
CN108683626B - Data access control method and device - Google Patents


Info

Publication number
CN108683626B
Authority
CN
China
Prior art keywords
data
authorization
determining
data access
different
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810214046.1A
Other languages
Chinese (zh)
Other versions
CN108683626A (en
Inventor
迟祥
宋文鹏
赵阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baibao Shanghai Technology Co ltd
Zhongan Information Technology Service Co Ltd
Original Assignee
Baibao Shanghai Technology Co ltd
Zhongan Information Technology Service Co Ltd
Application filed by Baibao Shanghai Technology Co ltd, Zhongan Information Technology Service Co Ltd
Priority to CN201810214046.1A
Publication of CN108683626A
Application granted
Publication of CN108683626B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0464 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/105 Multiple levels of security
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data access control method and device, belonging to the technical field of data security. The method comprises the following steps: setting an authorization condition for data access; determining a data access request that meets the authorization condition; and performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition; wherein there are one or more authorization conditions and the data is stored in a blockchain network. The invention achieves security isolation of the data and precise control of secure access, meets users' various access requirements for the data, and at the same time avoids, to a certain extent, risks such as malicious access to and tampering with the data; it overcomes the corresponding defects in the prior art and has good application prospects.

Description

Data access control method and device
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data access control method and apparatus.
Background
Blockchain technology is an emerging technology that has appeared in the field of financial technology (FinTech) in recent years. It has the distinctive properties of decentralization, tamper resistance of information, collective maintenance by multiple nodes, openness and privacy protection, and can record and provide credible transaction data on an untrusted internet. A blockchain mainly comprises four components: a P2P network, cryptography, a consensus mechanism and smart contracts; the integration of techniques from these four fields guarantees its distinctive characteristics.
In today's era of rapid network development, data access is ubiquitous. However, data access currently has the following drawbacks: access is gained maliciously without authorization, network information is maliciously tampered with, data is maliciously accessed, and bad information is left behind after the data is accessed, all of which affect the security of data access.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present invention provide a data access control method and apparatus. The technical scheme is as follows:
In a first aspect, a data access control method is provided, the method including: setting an authorization condition for data access; determining a data access request that meets the authorization condition; and performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition; wherein there are one or more authorization conditions and the data is stored in a blockchain network.
With reference to the first aspect, in a first possible implementation manner, setting an authorization condition for data access includes: determining a rule for verifying the valid account information of a user to be authorized; and/or determining authorization rules with different authorization degrees for different authorized users; and/or determining authorization rules with different authorization fees for different authorized users; and/or determining authorization rules with different authorization durations for different authorized users; and/or determining authorization rules with different numbers of authorized accesses for different authorized users.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner, determining the rule for verifying the valid account information of a user to be authorized includes: verifying the legitimacy of the authorized user according to asymmetric-encryption key verification and/or the account address.
With reference to the first possible implementation manner of the first aspect, in a third possible implementation manner, determining authorization rules with different authorization degrees for different authorized users includes: granting different authorized users different authorization degrees according to different data application permission settings, wherein the application permissions include downloading and/or browsing.
With reference to the first possible implementation manner of the first aspect, in a fourth possible implementation manner, determining authorization rules with different authorization fees for different authorized users includes: granting different authorized users different authorization fee conditions, including paid or free, according to point-to-point token payment.
With reference to the first possible implementation manner of the first aspect, in a fifth possible implementation manner, determining authorization rules with different authorization durations for different authorized users includes: granting different authorized users different authorization durations according to a validity period locked by a smart contract, wherein the authorization duration is a time period in units of hours, days or months, and other time units can also be customized.
With reference to the first possible implementation manner of the first aspect, in a sixth possible implementation manner, determining authorization rules with different numbers of authorized accesses for different authorized users includes: granting different authorized users different numbers of authorized accesses according to the query count traced by the data application layer.
With reference to the first possible implementation manner of the first aspect, in a seventh possible implementation manner, determining a data access request that meets the authorization condition includes: determining the data access request that meets the authorization condition according to asymmetric-encryption key verification, verification by a multilayer asymmetric-encryption key system, and/or account address verification.
With reference to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner, determining, according to asymmetric-encryption key verification, a data access request that meets the authorization condition includes: encrypting data with the public key of an asymmetric key pair and verifying with the private key of the key pair, to determine the data access request that meets the authorization condition.
With reference to the first aspect, in a ninth possible implementation manner, performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition includes: acquiring the data corresponding to the data application request stored in the blockchain network, and encrypting the data; and decrypting the data and performing the data application operation of the data access request.
With reference to the first aspect and the first to ninth possible implementation manners of the first aspect, in eleventh to twentieth possible implementation manners, performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition includes: extracting the data corresponding to the data access request from the blockchain network and decrypting it to obtain the data plaintext; encrypting the data plaintext again with the public key of a key pair to obtain an encrypt(data) file; storing the encrypt(data) file in a middleware database; and decrypting the encrypt(data) file stored in the middleware database with the private key of the data access request to obtain the data plaintext, and accessing the data.
With reference to the eleventh to twentieth possible implementation manners of the first aspect, in twenty-first to thirtieth possible implementation manners, setting an authorization condition for data access includes: determining timeliness rules for the encrypt(data) files stored in the middleware database, and setting the authorization condition for data access according to the timeliness rules.
With reference to the eleventh to twentieth possible implementation manners of the first aspect, in thirty-first to fortieth possible implementation manners, setting an authorization condition for data access includes: determining an identification rule that uniquely identifies the request path of the data access request in the blockchain network, and setting the authorization condition for data access according to the identification rule.
In a second aspect, a data access control device is provided, including: a setting module for setting the authorization condition for data access; a determining module for determining the data access request that meets the authorization condition; and an authorization operation module for performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition; wherein there are one or more authorization conditions and the data is stored in a blockchain network.
With reference to the second aspect, in a first possible implementation manner, the setting module includes: a first determining module for determining a rule for verifying the valid account information of a user to be authorized; a second determining module for determining authorization rules with different authorization degrees for different authorized users; a third determining module for determining authorization rules with different authorization fees for different authorized users; a fourth determining module for determining authorization rules with different authorization durations for different authorized users; and a fifth determining module for determining authorization rules with different numbers of authorized accesses for different authorized users.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner, the determining module is configured to: determine the data access request that meets the authorization condition according to asymmetric-encryption key verification, verification by a multilayer asymmetric-encryption key system, and/or account address verification.
With reference to the second aspect, in a third possible implementation manner, the authorization operation module includes: an acquisition module that acquires the data corresponding to the data application request stored in the blockchain network; an encryption module that encrypts the acquired data; and a decryption module for decrypting the data and performing the data application operation of the data access request.
With reference to the first to third possible implementation manners of the second aspect, in fourth to sixth possible implementation manners, the authorization operation module is configured to: extract the data corresponding to the data access request from the blockchain network and decrypt it to obtain the data plaintext; encrypt the data plaintext again with the public key of a key pair to obtain an encrypt(data) file; store the encrypt(data) file in a middleware database; and decrypt the encrypt(data) file stored in the middleware database with the private key of the data access request to obtain the data plaintext, and access the data.
With reference to the fourth to sixth possible implementation manners of the second aspect, in seventh to ninth possible implementation manners, the setting module further includes: a sixth determining module for determining timeliness rules for the encrypt(data) files stored in the middleware database and setting the authorization condition for data access according to the timeliness rules.
With reference to the seventh to ninth possible implementation manners of the second aspect, in tenth to twelfth possible implementation manners, the setting module further includes: a seventh determining module for determining an identification rule that uniquely identifies the request path of the data access request in the blockchain network, and setting the authorization condition for data access according to the identification rule.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
1. By setting multiple authorization conditions for data access and retrieving data from the blockchain network at access time, various data access controls such as account limits and time limits are applied to users who do not need to access; security isolation of the data and precise control of secure access are achieved while different users' access requirements are met, and risks such as malicious access to and tampering with the data are avoided to a certain extent;
2. Through asymmetric-encryption key verification and/or the account address, different data application permission settings, point-to-point token payment, smart-contract-locked validity periods, query tracing by the data application layer and the like, control over multiple data access requirements (limited accounts, limited times, limited accounts, limited application types and limited fee use modes) is better achieved, and the user experience of data access is improved;
3. The data corresponding to the data access request is decrypted and then encrypted again: the data plaintext is encrypted with the public key of the key pair to obtain the encrypt(data) file, the encrypt(data) file is stored in the middleware database, and the encrypt(data) file stored in the middleware database is decrypted with the private key of the data access request to obtain the data plaintext and access the data. With authorization constrained layer by layer by the authorization conditions, the data access user can obtain the required data more securely, and the security of the accessed data is improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings based on them without creative effort.
Fig. 1 is a flowchart of a data access control method provided in embodiment 1 of the present invention;
Fig. 2 is a flowchart of a data access control method provided in embodiment 2 of the present invention;
Fig. 3 is a detailed flowchart of step 28 of Fig. 2;
Fig. 4 is a schematic structural diagram of a data access control device according to an embodiment of the present invention;
Fig. 5 is a schematic view of an application example service flow of the data access control method and apparatus provided in the embodiment of the present invention;
Fig. 6 is a schematic diagram of an application example technical architecture of a data access control method and apparatus provided in an embodiment of the present invention;
Fig. 7 is a schematic diagram of a specific operation flow of an application example of the data access control method and apparatus provided in the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
It should be noted that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the embodiment of the invention, an authorization condition for data access is set for users accessing data stored in the blockchain network, the data access request that meets the authorization condition is determined, and the authorization operation of the data application corresponding to the authorization condition is performed according to the data access request. This achieves security isolation of the data and precise control of secure access, meets users' various access requirements for the data, avoids, to a certain extent, risks such as malicious access to and tampering with the data, overcomes the corresponding defects in the prior art, and has good application prospects.
Example 1
Fig. 1 is a flowchart of a data access control method according to embodiment 1 of the present invention. As shown in fig. 1, an embodiment of the present invention provides a data access control method, where the method includes the following steps:
11. Setting authorization conditions for data access, wherein the authorization conditions comprise one or more authorization conditions capable of meeting the different access requirements of users accessing the data, and the data accessed by the users is stored in the blockchain network.
Specifically, the setting of the authorization condition for data access includes the following items:
determining a rule for verifying the valid account information of a user to be authorized; and/or determining authorization rules with different authorization degrees for different authorized users; and/or determining authorization rules with different authorization fees for different authorized users; and/or determining authorization rules with different authorization durations for different authorized users; and/or determining authorization rules with different numbers of authorized accesses for different authorized users.
The rule for verifying the valid account information of a user to be authorized can be determined as follows: the legitimacy of the authorized user is verified according to asymmetric-encryption key verification and/or the account address.
The authorization rules with different authorization degrees for different authorized users can be determined as follows: different authorized users are granted different authorization degrees according to different data application permission settings, wherein the application permissions include downloading and/or browsing.
The authorization rules with different authorization fee conditions for different authorized users can be determined as follows: different authorized users are granted different authorization fee conditions, including paid or free, according to point-to-point token payment. The payment method is not limited to point-to-point payment in the blockchain network; point-to-point token payment in the blockchain network is preferred, and other payment methods can be connected through the application layer.
The authorization rules with different authorization durations for different authorized users can be determined as follows: different authorized users are granted different authorization durations according to a validity period locked by a smart contract, wherein the authorization duration is a time period in units of hours, days or months, or in other customized time units.
The authorization rules with different numbers of authorized accesses for different authorized users can be determined as follows: different authorized users are granted different numbers of authorized accesses according to the query count traced by the data application layer.
12. Determining the data access request that meets the authorization condition.
Specifically, the data access request that meets the authorization condition may be determined as follows: according to asymmetric-encryption key verification, verification by a multilayer asymmetric-encryption key system, and/or account address verification.
Further, determining the data access request that meets the authorization condition according to asymmetric-encryption key verification is carried out as follows: data is encrypted with the public key of an asymmetric key pair and verified with the private key of the key pair, to determine the data access request that meets the authorization condition.
13. Performing, according to the data access request, the authorization operation of the data application corresponding to the authorization condition.
Specifically, the data corresponding to the data application request stored in the blockchain network is acquired and encrypted; the data is then decrypted and the data application operation of the data access request is performed.
Further, the authorization operation of the data application corresponding to the authorization condition may be performed according to the data access request as follows:
extracting the data corresponding to the data access request from the blockchain network and decrypting it to obtain the data plaintext;
encrypting the data plaintext again with the public key of a key pair to obtain an encrypt(data) file;
storing the encrypt(data) file in a middleware database;
decrypting the encrypt(data) file stored in the middleware database with the private key of the data access request to obtain the data plaintext, and accessing the data.
In addition, the following two ways are provided here:
Step 21 sets an authorization condition for data access according to timeliness rules, by determining timeliness rules for the encrypt(data) files stored in the middleware database.
Step 21 sets an authorization condition for data access according to an identification rule, by determining an identification rule that uniquely identifies the request path of the data access request in the blockchain network.
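The layered authorization conditions of steps 11 and 12 (account, permission, fee, validity period, query count) and the timeliness rule for encrypt(data) files, as an added Python example that is not code from the patent. Field names, reason strings, the sample addresses and the ciphertext are constructed; the asymmetric key check and the token payment are assumed to happen elsewhere and arrive as booleans.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class Grant:
    """One user's authorization conditions (field names are hypothetical)."""
    account_address: str
    permissions: frozenset          # subset of {"browse", "download"}
    fee_required: bool              # paid or free
    fee_paid: bool                  # outcome of the token payment (assumed checked elsewhere)
    valid_from: datetime            # start of the contract-locked validity period
    valid_for: timedelta            # length of the validity period
    max_queries: Optional[int]      # None means no count limit
    queries_used: int = 0


@dataclass
class Request:
    account_address: str
    key_verified: bool              # outcome of the asymmetric key check (assumed done upstream)
    operation: str                  # "browse" or "download"


def authorize(grant: Grant, req: Request, now: datetime) -> Tuple[bool, str]:
    """Deny unless every condition holds; only granted requests consume the count."""
    if not req.key_verified or req.account_address != grant.account_address:
        return False, "account verification failed"
    if req.operation not in grant.permissions:
        return False, "operation not permitted"
    if grant.fee_required and not grant.fee_paid:
        return False, "fee not paid"
    if not (grant.valid_from <= now < grant.valid_from + grant.valid_for):
        return False, "outside validity period"
    if grant.max_queries is not None and grant.queries_used >= grant.max_queries:
        return False, "query count exhausted"
    grant.queries_used += 1
    return True, "granted"


class MiddlewareStore:
    """Holds re-encrypted blobs per (data id, account) and enforces a TTL as the timeliness rule."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self._blobs: Dict[Tuple[str, str], Tuple[bytes, datetime]] = {}

    def put(self, data_id: str, address: str, ciphertext: bytes, now: datetime) -> None:
        self._blobs[(data_id, address)] = (ciphertext, now)

    def get(self, data_id: str, address: str, now: datetime) -> Optional[bytes]:
        entry = self._blobs.get((data_id, address))
        if entry is None:
            return None
        ciphertext, stored_at = entry
        if now - stored_at >= self.ttl:
            # Expired: remove the blob so it cannot be served later.
            del self._blobs[(data_id, address)]
            return None
        return ciphertext


def demo():
    t0 = datetime(2018, 3, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    grant = Grant("0xA11CE", frozenset({"browse"}), True, True, t0, timedelta(days=1), 2)
    attempts = [
        (Request("0xA11CE", True, "browse"), t0),
        (Request("0xA11CE", True, "download"), t0),
        (Request("0xB0B", True, "browse"), t0),
        (Request("0xA11CE", True, "browse"), t0 + timedelta(hours=1)),
        (Request("0xA11CE", True, "browse"), t0 + timedelta(hours=2)),
    ]
    reasons = [authorize(grant, req, now)[1] for req, now in attempts]
    store = MiddlewareStore(ttl=timedelta(minutes=10))
    store.put("record-1", "0xA11CE", b"constructed-ciphertext", t0)
    fresh = store.get("record-1", "0xA11CE", t0 + timedelta(minutes=5))
    stale = store.get("record-1", "0xA11CE", t0 + timedelta(minutes=10))
    return reasons, fresh, stale


if __name__ == "__main__":
    print(demo())
```

Denied requests leave `queries_used` untouched, so a rejected download or a wrong account cannot burn down a legitimate user's remaining count.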
In summary, the data access control method provided in the embodiment of the present invention has the following beneficial effects:
1. By setting multiple authorization conditions for data access and retrieving data from the blockchain network at access time, various data access controls such as account limits and time limits are applied to users who do not need to access; security isolation of the data and precise control of secure access are achieved while different users' access requirements are met, and risks such as malicious access to and tampering with the data are avoided to a certain extent;
2. Through asymmetric-encryption key verification and/or the account address, different data application permission settings, point-to-point token payment, smart-contract-locked validity periods, query tracing by the data application layer and the like, control over multiple data access requirements (limited accounts, limited times, limited accounts, limited application types and limited fee use modes) is better achieved, and the user experience of data access is improved;
3. The data corresponding to the data access request is decrypted and then encrypted again: the data plaintext is encrypted with the public key of the key pair to obtain the encrypt(data) file, the encrypt(data) file is stored in the middleware database, and the encrypt(data) file stored in the middleware database is decrypted with the private key of the data access request to obtain the data plaintext and access the data. With authorization constrained layer by layer by the authorization conditions, the data access user can obtain the required data more securely, and the security of the accessed data is improved.
Example 2
Fig. 2 is a flowchart of a data access control method according to embodiment 2 of the present invention.
As shown in fig. 2, a data access control method provided in an embodiment of the present invention includes the following steps:
21. Determining the rule for verifying the legitimate account information of the user to whom authorization is granted.
The legitimacy of the authorized user is verified by asymmetric-encryption key verification and/or by account address.
Specifically, asymmetric encryption is used, with the public key computed from the private key. The public/private-key login authorization can be wrapped in an additional account-and-password layer, or the public and private keys can be used directly. The authorized user is then verified as legitimate, by means of the public/private key pair or an additional account address, before operations such as login, access, application, authorization, encryption and decryption are performed.
It should be noted that step 21 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
22. Determining authorization rules that grant different authorization degrees to different authorized users.
Specifically, different authorized users are granted different authorization degrees through different data application permission settings, where the application permissions include downloading and/or browsing.
It should be noted that step 22 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
23. Determining authorization rules that apply different authorization fees to different authorized users.
Specifically, different authorized users are authorized under different authorization fee conditions by means of point-to-point token payment, where the fee conditions include paid or free. Payment is not limited to point-to-point payment within the blockchain network, although point-to-point token payment within the blockchain network is preferred; other payment methods can be connected through the application layer.
It should be noted that step 23 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
24. Determining authorization rules that grant different authorization times to different authorized users.
Specifically, different authorized users are granted different authorization times according to the locking validity period of the smart contract. The authorization time is a time period in units of hour, day or month, and other time units can also be defined.
It should be noted that step 24 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
25. Determining authorization rules that grant different numbers of authorized accesses to different authorized users.
Specifically, different authorized users are granted different numbers of authorized accesses according to the query counts traced by the data application layer.
It should be noted that step 25 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
26. Determining the data access request that meets the authorization conditions by asymmetric-encryption key verification, multi-layer asymmetric-encryption key hierarchy verification and/or account address verification.
Specifically, data is encrypted with the public key of an asymmetric key pair, and the data access request that meets the authorization conditions is determined through verification with the private key of that key pair.
It should be noted that step 26 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
27. Acquiring the data corresponding to the data application request stored in the blockchain network, and encrypting the data.
The data corresponding to the data application request stored in the blockchain network is encrypted a first time; this encryption can be asymmetric or use another possible encryption scheme.
It should be noted that step 27 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
28. Decrypting the data and performing the data application operation of the data access request.
Fig. 3 is a detailed flowchart of step 28 in fig. 2. As shown in fig. 3, step 28 further includes the following steps:
281. extracting the data corresponding to the data access request from the blockchain network and decrypting it to obtain the data plaintext;
282. re-encrypting the data plaintext, using the public key of a key pair, to obtain an encrypt (data) file;
283. storing the encrypt (data) file in a middleware database;
284. decrypting the encrypt (data) file stored in the middleware database with the private key of the data access request to obtain the data plaintext, and accessing the data.
It should be noted that step 28 may also be implemented in ways other than those described above; the embodiment of the present invention does not limit the specific way.
Example 3
As shown in fig. 4, the data access right control apparatus provided in the embodiment of the present invention includes a setting module 31, a determining module 32, and an authorization operation module 33.
Specifically, the setting module 31 is configured to set an authorization condition for data access. Further, the setting module 31 includes: a first determining module 311, configured to determine a legal account information verification rule that agrees to an authorized user; a second determining module 312, configured to determine authorization rules with different authorization degrees according to different authorized users; a third determining module 313, configured to determine an authorization rule for performing different authorization costs according to different authorized users; a fourth determining module 314, configured to determine an authorization rule for performing different authorization time according to different authorized users; a fifth determining module 315, configured to determine an authorization rule for performing different authorization times according to different authorized users; a sixth determining module 316, configured to determine a timeliness rule of an encrypt (data) file stored in the middleware database, and set an authorization condition for data access according to the timeliness rule; a seventh determining module 317, configured to determine an identification rule for uniquely identifying a request path of the data access request in the blockchain network, and set an authorization condition for data access according to the identification rule.
The determining module 32 is configured to determine a data access request meeting the authorization condition. Specifically, the determining module 32 is configured to determine the data access request meeting the authorization condition according to key verification of asymmetric encryption, key hierarchy verification of multi-layer asymmetric encryption, and/or account address verification.
The authorization operation module 33 is configured to perform an authorization operation on the data application corresponding to the authorization condition according to the data access request. Specifically, the authorization operation module 33 includes: an obtaining module 331, configured to obtain the data corresponding to the data application request stored in the blockchain network; an encryption module 332, configured to encrypt the acquired data; and a decryption module 333, configured to decrypt the data and perform the data application operation of the data access request.
There are one or more authorization conditions, and the data is stored in the blockchain network.
Further, the authorization operation module 33 is configured to: extracting and decrypting data corresponding to the data access request from the block chain network to obtain a data plaintext of the data; encrypting the data plaintext again, and encrypting the data plaintext by using a public key of a key pair to obtain an encrypt (data) file; storing an encrypt (data) file in a middleware database; decrypting an encrypt (data) file stored in a middleware database according to a private key of the data access request to obtain a data plaintext, and accessing the data.
Application example
Fig. 5 is a schematic view of an application example service flow of the data access control method and apparatus provided in the embodiment of the present invention. Fig. 6 is a schematic diagram of an application example technical architecture of the data access control method and apparatus provided in the embodiment of the present invention.
As shown in figs. 5-6, when user B wants to apply for access to the data of the data-controlling user A, the authorized user is verified as legitimate, by means of the public/private key pair or an additional account address, before operations such as login, access, application, authorization, encryption and decryption are performed.
Regarding user B's access application, user B can initiate the application at the application layer or the middleware layer, and then the user B authorizes and agrees to obtain the plaintext information through operations of the middleware layer, such as retrieving the related encrypted data in the blockchain network from the blockchain layer through the middleware layer and storing it in a database of the middleware layer; A then encrypts the data information with B's public key to obtain a ciphertext, which is stored in the middleware, so that B can decrypt and access the data information with B's private key.
The above is the process by which the data access control method and device of the application example restrict access to specific accounts; through this process, the data-controlling user A can choose which account user (such as user B) is authorized to access.
The following explains how user A applies limited-count control to a user (taking user B as an example).
User B wants to access user A's information; A grants 10 accesses in total, and the blockchain network has 4 applications: application a, b, c and d.
1. The access permission at the application layer is a + b + c + d = 10 times;
2. after user B logs in from application a, application a maps a unique identification code to record the number of logins; the mapped unique identification code is mainly used for recording the number of logins, in the same way as for application a;
3. when the sum of the identification code records after logging in from any application equals 10, user B no longer has viewing permission.
Each application layer is mapped to a unique identification code, so the number of data requests made by the same blockchain account after logging in from different applications can be tracked.
The following explains how user A applies time-limited control to a user (taking user B as an example).
User B wants to access user A's information, and user A wants user B to be able to view it only within 24 hours:
1. after user A encrypts, in the middleware, the information to be accessed by user B, the encrypted information can be deleted after 24 hours;
2. user B needs to decrypt the information within 24 hours; after 24 hours, the data is emptied.
In this way the access time granted to others is controlled; the period can be set in days, months, years and so on. In a blockchain network, control over access time can be embodied in the form of smart contract programming.
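The limited-count and limited-time controls described above can be enforced together at the middleware. The following is an added sketch, not code from the patent: the names `MiddlewareStore`, `Grant`, `ManualClock` and the `app-a` to `app-d` identifiers are assumptions, the database is an in-memory dictionary, and the encrypt (data) file is treated as an opaque blob already encrypted to the grantee's public key.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable


class AccessDenied(Exception):
    """A request failed one of the grant's authorization conditions."""


@dataclass
class Grant:
    grantee: str        # blockchain account allowed to read (user B in the text)
    ciphertext: bytes   # opaque encrypt(data) blob, encrypted to the grantee's public key
    expires_at: float   # time from which the middleware no longer serves the blob
    max_reads: int      # total reads allowed, summed over all applications
    reads_by_app: Dict[str, int] = field(default_factory=dict)  # one counter per app code


class MiddlewareStore:
    """In-memory stand-in for the middleware database (an assumption of this sketch)."""

    def __init__(self, known_apps: Iterable[str], clock: Callable[[], float] = time.time):
        self._apps = set(known_apps)   # each application has its own identification code
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._grants: Dict[str, Grant] = {}

    def put(self, grant_id, grantee, ciphertext, ttl_seconds, max_reads):
        if ttl_seconds <= 0 or max_reads <= 0:
            raise ValueError("ttl_seconds and max_reads must be positive")
        self._grants[grant_id] = Grant(grantee, ciphertext,
                                       self._clock() + ttl_seconds, max_reads)

    def fetch(self, grant_id, account, app_id) -> bytes:
        grant = self._grants.get(grant_id)
        if grant is None:
            raise AccessDenied("no such grant")
        if self._clock() >= grant.expires_at:
            del self._grants[grant_id]           # limited time: blob is emptied on expiry
            raise AccessDenied("grant expired")
        if account != grant.grantee:             # limited account
            raise AccessDenied("account not authorized")
        if app_id not in self._apps:
            raise AccessDenied("unknown application")
        if sum(grant.reads_by_app.values()) >= grant.max_reads:  # limited count: a+b+c+d
            raise AccessDenied("read quota exhausted")
        grant.reads_by_app[app_id] = grant.reads_by_app.get(app_id, 0) + 1
        return grant.ciphertext

    def usage(self, grant_id) -> Dict[str, int]:
        return dict(self._grants[grant_id].reads_by_app)

    def purge_expired(self) -> int:
        """Sweep grants nobody asked for after expiry; returns how many were deleted."""
        now = self._clock()
        expired = [gid for gid, g in self._grants.items() if now >= g.expires_at]
        for gid in expired:
            del self._grants[gid]
        return len(expired)


class ManualClock:
    """Test clock that only moves when told to."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def outcome(store, grant_id, account, app_id) -> str:
    try:
        store.fetch(grant_id, account, app_id)
        return "ok"
    except AccessDenied as exc:
        return str(exc)


def demo() -> dict:
    clock = ManualClock()
    store = MiddlewareStore({"app-a", "app-b", "app-c", "app-d"}, clock=clock)
    day = 24 * 3600
    blob = b"<constructed encrypt(data) blob>"   # constructed sample, not real ciphertext
    store.put("grant-1", "user-B", blob, ttl_seconds=day, max_reads=10)
    store.put("grant-2", "user-B", blob, ttl_seconds=day, max_reads=10)
    # Ten reads spread over the four applications use up grant-1.
    for app in ["app-a"] * 4 + ["app-b"] * 3 + ["app-c"] * 2 + ["app-d"]:
        store.fetch("grant-1", "user-B", app)
    result = {
        "usage": store.usage("grant-1"),
        "eleventh": outcome(store, "grant-1", "user-B", "app-d"),
        "wrong_account": outcome(store, "grant-2", "user-C", "app-a"),
    }
    clock.advance(day - 1)
    result["before_expiry"] = outcome(store, "grant-2", "user-B", "app-a")
    clock.advance(1)
    result["at_expiry"] = outcome(store, "grant-2", "user-B", "app-a")
    result["after_expiry"] = outcome(store, "grant-2", "user-B", "app-a")
    result["purged"] = store.purge_expired()     # grant-1 was still stored until swept
    return result


if __name__ == "__main__":
    print(demo())
```

Expiry here removes only the stored ciphertext; it cannot recall plaintext the grantee has already decrypted and kept. The counters also live in the middleware, so the count limit is only as trustworthy as the component that maintains them.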
Fig. 7 is a schematic diagram of a specific operation flow of an application example of the data access control method and apparatus provided in the embodiment of the present invention. As shown in fig. 7, the complete operation flow of the data access control method and apparatus in the application example is as follows:
assume that user A and user B reach an agreement to query data information X of user B, where A needs to see user B's information X;
B receives A's request to view information X and agrees to authorize the request;
B extracts the related data X from the blockchain network and decrypts it to obtain the plaintext of data X;
B encrypts the decrypted plaintext of data X again;
B encrypts the plaintext of data X with A's public key to obtain the encrypt (data) file A (X);
B stores the encrypt (data) file A (X) in the middleware database;
B authorizes A to view information X at this point;
A decrypts the encrypt (data) file A (X) stored in the middleware database with A's private key;
A obtains the plaintext of X and accesses the required information.
Wherein:
B encrypts data X only with A's public key, so it can be decrypted only with A's corresponding private key, which provides account-limited management of the permission;
B can specify the timeliness of the encrypt (data) file A (X) stored in the middleware, which provides limited management of the permission;
B uniquely identifies the request path of A's application layer and manages the access counts across A's different application-layer request paths, which provides limited management of the permission.
All the above-mentioned optional technical solutions can be combined arbitrarily to form the optional embodiments of the present invention, and are not described herein again.
As can be seen from the above description and practice, the data access control method and apparatus provided in the embodiments of the present invention have the following advantages over the prior art:
1. By setting multiple authorization conditions for data access and retrieving the data from a blockchain network at access time, various data access controls, such as limited account, limited times and limited time, are applied to users with different access needs. Different users' access requirements are met while secure isolation of the data and precise control of secure access are achieved, and risks such as malicious access to or tampering with the data are avoided to a certain extent;
2. Through asymmetric-encryption key verification and/or account address, different data application permission settings, point-to-point token payment, the smart contract locking validity period, query tracing by the data application layer and the like, control over multiple data access requirements (a limited account, a limited number of times, a limited account, a limited application type and a limited fee mode) is better realized, and the user experience of data access is improved;
3. The data corresponding to the data access request is decrypted and then re-encrypted: the data plaintext is encrypted with the public key of the key pair to obtain the encrypt (data) file, which is stored in the middleware database; the encrypt (data) file stored in the middleware database is then decrypted with the private key of the data access request to obtain the data plaintext and access the data. With authorization restricted layer by layer by the authorization conditions, the data access user obtains the required data more securely, and the security of the accessed data is improved.
It should be noted that: in the data access control device provided in the foregoing embodiment, when performing a data access control service, only the division of the functional modules is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the data access control device and the data access control method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (16)

1. A data access control method is applied to first user equipment, and the first user equipment is user equipment requested to access data, and the method comprises the following steps:
setting an authorization condition for data access;
determining a data access request meeting the authorization condition, wherein the data access request is sent by second user equipment, and the second user equipment is user equipment which requests to access data and points to the first user equipment;
and performing authorization operation of the data application corresponding to the authorization condition according to the data access request, wherein the authorization operation comprises the following steps: extracting and decrypting data corresponding to the data access request from a block chain network to obtain a data plaintext of the data; encrypting the data plaintext by using a public key of a key pair to obtain an encrypt (data) file, wherein the key pair refers to a key pair of the second user equipment; storing the encrypt (data) file in a middleware database, so that the second user equipment can decrypt the encrypt (data) file stored in the middleware database according to the private key of the data access request to obtain the data plaintext and access the data; the private key of the data access request refers to the private key in the key pair;
wherein the authorization conditions include one or more, the data being stored in a blockchain network;
the setting of the authorization condition for data access comprises:
determining a legal account information verification rule for agreeing to an authorized user; and/or
determining authorization rules of different authorization degrees according to different authorized users; and/or
determining authorization rules for carrying out different authorization fees according to different authorized users; and/or
determining authorization rules for performing different authorization time according to different authorized users; and/or
determining an authorization rule for carrying out different authorization times according to different authorized users.
2. The method of claim 1, wherein determining the valid account information validation rules that agree to the authorized user comprises:
and performing legal verification of the authorized user according to the asymmetric encrypted key verification and/or the account address.
3. The method of claim 1, wherein determining authorization rules for different degrees of authorization based on different authorized users comprises:
and authorizing different authorization degrees of different authorized users according to different data application authority settings, wherein the application authority includes downloading and/or browsing.
4. The method of claim 1, wherein determining authorization rules for different authorization cost scenarios based on different authorized users comprises:
authorizing different authorized users under different authorization fee conditions by means of point-to-point token payment, the authorization fee conditions including paid or free.
5. The method of claim 1, wherein determining authorization rules for different authorization times according to different authorized users comprises:
authorizing different authorized users for different authorization times according to the smart contract locking validity period, wherein the authorization time comprises a time period in units of hour, day or month.
6. The method of claim 1, wherein determining the authorization rules for different numbers of authorizations based on different authorized users comprises:
and authorizing different authorization times of different authorized users according to the condition of tracing the query times by the data application layer.
7. The method of claim 1, wherein determining that the data access request meets the authorization condition comprises:
and determining the data access request meeting the authorization condition according to the key verification of asymmetric encryption, the key system verification of multilayer asymmetric encryption and/or account address verification.
8. The method of claim 7, wherein determining the data access request meeting the authorization condition based on key verification for asymmetric encryption comprises:
and encrypting data by using a public key of the asymmetric encryption key pair, and verifying the data by using a private key of the key pair to determine the data access request meeting the authorization condition.
9. The method according to claim 1, wherein performing the authorization operation of the data application corresponding to the authorization condition according to the data access request comprises:
acquiring data corresponding to the data application request stored in a block chain network, and encrypting the data;
and decrypting the data and performing data application operation of the data access request.
10. The method of claim 1, wherein setting an authorization condition for data access comprises:
determining timeliness rules of encrypt (data) files stored in a middleware database, and setting authorization conditions of data access according to the timeliness rules.
11. The method of claim 1, wherein setting an authorization condition for data access comprises:
and determining an identification rule for uniquely identifying the request path of the data access request in the blockchain network, and setting an authorization condition of data access according to the identification rule.
12. An apparatus for controlling data access authority, wherein the apparatus is applied to a first user equipment, and the first user equipment is a user equipment that is requested to access data, the apparatus comprising:
the setting module is used for setting the authorization condition of data access;
a determining module, configured to determine a data access request meeting the authorization condition, where the data access request is sent by a second user equipment, and the second user equipment is a user equipment that requests to access data and points to the first user equipment;
the authorization operation module is configured to perform, according to the data access request, an authorization operation of the data application corresponding to the authorization condition, and includes: extracting and decrypting data corresponding to the data access request from a block chain network to obtain a data plaintext of the data; encrypting the data plaintext by using a public key of a key pair to obtain an encrypt (data) file, wherein the key pair refers to a key pair of the second user equipment; storing the encrypt (data) file in a middleware database, so that the second user equipment can decrypt the encrypt (data) file stored in the middleware database according to the private key of the data access request to obtain the data plaintext and access the data; the private key of the data access request refers to the private key in the key pair;
wherein there are one or more authorization conditions, and the data is stored in a blockchain network;
the setting module includes:
the first determining module is used for determining a legal account information verification rule which agrees to an authorized user;
the second determining module is used for determining authorization rules with different authorization degrees according to different authorized users;
the third determining module is used for determining the authorization rules for carrying out different authorization fees according to different authorized users;
the fourth determining module is used for determining authorization rules for performing different authorization time according to different authorized users;
and the fifth determining module is used for determining the authorization rules for carrying out different authorization times according to different authorized users.
13. The apparatus of claim 12, wherein the determining module is configured to:
and determining the data access request meeting the authorization condition according to the key verification of asymmetric encryption, the key system verification of multilayer asymmetric encryption and/or account address verification.
14. The apparatus of claim 12, wherein the authorization operation module comprises:
the acquisition module acquires data corresponding to the data application request stored in the block chain network;
the encryption module is used for encrypting the acquired data;
and the decryption module is used for decrypting the data and performing data application operation of the data access request.
15. The apparatus of claim 12, wherein the setup module further comprises:
and the sixth determining module is used for determining timeliness rules of encrypt (data) files stored in the middleware database and setting authorization conditions of data access according to the timeliness rules.
16. The apparatus of claim 12, wherein the setup module further comprises:
a seventh determining module, configured to determine an identification rule for uniquely identifying a request path of the data access request in a blockchain network, and set an authorization condition for data access according to the identification rule.
CN201810214046.1A 2018-03-15 2018-03-15 Data access control method and device Active CN108683626B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810214046.1A CN108683626B (en) 2018-03-15 2018-03-15 Data access control method and device


Publications (2)

Publication Number Publication Date
CN108683626A CN108683626A (en) 2018-10-19
CN108683626B true CN108683626B (en) 2023-01-31

Family

ID=63799365

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810214046.1A Active CN108683626B (en) 2018-03-15 2018-03-15 Data access control method and device

Country Status (1)

Country Link
CN (1) CN108683626B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109255255B (en) * 2018-10-22 2021-06-04 北京锐安科技有限公司 Data processing method, device, equipment and storage medium based on block chain
CN109522735B (en) * 2018-11-29 2021-06-22 上海信联信息发展股份有限公司 A method and device for data authorization verification based on smart contract
CN110222721B (en) * 2019-05-10 2021-07-30 达闼机器人有限公司 Data processing method, data processing device, block chain node and storage medium
CN110808974A (en) * 2019-10-31 2020-02-18 深圳市网心科技有限公司 Data acquisition method and device, computer device and storage medium
CN111291421A (en) * 2020-02-17 2020-06-16 深圳壹账通智能科技有限公司 Blockchain data authorization method, electronic device and computer-readable storage medium
CN111507712B (en) * 2020-04-09 2021-02-23 链博(成都)科技有限公司 User privacy data management method, system and terminal based on block chain
CN112149184A (en) * 2020-11-25 2020-12-29 南京可信区块链与算法经济研究院有限公司 Block chain external storage system and method based on time-limited access
CN113505090B (en) * 2021-06-22 2023-09-01 中国联合网络通信集团有限公司 Access control method and access control device
CN114124392B (en) * 2021-11-01 2022-09-06 广州大学 Method, system, device and medium for controlled flow of data supporting access control

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176709A (en) * 2010-12-13 2011-09-07 北京交通大学 Method and device with privacy protection function for data sharing and publishing
CN102655508A (en) * 2012-04-19 2012-09-05 华中科技大学 Method for protecting privacy data of users in cloud environment
CN103095733A (en) * 2013-03-04 2013-05-08 淮阴工学院 Keyword cipher text retrieval method for cloud storage
CN103281377A (en) * 2013-05-31 2013-09-04 北京鹏宇成软件技术有限公司 Cryptograph data storage and searching method for cloud
CN103561034A (en) * 2013-11-11 2014-02-05 武汉理工大学 Secure file sharing system
CN103957109A (en) * 2014-05-22 2014-07-30 武汉大学 Cloud data privacy protection security re-encryption method
CN104158827A (en) * 2014-09-04 2014-11-19 中电长城网际系统应用有限公司 Cryptograph data sharing method and device, inquiring server and data uploading client terminal
CN104394366A (en) * 2014-11-26 2015-03-04 东南大学 Distributed video streaming media transcoding access control method and system
CN107360252A (en) * 2017-08-16 2017-11-17 上海海事大学 A kind of Data Access Security method that isomery cloud domain authorizes

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082771B (en) * 2009-11-30 2014-04-02 中国移动通信集团福建有限公司 Service management middleware based on ESB (enterprise service bus) technology
EP2506487B1 (en) * 2011-03-30 2013-10-23 Nagravision S.A. Method of encryption with bidirectional difference propagation
US10050968B2 (en) * 2014-12-31 2018-08-14 Shenzhen University Method, apparatus, and system for access control of shared data
GB2538022B (en) * 2016-08-20 2018-07-11 PQ Solutions Ltd Multiple secrets in quorum based data processing
CN106682530A (en) * 2017-01-10 2017-05-17 杭州电子科技大学 Method and device for medical information sharing privacy protection based on blockchain technology
CN106973036B (en) * 2017-02-07 2020-04-14 杭州云象网络技术有限公司 Block chain privacy protection method based on asymmetric encryption

Also Published As

Publication number Publication date
CN108683626A (en) 2018-10-19

Similar Documents

Publication Publication Date Title
CN108683626B (en) Data access control method and device
CN101682501B (en) For performing method and the portable memory apparatus of authentication protocol
RU2501081C2 (en) Multi-factor content protection
CN111914293B (en) Data access right verification method and device, computer equipment and storage medium
US20040133797A1 (en) Rights management enhanced storage
CN112364305B (en) Digital content copyright protection method and device based on blockchain platform
US20100088236A1 (en) Secure software service systems and methods
CN103220141B (en) A kind of protecting sensitive data method and system based on group key strategy
CN112887273B (en) Key management method and related equipment
JP2000163379A (en) Control over access to stored information
WO2017008640A1 (en) Method for issuing access token and related device
KR20030096249A (en) Method for managing access and use of resources by verifying conditions and conditions for use therewith
CN112487450A (en) File server access grading method
JP3896909B2 (en) Access right management device using electronic ticket
CN117332391A (en) Power distribution network data asset security access method and system considering authority hierarchical management and control
WO2007045257A1 (en) A method for controlling access to file systems, related system, sim card and computer program product for use therein
KR100656402B1 (en) Method and device for securely distributing digital content
US12309274B2 (en) Cryptography-as-a-service
JPH05298174A (en) Remote file access system
US8321915B1 (en) Control of access to mass storage system
CN119210769A (en) A digital economy trust verification method based on blockchain
JP2009543210A5 (en)
CN101359988A (en) Method, device and system for obtaining domain license
CN117614724B (en) Industrial Internet access control method based on system fine granularity processing
JPH10105470A (en) Method for authenticating file access

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210913

Address after: 518052 Room 201, building A, 1 front Bay Road, Shenzhen Qianhai cooperation zone, Shenzhen, Guangdong

Applicant after: ZHONGAN INFORMATION TECHNOLOGY SERVICE Co.,Ltd.

Applicant after: Baibao (Shanghai) Technology Co.,Ltd.

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Applicant before: ZHONGAN INFORMATION TECHNOLOGY SERVICE Co.,Ltd.

GR01 Patent grant