CN110784463A - A blockchain-based file storage and access method and system - Google Patents

Publication number
CN110784463A
CN110784463A CN201911020252.XA CN201911020252A CN110784463A CN 110784463 A CN110784463 A CN 110784463A CN 201911020252 A CN201911020252 A CN 201911020252A CN 110784463 A CN110784463 A CN 110784463A
Authority
CN
China
Prior art keywords
file
management module
access
user
subfile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911020252.XA
Other languages
Chinese (zh)
Other versions
CN110784463B (en
Inventor
杨忠勋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Yuanyishu Intelligent Technology Co ltd
Original Assignee
Shenzhen Supercomputer Technology Development Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Supercomputer Technology Development Co Ltd filed Critical Shenzhen Supercomputer Technology Development Co Ltd
Priority to CN201911020252.XA priority Critical patent/CN110784463B/en
Publication of CN110784463A publication Critical patent/CN110784463A/en
Application granted granted Critical
Publication of CN110784463B publication Critical patent/CN110784463B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Power Engineering (AREA)
  • Automation & Control Theory (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a blockchain-based file storage and access method and system, comprising file division, file encryption and signing, putting file information on-chain, file access authorization, and file reconstruction and sharing; finally, the reconstructed target file is encrypted and sent to the access user for the relevant read or write operation. The invention adopts separated file storage and a file management mechanism based on blockchain smart contracts. The file access rights management module exploits the main features of blockchain, such as openness, transparency and tamper resistance, which effectively enhances the security and traceability of file access. Dividing the file into multiple sub-files and encrypting them with different private keys prevents unilateral operation on the file. In addition, the sub-file information is stored encrypted on the blockchain, where it cannot be tampered with, which greatly enhances the security of the file information.

Description

A blockchain-based file storage and access method and system

Technical field

The present invention relates to the technical field of blockchain, and in particular to a blockchain-based file storage and access method and system.

Background

In human social activities, the storage, access and confidentiality of important files usually rely on a centralized management mechanism. For example, an administrator is granted file management permissions such as add, delete, read and write, and the file administrator manages the files centrally to ensure file management efficiency. However, this centralized approach of authorizing an administrator to manage files carries potential risks, such as tampering and information leakage.

Blockchain technology is a distributed ledger system comprising a series of technologies such as encryption and decryption, consensus mechanisms, peer-to-peer communication networks and chained storage, and is characterized by decentralization, self-trust, tamper resistance, traceability, openness and transparency. Meanwhile, blockchain smart contract technology provides an execution environment and development framework for distributed applications, greatly expanding the business application space of blockchain. Using blockchain technology to solve the management problems that arise in file management therefore has very high application potential.

Summary of the invention

The present invention proposes a blockchain-based file storage and access method and system, aiming to prevent an administrator from unilaterally operating on files and to reduce risks such as malicious or illegal modification of files and leakage of file information.

To achieve the above purpose, the blockchain-based file storage and access method proposed by the present invention comprises the following steps:

Step S1: file division. First define the set of sub-file division methods, the division method adopted and the control parameters, then divide the target file into several sub-files, each sub-file corresponding to one authorized user;

Step S2: file encryption and signing. Each authorized user encrypts and signs the corresponding sub-file and sends it to the file management module; the file management module verifies the signature and decides whether verification passes;

Step S3: putting file information on-chain. The file management module creates a blockchain smart contract, puts the encrypted sub-files that passed verification in step S2 and the information related to the encrypted sub-files on-chain, stores them in the blockchain smart contract, and backs up all encrypted files and encrypted sub-file information to the file storage module;

Step S4: file access authorization. For file access, the access user first sends a file access request to the file management module, and the file access rights management module notifies each authorized user to confirm authorization;

Step S5: file reconstruction and sharing. After all authorized users have confirmed their approval through the blockchain smart contract, each authorized user reads the encrypted sub-file from the blockchain smart contract, decrypts it into the corresponding sub-file, encrypts and signs it and, after successful verification, sends it to the file management module to obtain the reconstructed target file; finally the reconstructed target file is encrypted and sent to the access user for the relevant read or write operation;

For a read operation, the access user can view the file directly after decrypting the reconstructed target file;

For a write operation, after the access user submits the file information, it is submitted through the file management module to each authorized user for review; once the review passes, the file management module re-executes from step S1 to complete the file update.

Preferably, in step S1 the sub-files are denoted $A_1, A_2, A_3, \ldots, A_K$, where K is the number of sub-files; each sub-file corresponds to one authorized user, and the authorized user corresponding to $A_k$ is denoted k;

In steps S2 to S5, each authorized user processes the corresponding sub-file with its public and private keys, denoted $PubKey_k$ and $PrivKey_k$ respectively, and the sub-file encrypted by the authorized user is denoted $A_k^{cypher}$;

The file management module performs information judgment and access request decisions with its public and private keys, which are $PubKey_{fileManager}$ and $PrivKey_{fileManager}$ respectively. The sub-file obtained after the file management module encrypts the sub-file $A_k$ with the private key is denoted $A_k^M$, and its digest signature is denoted $Sig_k^M$.

The file management module verifies by comparing the target file digest with the target file signature digest. If the two are consistent, verification succeeds; otherwise verification fails;

The digest is obtained by a digest calculation function, file encryption and signatures by an asymmetric encryption function, and file decryption by an asymmetric decryption function.

Preferably, step S2 comprises the following steps:

a. File management module encryption and signing

First compute the digest of the target file A and sign it with the file management module's private key $PrivKey_{fileManager}$; the result is denoted $Sig$;

Then encrypt the sub-file $A_k$ with the public key $PubKey_k$ of authorized user k to obtain $A_k^M$;

Next, sign the digest of the sub-file $A_k$ with the file management module's private key $PrivKey_{fileManager}$ to obtain the sub-file signature, denoted $Sig_k^M$;

Finally, send $A_k^M$ and $Sig_k^M$ to authorized user k;

b. Authorized user sub-file encryption and signing

After each authorized user k receives $A_k^M$ and $Sig_k^M$, it performs the following operations:

b1. Sub-file restoration

First decode $A_k^M$ with the private key $PrivKey_k$ of authorized user k to obtain the sub-file $A_k$;

Then compute the digest of the sub-file $A_k$, denoted $H_k^U$;

Next, decode $Sig_k^M$ with the file management module's public key $PubKey_{fileManager}$ to obtain the digest $H_k^M$;

Finally, check digest consistency: if $H_k^U = H_k^M$, the sub-file is restored successfully and processing continues with the next step; otherwise restoration fails;

b2. Encrypted sub-file generation

First encrypt the sub-file $A_k$ with the public key $PubKey_k$ of authorized user k to obtain $A_k^{cypher}$;

Then encrypt $A_k^{cypher}$ with the file management module's public key $PubKey_{fileManager}$ to obtain $A_k^U$;

Next, generate the digest of $A_k^{cypher}$ and sign it with the private key $PrivKey_k$ of authorized user k to obtain $Sig_k^U$;

Finally, send $A_k^U$ and $Sig_k^U$ to the file management module.

The digest of a file is obtained by a digest calculation function, file encryption and signatures by an asymmetric encryption function, and file decryption by an asymmetric decryption function.

Preferably, creating the blockchain smart contract in step S3 means: defining the blockchain smart contract access authorization function and the blockchain smart contract access authorization decision function, putting the information related to the encrypted sub-files that passed verification on-chain, storing it in the blockchain smart contract, and backing up all encrypted files and encrypted sub-file information to the file storage module.

Preferably, in step S4 the file management module queries the blockchain smart contract to obtain the list of authorized users' public keys and sends an authorization review request to each authorized user; each authorized user calls the blockchain smart contract to decide on the access user's access request. Once all authorized users determined in the blockchain smart contract have approved, the blockchain smart contract sets the authorization decision state to passed and processing continues with the next step; otherwise the user authorization fails.

Preferably, step S5 comprises the following steps:

a. Authorized users decrypt sub-files

Authorized user k reads $A_k^{cypher}$ from the blockchain smart contract and decrypts it with its private key $PrivKey_k$ to obtain the sub-file $A_k$;

b. Authorized users encrypt sub-files and send them to the file management module

Each authorized user encrypts the sub-file $A_k$ with the file management module's public key $PubKey_{fileManager}$ to obtain $A_k^U$, then generates the digest of $A_k$ and signs it with the private key $PrivKey_k$ of authorized user k to obtain $Sig_k^U$, and sends $A_k^U$ and $Sig_k^U$ to the file management module;

c. The file management module rebuilds the target file from the sub-files, comprising the following steps:

c1. The file management module first decrypts $A_k^U$ with its private key $PrivKey_{fileManager}$ to obtain the sub-file $A_k$, computes the digest of $A_k$, denoted $H_k^M$, and recovers the digest $H_k^U$ of the sub-file $A_k$ from $Sig_k^U$; if $H_k^U = H_k^M$, the digest information of sub-file $A_k$ is verified successfully;

c2. The file management module reads $Sig_k^M$ from the blockchain smart contract and uses the file management module's public key to recover the digest $H_k^{BlockChain}$ corresponding to $Sig_k^M$; if $H_k^U = H_k^{BlockChain}$, the digest of sub-file $A_k$ is verified successfully against the blockchain information;

c3. The file management module reads the sub-file division configuration and control parameters stored in the blockchain smart contract and obtains the reconstructed target file, denoted $A_{reconstruct}$; it computes the digest of the reconstructed target file, denoted $H_{Reconstruct}$, and then uses the file management module's public key to recover the original digest corresponding to the signed digest $Sig$ stored in the blockchain smart contract, denoted $H_{BlockChain}$; if $H_{Reconstruct} = H_{BlockChain}$, the reconstructed target file $A_{reconstruct}$ is verified successfully against the information stored in the blockchain smart contract;

d. The file management module encrypts the target file and sends it to the access user

The file management module encrypts $A_{reconstruct}$ with the access user's public key to obtain the encrypted reconstructed target file, denoted $A_{access}$, obtains a signature with the management module's public key, denoted $Sig_{access}$, and sends $A_{access}$ and $Sig_{access}$ to the access user for the relevant read or write operation; the access user's public key is denoted $PubKey_{accessUser}$.
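The control flow of steps S1 and S3 to S5 can be sketched as follows. This is an added example, not code from the patent: the FileContract class is a hypothetical in-memory stand-in for the blockchain smart contract, SHA-256 and contiguous-chunk division are assumed choices, and the asymmetric encryption and signatures are left out, so the digests stored in the contract stand in for the digests the method recovers from $Sig$ and $Sig_k^M$.

```python
import hashlib


def digest(data):
    """Digest calculation function (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(data).hexdigest()


def split_file(target, k):
    """Step S1 with an assumed division method: K contiguous chunks."""
    size = -(-len(target) // k)  # ceiling division
    return [target[i * size:(i + 1) * size] for i in range(k)]


class FileContract:
    """Hypothetical in-memory stand-in for the blockchain smart contract."""

    def __init__(self, users, file_digest, sub_digests):
        self.users = list(users)              # authorized users, in sub-file order
        self.file_digest = file_digest        # plays the role of H_BlockChain
        self.sub_digests = dict(sub_digests)  # user k -> H_k^BlockChain
        self.requests = {}                    # request id -> voting state

    def open_request(self, request_id, access_user):
        """Step S4: an access user asks for the file."""
        self.requests[request_id] = {
            "by": access_user, "approved": set(), "denied": False}

    def vote(self, request_id, user, approve):
        """Access authorization function: only authorized users may vote."""
        if user not in self.sub_digests:
            raise PermissionError(f"{user} is not an authorized user")
        state = self.requests[request_id]
        if approve:
            state["approved"].add(user)
        else:
            state["denied"] = True

    def authorized(self, request_id):
        """Authorization decision function: passed only if every user approved."""
        state = self.requests[request_id]
        return not state["denied"] and state["approved"] == set(self.users)


def store(target, users):
    """Steps S1 and S3: split, hand one sub-file to each user, record digests."""
    if len(set(users)) != len(users):
        raise ValueError("authorized users must be distinct")
    held = dict(zip(users, split_file(target, len(users))))
    contract = FileContract(
        users, digest(target), {u: digest(p) for u, p in held.items()})
    return contract, held


def reconstruct(contract, request_id, submitted):
    """Step S5 c: rebuild the target file and check it against the contract."""
    if not contract.authorized(request_id):
        raise PermissionError("authorization decision state is not 'passed'")
    for user in contract.users:
        part = submitted.get(user)
        if part is None or digest(part) != contract.sub_digests[user]:
            raise ValueError(f"sub-file from {user} fails the on-chain digest check")
    rebuilt = b"".join(submitted[u] for u in contract.users)
    if digest(rebuilt) != contract.file_digest:
        raise ValueError("reconstructed file fails the on-chain digest check")
    return rebuilt


if __name__ == "__main__":
    sample = b"constructed sample: quarterly audit ledger v1"  # constructed input
    contract, held = store(sample, ["user1", "user2", "user3"])
    contract.open_request("req-1", "accessUser")
    for name in ("user1", "user2", "user3"):
        contract.vote("req-1", name, True)
    print(reconstruct(contract, "req-1", held) == sample)
```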

The blockchain-based file storage and access system proposed by the present invention comprises:

A file management module, used for generating sub-files from the target file, file encryption and decryption, putting file information on-chain, and file access authorization control;

Users, including authorized users and access users; an authorized user is a user with control rights over a sub-file, and an access user is a user who needs to view or change the target file;

A blockchain smart contract, used for on-chain storage of file information, collection of authorizations, decision-making and so on;

A file storage module, used for backing up file information.

Preferably, the file management module comprises a file access rights management module and a file information management module;

The file access rights management module is used to control read and write operations on the target file;

The file information management module is used to store files, file signatures, authorized users' public keys and the file management module's public key, and performs information judgment and access request decisions for the file access rights management module.

Compared with the prior art, the beneficial effects of the present invention are:

1. A separated file storage mechanism is used: the target file is divided into several sub-files, and each sub-file is encrypted and stored by one authorized user, who controls the operation rights on that sub-file.

2. File-related information is stored on the blockchain and used for reconstructing the target file and verifying information, ensuring that the information is not tampered with.

The file-related information stored on-chain includes, but is not limited to: the digest of the target file, the encrypted sub-files, the digests of the encrypted sub-files, the authorized users' public keys, the file management module's public key, and information about the file division.

3. Authorization of operations such as reading or changing a file is completed through the blockchain smart contract, which collects each authorized user's opinion on the access request and makes the authorization decision based on these opinions. After every authorized user has approved, all sub-files are obtained from the authorized users and the target file is reconstructed from the sub-files. If an authorized user does not approve, authorization fails.

The file access rights management module exploits the main features of blockchain, such as openness, transparency and tamper resistance, which effectively enhances the security and traceability of file access. Dividing the file into multiple sub-files and encrypting them with different private keys prevents unilateral operation on the file. In addition, the sub-file information is stored encrypted on the blockchain, where it cannot be tampered with, which greatly enhances the security of the file information.

Description of the drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from the structures shown in these drawings without creative effort.

Fig. 1 is a functional flow chart of the present invention;

Fig. 2 is a functional block diagram of the system of the present invention.

The realization of the purpose, the functional characteristics and the advantages of the present invention will be further described with reference to the drawings in conjunction with the embodiments.

具体实施方式Detailed ways

本发明提出的一种基于区块链的文件存储和访问方法,包括以下步骤:A block chain-based file storage and access method proposed by the present invention includes the following steps:

步骤S1:文件划分,首先定义子文件划分方式集合、采用的划分方式和控制参数,将目标文件划分成若干子文件,每个子文件对应一个权限用户;Step S1: file division, first define a set of sub-file division methods, adopted division methods and control parameters, and divide the target file into several sub-files, each sub-file corresponds to an authorized user;

Step S2: file encryption and signing. Each authorized user encrypts and signs its corresponding sub-file and sends it to the file management module, which verifies the signature and decides whether verification passes;

Step S3: file information on-chain. The file management module creates a blockchain smart contract, puts the encrypted sub-files verified in step S2 and their related information on the chain, stores them in the blockchain smart contract, and backs up all encrypted-file and encrypted-sub-file information to the file storage module;

Step S4: file access authorization. To access a file, the access user first sends a file access request to the file management module, and the file access rights management module notifies each authorized user to confirm authorization;

Step S5: file reconstruction and sharing. After all authorized users have confirmed their consent through the blockchain smart contract, each authorized user reads its encrypted sub-file from the blockchain smart contract, decrypts it into the corresponding sub-file, then encrypts and signs it; after successful verification it is sent to the file management module, which obtains the reconstructed target file and finally encrypts it and sends it to the access user for the relevant read or write operation;

For a read operation, the access user can view the reconstructed target file directly after decrypting it;

For a write operation, after the access user submits the file information, the file management module submits it to each authorized user for review; once the review passes, the file management module re-executes the procedure from step S1 to complete the file update.

In step S1, the sub-files are denoted A_1, A_2, A_3, ..., A_k; each sub-file corresponds to one authorized user, and the authorized user corresponding to A_k is denoted k;

In steps S2 to S5, each authorized user processes its sub-file with its public and private keys, denoted PubKey_k and PrivKey_k respectively; the sub-file encrypted by the authorized user is denoted A_k^{cypher};

The file management module uses its public and private keys for information checks and access-request decisions; these keys are PubKey_{fileManager} and PrivKey_{fileManager} respectively. The sub-file encrypted by the file management module is denoted A_k^M, and the file management module's signature over the digest of sub-file A_k is denoted Sig_k^M;

The file management module verifies by comparing the digest of the target file with the target file's signature digest: if the two are identical, verification succeeds; otherwise verification fails;

The digest is produced by a digest function, which may be a hash operation;

File encryption and signing are performed by an asymmetric encryption function, which may be an RSA encryption function or an elliptic-curve encryption function;

File decryption is performed by an asymmetric decryption function.

In this embodiment, the access user's operation is a read operation:

The target file A is a JSON file containing 4 items of information, as follows:

Figure BDA0002246430040000071

The file is divided using domain mode, denoted Mode2;

The number of authorized users is 2;

The public and private keys of authorized user 1 are PubKey_1 and PrivKey_1 respectively;

The public and private keys of authorized user 2 are PubKey_2 and PrivKey_2 respectively;

The public and private keys of the file management module are PubKey_{fileManager} and PrivKey_{fileManager} respectively;

The public and private keys of the access user are PubKey_{accessUser} and PrivKey_{accessUser} respectively;

The address of the access user is accessUserAddr;

With domain mode selected as the division method, file A is divided into two sub-files:

Sub-file A_1 is:

Sub-file A_2 is:

Figure BDA0002246430040000073

Step S2, file encryption and signing, comprises the following steps:

a. Encryption and signing by the file management module:

First compute the digest of target file A and sign it with the file management module's private key PrivKey_{fileManager}; the result is denoted Sig:

Sig = ECC(MD5(A), PrivKey_{fileManager})

where:

the digest algorithm is MD5;

the asymmetric encryption and decryption algorithm is elliptic-curve cryptography (ECC).

For each authorized user k = 1, 2:

Next, encrypt sub-file A_k with the public key PubKey_k of authorized user k to obtain A_k^M:

A_k^M = ECC(A_k, PubKey_k)

Then sign the digest of sub-file A_k with the file management module's private key PrivKey_{fileManager} to obtain the sub-file signature, denoted Sig_k^M:

Sig_k^M = ECC(MD5(A_k), PrivKey_{fileManager})

Finally, send A_k^M and Sig_k^M to authorized user k;

b. Sub-file encryption and signing by the authorized user:

After each authorized user k receives A_k^M and Sig_k^M, it performs the following operations:

b1. Sub-file restoration:

First decode A_k^M with the private key PrivKey_k of authorized user k to obtain sub-file A_k:

A_k = ECC^{-1}(A_k^M, PrivKey_k)

where ECC^{-1}() is the private-key decryption function corresponding to ECC().

Then compute the digest of sub-file A_k, denoted H_k^U:

H_k^U = MD5(A_k)

Next, decode Sig_k^M with the file management module's public key PubKey_{fileManager} to obtain the digest H_k^M:

H_k^M = ECC^{-1}(Sig_k^M, PubKey_{fileManager})

Finally, check that the digests agree: if H_k^U = H_k^M, the sub-file has been restored successfully and processing continues; otherwise restoration fails;

b2. Encrypted sub-file generation:

First encrypt sub-file A_k with the public key PubKey_k of authorized user k to obtain A_k^{cypher}:

A_k^{cypher} = ECC(A_k, PubKey_k)

Then encrypt A_k^{cypher} with the file management module's public key PubKey_{fileManager} to obtain A_k^U:

A_k^U = ECC(A_k^{cypher}, PubKey_{fileManager})

Next, generate the digest of A_k^{cypher} and sign it with the private key PrivKey_k of authorized user k to obtain Sig_k^U:

Sig_k^U = ECC(MD5(A_k^{cypher}), PrivKey_k)

Finally, send A_k^U and Sig_k^U to the file management module.

Here the file digest is produced by the digest function, file encryption and signing by the asymmetric encryption function, and file decryption by the asymmetric decryption function.

Step S3, file information on-chain, creates the blockchain smart contract. That is, a blockchain smart contract access authorization function and a blockchain smart contract access authorization decision function are defined; the information related to the encrypted sub-files that passed verification is put on chain and stored in the smart contract; and all encrypted-file and encrypted-sub-file information is backed up to the file storage module. The stored file information may include the following:

the digest of the target file, the encrypted sub-files, the digests of the encrypted sub-files, the public keys of the authorized users, the public key of the file management module, and the file division information.

Here,

the blockchain smart contract access authorization function is:

FileApprove(TargetFile, OPCode, "Agree" or "Disagree", accessUserAddr)

and the blockchain smart contract access authorization decision function is:

FileDecision(TargetFile, OPCode, accessUserAddr)

Table 1 shows the information stored in the blockchain smart contract.

Table 1

Figure BDA0002246430040000101

In step S4, file access authorization, the file management module queries the blockchain smart contract for the list of authorized users' public keys and sends an authorization review request to each authorized user. Each authorized user calls the blockchain smart contract to decide on the access user's request. Once all authorized users determined in the blockchain smart contract have given their consent, the blockchain smart contract sets the authorization decision status to passed and processing continues; otherwise, the user authorization has not passed.

Specifically, this comprises the following steps:

(1) The access user accessUserAddr sends an access request to the file management module:

FileRequest(TargetFile, OPCode)

where an OPCode of 0 denotes a read operation.

(2) The file management module queries the blockchain smart contract for the list of authorized users' public keys: PubKey_1 and PubKey_2.

(3) The file management module sends an authorization review request to authorized user 1 and authorized user 2;

(4) Each authorized user calls the blockchain smart contract to agree to the access request:

FileApprove(TargetFile, "0", "Agree", accessUserAddr)

(5) The file management module periodically calls the blockchain smart contract function

FileDecision(TargetFile, "0", accessUserAddr)

to trigger the file access authorization decision. After both authorized users have given their consent, the blockchain smart contract sets the authorization decision status to "Approved".
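The authorization flow in steps (1) to (5), as an added Python model that is not part of the patent text: every authorized user must agree before FileDecision returns "Approved", and each approval is bound to one (TargetFile, OPCode, accessUserAddr) request so it cannot be reused for another user or operation. The explicit caller argument (standing in for the on-chain transaction sender) and the "Pending" and "Rejected" states are assumptions; the page names only "Approved".

```python
"""In-memory model of the FileApprove / FileDecision flow (added example)."""


class FileAccessContract:
    FINAL = ("Approved", "Rejected")  # "Rejected" is an assumed state name

    def __init__(self, authorized_pubkeys):
        # Public keys of the authorized users registered when the file went on chain.
        self.authorized = frozenset(authorized_pubkeys)
        if not self.authorized:
            raise ValueError("at least one authorized user is required")
        self._votes = {}   # request key -> {pubkey: "Agree" | "Disagree"}
        self._status = {}  # request key -> final status

    @staticmethod
    def _key(target_file, opcode, access_user_addr):
        # An approval is only valid for this exact file, operation and requester.
        return (target_file, opcode, access_user_addr)

    def file_approve(self, caller, target_file, opcode, vote, access_user_addr):
        """Record one authorized user's vote. `caller` models the transaction sender."""
        if caller not in self.authorized:
            raise PermissionError("caller is not an authorized user of this file")
        if vote not in ("Agree", "Disagree"):
            raise ValueError("vote must be 'Agree' or 'Disagree'")
        key = self._key(target_file, opcode, access_user_addr)
        if self._status.get(key) in self.FINAL:
            raise RuntimeError("request has already been decided")
        self._votes.setdefault(key, {})[caller] = vote

    def file_decision(self, target_file, opcode, access_user_addr):
        """Return the decision; 'Approved' only when every authorized user agreed."""
        key = self._key(target_file, opcode, access_user_addr)
        if self._status.get(key) in self.FINAL:
            return self._status[key]
        votes = self._votes.get(key, {})
        if "Disagree" in votes.values():
            self._status[key] = "Rejected"
        elif set(votes) == self.authorized:
            self._status[key] = "Approved"
        else:
            return "Pending"  # assumed name for "not all users have voted yet"
        return self._status[key]


def run_read_request():
    """Replay the two-user read request from the embodiment; returns the status trace."""
    contract = FileAccessContract(["PubKey1", "PubKey2"])
    trace = [contract.file_decision("TargetFile", "0", "accessUserAddr")]
    contract.file_approve("PubKey1", "TargetFile", "0", "Agree", "accessUserAddr")
    trace.append(contract.file_decision("TargetFile", "0", "accessUserAddr"))
    contract.file_approve("PubKey2", "TargetFile", "0", "Agree", "accessUserAddr")
    trace.append(contract.file_decision("TargetFile", "0", "accessUserAddr"))
    return trace


if __name__ == "__main__":
    print(run_read_request())
```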

Step S5, file reconstruction and sharing, comprises the following steps:

a. The authorized user decrypts the sub-file:

Authorized user k reads A_k^{cypher} from the blockchain smart contract and decrypts it with the authorized user's private key PrivKey_k to obtain sub-file A_k;

b. The authorized user encrypts the sub-file and sends it to the file management module:

The file management module first encrypts sub-file A_k with the public key PubKey_{fileManager} to obtain A_k^U:

A_k^U = ECC(A_k, PubKey_{fileManager})

Then generate the digest of A_k^U and sign it with the private key PrivKey_k of authorized user k to obtain Sig_k^U:

Sig_k^U = ECC(MD5(A_k), PrivKey_k)

and send A_k^U and Sig_k^U to the file management module;

c. The file management module rebuilds the target file from the sub-files, in the following steps:

c1. The file management module first decrypts A_k^U with its private key PrivKey_{fileManager} to obtain sub-file A_k:

A_k = ECC^{-1}(A_k^U, PrivKey_{fileManager})

Compute the digest H_k^M of A_k:

H_k^M = MD5(A_k)

Recover the digest H_k^U of sub-file A_k:

H_k^U = ECC^{-1}(Sig_k^U, PubKey_k)

If H_k^U = H_k^M, the digest of sub-file A_k is verified successfully;

c2. Verify that the digest of sub-file A_k is consistent with the blockchain information:

The file management module reads Sig_k^M from the blockchain smart contract and computes the digest, denoted H_k^{BlockChain}:

H_k^{BlockChain} = ECC^{-1}(Sig_k^M, PubKey_{fileManager})

If H_k^U = H_k^{BlockChain}, the digest of sub-file A_k is successfully verified against the blockchain information;

c3. Restore the sub-files to the original target file:

(1) The file management module reads the sub-file division mode configuration and control parameters stored in the blockchain smart contract and obtains the reconstructed target file, denoted A_{reconstruct}:

A_{reconstruct} = Rec(A_1, A_2, Mode2, Null)

A_{reconstruct} is reconstructed as follows:

Figure BDA0002246430040000111

Compute the digest of the reconstructed target file, denoted H_{Reconstruct}:

H_{Reconstruct} = MD5(A_{reconstruct})

Then use the file management module's public key to recover, from the signature Sig stored in the blockchain smart contract, the original digest, denoted H_{BlockChain}:

H_{BlockChain} = ECC^{-1}(Sig, PubKey_{fileManager})

If H_{Reconstruct} = H_{BlockChain}, the reconstructed target file A_{reconstruct} is successfully verified against the information stored in the blockchain smart contract;
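Steps c2 and c3 as an added Python example (not from the patent): each returned sub-file is checked against the digest recorded on chain, the sub-files are merged, and the result is checked against the whole-file digest. It assumes domain mode (Mode2) splits a JSON object by field, uses constructed sample data because the page's figures are not reproduced, compares bare digests without the ECC signature layer, and uses SHA-256 where the page names MD5, since MD5 collisions are practical.

```python
import hashlib
import hmac
import json

# Constructed sample standing in for target file A (4 items); not from the page.
SAMPLE_A = {"owner": "alice", "account": "ACC-0001", "balance": 1200, "memo": "Q3 settlement"}


class VerificationError(Exception):
    """A sub-file or the rebuilt file disagrees with the chain record."""


def canonical(obj):
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def digest(obj):
    # SHA-256 is swapped in for the MD5 named on the page.
    return hashlib.sha256(canonical(obj)).hexdigest()


def split_by_field(target, assignment):
    """Assumed reading of Mode2: assignment maps user k -> the fields of A_k."""
    assigned = [f for fields in assignment.values() for f in fields]
    if sorted(assigned) != sorted(target):
        raise ValueError("every field must belong to exactly one authorized user")
    return {user: {f: target[f] for f in fields} for user, fields in assignment.items()}


def chain_record(target, subfiles):
    """Digests anchored on chain at step S3 (signatures omitted in this example)."""
    return {
        "mode": "Mode2",
        "file_digest": digest(target),
        "sub_digests": {user: digest(sub) for user, sub in subfiles.items()},
    }


def reconstruct(subfiles, record):
    """c2: check each A_k against the chain; c3: merge and check the whole file."""
    if set(subfiles) != set(record["sub_digests"]):
        raise VerificationError("a sub-file is missing or unexpected")
    merged = {}
    for user, sub in subfiles.items():
        if not hmac.compare_digest(digest(sub), record["sub_digests"][user]):
            raise VerificationError(f"sub-file of user {user} differs from the chain record")
        merged.update(sub)
    if not hmac.compare_digest(digest(merged), record["file_digest"]):
        raise VerificationError("rebuilt file differs from the chain record")
    return merged


if __name__ == "__main__":
    subs = split_by_field(SAMPLE_A, {1: ["owner", "account"], 2: ["balance", "memo"]})
    record = chain_record(SAMPLE_A, subs)
    print("rebuilt matches original:", reconstruct(subs, record) == SAMPLE_A)
    tampered = {1: subs[1], 2: dict(subs[2], balance=999999)}
    try:
        reconstruct(tampered, record)
    except VerificationError as exc:
        print("tampering detected:", exc)
```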

d. The file management module encrypts the target file and sends it to the access user:

The file management module encrypts A_{reconstruct} with the access user's public key PubKey_{accessUser} to obtain the encrypted reconstructed target file, denoted A_{access}:

A_{access} = ECC(A_{reconstruct}, PubKey_{accessUser})

It then produces a signature with the file management module's private key PrivKey_{fileManager}, denoted Sig_{access}:

Sig_{access} = ECC(MD5(A_{reconstruct}), PrivKey_{fileManager})

A_{access} and Sig_{access} are sent to the access user for the relevant read or write operation. The access user decrypts A_{access} with its own private key and verifies the integrity of A_{access} using Sig_{access}; once verification succeeds, the target file is obtained.

The invention uses the main properties of blockchain, such as openness, transparency and immutability, to effectively strengthen the security and traceability of file access. Dividing the file into multiple sub-files, each encrypted with a different private key, prevents any single party from operating on the file unilaterally. In addition, the sub-file information is stored encrypted on the blockchain and cannot be tampered with, which greatly strengthens the security of the file information.

The blockchain-based file storage and access system proposed by the invention, shown in Figure 2, comprises:

a file management module, which generates sub-files from the target file, encrypts and decrypts files, puts file information on chain, and controls file access authorization;

users, comprising authorized users and access users: an authorized user is a user with control rights over a sub-file, and an access user is a user who needs to view or change the target file;

a blockchain smart contract, used for on-chain storage of file information, collection of authorizations, decision-making and so on;

a file storage module, used to back up file information.

Specifically, the file management module comprises a file access rights management module and a file information management module;

The file access rights management module controls read and write operations on the target file;

The file information management module stores files, file signatures, authorized users' public keys and the file management module's public key, and performs information checks and access-request decisions for the file access rights management module.

The file management module of the invention uses separated file storage and a smart-contract-based file management mechanism;

Separated file storage works as follows: the target file is divided into several sub-files; the target file and each sub-file are encrypted with different keys; file digests are generated and signed; and the file information is put on chain so that it cannot be tampered with.

Specifically, this embodiment first defines the set of sub-file division modes, the division mode used and the control parameters, and divides the target file into several sub-files, each corresponding to one authorized user. The sub-files are denoted A_1, A_2, A_3, ..., A_K, where K is the number of sub-files, and the authorized user corresponding to A_k is denoted k. Each authorized user processes its sub-file with its public and private keys, denoted PubKey_k and PrivKey_k respectively; the sub-file encrypted by the authorized user is denoted A_k^{cypher}. The file management module uses its public and private keys, PubKey_{fileManager} and PrivKey_{fileManager} respectively, for information checks and access-request decisions; the sub-file encrypted by the file management module is denoted A_k^M, and the file management module's signature over the digest of sub-file A_k is denoted Sig_k^M.

The file management module then verifies by comparing the digest of the target file with the target file's signature digest: if the two are identical, verification succeeds; otherwise verification fails. The file management module creates the blockchain smart contract, puts the information related to the encrypted sub-files that passed verification on chain, and backs up all encrypted sub-file information to the file storage module or the blockchain smart contract.

The digest is produced by a digest function, which may be a hash operation;

File encryption and signing are performed by an asymmetric encryption function, which may be an RSA encryption function or an elliptic-curve encryption function;

File decryption is performed by an asymmetric private-key decryption function.

The smart-contract-based file management mechanism mainly comprises file information management and file access rights management;

File access rights management controls read and write operations on the target file. The access user first sends a file access request to the file access rights management module, which obtains the list of authorized users through the blockchain smart contract and notifies each authorized user to authorize. Once all authorized users have given their consent through the blockchain smart contract, the file access rights management module receives the encrypted sub-files and restores the target file, then encrypts it and sends it to the access user for the required operation;

File information management stores, in the file information management module, the files, file signatures, authorized users' public and private keys and the file management module's public and private keys, and performs information checks and access-request decisions for the file access rights management module.

Take a read operation by the access user as an example:

The target file is a JSON file containing 4 items of information, as follows:

Figure BDA0002246430040000141

The file is divided using domain mode, denoted Mode2;

The number of authorized users is 2;

The public and private keys of authorized user 1 are PubKey_1 and PrivKey_1;

The public and private keys of authorized user 2 are PubKey_2 and PrivKey_2;

The public and private keys of the file management module are PubKey_{fileManager} and PrivKey_{fileManager} respectively;

The public and private keys of the access user are PubKey_{accessUser} and PrivKey_{accessUser} respectively;

The address of the access user is accessUserAddr;

With domain mode selected as the division method, file A is divided into two sub-files:

Sub-file A_1 is:

Sub-file A_2 is:

Figure BDA0002246430040000143

File encryption and signing comprises the following steps:

a. Encryption and signing by the file management module:

First compute the digest of target file A and sign it with the file management module's private key PrivKey_{fileManager}; the result is denoted Sig:

Sig = ECC(MD5(A), PrivKey_{fileManager})

where:

the digest algorithm is MD5;

the asymmetric encryption and decryption algorithm is elliptic-curve cryptography (ECC).

For each authorized user k = 1, 2:

Next, encrypt sub-file A_k with the public key PubKey_k of authorized user k to obtain A_k^M:

A_k^M = ECC(A_k, PubKey_k)

Then sign the digest of sub-file A_k with the file management module's private key PrivKey_{fileManager} to obtain the sub-file signature, denoted Sig_k^M:

Sig_k^M = ECC(MD5(A_k), PrivKey_{fileManager})

Finally, send A_k^M and Sig_k^M to authorized user k;

b. Sub-file encryption and signing by the authorized user:

After each authorized user k receives A_k^M and Sig_k^M, it performs the following operations:

b1. Sub-file restoration:

First decode A_k^M with the private key PrivKey_k of authorized user k to obtain sub-file A_k:

A_k = ECC^{-1}(A_k^M, PrivKey_k)

where ECC^{-1}() is the private-key decryption function corresponding to ECC().

Then compute the digest of sub-file A_k, denoted H_k^U:

H_k^U = MD5(A_k)

Next, decode Sig_k^M with the file management module's public key PubKey_{fileManager} to obtain the digest H_k^M:

H_k^M = ECC^{-1}(Sig_k^M, PubKey_{fileManager})

Finally, check that the digests agree: if H_k^U = H_k^M, the sub-file has been restored successfully and processing continues; otherwise restoration fails;

b2. Encrypted sub-file generation:

First encrypt sub-file A_k with the public key PubKey_k of authorized user k to obtain A_k^{cypher}:

A_k^{cypher} = ECC(A_k, PubKey_k)

Then encrypt A_k^{cypher} with the file management module's public key PubKey_{fileManager} to obtain A_k^U:

A_k^U = ECC(A_k^{cypher}, PubKey_{fileManager})

Next, generate the digest of A_k^{cypher} and sign it with the private key PrivKey_k of authorized user k to obtain Sig_k^U:

Sig_k^U = ECC(MD5(A_k^{cypher}), PrivKey_k)

Finally, send A_k^U and Sig_k^U to the file management module.

Here the file digest is produced by the digest function, file encryption and signing by the asymmetric encryption function, and file decryption by the asymmetric decryption function.

File information on-chain creates the blockchain smart contract. That is, a blockchain smart contract access authorization function and a blockchain smart contract access authorization decision function are defined; the information related to the encrypted sub-files that passed verification is put on chain and stored in the smart contract; and all encrypted-file and encrypted-sub-file information is backed up to the file storage module. The stored file information may include the following:

the digest of the target file, the encrypted sub-files, the digests of the encrypted sub-files, the public keys of the authorized users, the public key of the file management module, and the file division information.

Here,

the blockchain smart contract access authorization function is:

FileApprove(TargetFile, OPCode, "Agree" or "Disagree", accessUserAddr)

and the blockchain smart contract access authorization decision function is:

FileDecision(TargetFile, OPCode, accessUserAddr)

Table 2 shows the information stored in the blockchain smart contract.

Table 2

Figure BDA0002246430040000171

File access authorization comprises the following:

The file management module queries the blockchain smart contract for the list of authorized users' public keys and sends an authorization review request to each authorized user. Each authorized user calls the blockchain smart contract to decide on the access user's request. Once all authorized users determined in the blockchain smart contract have given their consent, the blockchain smart contract sets the authorization decision status to passed and processing continues; otherwise, the user authorization has not passed.

Specifically, this comprises the following steps:

(1) The access user accessUserAddr sends an access request to the file management module:

FileRequest(TargetFile, OPCode)

where an OPCode of 0 denotes a read operation.

(2) The file management module queries the blockchain smart contract for the list of authorized users' public keys: PubKey_1 and PubKey_2.

(3) The file management module sends an authorization review request to authorized user 1 and authorized user 2;

(4) Each authorized user calls the blockchain smart contract to agree to the access request:

FileApprove(TargetFile, "0", "Agree", accessUserAddr)

(5) The file management module periodically calls the blockchain smart contract function

FileDecision(TargetFile, "0", accessUserAddr)

and triggers the file access authorization decision. After both authorized users have given their consent, the blockchain smart contract sets the authorization decision status to "Approved".

After file access authorization has been granted, file reconstruction and sharing is carried out in the following steps:

a. The authorized user decrypts the sub-file:

Authorized user k reads A_k^{cypher} from the blockchain smart contract and decrypts it with the authorized user's private key PrivKey_k to obtain sub-file A_k;

b. The authorized user encrypts the sub-file and sends it to the file management module:

The file management module first encrypts sub-file A_k with the public key PubKey_{fileManager} to obtain A_k^U:

A_k^U = ECC(A_k, PubKey_{fileManager})

Then generate the digest of A_k^U and sign it with the private key PrivKey_k of authorized user k to obtain Sig_k^U:

Sig_k^U = ECC(MD5(A_k), PrivKey_k)

and send A_k^U and Sig_k^U to the file management module;

c. The file management module rebuilds the target file from the sub-files, in the following steps:

c1. The file management module first decrypts A_k^U with its private key PrivKey_{fileManager} to obtain sub-file A_k:

A_k = ECC^{-1}(A_k^U, PrivKey_{fileManager})

Compute the digest H_k^M of A_k:

H_k^M = MD5(A_k)

Recover the digest H_k^U of sub-file A_k:

H_k^U = ECC^{-1}(Sig_k^U, PubKey_k)

If H_k^U = H_k^M, the digest of sub-file A_k is verified successfully;

c2. Verify that the digest of sub-file A_k is consistent with the blockchain information:

The file management module reads Sig_k^M from the blockchain smart contract and computes the digest, denoted H_k^{BlockChain}:

H_k^{BlockChain} = ECC^{-1}(Sig_k^M, PubKey_{fileManager})

If H_k^U = H_k^{BlockChain}, the digest of sub-file A_k is successfully verified against the blockchain information;

c3.将各子文件恢复为目标原始文件:c3. Restore each subfile to the target original file:

(1)文件管理模块读取区块链智能合约存储的子文件划分方式配置和控制参数获得重建目标文件,记为Areconstruct(1) The file management module reads the sub-file division configuration and control parameters stored in the blockchain smart contract to obtain the reconstruction target file, denoted as A reconstruct ,

Areconstruct=Rec(A1,A2,Mode2,Null)A reconstruct = Rec(A1, A2, Mode2, Null)

重建Areconstruct如下:Reconstruct A reconstruct as follows:

解出重建目标文件摘要,记为HReconstructSolve the summary of the reconstruction object file, denoted as H Reconstruct ,

HReconstruct=MD5(Areconstruct)H Reconstruct =MD5(A reconstruct )

再用文件管理模块公钥解出区块链智能合约存储的签名摘要Sig对应的原始摘要,记为HBlockChainThen use the public key of the file management module to solve the original abstract corresponding to the signature abstract Sig stored in the blockchain smart contract, denoted as H BlockChain ,

HBlockChain=ECC-1(Sig,PubKeyfileManager)H BlockChain = ECC -1 (Sig, PubKey fileManager )

若HReconstruct=HBlockChain,则重建目标文件Areconstruct与区块链智能合约储存信息验证成功;If H Reconstruct = H BlockChain , the reconstruction target file A reconstruct and the blockchain smart contract storage information are verified successfully;

d. The file management module encrypts the target file and sends it to the access user:

The file management module encrypts $A_{reconstruct}$ with the access user's public key $\mathrm{PubKey}_{accessUser}$ to obtain the encrypted reconstructed target file, denoted $A_{access}$,

$A_{access} = \mathrm{ECC}(A_{reconstruct}, \mathrm{PubKey}_{accessUser})$

Then the signature, denoted $Sig_{access}$, is obtained with the private key $\mathrm{PrivKey}_{fileManager}$ of the file management module,

$Sig_{access} = \mathrm{ECC}(\mathrm{MD5}(A_{reconstruct}), \mathrm{PrivKey}_{fileManager})$

$A_{access}$ and $Sig_{access}$ are sent to the access user for the related read or write operation. The access user decrypts $A_{access}$ with the user's private key and verifies the integrity of $A_{access}$ with $Sig_{access}$. Once verification succeeds, the target file is obtained.
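The three checks of step c (c1, c2, c3) can be exercised end to end with the added example below, which is not code from the patent. The page's ECC / ECC^-1 notation recovers a digest from a signature, so it is modelled here with textbook RSA on constructed toy keys; Rec() is assumed to be plain concatenation, the transport encryption of steps b and d is omitted, and every function and variable name is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys


def toy_keypair(p, q):
    """Textbook-RSA (public, private) pair from two known primes; insecure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def digest(data):
    """MD5 only to mirror the page's formulas; it is not collision-resistant."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(data, priv):
    """Sig = ECC(MD5(data), PrivKey) in the page's notation."""
    n, d = priv
    return pow(digest(data), d, n)


def recover(sig, pub):
    """H = ECC^-1(Sig, PubKey): the digest that was signed."""
    n, e = pub
    return pow(sig, e, n)


class VerificationError(Exception):
    """Raised with the label of the check that failed."""


def rebuild(submissions, contract, pub_users, pub_manager):
    """Steps c1-c3: check each sub-file, reassemble, check the whole file."""
    parts = []
    for k in sorted(contract["sig_sub"]):          # every sub-file recorded on chain
        if k not in submissions:
            raise VerificationError("missing")
        a_k, sig_u = submissions[k]
        h_u = recover(sig_u, pub_users[k])         # H_k^U
        if h_u != digest(a_k):                     # c1: H_k^U == H_k^M
            raise VerificationError("c1")
        if h_u != recover(contract["sig_sub"][k], pub_manager):
            raise VerificationError("c2")          # c2: H_k^U == H_k^BlockChain
        parts.append(a_k)
    a_rec = b"".join(parts)                        # assumed Rec(): concatenation
    if digest(a_rec) != recover(contract["sig_file"], pub_manager):
        raise VerificationError("c3")              # c3: H_Reconstruct == H_BlockChain
    return a_rec


def outcome(submissions, contract):
    """'ok' if rebuild succeeds, otherwise the label of the failed check."""
    try:
        rebuild(submissions, contract, PUB_USERS, PUB_MGR)
        return "ok"
    except VerificationError as err:
        return str(err)


# Constructed toy keys (Mersenne primes) and constructed sample data
PUB_MGR, PRIV_MGR = toy_keypair(2**127 - 1, 2**521 - 1)
KEYS = {1: toy_keypair(2**107 - 1, 2**607 - 1),
        2: toy_keypair(2**89 - 1, 2**1279 - 1)}
PUB_USERS = {k: pair[0] for k, pair in KEYS.items()}
TARGET = b"constructed target file: contract draft v3"
SUBFILES = {1: TARGET[:20], 2: TARGET[20:]}
CONTRACT = {
    "sig_file": sign(TARGET, PRIV_MGR),                              # Sig
    "sig_sub": {k: sign(a, PRIV_MGR) for k, a in SUBFILES.items()},  # Sig_k^M
}
HONEST = {k: (a, sign(a, KEYS[k][1])) for k, a in SUBFILES.items()}  # (A_k, Sig_k^U)

FORGED = b"FORGED" + SUBFILES[1][6:]
IN_TRANSIT = {**HONEST, 1: (FORGED, HONEST[1][1])}             # altered after signing
RESIGNED = {**HONEST, 1: (FORGED, sign(FORGED, KEYS[1][1]))}   # user signs new content
STALE = {**CONTRACT, "sig_file": sign(b"older version", PRIV_MGR)}
MISSING = {1: HONEST[1]}                                       # sub-file 2 withheld

if __name__ == "__main__":
    for name, subs, con in [("honest", HONEST, CONTRACT),
                            ("in transit", IN_TRANSIT, CONTRACT),
                            ("re-signed", RESIGNED, CONTRACT),
                            ("stale Sig", HONEST, STALE),
                            ("missing", MISSING, CONTRACT)]:
        print(f"{name:10s} -> {outcome(subs, con)}")
```

A sub-file altered after signing fails c1, while an authorized user who signs altered content passes c1 and is stopped only by c2, the comparison with the signature the file management module recorded on chain.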

The above are only preferred embodiments of the present invention and do not thereby limit its patent scope. Any equivalent structural transformation made under the inventive concept of the present invention using the contents of its description and drawings, or any direct or indirect application in other related technical fields, is included in the scope of patent protection of the present invention.

Claims (8)

1. A blockchain-based file storage and access method, characterized by comprising the following steps:
step S1: file division: first defining a set of sub-file division modes, the division mode adopted and the control parameters, and dividing a target file into a plurality of sub-files, each sub-file corresponding to an authorized user;
step S2: file encryption and signing: the authorized user encrypts and signs the corresponding sub-file and sends it to the file management module, and the file management module verifies the signature and decides whether verification passes;
step S3: putting file information on the chain: the file management module creates a blockchain smart contract, puts on the chain the encrypted sub-files that passed verification in step S2 and their related information, stores them in the blockchain smart contract, and backs up all encrypted files and encrypted sub-file information to the file storage module;
step S4: file access authorization: in the file access service, an access user first initiates a file access request to the file management module, and the file access authority management module notifies each authorized user to confirm authorization;
step S5: file reconstruction and sharing: after all authorized users have confirmed their authorization consent through the blockchain smart contract, the authorized users read the encrypted sub-files from the blockchain smart contract and decrypt them into the corresponding sub-files; after they are successfully signed and verified, they are sent to the file management module to obtain a reconstructed target file; finally, the reconstructed target file is encrypted and sent to the access user for the related read or write operation;
if the access user performs a read operation, the access user can view the target file directly after decrypting the reconstructed target file;
if the access user performs a write operation, then after the access user submits the file information, it is submitted through the file management module to each authorized user for review, and after the review passes, the file management module re-executes from step S1 to complete the file update.
2. The blockchain-based file storage and access method of claim 1, wherein in step S1 the sub-files are respectively denoted $A_1, A_2, A_3, \ldots, A_K$, where K is the number of sub-files, each sub-file corresponds to an authorized user, and the authorized user corresponding to $A_k$ is denoted k;
in steps S2 to S5, the authorized user processes the corresponding sub-file with its public and private keys, which are denoted $\mathrm{PubKey}_k$ and $\mathrm{PrivKey}_k$ respectively, and the sub-file encrypted by the authorized user is denoted $A_k^{cypher}$;
the file management module carries out information judgment and access request decisions with its public and private keys, which are $\mathrm{PubKey}_{fileManager}$ and $\mathrm{PrivKey}_{fileManager}$ respectively; the sub-file $A_k$ encrypted by the file management module with the private key is denoted $A_k^{M}$, and the digest signature is denoted $Sig_k^{M}$;
the file management module verifies by comparing the target file digest with the target file signature digest; if the two are consistent, verification succeeds, otherwise verification fails;
the digest is obtained by a digest calculation function, file encryption and signing are obtained by an asymmetric encryption function, and file decryption is obtained by an asymmetric decryption function.
3. The blockchain-based file storage and access method according to claim 2, wherein step S2 comprises the following steps:
a. encryption and signing by the file management module
First, the digest of the target file A is calculated and signed with the private key $\mathrm{PrivKey}_{Manager}$ of the file management module, the result being denoted $Sig$;
then the sub-file $A_k$ is encrypted with the public key $\mathrm{PubKey}_k$ of authorized user k to obtain $A_k^{M}$;
then the sub-file $A_k$ is signed with the private key $\mathrm{PrivKey}_{Manager}$ of the file management module to obtain the sub-file signature, denoted $Sig_k^{M}$;
finally, $A_k^{M}$ and $Sig_k^{M}$ are sent to authorized user k;
b. encryption and signing of the sub-file by the authorized user
After each authorized user k receives $A_k^{M}$ and $Sig_k^{M}$, the following operations are performed:
b1. sub-file recovery
First, $A_k^{M}$ is decrypted with the private key $\mathrm{PrivKey}_k$ of authorized user k to obtain the sub-file $A_k$;
then the digest of sub-file $A_k$ is computed, denoted $H_k^{U}$;
then $Sig_k^{M}$ is decoded with the public key $\mathrm{PubKey}_{fileManager}$ of the file management module to obtain the digest $H_k^{M}$;
finally, the consistency of the digests is checked: if $H_k^{U} = H_k^{M}$, the sub-file is successfully recovered and processing continues with the next step; otherwise recovery fails;
b2. encrypted sub-file generation
First, the sub-file $A_k$ is encrypted with the public key $\mathrm{PubKey}_k$ of authorized user k to obtain $A_k^{cypher}$;
then $A_k^{cypher}$ is encrypted with the public key $\mathrm{PubKey}_{fileManager}$ of the file management module to obtain $A_k^{U}$;
then the digest of $A_k^{cypher}$ is generated and signed with the private key $\mathrm{PrivKey}_k$ of authorized user k to obtain $Sig_k^{U}$;
finally, $A_k^{U}$ and $Sig_k^{U}$ are sent to the file management module.
The digest of the file is obtained by a digest calculation function, file encryption and signing are obtained by an asymmetric encryption function, and file decryption is obtained by an asymmetric decryption function.
4. The blockchain-based file storage and access method according to claim 2, wherein creating the blockchain smart contract in step S3 comprises: defining a blockchain smart contract access authorization function and a blockchain smart contract access authorization decision function respectively, putting the related information of the verified encrypted sub-files on the chain, storing it in the blockchain smart contract, and backing up all encrypted files and encrypted sub-file information to the file storage module.
5. The method according to claim 2, wherein in step S4 the file management module queries the blockchain smart contract to obtain the list of authorized users' public keys and sends an authorization review request to each authorized user; each authorized user invokes the blockchain smart contract to decide on the access user's access request; after all the authorized users determined in the blockchain smart contract have granted permission, the blockchain smart contract sets the authorization decision state to passed and the next step continues; otherwise, the user authorization is not passed.
6. The blockchain-based file storage and access method according to claim 2, wherein step S5 comprises the following steps:
a. the authorized user decrypts the sub-file
Authorized user k reads $A_k^{cypher}$ from the blockchain smart contract and decrypts it with the authorized user's private key $\mathrm{PrivKey}_k$ to obtain the sub-file $A_k$;
b. the authorized user encrypts the sub-file and sends it to the file management module
Each authorized user encrypts the sub-file $A_k$ with the public key $\mathrm{PubKey}_{fileManager}$ of the file management module to obtain $A_k^{U}$, then generates the digest of $A_k$ and signs it with the private key $\mathrm{PrivKey}_k$ of authorized user k to obtain $Sig_k^{U}$, and sends $A_k^{U}$ and $Sig_k^{U}$ to the file management module;
c. the file management module reconstructs the target file from the sub-files, comprising the following steps:
c1. the file management module first decrypts $A_k^{U}$ with the private key $\mathrm{PrivKey}_{Manager}$ to obtain the sub-file $A_k$, computes the digest of sub-file $A_k$, denoted $H_k^{M}$, and recovers the digest $H_k^{U}$ of sub-file $A_k$ from $Sig_k^{U}$; if $H_k^{U} = H_k^{M}$, the digest information of sub-file $A_k$ is verified successfully;
c2. the file management module reads $Sig_k^{M}$ from the blockchain smart contract and computes the digest, recovering with the public key of the file management module the digest $H_k^{BlockChain}$ corresponding to $Sig_k^{M}$; if $H_k^{U} = H_k^{BlockChain}$, the digest of sub-file $A_k$ is verified successfully against the blockchain information;
c3. the file management module reads the sub-file division mode configuration and control parameters stored in the blockchain smart contract and obtains the reconstructed target file, denoted $A_{reconstruct}$; it computes the digest of the reconstructed target file, denoted $H_{Reconstruct}$, and then uses the public key of the file management module to recover the original digest corresponding to the signed digest $Sig$ stored in the blockchain smart contract, denoted $H_{BlockChain}$; if $H_{Reconstruct} = H_{BlockChain}$, the reconstructed target file $A_{reconstruct}$ is verified successfully against the information stored in the blockchain smart contract;
d. the file management module encrypts the target file and sends it to the access user
The file management module encrypts $A_{reconstruct}$ with the public key of the access user to obtain the encrypted reconstructed target file, denoted $A_{access}$, obtains the signature $Sig_{access}$ with the public key of the management module, and sends $A_{access}$ and $Sig_{access}$ to the access user for the related read or write operation; wherein the public key of the access user is denoted $\mathrm{PubKey}_{accessUser}$.
7. A blockchain-based file storage and access system, comprising:
a file management module, used for generating sub-files from a target file, encrypting and decrypting files, putting file information on the chain and controlling file access authorization;
users, comprising authorized users and access users, wherein an authorized user is a user with control authority over a sub-file, and an access user is a user who needs to view or change a target file;
a blockchain smart contract, used for putting file information on the chain for storage, authorization gathering, decision making and the like;
and a file storage module, used for backing up file information.
8. The blockchain-based file storage and access system of claim 7, wherein
the file management module comprises a file access authority management module and a file information management module;
the file access authority management module is used for controlling read and write operations on the target file;
the file information management module is used for storing files, file signatures, authorized users' public keys and the file management module public key, and for performing information judgment and access request decisions for the file access authority management module.
CN201911020252.XA 2019-10-24 2019-10-24 A blockchain-based file storage and access method Active CN110784463B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911020252.XA CN110784463B (en) 2019-10-24 2019-10-24 A blockchain-based file storage and access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911020252.XA CN110784463B (en) 2019-10-24 2019-10-24 A blockchain-based file storage and access method

Publications (2)

Publication Number Publication Date
CN110784463A true CN110784463A (en) 2020-02-11
CN110784463B CN110784463B (en) 2021-08-31

Family

ID=69387590

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911020252.XA Active CN110784463B (en) 2019-10-24 2019-10-24 A blockchain-based file storage and access method

Country Status (1)

Country Link
CN (1) CN110784463B (en)


Also Published As

Publication number Publication date
CN110784463B (en) 2021-08-31


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230330

Address after: 528313 401-118, 4th Floor, Building 18, Shunlian Machinery City, No. 18, Xingye 4th Road, Guanglong Industrial Park, Chihua Neighborhood Committee, Chencun Town, Shunde District, Foshan City, Guangdong Province

Patentee after: Linker Technology (Foshan) Co.,Ltd.

Address before: 1303-1305, 13 / F, block B2, building 9, Shenzhen Bay science and technology ecological park, 1819 Shahe West Road, Yuehai street, Nanshan District, Shenzhen, Guangdong 518000

Patentee before: SHENZHEN COOS Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230605

Address after: 518000 Building A, Building 1, Shenzhen International Innovation Valley, Dashi 1st Road, Xili Community, Xili Street, Nanshan District, Shenzhen City, Guangdong Province, 1001

Patentee after: Shenzhen Qianshu Technology Co.,Ltd.

Address before: 528313 401-118, 4th Floor, Building 18, Shunlian Machinery City, No. 18, Xingye 4th Road, Guanglong Industrial Park, Chihua Neighborhood Committee, Chencun Town, Shunde District, Foshan City, Guangdong Province

Patentee before: Linker Technology (Foshan) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20241018

Address after: Building 3, Xunmei Technology Plaza, No. 8 Keyuan Road, Science Park Community, Yuehai Street, Nanshan District, Shenzhen City, Guangdong Province, 518000, China 16293

Patentee after: Shenzhen Yuanyishu Intelligent Technology Co.,Ltd.

Country or region after: China

Address before: 518000 Building A, Building 1, Shenzhen International Innovation Valley, Dashi 1st Road, Xili Community, Xili Street, Nanshan District, Shenzhen City, Guangdong Province, 1001

Patentee before: Shenzhen Qianshu Technology Co.,Ltd.

Country or region before: China