WO2022237600A1 - Information proxy method and apparatus - Google Patents

Information proxy method and apparatus

Info

Publication number
WO2022237600A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
encrypted information
encrypted
communication operator
key
Application number
PCT/CN2022/090578
Inventor
刘佳伟
林立
金戈
沈陈侃
邱俊凯
Original Assignee
支付宝(杭州)信息技术有限公司
蚂蚁区块链科技(上海)有限公司
Application filed by 支付宝(杭州)信息技术有限公司, 蚂蚁区块链科技(上海)有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0471: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying encryption by an intermediary, e.g. receiving clear information at the intermediary and encrypting the received information at the intermediary before forwarding
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/56: Provisioning of proxy services

Definitions

  • One or more implementations in this specification relate to the field of network communications, and in particular, to an information agent method and device.
  • the information agency service platform forwards the information sent by the information sender to the service system of the information operator designated by the information sender, and then the information operator sends the above information to the information receiver.
  • the content of the information sent by the information sender may be known by the information agent, thus causing information security issues.
  • one or more embodiments of this specification provide an information agent method, which is applied to an information agent service platform, wherein the information agent service platform is communicatively connected to the computing device of the information sender and to the service system of the communication operator, respectively; the method includes: receiving the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is the target information ciphertext obtained by encrypting the plaintext of the target information based on the first public key of the information sender, and the authorization key is generated by a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator; performing cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is the target information ciphertext obtained by encrypting the plaintext of the target information based on the second public key of the communication operator; sending the second encrypted information to the service system of the communication operator, so that the service system of the communication operator is based
  • a smart contract for performing cryptographic operations is deployed in the block chain network corresponding to the information agency service platform;
  • performing cryptographic operations on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information includes: calling the cryptographic operation logic contained in the contract code of the smart contract, performing cryptographic operations on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information, and storing the generated second encrypted information in the blockchain;
  • sending the second encrypted information to the service system of the communication operator includes: acquiring the second encrypted information stored in the blockchain, and further sending the second encrypted information to the service system of the communication operator.
  • receiving the first encrypted information and the authorization key sent by the computing device of the information sender includes: receiving the first encrypted information and the authorization key sent separately by the computing device of the information sender.
  • the first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender; before performing cryptographic operations on the authorization key and the first encrypted information, the method further includes: verifying the digital signatures of the authorization key and the first encrypted information based on the private key of the information sender; if the verification is passed, further performing the step of performing a cryptographic operation on the authorization key and the first encrypted information.
  • the service system of the communication operator includes the computing device of the communication channel party connected to the information agency service platform, and the core equipment of the above-mentioned communication operator;
  • the second public key of the communication operator includes the public key corresponding to the communication channel party;
  • further sending the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sending the plaintext data of the target information to the core equipment of the communication operator, so that the core equipment of the communication operator further sends the plaintext of the target information to the information receiver designated by the information sender.
  • performing cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information includes: performing, in the trusted execution environment carried by the information agent service platform, cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information; calling, in the trusted execution environment carried by the node device in the blockchain, the cryptographic operation logic contained in the contract code of the smart contract to perform cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information.
  • the performing of cryptographic operations on the basis of the first private key corresponding to the first public key and the second public key of the communication operator to generate the authorization key includes: based on a proxy re-encryption algorithm, performing cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information.
  • the target information includes SMS short messages.
  • this specification also provides an information agent device, which is applied to an information agent service platform, wherein, the information agent service platform communicates with the computing device of the information sender and the service system of the communication operator respectively;
  • the device includes: a receiving unit, which receives the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is the target information ciphertext obtained by encrypting the plaintext of the target information based on the first public key of the information sender;
  • the authorization key is generated through cryptographic operations based on the first private key corresponding to the first public key and the second public key of the communication operator;
  • a calculation unit, which performs cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information; wherein the second encrypted information is the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key of the communication operator;
  • a sending unit, which sends the second encrypted information to the service system of the communication operator
  • a smart contract for performing cryptographic operations is deployed in the blockchain network corresponding to the information agency service platform; the computing unit is further used to: call the cryptographic operation logic contained in the contract code of the smart contract to perform cryptographic operations on the authorization key and the first encrypted information, generate second encrypted information corresponding to the first encrypted information, and store the generated second encrypted information in the blockchain; the sending unit is further configured to: obtain the second encrypted information stored in the blockchain, and further send the second encrypted information to the service system of the communication operator.
  • receiving the first encrypted information and the authorization key sent by the computing device of the information sender includes: receiving the first encrypted information and the authorization key sent separately by the computing device of the information sender.
  • the first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender;
  • the device also includes a verification unit, which, before cryptographic operations are performed on the authorization key and the first encrypted information, verifies the digital signatures of the authorization key and the first encrypted information based on the private key of the information sender; if the verification is passed, the step of performing cryptographic operations on the authorization key and the first encrypted information is further performed.
  • the service system of the communication operator includes the computing device of the communication channel party connected to the information agency service platform, and the core equipment of the above-mentioned communication operator;
  • the second public key of the communication operator includes the public key corresponding to the communication channel party;
  • further sending the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sending the plaintext data of the target information to the core equipment of the communication operator, so that the core equipment of the communication operator further sends the plaintext of the target information to the information receiver designated by the information sender.
  • performing cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information includes: performing, in the trusted execution environment carried by the information agent service platform, cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information; calling, in the trusted execution environment carried by the node device in the blockchain, the cryptographic operation logic contained in the contract code of the smart contract to perform cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information.
  • the computing unit is further configured to: perform cryptographic operations on the authorization key and the first encrypted information based on a proxy re-encryption algorithm to generate the second encrypted information corresponding to the first encrypted information.
  • the target information includes SMS short messages.
  • this specification also provides a computer device, including: a memory and a processor; a computer program that can be run by the processor is stored in the memory; when the processor runs the computer program, it executes the information agent method executed by the information agent service platform.
  • the information agent service platform can, without knowing the plaintext of the target information, perform cryptographic operations on the target information ciphertext obtained by encrypting the plaintext of the target information based on the first public key of the information sender, and on the authorization key generated by cryptographic operations based on the first private key corresponding to the first public key and the second public key of the communication operator, to generate the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key of the communication operator, so that the communication operator can decrypt the second encrypted information to obtain the plaintext of the target information, effectively reducing the risk of user information leakage.
  • Fig. 1a, Fig. 1b, and Fig. 1c are respectively schematic diagrams of the application environment of the information agent method provided by an exemplary embodiment.
  • Fig. 2 is a schematic diagram of creating and invoking smart contracts in the blockchain provided by an exemplary embodiment.
  • Fig. 3 is a flowchart of an information brokering method applied to a computing device of an information sender, a platform system of an information broker and a service system of a communication operator provided by an exemplary embodiment.
  • Fig. 4 is a schematic diagram of an information agent device applied to an information agent service platform provided by an exemplary embodiment.
  • FIG. 5 is a hardware structural diagram for running the implementation of the information agent device provided in this specification.
  • the steps of the corresponding methods may not necessarily be performed in the order shown and described in this specification.
  • the method may include more or fewer steps than those described in this specification.
  • a single step described in this specification may be decomposed into multiple steps for description in other embodiments; multiple steps described in this specification may also be combined into a single step for description in other embodiments.
  • the communication operator service system may include a computer system that provides services for direct communication between users, for example, a computer system carried by communication service operators such as China Telecom, China Mobile, and China Unicom.
  • a large number of commercial users often need to request the service system of the communication operator to send a large amount of notification information, such as commercial promotion information, business verification code information, etc., to its customer groups.
  • an information agency service platform can be set up to integrate the information requirements of different commercial clients, and to reserve the amount of information from the communication operator at a lower communication rate; and compared
  • the communication service operator only needs to set up a communication coupling relationship with the information agency service platform to process the information requests of different business users, which also reduces the communication connection cost of the communication service operator.
  • the information agency service platform forwards the information sent by the information sender to the service system of the information operator, and then the information operator sends the above information to the recipient of the information.
  • the content of the information sent by the information sender may be known by the information agent, thus causing information security issues.
  • one or more embodiments of this specification provide an information proxy method, which provides information proxy services for the information sender under the condition that the information proxy service platform does not know the plain text of the target information provided by the information sender.
  • Fig. 1a, Fig. 1b and Fig. 1c respectively illustrate the schematic diagrams of the application environment of the information agent method implemented in an exemplary embodiment provided in this specification.
  • the information agent service platform communicates with the computing device of the information sender and the service system of the communication operator respectively.
  • the information agency service platform provides information agency services for the above-mentioned information senders and communication operators.
  • the above-mentioned information agent platform may include one or more service devices, and deploy cryptographic operation logic in the above-mentioned one or more service devices to provide information agent services for the computing device of the sender and the service system of the communication operator (as shown in Fig. 1a); in yet another illustrated embodiment, the above-mentioned information agent service platform can be docked with the blockchain network (as shown in Fig. 1b), or the above-mentioned information agent service platform is deployed as a decentralized blockchain (as shown in Fig. 1c), and cryptographic operation logic is deployed in the form of smart contracts in the blockchain network to provide information agency services for the sender's computing device and the communication operator's service system.
  • the block chain or block chain network described in one or more embodiments of this specification can specifically refer to a P2P network system with a distributed data storage structure achieved by each node device through a consensus mechanism.
  • the ledger data is distributed in "blocks" that are connected in time.
  • the latter block can contain the data summary of the previous block, and full data backup of all or part of the nodes is achieved according to the specific consensus mechanism (such as POW, POS, DPOS or PBFT, etc.).
  • Each blockchain node can be implemented in a server or server cluster. Server clusters can be load balanced. Each blockchain node may correspond to one or more physical hardware devices or virtual devices coupled together via various types of communication methods such as TCP/IP. According to classification, blockchain nodes can also be called full nodes, Geth nodes, consensus nodes, etc.
  • the blockchain may also include light nodes.
  • Light nodes may not be able to download the full blockchain, but can only download block headers to verify the authenticity of blockchain transactions.
  • Light nodes can be served by full nodes (e.g., blockchain nodes in a blockchain network) and effectively rely on full nodes to access more functionality of the blockchain.
  • Light nodes can be implemented in electronic devices such as laptops, mobile phones, etc. by installing appropriate software.
  • Blockchains are generally divided into three types: Public Blockchain, Private Blockchain and Consortium Blockchain.
  • the computing device can construct the data into a standard transaction format supported by the blockchain, and then publish it to the blockchain; the node devices in the blockchain will perform consensus processing on the received transaction, and after reaching a consensus, the node device acting as the bookkeeping node in the blockchain packs this transaction into a block and performs persistent storage in the blockchain.
  • the accounting node can package the received transaction to generate the latest block, and send the generated latest block to other node devices for consensus verification. If other node devices receive the latest block and verify that there is no problem, the latest block can be appended to the end of the original blockchain to complete the accounting process of the blockchain. In the process of verifying the new block sent by the bookkeeping node, other nodes can also execute the transactions contained in the block.
  • the balances of the transfer-out account and transfer-in account related to the "transfer transaction" usually also change accordingly.
  • the "smart contract call transaction" in the block is used to call the smart contract deployed on the blockchain; the above smart contract is called in the EVM corresponding to the node device to execute the above "smart contract call transaction", and after the above smart contract call transaction is executed, the account status of the smart contract account is updated.
  • Smart contracts on the blockchain are contracts that can be triggered by transactions on the blockchain. Smart contracts can be defined in the form of code.
  • EVM: Ethereum Virtual Machine
  • bytecode: virtual machine code
  • The schematic diagram of creating a smart contract and calling a smart contract is shown in Fig. 2.
  • Calling a smart contract in the blockchain is to initiate a transaction pointing to the address of the smart contract.
  • the EVM of each node can execute the transaction separately, and the smart contract code is distributed and run in the virtual machine of each node in the Ethereum network.
  • each node can execute the transaction in the EVM.
  • the From field of the transaction is used to record the address of the account that initiated the call to the smart contract
  • the To field is used to record the address of the called smart contract
  • the Data field of the transaction is used to record the method and parameters of the called smart contract.
  • the account status of the contract account may change.
  • a client can view the account status of the contract account through the connected blockchain node.
  • the above account status can be stored in the Storage tree of the smart contract in the form of Key-Value pairs.
  • the execution result of the transaction calling the smart contract can be stored in the MPT receipt tree in the form of a transaction receipt (receipt).
  • Smart contracts can be independently executed on each node in the blockchain in a prescribed manner, and all execution records and data are stored on the blockchain, so when such a transaction is executed, a transaction certificate that cannot be tampered with and will not be lost is stored on the blockchain.
  • the event mechanism of smart contracts is a way for smart contracts to interact with entities outside the chain.
  • for smart contracts deployed on the blockchain, it is usually impossible to directly interact with entities outside the chain; for example, after the smart contract is called, it usually cannot send the call result of the smart contract point-to-point to the call initiator of the smart contract.
  • the call results (including intermediate results and final call results) generated during the call of the smart contract are usually recorded in the transaction logs of the transaction that called the smart contract in the form of events.
  • An off-chain entity that needs to interact with a smart contract can obtain the invocation result of the smart contract by listening to the above-mentioned transaction log stored in the storage space of the node device; for example, the transaction log will eventually be stored in the MPT receipt tree described above as part of the receipt for that transaction.
  • the off-chain entity that interacts with the smart contract can monitor the transaction receipts on the MPT receipt tree stored in the storage space of the node device, and obtain the events generated by the smart contract from the monitored transaction receipts.
  • Fig. 3 shows a flow chart of an information proxy method provided by an exemplary embodiment, which may include: Step 302, the computing device of the information sender encrypts the plaintext of the target information based on its own first public key to generate first encrypted information.
  • Step 304, the computing device of the information sender performs cryptographic operations based on the second public key of the communication operator used to send the plaintext of the target information and the second private key corresponding to the above-mentioned first public key, and generates a key for the target information.
  • the information sender can select one or more of the communication operator service systems to send the target information in plain text.
  • This embodiment does not limit the specific manner in which the computing device of the information sender acquires the second public key of the communication operator.
  • the information agency service platform can provide multiple alternative communication operators for the information sender, and send the corresponding public keys of the above alternative communication operators to the computing device of the information sender; in response to the selection operation of the information sender's user, the information agency service platform can generate an authorization key for the selected communication operator based on the second public key of the selected communication operator and its own second private key corresponding to the above-mentioned first public key.
  • these communication operators may transmit their own second public keys to the information sender.
  • Step 306 the computing device of the information sender sends the first encrypted information and the authorization key to the information agency service platform.
  • the computing device of the information sender may send the above-mentioned first encrypted information and authorization key respectively.
  • Step 308, the information agency service platform performs cryptographic operations on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information; wherein the second encrypted information is the target information ciphertext obtained by encrypting the target information plaintext with the second public key of the communication operator.
  • the information proxy service platform can use a proxy re-encryption algorithm to perform cryptographic operations on the authorization key and the first encrypted information, thereby generating a second public key based on the communication operator.
  • Step 310 the information agency service platform sends the second encrypted information to the service system of the communication operator.
  • Step 312, the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the plaintext of the target information, and further sends the plaintext of the target information to the information receiver corresponding to the plaintext of the target information.
  • the plaintext of the target information is converted into second encrypted information that can be decrypted by the communication operator, so that after decrypting the second encrypted information, the service system of the communication operator sends the above-mentioned target information in plain text to the corresponding user; thus, the communication operator does not need to meet the different information needs of a large number of information senders, but only needs to connect with the information agency service platform for communication processing, which reduces communication connection costs for communication service operators.
  • when the above-mentioned information agent service platform is set as a centralized service device (as shown in Fig. 1a), the above-mentioned information agent service platform can call the cryptographic operation logic deployed locally, and perform a cryptographic operation on the above-mentioned authorization key and the above-mentioned first encrypted information to generate second encrypted information corresponding to the first encrypted information.
  • the information agency service platform communicates end-to-end with the service system of the information operator to send the second encrypted information to the service system of the information operator.
  • the above-mentioned information agency service platform can carry a trusted execution environment (TEE), and perform cryptographic operations on the authorization key and the first encrypted information in the carried trusted execution environment, and generate a key corresponding to the first encrypted information.
  • TEE trusted execution environment
  • the second encrypted information thereby further increasing the security of the above cryptographic operation process and results.
  • The specific process of generating the second encrypted information corresponding to the first encrypted information may include: calling the cryptographic operation logic contained in the contract code of the smart contract, performing a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information, and storing the generated second encrypted information in the blockchain.
  • Sending the second encrypted information to the service system of the communication operator includes: obtaining the second encrypted information stored in the blockchain, and further sending the second encrypted information to the service system of the communication operator.
  • The blockchain node device can also be equipped with a trusted execution environment (TEE). In the trusted execution environment carried by the node device in the blockchain, the cryptographic operation logic contained in the contract code of the smart contract is called to perform a cryptographic operation on the authorization key and the first encrypted information and generate second encrypted information corresponding to the first encrypted information.
  • The information agency service platform can construct a smart contract call transaction based on the first encrypted information and the authorization key, or the information sender can directly construct a smart contract call transaction based on the first encrypted information and the authorization key. The smart contract call transaction is sent to the corresponding blockchain network, so that the node devices of the blockchain network, in response to the call transaction, call the cryptographic operation logic declared by the smart contract, perform the cryptographic operation based on the authorization key and the first encrypted information, and generate and store in the blockchain the second encrypted information corresponding to the first encrypted information.
  • The second encrypted information can be saved in the form of an event (Event) in the transaction log corresponding to the smart contract call transaction, so that the information agent service platform can obtain the execution result of the smart contract call transaction, that is, the second encrypted information, from the blockchain it is connected to.
  • Docking between the information agency service platform and the blockchain network may include a communication coupling between the information agency service platform and the above-mentioned BaaS terminal; the information agency service platform can subscribe, at the BaaS terminal, to the execution result of the smart contract call transaction, so as to obtain the second encrypted information from the BaaS terminal.
  • Docking between the information agent service platform and the blockchain network may also include the information agent service platform docking with any node device in the blockchain network; the information agent service platform can subscribe, at the node device connected to it, to the execution result of the smart contract call transaction, so as to obtain the second encrypted information from that node device.
  • The information agency service platform may send the second encrypted information to the service system of the information operator by means of end-to-end communication.
  • The second encrypted information is the call execution result of the smart contract deployed on the blockchain: the node devices of the blockchain perform, in a decentralized manner, the cryptographic operation based on the first encrypted information and the authorization key to generate the second encrypted information. Based on the anti-tampering mechanism of the blockchain and the decentralized operation mechanism of the smart contract, the data security of the first encrypted information and the authorization key is ensured, thereby further improving the security and credibility of the second encrypted information.
  • The information agency service platform may be deployed as a blockchain network in a decentralized manner, that is, the information agency service platform includes multiple node devices in the blockchain network, or the information agency service platform serves as one node device in the blockchain network. In that case, smart contracts for cryptographic operations can be deployed in the blockchain network.
  • The computing equipment of the information sender and the service system of the communication operator are both connected to the blockchain network.
  • The computing device of the information sender can construct a smart contract call transaction based on the first encrypted information and the authorization key, and send the smart contract call transaction to the blockchain network connected to it, so that a node device of the blockchain network invokes the cryptographic operation logic declared by the smart contract and performs the cryptographic operation based on the authorization key and the first encrypted information to obtain the second encrypted information corresponding to the first encrypted information.
  • The second encrypted information can be saved, in the form of an event, in the transaction log corresponding to the smart contract call transaction. The blockchain node device that is connected to the service equipment of the communication operator and specified by the communication operator can be equipped with an SDK program that pushes the blockchain events subscribed to by the communication operator to the service equipment of the communication operator, so that the service system of the communication operator can receive information from the blockchain connected to it.
  • The computing device of the information sender directly sends the first encrypted information and the authorization key to the blockchain in the form of parameters contained in the smart contract call transaction.
  • After obtaining the first encrypted information and the authorization key, the proxy service platform sends the smart contract call transaction to the blockchain network, which further improves the credibility of the first encrypted information and the authorization key.
  • The service system of the communication operator directly obtains the second encrypted information from the blockchain network connected to it. The second encrypted information is sent to the service system of the communication operator by means of end-to-end communication, which further improves the security and credibility of the second encrypted information.
  • In order to further determine whether the identity of the information sender is legitimate, the first encrypted information and the authorization key are digitally signed based on the private key of the information sender. Before the information agency service platform performs the cryptographic operation on the authorization key and the first encrypted information, the method also includes: verifying the digital signature of the authorization key and the first encrypted information based on the private key of the information sender; if the verification passes, further performing the step of performing the cryptographic operation on the authorization key and the first encrypted information.
  • The service system of the communication operator includes, in addition to the core equipment of the communication operator, at least one computing device of a communication channel party connected to the information agency service platform; the second public key of the communication operator includes the public key corresponding to the communication channel party.
  • The decryption of the second encrypted information by the service system of the communication operator, based on the second private key corresponding to the second public key, is actually performed by the computing device of the communication channel party, which decrypts the second encrypted information with the second private key corresponding to the second public key and obtains the target information plaintext.
  • The further sending of the plaintext data of the target information to the information receiver designated by the information sender in step 312 above includes: the computing device of the communication channel party sends the plaintext data of the target information to the core device of the communication operator, so that the core device of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
  • The information sender can send the second public key corresponding to the selected target channel party to the information agency service platform, so that the information agency service platform, based on the second public key, forwards the second encrypted information to the computing device of the target channel party corresponding to that second public key, and that computing device, within the service system of the communication operator, decrypts the second encrypted information based on the second private key it holds.
  • The information proxy service platform can, without knowing the target information plaintext, re-encrypt the first encrypted information, which contains the target information plaintext encrypted with the first public key, to generate the second encrypted information, which contains the target information plaintext encrypted with the second public key of the communication operator, so that the communication operator can decrypt the second encrypted information to obtain the target information plaintext, effectively preventing the risk of user information leakage.
  • The device 40 may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, as a device in the logical sense it is formed by the CPU (central processing unit) of the equipment where it is located reading the corresponding computer program instructions into memory. From the perspective of hardware, in addition to the CPU, internal memory, and storage shown in Figure 5, the equipment where the device is located usually includes other hardware such as chips for wireless signal transmission and reception, and/or boards for implementing network communication functions.
  • This specification provides an information agent device 40, which is applied to an information agent service platform, wherein the information agent service platform is communicatively connected to the computing device of the information sender and to the service system of the communication operator, respectively;
  • the apparatus 40 includes: a receiving unit 402, which receives the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is based on the first public key pair of the information sender.
  • the party's service system decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the plaintext of the target information, and further sends the plaintext of the target information to the recipient of the information.
  • A smart contract for performing cryptographic operations is deployed in the blockchain network corresponding to the information agency service platform; the computing unit 404 is further configured to: call the cryptographic operation logic included in the contract code of the smart contract, perform a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information, and store the generated second encrypted information in the blockchain; the sending unit 406 is further configured to: obtain the second encrypted information stored in the blockchain, and further send the encrypted information to the service system of the communication operator.
  • The receiving unit 402 is further configured to: receive the first encrypted information and the authorization key respectively sent by the computing device of the information sender.
  • The first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender;
  • The device 40 further includes a verification unit 408, which, before the cryptographic operation is performed on the authorization key and the first encrypted information, verifies the digital signature of the authorization key and the first encrypted information based on the private key of the information sender; if the verification passes, the calculation unit 404 further executes the step of performing the cryptographic operation on the authorization key and the first encrypted information.
  • The service system of the communication operator includes the computing device of the communication channel party connected to the information agency service platform, and the core equipment of the communication operator;
  • The second public key of the communication operator includes the public key corresponding to the communication channel party;
  • The further sending of the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sends the plaintext data of the target information to the core equipment of the communication operator, so that the core equipment of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
  • The calculation unit 404 is further configured to: perform a cryptographic operation on the authorization key and the first encrypted information in the trusted execution environment carried by the information agent service platform to generate the second encrypted information corresponding to the first encrypted information; or, in the trusted execution environment carried by the node device running in the blockchain, call the cryptographic operation logic contained in the contract code of the smart contract to perform a cryptographic operation on the authorization key and the first encrypted information and generate second encrypted information corresponding to the first encrypted information.
  • The calculation unit 404 is further configured to: based on a proxy re-encryption algorithm, perform a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
  • the target information includes SMS short messages.
  • The device implementations described above are only illustrative. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the units or modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those skilled in the art can understand and implement it without creative effort.
  • A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail device, game control device, desktop computer, tablet, wearable device, or any combination of these.
  • The implementation of this specification further provides a computer device. As shown in FIG. 5, the computer device includes a memory and a processor.
  • A computer program that can be run by the processor is stored in the memory; when the processor runs the stored computer program, it executes each step of the information agency method performed by the information agency service platform in the implementation of this specification.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in computer-readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of computer readable media.
  • Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can store information by any method or technology.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic tape cartridges, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
  • Computer-readable media exclude transitory computer-readable media, such as modulated data signals and carrier waves.
  • Embodiments of this specification may be provided as methods, systems or computer program products. Accordingly, the embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present specification may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present description provides an information proxy method and apparatus, applied to an information proxy service platform, comprising: receiving first encrypted information and an authorization key sent by a computing device of an information sender, wherein the first encrypted information is target information ciphertext obtained by encrypting target information plaintext on the basis of a first public key of the information sender, and the authorization key is generated on the basis of a first private key corresponding to the first public key and a second public key of a communication operator; and performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information, which is target information ciphertext obtained by encrypting plaintext data of the target information on the basis of the second public key corresponding to the communication operator, so that a service system of the communication operator decrypts the second encrypted information on the basis of a second private key corresponding to the second public key to obtain the target information plaintext, and further sends the target information plaintext to an information receiver.
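The flow in the abstract, as an added example that is not taken from the patent: the patent names no specific proxy re-encryption algorithm, so this sketch assumes a simplified single-hop, Umbral-style key encapsulation over secp256k1 in which the authorization key is derived from the first private key and the second public key. All function names are hypothetical, and the hash-based `seal`/`unseal` pair is an assumed stand-in for a real AEAD.

```python
"""Single-hop proxy re-encryption sketch: simplified Umbral-style KEM on secp256k1.
Illustration only: the pure-Python curve arithmetic is not constant time."""
import hashlib
import hmac
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def kdf(label, *points):
    return hashlib.sha256(label + b"".join(enc(p) for p in points)).digest()

def scalar(*points):
    """Hash points to a non-zero scalar modulo N."""
    return int.from_bytes(kdf(b"d", *points), "big") % (N - 1) + 1

def seal(shared, msg):
    """Assumed AEAD stand-in: SHAKE-256 keystream plus HMAC-SHA-256 tag."""
    ks = hashlib.shake_256(kdf(b"enc", shared)).digest(len(msg))
    body = bytes(m ^ k for m, k in zip(msg, ks))
    return body + hmac.new(kdf(b"mac", shared), body, hashlib.sha256).digest()

def unseal(shared, blob):
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(b"mac", shared), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    ks = hashlib.shake_256(kdf(b"enc", shared)).digest(len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def encrypt(pk1, plaintext):
    """Sender: first encrypted information, under the sender's first public key."""
    r = secrets.randbelow(N - 1) + 1
    return mul(r, G), seal(mul(r, pk1), plaintext)  # (capsule, body)

def authorization_key(sk1, pk2):
    """Sender: built from the first private key and the operator's second public key."""
    x = secrets.randbelow(N - 1) + 1
    big_x = mul(x, G)
    d = scalar(big_x, pk2, mul(x, pk2))        # secret shared with the operator only
    return sk1 * pow(d, -1, N) % N, big_x      # (rk, X)

def reencrypt(auth_key, first):
    """Platform: transforms the capsule only; it never derives the message key."""
    (rk, big_x), (capsule, body) = auth_key, first
    return mul(rk, capsule), big_x, body       # second encrypted information

def decrypt_second(sk2, pk2, second):
    """Operator: recovers the plaintext with the second private key."""
    capsule2, big_x, body = second
    d = scalar(big_x, pk2, mul(sk2, big_x))
    return unseal(mul(d, capsule2), body)

if __name__ == "__main__":
    sk1, pk1 = keygen()                        # information sender
    sk2, pk2 = keygen()                        # communication operator
    first = encrypt(pk1, b"constructed sample SMS: code 493021")
    second = reencrypt(authorization_key(sk1, pk2), first)
    print(decrypt_second(sk2, pk2, second))
```

In this construction the authorization key combined with the second private key yields the first private key, so the plaintext stays hidden from the platform only while the platform and the operator do not pool their keys.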

Description

Information agent method and device
Technical field
One or more implementations of this specification relate to the field of network communications, and in particular to an information agent method and device.
Background
In the information agency business, the information agency service platform forwards the information sent by the information sender to the service system of the information operator designated by the information sender, and the information operator then sends that information to the information receiver. In this communication mode, the content of the information sent by the information sender may become known to the information agent, which raises information security issues.
Summary of the invention
In view of this, one or more embodiments of this specification provide an information agent method, applied to an information agent service platform, wherein the information agent service platform is communicatively connected to the computing device of the information sender and to the service system of the communication operator, respectively. The method includes: receiving the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is the target information ciphertext obtained by encrypting the target information plaintext based on the first public key of the information sender, and the authorization key is generated by a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator; performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator; and sending the second encrypted information to the service system of the communication operator, so that the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, a smart contract for performing cryptographic operations is deployed in the blockchain network corresponding to the information agency service platform; performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information includes: calling the cryptographic operation logic contained in the contract code of the smart contract, performing a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information, and storing the generated second encrypted information in the blockchain; sending the second encrypted information to the service system of the communication operator includes: obtaining the second encrypted information stored in the blockchain, and further sending the encrypted information to the service system of the communication operator.
In yet another illustrated embodiment, receiving the first encrypted information and the authorization key sent by the computing device of the information sender includes: receiving the first encrypted information and the authorization key respectively sent by the computing device of the information sender.
In yet another illustrated embodiment, the first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender; before the cryptographic operation is performed on the authorization key and the first encrypted information, the method further includes: verifying the digital signature of the authorization key and the first encrypted information based on the private key of the information sender; if the verification passes, further performing the step of performing the cryptographic operation on the authorization key and the first encrypted information.
In yet another illustrated embodiment, the service system of the communication operator includes the computing device of the communication channel party connected to the information agency service platform, and the core equipment of the communication operator; the second public key of the communication operator includes the public key corresponding to the communication channel party; further sending the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sends the plaintext data of the target information to the core equipment of the communication operator, so that the core equipment of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information includes: in the trusted execution environment carried by the information agent service platform, performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information; or calling the cryptographic operation logic contained in the contract code of the smart contract in the trusted execution environment carried by the node device running in the blockchain, and performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, performing a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator to generate the authorization key includes: based on a proxy re-encryption algorithm, performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, the target information includes SMS short messages.
Correspondingly, this specification also provides an information agent device, applied to an information agent service platform, wherein the information agent service platform is communicatively connected to the computing device of the information sender and to the service system of the communication operator, respectively. The device includes: a receiving unit, which receives the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is the target information ciphertext obtained by encrypting the target information plaintext based on the first public key of the information sender, and the authorization key is generated by a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator; a computing unit, which performs a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator; and a sending unit, which sends the second encrypted information to the service system of the communication operator, so that the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, a smart contract for performing cryptographic operations is deployed in the blockchain network corresponding to the information proxy service platform. The computing unit is further configured to: invoke the cryptographic operation logic contained in the contract code of the smart contract, perform a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, and store the generated second encrypted information in the blockchain. The sending unit is further configured to: obtain the second encrypted information stored in the blockchain, and further send the encrypted information to the service system of the communication operator.
In yet another illustrated embodiment, receiving the first encrypted information and the authorization key sent by the computing device of the information sender includes: receiving the first encrypted information and the authorization key sent separately by the computing device of the information sender.
In yet another illustrated embodiment, the first encrypted information and the authorization key sent by the computing device of the information sender have been digitally signed based on the private key of the information sender. The apparatus further includes a verification unit that, before the cryptographic operation is performed on the authorization key and the first encrypted information, verifies the digital signatures of the authorization key and the first encrypted information based on the private key of the information sender; if the verification passes, the step of performing the cryptographic operation on the authorization key and the first encrypted information is then carried out.
In yet another illustrated embodiment, the service system of the communication operator includes a computing device of a communication channel party connected to the information proxy service platform, and the core equipment of the communication operator; the second public key of the communication operator includes the public key corresponding to the communication channel party; and further sending the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sends the plaintext data of the target information to the core equipment of the communication operator, so that the core equipment of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, performing the cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information includes: performing the cryptographic operation on the authorization key and the first encrypted information in a trusted execution environment carried by the information proxy service platform, to generate the second encrypted information corresponding to the first encrypted information; or invoking the cryptographic operation logic contained in the contract code of a smart contract that runs in a trusted execution environment carried by a node device in the blockchain, and performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, the computing unit is further configured to: perform the cryptographic operation on the authorization key and the first encrypted information based on a proxy re-encryption algorithm, to generate the second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, the target information includes an SMS short message.
Correspondingly, this specification also provides a computer device, including a memory and a processor; the memory stores a computer program that can be run by the processor; and when the processor runs the computer program, it performs the information proxy method performed by the information proxy service platform.
Based on the information proxy method, apparatus, computer device and computer-readable storage medium provided by the embodiments of this specification, the information proxy service platform can, without knowing the target information plaintext, perform a cryptographic operation on two inputs: the target information ciphertext obtained by encrypting the target information plaintext based on the first public key of the information sender, and the authorization key generated by a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator. The operation generates the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator, so that the communication operator can decrypt the second encrypted information to obtain the target information plaintext. This effectively guards against the risk of leaking users' information.
Description of the drawings
Fig. 1a, Fig. 1b and Fig. 1c are each schematic diagrams of the application environment of the information proxy method provided by an exemplary embodiment.
Fig. 2 is a schematic diagram of creating a smart contract and invoking a smart contract in a blockchain, provided by an exemplary embodiment.
Fig. 3 is a flowchart of an information proxy method, provided by an exemplary embodiment, applied to the computing device of an information sender, an information proxy platform system and a communication operator service system.
Fig. 4 is a schematic diagram of an information proxy apparatus, provided by an exemplary embodiment, applied to an information proxy service platform.
Fig. 5 is a hardware structure diagram for running an embodiment of the information proxy apparatus provided in this specification.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described below do not represent all embodiments consistent with one or more embodiments of this specification. Rather, they are merely examples of apparatuses and methods consistent with some aspects of one or more embodiments of this specification, as detailed in the appended claims.
It should be noted that, in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. In addition, a single step described in this specification may be split into multiple steps in other embodiments, and multiple steps described in this specification may be combined into a single step in other embodiments.
The communication operator service system may include a computer system that provides services for direct communication between users, for example a computer system operated by a communication service operator such as China Telecom, China Mobile or China Unicom. Large numbers of commercial users often need to ask the communication operator service system to send large volumes of notification-type information, such as commercial promotion information and service verification-code information, to their customers. To serve the differing information needs of this large number of commercial clients, an information proxy service platform can be set up to aggregate the information needs of the different commercial clients and reserve message quotas from the communication operator at a lower communication rate. Moreover, instead of establishing a separate communication coupling with each of a large number of commercial clients, the communication service operator only needs to establish a communication coupling with the information proxy service platform in order to process the information requests of the different commercial users, which also lowers the communication service operator's connection cost.
In a communication environment that includes the computing device of the information sender, the information proxy service platform and the communication operator service system, the information proxy service platform forwards the information sent by the information sender to the information operator service system, and the information operator then sends that information to the information receiver. In this mode of communication, the content of the information sent by the information sender may become known to the information proxy, which raises an information security problem.
In view of this, one or more embodiments of this specification provide an information proxy method that provides an information proxy service to the information sender under the condition that the information proxy service platform does not know the plaintext of the target information provided by the information sender. Fig. 1a, Fig. 1b and Fig. 1c each illustrate the application environment of the information proxy method implemented in an exemplary embodiment provided by this specification. The information proxy service platform is communicatively connected to the computing device of the information sender and to the service system of the communication operator, respectively. As an intermediary platform, the information proxy service platform provides the information proxy service for the information sender and the communication operator.
The information proxy platform may include one or more service devices, with cryptographic operation logic deployed in those service devices, to provide the information proxy service for the sender's computing device and the communication operator's service system (as shown in Fig. 1a). In yet another illustrated embodiment, the information proxy service platform may be connected to a blockchain network (as shown in Fig. 1b), or the information proxy service platform may be deployed in a decentralized manner as a blockchain (as shown in Fig. 1c), with the cryptographic operation logic deployed in the blockchain network in the form of a smart contract, to provide the information proxy service for the sender's computing device and the communication operator's service system.
The blockchain or blockchain network described in one or more embodiments of this specification may specifically refer to a P2P network system with a distributed data storage structure that is reached by the node devices through a consensus mechanism. The ledger data in the blockchain is distributed across "blocks" that are linked in time; a later block may contain a data digest of the previous block; and, depending on the specific consensus mechanism (such as POW, POS, DPOS or PBFT), a full backup of the data is achieved on all or some of the nodes.
Each blockchain node may be implemented in a server or a server cluster. A server cluster may use load balancing. Each blockchain node may correspond to one or more physical hardware devices or virtual devices coupled together via various types of communication methods such as TCP/IP. Depending on the classification, blockchain nodes may also be called full nodes, Geth nodes, consensus nodes and so on.
In some embodiments, the blockchain may also include light nodes. A light node may not be able to download the complete blockchain, but it can download only the block headers in order to verify the authenticity of blockchain transactions. Light nodes can be served by full nodes (for example, blockchain nodes in the blockchain network) and effectively rely on full nodes to access further functions of the blockchain. With appropriate software installed, a light node can be implemented in an electronic device such as a laptop or a mobile phone.
Blockchains are generally divided into three types: public blockchains (Public Blockchain), private blockchains (Private Blockchain) and consortium blockchains (Consortium Blockchain). Combinations of these types are also possible, such as private chain + consortium chain or consortium chain + public chain. It is expected that the embodiments provided in this specification can be implemented in a suitable type of blockchain.
A computing device can build data into the standard transaction format supported by the blockchain and then publish it to the blockchain. The node devices in the blockchain perform consensus processing on the received transaction, and once consensus is reached, the node device acting as the bookkeeping node packs the transaction into a block, where it is persistently stored as evidence in the blockchain.
Whichever consensus algorithm the blockchain uses, the bookkeeping node can pack the received transactions to generate the latest block and send the generated block to the other node devices for consensus verification. If the other node devices receive the latest block and verify that there is no problem with it, they can append it to the end of the existing blockchain, which completes the bookkeeping process of the blockchain. While verifying a new block sent by the bookkeeping node, the other nodes can also execute the transactions contained in that block.
It should be noted that each time the blockchain produces a latest block, the states corresponding to the executed transactions change once the transactions in that block have been executed. For example, in a blockchain built on an account model, the account state of an external account or a smart contract account usually changes accordingly as transactions are executed.
For example, after a "transfer transaction" in a block has been executed, the balances of the transferring account and the receiving account related to that transaction (that is, the values of the Balance field of these accounts) usually change as well.
As another example, a "smart contract invocation transaction" in a block is used to invoke a smart contract deployed on the blockchain: the smart contract is invoked in the EVM corresponding to the node device in order to execute the "smart contract invocation transaction", and the account state of the smart contract account after the transaction has been executed is updated in the account of that smart contract.
In practice, public chains, private chains and consortium chains may all provide smart contract functionality. A smart contract on a blockchain is a contract whose execution can be triggered by a transaction on the blockchain. A smart contract can be defined in the form of code.
For example, users are supported in creating and invoking complex logic in a blockchain network. As a programmable blockchain, its core is the Ethereum Virtual Machine (EVM), and every blockchain node can run the EVM. The EVM is a Turing-complete virtual machine through which all kinds of complex logic can be implemented. When users publish and invoke smart contracts in the blockchain, those contracts run on the EVM. In fact, what the EVM runs directly is virtual machine code (virtual machine bytecode, hereinafter "bytecode"), so a smart contract deployed on the blockchain can be bytecode.
A schematic diagram of creating and invoking a smart contract is shown in Fig. 2. Creating a smart contract in the blockchain involves writing the smart contract, turning it into bytecode and deploying it to the blockchain. Invoking a smart contract in the blockchain means initiating a transaction directed at the smart contract's address; the EVM of each node can execute that transaction separately, so that the smart contract code runs in a distributed manner in the virtual machine of every node in the Ethereum network.
After a user sends a transaction containing smart contract invocation information to the Ethereum network, every node can execute the transaction in its EVM. The From field of the transaction records the address of the account that initiates the invocation, the To field records the address of the smart contract being invoked, and the Data field records the method and parameters of the invocation. After the smart contract is invoked, the account state of the contract account may change. Later, a client can view the account state of the contract account through the blockchain node it is connected to; for example, the account state can be stored in the smart contract's Storage tree in the form of Key-Value pairs. The execution result of the transaction that invoked the smart contract can be stored in the MPT receipt tree in the form of a transaction receipt.
A smart contract can be executed independently, in a prescribed manner, by every node in the blockchain, and all execution records and data are stored on the blockchain. Once such a transaction has been executed, the blockchain therefore holds a transaction record that cannot be tampered with and will not be lost.
The event mechanism of smart contracts is one way for a smart contract to interact with off-chain entities. A smart contract deployed on the blockchain usually cannot interact directly with off-chain entities; for example, after an invocation completes, the smart contract usually cannot send the invocation result point-to-point to the party that initiated the invocation.
The results produced while a smart contract is being invoked (including intermediate results and the final result) are usually recorded, in the form of events, in the transaction logs of the transaction that invoked the smart contract, and are stored in the storage space of the node device. An off-chain entity that needs to interact with the smart contract can obtain the invocation result by listening to these transaction logs in the node device's storage space. For example, the transaction log ultimately becomes part of the receipt of the transaction that invoked the smart contract and is stored in the MPT receipt tree described above. The off-chain entity that interacts with the smart contract can listen for transaction receipts on the MPT receipt tree stored in the node device's storage space and obtain the events generated by the smart contract from the receipts it observes.
Fig. 3 illustrates a flowchart of the information proxy method provided by an exemplary embodiment. The method may include the following steps.
Step 302: the computing device of the information sender encrypts the target information plaintext based on its own first public key to generate the first encrypted information.
Step 304: the computing device of the information sender performs a cryptographic operation based on the second public key of the communication operator that is to send the target information plaintext and the second private key corresponding to the above first public key, and generates an authorization key for the communication operator.
Because the information proxy service platform may be connected to several communication operator service systems, the information sender can choose one or more of them to send the target information plaintext. This embodiment does not limit the specific way in which the computing device of the information sender obtains the second public key of the communication operator. For example, the information proxy service platform can offer the information sender several communication operators to choose from and send the corresponding public keys of those operators to the computing device of the information sender; in response to a selection operation by the information sender's user, the information proxy service platform can generate the authorization key for the selected communication operator based on the second public key of the selected operator and the second private key that it holds itself and that corresponds to the above first public key.
Alternatively, based on offline commercial communication between the information sender and certain communication operators, those communication operators can transmit their own second public keys to the information sender.
Step 306: the computing device of the information sender sends the first encrypted information and the authorization key to the information proxy service platform.
In yet another illustrated embodiment, to avoid the data security risk that arises if the first encrypted information and the authorization key are illegally intercepted at the same time, the computing device of the information sender can send the first encrypted information and the authorization key separately.
Step 308: the information proxy service platform performs a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is the target information ciphertext obtained by encrypting the target information plaintext based on the second public key of the communication operator.
In one illustrated embodiment, the information proxy service platform can use a proxy re-encryption algorithm to perform the cryptographic operation on the authorization key and the first encrypted information, thereby generating the target information ciphertext in which the target information plaintext is encrypted based on the second public key of the communication operator, namely the second encrypted information.
Step 310: the information proxy service platform sends the second encrypted information to the service system of the communication operator.
Step 312: the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to the information receiver corresponding to the target information plaintext.
With the information proxy method described in steps 302 to 312 above, the information proxy service platform, without knowing the information sender's target information plaintext, converts the target information into second encrypted information that the communication operator can decrypt, so that the service system of the communication operator, after decrypting the second encrypted information, sends the target information plaintext to the corresponding user. The communication operator therefore does not have to serve the differing information needs of a large number of information senders directly; it only exchanges data with the information proxy service platform, which lowers the communication service operator's connection cost.
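The flow of steps 302 to 312, as an added example that is not code from the patent: a simplified Umbral-style unidirectional proxy re-encryption over secp256k1, chosen here as an assumption because the specification names no concrete algorithm. All function and field names are hypothetical, the symmetric layer (SHAKE-256 keystream plus HMAC tag) is a stand-in for an AEAD, and the SMS text is constructed.

```python
"""Toy unidirectional proxy re-encryption (not constant-time; for study only)."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public standard constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def encode(*pts):
    return b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in pts)

def hash_to_scalar(*pts):
    digest = hashlib.sha256(b"scalar" + encode(*pts)).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def _keys(shared_pt):
    raw = encode(shared_pt)
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def seal(shared_pt, data):
    enc_key, mac_key = _keys(shared_pt)
    stream = hashlib.shake_256(enc_key).digest(len(data))
    body = bytes(x ^ y for x, y in zip(data, stream))
    return body, hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(shared_pt, body, tag):
    enc_key, mac_key = _keys(shared_pt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    stream = hashlib.shake_256(enc_key).digest(len(body))
    return bytes(x ^ y for x, y in zip(body, stream))

def sender_encrypt(pk_sender, plaintext):
    """Step 302: first encrypted information, under the sender's own public key."""
    e = secrets.randbelow(N - 1) + 1
    body, tag = seal(mul(e, pk_sender), plaintext)
    return {"E": mul(e, G), "body": body, "tag": tag}

def sender_decrypt(sk_sender, c1):
    return unseal(mul(sk_sender, c1["E"]), c1["body"], c1["tag"])

def make_authorization_key(sk_sender, pk_operator):
    """Step 304: built from the sender's private key and the operator's public key.
    Caveat of this simplified construction: rk * d == sk_sender (mod N), so the
    proxy and the operator must not pool their secrets; use a dedicated key pair."""
    x, X = keygen()
    d = hash_to_scalar(X, pk_operator, mul(x, pk_operator))
    return {"rk": sk_sender * pow(d, -1, N) % N, "X": X}

def proxy_reencrypt(auth_key, c1):
    """Step 308: the proxy transforms E only; it never derives the message key."""
    return {"E2": mul(auth_key["rk"], c1["E"]), "X": auth_key["X"],
            "body": c1["body"], "tag": c1["tag"]}

def operator_decrypt(sk_operator, pk_operator, c2):
    """Step 312: the operator recovers d via Diffie-Hellman on X, then the key."""
    d = hash_to_scalar(c2["X"], pk_operator, mul(sk_operator, c2["X"]))
    return unseal(mul(d, c2["E2"]), c2["body"], c2["tag"])

if __name__ == "__main__":
    a, A = keygen()                      # sender: first private / public key
    b, B = keygen()                      # operator: second private / public key
    sms = b"Your verification code is 000000"   # constructed sample
    c2 = proxy_reencrypt(make_authorization_key(a, B), sender_encrypt(A, sms))
    print(operator_decrypt(b, B, c2))
```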
Depending on the specific architecture of the information proxy service platform, the specific way in which the platform performs the cryptographic operation, and the specific way in which the communication operator obtains the second encrypted information, also differ.
In one illustrated embodiment, when the information proxy service platform is set up as a centralized service device (as shown in Fig. 1a), the platform can invoke locally deployed cryptographic operation logic to perform the cryptographic operation on the authorization key and the first encrypted information, to generate the second encrypted information corresponding to the first encrypted information. In this case, the information proxy service platform and the service system of the information operator communicate end to end, so that the second encrypted information is sent to the service system of the information operator.
The information proxy service platform can carry a trusted execution environment (TEE) and perform the cryptographic operation on the authorization key and the first encrypted information inside that trusted execution environment to generate the second encrypted information corresponding to the first encrypted information, which further increases the security of the cryptographic operation process and its results.
In yet another illustrated embodiment, when the information proxy service platform is connected to a blockchain network (as shown in Figure 1b or Figure 1c), a smart contract for cryptographic operations can be deployed in the blockchain network. After the platform receives the first encrypted information and the authorization key sent by the information sender's computing device, the specific process of performing a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information may include: invoking the cryptographic operation logic contained in the contract code of the smart contract, performing a cryptographic operation on the authorization key and the first encrypted information, generating the second encrypted information corresponding to the first encrypted information, and storing the generated second encrypted information in the blockchain.
Sending the second encrypted information to the service system of the communication operator includes: obtaining the second encrypted information stored in the blockchain, and further sending the second encrypted information to the service system of the communication operator.
Similarly, a blockchain node device can also be equipped with a trusted execution environment (TEE). The cryptographic operation logic contained in the contract code of a smart contract running in the TEE of a node device in the blockchain is invoked to perform a cryptographic operation on the authorization key and the first encrypted information, generating the second encrypted information corresponding to the first encrypted information.
The information proxy service platform can construct a smart contract invocation transaction based on the first encrypted information and the authorization key, or the information sender can construct the smart contract invocation transaction directly from the first encrypted information and the authorization key. The transaction is sent to the corresponding blockchain network, so that the node devices of the blockchain network, in response to the invocation transaction, invoke the cryptographic operation logic declared by the smart contract and perform a cryptographic operation based on the authorization key and the first encrypted information, generating the second encrypted information corresponding to the first encrypted information and storing it in the blockchain. The second encrypted information can be saved as an event (Event) in the transaction log corresponding to the smart contract invocation transaction, so that the information proxy service platform can obtain, from the blockchain it is connected to, the execution result of the smart contract invocation transaction, namely the second encrypted information.
It is worth noting that some blockchain networks provide a BaaS (Blockchain as a Service) end that serves the users of the blockchain. Therefore, in one illustrated embodiment, connecting the information proxy service platform to the blockchain network may include communicatively coupling the platform to the BaaS end; the platform can subscribe at the BaaS end to the execution result of the smart contract invocation transaction and thereby obtain the second encrypted information from the BaaS end. Other blockchain networks may have no BaaS end; instead, the node devices of the blockchain deploy the corresponding service logic (such as a blockchain event subscription service, blockchain data sending and query services, and so on) to provide blockchain services to users. Therefore, in yet another illustrated embodiment, connecting the information proxy service platform to the blockchain network may include connecting the platform to any node device in the blockchain network; the platform can subscribe, at the node device it is connected to, to the execution result of the smart contract invocation transaction and thereby obtain the second encrypted information from that node device.
After obtaining the second encrypted information, the information proxy service platform can send it to the service system of the information operator by end-to-end communication. Because the second encrypted information is the execution result of invoking a smart contract deployed on the blockchain, and the node devices of the blockchain perform the cryptographic operation on the first encrypted information and the authorization key in a decentralized manner to generate it, the tamper-resistance mechanism of the blockchain and the decentralized execution of the smart contract ensure the data security of the first encrypted information and the authorization key, which further improves the security and credibility of the second encrypted information.
The information proxy service platform may also be deployed in a decentralized manner as a blockchain network; that is, the platform comprises multiple node devices in the blockchain network, or the platform itself serves as one node device in the blockchain network. A smart contract for encryption operations can be deployed in the blockchain network, and in this case both the computing device of the information sender and the service system of the communication operator are connected to the blockchain network. The computing device of the information sender can construct a smart contract invocation transaction based on the first encrypted information and the authorization key and send it to the blockchain network it is connected to, so that the node devices of the blockchain network, in response to the invocation transaction, invoke the cryptographic operation logic declared by the smart contract and perform a cryptographic operation based on the authorization key and the first encrypted information to obtain the second encrypted information corresponding to the first encrypted information. The second encrypted information can be saved as an event in the transaction log corresponding to the smart contract invocation transaction and designated to be responded to by the communication operator. The blockchain node device connected to the service device of the communication operator can carry an SDK program that pushes the blockchain events subscribed to by the communication operator to the operator's service device, so that the service system of the communication operator can obtain, from the blockchain it is connected to, the execution result of the smart contract invocation transaction, namely the second encrypted information.
In this embodiment, the computing device of the information sender sends the first encrypted information and the authorization key directly to the blockchain as parameters of the smart contract invocation transaction. Compared with the embodiment above, in which the information proxy service platform obtains the first encrypted information and the authorization key and then sends the smart contract invocation transaction to the blockchain network, this further improves the credibility of the first encrypted information and the authorization key. Moreover, the service system of the communication operator obtains the second encrypted information directly from the blockchain network it is connected to. Compared with the embodiment above, in which the information proxy service platform obtains the second encrypted information and then sends it to the operator's service system by end-to-end communication, this also further improves the security and credibility of the second encrypted information.
It is worth noting that, in one or more of the embodiments shown above, in order to further determine whether the identity of the information sender is legitimate, the first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender. Before the information proxy service platform performs the cryptographic operation on the authorization key and the first encrypted information, the method further includes: verifying the digital signature of the authorization key and the first encrypted information based on the private key of the information sender; and, if the verification passes, further performing the step of carrying out the cryptographic operation on the authorization key and the first encrypted information.
In addition, in actual business applications, faced with a very large volume of mobile short message (SMS short message) traffic, and in order to reduce the decryption workload on the service system of the information operator, the service system of the communication operator includes, in addition to the core device of the communication operator, the computing device of at least one communication channel party connected to the information proxy service platform; the second public key of the communication operator includes the public key corresponding to the communication channel party.
In this case, the process in which the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key is actually carried out by the computing device of the communication channel party, which decrypts the second encrypted information based on the second private key corresponding to the second public key and obtains the target information plaintext.
Further sending the plaintext data of the target information to the information receiver designated by the information sender, as described in step 312 above, includes: the computing device of the communication channel party sends the target information plaintext to the core device of the communication operator, so that the core device of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
In this embodiment, to make it easy for the service system of the communication operator to tell which channel party's computing device, among those included in the service system, should decrypt the second encrypted information, the information sender can send the second public key corresponding to its selected target channel party to the information proxy service platform, so that the platform, based on the second public key, forwards it to the computing device of the target channel party corresponding to the second public key. The computing device of the target channel party corresponding to the second public key in the service system of the communication operator can then decrypt the second encrypted information based on the second private key it holds.
With the information proxy method described in one or more of the embodiments above, the information proxy service platform can, without knowing the target information plaintext, perform an encryption operation on the first encrypted information, which contains the target information plaintext encrypted with the first public key of the information sender, and generate the second encrypted information, which contains the target information plaintext encrypted with the second public key of the communication operator, so that the communication operator can decrypt the second encrypted information to obtain the target information plaintext. This effectively guards against the risk of leaking users' information.
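The transformation summarized above, sketched as an added example that is not code from the patent or its applicants: a simplified ElGamal-style proxy re-encryption in which the authorization key is derived from the first private key and the second public key. The toy group parameters, function names and sample message are assumptions constructed for illustration; the patent does not specify this particular construction.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
G = 4  # 2^2 mod P, so G generates the subgroup of prime order Q


def _h_scalar(*elems):
    """Hash group elements to a non-zero scalar in [1, Q-1]."""
    digest = hashlib.sha256("|".join(map(str, elems)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def _keys(shared, n):
    """Derive a 32-byte MAC key and an n-byte keystream from a shared element."""
    okm = hashlib.shake_256(b"pre-demo" + str(shared).encode()).digest(32 + n)
    return okm[:32], okm[32:]


def _seal(shared, msg):
    mac_key, stream = _keys(shared, len(msg))
    body = bytes(m ^ s for m, s in zip(msg, stream))
    return body, hmac.new(mac_key, body, hashlib.sha256).digest()


def _open(shared, body, tag):
    mac_key, stream = _keys(shared, len(body))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered ciphertext
    return bytes(c ^ s for c, s in zip(body, stream))


def keygen(sk=None):
    """Return (private, public); pass sk only to get reproducible demo keys."""
    sk = sk if sk is not None else 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def encrypt(pk1, msg):
    """Sender: first encrypted information, under the sender's own public key."""
    r = 1 + secrets.randbelow(Q - 1)
    body, tag = _seal(pow(pk1, r, P), msg)
    return {"E": pow(G, r, P), "body": body, "tag": tag}


def decrypt(sk, c):
    """Open a ciphertext directly with the private key it was encrypted for."""
    return _open(pow(c["E"], sk, P), c["body"], c["tag"])


def make_authorization_key(sk1, pk2):
    """Sender: authorization key from first private key and second public key."""
    x = 1 + secrets.randbelow(Q - 1)
    X = pow(G, x, P)
    d = _h_scalar(X, pk2, pow(pk2, x, P))  # from X alone, recomputing d needs sk2
    return {"rk": sk1 * pow(d, -1, Q) % Q, "X": X}


def reencrypt(auth, c1):
    """Proxy: first encrypted information -> second; the plaintext is never seen."""
    return {"E": pow(c1["E"], auth["rk"], P), "X": auth["X"],
            "body": c1["body"], "tag": c1["tag"]}


def decrypt_reencrypted(sk2, pk2, c2):
    """Operator: recover the plaintext with the second private key."""
    d = _h_scalar(c2["X"], pk2, pow(c2["X"], sk2, P))
    return _open(pow(c2["E"], d, P), c2["body"], c2["tag"])


if __name__ == "__main__":
    sk1, pk1 = keygen()
    sk2, pk2 = keygen()
    c1 = encrypt(pk1, b"Your verification code is 000000")  # constructed SMS text
    c2 = reencrypt(make_authorization_key(sk1, pk2), c1)
    print(decrypt_reencrypted(sk2, pk2, c2))
```

In this particular construction the platform and the operator together could reconstruct the sender's private key (the authorization key multiplied by the operator's derived scalar), so the two roles must be held by separate parties and an authorization key should be issued per recipient key.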
Corresponding to the process implementation above, the embodiments of this specification also provide an information proxy apparatus 40. The apparatus 40 may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed when the CPU (Central Processing Unit) of the device on which it resides reads the corresponding computer program instructions into memory and runs them. At the hardware level, in addition to the CPU, memory and storage shown in Figure 5, the device on which the apparatus resides usually also includes other hardware such as chips for sending and receiving wireless signals, and/or other hardware such as boards for implementing network communication functions.
As shown in Figure 4, this specification provides an information proxy apparatus 40, applied to an information proxy service platform, wherein the information proxy service platform is communicatively connected to the computing device of an information sender and to the service system of a communication operator, respectively. The apparatus 40 includes: a receiving unit 402, which receives the first encrypted information and the authorization key sent by the computing device of the information sender, wherein the first encrypted information is the target information ciphertext obtained by encrypting the target information plaintext based on the first public key of the information sender, and the authorization key is generated by a cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator; a computing unit 404, which performs a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is the target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator; and a sending unit 406, which sends the second encrypted information to the service system of the communication operator, so that the service system of the communication operator decrypts the second encrypted information based on the second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, a smart contract for performing cryptographic operations is deployed in the blockchain network corresponding to the information proxy service platform. The computing unit 404 is further configured to: invoke the cryptographic operation logic contained in the contract code of the smart contract, perform a cryptographic operation on the authorization key and the first encrypted information, generate the second encrypted information corresponding to the first encrypted information, and store the generated second encrypted information in the blockchain. The sending unit 406 is further configured to: obtain the second encrypted information stored in the blockchain, and further send the encrypted information to the service system of the communication operator.
In yet another illustrated embodiment, the receiving unit 402 is further configured to: receive the first encrypted information and the authorization key sent separately by the computing device of the information sender.
In yet another illustrated embodiment, the first encrypted information and the authorization key sent by the computing device of the information sender are digitally signed based on the private key of the information sender. The apparatus 40 further includes a verification unit 408, which, before the cryptographic operation is performed on the authorization key and the first encrypted information, verifies the digital signature of the authorization key and the first encrypted information based on the private key of the information sender; if the verification passes, the computing unit 404 further performs the step of carrying out the cryptographic operation on the authorization key and the first encrypted information.
In yet another illustrated embodiment, the service system of the communication operator includes the computing device of a communication channel party connected to the information proxy service platform, and the core device of the communication operator; the second public key of the communication operator includes the public key corresponding to the communication channel party. Further sending the plaintext data of the target information to the information receiver designated by the information sender includes: the computing device of the communication channel party sends the plaintext data of the target information to the core device of the communication operator, so that the core device of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
In yet another illustrated embodiment, the computing unit 404 is further configured to: in the trusted execution environment carried by the information proxy service platform, perform a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information; or invoke the cryptographic operation logic contained in the contract code of a smart contract running in the trusted execution environment carried by a node device in the blockchain, and perform a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, the computing unit 404 is further configured to: based on a proxy re-encryption algorithm, perform a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
In yet another illustrated embodiment, the target information includes SMS short messages.
For the implementation of the functions and roles of each unit in the apparatus 40, see the implementation of the corresponding steps in the information proxy method executed by the information proxy service platform described above; the relevant parts of the method embodiments apply and are not repeated here.
The apparatus embodiments described above are only illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the units or modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement it without creative effort.
The apparatuses, units and modules set out in the embodiments above can be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiments above, the embodiments of this specification also provide a computer device, as shown in Figure 5, which includes a memory and a processor. A computer program that can be run by the processor is stored in the memory; when the processor runs the stored computer program, it executes each step of the information proxy method executed by the information proxy service platform in the embodiments of this specification. For a detailed description of each step of that method, see the preceding content; it is not repeated here.
The above are only preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this specification shall fall within the scope of protection of this specification.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
Memory may include non-permanent storage in computer-readable media, in forms such as random access memory (RAM) and/or non-volatile memory, for example read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data.
Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic tape cassettes, magnetic tape and magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
Those skilled in the art should understand that the embodiments of this specification may be provided as a method, a system, or a computer program product. Accordingly, the embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.

Claims (17)

  1. An information proxy method, applied to an information proxy service platform, wherein the information proxy service platform is communicatively connected to a computing device of an information sender and to a service system of a communication operator, respectively; the method comprising:
    receiving first encrypted information and an authorization key sent by the computing device of the information sender, wherein the first encrypted information is target information ciphertext obtained by encrypting target information plaintext based on a first public key of the information sender, and the authorization key is generated by a cryptographic operation based on a first private key corresponding to the first public key and a second public key of the communication operator;
    performing a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator; and sending the second encrypted information to the service system of the communication operator, so that the service system of the communication operator decrypts the second encrypted information based on a second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to an information receiver designated by the information sender.
  2. The method according to claim 1, wherein a smart contract for performing cryptographic operations is deployed in a blockchain network corresponding to the information agency service platform; and performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information comprises:
    invoking cryptographic operation logic contained in contract code of the smart contract to perform the cryptographic operation on the authorization key and the first encrypted information, generating the second encrypted information corresponding to the first encrypted information, and storing the generated second encrypted information in the blockchain;
    sending the second encrypted information to the service system of the communication operator comprises:
    obtaining the second encrypted information stored in the blockchain, and further sending the encrypted information to the service system of the communication operator.
  3. The method according to claim 1 or 2, wherein receiving the first encrypted information and the authorization key sent by the computing device of the information sender comprises:
    receiving the first encrypted information and the authorization key sent separately by the computing device of the information sender.
  4. The method according to claim 1, wherein the first encrypted information and the authorization key sent by the computing device of the information sender have been digitally signed based on a private key of the information sender;
    before performing the cryptographic operation on the authorization key and the first encrypted information, the method further comprises:
    verifying the digital signatures of the authorization key and the first encrypted information based on the private key of the information sender; and, if the verification passes, proceeding to the step of performing the cryptographic operation on the authorization key and the first encrypted information.
  5. The method according to claim 1, wherein the service system of the communication operator comprises a computing device of a communication channel party connected to the information agency service platform, and a core device of the communication operator; and the second public key of the communication operator comprises a public key corresponding to the communication channel party;
    further sending the plaintext data of the target information to the information receiver designated by the information sender comprises:
    the computing device of the communication channel party sending the plaintext data of the target information to the core device of the communication operator, so that the core device of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
  6. The method according to claim 2, wherein performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information comprises:
    in a trusted execution environment hosted on the information agency service platform, performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information;
    or, invoking cryptographic operation logic contained in contract code of a smart contract running in a trusted execution environment hosted on a node device in the blockchain, to perform the cryptographic operation on the authorization key and the first encrypted information and generate the second encrypted information corresponding to the first encrypted information.
  7. The method according to claim 1, wherein performing the cryptographic operation based on the first private key corresponding to the first public key and the second public key of the communication operator to generate the authorization key comprises:
    performing, based on a proxy re-encryption algorithm, a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
  8. The method according to claim 1, wherein the target information comprises an SMS short message.
  9. An information agency apparatus, applied to an information agency service platform, wherein the information agency service platform is communicatively connected to a computing device of an information sender and to a service system of a communication operator, respectively; the apparatus comprises:
    a receiving unit, configured to receive first encrypted information and an authorization key sent by the computing device of the information sender, wherein the first encrypted information is a target information ciphertext obtained by encrypting a target information plaintext based on a first public key of the information sender; and the authorization key is generated by a cryptographic operation based on a first private key corresponding to the first public key and a second public key of the communication operator;
    a computing unit, configured to perform a cryptographic operation on the authorization key and the first encrypted information to generate second encrypted information corresponding to the first encrypted information, wherein the second encrypted information is a target information ciphertext obtained by encrypting the plaintext data of the target information based on the second public key corresponding to the communication operator;
    a sending unit, configured to send the second encrypted information to the service system of the communication operator, so that the service system of the communication operator decrypts the second encrypted information based on a second private key corresponding to the second public key, obtains the target information plaintext, and further sends the target information plaintext to an information receiver designated by the information sender.
  10. The apparatus according to claim 9, wherein a smart contract for performing cryptographic operations is deployed in a blockchain network corresponding to the information agency service platform;
    the computing unit is further configured to:
    invoke cryptographic operation logic contained in contract code of the smart contract to perform the cryptographic operation on the authorization key and the first encrypted information, generate the second encrypted information corresponding to the first encrypted information, and store the generated second encrypted information in the blockchain;
    the sending unit is further configured to:
    obtain the second encrypted information stored in the blockchain, and further send the encrypted information to the service system of the communication operator.
  11. The apparatus according to claim 9, wherein receiving the first encrypted information and the authorization key sent by the computing device of the information sender comprises:
    receiving the first encrypted information and the authorization key sent separately by the computing device of the information sender.
  12. The apparatus according to claim 9, wherein the first encrypted information and the authorization key sent by the computing device of the information sender have been digitally signed based on a private key of the information sender;
    the apparatus further comprises a verification unit, configured to, before the cryptographic operation is performed on the authorization key and the first encrypted information, verify the digital signatures of the authorization key and the first encrypted information based on the private key of the information sender; and, if the verification passes, proceed to the step of performing the cryptographic operation on the authorization key and the first encrypted information.
  13. The apparatus according to claim 9, wherein the service system of the communication operator comprises a computing device of a communication channel party connected to the information agency service platform, and a core device of the communication operator; and the second public key of the communication operator comprises a public key corresponding to the communication channel party;
    further sending the plaintext data of the target information to the information receiver designated by the information sender comprises:
    the computing device of the communication channel party sending the plaintext data of the target information to the core device of the communication operator, so that the core device of the communication operator further sends the target information plaintext to the information receiver designated by the information sender.
  14. The apparatus according to claim 10, wherein performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information comprises:
    in a trusted execution environment hosted on the information agency service platform, performing the cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information;
    or, invoking cryptographic operation logic contained in contract code of a smart contract running in a trusted execution environment hosted on a node device in the blockchain, to perform the cryptographic operation on the authorization key and the first encrypted information and generate the second encrypted information corresponding to the first encrypted information.
  15. The apparatus according to claim 9, wherein the computing unit is further configured to:
    perform, based on a proxy re-encryption algorithm, a cryptographic operation on the authorization key and the first encrypted information to generate the second encrypted information corresponding to the first encrypted information.
  16. The apparatus according to claim 9, wherein the target information comprises an SMS short message.
  17. A computer device, comprising a memory and a processor, wherein the memory stores a computer program executable by the processor, and the processor, when running the computer program, performs the method according to any one of claims 1 to 8.
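The data flow of claims 1 and 7, as an added example that is not code from the patent: a toy Diffie-Hellman-based proxy re-encryption in which the authorization key is derived from the sender's private key and the operator's public key, and the platform transforms the ciphertext without seeing the plaintext. The concrete scheme, all function names, the sample message and the small group are assumptions chosen for illustration; the claims name no specific algorithm.

```python
import hashlib, secrets
from math import isqrt

def _is_prime(n):  # trial division is enough for the toy size used here
    return n % 2 == 1 and all(n % k for k in range(3, isqrt(n) + 1, 2))

# Toy group, constructed for this example and far too small to be secure:
# the order-Q subgroup of Z_P* with P = 2Q + 1 (a safe prime), generator 4.
Q = next(q for q in range(2**31 + 1, 2**32, 2)
         if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def _scalar(*parts):
    """Hash to a non-zero exponent mod Q, so it is always invertible."""
    h = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def _mask(shared, data):
    """XOR data with a keystream derived from a group element (no integrity)."""
    stream = hashlib.shake_256(str(shared).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk1, plaintext):
    """Sender: first encrypted information, under the sender's own public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _mask(pow(pk1, r, P), plaintext)

def make_authorization_key(sk1, pk2):
    """Sender: authorization key from first private key and second public key."""
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    d = _scalar(X, pk2, pow(pk2, x, P))
    # Caveat: rk * d mod Q equals sk1, so a platform colluding with the
    # operator (who can compute d) recovers the sender's private key.
    return sk1 * pow(d, -1, Q) % Q, X

def reencrypt(auth_key, ct1):
    """Platform: transform the ciphertext; the plaintext is never exposed."""
    (rk, X), (E, body) = auth_key, ct1
    return pow(E, rk, P), X, body

def decrypt_second(sk2, pk2, ct2):
    """Operator: recover the plaintext with the second private key."""
    E2, X, body = ct2
    d = _scalar(X, pk2, pow(X, sk2, P))
    return _mask(pow(E2, d, P), body)

def demo(message=b"Verification code 493817"):  # constructed SMS text
    sk1, pk1 = keygen()          # information sender
    sk2, pk2 = keygen()          # communication operator
    ct1 = encrypt(pk1, message)
    ct2 = reencrypt(make_authorization_key(sk1, pk2), ct1)
    return ct1, ct2, decrypt_second(sk2, pk2, ct2)
```

The platform only ever handles `ct1`, the authorization key and `ct2`; a production design would use a standard elliptic-curve group and an authenticated cipher for the message body.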
PCT/CN2022/090578 2021-05-11 2022-04-29 Information proxy method and apparatus WO2022237600A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110510854.4 2021-05-11
CN202110510854.4A CN113315758B (en) 2021-05-11 2021-05-11 Information agent method and device

Publications (1)

Publication Number Publication Date
WO2022237600A1 (en) 2022-11-17

Family

ID=77372826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/090578 WO2022237600A1 (en) 2021-05-11 2022-04-29 Information proxy method and apparatus

Country Status (2)

Country Link
CN (1) CN113315758B (en)
WO (1) WO2022237600A1 (en)

Also Published As

Publication number Publication date
CN113315758B (en) 2022-09-13
CN113315758A (en) 2021-08-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22806568

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22806568

Country of ref document: EP

Kind code of ref document: A1