CN111914293A - Data access authority verification method and device, computer equipment and storage medium - Google Patents

Publication number: CN111914293A
Authority: CN (China)
Prior art keywords: server, access, data, result, service end
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN202010760949.7A
Other languages: Chinese (zh)
Other versions: CN111914293B (en)
Inventor: 赵亦杨
Current Assignee: Ping An Technology Shenzhen Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Ping An Technology Shenzhen Co Ltd
Application filed by: Ping An Technology Shenzhen Co Ltd
Priority to CN202010760949.7A (patent CN111914293B)
Priority to PCT/CN2020/124726 (patent WO2021139338A1)
Publication of CN111914293A
Application granted
Publication of CN111914293B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for verifying data access authority, computer equipment and a storage medium, wherein the method comprises the following steps: the first service end creates an access message, encrypts and digitally signs the access message, sends the encrypted access message to the block chain, and sends a data access request to the second service end; after receiving the request, the second server acquires the access message of the first server from the block chain, performs signature verification and decryption on the access message, generates a decrypted access message, performs authority verification on the decrypted access message, generates an authorization result, encrypts and digitally signs the authorization result, sends the encrypted and digitally signed authorization result to the block chain, and sends an access response to the first server; and after receiving the response, the first service end acquires the authorization result from the block chain, performs signature verification and decryption on the authorization result, generates a decrypted authorization result, and determines whether to perform data access or not based on the decrypted authorization result. Therefore, by adopting the embodiment of the application, the security risk existing in data sharing can be reduced.

Description

Data access authority verification method and device, computer equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for verifying data access permissions, a computer device, and a storage medium.
Background
With the continuous development of the information age, the information exchange among different departments or different enterprises of the same company is gradually increased, and the development of the computer network technology provides guarantee for data transmission and realizes data sharing. This enables more people to more fully use the existing data resources, reducing the repetitive labor and corresponding costs of data acquisition processing and the like.
Current data sharing concentrates on standardization problems such as data exchange formats and ignores potential security problems. For example, company A hands its customer data to company B so that company B can help analyze customers' product purchasing preferences; but for profit, a data analyst at company B may sell the data to company C, a competitor of company A. Company A's interests are then harmed without company A knowing that its data has been illegally accessed by company C. Current data sharing therefore suffers from uncontrolled data circulation, which increases the security risk in the data sharing process.
Disclosure of Invention
Based on this, it is necessary to provide a data access right verification method, an apparatus, a computer device, and a storage medium for solving the problem of uncontrolled data flow in current data sharing, thereby reducing security risks in data sharing.
A data access right verification method is applied to a first service terminal and comprises the following steps: acquiring an access rule generated in advance by a second server; determining the open time of the second server for accessing the resource based on the access rule; when the current time accords with the open time, acquiring a public key of a second server; creating access data of the authority for accessing the second service terminal and acquiring a private key of the first service terminal; encrypting the access permission data based on the public key of the second server to generate encrypted access permission data; carrying out digital signature on the encrypted access data according to the private key of the first server to generate an access message of the first server; and sending the access message of the first server to a block chain, and sending a data access request to the second server.
In one embodiment, after sending the access message of the first server to the blockchain, the method further includes: when receiving a data access response of a second server, obtaining an authorization result of the second server from the block chain; acquiring a public key of a second server and a private key of a first server; verifying the authorization result through the public key of the second server to generate a second verification result; when the second verification result is the verification result sent by the second server, decrypting the authorization result through the private key of the first server to generate a decrypted authorization result; determining whether to perform data access based on the decrypted authorization result.
A data access right verification method is applied to a second server side, and comprises the following steps: when a first service end data access request is received, acquiring an access message of the first service end from a block chain; acquiring a public key of a first server and a private key of a second server; verifying the access message of the first server according to the public key of the first server to generate a first verification result; decrypting the access message of the first server by the private key of the second server to generate a decrypted access message; auditing the verification result and the decrypted access message according to a preset auditing mode to generate an auditing result; determining an authorization result according to the auditing result; and encrypting the authorization result through the public key of the first service end, sending the encrypted authorization result to the block chain, and sending a data access response to the first service end.
In one embodiment, before acquiring the access message of the first service from the block chain, the method further includes: acquiring a public key of a second server and a parameter set of the second server; performing digital signature on the second server parameter set based on the private key of the second server to generate an access rule; and encrypting the access rule according to the second server public key and then issuing the encrypted access rule to the block chain.
In one embodiment, the preset auditing mode comprises a manual auditing mode and a server-side auditing mode; the verifying the verification result and the decrypted access message according to a preset verifying mode, and generating the verifying result comprises: when the auditing mode is manual auditing and the verification result is the access message sent by the first service terminal, receiving an instruction of the auditing result and generating the auditing result based on the instruction of the auditing result; or when the auditing mode is server auditing and the verification result is an access message sent by the first server, acquiring a preset authorization server set; and judging whether the first server exists in the authorization server set or not, and generating an audit result.
In one embodiment, the determining an authorization result according to the audit result includes: when the audit result is not passed, generating an access denial notification; encrypting the access denial notification through the public key of the first server to obtain the encrypted access denial notification; and digitally signing the encrypted access denial notification through the private key of the second server to generate an authorization result.
In one embodiment, the determining an authorization result according to the audit result includes: when the auditing result is passed, generating an access certificate and access time; encrypting the access credential and the access time through the public key of the first service end to generate the encrypted access credential and the encrypted access time; and digitally signing the encrypted access credential and the access time through a private key of the second server to generate an authorization result.
A data access right verification device is applied to a first service terminal, and comprises: the access rule obtaining module is used for obtaining an access rule generated in advance by the second server; the time determining module is used for determining the open time of the second server for accessing the resource based on the access rule; the public key acquisition module is used for acquiring a public key of the second server when the current time accords with the open time; the data creating module is used for creating access data of the authority for accessing the second service end and acquiring a private key of the first service end; the data encryption module is used for encrypting the access permission data based on the public key of the second server to generate encrypted access permission data; the data signature module is used for carrying out digital signature on the encrypted access data according to the private key of the first server to generate access information of the first server; and the message sending module is used for sending the access message of the first server to the block chain.
A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the data access right verification method described above.
A storage medium having stored thereon computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the data access permission verification method described above.
According to the data access authority verification method, the data access authority verification device, the computer equipment and the storage medium, the first server side creates the access message, encrypts and digitally signs the access message, sends the encrypted access message to the block chain, and sends the data access request to the second server side. And the second server acquires the access message of the first server from the block chain after receiving the request, performs signature verification and decryption on the access message, generates a decrypted access message, performs authority verification on the decrypted access message, generates an authorization result, encrypts and digitally signs the authorization result, sends the encrypted and digitally signed authorization result to the block chain, and sends an access response to the first server. And when receiving the response, the first service end acquires the authorization result from the block chain, performs signature verification and decryption on the authorization result, generates a decrypted authorization result, and determines whether to perform data access or not based on the decrypted authorization result. According to the method and the system, the flow direction, the authorization information, the use record and the like of the data among the servers are published on the block chain, so that the data and the sharing access process are separated, and the data are prevented from being illegally leaked in the data sharing process, so that the safety risk existing in the data sharing process is reduced.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a diagram of an implementation environment of a data access right verification method provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of an internal structure of a computer device according to an embodiment of the present application;
FIG. 3 is a diagram illustrating a method for verifying data access rights provided in an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a method for generating an access request message in a data access right verification method according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating a method for generating an access rule in a data access right verification method according to an embodiment of the present application;
FIG. 6 is a schematic diagram illustrating an authorization result viewing method in the data access right verification method according to an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating an implementation scenario of data access right verification provided in an embodiment of the present application;
FIG. 8 is a schematic diagram of a data access right verifying device according to an embodiment of the present application;
FIG. 9 is a schematic device diagram of another data access right verification device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It will be understood that, as used herein, the terms "first," "second," and the like may be used herein to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one element from another. For example, the first server may be referred to as the second server, and similarly, the second server may be referred to as the first server, without departing from the scope of the present application.
Fig. 1 is a diagram of an implementation environment of a data access right verification method provided in an embodiment, as shown in fig. 1, in the implementation environment, including a first service end 110, a second service end 120, and a blockchain 130.
The first server 110 and the second server 120 are server devices; for example, the first server 110 is a server storing the platform data of company B, and the second server 120 is a server storing the platform data of company A. The blockchain 130 mainly records the access rules issued by each platform, other platforms' applications for data access rights, access authorizations, and the like.
When the first server 110 (company B's server) accesses the second server 120 (company A's server), the second server 120 verifies the access right of the first server 110. First, the first server 110 obtains an access rule generated in advance by the second server 120, creates an access message based on that rule, encrypts and digitally signs the access message, sends the encrypted access message to the blockchain 130, and sends a data access request to the second server. On receiving the data access request of the first server, the second server 120 obtains the access message from the blockchain 130, verifies its signature and decrypts it to produce a decrypted access message, performs permission verification on the decrypted access message to produce an authorization result, encrypts and digitally signs the authorization result, sends it to the blockchain 130, and sends a data access response to the first server. On receiving the response, the first server 110 obtains the authorization result from the blockchain 130, verifies its signature and decrypts it to produce a decrypted authorization result, and determines whether to perform data access based on the decrypted authorization result.
It should be noted that the first server 110, the second server 120, and the blockchain 130 may be connected through Bluetooth, USB (Universal Serial Bus), or other communication connection manners, which is not limited herein.
FIG. 2 is a diagram showing an internal configuration of a computer device according to an embodiment. As shown in fig. 2, the computer device includes a processor, a non-volatile storage medium, a memory, and a network interface connected through a system bus. The non-volatile storage medium of the computer device stores an operating system, a database and computer readable instructions, the database can store control information sequences, and the computer readable instructions can enable a processor to realize a data access authority verification method when being executed by the processor. The processor of the computer device is used for providing calculation and control capability and supporting the operation of the whole computer device. The memory of the computer device may have stored therein computer readable instructions that, when executed by the processor, may cause the processor to perform a method of data access permission validation. The network interface of the computer device is used for connecting and communicating with the terminal. Those skilled in the art will appreciate that the architecture shown in fig. 2 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The data access right verification method provided by the embodiment of the present application will be described in detail below with reference to fig. 3 to 7. The method may be implemented in dependence on a computer program operable on a data access permission validation apparatus based on the von neumann architecture. The computer program may be integrated into the application or may run as a separate tool-like application.
Referring to fig. 3, a flow chart of a data access right verification method is provided in the embodiment of the present application. As shown in fig. 3, the method of the embodiment of the present application may include the steps of:
S101, when a data access request sent by a first server aiming at a second server is received, obtaining an access message sent by the first server aiming at the second server from a blockchain;
The server is a server that stores a company's platform data, that is, it is responsible for storing that company's platform data. The blockchain is a technology maintained by multiple parties that uses cryptography to secure data transmission and data access, and that provides data consistency, tamper resistance and non-repudiation. The access message is generated by the first server.
In the embodiment of the present application, for example, FIG. 4 is a flowchart of the first server generating an access message and an access request. The first server first obtains the access rule generated in advance by the second server and determines from it the open time during which the second server's resources may be accessed. When the current time falls within the open time, the first server obtains the public key of the second server, creates the permission access data for accessing the second server, and obtains its own private key. It encrypts the permission access data with the public key of the second server to generate encrypted permission access data, and digitally signs the encrypted permission access data with its own private key to generate the access message of the first server. Finally, it sends the access message to the blockchain and sends a data access request to the second server.
It should be noted that, in the embodiment of the present application, signing and verification may be implemented with elliptic curve encryption and decryption, using the ECC-secp256k1 algorithm, i.e. an asymmetric cryptographic algorithm. The private key is used for signing, and the public key is used to verify (decrypt) the signature.
Further, after the data access request is sent to the second server, the second server parses the access request of the first server on receipt, obtains the identifier of the request, and uses that identifier to look up the corresponding access message on the blockchain (i.e., the first server's access message).
S102, acquiring a public key of a first service end and a private key of a second service end;
In a possible implementation manner, for example, the first server is company B's server and the second server is company A's server. Each company has its own public/private key pair to ensure security: company A's server has public key PK_A and private key SK_A, and company B's server has public key PK_B and private key SK_B. When company B's server wants to access data on company A's server, it first obtains from the blockchain the access rule issued by company A's server, then parses the access rule and looks up the access time that company A's server set in it. If the current time falls within that access time, company B's server encrypts its access permission application with company A's public key PK_A and signs it with its own private key SK_B to prevent forgery. The signed message is
Figure BDA0002613061490000071
Subsequently, company B (i.e., the first server) records the message on the blockchain and sends a data access request to company A's server (i.e., the second server). Here ID_B is the identity of company B, Self_Condition_B describes company B's own conditions, and Apply_DataSource_B is the data resource for which access is requested. Company A's server (i.e., the second server) receives the access request, obtains the access message issued by company B from the blockchain, and then obtains company B's public key and its own private key.
S103, verifying the access message of the first server according to the public key of the first server to generate a first verification result;
In a possible implementation manner, after company B's public key and the server's own private key are obtained in step S102, the signature of the access message received in step S101 is verified with company B's public key using the ECC-secp256k1 algorithm. Once the message is confirmed to be company B's access message, it is decrypted with the server's own private key using the ECC-secp256k1 algorithm, generating the decrypted access message.
Further, when the access rule is generated, for example, as shown in fig. 5, the second server first obtains its own public key and a second server parameter set, then performs digital signature on the second server parameter set based on a private key of the second server to generate the access rule, and finally encrypts the access rule according to the second server public key and then issues the encrypted access rule to the block chain.
For example, company A (the second server) first publishes on the blockchain the conditions that all other platforms wishing to access its data must satisfy, i.e. the access rule
Figure BDA0002613061490000081
The rule is signed with company A's private key SK_A and typically includes company A's own identity ID_A, the qualification requirements for the counterpart company, the data resources available for access (e.g. statistical data means), the open access time Time_A, and the like.
S104, when the identification mark in the first verification result is the same as the identification mark of the first service end, decrypting the access message of the first service end through the private key of the second service end to generate a decrypted access message; the identification mark is an identification parameter added when the first server generates the access message;
For details, refer to step S103; they are not repeated here.
S105, auditing the verification result and the decrypted access message according to a preset auditing mode to generate an auditing result;
The preset auditing modes are the ways in which the second server performs the permission audit after decrypting the access message sent by the first server. The auditing modes in the present application comprise manual auditing and automatic auditing by the server.
In a possible implementation manner, for manual auditing, the server sends the access request to the terminal of an auditing user as a prompt, receives an auditing instruction after the prompt, and generates an audit result according to the instruction as feedback.
In another possible implementation manner, for automatic auditing by the server, a preset set of authorized servers is obtained first; the server then judges whether the requesting server exists in the authorized server set and generates the audit result once the judgment is complete.
Specifically, automatic auditing uses a smart contract. If Hyperledger Fabric is used, the smart contract is in fact chaincode, which can automatically execute a specific business rule and can be made access-controlled so that only certain approved members, such as companies A and B, may invoke it. In implementation, a virtual machine or the like may be employed. On Ethereum, the smart contract may be deployed by an Ethereum package or console. There are many possible implementations, and the application is not limited to these.
S106, determining an authorization result according to the auditing result;
The authorization result is the final result generated after the second server audits the access message of the first server; the result is either audit passed or audit not passed.
In a possible implementation manner, when the audit result is not passed, an access denial notification is generated, the access denial notification is encrypted with the public key of the first server to obtain the encrypted access denial notification, and the encrypted access denial notification is digitally signed with the private key of the second server to generate an authorization result.
In another possible implementation manner, when the audit result is passed, an access credential and access time are generated, the access credential and the access time are encrypted with the public key of the first server to generate the encrypted access credential and access time, and finally the encrypted access credential and access time are digitally signed with the private key of the second server to generate an authorization result.
S107, the authorization result is encrypted through the public key of the first service end and then sent to the block chain, and a data access response is sent to the first service end.
For example, if the audit fails, the transaction is terminated directly and a rejection notification is issued on the blockchain
Figure BDA0002613061490000091
The notification is encrypted with the public key PK_B of company B's server (the first server) and signed by company A's server (the second server). Otherwise, company A's server (the second server) publishes a message on the blockchain and sends a data access response to company B (the first server), where the message is:
Figure BDA0002613061490000092
Here Token_A_B is the token that company A's server issues to company B's server as an access credential, and expiry is the validity period of the token. Any token past its validity period cannot be used for data access, which effectively ensures the backward security of the accessed data. Likewise, the message is encrypted with company B's public key PK_B and signed by A. In addition, company A records on the application server the token issued to company B, the validity period of the token, the resources company B is allowed to access, and so on, to facilitate subsequent auditing.
Further, for example, as shown in fig. 6, when receiving a data access response of the second server, the first server obtains an authorization result of the second server from the block chain, then obtains a public key of the second server and a private key of the first server, verifies the authorization result through the public key of the second server, generates a second verification result, and when the second verification result is a verification result sent by the second server, decrypts the authorization result through the private key of the first server, generates a decrypted authorization result, and finally determines whether to perform data access based on the decrypted authorization result.
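The authorization step described above (audit, grant or denial, and the first server's check of the result), as an added example that is not code from the patent. It assumes RSA-OAEP encryption and RSA/SHA-256 signatures from Node's built-in crypto module, an array standing in for the blockchain, and hypothetical names and message fields (`seal`, `unseal`, `authorize`, `readAuthorization`, `checkToken`, `issuer`, `to`).

```javascript
// Added example: party names, message fields and helper names are assumptions.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const newParty = (id) => ({ id, ...crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) });

// Constructed parties: A is the second server (data owner), B the first server (applicant).
const A = newParty('company-A');
const B = newParty('company-B');

const chain = [];          // stand-in for the blockchain: an append-only list of records
const issued = new Map();  // A's local record of issued tokens, kept for later auditing

// Encrypt the payload for the recipient, then sign the ciphertext as the sender.
// RSA-OAEP with a 2048-bit key holds at most 190 bytes, enough for this small message.
function seal(payload, sender, recipientPublicKey) {
  const ciphertext = crypto.publicEncrypt(
    { key: recipientPublicKey, ...OAEP }, Buffer.from(JSON.stringify(payload)));
  const signature = crypto.sign('sha256', ciphertext, sender.privateKey);
  return { ciphertext: ciphertext.toString('base64'), signature: signature.toString('base64') };
}

// Verify the sender's signature first; decrypt only if it checks out.
function unseal(record, senderPublicKey, recipient) {
  const ciphertext = Buffer.from(record.ciphertext, 'base64');
  const signature = Buffer.from(record.signature, 'base64');
  if (!crypto.verify('sha256', ciphertext, senderPublicKey, signature)) return null;
  try {
    const plain = crypto.privateDecrypt({ key: recipient.privateKey, ...OAEP }, ciphertext);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // signed by the sender but not decryptable by this recipient
  }
}

// Second server (A): server-side audit against the authorized set, then grant or deny.
// Only applicant.id and applicant.publicKey are used; A never sees B's private key.
function authorize(applicant, authorizedSet, nowMs, ttlMs) {
  let payload = { type: 'deny', issuer: A.id, to: applicant.id };
  if (authorizedSet.has(applicant.id)) {
    const token = crypto.randomBytes(16).toString('hex');
    const expiry = nowMs + ttlMs;
    issued.set(token, { holder: applicant.id, expiry });
    payload = { type: 'grant', issuer: A.id, to: applicant.id, token, expiry };
  }
  const record = seal(payload, A, applicant.publicKey);
  chain.push(record);
  return record;
}

// First server (B): check the authorization result fetched from the chain.
function readAuthorization(record, nowMs) {
  const msg = unseal(record, A.publicKey, B);
  if (!msg) return { access: false, reason: 'unverified' };
  if (msg.issuer !== A.id || msg.to !== B.id) return { access: false, reason: 'wrong-party' };
  if (msg.type !== 'grant') return { access: false, reason: 'denied' };
  if (nowMs >= msg.expiry) return { access: false, reason: 'expired' };
  return { access: true, token: msg.token, expiry: msg.expiry };
}

// Second server (A): check a token when it is later presented for data access.
function checkToken(token, holderId, nowMs) {
  const entry = issued.get(token);
  return Boolean(entry) && entry.holder === holderId && nowMs < entry.expiry;
}
```

The `issuer` and `to` fields sit inside the encrypted payload so that the first server can compare them with the expected identities after decryption, in the spirit of the identification mark the claims describe.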
In the embodiment of the present application, as shown in fig. 7, the blockchain-based cross-platform application data security scheme provided by the present application separates the data from the shared access process: the data is still stored locally by each platform's application server, and the blockchain records only the access rules issued by each platform, other platforms' applications for access rights to the data, the data owner's authorization records for each applicant, and the like. By distributing different tokens and other access credentials to different data applicants, the data-owning platform can clearly know who accessed what data and when, which avoids illegal leakage of the requested data by malicious staff at the data applicant. Meanwhile, giving different tokens different validity periods effectively guarantees the backward security of the data and prevents the data from being illegally leaked during data sharing, thereby reducing the security risks of data sharing.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Referring to fig. 8, a schematic structural diagram of a data access right verification apparatus according to an exemplary embodiment of the present invention is shown, which is applied to a first service end. The data access permission verification system may be implemented as all or part of a computer device in software, hardware, or a combination of both. The device 1 comprises an access rule obtaining module 10, a time determining module 20, a public key obtaining module 30, a data creating module 40, a data encrypting module 50, a data signing module 60 and a message sending module 70.
an access rule obtaining module 10, configured to obtain an access rule generated in advance by a second server;
a time determining module 20, configured to determine, based on the access rule, an open time for the second server to access the resource;
a public key obtaining module 30, configured to obtain a public key of the second server when the current time meets the open time;
a data creating module 40, configured to create permission access data for accessing the second server and obtain a private key of the first server;
a data encryption module 50, configured to encrypt the permission access data based on the public key of the second server, and generate encrypted permission access data;
a data signature module 60, configured to digitally sign the encrypted permission access data according to the private key of the first server, and generate an access message of the first server;
a message sending module 70, configured to send the access message of the first server to the blockchain.
Referring to fig. 9, a schematic structural diagram of a data access right verification apparatus according to an exemplary embodiment of the present invention is shown, which is applied to a second server. The data access permission verification system may be implemented as all or part of a computer device in software, hardware, or a combination of both. The device 2 comprises a message acquisition module 10, a public key and secret key acquisition module 20, a result generation module 30, a decryption message generation module 40, an audit result generation module 50, an authorization result determination module 60 and a response module 70.
a message obtaining module 10, configured to obtain an access message of a first server from a blockchain when receiving a data access request of the first server;
a public key and private key obtaining module 20, configured to obtain a public key of the first server and a private key of the second server;
a result generating module 30, configured to verify the access message of the first server according to the public key of the first server, and generate a first verification result;
a decryption message generating module 40, configured to decrypt the access message of the first server through the private key of the second server, and generate a decrypted access message;
an audit result generating module 50, configured to audit the verification result and the decrypted access message according to a preset audit mode to generate an audit result;
an authorization result determining module 60, configured to determine an authorization result according to the audit result;
a response module 70, configured to encrypt the authorization result by using the public key of the first server, send the encrypted authorization result to the blockchain, and send a data access response to the first server.
It should be noted that, when the data access right verification system provided in the foregoing embodiment executes the data access right verification method, the division into the functional modules above is used only for illustration. In practical applications, the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the data access right verification system provided by the above embodiment and the data access right verification method embodiment belong to the same concept; details of its implementation are given in the method embodiment and are not repeated here.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the embodiment of the application, the blockchain-based cross-platform application data security scheme provided by the application separates the data from the shared access process: the data is still stored locally by each platform's application server, and the blockchain records only the access rules issued by each platform, other platforms' applications for access rights to the data, the data owner's authorization records for each applicant, and the like. By distributing different tokens and other access credentials to different data applicants, the data-owning platform can clearly know who accessed what data and when, which avoids illegal leakage of the requested data by malicious staff at the data applicant. Meanwhile, giving different tokens different validity periods effectively guarantees the backward security of the data and prevents the data from being illegally leaked during data sharing, thereby reducing the security risks of data sharing.
In one embodiment, a computer device is proposed, the computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program: the first server obtains an access rule generated in advance by the second server; the first server determines, based on the access rule, the open time of the second server for accessing the resource; when the current time falls within the open time, the first server obtains the public key of the second server; the first server creates permission access data for accessing the second server and obtains the private key of the first server; the first server encrypts the permission access data with the public key of the second server to generate encrypted permission access data; the first server digitally signs the encrypted permission access data with the private key of the first server to generate the access message of the first server; and the first server sends the access message of the first server to the blockchain and sends a data access request to the second server.
When the second server receives the data access request of the first server, it obtains the access message of the first server from the blockchain; the second server obtains the public key of the first server and the private key of the second server; the second server verifies the access message of the first server with the public key of the first server to generate a first verification result; the second server decrypts the access message of the first server with the private key of the second server to generate a decrypted access message; the second server audits the verification result and the decrypted access message according to a preset audit mode to generate an audit result; the second server determines an authorization result according to the audit result; and the second server encrypts the authorization result with the public key of the first server, sends it to the blockchain, and sends a data access response to the first server. When the first server receives the data access response of the second server, it obtains the authorization result of the second server from the blockchain; the first server obtains the public key of the second server and the private key of the first server; the first server verifies the authorization result with the public key of the second server to generate a second verification result; when the second verification result shows that the authorization result was sent by the second server, the first server decrypts the authorization result with the private key of the first server to generate a decrypted authorization result; and the first server determines whether to perform data access based on the decrypted authorization result.
In one embodiment, before the second server obtains the access message of the first server from the blockchain, the processor further performs the following steps: the second server obtains the public key of the second server and the parameter set of the second server; the second server digitally signs the parameter set of the second server with the private key of the second server to generate an access rule; and the second server encrypts the access rule with the public key of the second server and then publishes the encrypted access rule to the blockchain.
In one embodiment, when the processor performs the step in which the second server audits the verification result and the decrypted access message according to a preset audit mode to generate an audit result, the step includes: when the audit mode is manual audit and the verification result shows that the access message was sent by the first server, the second server receives an audit result instruction and generates the audit result based on that instruction; or, when the audit mode is server audit and the verification result shows that the access message was sent by the first server, the second server obtains a preset set of authorized servers, judges whether the first server is in the set of authorized servers, and generates the audit result.
In one embodiment, when the processor performs the step in which the second server determines an authorization result according to the audit result, the step includes: when the audit result is that the audit did not pass, the second server generates an access denial notification; the second server encrypts the access denial notification with the public key of the first server to obtain an encrypted access denial notification; and the second server digitally signs the encrypted access denial notification with the private key of the second server to generate the authorization result.
In one embodiment, when the processor performs the step in which the second server determines the authorization result according to the audit result, the step includes: when the audit result is that the audit passed, the second server generates an access credential and an access time; the second server encrypts the access credential and the access time with the public key of the first server to generate the encrypted access credential and access time; and the second server digitally signs the encrypted access credential and access time with the private key of the second server to generate the authorization result.
In one embodiment, a storage medium is provided that stores computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the following steps: the first server obtains an access rule generated in advance by the second server; the first server determines, based on the access rule, the open time of the second server for accessing the resource; when the current time falls within the open time, the first server obtains the public key of the second server; the first server creates permission access data for accessing the second server and obtains the private key of the first server; the first server encrypts the permission access data with the public key of the second server to generate encrypted permission access data; the first server digitally signs the encrypted permission access data with the private key of the first server to generate the access message of the first server; and the first server sends the access message of the first server to the blockchain and sends a data access request to the second server.
When the second server receives the data access request of the first server, it obtains the access message of the first server from the blockchain; the second server obtains the public key of the first server and the private key of the second server; the second server verifies the access message of the first server with the public key of the first server to generate a first verification result; the second server decrypts the access message of the first server with the private key of the second server to generate a decrypted access message; the second server audits the verification result and the decrypted access message according to a preset audit mode to generate an audit result; the second server determines an authorization result according to the audit result; and the second server encrypts the authorization result with the public key of the first server, sends it to the blockchain, and sends a data access response to the first server. When the first server receives the data access response of the second server, it obtains the authorization result of the second server from the blockchain; the first server obtains the public key of the second server and the private key of the first server; the first server verifies the authorization result with the public key of the second server to generate a second verification result; when the second verification result shows that the authorization result was sent by the second server, the first server decrypts the authorization result with the private key of the first server to generate a decrypted authorization result; and the first server determines whether to perform data access based on the decrypted authorization result.
In one embodiment, before the second server obtains the access message of the first server from the blockchain, the one or more processors further perform the following steps: the second server obtains the public key of the second server and the parameter set of the second server; the second server digitally signs the parameter set of the second server with the private key of the second server to generate an access rule; and the second server encrypts the access rule with the public key of the second server and then publishes the encrypted access rule to the blockchain.
In one embodiment, when the one or more processors perform the step in which the second server audits the verification result and the decrypted access message according to a preset audit mode to generate an audit result, the step includes: when the audit mode is manual audit and the verification result shows that the access message was sent by the first server, the second server receives an audit result instruction and generates the audit result based on that instruction; or, when the audit mode is server audit and the verification result shows that the access message was sent by the first server, the second server obtains a preset set of authorized servers, judges whether the first server is in the set of authorized servers, and generates the audit result.
In one embodiment, when the one or more processors perform the step in which the second server determines an authorization result according to the audit result, the step includes: when the audit result is that the audit did not pass, the second server generates an access denial notification; the second server encrypts the access denial notification with the public key of the first server to obtain an encrypted access denial notification; and the second server digitally signs the encrypted access denial notification with the private key of the second server to generate the authorization result.
In one embodiment, when the one or more processors perform the step in which the second server determines the authorization result according to the audit result, the step includes: when the audit result is that the audit passed, the second server generates an access credential and an access time; the second server encrypts the access credential and the access time with the public key of the first server to generate the encrypted access credential and access time; and the second server digitally signs the encrypted access credential and access time with the private key of the second server to generate the authorization result.
The blockchain-based cross-platform application data security scheme provided by the application separates the data from the shared access process: the data is still stored locally by each platform's application server, and the blockchain records only the access rules issued by each platform, other platforms' applications for access rights to the data, and the data owner's authorization records for each applicant. By distributing different tokens and other access credentials to different data applicants, the data-owning platform can clearly know who accessed what data and when, which avoids illegal leakage of the requested data by malicious staff at the data applicant. Meanwhile, giving different tokens different validity periods effectively guarantees the backward security of the data and prevents the data from being illegally leaked during data sharing, thereby reducing the security risks of data sharing.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the computer program is executed. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A data access right verification method is applied to a first service end, and is characterized by comprising the following steps:
acquiring an access rule generated in advance by a second server;
determining the open time of the second server for accessing the resource based on the access rule;
when the current time accords with the open time, acquiring a public key of a second server;
creating permission access data for accessing the second server and acquiring a private key of the first server;
encrypting the access permission data based on the public key of the second server to generate encrypted access permission data;
carrying out digital signature on the encrypted access data according to the private key of the first server to generate an access message of the first server;
and sending the access message of the first server to a block chain, and sending a data access request to the second server.
2. The method of claim 1, wherein after sending the access message of the first server to a block chain, further comprising:
when a data access response generated by the second server for the data access request is received, acquiring an authorization result generated by the second server for the data access request from a block chain; the authorization result is a result generated after the second server acquires the access message from the block chain for auditing when receiving the access request; the data access response is a response sent by the second service end aiming at the first service end after the second service end generates the authorization result;
acquiring a public key of a second server and a private key of a first server;
verifying the authorization result through the public key of the second server to generate a second verification result;
when the identification mark in the second verification result is the same as the identification mark of the second server, decrypting the authorization result through the private key of the first server to generate a decrypted authorization result; the identification mark is an identification parameter added when the second server generates the authorization result;
determining whether to perform data access based on the decrypted authorization result.
3. A data access right verification method is applied to a second server side, and is characterized by comprising the following steps:
when a data access request sent by a first server aiming at a second server is received, acquiring an access message sent by the first server aiming at the second server from a block chain;
acquiring a public key of a first server and a private key of a second server;
verifying the access message of the first server according to the public key of the first server to generate a first verification result;
when the identification mark in the first verification result is the same as the identification mark of the first service end, decrypting the access message of the first service end through the private key of the second service end to generate a decrypted access message; the identification mark is an identification parameter added when the first server generates the access message;
auditing the verification result and the decrypted access message according to a preset auditing mode to generate an auditing result;
determining an authorization result according to the auditing result;
and encrypting the authorization result through the public key of the first service end, sending the encrypted authorization result to the block chain, and sending a data access response to the first service end.
4. The method of claim 3, wherein before the obtaining the access message of the first service from the blockchain, the method further comprises:
acquiring a public key of a second server and a parameter set of the second server;
performing digital signature on the second server parameter set based on the private key of the second server to generate an access rule;
and encrypting the access rule according to the second server public key and then issuing the encrypted access rule to the block chain.
5. The method according to claim 3, wherein the preset auditing modes include a manual auditing mode and a server-side auditing mode;
the auditing of the verification result and the decrypted access message according to the preset auditing mode to generate the auditing result comprises:
when the auditing mode is manual auditing and the verification result is the access message sent by the first server, receiving an instruction of the auditing result and generating the auditing result based on the instruction; or
when the auditing mode is server auditing and the verification result is the access message sent by the first server, acquiring a preset authorization server set;
and judging whether the first server exists in the authorization server set, and generating the auditing result.
6. The method of claim 3, wherein determining the authorization result according to the audit result comprises:
when the audit result is not passed, generating an access denial notification;
encrypting the access denial notification through the public key of the first service end to obtain the encrypted access denial notification;
and performing digital signature on the encrypted access denial notification through a private key of the second server to generate an authorization result.
7. The method of claim 3, wherein determining the authorization result according to the audit result comprises:
when the auditing result is passed, generating an access credential and access time;
encrypting the access credential and the access time through the public key of the first service end to generate the encrypted access credential and the encrypted access time;
and digitally signing the encrypted access credential and the access time through a private key of the second server to generate an authorization result.
8. A data access right verification apparatus applied to a first service end, the apparatus comprising:
the access rule obtaining module is used for obtaining an access rule generated in advance by the second server;
the time determining module is used for determining the open time of the second server for accessing the resource based on the access rule;
the public key acquisition module is used for acquiring a public key of the second server when the current time accords with the open time;
the data creating module is used for creating access data of the authority for accessing the second service end and acquiring a private key of the first service end;
the data encryption module is used for encrypting the access permission data based on the public key of the second server to generate encrypted access permission data;
the data signature module is used for carrying out digital signature on the encrypted access data according to the private key of the first server to generate an access message of the first server;
and the message sending module is used for sending the access message of the first server to the block chain.
9. A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to carry out the steps of the data access rights verification method according to any one of claims 1 to 7.
10. A storage medium having stored thereon computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of data access rights verification according to any one of claims 1 to 7.
CN202010760949.7A 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium Active CN111914293B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010760949.7A CN111914293B (en) 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium
PCT/CN2020/124726 WO2021139338A1 (en) 2020-07-31 2020-10-29 Data access permission verification method and apparatus, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010760949.7A CN111914293B (en) 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111914293A true CN111914293A (en) 2020-11-10
CN111914293B CN111914293B (en) 2024-05-24

Family

ID=73287992

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010760949.7A Active CN111914293B (en) 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN111914293B (en)
WO (1) WO2021139338A1 (en)

CN111461883A (en) * 2020-03-31 2020-07-28 杭州溪塔科技有限公司 Transaction processing method and device based on block chain and electronic equipment

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107918731A (en) * 2016-10-11 2018-04-17 百度在线网络技术(北京)有限公司 Method and apparatus for controlling the authority to access to open interface
US20180167367A1 (en) * 2016-12-14 2018-06-14 Rhidian John Key pair infrastructure for secure messaging
CN107979590A (en) * 2017-11-02 2018-05-01 财付通支付科技有限公司 Data sharing method, client, server, computing device and storage medium
CN108471350A (en) * 2018-03-28 2018-08-31 电子科技大学成都研究院 Trust data computational methods based on block chain
US20200153637A1 (en) * 2018-11-09 2020-05-14 Tohoku University Information processing system, method for providing data, and method for building information processing system
CN109981665A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 Resource provider method and device, resource access method and device and system
US20200169387A1 (en) * 2019-07-31 2020-05-28 Alibaba Group Holding Limited Blockchain-based data authorization method and apparatus
CN110569666A (en) * 2019-09-03 2019-12-13 深圳前海微众银行股份有限公司 A method and device for data statistics based on blockchain
CN111046427A (en) * 2019-12-13 2020-04-21 北京启迪区块链科技发展有限公司 Block chain-based data access control method, device, equipment and medium
CN111461883A (en) * 2020-03-31 2020-07-28 杭州溪塔科技有限公司 Transaction processing method and device based on block chain and electronic equipment
CN111327643A (en) * 2020-05-15 2020-06-23 支付宝(杭州)信息技术有限公司 Multi-party data sharing method and device

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114519044A (en) * 2020-11-20 2022-05-20 富泰华工业(深圳)有限公司 Data query method, blockchain system, sharing device and query device
CN114969801A (en) * 2021-02-25 2022-08-30 山东浪潮质量链科技有限公司 Data authorization access method, device and medium based on block chain
CN113609221A (en) * 2021-07-27 2021-11-05 卓尔智联(武汉)研究院有限公司 Data storage method, data access device and storage medium
CN114039753A (en) * 2021-10-27 2022-02-11 中国联合网络通信集团有限公司 An access control method, device, storage medium and electronic device
CN114039753B (en) * 2021-10-27 2024-03-12 中国联合网络通信集团有限公司 Access control method and device, storage medium and electronic equipment
CN114679264B (en) * 2022-03-16 2023-12-08 亚信科技(成都)有限公司 Password generation method, device and storage medium
CN114679264A (en) * 2022-03-16 2022-06-28 亚信科技(成都)有限公司 Password generation method, device and storage medium
CN115037521A (en) * 2022-05-11 2022-09-09 广州小马智卡科技有限公司 Service data verification method, device, computer equipment and storage medium
CN115037521B (en) * 2022-05-11 2024-02-02 广州小马智卡科技有限公司 Service data verification method, device, computer equipment and storage medium
CN115052011A (en) * 2022-07-25 2022-09-13 深圳前海环融联易信息科技服务有限公司 Information interaction method and device based on block chain, storage medium and electronic equipment
CN115052011B (en) * 2022-07-25 2024-05-10 深圳前海环融联易信息科技服务有限公司 Information interaction method and device based on blockchain, storage medium and electronic equipment
CN115514578B (en) * 2022-11-01 2023-03-21 中国信息通信研究院 Block chain based data authorization method and device, electronic equipment and storage medium
CN115514578A (en) * 2022-11-01 2022-12-23 中国信息通信研究院 Block chain based data authorization method and device, electronic equipment and storage medium
CN116055057A (en) * 2023-01-10 2023-05-02 中国民航信息网络股份有限公司 Information sharing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN111914293B (en) 2024-05-24
WO2021139338A1 (en) 2021-07-15

Similar Documents

Publication Publication Date Title
CN111914293B (en) Data access right verification method and device, computer equipment and storage medium
CN113312664B (en) User data authorization method and user data authorization system
US8843415B2 (en) Secure software service systems and methods
CN109274652B (en) Identity information verification system, method and device and computer storage medium
US7526649B2 (en) Session key exchange
CN108684041B (en) System and method for login authentication
CN101872399B (en) Dynamic digital copyright protection method based on dual identity authentication
US11750397B2 (en) Attribute-based encryption keys as key material for key-hash message authentication code user authentication and authorization
EP2328107A2 (en) Identity controlled data center
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
Zelle et al. Anonymous charging and billing of electric vehicles
KR101817152B1 (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
CN113468591A (en) Data access method, system, electronic device and computer readable storage medium
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN110855426A (en) Method for software use authorization
CN110020869B (en) Method, device and system for generating block chain authorization information
CN111460400A (en) Data processing method and device and computer readable storage medium
CN111880919A (en) Data scheduling method, system and computer equipment
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
US20230376574A1 (en) Information processing device and method, and information processing system
US20240291651A1 (en) Embedded data harvesting
CN115442136A (en) Application system access method and device
TW201638826A (en) System for using trust token to make application obtain digital certificate signature from another application on device and method thereof
TWM505130U (en) System to use safety credential to obtain digital certificate signing of different programs on mobile device
CN114978771B (en) Data security sharing method and system based on blockchain technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant