WO2023030450A1 - Data sharing method and electronic device - Google Patents

Info

Publication number
WO2023030450A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
information
client
data sharing
accessed
Application number
PCT/CN2022/116520
Inventor
胡志远
Original Assignee
维沃移动通信有限公司
Application filed by 维沃移动通信有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/176 Support for shared access to files; File sharing support
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This application belongs to the field of blockchain, and specifically relates to a data sharing method and electronic equipment.
  • Big data is called the "new oil" of the future. At present, whoever has more data resources will have more markets and users in this era of big data. However, while users enjoy the convenience and benefits that data brings, they also bear the risk of personal information being leaked and personal life being disturbed. Therefore, it is necessary to introduce advanced technologies and solutions to realize the safe sharing of data resources.
  • In the current way of sharing data resources, the data user usually obtains the plaintext data to be shared from the storage server through the data sharing platform after obtaining access rights. Once the data user holds the plaintext data, it may illegally forward the plaintext data to other users, so the security and privacy of the shared data cannot be effectively guaranteed.
  • The purpose of the embodiments of the present application is to provide a data sharing method and an electronic device, which can solve the problem that the security and privacy of shared data cannot be effectively guaranteed.
  • The embodiment of the present application provides a data sharing method, which is applied to the first client, and the method includes:
  • receiving the first storage information and first permission information sent by the server based on the first smart contract, wherein the first smart contract belongs to the first block in the blockchain, and the first permission information is used to indicate an access operation that the first client can perform on the data to be accessed;
  • The embodiment of the present application provides a data sharing method, which is applied to the second client, and the method includes:
  • sending a data sharing request to the server, the data sharing request carrying second data sharing information and the digital signature of the second client, wherein the second data sharing information is used to describe the data to be shared;
  • the storage server stores the third encrypted data package and key information corresponding to the third encrypted data package.
  • the embodiment of the present application provides a data sharing method, which is applied to the server, and the method includes:
  • the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operation that the first client can perform on the data to be accessed;
  • the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are met.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • the embodiment of the present application provides a data sharing device, which is applied to the first client, and the device includes:
  • the first sending module is configured to send a data access request to the server, the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • the first receiving module is configured to receive the first storage information and the first permission information sent by the server based on the first smart contract, wherein the first smart contract belongs to the first block in the blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
  • a first obtaining module configured to obtain a first encrypted data packet from a storage server according to the first storage information
  • a decryption module configured to decrypt the first encrypted data packet to obtain the data to be accessed, wherein the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed;
  • An access module configured to perform an access operation on the data to be accessed according to the first permission information.
  • the embodiment of the present application provides a data sharing device, which is applied to the second client, and the device includes:
  • the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operation that the first client can perform on the data to be accessed;
  • receiving a data sharing request sent by a second client, wherein the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are satisfied.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • the embodiment of the present application provides a data sharing device, which is applied to the server, and the device includes:
  • the second receiving module is configured to receive a data access request sent by the first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • the third sending module is configured to send the first storage information and the first permission information to the first client according to the first smart contract when the first client meets the access conditions of the first smart contract;
  • the first smart contract belongs to the first block in the block chain
  • the first storage information is used to obtain the data to be accessed from the storage server
  • the first permission information indicates the access operation that the first client can perform on the data to be accessed.
  • the third receiving module is configured to receive the data sharing request sent by the second client, the data sharing request carries the second data sharing information and the digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
  • a second generating module configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate access operations that can be performed on the data to be shared;
  • a third generating module configured to generate a second block according to the second data sharing information and the digital signature of the second client
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are met.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • The embodiment of the present application provides an electronic device, the electronic device includes a processor, a memory, and a program or instruction stored in the memory and operable on the processor, and when the program or instruction is executed by the processor, it implements the steps of the method described in the first aspect, or implements the steps of the method described in the second aspect, or implements the steps of the method described in the third aspect.
  • The embodiment of the present application provides a readable storage medium, on which a program or instruction is stored, and when the program or instruction is executed by a processor, the steps of the method described in the first aspect are implemented, or the steps of the method described in the second aspect are implemented, or the steps of the method described in the third aspect are implemented.
  • The embodiment of the present application provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions, so as to implement the steps of the method described in the first aspect, or implement the steps of the method described in the second aspect, or implement the steps of the method described in the third aspect.
  • The embodiment of the present application provides a computer program/program product, the computer program/program product is stored in a non-volatile storage medium, and the computer program/program product is executed by at least one processor to implement the steps of the method described in the first aspect, or implement the steps of the method described in the second aspect, or implement the steps of the method described in the third aspect.
  • The embodiment of the present application provides a communication device configured to perform the steps of the method described in the first aspect, or configured to perform the steps of the method described in the second aspect, or configured to perform the steps of the method described in the third aspect.
  • The first client can send a data access request to the server, receive the first storage information and the first permission information sent by the server based on the first smart contract, use the first storage information to obtain the first encrypted data packet from the storage server, decrypt it to obtain the data to be accessed, and perform an access operation on the data to be accessed according to the first permission information. Because the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed, controlling the access rights of the first client to the data to be accessed makes it possible to prevent the first client from illegally sending the data to be accessed to other users, reducing the risk of data leakage and improving data privacy and security.
  • FIG. 1 is the first flowchart of the steps of the data sharing method provided by the embodiment of the present application.
  • FIG. 2 is the second flowchart of the steps of the data sharing method provided by the embodiment of the present application.
  • FIG. 3 is the third flowchart of the steps of the data sharing method provided by the embodiment of the present application.
  • FIG. 4 is the fourth flowchart of the steps of the data sharing method provided by the embodiment of the present application.
  • FIG. 5 is the first scenario architecture diagram provided by the embodiment of the present application.
  • FIG. 6 is the second scenario architecture diagram provided by the embodiment of the present application.
  • FIG. 7 is the first schematic diagram of the interaction process provided by the embodiment of the present application.
  • FIG. 8 is the second schematic diagram of the interaction process provided by the embodiment of the present application.
  • FIG. 9 is the first structural schematic diagram of the data sharing device provided by the embodiment of the present application.
  • FIG. 10 is the second structural schematic diagram of the data sharing device provided by the embodiment of the present application.
  • FIG. 11 is the third structural schematic diagram of the data sharing device provided by the embodiment of the present application.
  • FIG. 12 is the fourth structural schematic diagram of the data sharing device provided by the embodiment of the present application.
  • FIG. 13 is the fifth structural schematic diagram of the data sharing device provided by the embodiment of the present application.
  • FIG. 14 is the first structural schematic diagram of the electronic device provided by the embodiment of the present application.
  • FIG. 15 is the second structural schematic diagram of the electronic device provided by the embodiment of the present application.
  • FIG. 1 is a flow chart of the steps of the data sharing method provided by the embodiment of the present application.
  • the method can be applied to the first client, and the method includes:
  • Step 101 Send a data access request to a server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed.
  • Step 102 Receive the first storage information and the first permission information sent by the server based on the first smart contract, wherein the first smart contract belongs to the first block in the blockchain, and the first permission information is used to indicate an access operation that the first client can perform on the data to be accessed.
  • Step 103 Acquire a first encrypted data package from a storage server according to the first storage information.
  • Step 104 Decrypt the first encrypted data packet to obtain the data to be accessed, wherein the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed.
  • Step 105 Perform an access operation on the data to be accessed according to the first permission information.
  • the above-mentioned first client can be understood as a data demander, specifically, it can be a mobile electronic device, or it can be a non-mobile electronic device.
  • the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle electronic device, a wearable device, etc., which will not be listed here.
  • the server can be understood as a platform for sharing data.
  • the above-mentioned server can be connected to the blockchain network, and record the relevant information of the shared data through the blocks in the blockchain, and can display it to the data demander, so that the data demander can obtain the required data.
  • the above server may be composed of one or more servers, which are equivalent to different functional modules of the server.
  • The first client may be communicatively connected with the server, so as to send a data access request to the server.
  • The data access request may be based on the user's input, for example, clicking the button or link on the first client for obtaining the data to be accessed.
  • The data access request may also be triggered automatically according to preset conditions, which is not limited here.
  • The data access request may carry the identity information of the first client and the first data sharing information, wherein the identity information of the first client may include an identity (Identity Document, ID) of the first client, so that the server can determine which client sent the data access request.
  • the above identity information may also include the industry information, company information and personal information of the first client to represent the industry and company represented by the first client and the information of the user of the first client.
  • the above-mentioned identity information can be filled in by the user of the first client, for example, when registering an account, the above-mentioned identity information is filled in, so that the server can determine whether the first client has the right to access the data to be accessed.
  • The first data sharing information is used to describe the data to be accessed, and may be specifically determined by the data to be accessed. It can be understood that the server may store relevant information describing the data to be accessed, and may display part of the information to the first client. After the user determines the data to be accessed, the user may provide input, for example by clicking the interactive button or link for obtaining the data to be accessed, to determine the first data sharing information.
  • the above-mentioned first data sharing information may also be manually filled in by the user, for example, by filling in the ID or name corresponding to the data to be accessed, publisher information, etc., to determine the data to be accessed that needs to be obtained.
  • the above-mentioned first storage information and first permission information are sent by the server based on the first smart contract.
  • The server is connected to the blockchain network, so the first smart contract can be obtained from the first block in the blockchain, and when the first client meets the first access condition of the first smart contract, the server can send the first storage information and first permission information to the first client according to the instruction of the first smart contract.
  • the above-mentioned first storage information is used to obtain the data to be accessed from the storage server.
  • The first storage information may include verification information, which is used to verify permissions with the storage server. To avoid data leakage, the data to be accessed is usually stored encrypted, so the first storage information may also include related information such as the decryption key and the storage address, which is used to obtain the decryption key and the encrypted data.
  • the above-mentioned storage server may be the server responsible for the storage function in the above-mentioned server, and may also be an external storage server.
  • the above-mentioned data to be shared may be stored in the above-mentioned storage server after encrypted processing, which is not limited herein.
  • While sending the first storage information, the server can also send the first permission information to the first client. The first permission information is used to indicate the access operations that the first client can perform on the data to be accessed, so as to control the permitted access operations, improve the privacy of the data to be accessed and avoid data leakage.
  • the above-mentioned access operations may include read operations, edit operations, and copy operations, etc.
  • the above-mentioned first permission information may be provided by the data provider, for example, the data provider specifies that the data to be accessed is read-only data.
  • The data provider may also provide the server with a permission list including the various allowed access operations, and the first client determines, and receives from the server, the first permission information according to the access operations it needs to perform.
  • both the above-mentioned first storage information and first permission information may be transmitted in the form of encrypted data packets, so as to improve the security of data transmission.
  • the user can obtain the first encrypted data package from the storage server according to the first storage information.
  • The first encrypted data packet is generated by encapsulating the data to be accessed together with the metadata of the data to be accessed. The metadata of the data to be accessed can be data information describing the data to be accessed, so that the data to be accessed, and the first encrypted data packet corresponding to the data to be accessed, can be determined according to the metadata.
  • the above-mentioned metadata of the data to be accessed may be generated by the data provider as follows:
  • Generate data information including but not limited to encrypted data packet identification, data provider identification, data provider's public key, address for executing data sharing smart contracts, etc.;
  • the data information and the signature on the data information together form the metadata of the data to be accessed.
  • The first encrypted data packet is a file obtained by package processing, so it can be packaged and unpacked repeatedly. The first client can perform the access operation on the data to be accessed after unpacking the first encrypted data packet, and the data to be accessed is then stored locally again in the form of an encrypted data packet, thereby avoiding the data leakage caused by the first client directly sending the data to be accessed to other illegal or unauthorized users for them to access.
  • The first client can obtain the first encrypted data packet through the first storage information, and can use the key information in the first storage information to decrypt the first encrypted data packet and obtain the data to be accessed.
  • The first client can perform an access operation on the data to be accessed according to the first permission information.
  • Steps 104 and 105 can be executed at the same time or at separate times.
  • When they are executed at the same time, the first client can read the first permission information while processing the data to be accessed, so as to disable, for the data to be accessed, every access operation other than the access operations indicated by the first permission information, and thereby obtain the processed data to be accessed.
  • The first client can send a data access request to the server, receive the first storage information and the first permission information sent by the server based on the first smart contract, use the first storage information to obtain the first encrypted data packet from the storage server, decrypt it to obtain the data to be accessed, and perform an access operation on the data to be accessed according to the first permission information. Because the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed, controlling the access rights of the first client to the data to be accessed makes it possible to prevent the first client from illegally sending the data to be accessed to other users, reducing the risk of data leakage and improving data privacy and security.
  • the first storage information includes first key information and first address information
  • the above step 103 includes:
  • the above step 104 includes:
  • The storage server may include a key storage server and a data storage server, and the data to be accessed may be encrypted to obtain an encrypted data packet that is stored in the data storage server.
  • The first key information for decryption may be stored in the key storage server.
  • The first storage information may include first key information for obtaining access authority of the key server and first address information indicating a storage address of the first encrypted data packet.
  • The first key information may include a key and a storage address of the second key information, and the first client may access the storage server through the key, and obtain the second key information through the storage address of the second key information.
  • The first client can also obtain the first encrypted data packet from the storage server according to the first address information, so that the first encrypted data packet can be decrypted by using the second key information to obtain the data to be accessed.
  • Because the second key information and the first encrypted data packet are stored independently, the first client needs to obtain the second key information and the first encrypted data packet from the storage server separately in order to obtain the data to be accessed, which further enhances data security.
  • the method further includes any of the following:
  • the data to be accessed is encapsulated to obtain a second encrypted data packet, and the second encrypted data packet is stored.
  • In order to prevent the first client from performing other operations on the data to be accessed locally after it completes the access operation, in this embodiment of the application the first client can delete the data to be accessed and the first encrypted data packet after the access operation is terminated.
  • The first client can also repackage the data to be accessed and the metadata of the data to be accessed from the first encrypted data packet to obtain the second encrypted data packet and store it locally, so as to prevent the first client from illegally sharing the data to be accessed with other users after decrypting it, improving the security and privacy of the data.
  • the embodiment of the present application also provides a data sharing method, which is applied to the second client, and the method includes:
  • Step 201 Obtain second storage information of the data to be shared, where the second storage information indicates that the data to be shared corresponds to information stored in the storage server;
  • Step 202 Send a data sharing request to the server, the data sharing request carries second data sharing information and the digital signature of the second client, the second data sharing information is generated based on the second storage information, and is used to describe the data to be shared;
  • Step 203 generating a third encrypted data packet based on the metadata of the data to be shared and the data to be shared;
  • Step 204 According to the second storage information, store the third encrypted data package and key information corresponding to the third encrypted data package in the storage server.
  • the above-mentioned second client can be understood as a data provider, specifically, it can be a mobile electronic device, or it can be a non-mobile electronic device.
  • the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle electronic device, a wearable device, etc., which will not be listed here.
  • the above-mentioned second client can also communicate with the server. It can be understood that the second client may or may not be the data provider of the first client. That is, the above steps 101-105 and steps 201-204 may be combined, or may be mutually independent interactive processes, which are not limited here. It can be understood that, when the second client is the data provider of the first client, the data referred to by the data to be accessed and the data referred to by the data to be shared are the same data.
  • the above-mentioned second storage information may be the registration information obtained by the second client from pre-registering with the storage server, which may include relevant information such as the storage address of the third encrypted data packet.
  • the data sharing request may be based on the user's input, for example, by clicking the release data button on the first user terminal.
  • the data sharing request may also be triggered automatically according to preset conditions, which is not limited here.
  • the data sharing request may carry the second data sharing information and the digital signature of the second client.
  • the digital signature of the second client is a character string generated by the second client to prove the authenticity of the information sent by the second client.
  • the above-mentioned second data sharing information may be used to describe the data to be shared.
  • The second data sharing information may include the identity information of the second client, and the identity information of the second client may include the ID of the second client and may also include the public key of the second client, so that the server can determine the client sending the data sharing request.
  • The identity information can also include the industry information, company information and personal information of the second client, to represent the industry and company that the second client represents and the information of the user of the second client, so that when the shared data is released on the server, the data demander can conveniently view the relevant information of the data provider.
  • the above-mentioned identity information can be filled in by the user of the second client terminal, for example, when registering an account, the above-mentioned identity information is filled in, and details will not be repeated here.
  • the above-mentioned second data sharing information may also include data storage information, data profile information, and sharing policy information, wherein the above-mentioned data storage information may include the storage address of the data to be shared and, if the data to be shared is ciphertext data, the identification ID of the ciphertext, the key ID, the key storage address, etc., so that the data demander can obtain the above-mentioned data to be shared according to the data storage information.
  • the above data profile information is used to characterize the attributes of the data to be shared, such as the category, profile, nature, purpose, and price of the data to be shared, so that the data demander can determine the required data based on the data profile information.
  • the above-mentioned sharing policy information is used to represent the user group that the second client terminal intends to share.
  • the above-mentioned sharing policy information may include target industry information and target group information, so that the server can judge, based on the sharing policy information, whether the data demander can obtain the above data to be shared.
  • the above-mentioned second data sharing information may also include price and payment bill information to represent the revenue that the data provider intends to obtain for the above-mentioned data to be shared.
  • the above-mentioned second data sharing information may also include authorization information indicating the access operations that the data provider allows to be performed on the shared data, so that the data provider can choose the access operations it needs and obtain the corresponding permission information through payment operations.
  • the information contained in the above-mentioned second data sharing information can be filled in by the second client, for example, an information template can be created in the application program corresponding to the second client for the user of the second client to fill in, or it may be automatically generated by the second client according to the acquired data, which is not limited here.
  • the above-mentioned third encrypted data packet can be generated by packaging the data to be shared together with the metadata of the data to be shared, and the metadata of the data to be shared can be data information describing the data to be shared, so that the data to be shared and the third encrypted data packet corresponding to it can be determined according to the metadata of the data to be shared.
  • the second client may upload the above-mentioned third encrypted data package and its corresponding key information to the storage server according to the second storage information registered in the storage server.
  • when uploading the data to be shared, the second client may package the data to be shared together with the metadata of the data to be shared to obtain the third encrypted data packet, and store the third encrypted data packet in the storage server, so that when the data demander obtains the data to be shared, the third encrypted data packet can be obtained from the storage server. Since the third encrypted data packet can be encapsulated and decapsulated multiple times, the data to be shared is always stored locally on the data demand side as an encrypted data packet, preventing the data demand side from performing illegal access operations on the shared data and improving data security and privacy.
  • step 203 includes:
  • first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identification indicating the second client, a second identification indicating the third encrypted data packet, and second address information indicating the second smart contract;
  • the second address information is sent by the server, the second smart contract belongs to the second block in the blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information, where the third storage information is used to obtain the data to be shared from the storage server, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
  • the above-mentioned metadata of the data to be shared may be generated based on the first data information, and the first data information includes but is not limited to the first identification, the second identification and the second address information.
  • the above-mentioned second identifier may include an ID indicating the data provider, and may also include a public key of the data provider, which is not limited here.
  • the above-mentioned second smart contract is a smart contract generated by the server based on blockchain technology, which is used to indicate that the server outputs the third storage information and the second permission information when the access conditions of the second smart contract are met, That is, the third storage information and the second permission information are sent to the user terminal.
  • the above-mentioned second address information is the address for executing the second smart contract.
  • the above-mentioned second address information may be a Uniform Resource Locator (Uniform Resource Locator, URL) or a Uniform Resource Identifier (Uniform Resource Identifier, URI) address.
  • the above-mentioned third storage information is similar to the first storage information in the above-mentioned embodiment, and the above-mentioned second permission information is similar to the above-mentioned first permission information. To avoid repetition, details are not repeated here.
  • the digital signature operation performed by the second client on the first data information may specifically be that the second client first performs a hash calculation on the first data information, and then uses its private key to sign the result of the hash calculation.
  • in this embodiment, the metadata of the data to be shared is generated based on the first identifier indicating the second client, the second identifier indicating the third encrypted data packet, and the second address information indicating the second smart contract. This ensures that the third encrypted data packet can be packaged and decapsulated multiple times according to the metadata of the data to be shared, so that the data to be shared is always stored locally on the data demand side as an encrypted data packet, preventing the data demand side from performing illegal access operations on the shared data and improving the security and privacy of the data.
  • the embodiment of the present application also provides a data sharing method, which is applied to the server, and the method includes:
  • Step 301 Receive a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • Step 302 when the first client meets the access conditions of the first smart contract, according to the first smart contract, send the first storage information and the first authority information to the first client;
  • wherein the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
  • Step 401 Receive a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
  • Step 402 Generate third permission information according to the second data sharing information, the third permission information is used to determine second permission information, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
  • Step 403 generating a second block according to the second data sharing information and the digital signature of the second client;
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are satisfied.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • the above-mentioned server may only perform the above-mentioned steps 301-302, or may only perform the above-mentioned steps 401-403, or may perform the above-mentioned steps 301-302 and steps 401-403 together.
  • when the above-mentioned server performs the above-mentioned steps 301-302 and the above-mentioned steps 401-403 together, the above-mentioned second client can be the data provider of the above-mentioned first client, and the above-mentioned first client can be the data demander of the above-mentioned second client; that is, the data to be shared and the data to be accessed may be the same data.
  • the above-mentioned step 301 corresponds to the above-mentioned step 101, and in order to avoid repetition, details are not repeated here.
  • the server can determine whether the first client meets the access conditions of the first smart contract according to the identity information of the first client.
  • the access conditions of the first smart contract can be determined by the data provider to represent the user group with which the data provider intends to share. For example, the access conditions of the above-mentioned first smart contract can limit the target industry and target group, so that whether the first client meets the access conditions of the first smart contract can be judged based on the identity information of the first client. When the first client meets the access conditions of the first smart contract, the first storage information corresponding to the data to be accessed is sent to the first client according to the first smart contract.
  • the above-mentioned first smart contract belongs to the first block in the blockchain, and the first block can be generated based on the data sharing information sent by the data provider corresponding to the data to be accessed.
  • for the specific process, refer to the process of generating the second block described below, which is not explained here. It can be understood that, if the data provider corresponding to the data to be accessed is the second client, the data sharing information is the second data sharing information.
  • after receiving the data access request from the first client, the server can send the first storage information and the first permission information to the first client, so that the first client can obtain the data to be accessed and perform access operations on it according to the first permission information. Since the first permission information indicates the access operations that the first client can perform on the data to be accessed, the access rights of the first client to the data to be accessed can be controlled, preventing the first client from illegally sending the data to be accessed to other users, reducing the risk of data leakage and improving the privacy and security of data.
  • the first client may first perform mutual authentication with the server, and the authentication credential may be a digital certificate or a key. The above step 301 is performed only after the authentication succeeds, which prevents illegal users from accessing data and improves the security of data sharing.
  • the above method before sending the first storage information and the first permission information to the first client, the above method further includes:
  • the third block includes an access record corresponding to the data to be accessed.
  • when the first client meets the access conditions of the first smart contract, the server can form a blockchain transaction based on the above-mentioned first data sharing information and send the blockchain transaction to the existing blockchain infrastructure platform, where the above-mentioned third block is generated based on an existing open-source blockchain platform (such as Hyperledger Fabric, Ethereum Quorum). The third block can include the access record corresponding to the above-mentioned data to be accessed, which is convenient for data providers or data demanders to query.
  • the above-mentioned blockchain transactions correspond to the above-mentioned access records and the first data sharing information, that is, each time the server receives a piece of first data sharing information, it can generate a blockchain transaction and generate an access record.
  • the above-mentioned third block can also include multiple access records, that is, the server can generate M blockchain transactions after receiving M pieces of first data sharing information, and the third block finally formed by integrating them includes M access records.
  • M is a positive integer, and its value can be determined according to the maximum capacity of the third block.
  • when M is greater than 1, the third block can include multiple access records, thereby avoiding waste of block capacity.
  • the above-mentioned data access request also carries the identity information of the first client and the digital signature of the first client, and before the step of sending the first storage information to the first client, the method further includes:
  • the fourth block includes a third smart contract, the third smart contract is associated with the first smart contract, and is used to indicate that when the payment information sent by the first client is received, sending the first storage information and the first permission information to the first client;
  • after receiving the payment information sent by the first client, generating a fifth block according to the payment information and the digital signature of the first client, the fifth block includes a payment record corresponding to the payment information;
  • step 302 comprises:
  • when the first client meets the access conditions of the first smart contract and the payment information sent by the first client is received, according to the first smart contract and the third smart contract, the first storage information and the first permission information are sent to the first client.
  • the server can realize payment and billing functions during data sharing, so that the data provider can obtain benefits from the data demander. That is to say, when the above-mentioned data demander sends the data sharing information to the server, it can send the billing information associated with the above-mentioned data to be accessed, so that the server can send the above-mentioned billing information to the first client.
  • when the server determines that the first client meets the access conditions of the first smart contract, the server can determine the data to be accessed according to the first data sharing information, and generate a blockchain transaction from the identity information of the first client, the first data sharing information and the digital signature of the first client. The server can send the blockchain transaction to the existing blockchain infrastructure platform, where the above-mentioned fourth block is generated based on an existing open-source blockchain platform (such as Hyperledger Fabric, Ethereum Quorum). The fourth block may include a third smart contract, which is associated with the first smart contract and is used to indicate that, when the payment information sent by the first client is received, the first storage information and the first permission information are sent to the first client.
  • the above-mentioned third smart contract has a one-to-one correspondence with the above-mentioned blockchain transaction and the above-mentioned first data sharing information, and the fourth block may contain one or more third smart contracts. When the server receives multiple pieces of first data sharing information, it can generate multiple blockchain transactions and integrate multiple third smart contracts to generate the above fourth block, which improves the utilization rate of the block and avoids waste of block capacity; details are not repeated here.
  • after the server receives the payment information sent by the first client, the payment is complete. At this time, the server can send the above-mentioned first storage information and first permission information to the first client. At the same time, to make it easy for the data provider or the first client to query the payment record, the server can generate a fifth block according to the payment information and the digital signature of the first client, and the fifth block includes the payment record corresponding to the payment information. The method of generating the above-mentioned fifth block is similar to the method of generating the first block to the fourth block in the above-mentioned embodiment, and is not repeated here.
  • the server can realize payment and billing functions during data sharing, which improves user experience.
  • the above step 401 corresponds to the above step 201.
  • the above-mentioned second permission information may be generated based on the second data sharing information sent by the second client, for example, when sending a data sharing request, the second client may send an access permission list corresponding to the data to be shared, It includes all access operations that can be performed on the data to be shared, so that the server can generate the second permission information according to the access permission list.
  • the above step 402 may include:
  • the access authority list including the second authority information
  • the second permission information is acquired from the access permission list.
  • the server can also display the above-mentioned access permission list to the data demander, and determine the second permission information that is finally output according to the request sent by the data demander, so that the data provider can control data access permissions more conveniently, improve data security and privacy, and benefit from it.
  • the server can show the data demander that the purchase methods of the current document include the purchase of read-only rights, the purchase of shareable rights and the purchase of editable rights. After the data demander chooses the purchase method, the final document can be determined.
  • the second permission information sent to the data requester may also be generated by the server itself according to the access permission list and preset policies.
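The release decision described above (access conditions checked against the requester's identity information, selection from the access permission list, and release of storage and permission information only after payment) can be modelled in a few lines. This is an added example, not code from the patent: the class, field and function names and all sample values are assumptions, and plain Python lists stand in for the access-record and payment-record blocks.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """Identity information carried in a data access request (assumed fields)."""
    client_id: str
    industry: str
    group: str


@dataclass
class SharedItem:
    """What a data provider published for one data item (constructed sample)."""
    storage_info: dict            # storage address and key ID of the encrypted packet
    target_industries: frozenset  # sharing policy: industries allowed to access
    target_groups: frozenset      # sharing policy: user groups allowed to access
    permission_prices: dict       # access permission list: operation -> price


@dataclass
class Server:
    catalog: dict
    access_records: list = field(default_factory=list)   # stands in for the access-record block
    payment_records: list = field(default_factory=list)  # stands in for the payment-record block

    def meets_access_conditions(self, who: Identity, item: SharedItem) -> bool:
        # Access conditions limit the target industry and the target group.
        return who.industry in item.target_industries and who.group in item.target_groups

    def handle_access_request(self, who, data_id, requested_ops, paid=0):
        item = self.catalog.get(data_id)
        # Fail closed: unknown data or an ineligible requester learns nothing.
        if item is None or not self.meets_access_conditions(who, item):
            return {"status": "denied"}
        ops = sorted(set(requested_ops))
        # An access record is written once the access conditions are met,
        # before anything is sent back to the requester.
        self.access_records.append({"client": who.client_id, "data": data_id, "ops": ops})
        # Only operations on the provider's access permission list can be granted.
        if not ops or any(op not in item.permission_prices for op in ops):
            return {"status": "denied"}
        amount = sum(item.permission_prices[op] for op in ops)
        # Storage information is withheld until payment covers the chosen operations.
        if paid < amount:
            return {"status": "payment_required", "amount": amount}
        self.payment_records.append({"client": who.client_id, "data": data_id, "amount": amount})
        return {
            "status": "granted",
            "storage_info": dict(item.storage_info),
            "permission_info": ops,
        }


def build_sample_server() -> Server:
    """Constructed catalogue with one shared item and three purchasable rights."""
    item = SharedItem(
        storage_info={"address": "https://storage.example/packets/pkt-001", "key_id": "key-001"},
        target_industries=frozenset({"healthcare"}),
        target_groups=frozenset({"researcher"}),
        permission_prices={"read": 10, "share": 25, "edit": 40},
    )
    return Server(catalog={"data-001": item})


if __name__ == "__main__":
    server = build_sample_server()
    requester = Identity("client-A", "healthcare", "researcher")
    print(server.handle_access_request(requester, "data-001", ["read"]))
    print(server.handle_access_request(requester, "data-001", ["read"], paid=10))
```

The permission information returned here only states what the requester is allowed to do; enforcing it on the requester's device depends on the encrypted data packet handling described elsewhere in the document.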
  • the server can form a blockchain transaction based on the above-mentioned second data sharing information and the digital signature of the second client, and the blockchain transaction is used to realize the sharing of the data to be shared corresponding to the above second data sharing information. After that, the server can send the above blockchain transaction to the existing blockchain infrastructure platform, where the above second block is generated based on an existing open-source blockchain platform (such as Hyperledger Fabric, Ethereum Quorum). The second block includes the second smart contract corresponding to the second data sharing information, and the newly generated second block is issued to each server node connected to the blockchain network to inform it of a new data sharing request.
  • the digital signature of the second client is in one-to-one correspondence with the second data sharing information, that is, whenever the second client needs to access a piece of data to be accessed, it needs to send a data access request carrying a digital signature and data sharing information, and for different data access requests, the digital signatures of the second client are also different.
  • the above-mentioned second smart contract is generated based on the second data sharing information, and may include access conditions determined according to the second data sharing information.
  • the server can output the third storage information and second permission information corresponding to the above-mentioned data to be shared.
  • the above-mentioned third storage information is similar to the first storage information, and the above-mentioned third storage information may be generated based on the above-mentioned second data sharing information, for example, it may be address information, key information, and the like.
  • the above-mentioned blockchain transaction and the above-mentioned second smart contract are in one-to-one correspondence with the above-mentioned data sharing request, that is, each time the server receives a data sharing request carrying the second data sharing information and the digital signature of the second client, a blockchain transaction can be generated according to the second data sharing information and the digital signature of the second client, and a second smart contract can be generated.
  • the above-mentioned second block can also include multiple second smart contracts, that is, the server can generate N blockchain transactions after receiving N data access requests, and the second block finally formed by integrating them includes N second smart contracts. It can be understood that N is a positive integer, and its value can be determined according to the maximum capacity of the second block, which avoids waste of block capacity.
  • the above method of forming the second block can be set according to the existing block generation method of the open source blockchain platform (such as Hyperledger Fabric, Ethereum Quorum), and no further description will be made here.
  • after receiving the data sharing request from the second client, the server can generate the second block according to the second data sharing information and the digital signature of the second client. Since the second block includes the second smart contract, when the access conditions of the second smart contract are satisfied, the server can output the third storage information and the second permission information, to instruct the data demander to obtain the data to be shared according to the third storage information and to perform access operations on the data to be shared according to the second permission information, thereby improving the security and privacy of the data through permission control.
  • the second client can perform mutual authentication with the server first, and the authentication credential can be a digital certificate or key.
  • the server can also query, according to the identity information of the second client, whether the second client has the authority to publish data sharing. If it has the authority to publish data sharing, the above-mentioned second block can be generated, which prevents illegal or unauthorized users from acting as data providers and improves the security of data sharing.
  • the second data sharing information includes identity information and data profile information of the second client, and after the above step 403, the above method further includes:
  • after the server generates the second block including the above-mentioned second smart contract, it can generate the second address information indicating the above-mentioned second smart contract, and the above-mentioned second address information can be a Uniform Resource Locator (URL) or a Uniform Resource Identifier (URI) address.
  • after receiving the above-mentioned second address information, the data demander can execute the above-mentioned second smart contract through the user's input, such as clicking the link of the access address, so that the third storage information and the second permission information can be output when the data demander satisfies the second access condition of the second smart contract.
  • the second client itself may also be a subscribing client, so as described in the above embodiment, the metadata of the data to be shared can be generated based on the second address information to generate the third encrypted data package.
  • identity information and data profile information of the second client in the above-mentioned second data sharing information can be sent together with the above-mentioned second address information to the subscribed client, and the client can display the identity of the second client Information and data profile information, so that users can know the publisher of the data to be shared and the related attributes and types of the data to be shared, so as to determine whether to access the data to be shared.
  • the above information sending process can be implemented based on the publish-subscribe model, with the server serving as the publisher and the subscribed client serving as the subscriber, which will not be repeated here.
  • the embodiment of the present application also provides a data sharing system, including a server, a first client, and a second client, wherein the server is used to execute the method steps of any one of the above-mentioned data sharing method embodiments applied to the server, the first client is used to execute the method steps of any one of the above-mentioned data sharing method embodiments applied to the first client, and the second client is used to execute the method steps of any one of the above-mentioned data sharing method embodiments applied to the second client.
  • the overall structure of the data sharing method is established through the server, the first client and the second client, providing a complete, systematic and achievable solution for data sharing based on blockchain technology. Using the above data sharing system to achieve data sharing can improve the security of data sharing.
  • the above server can include a user management module, an authentication and authorization module, a data sharing policy formulation and management module, a data sharing access record module, a data sharing information release module, a data sharing information reservation module, a data sharing token management module, a data sharing billing management module, a data sharing payment management module and an access rights management module.
  • the above functional modules can be implemented by different server nodes in the server, and the server can make the capabilities of the above functional modules available for client application software to call through an application programming interface (Application Programming Interface, API).
  • the user management module is used to manage the identity information of various users (such as data provider, data demander, payment center, key storage service provider, data storage service provider), such as user identity ID, digital certificate, roles, etc., and to manage the query, addition, modification, and deletion processes of various user accounts.
  • the authentication and authorization module is used for: mutual authentication with the client (such as data provider, data demander), authentication methods include password, shared key, digital certificate, etc.; view users (such as data provider, data demander) Whether there is permission to publish or access data, and authorize it.
  • the formulation and management module of the data sharing strategy is used to: receive the data access strategy (including data sharing information) and the corresponding digital signature defined by the second client, and form a blockchain transaction; submit the transaction to the underlying blockchain infrastructure module and smart contract management module to form a smart contract for data sharing, and publish it to the nodes of each blockchain network; notify the second client and the data sharing information publishing module that the smart contract for data sharing has been generated; provide management of data sharing policy records for the second client, such as query and modification.
  • the data sharing access recording module is used to: receive a data access request from the first client (including data demander information, information about the data to be accessed, etc.), and check, according to the data sharing policy of the data to be accessed, whether the user meets the conditions for accessing the shared data (such as which industries the data can be used for, which users can use the data, etc.); form a blockchain transaction according to the received identity information of the data user, the information about the data to be accessed and the digital signature; if the system supports billing and payment for data sharing/transactions, also notify the data sharing billing management module that a new billing smart contract has been generated; receive the notification from the data sharing token management module, the notification containing the access token; send the access token, the relevant information (such as address, digital certificate, etc.) of the key storage server and the data storage server, and the authority information to the first client; provide management functions, such as queries.
  • the data sharing information release module is used to: receive a notification from the formulation and management module of the data sharing policy, the notification contains new data sharing information; publish new data sharing information; notify the data sharing information subscription module that there is new data sharing information .
  • the data sharing information subscribing module is used to: receive a notification from the data sharing information publishing module, the notification includes new data sharing information; send the new data sharing information to the subscribing client.
  • the data sharing token management module is used to: receive a notification from the data sharing access record module that an access token needs to be generated; generate an access token for data access; send the generated access token to the data sharing access record module.
  • the data sharing billing management module is used to: receive the notification from the formulation and management module of the data sharing policy that a new billing smart contract is to be generated, the notification containing new billing information; generate a new billing bill, and sign the new billing bill; form the billing bill and signature into a blockchain transaction; submit the transaction to the underlying blockchain infrastructure module to form a payment smart contract, and publish it to the nodes of each blockchain network; notify the data sharing payment management module that a new payment smart contract has been generated.
  • the underlying blockchain infrastructure modules are generated based on existing blockchain platforms such as Hyperledger Fabric or Ethereum Quorum and will not be described here.
  • the data sharing payment management module is used to: receive a notification from the data sharing billing management module that a new payment smart contract has been generated, the notification containing new payment information; generate a new payment bill, make the payment, and sign the new payment bill; form a blockchain transaction with the payment bill and signature; submit the transaction to the underlying blockchain infrastructure module to form a payment transaction record, and publish it to the nodes of each blockchain network; notify all transaction participants that the new payment is completed.
  • the access rights management module is used to: receive notifications from the data sharing policy formulation and management module, and store the access rights and policies related to this shared data; receive notifications from the data sharing access/usage record module, generate access rights, and encrypt the access rights with the public key of the data user to form a rights data package; send the generated rights data package to the data sharing access/use recording module.
  • the first user end may be a data demander, and the application program and/or client software in the first user end may have the following functions: subscribe to published data sharing messages; obtain data sharing information (such as the identity of the data publisher, which industries the data can be used for, which users can use the data, and the category of data, data content introduction, nature, use, price and other attributes) by searching the information release column, by subscribing to published information, or through recommendations from others; determine the data that needs to be accessed according to the published data sharing information;
  • before accessing the shared data, perform mutual authentication with the authentication and authorization module of the server; send its identity information (such as the identity of the data user and the public key of the data user), the data information that needs to be accessed (such as the identity of the data publisher, the data publisher's public key, ciphertext ID, key ID, etc.), and the digital signature over its identity information and the data information to be accessed to the data sharing access record module of the server; receive the notification from the data sharing access record module, the notification including the key storage address, data storage address, access token and permission information, etc.;
  • send the access token to the token verification module of the key storage server to obtain the decryption key; according to the ciphertext storage address, request the data corresponding to the ciphertext ID; decrypt the encrypted data packet with the obtained decryption key to obtain the data to be accessed, and perform the access operation on the data to be accessed according to the authority information; delete the data to be accessed after the access operation, or repackage the data to be accessed; manage the shared data records that it has accessed, such as queries.
  • the second client can be a data provider, and the application program and/or client software in the second client can have the following functions: collect raw data, and perform desensitization without affecting the quality of data sharing (such as anonymizing, or deleting private information such as bank card numbers and Alipay account numbers); generate data encryption keys; use the data encryption keys to package the shared data to obtain encrypted data packets; securely store the encrypted data packets and the encryption keys corresponding to the shared data in a local or remote server; perform mutual authentication with the authentication and authorization module of the server; fill in the data sharing information to be released, such as the identity of the data publisher, according to the requirements of the data sharing policy formulation and management module of the server.
  • the above system may also include a key storage server, and the key storage server includes:
  • Token verification module: receive the access token from the first client, and authenticate the first client; verify the validity of the access token; optionally, when verifying the token, the token verification module of the key storage server may need to communicate with the data sharing token management module; send the verification result to the data key storage management module.
  • Data key storage management module: receive the request from the second client to store the data encryption key; authenticate the identity of the second client; securely store the encryption key; notify the second client that the encryption key is stored; receive a notification from the token verification module, the notification indicating the verification result of the token; return the decryption key to the first user in a secure encrypted manner.
  • the above function modules can also be invoked by client application software in the form of API.
  • the above-mentioned system can also include a data storage server, and the data storage server includes:
  • the data distribution module is configured to: receive a request from the first client; authenticate the first client; and send the encrypted data packet to the first client.
  • the data storage management module is used to: receive a request from the second client to store the encrypted data packet of the shared data; perform identity authentication on the second client; securely store the encrypted data packet of the shared data; notify the second client that the encrypted data packet of the shared data is stored.
  • the above function modules can also be invoked by client application software in the form of API.
  • FIG. 6 is a scene architecture diagram provided by the embodiment of the present application for realizing access control of data to be accessed and data to be shared.
  • the data provider can encapsulate the data to be shared and related data information with a key to obtain an encrypted data package.
  • the data demander can obtain the encrypted data package, permission data package and key data package through the data sharing/exchange platform. After decrypting the encrypted data package with the key data package, it can perform access operations on the data according to the access rights in the permission data package.
  • FIG. 7 shows an interaction process between the second client and the server, that is, the data publishing process, including the following steps:
  • Step 501 the second client collects raw data, and performs desensitization processing (such as anonymizing, deleting sensitive information such as bank card numbers and account numbers) without affecting the quality of data sharing.
  • Step 502 the second client registers with the local or remote server for the data to be shared and the encryption key, specifically including:
  • Step 5021 register the encryption key to be stored in the key storage server, and obtain the encryption key identifier and its storage address.
  • Step 5022 register the encrypted data to be stored in the data storage server, and obtain the identifier and storage address of the encrypted data.
  • Step 503 the second client generates a data encryption key and the key ID, uses the data encryption key to encrypt the data to be shared to form a data ciphertext, and then generates data sharing information for the data to be shared, such as: data publisher identity, data publisher public key, encrypted data packet ID, encrypted data packet storage address, key ID, key storage address, which industries the data can be used for, which access operations can be performed on the data, which users the data is available for, and other attributes of the data (such as category, data content introduction, nature, purpose, price, etc.).
  • Step 504 before issuing the data sharing policy, the second client needs to perform mutual authentication with the authentication and authorization module of the server; whether the second client has permission to publish data sharing;
  • the second client fills in the data sharing information to be released according to the data sharing policy formulation and management module requirements of the server: such as data publisher identity, data publisher public key, cipher text ID, password
  • the second client forms the data sharing policy together with the data sharing information and other information, performs hash (Hash) processing on the data policy, and digitally signs it with its own private key.
  • Step 505 the second client sends the data sharing strategy and the corresponding digital signature to the data sharing strategy formulation and management module of the server, and the transmission of information needs to be encrypted and integrity protected;
  • Step 506 after receiving the data sharing policy and corresponding digital signature from the second client, the data sharing policy formulation and management module first verifies the digital signature, and then prepares to form a transaction in a block according to the data sharing policy and digital signature.
  • Step 507 the data sharing policy formulation and management module and the second client confirm that the second client has stored the data encryption key in the key storage server and stored the encrypted data in the data storage server; if not, the following needs to be done:
  • Step 5071 the second client stores the data encryption key in the key storage server
  • Step 5072 the second client will form an encrypted data packet according to the following steps, and store the encrypted data packet in the data storage server;
  • Step 50721 generate data information (including but not limited to): encrypted data package identifier, data provider identifier, data provider's public key, address for executing data sharing smart contract, etc.;
  • Step 50722 perform Hash calculation on the generated data information and sign the result obtained by the Hash calculation using its private key
  • Step 50723 form metadata together with the data information and the signature on the data information
  • Step 5072 encapsulating metadata and encrypted shared data to form an encrypted data package
  • Step 50725 store the encrypted data package in the data storage server.
  • steps 5071 and 5072 are not sequenced, and only need to be completed before generating a new blockchain transaction.
  • Step 508 the data sharing policy formulation and management module performs hash (Hash) processing on the received one or more transactions, then digitally signs the hash value with the private key of the data sharing policy formulation and management module, and then submits the one or more transactions and digital signatures to the underlying blockchain infrastructure module and smart contract management module to form a new block, which contains one or more shared data smart contracts, and publishes the newly generated block to the nodes of each blockchain network.
  • the transaction is loaded on the chain, it depends on the underlying specific implementation technology (such as Hyperledger Fabric platform, Ethereum Quorum platform), which is not repeated here.
  • Step 509 the formulation and management module of the data sharing strategy notifies the relevant parties that the smart contract for data sharing has been generated:
  • Step 5091 notify the second client that the smart contract for data sharing has been generated, and send the address for executing the smart contract.
  • Step 5092 notify the data sharing information release module that the data sharing smart contract has been generated, and notify the corresponding new data sharing information, and the transmission of the information needs to be encrypted and integrity protected.
  • Step 5093 notify the access rights management module that the smart contract for data sharing is generated (including the address for executing the smart contract), and notify to record the related access rights.
  • Step 5094 the access rights management module receives the notification from the formulation and management module of the data sharing policy, and stores the access rights and policies related to the shared data this time.
  • Step 510 the data sharing information release module receives the notification from the data sharing strategy formulation and management module, and releases new data sharing information, including:
  • Step 5101 the data sharing information publishing module notifies the data sharing information subscription module that the smart contract for data sharing has been generated, and the notification includes the address for executing the smart contract and new data sharing information.
  • Step 5102 the data sharing information subscription module receives the notification from the data sharing information publishing module, and sends the address for executing the smart contract and new data sharing information to the subscribing user.
  • FIG. 8 shows an interaction process between the first client and the server, that is, the data access process, including the following steps:
  • Step 601 the first client obtains the address for executing the data sharing smart contract by searching the information release column, by subscribing to published information, through recommendations from others, or through forwarded metadata of the encrypted data package, and, according to the published data sharing information (such as the identity of the data publisher, which industries the data can be used for, which users can use the data, and the type of data, data content introduction, nature, purpose, price and other attributes), determines the data that needs to be accessed;
  • Step 602 before the first client executes the data sharing smart contract to access the shared data, it needs to perform mutual authentication with the authentication and authorization module of the data sharing/exchange platform.
  • digital certificates are the recommended authentication method. After the authentication is successful, the authentication and authorization module also needs to check whether the data user has permission to access the data shared on the platform;
  • Step 603 after the authentication is successful and authorization is obtained, the first client sends its identity information (such as the identity of the data user and the public key of the data user), the data information to be accessed (such as the identity of the data issuer, the public key of the data issuer, ciphertext identification ID, key identification ID, etc.) and the digital signature over the first client's identity information and the data information to be accessed to the data sharing access recording module of the data sharing/exchange platform.
  • Step 604 the data sharing access record module receives the identity information, the data information to be accessed and the digital signature from the first client, verifies the digital signature, and then executes the data sharing smart contract according to the data access request provided by the first client to check whether the user meets the conditions for accessing the shared data (such as which industries the data can be used for, which users can use the data, etc.); if all policies for data sharing are met, the data sharing access record module forms a transaction in a block according to the received identity information of the data user, the data information to be accessed and the digital signature; the data sharing access record module performs hash (Hash) processing on one or more received transactions, then digitally signs the hash value with the private key of the data sharing access record module, and then submits the one or more transactions and the digital signature to the underlying blockchain infrastructure module to form a new block.
  • Step 6051 After the access record of the shared data is successfully uploaded to the chain, the data sharing access record module notifies the data sharing token management module that an access token needs to be generated.
  • Step 6052 notify the access rights management that an access rights data packet needs to be generated.
  • Step 6061 the data sharing token management module receives the notification from the data sharing access record module, and generates an access token for this data access.
  • Step 6062 the access rights management module receives the notification from the data sharing access/use recording module, generates access rights for this data access, encrypts the access rights with the public key of the data user, and forms a rights data packet.
  • Step 6071 the data sharing token management module sends the generated access token to the data sharing access record module.
  • Step 6072 the access rights management module sends the generated rights data packet to the data sharing access/use recording module.
  • Step 608 the data sharing access record module receives the access token from the data sharing token management module and the permission data packet from the access right management, and then sends the access token, the permission data packet, and the relevant information of the key storage server and the data storage server (such as address, digital certificate, etc.) to the first client; confidentiality protection and integrity protection need to be considered for the access token and the related information of the key storage server and the data storage server during transmission.
  • Step 609 the first client receives a notification from the data sharing access record module, the notification including the permission data packet, the access token, and the relevant information of the key storage server and the data storage server (such as address, digital certificate, etc.); then, according to the address of the key storage, the first client sends the access token to the token verification module of the key storage server to obtain the decryption key; confidentiality protection and integrity protection need to be considered during the transmission of the access token.
  • Step 6091 the token verification module of the key storage server receives the access token from the first client, and verifies the validity of the access token; optionally, when verifying the token, the token verification module of the key storage server may need to communicate with the data sharing token management module, and confidentiality and integrity protection need to be considered for the data in this communication.
  • Step 6092 the token verification module sends the verification result to the data key storage management module.
  • Step 610 the data key storage management module receives the verification result notification of the access token from the token verification module, and then encrypts the decryption key with the public key of the data user to form a key data packet, which is returned to the first client in a secure encrypted manner.
  • Step 611 the first client receives the decryption key from the data key storage management module, and the first client requests the data corresponding to the ID of the encrypted data packet according to the storage address of the encrypted data packet.
  • Step 612 the data distribution module receives the encrypted data packet request from the first client, and verifies the request from the first client, such as performing identity authentication.
  • Step 613 the data distribution module sends the encrypted data packet corresponding to the ID to the first client;
  • Step 614 the first client decrypts the authority data package and the key data package, obtains the decryption key and access authority, and then decrypts the encrypted data package according to the decryption key, and presents the plaintext data to the corresponding application program; after the application program is closed, the decrypted data still exists locally in the form of encrypted data packets.
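The token-gated key release of steps 6061 to 610, as an added Python example that is not code from the application. It assumes opaque random tokens bound to the data user and the key ID, a 300-second lifetime and single use (none of which the application specifies); all class and function names are hypothetical, and the public-key wrapping of the returned key in step 610 is outside its scope.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user_id: str        # data user the token was issued to
    key_id: str         # key ID named in the recorded access request
    expires_at: float   # assumption: tokens are short-lived
    used: bool = False  # assumption: tokens are single-use


def _digest(token: str) -> str:
    # Keep only a hash so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenManager:
    """Stand-in for the data sharing token management module (steps 6061, 6071)."""

    def __init__(self, ttl_seconds: float = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._records = {}

    def issue(self, user_id: str, key_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = TokenRecord(
            user_id, key_id, self._clock() + self._ttl)
        return token

    def introspect(self, token: str, user_id: str, key_id: str):
        """Online check the key storage server may make (step 6091)."""
        record = self._records.get(_digest(token))
        if record is None:
            return False, "unknown token"
        if record.used:
            return False, "token already used"
        if self._clock() >= record.expires_at:
            return False, "token expired"
        if record.user_id != user_id:
            return False, "token issued to a different user"
        if record.key_id != key_id:
            return False, "token issued for a different key"
        record.used = True  # consume only after every check has passed
        return True, "ok"


class KeyStorageServer:
    """Token verification plus data key storage management (steps 6091 to 610)."""

    def __init__(self, token_manager: TokenManager):
        self._tokens = token_manager
        self._keys = {}
        self.audit = []  # (user, key_id, outcome) for later review

    def store_key(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def request_key(self, authenticated_user: str, token: str, key_id: str) -> bytes:
        # authenticated_user comes from the server's own client authentication,
        # never from a field the client merely claims inside the request.
        ok, reason = self._tokens.introspect(token, authenticated_user, key_id)
        self.audit.append((authenticated_user, key_id, reason))
        if not ok:
            raise PermissionError(reason)
        if key_id not in self._keys:
            raise LookupError("no key stored under this key ID")
        return self._keys[key_id]


def run_demo():
    """Constructed scenario: one valid request followed by five misuse cases."""
    now = [1000.0]  # controllable clock so expiry can be shown offline
    manager = TokenManager(ttl_seconds=300, clock=lambda: now[0])
    server = KeyStorageServer(manager)
    server.store_key("key-001", b"\x11" * 32)
    server.store_key("key-002", b"\x22" * 32)
    outcomes = {}

    def attempt(label, user, token, key_id):
        try:
            server.request_key(user, token, key_id)
            outcomes[label] = "released"
        except PermissionError as exc:
            outcomes[label] = str(exc)

    first = manager.issue("user-A", "key-001")
    attempt("valid", "user-A", first, "key-001")
    attempt("replay", "user-A", first, "key-001")
    second = manager.issue("user-A", "key-001")
    attempt("other_user", "user-B", second, "key-001")
    attempt("other_key", "user-A", second, "key-002")
    now[0] += 301
    attempt("expired", "user-A", second, "key-001")
    attempt("forged", "user-A", "not-a-real-token", "key-001")
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:11s} {outcome}")
```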
  • the data provider may obtain certain economic benefits from the data user.
  • the specific process is shown in Figure 8.
  • step 604 also includes:
  • Step 6041 the data sharing access record module checks whether the user meets the conditions for accessing shared data (such as which industries the data can be used for, which users can use the data, etc.) according to the data sharing strategy (such as price, payment method, etc.); if all policies of data sharing are satisfied, the data sharing access record module forms a blockchain transaction according to the received data user's identity information, data information to be accessed and digital signature, and submits it to the underlying blockchain infrastructure module and the smart contract management module to form a record of access to shared data, as well as the corresponding billing smart contract, and publishes it to the nodes of each blockchain network.
  • Step 6042 the data sharing access record module notifies the data sharing billing management module that a new billing smart contract (including billing information) is generated; the data sharing billing management module generates payment bills immediately or periodically according to the billing smart contract, and digitally signs the payment bills to form a transaction in the block; the data sharing billing management module digitally signs one or more payment bill transactions, and then, through the underlying blockchain infrastructure module and the smart contract management module, the one or more transactions and digital signatures form a new block, which contains one or more payment smart contracts, and the newly formed block is published to the nodes of each blockchain network;
  • Step 6043 the data sharing billing management module notifies the data sharing payment management module that a new payment smart contract (including payment information) is generated; the data sharing payment management module pays the payment bill immediately or periodically according to the payment smart contract; after the payment is completed, the data sharing payment management module signs the payment information to form a payment transaction in a block; the data sharing payment management module digitally signs one or more payment transactions, and then forms a new block through the underlying blockchain infrastructure module, which contains one or more payment records, and publishes the newly formed block to the nodes of each blockchain network.
  • the data sharing payment management module notifies the data sharing access record module that after the payment is completed, the next operation can be performed.
  • the data sharing system provided by the embodiment of the present application is designed based on the existing open source block chain platform (such as Hyperledger Fabric, Ethereum Quorum) by reusing the existing technology, which can improve the system development efficiency, reliability and stability, and at the same time
  • the above-mentioned data sharing system is based on the security protection of data transmission, security protection of data storage, and access control of data use.
  • Individual users or enterprise users can act as data providers and share their own data safely according to their own requirements and policies.
  • individual users or enterprise users can automatically obtain certain rewards or benefits in quasi-real time, which improves the security of data sharing and improves the user experience.
  • the data demander needs to perform access operations on the data according to the access rights, avoiding the illegal dissemination of the data, and improving the security and privacy of the data.
  • the execution subject may be a data sharing device, or a control module in the data sharing device for executing the data sharing method.
  • the data sharing device provided in the embodiment of the present application is described by taking the data sharing device executing the data sharing method as an example.
  • the embodiment of the present application provides a data sharing device 900
  • the data sharing device 900 may be a first client
  • the data sharing device 900 includes:
  • the first sending module 901 is configured to send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • the first receiving module 902 is configured to receive the first storage information and the first authority information sent by the server based on the first smart contract, wherein the first smart contract belongs to the first block in the block chain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
  • the first obtaining module 903 is configured to obtain the first encrypted data package from the storage server according to the first storage information
  • a decryption module 904 configured to decrypt the first encrypted data packet to obtain the data to be accessed, wherein the first encrypted data packet is generated based on the data to be accessed and the metadata of the data to be accessed;
  • the access module 905 is configured to perform an access operation on the data to be accessed according to the first permission information.
  • the first client can send a data access request to the server through the first sending module 901, receive through the first receiving module 902 the first storage information and the first permission information sent by the server based on the first smart contract, use the first storage information to obtain the first encrypted data packet from the storage server through the first acquisition module 903, decrypt it through the decryption module 904 to obtain the data to be accessed, and perform the access operation on the data to be accessed through the access module 905 according to the first permission information. Since the first permission information indicates the access operations that the first client can perform on the data to be accessed, it is possible to avoid the first client illegally sending the data to be accessed to other users, which reduces the risk of data leakage and improves data privacy and security.
  • the first acquiring module 903 includes:
  • a first obtaining unit configured to obtain second key information when the first key information passes the verification of the storage server
  • a second obtaining unit configured to obtain the first encrypted data packet from the storage server according to the first address information
  • Decryption module 904 including:
  • a decryption unit configured to use the second key information to decrypt the first encrypted data packet to obtain the data to be accessed.
  • the device also includes any of the following:
  • a deletion module configured to delete the data to be accessed and the first encrypted data packet after the access operation is terminated
  • a repackaging module configured to, after the access operation is terminated, encapsulate the data to be accessed based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet to obtain a second encrypted data packet, and to store the second encrypted data packet.
  • the embodiment of the present application also provides a data sharing device 1000, which may be a second client, and the device includes:
  • the second acquiring module 1001 is configured to acquire second storage information of the data to be shared, where the second storage information indicates that the data to be shared corresponds to information stored in the storage server;
  • the second sending module 1002 is configured to send a data sharing request to the server, the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
  • a first generation module 1003, configured to generate a third encrypted data package based on the metadata of the data to be shared and the data to be shared;
  • the first storage module 1004 is configured to store the third encrypted data package and key information corresponding to the third encrypted data package in the storage server according to the second stored information.
  • the first generating module 1003 includes:
  • a first generating unit configured to generate first data information corresponding to the data to be shared, where the first data information includes at least one of the following: indicating the first identification of the second client, indicating the third encryption the second identification of the data packet, and the second address information indicating the second smart contract;
  • the second address information is sent by the server, the second smart contract belongs to the second block in the block chain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information; the third storage information is used to obtain the data to be shared from the storage server, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
  • a second generating unit configured to generate metadata of the data to be shared according to the first data information and the digital signature of the second client on the first data information
  • An encapsulating unit configured to encapsulate the metadata of the data to be shared and the data to be shared to obtain the third encrypted data package.
  • the embodiment of the present application also provides a data sharing device, which is applied to the server, and the device includes:
  • the second receiving module 1101 is configured to receive a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • the third sending module 1102 is configured to send first storage information and first permission information to the first client according to a first smart contract when the first client meets the access conditions of the first smart contract;
  • the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
  • the third receiving module 1203 is configured to receive a data sharing request sent by a second client, the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe data to be shared;
  • the second generation module 1204 is configured to generate second permission information according to the second data sharing information, and the second permission information is used to indicate access operations that can be performed on the data to be shared;
  • a third generating module 1205, configured to generate a second block according to the second data sharing information and the digital signature of the second client;
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are satisfied.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • the second generation module 1204 includes:
  • a third generating unit configured to generate an access authority list according to the second data sharing information, where the access authority list includes the second authority information
  • a third obtaining unit configured to obtain the second permission information from the access permission list when receiving a permission request associated with the second permission information.
  • the data sharing device 1100, the data sharing device 1200 and the data sharing device 1300 can all be the above data sharing devices applied to the server.
  • the data sharing device in the embodiment of the present application may be a device, or a component, an integrated circuit, or a chip in a terminal.
  • the device may be a mobile electronic device or a non-mobile electronic device.
  • the mobile electronic device can be a mobile phone, a tablet computer, a notebook computer, a handheld computer, a vehicle electronic device, a wearable device, an ultra-mobile personal computer (Ultra-Mobile Personal Computer, UMPC), a netbook or a personal digital assistant (Personal Digital Assistant).
  • the non-mobile electronic device can be a server, network attached storage (Network Attached Storage, NAS), a personal computer (Personal Computer, PC), a television (TeleVision, TV), a teller machine or a self-service machine, etc.; the embodiments of this application do not specifically limit this.
  • the data sharing device in the embodiment of the present application may be a device with an operating system.
  • the operating system may be an Android operating system, an iOS operating system, or other possible operating systems, which are not specifically limited in the embodiments of the present application.
  • the data sharing device provided by the embodiment of the present application can realize the various processes realized by the method embodiments in FIG. 1 to FIG. 8, and details are not repeated here to avoid repetition.
  • the embodiment of the present application further provides an electronic device 1400, including a processor 1401, a memory 1402, and programs or instructions stored in the memory 1402 and operable on the processor 1401; when the program or instruction is executed by the processor 1401, each process of the above-mentioned data sharing method embodiment is realized, and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
  • the electronic devices in the embodiments of the present application include the above-mentioned mobile electronic devices and non-mobile electronic devices.
  • FIG. 15 is a schematic diagram of a hardware structure of an electronic device implementing an embodiment of the present application.
  • the electronic device 1500 can be a first client, a second client and a server, and the electronic device 1500 includes but is not limited to: a radio frequency unit 1501, a network module 1502, an audio output unit 1503, an input unit 1504, a sensor 1505, a display unit 1506, a user input unit 1507, an interface unit 1508, a memory 1509, a processor 1510 and other components.
  • the electronic device 1500 can also include a power supply (such as a battery) for supplying power to the various components, and the power supply can be logically connected to the processor 1510 through a power management system, so that functions such as charging management, discharging management and power consumption management are realized through the power management system.
  • the structure of the electronic device shown in FIG. 15 does not constitute a limitation to the electronic device.
  • the electronic device may include more or fewer components than shown in the figure, or combine certain components, or arrange the components differently, and details will not be repeated here.
  • the radio frequency unit 1501 is used to send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • a processor 1510 configured to acquire a first encrypted data packet from a storage server according to the first storage information
  • the processor 1510 is further configured to obtain second key information when the first key information is verified by the storage server;
  • the processor 1510 is further configured to obtain the first encrypted data packet from the storage server according to the first address information
  • the processor 1510 is further configured to use the second key information to decrypt the first encrypted data packet to obtain the data to be accessed.
  • the processor 1510 is further configured to delete the data to be accessed and the first encrypted data package after the access operation is terminated;
  • the processor 1510 is further configured to, after the access operation is terminated, encapsulate the data to be accessed, based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet, to obtain a second encrypted data packet, and to store the second encrypted data packet.
  • the processor 1510 is configured to acquire second storage information of the data to be shared, where the second storage information indicates the storage information corresponding to the data to be shared in the storage server;
  • the radio frequency unit 1501 is configured to send a data sharing request to the server, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
  • the processor 1510 is further configured to generate a third encrypted data package based on the metadata of the data to be shared and the data to be shared;
  • the processor 1510 is further configured to store the third encrypted data package and key information corresponding to the third encrypted data package in the storage server according to the second storage information.
  • the processor 1510 is further configured to generate first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data package, and second address information indicating the second smart contract;
  • the second address information is sent by the server, the second smart contract belongs to the second block in the blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information, where the third storage information is used to obtain the data to be shared from the storage server, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
  • the processor 1510 is further configured to generate metadata of the data to be shared according to the first data information and the digital signature of the second client on the first data information;
  • the processor 1510 is further configured to encapsulate the metadata of the data to be shared and the data to be shared to obtain the third encrypted data package.
  • the processor 1510 is configured to receive a data access request sent by the first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
  • the radio frequency unit 1501 is configured to send the first storage information and the first permission information to the first client according to the first smart contract when the first client meets the access conditions of the first smart contract;
  • the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
  • the radio frequency unit 1501 is configured to receive a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared data;
  • the processor 1510 is configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate access operations that can be performed on the data to be shared;
  • the processor 1510 is further configured to generate a second block according to the second data sharing information and the digital signature of the second client;
  • the second block includes a second smart contract
  • the second smart contract is used to indicate that the third storage information and the second permission information are output when the access conditions of the second smart contract are met.
  • the third storage information is used to acquire the data to be shared from a storage server.
  • the processor 1510 is further configured to generate an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
  • the processor 1510 is further configured to acquire the second permission information from the access permission list when receiving the permission request associated with the second permission information.
  • because the electronic device 1500 adopts all the technical solutions of the above-mentioned embodiments, it has at least all the beneficial effects brought by the technical solutions of those embodiments, which will not be repeated here.
  • the input unit 1504 may include a graphics processor (Graphics Processing Unit, GPU) 15041 and a microphone 15042, and the graphics processor 15041 processes the image data of still pictures or video obtained by an image capture device (such as a camera).
  • the display unit 1506 may include a display panel 15061, and the display panel 15061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like.
  • the user input unit 1507 includes a touch panel 15071 and other input devices 15072. The touch panel 15071 is also called a touch screen.
  • the touch panel 15071 may include two parts, a touch detection device and a touch controller.
  • Other input devices 15072 may include, but are not limited to, physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, and joysticks, which will not be repeated here.
  • the memory 1509 can be used to store software programs as well as various data, including but not limited to application programs and operating systems.
  • the processor 1510 may integrate an application processor and a modem processor, wherein the application processor mainly processes operating systems, user interfaces, and application programs, and the modem processor mainly processes wireless communications. It can be understood that the foregoing modem processor may not be integrated into the processor 1510.
  • the embodiment of the present application also provides a readable storage medium, the readable storage medium stores a program or an instruction, and when the program or instruction is executed by a processor, each process of the above-mentioned data sharing method embodiment is realized, and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
  • the processor is the processor in the electronic device described in the above embodiments.
  • the readable storage medium includes computer readable storage medium, such as computer read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk, etc.
  • the embodiment of the present application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the above data sharing method embodiment.
  • the chip mentioned in the embodiments of the present application may also be called a system-on-chip or a system-on-a-chip.
  • the present application also provides a computer program product, the computer program product is stored in a non-volatile storage medium, and the computer program product is executed by at least one processor to implement the various processes of the foregoing data sharing method embodiments, and the same technical effect can be achieved, so in order to avoid repetition, details will not be repeated here.
  • the present application also provides a communication device, which is configured to execute the various processes of the above data sharing method embodiment, and can achieve the same technical effect. To avoid repetition, details are not repeated here.
  • the terms “comprising”, “including” or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus comprising a set of elements includes not only those elements but also other elements not expressly listed, or elements inherent in the process, method, article, or apparatus. Without further limitation, an element defined by the phrase “comprising a ...” does not preclude the presence of additional identical elements in the process, method, article, or apparatus comprising that element.
  • the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed, and may also include performing functions in a substantially simultaneous manner or in reverse order according to the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may also be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

Abstract

The present application belongs to the field of blockchains, and discloses a data sharing method and an electronic device. The method comprises: sending a data access request to a server, the data access request carrying first data sharing information, and the first data sharing information being associated with data to be accessed; receiving first storage information and first permission information sent by the server on the basis of a first smart contract, wherein the first smart contract belongs to a first block in a blockchain, and the first permission information is used to indicate an access operation that a first client may perform on the data; according to the first storage information, obtaining a first encrypted data packet from a storage server; decrypting the first encrypted data packet to obtain the data, wherein the first encrypted data packet is generated on the basis of the data and metadata of the data; and performing the access operation on the data according to the first permission information.

Description

Data sharing method and electronic device
Cross-Reference to Related Applications
This application claims priority to Chinese Patent Application No. 202111031567.1, filed in China on September 3, 2021, the entire contents of which are hereby incorporated by reference.
Technical Field
This application belongs to the field of blockchain, and specifically relates to a data sharing method and an electronic device.
Background
Big data has been called the "new oil" of the future. At present, whoever holds more data resources will have more markets and users in the big-data era. However, while enjoying the convenience and benefits that data brings, people also bear the risk of having personal information leaked and personal life disturbed. Advanced technologies and solutions are therefore needed to achieve secure sharing of data resources.
In current approaches to sharing data resources, the data user, after obtaining access rights, typically retrieves the plaintext data to be shared from the storage server through the data sharing platform. Once the data user has the plaintext data, it may illegally forward that plaintext to other users, so the security and privacy of the shared data cannot be effectively guaranteed.
Summary of the Invention
The purpose of the embodiments of the present application is to provide a data sharing method and an electronic device that can solve the problem that the security and privacy of shared data cannot be effectively guaranteed.
In a first aspect, an embodiment of the present application provides a data sharing method, applied to a first client, the method including:
sending a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
receiving first storage information and first permission information sent by the server based on a first smart contract, where the first smart contract belongs to a first block in the blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
acquiring a first encrypted data packet from a storage server according to the first storage information;
decrypting the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed;
performing an access operation on the data to be accessed according to the first permission information.
In a second aspect, an embodiment of the present application provides a data sharing method, applied to a second client, the method including:
acquiring second storage information of the data to be shared, where the second storage information indicates the storage information corresponding to the data to be shared in the storage server;
sending a data sharing request to the server, where the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
generating a third encrypted data package based on the metadata of the data to be shared and the data to be shared;
storing, according to the second storage information, the third encrypted data package and key information corresponding to the third encrypted data package in the storage server.
In a third aspect, an embodiment of the present application provides a data sharing method, applied to a server, the method including:
receiving a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
when the first client meets the access conditions of a first smart contract, sending first storage information and first permission information to the first client according to the first smart contract;
where the first smart contract belongs to a first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed;
and/or,
receiving a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
generating second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
generating a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, the second smart contract is used to indicate that third storage information and the second permission information are output when the access conditions of the second smart contract are met, and the third storage information is used to acquire the data to be shared from a storage server.
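The server-side flow of the third aspect can be sketched as follows. This is an added example, not code from the application: the field names (`owner`, `grants`, `storage_info`), the use of a block index as the contract address, and HMAC-SHA256 standing in for the second client's digital signature are all assumptions, and the encrypted data package itself is not modelled.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the first block (assumption)


def _canon(obj) -> bytes:
    """Canonical JSON bytes so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> str:
    """Stand-in for the second client's digital signature (HMAC, an assumption)."""
    return hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()


class SharingServer:
    def __init__(self, client_keys: dict):
        self.client_keys = client_keys  # client id -> verification key
        self.chain = []                 # hash-linked blocks, one per sharing request
        self.acl = {}                   # access permission list: data id -> client -> ops

    def handle_share_request(self, sharing_info: dict, signature: str) -> int:
        """Verify the signature, derive permission info, append a block with a contract."""
        key = self.client_keys.get(sharing_info["owner"])
        if key is None or not hmac.compare_digest(sign(key, sharing_info), signature):
            raise PermissionError("data sharing request signature did not verify")
        grants = sharing_info["grants"]
        self.acl[sharing_info["data_id"]] = {c: frozenset(ops) for c, ops in grants.items()}
        contract = {
            "data_id": sharing_info["data_id"],
            "allowed_clients": sorted(grants),             # the access condition
            "storage_info": sharing_info["storage_info"],  # released only if it holds
        }
        body = {
            "index": len(self.chain),
            "prev_hash": self.chain[-1]["hash"] if self.chain else GENESIS,
            "sharing_info": sharing_info,
            "signature": signature,
            "contract": contract,
        }
        self.chain.append({**body, "hash": hashlib.sha256(_canon(body)).hexdigest()})
        return body["index"]  # used here as the contract address

    def verify_chain(self) -> bool:
        """Recompute every block hash and link; any edit to a contract breaks it."""
        prev = GENESIS
        for block in self.chain:
            body = {k: v for k, v in block.items() if k != "hash"}
            if body["prev_hash"] != prev or hashlib.sha256(_canon(body)).hexdigest() != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def handle_access_request(self, client_id: str, data_id: str, contract_address: int):
        """Return (storage info, permission info) only if the contract conditions hold."""
        if not self.verify_chain() or not 0 <= contract_address < len(self.chain):
            return None
        contract = self.chain[contract_address]["contract"]
        if contract["data_id"] != data_id or client_id not in contract["allowed_clients"]:
            return None
        return contract["storage_info"], self.acl[data_id][client_id]


def client_access(server, client_id, data_id, contract_address, operation) -> str:
    """First-client side: act only within the permission information received."""
    released = server.handle_access_request(client_id, data_id, contract_address)
    if released is None:
        return "denied: contract conditions not met"
    storage_info, permitted_ops = released
    if operation not in permitted_ops:
        return f"denied: '{operation}' not in permission information"
    return f"{operation} allowed on package at {storage_info}"


def demo():
    """Constructed sample: one owner shares one package with two clients."""
    owner_key = b"constructed-owner-key"
    server = SharingServer({"owner-1": owner_key})
    info = {
        "owner": "owner-1",
        "data_id": "pkg-42",
        "storage_info": "store://bucket/pkg-42",
        "grants": {"alice": ["read"], "bob": ["read", "edit"]},
    }
    addr = server.handle_share_request(info, sign(owner_key, info))
    results = [
        client_access(server, "alice", "pkg-42", addr, "read"),
        client_access(server, "alice", "pkg-42", addr, "edit"),
        client_access(server, "mallory", "pkg-42", addr, "read"),
    ]
    return server, addr, results
```

Because the storage information is released only through the contract check and the chain is re-verified on every request, editing a stored contract to add a client invalidates the block hash and the request is refused.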
In a fourth aspect, an embodiment of the present application provides a data sharing device, applied to a first client, the device including:
a first sending module, configured to send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
a first receiving module, configured to receive first storage information and first permission information sent by the server based on a first smart contract, where the first smart contract belongs to a first block in the blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
a first obtaining module, configured to obtain a first encrypted data packet from a storage server according to the first storage information;
a decryption module, configured to decrypt the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed;
an access module, configured to perform an access operation on the data to be accessed according to the first permission information.
In a fifth aspect, an embodiment of the present application provides a data sharing device, applied to a second client, the device including:
receiving a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
when the first client meets the access conditions of a first smart contract, sending first storage information and first permission information to the first client according to the first smart contract;
where the first smart contract belongs to a first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed;
and/or,
receiving a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
generating second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
generating a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, the second smart contract is used to indicate that third storage information and the second permission information are output when the access conditions of the second smart contract are met, and the third storage information is used to acquire the data to be shared from a storage server.
In a sixth aspect, an embodiment of the present application provides a data sharing device, applied to a server, the device including:
a second receiving module, configured to receive a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
a third sending module, configured to send first storage information and first permission information to the first client according to a first smart contract when the first client meets the access conditions of the first smart contract;
where the first smart contract belongs to a first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
and/or,
a third receiving module, configured to receive a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
a second generating module, configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
a third generating module, configured to generate a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, the second smart contract is used to indicate that third storage information and the second permission information are output when the access conditions of the second smart contract are met, and the third storage information is used to acquire the data to be shared from a storage server.
In a seventh aspect, an embodiment of the present application provides an electronic device. The electronic device includes a processor, a memory, and a program or instructions stored in the memory and executable on the processor. When executed by the processor, the program or instructions implement the steps of the method described in the first aspect, the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
In an eighth aspect, an embodiment of the present application provides a readable storage medium storing a program or instructions. When executed by a processor, the program or instructions implement the steps of the method described in the first aspect, the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
In a ninth aspect, an embodiment of the present application provides a chip. The chip includes a processor and a communication interface coupled to the processor, and the processor is configured to run a program or instructions to implement the method described in the first aspect, the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
In a tenth aspect, an embodiment of the present application provides a computer program/program product stored in a non-volatile storage medium. The computer program/program product is executed by at least one processor to implement the steps of the method described in the first aspect, the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
In an eleventh aspect, an embodiment of the present application provides a communication device configured to perform the steps of the method described in the first aspect, the steps of the method described in the second aspect, or the steps of the method described in the third aspect.
In the embodiments of the present application, the first client may send a data access request to the server and receive the first storage information and the first permission information that the server sends based on the first smart contract. Using the first storage information, the first client obtains the first encrypted data package from the storage server, decrypts it to obtain the data to be accessed, and performs access operations on the data to be accessed according to the first permission information. Because the first permission information indicates the access operations that the first client may perform on the data to be accessed, controlling the first client's access rights to that data prevents the first client from illegally sending the data to other users, which reduces the risk of data leakage and improves the privacy and security of the data.
Description of the drawings
FIG. 1 is the first flowchart of the steps of the data sharing method provided by an embodiment of the present application;
FIG. 2 is the second flowchart of the steps of the data sharing method provided by an embodiment of the present application;
FIG. 3 is the third flowchart of the steps of the data sharing method provided by an embodiment of the present application;
FIG. 4 is the fourth flowchart of the steps of the data sharing method provided by an embodiment of the present application;
FIG. 5 is the first scenario architecture diagram provided by an embodiment of the present application;
FIG. 6 is the second scenario architecture diagram provided by an embodiment of the present application;
FIG. 7 is the first schematic diagram of the interaction flow provided by an embodiment of the present application;
FIG. 8 is the second schematic diagram of the interaction flow provided by an embodiment of the present application;
FIG. 9 is the first schematic structural diagram of the data sharing apparatus provided by an embodiment of the present application;
FIG. 10 is the second schematic structural diagram of the data sharing apparatus provided by an embodiment of the present application;
FIG. 11 is the third schematic structural diagram of the data sharing apparatus provided by an embodiment of the present application;
FIG. 12 is the fourth schematic structural diagram of the data sharing apparatus provided by an embodiment of the present application;
FIG. 13 is the fifth schematic structural diagram of the data sharing apparatus provided by an embodiment of the present application;
FIG. 14 is the first schematic structural diagram of the electronic device provided by an embodiment of the present application;
FIG. 15 is the second schematic structural diagram of the electronic device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments in the present application fall within the protection scope of the present application.
The terms "first", "second" and the like in the specification and claims of the present application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that the data so used are interchangeable under appropriate circumstances, so that the embodiments of the present application can be implemented in orders other than those illustrated or described here. Objects distinguished by "first", "second" and the like are usually of one type, and the number of objects is not limited; for example, there may be one first object or several. In addition, "and/or" in the specification and claims means at least one of the connected objects, and the character "/" generally means that the objects before and after it are in an "or" relationship.
The data sharing method provided by the embodiments of the present application is described in detail below through specific embodiments and their application scenarios, with reference to the drawings.
Referring to FIG. 1, FIG. 1 is a flowchart of the steps of the data sharing method provided by an embodiment of the present application. The method may be applied to the first client and includes:
Step 101. Send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed.
Step 102. Receive the first storage information and the first permission information sent by the server based on the first smart contract, where the first smart contract belongs to the first block in the blockchain, and the first permission information indicates the access operations that the first client may perform on the data to be accessed.
Step 103. Obtain the first encrypted data package from the storage server according to the first storage information.
Step 104. Decrypt the first encrypted data package to obtain the data to be accessed, where the first encrypted data package is generated based on the data to be accessed and the metadata of the data to be accessed.
Step 105. Perform an access operation on the data to be accessed according to the first permission information.
In step 101 above, the first client can be understood as the data demander. It may be a mobile electronic device or a non-mobile electronic device. For example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle-mounted electronic device, a wearable device and so on, which are not listed one by one here.
The server can be understood as a platform for sharing data. The server may be connected to the blockchain network, record information about the shared data in the blocks of the blockchain, and display that information to the data demander so that the data demander can obtain the data it needs. It can be understood that the server may consist of one or more servers, which correspond to different functional modules of the server.
The first client may be communicatively connected to the server so that it can send a data access request to the server. The data access request may be based on user input, for example clicking, on the first client, a button or link for obtaining the data to be accessed. The data access request may also be triggered automatically according to preset conditions, which is not limited here.
It can be understood that the data access request may carry the identity information of the first client and the first data sharing information. The identity information of the first client may include an identity (Identity Document, ID) of the first client, so that the server can determine which client sent the data access request. The identity information may also include industry information, company information and personal information of the first client, representing the industry and company that the first client stands for and information about the user of the first client. The identity information may be filled in by the user of the first client, for example when registering an account, so that the server can determine whether the first client has permission to access the data to be accessed.
The first data sharing information is used to describe the data to be accessed and may be determined by the data to be accessed. It can be understood that the server may store information describing the data to be accessed and may display part of it to the first client. After the user has decided on the data to be accessed, the first data sharing information may be determined through input on the first client, for example clicking the interactive button or link corresponding to the data to be accessed.
The first data sharing information may also be filled in manually by the user, for example by entering the ID or name corresponding to the data to be accessed, publisher information and so on, to determine the data to be accessed that needs to be obtained.
In step 102 above, the first storage information and the first permission information are sent by the server based on the first smart contract. It should be understood that the server is connected to the blockchain network, so it can obtain the first smart contract from the first block in the blockchain. When the first client meets the first access condition of the first smart contract, the server can send the first storage information and the first permission information to the first client as the first smart contract directs.
The first storage information is used to obtain the data to be accessed from the storage server. Specifically, the first storage information may include verification information used for permission verification with the storage server. To avoid data leakage, the data to be accessed is usually stored encrypted, so the first storage information may also include information such as a decryption key and a storage address, used to obtain the decryption key and the encrypted data.
The storage server may be the server responsible for the storage function within the server described above, or it may be an external storage server. The data to be shared may be stored on the storage server after encryption, which is not limited here.
Further, if the first client obtains the plaintext data, that is, the data to be accessed, by decrypting the ciphertext data, the first client could share the data to be accessed with illegal users or users not entitled to access it, which undoubtedly reduces the privacy of the data. Therefore, while sending the first storage information, the server may also send the first permission information to the first client. The first permission information indicates the access operations that the first client may perform on the data to be accessed, so controlling the permitted access operations improves the privacy of the data to be accessed and avoids data leakage.
It should be understood that the access operations may include read operations, edit operations, copy operations and so on. The first permission information may be provided by the data provider; for example, the data provider may specify that the data to be accessed is read-only. The data provider may also give the server a permission list containing several permitted access operations, and the first client then determines, according to the access operation it needs to perform, the first permission information and receives it from the server.
Optionally, both the first storage information and the first permission information may be transmitted in the form of encrypted data packages to improve security during transmission.
Correspondingly, in step 103 above, the user can obtain the first encrypted data package from the storage server according to the first storage information. The first encrypted data package is generated by packaging the data to be accessed together with the metadata of the data to be accessed. The metadata of the data to be accessed may be data information describing the data to be accessed, so the data to be accessed, and the first encrypted data package corresponding to it, can be determined from the metadata.
For example, the metadata of the data to be accessed may be generated by the data provider through the following process:
Generate data information, which includes but is not limited to the encrypted data package identifier, the data provider identifier, the data provider's public key, the address for executing the data sharing smart contract, and so on;
Perform a hash calculation on the generated data information and sign the result of the hash calculation with the private key;
Combine the data information and the signature over the data information to form the metadata of the data to be accessed.
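The metadata process above, written out as an added example (not code from the patent), together with the consumer-side check: the embedded public key is compared against a provider key obtained separately before the signature is trusted. Ed25519, SHA-256, the JSON encoding and every type, field and function name are assumptions of this example, since the page names no algorithm or format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrKeyMismatch  = errors.New("embedded public key is not the pinned provider key")
	ErrWrongPackage = errors.New("metadata describes a different package")
	ErrBadSignature = errors.New("signature does not match the data information")
)

// DataInfo carries the fields the page lists for the data information.
// Field names and the JSON encoding are assumptions of this example.
type DataInfo struct {
	PackageID       string `json:"package_id"`
	ProviderID      string `json:"provider_id"`
	ProviderPubKey  []byte `json:"provider_pub_key"`
	ContractAddress string `json:"contract_address"`
}

// Metadata is the data information plus the provider's signature over its hash.
type Metadata struct {
	Info      DataInfo `json:"info"`
	Signature []byte   `json:"signature"`
}

// digest hashes the JSON encoding of info; encoding/json writes struct fields
// in declaration order, so signer and verifier hash identical bytes.
func digest(info DataInfo) ([]byte, error) {
	raw, err := json.Marshal(info)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// BuildMetadata follows the three steps: build the data information, hash it
// and sign the hash with the private key, then join information and signature.
func BuildMetadata(priv ed25519.PrivateKey, pkgID, providerID, contract string) (Metadata, error) {
	if len(priv) != ed25519.PrivateKeySize {
		return Metadata{}, errors.New("bad private key length")
	}
	pub := priv.Public().(ed25519.PublicKey)
	info := DataInfo{pkgID, providerID, pub, contract}
	d, err := digest(info)
	if err != nil {
		return Metadata{}, err
	}
	return Metadata{Info: info, Signature: ed25519.Sign(priv, d)}, nil
}

// VerifyMetadata checks metadata against a provider key obtained out of band
// (for instance from the data sharing information recorded in the block).
// The key embedded in the metadata is untrusted input until this passes.
func VerifyMetadata(md Metadata, pinned ed25519.PublicKey, wantPkgID string) error {
	if len(pinned) != ed25519.PublicKeySize || !bytes.Equal(md.Info.ProviderPubKey, pinned) {
		return ErrKeyMismatch
	}
	if md.Info.PackageID != wantPkgID {
		return ErrWrongPackage
	}
	d, err := digest(md.Info)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, d, md.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoKey derives a constructed key pair from a one-byte seed (demo only).
func DemoKey(seed byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	provider, pinned := DemoKey(1)
	md, _ := BuildMetadata(provider, "pkg-001", "provider-A", "contract-address-placeholder")
	fmt.Println("genuine:", VerifyMetadata(md, pinned, "pkg-001"))
	md.Info.ContractAddress = "redirected"
	fmt.Println("tampered:", VerifyMetadata(md, pinned, "pkg-001"))
}
```

Metadata that is validly signed by some other key fails with `ErrKeyMismatch`, which is the case a verifier misses if it trusts the public key carried inside the metadata itself.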
It can be understood that the first encrypted data package is a file produced by packaging, so it can be packaged and unpacked repeatedly. After unpacking the first encrypted data package and completing the access operation on the data to be accessed, the first client may store the data to be accessed locally again in the form of an encrypted data package. This avoids the data leakage that would result if the first client sent the data to be accessed directly to other illegal or unauthorized users for them to access.
In steps 104 and 105 above, the first client can obtain the first encrypted data package through the first storage information and can decrypt it with the key information in the first storage information to obtain the data to be accessed. The first client can then perform access operations on the data to be accessed according to the first permission information.
It should be noted that there is no timing relationship between steps 104 and 105; they may be executed at the same time or at different times. For example, while the first client is obtaining the data to be accessed, it may read the first permission information at the same time and process the data to be accessed so as to disable every access operation other than those indicated by the first permission information, obtaining the processed data to be accessed.
In the embodiments of the present application, the first client may send a data access request to the server and receive the first storage information and the first permission information that the server sends based on the first smart contract. Using the first storage information, the first client obtains the first encrypted data package from the storage server, decrypts it to obtain the data to be accessed, and performs access operations on the data to be accessed according to the first permission information. Because the first permission information indicates the access operations that the first client may perform on the data to be accessed, controlling the first client's access rights to that data prevents the first client from illegally sending the data to other users, which reduces the risk of data leakage and improves the privacy and security of the data.
Optionally, the first storage information includes first key information and first address information, and step 103 above includes:
Obtaining second key information when the first key information passes verification by the storage server;
Obtaining the first encrypted data package from the storage server according to the first address information;
Step 104 above includes:
Decrypting the first encrypted data package with the second key information to obtain the data to be accessed.
In the embodiments of the present application, the storage server may include a key storage server and a data storage server. The data to be accessed may be encrypted to obtain an encrypted data package that is stored on the data storage server, and the first key information used for decryption may be stored on the key storage server.
The first storage information may include first key information used to obtain access to the key server and first address information indicating the storage address of the first encrypted data package. The first key information may include a key and the storage address of the second key information; the first client may access the storage server with the key and obtain the second key information through the storage address of the second key information.
The first user may also obtain the first encrypted data package from the storage server according to the first address information, and can then decrypt the first encrypted data package with the second key information to obtain the data to be accessed.
In the embodiments of the present application, the second key information and the first encrypted data package are stored independently, so the first client has to obtain each of them from the storage server separately before it can obtain the data to be accessed, which further improves the security of the data.
Optionally, after step 105 above, the method further includes any one of the following:
After the access operation terminates, deleting the data to be accessed and the first encrypted data package;
After the access operation terminates, packaging the data to be accessed, based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data package, to obtain a second encrypted data package, and storing the second encrypted data package.
In the embodiments of the present application, to prevent the user from performing other operations on the data to be accessed locally on the first client once the access operation is complete, the first client may delete the data to be accessed and the first encrypted data package after the access operation terminates. Alternatively, after the access operation terminates, the first client may repackage the data to be accessed together with the metadata of the data to be accessed from the first encrypted data package, obtaining a second encrypted data package that it stores locally. This prevents the first client from illegally sharing the data to be accessed with other users after decrypting it, and improves the security and privacy of the data.
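Steps 104 and 105 and the two post-access options, as an added example rather than code from the patent: the package is decrypted, every operation is gated by the permission information, and ending access either discards the plaintext or reseals it into a second package under the original metadata. AES-GCM, the package layout and all names are assumptions; the page does not specify a cipher or format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrOp is returned for any operation the permission information does not grant.
var ErrOp = errors.New("operation not granted, or access already terminated")

// Package is an encrypted data package. Binding the metadata to the ciphertext
// as AES-GCM associated data is a layout assumed by this example.
type Package struct{ Metadata, Nonce, Ciphertext []byte }

// Session holds the plaintext only while the access operation lasts.
type Session struct {
	key, meta, data []byte
	allowed         map[string]bool
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal packages data with its metadata under a fresh random nonce.
func Seal(key, metadata, data []byte) (Package, error) {
	a, err := newAEAD(key)
	if err != nil {
		return Package{}, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Package{}, err
	}
	return Package{metadata, nonce, a.Seal(nil, nonce, data, metadata)}, nil
}

// OpenSession is step 104: decrypt the package with the second key information.
func OpenSession(key []byte, pkg Package, allowed ...string) (*Session, error) {
	a, err := newAEAD(key)
	if err != nil || len(pkg.Nonce) != a.NonceSize() {
		return nil, errors.New("key or package unusable")
	}
	data, err := a.Open(nil, pkg.Nonce, pkg.Ciphertext, pkg.Metadata)
	if err != nil {
		return nil, err
	}
	s := &Session{key: key, meta: pkg.Metadata, data: data, allowed: map[string]bool{}}
	for _, op := range allowed {
		s.allowed[op] = true
	}
	return s, nil
}

// Do is step 105: an operation runs only if the permission information grants it.
func (s *Session) Do(op string) ([]byte, error) {
	if !s.allowed[op] {
		return nil, ErrOp
	}
	return append([]byte(nil), s.data...), nil
}

// Close terminates access. With reseal it returns a second encrypted data
// package under the original metadata; the plaintext is wiped either way.
func (s *Session) Close(reseal bool) (pkg Package, err error) {
	if reseal {
		pkg, err = Seal(s.key, s.meta, s.data)
	}
	for i := range s.data {
		s.data[i] = 0
	}
	s.key, s.data, s.allowed = nil, nil, nil
	return pkg, err
}

// DemoPackage returns a constructed key and a package sealed under it.
func DemoPackage() ([]byte, Package) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	pkg, _ := Seal(key, []byte(`{"package_id":"pkg-001"}`), []byte("shared record"))
	return key, pkg
}

func main() {
	key, pkg := DemoPackage()
	if s, err := OpenSession(key, pkg, "read"); err == nil {
		data, _ := s.Do("read")
		_, denied := s.Do("copy")
		fmt.Printf("read=%q copy=%v\n", data, denied)
	}
}
```

The gate only holds while the plaintext stays inside code that enforces it, which is why the page places these steps inside the client application.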
It should be understood that the method steps in the above embodiments may be implemented by an application program in the first client; that is, the data to be accessed is called and the access operation is performed inside the application program, which makes it easier for the application program to control the data to be accessed afterwards.
Referring to FIG. 2, an embodiment of the present application further provides a data sharing method applied to the second client. The method includes:
Step 201. Obtain second storage information of the data to be shared, where the second storage information indicates the information stored in the storage server corresponding to the data to be shared;
Step 202. Send a data sharing request to the server, where the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
Step 203. Generate a third encrypted data package based on the metadata of the data to be shared and the data to be shared;
Step 204. According to the second storage information, store the third encrypted data package and the key information corresponding to the third encrypted data package in the storage server.
In the embodiments of the present application, the second client can be understood as the data provider. It may be a mobile electronic device or a non-mobile electronic device. For example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle-mounted electronic device, a wearable device and so on, which are not listed one by one here.
The second client may likewise be communicatively connected to the server. It can be understood that the second client may or may not be the data provider for the first client. That is, steps 101 to 105 and steps 201 to 204 may be combined, or they may be mutually independent interaction flows, which is not limited here. It can be understood that when the second client is the data provider for the first client, the data referred to as the data to be accessed and the data referred to as the data to be shared are the same data.
In step 201 above, the second storage information may be registration information that the second client obtained by registering with the storage server in advance, and may include information such as the storage address of the third encrypted data package.
In step 202 above, the data sharing request may be based on user input, for example clicking the button for publishing data on the first client. The data sharing request may also be triggered automatically according to preset conditions, which is not limited here.
It can be understood that, to implement data sharing, the data sharing request may carry the second data sharing information and the digital signature of the second client. The digital signature of the second client is a character string generated by the second client to prove the authenticity of the information sent by the second client.
The second data sharing information may be used to describe the data to be shared. Specifically, the second data sharing information may include the identity information of the second client. The identity information of the second client may include the ID of the second client and may also include the public key of the second client, so that the server can determine which client sent the data sharing request. The identity information may further include industry information, company information and personal information of the second client, representing the industry and company that the second client stands for and information about the user of the second client, so that when the server publishes the shared data, the data demander can view information about the data provider. The identity information may be filled in by the user of the second client, for example when registering an account, and details are not repeated here.
The second data sharing information may also include data storage information, data profile information and sharing policy information. The data storage information may include the storage address of the data to be shared and, if the data to be shared is ciphertext data, the identifier (ID) of the ciphertext, the key ID, the storage address of the key and so on, so that the data demander can obtain the data to be shared according to the data storage information.
The data profile information is used to characterize the attributes of the data to be shared, such as its category, summary, nature, purpose and price, so that the data demander can determine the data it needs according to the data profile information.
The sharing policy information is used to characterize the group of users with whom the second client intends to share. For example, the sharing policy information may include target industry information and target group information, so that the server can judge from the sharing policy information whether the data demander may obtain the data to be shared.
In some embodiments, the second data sharing information may also include price and payment bill information, representing the revenue that the data provider intends to obtain for the data to be shared.
In some embodiments, the second data sharing information may also include permission information indicating the access operations that the data provider allows to be performed on the data to be shared, so that the data provider can select the access operations it needs and obtain the corresponding permission information through a payment operation.
It can be understood that all of the information contained in the second data sharing information may be filled in by the second client itself; for example, an information template may be created in the application program corresponding to the second client for the user of the second client to fill in. The information may also be generated automatically by the second client from the data it has obtained, which is not limited here.
In step 203, similarly to the above embodiments, the third encrypted data package may be generated by packaging the data to be shared together with the metadata of the data to be shared. The metadata may be data information describing the data to be shared, so that the data to be shared, and the third encrypted data package corresponding to it, can be determined from the metadata.
In step 204, the second client may upload the third encrypted data package and its corresponding key information to the storage server according to the second storage information registered with the storage server.
In this embodiment of the present application, when uploading the data to be shared, the second client may package the data to be shared together with its metadata to obtain the third encrypted data package and store the third encrypted data package on the storage server, so that a data requester can obtain the data to be shared by retrieving the third encrypted data package from the storage server. Because the third encrypted data package can be packaged and unpacked multiple times, the data to be shared is always stored locally at the data requester as an encrypted data package, which prevents the data requester from performing illegal access operations on the data to be shared and improves the security and privacy of the data.
Optionally, step 203 includes:
generating first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data package, and second address information indicating a second smart contract;
where the second address information is sent by the server, the second smart contract belongs to a second block in the blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information, the third storage information being used to obtain the data to be shared from the storage server and the second permission information indicating the access operations that can be performed on the data to be shared;
generating the metadata of the data to be shared according to the first data information and the second client's digital signature on the first data information;
encapsulating the metadata of the data to be shared together with the data to be shared to obtain the third encrypted data package.
In this embodiment of the present application, the metadata of the data to be shared may be generated based on the first data information, which includes but is not limited to the first identifier, the second identifier and the second address information. It should be understood that the second identifier may include an ID indicating the data provider and may also include the public key of the data provider, which is not limited here.
The second smart contract is a smart contract generated by the server based on blockchain technology. It is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs the third storage information and the second permission information, that is, sends the third storage information and the second permission information to the client. The second address information is the address at which the second smart contract is executed. It may be a Uniform Resource Locator (URL) or a Uniform Resource Identifier (URI) address.
The third storage information is similar to the first storage information in the above embodiments, and the second permission information is similar to the first permission information. To avoid repetition, details are not repeated here.
It can be understood that, to digitally sign the first data information, the second client may first compute a hash of the first data information and then sign the resulting hash value with its private key.
In this embodiment of the present application, the third encrypted data package may be generated based on the metadata of the data to be shared, such as the first identifier indicating the second client, the second identifier indicating the third encrypted data package, and the second address information indicating the second smart contract. This ensures that the third encrypted data package can be packaged and unpacked multiple times according to the metadata of the data to be shared, so that the data to be shared is always stored locally at the data requester as an encrypted data package, which prevents the data requester from performing illegal access operations on the data to be shared and improves the security and privacy of the data.
Referring to FIG. 3, an embodiment of the present application further provides a data sharing method applied to a server. The method includes:
Step 301: receiving a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
Step 302: when the first client satisfies the access conditions of a first smart contract, sending first storage information and first permission information to the first client according to the first smart contract;
where the first smart contract belongs to a first block in the blockchain, the first storage information is used to obtain the data to be accessed from a storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
and/or includes:
Step 401: receiving a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
Step 402: generating third permission information according to the second data sharing information, where the third permission information is used to determine second permission information, and the second permission information indicates the access operations that can be performed on the data to be shared;
Step 403: generating a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, the second smart contract is used to indicate that third storage information and the second permission information are output when the access conditions of the second smart contract are satisfied, and the third storage information is used to obtain the data to be shared from a storage server.
It should be understood that, in this embodiment of the present application, the server may perform only steps 301 to 302, only steps 401 to 403, or both steps 301 to 302 and steps 401 to 403. When the server performs both, the second client may be the data provider for the first client and the first client may be the data requester for the second client; that is, the data to be shared and the data to be accessed may be the same data.
Step 301 corresponds to step 101 above. To avoid repetition, details are not repeated here.
In step 302, the server may determine from the identity information of the first client whether the first client satisfies the access conditions of the first smart contract. The access conditions of the first smart contract may be determined by the data provider and represent the group of users with whom the data provider intends to share. For example, the access conditions may restrict the target industry and the target group, so that whether the first client satisfies them can be judged from the identity information of the first client. When the first client satisfies the access conditions of the first smart contract, the first storage information corresponding to the data to be accessed is sent to the first client according to the first smart contract.
It should be noted that the first smart contract belongs to the first block in the blockchain. The first block may be generated based on the data sharing information sent by the data provider corresponding to the data to be accessed. For the specific process, refer to the process of generating the second block described below; it is not expanded on here. It can be understood that, if the data provider corresponding to the data to be accessed is the second client, that data sharing information is the second data sharing information.
For the first storage information and the first permission information, refer to the explanation of step 101 above. To avoid repetition, details are not repeated here.
In this embodiment of the present application, after receiving the data access request from the first client, the server may send the first storage information and the first permission information to the first client, so that the first client can obtain the data to be accessed according to the first storage information and perform access operations on the data to be accessed according to the first permission information. Because the first permission information indicates the access operations that the first client can perform on the data to be accessed, controlling the first client's access rights to the data prevents the first client from illegally sending the data to be accessed to other users, which reduces the risk of data leakage and improves the privacy and security of the data.
Optionally, before step 301, the first client may first perform mutual authentication with the server, where the authentication credential may be a digital certificate or a key. Step 301 is performed only after authentication succeeds, which prevents illegal users from accessing data and improves the security of data sharing.
Optionally, before the first storage information and the first permission information are sent to the first client, the method further includes:
when the first client satisfies the access conditions of the first smart contract, generating a third block according to the identity information of the first client, the first data sharing information and the digital signature of the first client, where the third block includes an access record corresponding to the data to be accessed.
In this embodiment of the present application, when the first client satisfies the access conditions of the first smart contract, the server may form a blockchain transaction based on the first data sharing information and send that transaction to an existing blockchain infrastructure platform, so that the third block is generated on an existing open-source blockchain platform (for example Hyperledger Fabric or Ethereum Quorum). The third block may include the access record corresponding to the data to be accessed, so that the data provider or the data requester can query it.
It should be noted that blockchain transactions, access records and pieces of first data sharing information correspond one to one. That is, each time the server receives a piece of first data sharing information, it can generate one blockchain transaction and one access record from it. To avoid wasting blockchain resources, the third block may also include multiple access records: after receiving M pieces of first data sharing information, the server may generate M blockchain transactions, and the third block that is finally assembled includes M access records.
It can be understood that M is a positive integer whose value can be determined from the maximum capacity of the third block. When M is greater than 1, the third block includes multiple access records, which avoids wasting block capacity.
Optionally, the data access request further carries the identity information of the first client and the digital signature of the first client, and before the step of sending the first storage information to the first client, the method further includes:
when the first client satisfies the first access condition of the first smart contract, generating a fourth block according to the identity information of the first client, the first data sharing information and the digital signature of the first client, where the fourth block includes a third smart contract, and the third smart contract is associated with the first smart contract and is used to indicate that the first storage information and the first permission information are sent to the first client when payment information sent by the first client is received;
sending billing information associated with the data to be accessed to the first client;
after receiving the payment information sent by the first client, generating a fifth block according to the payment information and the digital signature of the first client, where the fifth block includes a payment record corresponding to the payment information;
Step 302 includes:
when the first client satisfies the access conditions of the first smart contract and the payment information sent by the first client has been received, sending the first storage information and the first permission information to the first client according to the first smart contract and the third smart contract.
In this embodiment of the present application, the server can implement payment and billing functions during data sharing, so that the data provider can obtain revenue from the data requester. That is, when sending the data sharing information to the server, the data requester may also send the billing information associated with the data to be accessed, so that the server can send the billing information to the first client after receiving the data access request.
Specifically, when the server determines that the first client satisfies the access conditions of the first smart contract, the server may determine the data to be accessed according to the first data sharing information and generate a blockchain transaction from the identity information of the first client, the first data sharing information and the digital signature of the first client. The server may send the blockchain transaction to an existing blockchain infrastructure platform, so that the fourth block is generated on an existing open-source blockchain platform (for example Hyperledger Fabric or Ethereum Quorum). The fourth block may include the third smart contract, which is associated with the first smart contract and is used to indicate that the first storage information and the first permission information are sent to the first client when the payment information sent by the first client is received.
Similarly to the above embodiments, third smart contracts, blockchain transactions and pieces of first data sharing information correspond one to one, and the fourth block may contain one or more third smart contracts. When the server receives multiple pieces of first data sharing information, it can generate multiple blockchain transactions and combine multiple third smart contracts into the fourth block, which improves block utilization and avoids wasting block capacity. Details are not repeated here.
Once the server receives the payment information sent by the first client, the payment is complete, and the server may send the first storage information and the first permission information to the first client according to the first smart contract and the third smart contract. At the same time, so that the data provider or the first client can query payment records, the server may generate a fifth block according to the payment information and the digital signature of the first client, where the fifth block includes the payment record corresponding to the payment information. The fifth block is generated in a manner similar to the first to fourth blocks in the above embodiments. To avoid repetition, details are not repeated here.
In this embodiment of the present application, the server can implement payment and billing functions during data sharing, which improves the user experience.
Step 401 corresponds to step 201 above. In step 402, the second permission information may be generated based on the second data sharing information sent by the second client. For example, when sending the data sharing request, the second client may send an access permission list corresponding to the data to be shared, which includes all access operations that can be performed on the data to be shared, so that the server can generate the second permission information from the access permission list.
Optionally, step 402 may include:
generating an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
when a permission request associated with the second permission information is received, obtaining the second permission information from the access permission list.
Optionally, the server may also present the access permission list to the data requester and determine the second permission information that is finally output from the request sent by the data requester. In this way the data provider can control access rights to the data more conveniently, improving the security and privacy of the data, and can also obtain revenue from it.
In a specific embodiment, the server may show the data requester that the purchase options for the current document include read-only permission, shareable permission and editable permission. After the data requester selects a purchase option, the second permission information that is finally sent to the data requester can be determined. Of course, in other optional embodiments, the second permission information may also be generated by the server itself according to the access permission list and a preset policy.
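The server-side gate described above (access conditions, the access permission list, and batching M access records into one block), as an added Python example that is not code from the application. The in-memory hash-linked ledger stands in for the blockchain platform, the class, field and permission names and the sample values are constructed, and the client's signature is assumed to have been verified already and is carried as an opaque string.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SmartContract:
    """Provider-defined access conditions and what is released once they are met."""
    address: str                  # address information of the contract (URL/URI)
    target_industries: frozenset  # sharing policy: industries allowed to access
    target_groups: frozenset      # sharing policy: user groups allowed to access
    storage_info: dict            # storage address, key ID, ...
    permission_list: frozenset    # access permission list set by the provider

    def satisfied_by(self, identity: dict) -> bool:
        return (identity.get("industry") in self.target_industries
                and identity.get("group") in self.target_groups)


def block_hash(index: int, prev_hash: str, records: list) -> str:
    # Canonical JSON so the same block content always hashes to the same value.
    body = json.dumps({"index": index, "prev": prev_hash, "records": records},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class SharingServer:
    def __init__(self, records_per_block: int):
        if records_per_block < 1:
            raise ValueError("M must be a positive integer")
        self.m = records_per_block
        self.contracts = {}
        self.pending = []   # access records not yet sealed into a block
        self.chain = []     # sealed blocks, each holding M access records

    def publish(self, contract: SmartContract) -> None:
        self.contracts[contract.address] = contract

    def handle_access_request(self, identity, contract_address, requested_ops,
                              signature_hex):
        """Return (storage_info, permission_info), or None when access is denied."""
        contract = self.contracts.get(contract_address)
        requested = frozenset(requested_ops)
        # Fail closed: unknown contract, anonymous client or unmet conditions.
        if contract is None or "id" not in identity:
            return None
        if not contract.satisfied_by(identity):
            return None
        # Only operations on the provider's access permission list can be granted.
        if not requested or not requested <= contract.permission_list:
            return None
        # The access record is written before anything is released.
        self.pending.append({"client_id": identity["id"],
                             "contract": contract_address,
                             "operations": sorted(requested),
                             "signature": signature_hex})
        if len(self.pending) >= self.m:
            self._seal_block()
        return dict(contract.storage_info), requested

    def _seal_block(self) -> None:
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        index = len(self.chain)
        records, self.pending = self.pending[:self.m], self.pending[self.m:]
        self.chain.append({"index": index, "prev": prev, "records": records,
                           "hash": block_hash(index, prev, records)})

    def chain_is_intact(self) -> bool:
        prev = "0" * 64
        for i, block in enumerate(self.chain):
            if block["index"] != i or block["prev"] != prev:
                return False
            if block["hash"] != block_hash(i, prev, block["records"]):
                return False
            prev = block["hash"]
        return True


def demo():
    # Constructed sample data: one contract, one matching and one non-matching client.
    addr = "https://sharing.example/contracts/2"
    server = SharingServer(records_per_block=2)
    server.publish(SmartContract(
        address=addr,
        target_industries=frozenset({"healthcare"}),
        target_groups=frozenset({"researcher"}),
        storage_info={"storage_address": "https://storage.example/pkg/3",
                      "key_id": "key-0001"},
        permission_list=frozenset({"read", "share"})))
    alice = {"id": "client-1", "industry": "healthcare", "group": "researcher"}
    bob = {"id": "client-9", "industry": "retail", "group": "researcher"}
    results = [
        server.handle_access_request(alice, addr, ["read"], "aa"),
        server.handle_access_request(bob, addr, ["read"], "bb"),    # wrong industry
        server.handle_access_request(alice, addr, ["edit"], "cc"),  # not on the list
        server.handle_access_request(alice, addr, ["read", "share"], "dd"),
    ]
    return server, results
```

Denied requests leave no access record in this sketch; a deployment that also wants to audit refusals would record them separately.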
In step 403, after the server receives the data sharing request, because the server can connect to the blockchain network, it can form a blockchain transaction from the second data sharing information and the digital signature of the second client. This blockchain transaction is used to share the data to be shared that corresponds to the second data sharing information. The server may then send the blockchain transaction to an existing blockchain infrastructure platform, so that the second block is generated on an existing open-source blockchain platform (for example Hyperledger Fabric or Ethereum Quorum). The second block includes the second smart contract corresponding to the second data sharing information, and the newly generated second block is published to each server node connected to the blockchain network to announce that there is a new data sharing request.
It can be understood that the digital signature of the second client corresponds one to one with the second data sharing information. That is, each time the second client needs to access a piece of data to be accessed, it needs to send a data access request carrying a digital signature and the second data sharing information, and the digital signature of the second client differs between different data access requests.
The second smart contract is generated based on the second data sharing information and may include access conditions determined from the second data sharing information. When a data requester satisfies the access conditions of the second smart contract, the server may output the third storage information and the second permission information corresponding to the data to be shared. The third storage information is similar to the first storage information and may be generated based on the second data sharing information; for example, it may be address information, key information and the like.
It should be noted that blockchain transactions and second smart contracts each correspond one to one with data sharing requests. That is, each time the server receives a data sharing request carrying the second data sharing information and the digital signature of the second client, it can generate one blockchain transaction and one second smart contract from the second data sharing information and that digital signature. To avoid wasting blockchain resources, the second block may also include multiple second smart contracts: after receiving N data access requests, the server may generate N blockchain transactions, and the second block that is finally assembled includes N second smart contracts. It can be understood that N is a positive integer whose value can be determined from the maximum capacity of the second block. When N is greater than one, the second block includes multiple smart contracts, which avoids wasting block capacity.
The manner of forming the second block can be configured according to the existing block generation mechanism of the open-source blockchain platform (for example Hyperledger Fabric or Ethereum Quorum), and is not described further here.
In this embodiment of the present application, after receiving the data sharing request from the second client, the server may generate the second block according to the second data sharing information and the digital signature of the second client. Because the second block includes the second smart contract, when the access conditions of the second smart contract are satisfied the server can output the third storage information and the second permission information, instructing the data requester to obtain the data to be shared according to the third storage information and to perform access operations on the data to be shared according to the second permission information. This permission control improves the security and privacy of the data.
可选地,在上述步骤401之前,第二用户端可以先与服务端进行相互认证,认证凭证可以为数字证书或密钥,在认证成功后,服务端还可以根据第二用户端的身份信息查询第二用户端是否有权限发布数据共享,在有权限发布数据共享的情况下,再生成上述第二区块,从而可以避免非法或无权限的用户作为数据提供方,提升了数据共享的安全性。Optionally, before the above step 401, the second client can perform mutual authentication with the server first, and the authentication credential can be a digital certificate or key. After the authentication is successful, the server can also query the identity information of the second client. Whether the second client has the authority to publish data sharing, and if it has the authority to publish data sharing, the above-mentioned second block can be generated, so that illegal or unauthorized users can be avoided as data providers, and the security of data sharing can be improved. .
Optionally, the second data sharing information includes identity information of the second client and data profile information, and after step 403 the method further includes:
generating second address information that indicates the second smart contract;
sending the identity information of the second client, the data profile information and the second address information to subscribed clients.
In this embodiment of the application, after generating the second block that includes the second smart contract, the server may generate second address information indicating the second smart contract. The second address information may be a Uniform Resource Locator (URL) or a Uniform Resource Identifier (URI). After receiving the second address information, the data demander can execute the second smart contract through user input, for example by clicking the link of the access address, so that the third storage information and the second permission information are output if the data demander satisfies the second access condition of the second smart contract. The second client may itself also be a subscribed client, in which case, as described in the above embodiment, it can generate the metadata of the data to be shared from the second address information in order to generate the third encrypted data package.
Note that the identity information of the second client and the data profile information in the second data sharing information may be sent to subscribed clients together with the second address information. A client can display the identity information of the second client and the data profile information so that the user learns who published the data to be shared and its relevant attributes and type, and can decide whether to access the data to be shared.
This information delivery flow can be implemented with the publish-subscribe pattern, with the server as publisher and the subscribed clients as subscribers; it is not described further here.
In addition, referring to FIG. 5, an embodiment of the present application further provides a data sharing system comprising a server, a first client and a second client. The server is configured to perform the method steps of any of the above embodiments of the data sharing method applied to the server; the first client is configured to perform the method steps of any of the above embodiments of the data sharing method applied to the first client; and the second client is configured to perform the method steps of any of the above embodiments of the data sharing method applied to the second client. That is, the data exchange/sharing platform shown in FIG. 5 may be the server, the data provider may be the second client, and the data demander may be the first client.
The server, the first client and the second client together form the overall architecture that implements the data sharing method, providing a complete, systematic and implementable solution for data sharing based on blockchain technology. Sharing data through this system can improve the security of data sharing.
Based on the above system, and referring to FIG. 5 to FIG. 6, a specific implementation flow of the embodiments of the present application may be as follows:
The server may include a user management module, an authentication and authorization module, a data sharing policy formulation and management module, a data sharing access record module, a data sharing information publishing module, a data sharing information subscription module, a data sharing token management module, a data sharing billing management module, a data sharing payment management module and an access rights management module.
These functional modules may be implemented by different server nodes within the server, and the server may expose their capabilities through an application programming interface (API) for client application software to call.
The user management module manages the identity information of the various users (such as data providers, data demanders, payment centers, key storage service providers and data storage service providers), for example user identifier (ID), digital certificate and role, and manages the query, addition, modification and deletion flows for the various user accounts.
The authentication and authorization module is used to: perform mutual authentication with clients (such as data providers and data demanders), by means such as password, shared key or digital certificate; and check whether a user (such as a data provider or data demander) has permission to publish or access data, and authorize the user accordingly.
The data sharing policy formulation and management module is used to: receive the data access policy (containing the data sharing information) defined by the second client, together with the corresponding digital signature, and form a blockchain transaction from them; submit the transaction to the underlying blockchain infrastructure module and smart contract management module to form a data sharing smart contract, which is published to the nodes of the blockchain network; notify the second client and the data sharing information publishing module that the data sharing smart contract has been generated; and provide the second client with management of data sharing policy records, such as query and modification.
The data sharing access record module is used to: receive a data access request from the first client (containing information about the data demander, information about the data to be accessed, and so on) and, according to the data sharing policy of the requested data, check whether the user meets the conditions for accessing the shared data (such as which industries and which users may use the data); form a blockchain transaction from the received identity information of the data user, the information about the data to be accessed and the digital signature; submit the transaction to the underlying blockchain infrastructure module to form a record of access to the shared data, which is published to the nodes of the blockchain network; optionally, if the system supports billing and payment for data sharing/trading, submit the transaction to the underlying blockchain infrastructure module and smart contract management module to further form a corresponding billing smart contract, which is published to the nodes of the blockchain network; and notify the data sharing token management module that an access token needs to be generated.
Optionally, if the system supports billing and payment for data sharing/trading, the module also notifies the data sharing billing management module that a new billing smart contract has been generated. It further: receives the notification from the data sharing token management module, which contains the access token; sends the access token, the relevant information of the key storage server and the data storage server (such as addresses and digital certificates) and the permission information to the first client; and provides data users with management of data sharing access records, such as query.
The data sharing information publishing module is used to: receive the notification from the data sharing policy formulation and management module, which contains the new data sharing information; publish the new data sharing information; and notify the data sharing information subscription module that new data sharing information is available.
The data sharing information subscription module is used to: receive the notification from the data sharing information publishing module, which contains the new data sharing information; and send the new data sharing information to subscribed clients.
The data sharing token management module is used to: receive the notification from the data sharing access record module that an access token needs to be generated; generate an access token for the data access; and send the generated access token to the data sharing access record module.
The data sharing billing management module is used to: receive the notification from the data sharing policy formulation and management module announcing the generation of a new billing smart contract, which contains the new billing information; generate a new bill and sign it; form a blockchain transaction from the bill and the signature; submit the transaction to the underlying blockchain infrastructure module to form a payment smart contract, which is published to the nodes of the blockchain network; and notify the data sharing payment management module that a new payment smart contract has been generated.
The underlying blockchain infrastructure module is built on an existing blockchain platform such as Hyperledger Fabric or Ethereum Quorum and is not described further here.
The data sharing payment management module is used to: receive the notification from the data sharing billing management module announcing the generation of a new payment smart contract, which contains the new payment information; generate a new payment bill, make the payment and sign the payment bill; form a blockchain transaction from the payment bill and the signature; submit the transaction to the underlying blockchain infrastructure module to form a payment transaction record, which is published to the nodes of the blockchain network; and notify all transaction participants that the new payment is complete.
The access rights management module is used to: receive the notification from the data sharing policy formulation and management module and store the access rights and policies associated with the shared data; receive the notification from the data sharing access/usage record module, generate access rights for the data access and encrypt them with the data user's public key to form a permission data package; and send the generated permission data package to the data sharing access/usage record module.
The first client may be the data demander. The application and/or client software on the first client may have the following functions: subscribe to published data sharing messages; obtain data sharing information (such as the data publisher identifier, which industries and which users may use the data, and other attributes such as the data category, content summary, nature, purpose and price) by searching the information bulletin board, through subscribed publications or through recommendations from others, and determine from the published data sharing information which data to access;
before accessing shared data, perform mutual authentication with the server's authentication and authorization module; send to the server's data sharing access record module its identity information (such as the data user identifier and the data user public key), the information about the data to be accessed (such as the data publisher identifier, data publisher public key, ciphertext ID and key ID), and its digital signature over the identity information and the information about the data to be accessed; receive the notification from the data sharing access record module, which includes the key storage address, the data storage address, the access token, the permission information and so on;
according to the key storage address, send the access token to the token verification module of the key storage server to obtain the decryption key; according to the ciphertext storage address, request the data corresponding to the ciphertext ID; decrypt the encrypted data package with the obtained data decryption key to obtain the data to be accessed, and perform access operations on that data according to the permission information; after the access operation, delete the data or re-package it; and manage the records of shared data it has accessed, for example by querying them.
The second client may be the data provider. The application and/or client software on the second client may have the following functions: collect raw data and desensitize it without affecting the quality of data sharing (for example by anonymizing it or deleting private information such as bank card numbers and Alipay account numbers); generate a data encryption key; package the shared data using the data encryption key to obtain an encrypted data package; securely store the encrypted data package of the shared data and the encryption key on a local or remote server; perform mutual authentication with the server's authentication and authorization module; and fill in the data sharing information to be published, such as the data publisher identifier, as required by the server's data sharing policy formulation and management module.
Optionally, the system may further include a key storage server, which includes:
Token verification module: receives the access token from the first client and authenticates the first client; verifies the validity of the access token (optionally, when verifying the token, the token verification module of the key storage server may need to communicate with the data sharing token management module); and sends the verification result to the data key storage management module.
Data key storage management module: receives the request from the second client to store a data encryption key; authenticates the second client; securely stores the encryption key; notifies the second client that the encryption key has been stored; receives the notification from the token verification module, which indicates the token verification result; and returns the decryption key to the first user in securely encrypted form.
These functional modules can likewise be exposed as APIs for client application software to call.
The system may further include a data storage server, which includes:
Data distribution module, used to: receive a request from the first client; authenticate the first client; and send the encrypted data package to the first client.
Data storage management module, used to: receive the request from the second client to store the encrypted data package of the shared data; authenticate the second client; securely store the encrypted data package of the shared data; and notify the second client that the encrypted data package of the shared data has been stored.
These functional modules can likewise be exposed as APIs for client application software to call.
FIG. 6 is a scenario architecture diagram provided by an embodiment of the present application for implementing access rights control over the data to be accessed and the data to be shared. As shown in the figure, the data provider can encapsulate the data to be shared and the related data information with a key to obtain an encrypted data package. Through the data sharing/exchange platform, the data demander can obtain the encrypted data package, the permission data package and the key data package; after decrypting the encrypted data package with the key data package, it can perform access operations on the data according to the access rights in the permission data package.
Referring to FIG. 7, which shows an interaction flow between the second client and the server, namely the data publishing flow, the flow includes the following steps:
Step 501: the second client collects raw data and desensitizes it without affecting the quality of data sharing (for example by anonymizing it or deleting sensitive information such as bank card numbers and account numbers).
Step 502: the second client registers the data to be shared and the encryption key with a local or remote server, specifically:
Step 5021: register the encryption key to be stored with the key storage server and obtain the encryption key identifier and its storage address.
Step 5022: register the encrypted data to be stored with the data storage server and obtain the identifier of the encrypted data and its storage address.
Step 503: the second client generates a data encryption key and a key ID, encrypts the data to be shared with the data encryption key to form the data ciphertext, and then generates the data sharing information for the data to be shared, such as: the data publisher identifier, the data publisher public key, the encrypted data package ID, the storage address of the encrypted data package, the key ID, the storage address of the key, which industries may use the data, which access operations may be performed on the data, which users may use the data, and other attributes of the data (such as category, content summary, nature, purpose and price).
Step 504: before publishing the data sharing policy, the second client must perform mutual authentication with the server's authentication and authorization module; authentication may be done by verifying digital certificates. After successful authentication, the authentication and authorization module also checks whether the second client has permission to publish data for sharing.
After successful authentication and authorization, the second client fills in the data sharing information to be published as required by the server's data sharing policy formulation and management module, such as: the data publisher identifier, the data publisher public key, the ciphertext ID, the storage address of the ciphertext, the key ID, the storage address of the key, which industries may use the data, which users may use the data, and other attributes of the data (such as category, content summary, nature, purpose and price). The second client combines the data sharing information with other information to form the data sharing policy, hashes the policy and digitally signs the hash with its own private key.
Step 505: the second client sends the data sharing policy and the corresponding digital signature to the server's data sharing policy formulation and management module; the transmission must be encrypted and integrity-protected.
Step 506: after receiving the data sharing policy and the corresponding digital signature from the second client, the data sharing policy formulation and management module first verifies the digital signature, and then prepares a transaction for a block from the data sharing policy and the digital signature.
Step 507: the data sharing policy formulation and management module confirms with the second client that the second client has stored the data encryption key in the key storage server and the encrypted data in the data storage server; if it has not, the following operations are required:
Step 5071: the second client stores the data encryption key in the key storage server;
Step 5072: the second client forms the encrypted data package according to the following steps and stores it in the data storage server;
Step 50721: generate the data information, including but not limited to: the encrypted data package identifier, the data provider identifier, the data provider's public key, and the address for executing the data sharing smart contract;
Step 50722: compute a hash of the generated data information and sign the hash result with the second client's private key;
Step 50723: combine the data information and the signature over the data information to form the metadata;
Step 50724: encapsulate the metadata and the encrypted shared data to form the encrypted data package;
Step 50725: store the encrypted data package in the data storage server.
Note that steps 5071 and 5072 may be performed in either order; they only need to be completed before the new blockchain transaction is generated.
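Steps 50721 to 50725 can be sketched in Go as follows; this is an added example, not code from the patent. Ed25519, SHA-256, AES-256-GCM, the JSON encoding, the field names, the use of the metadata as GCM associated data and the check against a provider key registered with the platform are all assumptions, since the patent names no algorithms or formats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// DataInfo is the data information of step 50721 (field names are hypothetical).
type DataInfo struct {
	PackageID, ProviderID string
	ProviderKey           []byte // data provider's public key
	ContractAddr          string // address for executing the data sharing smart contract
}

// Metadata (step 50723) adds the provider's signature; Package (step 50724) adds the encrypted data.
type Metadata struct {
	Info      DataInfo
	Signature []byte
}
type Package struct {
	Meta              Metadata
	Nonce, Ciphertext []byte
}

// infoDigest hashes the JSON encoding of the data information (step 50722).
func infoDigest(info DataInfo) []byte {
	raw, _ := json.Marshal(info) // fields are emitted in declaration order, so the bytes are stable
	sum := sha256.Sum256(raw)
	return sum[:]
}

func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildPackage runs steps 50722 to 50724 on the provider side.
func BuildPackage(info DataInfo, priv ed25519.PrivateKey, dataKey, plaintext []byte) (*Package, error) {
	meta := Metadata{Info: info, Signature: ed25519.Sign(priv, infoDigest(info))}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(meta) // assumption: bind the metadata to this ciphertext
	return &Package{Meta: meta, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// OpenPackage checks the metadata against the provider key registered with the platform, then decrypts.
func OpenPackage(p *Package, trusted ed25519.PublicKey, dataKey []byte) ([]byte, error) {
	if len(trusted) != ed25519.PublicKeySize || !bytes.Equal(p.Meta.Info.ProviderKey, trusted) {
		return nil, errors.New("provider key does not match the registered key")
	}
	if !ed25519.Verify(trusted, infoDigest(p.Meta.Info), p.Meta.Signature) {
		return nil, errors.New("metadata signature invalid")
	}
	gcm, err := newGCM(dataKey)
	if err != nil || len(p.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad data key or nonce length")
	}
	aad, _ := json.Marshal(p.Meta)
	return gcm.Open(nil, p.Nonce, p.Ciphertext, aad)
}

func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey, []byte) { // throwaway demonstration keys
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	dataKey := make([]byte, 32) // AES-256 data encryption key
	if _, err2 := rand.Read(dataKey); err != nil || err2 != nil {
		panic("key generation failed")
	}
	return pub, priv, dataKey
}

func main() {
	pub, priv, dataKey := demoKeys()
	// Constructed sample values.
	info := DataInfo{PackageID: "pkg-001", ProviderID: "provider-A", ProviderKey: pub, ContractAddr: "https://platform.example/contracts/42"}
	pkg, err := BuildPackage(info, priv, dataKey, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pkg.Meta.Info.ContractAddr = "https://other.example/contracts/1" // altered after signing
	_, err = OpenPackage(pkg, pub, dataKey)
	fmt.Println("tampered package rejected:", err != nil)
}
```

Checking the signature against a key the platform already holds matters because the public key inside the package is attacker-controlled: anyone can replace both the key and the signature.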
Step 508: the data sharing policy formulation and management module hashes the one or more received transactions and digitally signs the hash value with its own private key, then submits the transaction or transactions together with the digital signature to the underlying blockchain infrastructure module and smart contract management module to form a new block. The new block contains one or more data sharing smart contracts and is published to the nodes of the blockchain network. How the transaction is loaded onto the chain depends on the underlying implementation technology (such as the Hyperledger Fabric platform or the Ethereum Quorum platform) and is not described here.
Step 509: the data sharing policy formulation and management module notifies the relevant parties that the data sharing smart contract has been generated:
Step 5091: notify the second client that the data sharing smart contract has been generated, and send it the address for executing the smart contract.
Step 5092: notify the data sharing information publishing module that the data sharing smart contract has been generated, and pass it the corresponding new data sharing information; the transmission must be encrypted and integrity-protected.
Step 5093: notify the access rights management module that the data sharing smart contract has been generated (the notification includes the address for executing the smart contract), and instruct it to record the related access rights.
Steps 5091 to 5093 may be performed in any order.
Step 5094: the access rights management module receives the notification from the data sharing policy formulation and management module and stores the access rights and policies associated with the shared data.
Step 510: the data sharing information publishing module receives the notification from the data sharing policy formulation and management module and publishes the new data sharing information, including:
Step 5101: the data sharing information publishing module notifies the data sharing information subscription module that the data sharing smart contract has been generated; the notification contains the address for executing the smart contract and the new data sharing information.
Step 5102: the data sharing information subscription module receives the notification from the data sharing information publishing module and sends the address for executing the smart contract and the new data sharing information to the subscribed users.
Referring to FIG. 8, which shows an interaction flow between the first client and the server, namely the data access flow, the flow includes the following steps:
Step 601: the first client obtains the address for executing the data sharing smart contract by searching the information bulletin board, through subscribed publications, through recommendations from others, or from the metadata of an encrypted data package obtained by forwarding, and determines the data to be accessed from the published data sharing information (such as the data publisher identifier, which industries and which users may use the data, and other attributes such as the data category, content summary, nature, purpose and price).
Step 602: before executing the data sharing smart contract to access shared data, the first client must perform mutual authentication with the authentication and authorization module of the data sharing/exchange platform; digital certificates are the recommended authentication method. After successful authentication, the authentication and authorization module also checks whether the data user has permission to access the data shared on the platform.
Step 603: after successful authentication and authorization, the first client sends to the data sharing access record module of the data sharing/exchange platform its identity information (such as the data user identifier and the data user public key), the information about the data to be accessed (such as the data publisher identifier, data publisher public key, ciphertext ID and key ID), and the first client's digital signature over its identity information and the information about the data to be accessed.
Step 604: the data sharing access record module receives the identity information, the information about the data to be accessed and the digital signature from the first client, verifies the digital signature, and then executes the data sharing smart contract according to the data access request provided by the first client to check whether the user meets the conditions for accessing the shared data (such as which industries and which users may use the data). If all data sharing policies are satisfied, the data sharing access record module forms a transaction for a block from the received identity information of the data user, the information about the data to be accessed and the digital signature. The data sharing access record module hashes the one or more received transactions and digitally signs the hash value with its own private key, then submits the transaction or transactions together with the digital signature to the underlying blockchain infrastructure module to form a new block. The new block contains one or more records of access to shared data and is published to the nodes of the blockchain network. How the transaction is loaded onto the chain depends on the underlying implementation technology (such as the Hyperledger Fabric platform or the Ethereum Quorum platform) and is not described here.
Step 6051: After the access record of the shared data has been successfully written to the chain, the data sharing access record module notifies the data sharing token management module that an access token needs to be generated.
Step 6052: Access rights management is notified that an access rights data packet needs to be generated.
Step 6061: The data sharing token management module receives the notification from the data sharing access record module and generates an access token for this data access.
Step 6062: The access rights management module receives the notification from the data sharing access/use record module, generates the access rights for this data access, and encrypts the access rights with the data user's public key to form a permission data packet.
Step 6071: The data sharing token management module sends the generated access token to the data sharing access record module.
Step 6072: The access rights management module sends the generated permission data packet to the data sharing access/use record module.
Step 608: The data sharing access record module receives the access token from the data sharing token management module and the permission data packet from access rights management, and then sends the access token, the permission data packet, and the related information of the key storage server and the data storage server (such as addresses and digital certificates) to the first client. Confidentiality protection and integrity protection need to be considered for the access token and for the related information of the key storage server and the data storage server during transmission.
Step 609: The first client receives a notification from the data sharing access record module. The notification contains the permission data packet, the access token, and the related information of the key storage server and the data storage server (such as addresses and digital certificates). The first client then uses the key storage address to send the access token to the token verification module of the key storage server in order to obtain the decryption key. Confidentiality protection and integrity protection need to be considered for the access token during transmission.
Step 6091: The token verification module of the key storage server receives the access token from the first client and verifies the validity of the access token. Optionally, when verifying the token, the token verification module of the key storage server may need to communicate with the data sharing token management module; confidentiality and integrity protection need to be considered for the data in this communication.
Step 6092: The token verification module sends the verification result to the data key storage management module.
Step 610: The data key storage management module receives the notification of the access token verification result from the token verification module, then encrypts the decryption key with the data user's public key to form a key data packet, which is returned to the first client in securely encrypted form.
Step 611: The first client receives the decryption key from the data key storage management module. Using the address at which the encrypted data packet is stored, the first client requests the data corresponding to the encrypted data packet ID.
Step 612: The data distribution module receives the encrypted data packet request from the first client and verifies the request, for example by performing identity authentication.
Step 613: The data distribution module sends the encrypted data packet corresponding to the ID to the first client.
Step 614: The first client decrypts the permission data packet and the key data packet to obtain the decryption key and the access rights, then decrypts the encrypted data packet with the decryption key and presents the plaintext data to the corresponding application. After the application is closed, the decrypted data is still stored locally in the form of an encrypted data packet.
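The policy check and access record of step 604, the token issuance of step 6061 and the token verification of step 6091, as an added example that is not part of the patent text. The token format, the HMAC key shared by the token management module and the key storage server, the in-memory list standing in for the blockchain, and all names and sample values are assumptions; the digital signatures of steps 603 and 604 are left out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample policy for one shared item (the step 604 conditions:
# which industries and which users may use the data).
POLICY = {"ct-001": {"industries": {"healthcare"}, "users": {"user-A", "user-B"}}}

# Assumption: token manager and key storage server share this MAC key.
TOKEN_KEY = secrets.token_bytes(32)
_used_nonces = set()  # replay cache kept by the token verification module


def canonical(obj):
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def policy_allows(request):
    rule = POLICY.get(request["ciphertext_id"])
    return bool(rule) and request["user_id"] in rule["users"] \
        and request["industry"] in rule["industries"]


def record_access(request, ledger):
    """Step 604: check the sharing policy, then append a hash-chained record.

    Returns the new ledger entry, or None when the policy denies the request
    (nothing is recorded and no token may be issued).
    """
    if not policy_allows(request):
        return None
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    body = {"prev": prev, "tx": request}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    ledger.append(entry)
    return entry


def issue_token(entry, ttl=300, now=None):
    """Step 6061: token bound to the access record, user, ciphertext and key."""
    now = time.time() if now is None else now
    tx = entry["tx"]
    payload = {"rec": entry["hash"], "sub": tx["user_id"],
               "ct": tx["ciphertext_id"], "kid": tx["key_id"],
               "exp": int(now) + ttl, "nonce": secrets.token_hex(8)}
    raw = canonical(payload)
    tag = hmac.new(TOKEN_KEY, raw, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(raw).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(token, user_id, key_id, now=None):
    """Step 6091: validate the token before any decryption key is released.

    Returns (ok, reason). The nonce is consumed only when every other check
    has passed, so a rejected presentation does not burn a valid token.
    """
    now = time.time() if now is None else now
    try:
        raw_b64, tag_b64 = token.split(".")
        raw = base64.urlsafe_b64decode(raw_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(TOKEN_KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad-mac"
    payload = json.loads(raw)
    if payload["exp"] < now:
        return False, "expired"
    if payload["sub"] != user_id or payload["kid"] != key_id:
        return False, "binding-mismatch"
    if payload["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    ledger = []
    req = {"user_id": "user-A", "industry": "healthcare",
           "ciphertext_id": "ct-001", "key_id": "k-001"}  # constructed request
    entry = record_access(req, ledger)
    token = issue_token(entry)
    print(verify_token(token, "user-A", "k-001"))  # first presentation
    print(verify_token(token, "user-A", "k-001"))  # same token again
```

Binding the token to the record hash, the user and the key ID is what lets the key storage server refuse a token presented by a different client or for a different key, which the steps above leave to "verifies the validity of the access token".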
In data sharing, the data provider may obtain a certain economic benefit from the data user. The specific process is shown in FIG. 8.
In FIG. 8, step 604 above further includes:
Step 6041: The data sharing access record module checks, according to the data sharing policy (such as price and payment method), whether the user meets the conditions for accessing the shared data (such as which industries may use the data and which users may use the data). If all data sharing policies are satisfied, the data sharing access record module forms a blockchain transaction from the received identity information of the data user, the information on the data to be accessed, and the digital signature, and submits it to the underlying blockchain infrastructure module and smart contract management module to form a record of access to the shared data and the corresponding billing smart contract, which are published to the nodes of each blockchain network.
Step 6042: The data sharing access record module notifies the data sharing billing management module that a new billing smart contract (containing billing information) has been generated. The data sharing billing management module generates a payment bill immediately or periodically according to the billing smart contract and digitally signs the payment bill to form a transaction in a block. The data sharing billing management module digitally signs one or more payment bill transactions; the one or more transactions and the digital signature then pass through the underlying blockchain infrastructure module and smart contract management module to form a new block, which contains one or more payment smart contracts, and the newly formed block is published to the nodes of each blockchain network.
Step 6043: The data sharing billing management module notifies the data sharing payment management module that a new payment smart contract (containing payment information) has been generated. The data sharing payment management module pays the payment bill immediately or periodically according to the payment smart contract. After the payment is completed, the data sharing payment management module signs the payment information to form a payment transaction in a block. The data sharing payment management module digitally signs one or more payment transactions and then, through the underlying blockchain infrastructure module, forms a new block, which contains one or more payment records, and the newly formed block is published to the nodes of each blockchain network.
The data sharing payment management module notifies the data sharing access record module that the payment is complete and the next operation can proceed.
The data sharing system provided by the embodiments of the present application is designed by reusing existing technology, that is, on the basis of existing open-source blockchain platforms (such as Hyperledger Fabric and Ethereum Quorum), which can improve the efficiency of system development as well as reliability and stability. Because the data sharing system is based on security protection of data transmission, security protection of data storage, and access control over data use, individual users, enterprise users and the like can act as data providers and securely share their own data according to their own requirements and policies. With data sharing based on smart contracts, individual users or enterprise users can also obtain certain rewards or benefits automatically and in near real time, which improves the user experience while improving the security of data sharing. In addition, the data demander must perform access operations on the data according to the access rights, which prevents the data from being disseminated illegally and improves the security and privacy of the data.
It should be noted that the data sharing method provided in the embodiments of the present application may be executed by a data sharing device, or by a control module in the data sharing device that is used to execute the data sharing method. In the embodiments of the present application, the data sharing device is described by taking the case in which the data sharing device executes the data sharing method as an example.
Referring to FIG. 9, an embodiment of the present application provides a data sharing device 900. The data sharing device 900 may be a first client, and the data sharing device 900 includes:
a first sending module 901, configured to send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
a first receiving module 902, configured to receive first storage information and first permission information sent by the server based on a first smart contract, where the first smart contract belongs to a first block in the blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
a first obtaining module 903, configured to obtain a first encrypted data packet from the storage server according to the first storage information;
a decryption module 904, configured to decrypt the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and the metadata of the data to be accessed;
an access module 905, configured to perform an access operation on the data to be accessed according to the first permission information.
In this embodiment of the present application, the first client can send a data access request to the server through the first sending module 901, receive through the first receiving module 902 the first storage information and the first permission information sent by the server based on the first smart contract, use the first storage information to obtain the first encrypted data packet from the storage server through the first obtaining module 903, obtain the data to be accessed after decryption by the decryption module 904, and perform the access operation on the data to be accessed through the access module 905 according to the first permission information. Because the first permission information indicates the access operations that the first client can perform on the data to be accessed, the first client's access rights to the data to be accessed can be controlled to prevent the first client from illegally sending the data to be accessed to other users, which reduces the risk of data leakage and improves the privacy and security of the data.
Optionally, the first obtaining module 903 includes:
a first obtaining unit, configured to obtain second key information when the first key information passes verification by the storage server;
a second obtaining unit, configured to obtain the first encrypted data packet from the storage server according to the first address information;
The decryption module 904 includes:
a decryption unit, configured to decrypt the first encrypted data packet using the second key information to obtain the data to be accessed.
Optionally, the device further includes any one of the following:
a deletion module, configured to delete the data to be accessed and the first encrypted data packet after the access operation is terminated;
a repackaging module, configured to, after the access operation is terminated, encapsulate the data to be accessed based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet to obtain a second encrypted data packet, and store the second encrypted data packet.
Referring to FIG. 10, an embodiment of the present application further provides a data sharing device 1000. The data sharing device 1000 may be a second client, and the device includes:
a second obtaining module 1001, configured to obtain second storage information of the data to be shared, where the second storage information indicates the information corresponding to the storage of the data to be shared on the storage server;
a second sending module 1002, configured to send a data sharing request to the server, where the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
a first generation module 1003, configured to generate a third encrypted data packet based on the metadata of the data to be shared and the data to be shared;
a first storage module 1004, configured to store, according to the second storage information, the third encrypted data packet and the key information corresponding to the third encrypted data packet on the storage server.
Optionally, the first generation module 1003 includes:
a first generating unit, configured to generate first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data packet, and second address information indicating a second smart contract;
where the second address information is sent by the server, the second smart contract belongs to a second block in the blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information, the third storage information being used to obtain the data to be shared from the storage server, and the second permission information being used to indicate the access operations that can be performed on the data to be shared;
a second generating unit, configured to generate the metadata of the data to be shared according to the first data information and the second client's digital signature over the first data information;
an encapsulating unit, configured to encapsulate the metadata of the data to be shared and the data to be shared to obtain the third encrypted data packet.
Referring to FIGS. 11-13, an embodiment of the present application further provides a data sharing device applied to the server, and the device includes:
a second receiving module 1101, configured to receive a data access request sent by the first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
a third sending module 1102, configured to send, when the first client satisfies the access conditions of the first smart contract, the first storage information and the first permission information to the first client according to the first smart contract;
where the first smart contract belongs to the first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
And/or includes:
a third receiving module 1203, configured to receive a data sharing request sent by the second client, where the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
a second generation module 1204, configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
a third generation module 1205, configured to generate a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, third storage information and the second permission information are output, the third storage information being used to obtain the data to be shared from the storage server.
Optionally, the second generation module 1204 includes:
a third generating unit, configured to generate an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
a third obtaining unit, configured to obtain the second permission information from the access permission list when a permission request associated with the second permission information is received.
As shown in FIG. 11 to FIG. 13, the data sharing device 1100, the data sharing device 1200 and the data sharing device 1300 may each be the above data sharing device applied to the server.
The data sharing device in the embodiments of the present application may be a device, or may be a component, an integrated circuit, or a chip in a terminal. The device may be a mobile electronic device or a non-mobile electronic device. By way of example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a handheld computer, an in-vehicle electronic device, a wearable device, an ultra-mobile personal computer (UMPC), a netbook, or a personal digital assistant (PDA), and the non-mobile electronic device may be a server, network attached storage (NAS), a personal computer (PC), a television (TV), a teller machine, or a self-service machine; the embodiments of the present application impose no specific limitation.
The data sharing device in the embodiments of the present application may be a device with an operating system. The operating system may be the Android operating system, the iOS operating system, or another possible operating system; the embodiments of the present application impose no specific limitation.
The data sharing device provided by the embodiments of the present application can implement each process implemented by the method embodiments of FIG. 1 to FIG. 8. To avoid repetition, details are not repeated here.
Optionally, as shown in FIG. 14, an embodiment of the present application further provides an electronic device 1400, including a processor 1401, a memory 1402, and a program or instructions stored in the memory 1402 and executable on the processor 1401. When the program or instructions are executed by the processor 1401, each process of the above data sharing method embodiments is implemented and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
It should be noted that the electronic devices in the embodiments of the present application include the mobile electronic devices and non-mobile electronic devices described above.
FIG. 15 is a schematic diagram of the hardware structure of an electronic device implementing an embodiment of the present application.
The electronic device 1500 may be the first client, the second client and the server. The electronic device 1500 includes, but is not limited to, components such as a radio frequency unit 1501, a network module 1502, an audio output unit 1503, an input unit 1504, a sensor 1505, a display unit 1506, a user input unit 1507, an interface unit 1508, a memory 1509, and a processor 1510.
Those skilled in the art will understand that the electronic device 1500 may further include a power supply (such as a battery) that supplies power to the components. The power supply may be logically connected to the processor 1510 through a power management system, so that functions such as charging management, discharging management, and power consumption management are implemented through the power management system. The structure of the electronic device shown in FIG. 15 does not limit the electronic device; the electronic device may include more or fewer components than shown, combine certain components, or arrange the components differently, and details are not repeated here.
When the electronic device 1500 is the first client, the radio frequency unit 1501 is configured to send a data access request to the server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
and is further configured to receive the first storage information and the first permission information sent by the server based on the first smart contract, where the first smart contract belongs to the first block in the blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
the processor 1510 is configured to obtain the first encrypted data packet from the storage server according to the first storage information;
and is further configured to decrypt the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and the metadata of the data to be accessed;
and is further configured to perform an access operation on the data to be accessed according to the first permission information.
Optionally, the processor 1510 is further configured to obtain second key information when the first key information passes verification by the storage server;
the processor 1510 is further configured to obtain the first encrypted data packet from the storage server according to the first address information;
the processor 1510 is further configured to decrypt the first encrypted data packet using the second key information to obtain the data to be accessed.
Optionally, the processor 1510 is further configured to delete the data to be accessed and the first encrypted data packet after the access operation is terminated;
the processor 1510 is further configured to, after the access operation is terminated, encapsulate the data to be accessed based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet to obtain a second encrypted data packet, and store the second encrypted data packet.
When the electronic device 1500 is the second client, the processor 1510 is configured to obtain second storage information of the data to be shared, where the second storage information indicates the information corresponding to the storage of the data to be shared on the storage server;
the radio frequency unit 1501 is configured to send a data sharing request to the server, where the data sharing request carries second data sharing information and the digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
the processor 1510 is further configured to generate a third encrypted data packet based on the metadata of the data to be shared and the data to be shared;
the processor 1510 is further configured to store, according to the second storage information, the third encrypted data packet and the key information corresponding to the third encrypted data packet on the storage server.
Optionally, the processor 1510 is further configured to generate first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data packet, and second address information indicating a second smart contract;
where the second address information is sent by the server, the second smart contract belongs to a second block in the blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are satisfied, the server outputs third storage information and second permission information, the third storage information being used to obtain the data to be shared from the storage server, and the second permission information being used to indicate the access operations that can be performed on the data to be shared;
the processor 1510 is further configured to generate the metadata of the data to be shared according to the first data information and the second client's digital signature over the first data information;
the processor 1510 is further configured to encapsulate the metadata of the data to be shared and the data to be shared to obtain the third encrypted data packet.
When the electronic device 1500 is the server, the processor 1510 is configured to receive a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
The radio frequency unit 1501 is configured to send first storage information and first permission information to the first client according to a first smart contract when the first client meets the access conditions of the first smart contract;
where the first smart contract belongs to a first block in the blockchain, the first storage information is used to obtain the data to be accessed from the storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed.
And/or:
The radio frequency unit 1501 is configured to receive a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
The processor 1510 is configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
The processor 1510 is further configured to generate a second block according to the second data sharing information and the digital signature of the second client;
where the second block includes a second smart contract, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are met, third storage information and the second permission information are output; the third storage information is used to obtain the data to be shared from the storage server.
Optionally, the processor 1510 is further configured to generate an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
The processor 1510 is further configured to obtain the second permission information from the access permission list when a permission request associated with the second permission information is received.
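The exchange described above (share request, block generation, access request, key check at the storage server, permission check at the client), as an added Python sketch that is not code from the patent. All class, function and field names are hypothetical. Assumptions: the contract's access condition is membership in the access permission list, the first key information is a random token, and encryption and signature verification are left out, so the packet and signature are opaque constructed values.

```python
import hashlib
import hmac
import json
import secrets


def _tag(first_key):
    return hashlib.sha256(first_key.encode()).digest()


class StorageServer:
    """Holds encrypted packets; releases them only after verifying first key information."""

    def __init__(self):
        self._slots = {}  # address -> {"tag", "packet", "second_key"}

    def allocate(self):
        # Second storage information handed to the sharing (second) client.
        address, first_key = secrets.token_hex(8), secrets.token_hex(16)
        self._slots[address] = {"tag": _tag(first_key), "packet": None, "second_key": None}
        return {"address": address, "first_key": first_key}

    def _verified_slot(self, address, first_key):
        slot = self._slots.get(address)
        # Constant-time comparison; unknown address and wrong key raise the same error.
        if slot is None or not hmac.compare_digest(slot["tag"], _tag(first_key)):
            raise PermissionError("first key information rejected")
        return slot

    def store(self, info, packet, second_key):
        slot = self._verified_slot(info["address"], info["first_key"])
        slot["packet"], slot["second_key"] = packet, second_key

    def fetch(self, address, first_key):
        slot = self._verified_slot(address, first_key)
        return slot["second_key"], slot["packet"]


class Server:
    """Turns share requests into hash-chained blocks and evaluates their contracts."""

    def __init__(self):
        self.chain = []      # list of block dicts
        self._by_data = {}   # data id -> block

    def handle_share_request(self, sharing_info, signature):
        # Access permission list derived from the second data sharing information.
        acl = {cid: frozenset(ops) for cid, ops in sharing_info["grants"].items()}
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = json.dumps([prev, sharing_info, signature], sort_keys=True)
        block = {
            "hash": hashlib.sha256(body.encode()).hexdigest(),
            "prev": prev,
            "contract": {"acl": acl, "storage_info": sharing_info["storage"]},
        }
        self.chain.append(block)
        self._by_data[sharing_info["data_id"]] = block
        return block["hash"]

    def handle_access_request(self, client_id, data_id):
        block = self._by_data.get(data_id)
        # Assumed access condition: the requester appears in the permission list.
        if block is None or client_id not in block["contract"]["acl"]:
            raise PermissionError("contract access conditions not met")
        contract = block["contract"]
        return contract["storage_info"], contract["acl"][client_id]


def access(server, storage, client_id, data_id, operation):
    """First-client flow: ask the server, fetch the packet, then act within the grant."""
    storage_info, permissions = server.handle_access_request(client_id, data_id)
    second_key, packet = storage.fetch(storage_info["address"], storage_info["first_key"])
    if operation not in permissions:
        raise PermissionError(f"{operation!r} not granted")
    return second_key, packet  # decryption with second_key is outside this sketch


def run_demo():
    server, storage = Server(), StorageServer()
    info = storage.allocate()
    # Constructed sample values, not taken from the patent.
    sharing_info = {"data_id": "doc-42", "grants": {"client-1": ["read"]}, "storage": info}
    server.handle_share_request(sharing_info, "constructed-signature")
    storage.store(info, b"constructed-ciphertext", "constructed-second-key")

    outcomes = {"granted": access(server, storage, "client-1", "doc-42", "read")}
    attempts = {
        "stranger": lambda: access(server, storage, "client-9", "doc-42", "read"),
        "write": lambda: access(server, storage, "client-1", "doc-42", "write"),
        "bad_key": lambda: storage.fetch(info["address"], "guessed-key"),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            outcomes[name] = "allowed"
        except PermissionError as exc:
            outcomes[name] = str(exc)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

In this sketch the operation check runs on the client after the packet and key have been released, so it only constrains a client that honours the permission information; the server and storage server checks are the ones that hold against an uncooperative requester.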
Since the electronic device 1500 adopts all the technical solutions of the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not repeated here.
It should be understood that, in the embodiments of the present application, the input unit 1504 may include a graphics processing unit (GPU) 15041 and a microphone 15042. The graphics processing unit 15041 processes image data of still pictures or video obtained by an image capture device (such as a camera) in a video capture mode or an image capture mode. The display unit 1506 may include a display panel 15061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 1507 includes a touch panel 15071 and other input devices 15072. The touch panel 15071 is also called a touch screen and may include two parts: a touch detection device and a touch controller. The other input devices 15072 may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, and a joystick, which are not described in detail here. The memory 1509 can be used to store software programs and various data, including but not limited to application programs and an operating system. The processor 1510 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 1510.
An embodiment of the present application further provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, each process of the above data sharing method embodiments is implemented and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
The processor is the processor in the electronic device described in the above embodiments. The readable storage medium includes a computer-readable storage medium, such as a computer read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
An embodiment of the present application further provides a chip. The chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to run a program or instructions to implement each process of the above data sharing method embodiments, with the same technical effect. To avoid repetition, details are not repeated here.
It should be understood that the chip mentioned in the embodiments of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.
The present application further provides a computer program product. The computer program product is stored in a non-volatile storage medium and is executed by at least one processor to implement each process of the above data sharing method embodiments, with the same technical effect. To avoid repetition, details are not repeated here.
The present application further provides a communication device configured to execute each process of the above data sharing method embodiments, with the same technical effect. To avoid repetition, details are not repeated here.
It should be noted that, in this document, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises that element. In addition, it should be pointed out that the scope of the methods and apparatuses in the embodiments of the present application is not limited to performing functions in the order shown or discussed; it may also include performing functions in a substantially simultaneous manner or in the reverse order, depending on the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Features described with reference to certain examples may also be combined in other examples.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a computer software product. The computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause a terminal (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific implementations described above. Those implementations are illustrative rather than restrictive. Inspired by the present application, those of ordinary skill in the art may devise many other forms without departing from the purpose of the present application and the scope protected by the claims, all of which fall within the protection of the present application.

Claims (19)

  1. A data sharing method, applied to a first client, the method comprising:
    sending a data access request to a server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
    receiving first storage information and first permission information sent by the server based on a first smart contract, where the first smart contract belongs to a first block in a blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
    obtaining a first encrypted data packet from a storage server according to the first storage information;
    decrypting the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed;
    performing an access operation on the data to be accessed according to the first permission information.
  2. The method according to claim 1, wherein the first storage information includes first key information and first address information, and obtaining the first encrypted data packet from the storage server according to the first storage information comprises:
    obtaining second key information when the first key information passes verification by the storage server;
    obtaining the first encrypted data packet from the storage server according to the first address information;
    and decrypting the first encrypted data packet to obtain the data to be accessed comprises:
    decrypting the first encrypted data packet by using the second key information to obtain the data to be accessed.
  3. The method according to claim 1, wherein, after the step of performing an access operation on the data to be accessed according to the first permission information, the method further comprises any one of the following:
    after the access operation is terminated, deleting the data to be accessed and the first encrypted data packet;
    after the access operation is terminated, encapsulating the data to be accessed, based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet, to obtain a second encrypted data packet, and storing the second encrypted data packet.
  4. A data sharing method, applied to a second client, the method comprising:
    obtaining second storage information of the data to be shared, where the second storage information indicates information corresponding to the storage of the data to be shared in a storage server;
    sending a data sharing request to a server, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
    generating a third encrypted data packet based on metadata of the data to be shared and the data to be shared;
    storing, in the storage server according to the second storage information, the third encrypted data packet and key information corresponding to the third encrypted data packet.
  5. The method according to claim 4, wherein generating the third encrypted data packet based on the metadata of the data to be shared and the data to be shared comprises:
    generating first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data packet, and second address information indicating a second smart contract;
    where the second address information is sent by the server, the second smart contract belongs to a second block in a blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are met, the server outputs third storage information and second permission information; the third storage information is used to obtain the data to be shared from the storage server, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
    generating the metadata of the data to be shared according to the first data information and the digital signature of the second client on the first data information;
    encapsulating the metadata of the data to be shared and the data to be shared to obtain the third encrypted data packet.
  6. A data sharing method, applied to a server, the method comprising:
    receiving a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
    when the first client meets the access conditions of a first smart contract, sending first storage information and first permission information to the first client according to the first smart contract;
    where the first smart contract belongs to a first block in a blockchain, the first storage information is used to obtain the data to be accessed from a storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed;
    and/or,
    receiving a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
    generating second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
    generating a second block according to the second data sharing information and the digital signature of the second client;
    where the second block includes a second smart contract, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are met, third storage information and the second permission information are output; the third storage information is used to obtain the data to be shared from the storage server.
  7. The method according to claim 6, wherein generating the second permission information according to the second data sharing information comprises:
    generating an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
    obtaining the second permission information from the access permission list when a permission request associated with the second permission information is received.
  8. A data sharing apparatus, applied to a first client, the apparatus comprising:
    a first sending module, configured to send a data access request to a server, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
    a first receiving module, configured to receive first storage information and first permission information sent by the server based on a first smart contract, where the first smart contract belongs to a first block in a blockchain, and the first permission information is used to indicate the access operations that the first client can perform on the data to be accessed;
    a first obtaining module, configured to obtain a first encrypted data packet from a storage server according to the first storage information;
    a decryption module, configured to decrypt the first encrypted data packet to obtain the data to be accessed, where the first encrypted data packet is generated based on the data to be accessed and metadata of the data to be accessed;
    an access module, configured to perform an access operation on the data to be accessed according to the first permission information.
  9. The apparatus according to claim 8, wherein the first storage information includes first key information and first address information, and the first obtaining module comprises:
    a first obtaining unit, configured to obtain second key information when the first key information passes verification by the storage server;
    a second obtaining unit, configured to obtain the first encrypted data packet from the storage server according to the first address information;
    and the decryption module comprises:
    a decryption unit, configured to decrypt the first encrypted data packet by using the second key information to obtain the data to be accessed.
  10. The apparatus according to claim 8, wherein the apparatus further comprises any one of the following:
    a deletion module, configured to delete the data to be accessed and the first encrypted data packet after the access operation is terminated;
    a re-encapsulation module, configured to, after the access operation is terminated, encapsulate the data to be accessed, based on the data to be accessed and the metadata of the data to be accessed in the first encrypted data packet, to obtain a second encrypted data packet, and store the second encrypted data packet.
  11. A data sharing apparatus, applied to a second client, the apparatus comprising:
    a second obtaining module, configured to obtain second storage information of the data to be shared, where the second storage information indicates information corresponding to the storage of the data to be shared in the storage server;
    a second sending module, configured to send a data sharing request to a server, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is generated based on the second storage information and is used to describe the data to be shared;
    a first generating module, configured to generate a third encrypted data packet based on metadata of the data to be shared and the data to be shared;
    a first storage module, configured to store, in the storage server according to the second storage information, the third encrypted data packet and key information corresponding to the third encrypted data packet.
  12. The apparatus according to claim 11, wherein the first generating module comprises:
    a first generating unit, configured to generate first data information corresponding to the data to be shared, where the first data information includes at least one of the following: a first identifier indicating the second client, a second identifier indicating the third encrypted data packet, and second address information indicating a second smart contract;
    where the second address information is sent by the server, the second smart contract belongs to a second block in a blockchain, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are met, the server outputs third storage information and second permission information; the third storage information is used to obtain the data to be shared from the storage server, and the second permission information is used to indicate the access operations that can be performed on the data to be shared;
    a second generating unit, configured to generate the metadata of the data to be shared according to the first data information and the digital signature of the second client on the first data information;
    an encapsulating unit, configured to encapsulate the metadata of the data to be shared and the data to be shared to obtain the third encrypted data packet.
  13. A data sharing apparatus, applied to a server, the apparatus comprising:
    a second receiving module, configured to receive a data access request sent by a first client, where the data access request carries first data sharing information, and the first data sharing information is associated with the data to be accessed;
    a third sending module, configured to send first storage information and first permission information to the first client according to a first smart contract when the first client meets the access conditions of the first smart contract;
    where the first smart contract belongs to a first block in a blockchain, the first storage information is used to obtain the data to be accessed from a storage server, and the first permission information indicates the access operations that the first client can perform on the data to be accessed;
    and/or,
    a third receiving module, configured to receive a data sharing request sent by a second client, where the data sharing request carries second data sharing information and a digital signature of the second client, and the second data sharing information is used to describe the data to be shared;
    a second generating module, configured to generate second permission information according to the second data sharing information, where the second permission information is used to indicate the access operations that can be performed on the data to be shared;
    a third generating module, configured to generate a second block according to the second data sharing information and the digital signature of the second client;
    where the second block includes a second smart contract, and the second smart contract is used to indicate that, when the access conditions of the second smart contract are met, third storage information and the second permission information are output; the third storage information is used to obtain the data to be shared from the storage server.
  14. The apparatus according to claim 13, wherein the second generating module comprises:
    a third generating unit, configured to generate an access permission list according to the second data sharing information, where the access permission list includes the second permission information;
    a third obtaining unit, configured to obtain the second permission information from the access permission list when a permission request associated with the second permission information is received.
  15. An electronic device, comprising a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the data sharing method according to at least one of the following:
    the steps of the data sharing method according to claims 1-3;
    the steps of the data sharing method according to claims 4-5;
    the steps of the data sharing method according to claims 6-7.
  16. A readable storage medium storing a program or instructions, wherein the program or instructions, when executed by a processor, implement the steps of the data sharing method according to at least one of the following:
    the steps of the data sharing method according to claims 1-3;
    the steps of the data sharing method according to claims 4-5;
    the steps of the data sharing method according to claims 6-7.
  17. A chip, comprising a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is configured to run a program or instructions to implement the steps of the data sharing method according to at least one of the following:
    the steps of the data sharing method according to claims 1-3;
    the steps of the data sharing method according to claims 4-5;
    the steps of the data sharing method according to claims 6-7.
  18. A computer program product, stored in a non-volatile storage medium, wherein the computer program product, when executed by at least one processor, implements the steps of the data sharing method according to at least one of the following:
    the steps of the data sharing method according to claims 1-3;
    the steps of the data sharing method according to claims 4-5;
    the steps of the data sharing method according to claims 6-7.
  19. A communication device, configured to perform the steps of the data sharing method according to at least one of the following:
    the steps of the data sharing method according to claims 1-3;
    the steps of the data sharing method according to claims 4-5;
    the steps of the data sharing method according to claims 6-7.
PCT/CN2022/116520 2021-09-03 2022-09-01 Data sharing method and electronic device WO2023030450A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111031567.1 2021-09-03
CN202111031567.1A CN113704210A (en) 2021-09-03 2021-09-03 Data sharing method and electronic equipment

Publications (1)

Publication Number Publication Date
WO2023030450A1 true WO2023030450A1 (en) 2023-03-09

Family

ID=78659134

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/116520 WO2023030450A1 (en) 2021-09-03 2022-09-01 Data sharing method and electronic device

Country Status (2)

Country Link
CN (1) CN113704210A (en)
WO (1) WO2023030450A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116303310A (en) * 2023-05-12 2023-06-23 山东恒远智能科技有限公司 Data sharing method and system of industrial Internet
CN117319084A (en) * 2023-11-28 2023-12-29 遂宁市中心医院 Medical examination data sharing method and system based on cloud authentication

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113704210A (en) * 2021-09-03 2021-11-26 维沃移动通信有限公司 Data sharing method and electronic equipment
CN115021959A (en) * 2022-04-26 2022-09-06 河北雄安火树科技有限公司 Block chain-based data management method and related product
CN114884939A (en) * 2022-05-07 2022-08-09 中国银行股份有限公司 Screen sharing method, device and system
CN114866615A (en) * 2022-05-24 2022-08-05 深圳点宽网络科技有限公司 Service calling method, device and system based on block chain and electronic equipment
CN115580440A (en) * 2022-09-19 2023-01-06 中国银联股份有限公司 Data sharing system, method, device, equipment and medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429994A (en) * 2015-12-10 2016-03-23 黄信开 Smart phone privacy protection method based on distributed cloud storage
CN105704085A (en) * 2014-11-24 2016-06-22 国际商业机器公司 Method and apparatus for information sharing
CN110677411A (en) * 2019-09-27 2020-01-10 浙江宇视科技有限公司 Data sharing method and system based on cloud storage
CN111143870A (en) * 2019-12-30 2020-05-12 兴唐通信科技有限公司 Distributed encryption storage device, system and encryption and decryption method
CN111526197A (en) * 2020-04-24 2020-08-11 远光软件股份有限公司 Cloud data secure sharing method
CN111797415A (en) * 2020-06-30 2020-10-20 远光软件股份有限公司 Block chain based data sharing method, electronic device and storage medium
WO2021139338A1 (en) * 2020-07-31 2021-07-15 平安科技(深圳)有限公司 Data access permission verification method and apparatus, computer device, and storage medium
CN113228011A (en) * 2018-12-29 2021-08-06 上海诺基亚贝尔股份有限公司 Data sharing
CN113704210A (en) * 2021-09-03 2021-11-26 维沃移动通信有限公司 Data sharing method and electronic equipment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704085A (en) * 2014-11-24 2016-06-22 国际商业机器公司 Method and apparatus for information sharing
CN105429994A (en) * 2015-12-10 2016-03-23 黄信开 Smart phone privacy protection method based on distributed cloud storage
CN113228011A (en) * 2018-12-29 2021-08-06 上海诺基亚贝尔股份有限公司 Data sharing
CN110677411A (en) * 2019-09-27 2020-01-10 浙江宇视科技有限公司 Data sharing method and system based on cloud storage
CN111143870A (en) * 2019-12-30 2020-05-12 兴唐通信科技有限公司 Distributed encryption storage device, system and encryption and decryption method
CN111526197A (en) * 2020-04-24 2020-08-11 远光软件股份有限公司 Cloud data secure sharing method
CN111797415A (en) * 2020-06-30 2020-10-20 远光软件股份有限公司 Block chain based data sharing method, electronic device and storage medium
WO2021139338A1 (en) * 2020-07-31 2021-07-15 平安科技(深圳)有限公司 Data access permission verification method and apparatus, computer device, and storage medium
CN113704210A (en) * 2021-09-03 2021-11-26 维沃移动通信有限公司 Data sharing method and electronic equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116303310A (en) * 2023-05-12 2023-06-23 山东恒远智能科技有限公司 Data sharing method and system of industrial Internet
CN117319084A (en) * 2023-11-28 2023-12-29 遂宁市中心医院 Medical examination data sharing method and system based on cloud authentication
CN117319084B (en) * 2023-11-28 2024-01-30 遂宁市中心医院 Medical examination data sharing method and system based on cloud authentication

Also Published As

Publication number Publication date
CN113704210A (en) 2021-11-26

Similar Documents

Publication Publication Date Title
WO2023030450A1 (en) Data sharing method and electronic device
CN109144961B (en) Authorization file sharing method and device
CN103379098B (en) Content sharing method, device and network system thereof
US7913309B2 (en) Information rights management
WO2023005838A1 (en) Data sharing method and electronic device
US9270447B2 (en) Demand based encryption and key generation and distribution systems and methods
US9003189B2 (en) Trusted third party client authentication
CN109104281A (en) Tokenized hardware security module
US20080154782A1 (en) Apparatus, method and system for protecting personal information
US20130275765A1 (en) Secure digital document distribution with real-time sender control of recipient document content access rights
CN110611657A (en) File stream processing method, device and system based on block chain
CN109583891B (en) Information processing method, device and storage medium
EP3920056B1 (en) Digital artwork display device, management method, and electronic device
US20230095123A1 (en) Systems and Methods for Digitally Signed Contracts with Verifiable Credentials
US11841960B1 (en) Systems and processes for providing secure client controlled and managed exchange of data between parties
Wang et al. CS-DRM: a cloud-based SIM DRM scheme for mobile internet
CN107920060A (en) Data access method and device based on account
US11556959B2 (en) Internet data usage control system
WO2023244993A1 (en) Systems and methods for mitigating network congestion on blockchain networks by supporting blockchain operations through off-chain interactions
US10853898B1 (en) Method and apparatus for controlled messages
JP5678150B2 (en) User terminal, key management system, and program
Yen et al. Transparent digital rights management system with superdistribution
KR100706085B1 (en) Method for applying digital rights management to multi devices
KR100747451B1 (en) Apparatus and method for digital rights management
CN114666119B (en) Data processing method, device, electronic equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22863585

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE