one of claims 21 to 23, wherein the communication unit is configured to:
    在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述第一密钥。After passing verification of no less than a threshold number of nodes in the blockchain, receiving the first key from the blockchain.
  25. 一种访问行为的记录装置,其特征在于,包括:处理单元和通信单元;An access behavior recording device, which is characterized by comprising: a processing unit and a communication unit;
    所述通信单元,用于接收来自访问设备的获取用户数据申请,所述获取用户数据申请中携带的智能合约中第一行为的地址,所述第一行为用于记录数据记录网元通过所述区块 链将第一密钥存储到数据库的行为;The communication unit is configured to receive an application for acquiring user data from an access device, the address of the first behavior in the smart contract carried in the request for acquiring user data, and the first behavior is used to record that the data recording network element passes through the The act of storing the first key in the database by the blockchain;
    所述处理单元,用于确定所述访问设备验证成功后,根据所述第一行为从所述数据库中获取所述第一密钥;The processing unit is configured to obtain the first key from the database according to the first behavior after determining that the access device is successfully authenticated;
    所述通信单元,用于将所述第一密钥发送给所述访问设备。The communication unit is configured to send the first key to the access device.
  26. 如权利要求25所述的装置,其特征在于,所述通信单元具体用于:The device according to claim 25, wherein the communication unit is specifically configured to:
    确定所述访问设备验证成功后,将验证成功的结果以及所述第一行为发送给所述数据库;After determining that the access device is successfully verified, sending the result of the successful verification and the first behavior to the database;
    接收所述数据库的第一密钥。The first key of the database is received.
  27. 如权利要求26所述的装置,其特征在于,所述获取用户数据申请包括第三密钥,所述第三密钥用于所述数据库对所述第一密钥进行加密,得到所述第二加密信息。The device according to claim 26, wherein the application for obtaining user data includes a third key, and the third key is used by the database to encrypt the first key to obtain the first key. 2. Encrypted information.
  28. 如权利要求27所述的装置,其特征在于,所述通信单元具体用于:The device according to claim 27, wherein the communication unit is specifically configured to:
    确定所述访问设备验证成功后,将所述验证成功的结果、所述第一行为以及所述第三密钥发送给所述数据库。After it is determined that the access device is successfully verified, the result of the successful verification, the first behavior, and the third key are sent to the database.
  29. 如权利要求28所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 28, wherein the processing unit is specifically configured to:
    根据所述第一行为从所述数据库中获取第二加密信息,所述第二加密信息是所述数据库通过所述第三密钥对所述第一密钥加密后得到的;Acquiring second encrypted information from the database according to the first behavior, where the second encrypted information is obtained by the database after encrypting the first key with the third key;
    所述通信单元具体用于:The communication unit is specifically used for:
    将所述第二加密信息发送给所述访问设备。Sending the second encrypted information to the access device.
  30. 如权利要求25~29任一项所述的装置,其特征在于,所述处理单元具体用于:The device according to any one of claims 25-29, wherein the processing unit is specifically configured to:
    确定不小于阈值数量的节点对所述访问设备验证成功。It is determined that the number of nodes that is not less than the threshold value successfully verifies the access device.
  31. 如权利要求25~30任一项所述的装置,其特征在于,所述处理单元还用于:The device according to any one of claims 25 to 30, wherein the processing unit is further configured to:
    将第二行为记录到所述智能合约中;Record the second behavior in the smart contract;
    其中,所述第二行为用于记录所述访问设备向所述区块链获取用户数据申请的行为;所述第二行为中包括所述区块链对所述访问设备进行验证的结果。Wherein, the second behavior is used to record the behavior of the access device to obtain user data application from the blockchain; the second behavior includes the result of verification of the access device by the blockchain.
  32. 一种访问行为的记录装置,其特征在于,包括:处理单元和通信单元;An access behavior recording device, which is characterized by comprising: a processing unit and a communication unit;
    所述处理单元,用于从云平台中获取加密后的用户数据以及智能合约中第一行为在区块链中的地址,所述第一行为用于记录数据记录网元通过所述区块链将第一密钥存储到数据库的行为;The processing unit is configured to obtain encrypted user data and the address of the first behavior in the smart contract in the blockchain from the cloud platform, and the first behavior is used to record the data recording network element through the blockchain The act of storing the first key in the database;
    所述通信单元,用于向区块链发送获取用户数据申请,所述获取用户数据申请中携带所述第一行为的地址和加密后的用户数据块,所述用户数据块是所述用户数据的全部或部分;在通过所述区块链对所述访问设备身份的验证后,接收来自所述区块链的所述用户数据块。The communication unit is configured to send an application for obtaining user data to the blockchain, and the application for obtaining user data carries the address of the first action and an encrypted user data block, and the user data block is the user data All or part of; after the identity of the access device is verified by the blockchain, the user data block from the blockchain is received.
  33. 如权利要求32所述的装置,其特征在于,所述通信单元具体用于:The device according to claim 32, wherein the communication unit is specifically configured to:
    接收来自所述区块链的添加水印标记的所述用户数据块。Receiving the watermarked user data block from the blockchain.
  34. 如权利要求32或33所述的装置,其特征在于,所述通信单元具体用于:The device according to claim 32 or 33, wherein the communication unit is specifically configured to:
    在通过所述区块链中不小于阈值数量的节点的验证后,接收来自所述区块链的所述用户数据块。After passing verification of no less than a threshold number of nodes in the blockchain, receiving the user data block from the blockchain.
  35. 一种访问行为的记录装置,其特征在于,包括:处理单元和通信单元;An access behavior recording device, which is characterized by comprising: a processing unit and a communication unit;
    所述处理单元,用于从云平台获取用户数据以及用户数据ID;The processing unit is used to obtain user data and user data ID from a cloud platform;
    所述通信单元,用于向区块链发送第二申请,所述第二申请用于请求通过客户端阅读 所述用户数据;The communication unit is configured to send a second application to the blockchain, where the second application is used to request to read the user data through the client;
    接收来自区块链发送的第一序列号;Receive the first serial number sent from the blockchain;
    所述处理单元,用于将所述第一序列号输入所述客户端;The processing unit is configured to input the first serial number into the client;
    在所述客户端根据所述第一序列号确定有权打开所述用户数据后,阅读所述客户端打开的所述用户数据。After the client determines that it has the right to open the user data according to the first serial number, read the user data opened by the client.
  36. 如权利要求35所述的装置,其特征在于,所述处理单元之前还用于:The device according to claim 35, wherein the processing unit was previously used for:
    安装所述客户端;Install the client;
    所述通信单元还用于:The communication unit is also used for:
    通过区块链向授权服务器发送第一申请,所述第一申请用于授予所述客户端打开所述用户数据的权限;Sending a first application to the authorization server through the blockchain, where the first application is used to grant the client the right to open the user data;
    通过区块链接收来自所述授权服务器的第一随机数,所述第一随机数用于生成第二序列号,所述第二序列号用于验证所述客户端是否有权打开所述用户数据。Receive a first random number from the authorization server through the blockchain, the first random number is used to generate a second serial number, and the second serial number is used to verify whether the client has the right to open the user data.
  37. 如权利要求36所述的装置,其特征在于,所述处理单元还用于:The device according to claim 36, wherein the processing unit is further configured to:
    将所述第一随机数提供给所述客户端以生成第一随机数生成器;Providing the first random number to the client to generate a first random number generator;
    所述第二序列号是所述客户端将所述第二申请的时间、所述用户数据ID、或所述客户端的标识ID中的一项或多项输入所述第一随机数生成器后生成的。The second serial number is after the client enters one or more of the time of the second application, the user data ID, or the identification ID of the client into the first random number generator Generated.
  38. 如权利要求37所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 37, wherein the processing unit is specifically configured to:
    在所述客户端确定生成的第二序列号与所述第一序号相同后,阅读所述客户端打开的所述用户数据。After the client determines that the generated second serial number is the same as the first serial number, read the user data opened by the client.
  39. 一种访问行为的记录装置,其特征在于,包括:处理单元和通信单元;An access behavior recording device, which is characterized by comprising: a processing unit and a communication unit;
    所述处理单元,用于使用第一密钥对用户数据进行加密;通过区块链将所述第一密钥存储到数据库中;The processing unit is configured to use a first key to encrypt user data; store the first key in a database through a blockchain;
    所述通信单元,用于接收所述区块链反馈的智能合约中第一行为的地址,所述第一行为用于记录所述数据记录网元通过所述区块链将所述第一密钥存储到所述数据库的行为;The communication unit is configured to receive the address of the first behavior in the smart contract fed back by the blockchain, and the first behavior is used to record that the data recording network element transfers the first secret through the blockchain The act of storing the key in the database;
    所述处理单元,用于将所述加密后的用户数据以及所述第一行为的地址存储到云平台中。The processing unit is configured to store the encrypted user data and the address of the first behavior in a cloud platform.
  40. 如权利要求39所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 39, wherein the processing unit is specifically configured to:
    确定第二密钥;使用第二密钥对所述第一密钥进行加密,得到第一加密信息,并将所述第一加密信息通过所述区块链存储到所述数据库中。Determine the second key; use the second key to encrypt the first key to obtain first encrypted information, and store the first encrypted information in the database through the blockchain.
  41. 一种访问行为的记录装置,其特征在于,包括:至少一个处理器;其中,所述至少一个处理器用于与存储器耦合,并读取所述存储器中存储的计算机指令,根据所述计算机指令执行如权利要求1~4中任一所述的方法步骤;或执行如权利要求5~11中任一所述的方法步骤;或执行如权利要求12~14中任一所述的方法步骤;或执行如权利要求15~18中任一所述的方法步骤;或执行如权利要求19~20中任一所述的方法步骤。An access behavior recording device, which is characterized by comprising: at least one processor; wherein the at least one processor is used to couple with a memory, read computer instructions stored in the memory, and execute according to the computer instructions The method step according to any one of claims 1 to 4; or the method step according to any one of claims 5 to 11; or the method step according to any one of claims 12 to 14; or Perform the method steps according to any one of claims 15-18; or perform the method steps according to any one of claims 19-20.
  42. 一种访问行为的记录装置,其特征在于,用于执行1~4中任一所述的方法;或用于执行5~11中任一所述的方法;或用于执行12~14中任一所述的方法;或用于执行15~18中任一所述的方法;或用于执行19~20中任一所述的方法。A recording device for access behavior, characterized in that it is used to perform any of the methods described in 1 to 4; or used to perform any of the methods described in 5 to 11; or used to perform any of 12 to 14 The method described in 1; or used to perform the method described in any one of 15-18; or used to perform the method described in any one of 19-20.
  43. 一种访问行为的记录系统,其特征在于,包括如权利要求21-24中任一项所述的装置和25-31中任一项所述的装置。A recording system for access behavior, characterized in that it comprises the device according to any one of claims 21-24 and the device according to any one of claims 25-31.
  44. 一种访问行为的记录系统,其特征在于,包括如权利要求32-34或35-38或39-40 中任意一项所述的装置。An access behavior recording system, characterized in that it comprises the device according to any one of claims 32-34 or 35-38 or 39-40.
  45. 一种计算机可读存储介质,其特征在于,包括计算机指令,当所述计算机指令在计算机上运行时,使得计算机执行如权利要求1~4中任一所述的方法步骤;或执行如权利要求5~11中任一所述的方法步骤;或执行如权利要求12~14中任一所述的方法步骤;或执行如权利要求15~18中任一所述的方法步骤;或执行如权利要求19~20中任一所述的方法步骤。A computer-readable storage medium, characterized by comprising computer instructions, when the computer instructions run on a computer, cause the computer to execute the method steps according to any one of claims 1 to 4; or execute as claimed The method step according to any one of 5 to 11; or the method step according to any one of claims 12 to 14; or the method step according to any one of claims 15 to 18; or the method step according to any one of claims 15-18; or The method steps described in any of 19-20 are required.
  46. 一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机指令,当所述计算机指令在计算机上执行时,使得计算机执行如权利要求1~4中任一所述的方法步骤;或执行如权利要求5~11中任一所述的方法步骤;或执行如权利要求12~14中任一所述的方法步骤;或执行如权利要求15~18中任一所述的方法步骤;或执行如权利要求19~20中任一所述的方法步骤。A computer program product, characterized in that the computer program product includes computer instructions, when the computer instructions are executed on a computer, the computer is caused to execute the method steps according to any one of claims 1 to 4; or The method step according to any one of claims 5-11; or the method step according to any one of claims 12-14; or the method step according to any one of claims 15-18; or Perform the method steps according to any one of claims 19-20.
PCT/CN2021/077955 2020-02-29 2021-02-25 Method and apparatus for recording access behavior WO2021170049A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010131927.4 2020-02-29
CN202010131927.4A CN113328979B (en) 2020-02-29 2020-02-29 Method and device for recording access behaviors

Publications (1)

Publication Number Publication Date
WO2021170049A1 true WO2021170049A1 (en) 2021-09-02

Family

ID=77413166

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/077955 WO2021170049A1 (en) 2020-02-29 2021-02-25 Method and apparatus for recording access behavior

Country Status (2)

Country Link
CN (1) CN113328979B (en)
WO (1) WO2021170049A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500119A (en) * 2022-04-15 2022-05-13 恒生电子股份有限公司 Block chain service calling method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117708863B (en) * 2024-02-05 2024-04-19 四川集鲜数智供应链科技有限公司 Equipment data encryption processing method based on Internet of things

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483446A (en) * 2017-08-23 2017-12-15 上海点融信息科技有限责任公司 Encryption method, equipment and system for block chain
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
CN108985011A (en) * 2018-07-23 2018-12-11 北京聚道科技有限公司 A kind of genomic data management method and system based on block chain technology
JP2019009767A (en) * 2018-03-01 2019-01-17 株式会社エヌ・ティ・ティ・データ Information processing device
CN109951498A (en) * 2019-04-18 2019-06-28 中央财经大学 A kind of block chain access control method and device based on ciphertext policy ABE encryption

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6302592B2 (en) * 2017-06-23 2018-03-28 株式会社エヌ・ティ・ティ・データ Information processing apparatus, information processing method, and program
CN107480555B (en) * 2017-08-01 2020-03-13 中国联合网络通信集团有限公司 Database access authority control method and device based on block chain
CN108959911A (en) * 2018-06-14 2018-12-07 联动优势科技有限公司 A kind of key chain generates, verification method and its device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483446A (en) * 2017-08-23 2017-12-15 上海点融信息科技有限责任公司 Encryption method, equipment and system for block chain
CN108462568A (en) * 2018-02-11 2018-08-28 西安电子科技大学 A kind of secure file storage and sharing method based on block chain
JP2019009767A (en) * 2018-03-01 2019-01-17 株式会社エヌ・ティ・ティ・データ Information processing device
CN108985011A (en) * 2018-07-23 2018-12-11 北京聚道科技有限公司 A kind of genomic data management method and system based on block chain technology
CN109951498A (en) * 2019-04-18 2019-06-28 中央财经大学 A kind of block chain access control method and device based on ciphertext policy ABE encryption

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500119A (en) * 2022-04-15 2022-05-13 恒生电子股份有限公司 Block chain service calling method and device
CN114500119B (en) * 2022-04-15 2022-08-26 恒生电子股份有限公司 Method and device for calling block chain service

Also Published As

Publication number Publication date
CN113328979B (en) 2022-07-19
CN113328979A (en) 2021-08-31

Similar Documents

Publication Publication Date Title
CN111783075B (en) Authority management method, device and medium based on secret key and electronic equipment
US10389728B2 (en) Multi-level security enforcement utilizing data typing
US20220114249A1 (en) Systems and methods for secure and fast machine learning inference in a trusted execution environment
CN113849847B (en) Method, apparatus and medium for encrypting and decrypting sensitive data
CN109981287B (en) Code signing method and storage medium thereof
CN112235301B (en) Access right verification method and device and electronic equipment
WO2021170049A1 (en) Method and apparatus for recording access behavior
CN112532656B (en) Block chain-based data encryption and decryption method and device and related equipment
CN113826352A (en) Cryptographic key coordination between trusted containers in a multi-node cluster
CN114448648B (en) Sensitive credential management method and system based on RPA
CN113726733B (en) Encryption intelligent contract privacy protection method based on trusted execution environment
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN113329003B (en) Access control method, user equipment and system for Internet of things
CN113676330B (en) Digital certificate application system and method based on secondary secret key
CN113676446B (en) Communication network safety error-proof control method, system, electronic equipment and medium
CN112995140B (en) Safety management system and method
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
CN113132097B (en) Lightweight certificateless cross-domain authentication method, system and application suitable for Internet of things
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN114928617B (en) Private network subscription data management method, device, equipment and medium
US20240048532A1 (en) Data exchange protection and governance system
US20240048361A1 (en) Key Management for Cryptography-as-a-service and Data Governance Systems
KR102162108B1 (en) Lw_pki system for nfv environment and communication method using the same
US20240048380A1 (en) Cryptography-as-a-Service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21759957

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21759957

Country of ref document: EP

Kind code of ref document: A1