CN113364735B - Data cross-link access control method, system, equipment and terminal under multi-link scene - Google Patents

Info

Publication number
CN113364735B
Authority
CN
China
Prior art keywords
data
chain
access
cross
domain
Legal status
Active
Application number
CN202110486731.1A
Other languages
Chinese (zh)
Other versions
CN113364735A (en)
Inventor
董学文
张志为
刘森鹏
崔志浩
沈玉龙
王建东
祝幸辉
宋阳子
习宁
Current Assignee
Xidian University
Original Assignee
Xidian University
Application filed by Xidian University
Priority to CN202110486731.1A
Publication of CN113364735A
Application granted
Publication of CN113364735B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of data access control and discloses a data cross-chain access control method, system, device and terminal in a multi-chain scenario. The method comprises the following stages: registration, data upload, putting data on chain, data access, putting access records on chain, and data acquisition. The invention meets the data cross-chain access control requirements of multi-chain scenarios. It proposes a cross-chain access control scheme that addresses the insufficient performance and capacity of blockchain technology under a single-chain architecture, and the inability of traditional technology to meet or realize the asset exchange and information exchange needs of complex cross-blockchain services. The invention allows asset exchange, data sharing and contract invocation between heterogeneous chains in a multi-chain scenario. The deployment architecture can be organized flexibly according to the scenario, has the core features of a general cross-chain transmission protocol and a heterogeneous transaction verification engine, and provides reliable underlying technical support for blockchain business security governance and the formation of a blockchain Internet.

Description

Data cross-chain access control method, system, device and terminal in a multi-chain scenario

Technical field

The invention belongs to the technical field of data access control, and in particular relates to a data cross-chain access control method, system, device and terminal in a multi-chain scenario.

Background

Blockchain applications and underlying technology platforms are currently flourishing, but each chain in mainstream blockchain applications is still mostly an independent, vertical, closed system. In commercial scenarios whose business forms are increasingly complex, there is no unified interconnection mechanism between chains, which greatly limits the liquidity of digital asset value on the blockchain. This is where the demand for cross-chain operation comes from.

Cross-chain refers to trusted interoperation between different ledgers, achieved by connecting relatively independent blockchain systems. According to what is exchanged, cross-chain operation can be roughly divided into digital asset exchange and information exchange. For digital asset exchange, asset exchange currently relies mainly on centralized exchanges, and the centralized approach is neither secure nor transparent in its rules. Decentralized asset exchange methods such as Uniswap, Curve and SushiSwap have also appeared in the industry, but most current decentralized asset trading can only exchange different contract assets on the same blockchain; decentralized exchange of cross-chain digital assets is still immature, and chains in fact remain isolated from one another. Information exchange is more complex to implement because it involves data synchronization between chains and the corresponding cross-chain calls. As a result, the barriers to interoperation between blockchain applications are extremely high, and on-chain information cannot be shared effectively.

On the other hand, blockchain technology under a single-chain architecture suffers from poor performance and insufficient capacity. A single chain is constrained by the trade-off between decentralization, scalability and security, and struggles to support commercial scenarios that need high transaction throughput and low latency. In addition, as a blockchain runs longer its storage requirement keeps growing, and the data can even grow past the capacity limit of a single chain's storage medium. A multi-layer, multi-chain architecture in which chains cooperate through cross-chain technology is therefore a desirable way to resolve the blockchain performance bottleneck. There is thus an urgent need for a data cross-chain access control method, system, device and terminal in a multi-chain scenario.

From the above analysis, the problems and defects of the prior art are:

(1) The centralized exchange method is neither secure nor transparent in its rules.

(2) Most current decentralized asset trading can only exchange different contract assets on the same blockchain. Decentralized exchange of cross-chain digital assets is still immature, and chains in fact remain isolated from one another.

(3) Information exchange is more complex to implement because it involves data synchronization between chains and the corresponding cross-chain calls. The barriers to interoperation between blockchain applications are therefore extremely high, and on-chain information cannot be shared effectively.

(4) Blockchain technology under a single-chain architecture suffers from poor performance and insufficient capacity. A single chain is constrained by the trade-off between decentralization, scalability and security, and struggles to support commercial scenarios that need high transaction throughput and low latency.

(5) As a blockchain runs longer its storage requirement keeps growing, and the data can even grow past the capacity limit of a single chain's storage medium, which greatly limits the healthy development of blockchain technology.

The difficulties in solving the above problems and defects are:

(1) Verification of cross-chain transactions: how to confirm that the block recording a transaction has received enough confirmations, i.e. the problem of data consistency among the distributed networks involved in the transaction;

(2) Atomicity of cross-chain transactions: how to manage the sub-transactions of a cross-chain transaction so that the transaction as a whole is atomic, i.e. a cross-chain transaction ends in only one of two states, completed or failed;

(3) Protocol adaptation between different blockchains: how to adapt between blockchains that use different architectures and protocols; the cross-chain protocol must define data structures, naming conventions and communication methods that are compatible with multiple heterogeneous blockchains.

The significance of solving the above problems and defects is as follows: by solving them, a data cross-chain access control scheme for multi-chain scenarios, combined with the decentralized, traceable and tamper-proof characteristics of blockchain, builds a highly scalable, robust and easily upgraded blockchain cross-chain platform. The platform provides a communication hub for decentralized applications, supports the efficient flow of trusted data assets on chain, serves blockchain business security governance, and provides reliable underlying technical support for the formation of a blockchain Internet, ensuring the security, flexibility and reliability of cross-chain transactions.

Summary of the invention

In view of the problems of the prior art, the present invention provides a data cross-chain access control method, system, device and terminal in a multi-chain scenario.

The present invention is implemented as follows. A data cross-chain access control method in a multi-chain scenario comprises the following steps:

Step 1, registration: the users or IoT devices in each domain register and authenticate their identity in their own home domain and obtain identity attribute information, so that the data of each user or IoT device is stored by category, which facilitates access control;

Step 2, data upload: encrypted data is uploaded to the server for storage. The data owner DO generates a random file key k, uses k with the symmetric encryption algorithm AES to encrypt the plaintext data M into the ciphertext C, uploads C to the server for storage, and records the metadata of M;

Step 3, putting data on chain: so that users can find the data already held on the server, the data owner DO sets the access structure policy tree T for the data, runs the CP-ABE algorithm under that access policy to encrypt the key k, producing ET(k), the ciphertext of the file's symmetric encryption key, generates a block from the metadata of step 2, the access policy and ET(k), and updates it to the data information chain;

Step 4, data access: access control is implemented through the relay chain. The data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 applies across chains, by calling the relay chain, for access to the domain D2 where the data resides; D2 makes a judgment on the applicant, and if the judgment succeeds, D1 transmits the ciphertext data to DU;

Step 5, putting access records on chain: data access is recorded. After the access control judgment of step 4 is finished, the domain where the data resides records the access request and its result on chain for later query and audit;

Step 6, data acquisition: the user decrypts to obtain the data. DU uses the CP-ABE algorithm to decrypt ET(k) in the data information chain and obtain the file key k, then uses k with the AES algorithm to decrypt the ciphertext C and obtain the plaintext data M.

Further, in step 2, the metadata of the data M includes the hash value, upload domain, file size, upload time and owner.

Further, in step 2, the data cross-chain call includes:

(1) During cross-chain access, application chain A in its domain D1 sends a cross-chain access request to application chain B in autonomous domain D2;

(2) Application chain A performs the cross-chain access by calling the relay chain. The relay chain authenticates the identity of the accessing chain and confirms its legitimacy, then maps the domain D1 attributes to domain D2 attributes through attribute mapping, so that the requester obtains domain D2 attributes;

(3) The relay chain generates a public-private key pair issued by D2 from the mapped D2 attribute set, distributes it to the data requester, and forwards the call request to application chain B;

(4) Application chain B transmits the ciphertext data to the data requester.

Further, in step 2 and step 6, the CP-ABE algorithm includes:

(1) System initialization algorithm (1^τ) → (PK, MK): takes a security parameter τ as input and outputs the system public key PK and the master key MK;

(2) Key generation algorithm (PK, MK, S) → (SK): takes an attribute set S, the master key MK and the public key PK as input and outputs the user private key SK;

(3) Encryption algorithm (PK, M, AS) → (CT): takes the plaintext M to be encrypted, the public key PK and the access structure AS as input and outputs the ciphertext CT, which contains the access policy;

(4) Decryption algorithm (PK, SK, CT) → (M): takes as input the ciphertext CT containing the access policy AS, the public key PK, and the private key SK generated from the attribute set; if the attribute set S satisfies the access policy, the user can successfully decrypt the plaintext M.

Further, the data cross-chain access control method in a multi-chain scenario also includes cross-domain data access, which includes:

(1) Attribute mapping between the cloud organizations in the blockchain network is completed, and the cross-chain service management platform maintains the attribute mapping table;

(2) The user registers an identity, and the user's public-private key pair and user attributes are generated automatically;

(3) The data owner DO generates a random file key k, uses k with a symmetric encryption algorithm to encrypt the plaintext data M into the ciphertext C, uploads C to the autonomous domain, and records the metadata of M. The metadata of M includes: the domain where the data resides FileAddr, the data keyword set Keywords, and the hash value hash of the encrypted file;

(4) DO sets the access structure policy tree T for the data and calls the attribute mapping interface of the cross-chain service management platform to extend the attribute mapping across domains;

(5) DO runs the CP-ABE algorithm to encrypt the key k and generate ET(k), generates a block from the metadata, the access policy and ET(k), and puts the generated file information on chain through the consensus algorithm;

(6) The data user DU can retrieve the information of all data in the multiple domains through the file information chain FIC, and calls the cross-chain interface to initiate a data access request;

(7) The cross-chain service management platform automatically queries the data access policy and the user attributes through the file information chain FIC and the relay chain and makes the access judgment. If the DU's attributes match the policy, go to step (9); otherwise access is denied and the process ends;

(8) The domain of the target chain transmits the data ciphertext C to DU;

(9) DU first obtains the file key k by decrypting ET(k) in the data information chain, then uses k to decrypt the ciphertext C and obtain the plaintext data.
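The access judgment of steps (6) and (7), with the record that is then written to the access record chain, as an added sketch that is not code from the patent. The mapping table contents, the attribute names, the threshold-gate encoding of the policy tree T and the hash-linked list standing in for the ARC are assumptions; the record fields are the ones the description lists for the ARC.

```python
import hashlib
import json

# Constructed attribute mapping table, as kept by the cross-chain service
# management platform: (requester domain, data domain) -> {D1 name: D2 name}.
ATTRIBUTE_MAP = {
    ("D1", "D2"): {"role:physician": "role:doctor",
                   "dept:cardio": "dept:cardiology"},
}

# Constructed FIC entry. The policy tree T uses threshold gates (k, children):
# AND is n-of-n, OR is 1-of-n, a leaf is an attribute name of the data domain.
SAMPLE_FIC_ENTRY = {
    "FileAddr": "D2",
    "Keywords": ["ecg", "2021"],
    "hash": hashlib.sha256(b"constructed ciphertext C").hexdigest(),
    "policy": (2, ["role:doctor", (1, ["dept:cardiology", "dept:icu"])]),
    "ET(k)": "<CP-ABE ciphertext of k, opaque to the platform>",
}

ZERO_HASH = "0" * 64


def map_attributes(attrs, src, dst, table=ATTRIBUTE_MAP):
    """Translate home-domain attributes into the data domain's vocabulary.

    Attributes with no table entry are dropped, so a name that merely looks
    like a D2 attribute but was issued by D1 carries no weight in D2.
    """
    if src == dst:
        return set(attrs)
    mapping = table.get((src, dst), {})
    return {mapping[a] for a in attrs if a in mapping}


def satisfies(node, attrs):
    """Evaluate policy tree T against an attribute set."""
    if isinstance(node, str):
        return node in attrs
    k, children = node
    if not 1 <= k <= len(children):
        # A 0-of-n gate would be satisfied by anyone: treat it as malformed.
        raise ValueError("threshold out of range")
    return sum(satisfies(child, attrs) for child in children) >= k


def record_digest(prev, record):
    body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AccessRecordChain:
    """Hash-linked list standing in for the ARC ledger (no consensus here)."""

    def __init__(self):
        self.blocks = []

    def append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else ZERO_HASH
        self.blocks.append({"prev": prev, "record": record,
                            "hash": record_digest(prev, record)})

    def verify(self):
        """Recompute every link; any edited record breaks the chain."""
        prev = ZERO_HASH
        for block in self.blocks:
            expected = record_digest(prev, block["record"])
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True


def request_access(du, domain, attrs, fic_entry, arc, file_time):
    """Map attributes, judge them against T, and record the outcome."""
    mapped = map_attributes(attrs, domain, fic_entry["FileAddr"])
    try:
        granted = satisfies(fic_entry["policy"], mapped)
    except (ValueError, TypeError):
        granted = False  # malformed policy: fail closed
    # Denials are recorded as well as grants, so the audit trail is complete.
    arc.append({"DU": du, "D": domain, "FileTime": file_time,
                "FileAddr": fic_entry["FileAddr"],
                "AccessResult": "granted" if granted else "denied"})
    return granted


if __name__ == "__main__":
    arc = AccessRecordChain()
    print(request_access("alice", "D1", {"role:physician", "dept:cardio"},
                         SAMPLE_FIC_ENTRY, arc, "2021-05-01T10:00:00Z"))
    print(request_access("bob", "D1", {"role:doctor", "dept:icu"},
                         SAMPLE_FIC_ENTRY, arc, "2021-05-01T10:05:00Z"))
    print(arc.verify())
```

The verdict here only gates delivery of the ciphertext C; recovering k still requires a CP-ABE private key whose attributes satisfy T, as in step (9).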

Further, the data cross-chain access control method in a multi-chain scenario also includes updating blocks through Raft, the consensus mechanism used for multi-cloud consensus. When a user in the system initiates a new proposal, the bookkeeping right of the current blockchain is held by the leader node, and the follower nodes carry out the specific work. The block update includes:

(1) The follower sends the proposal to the leader node;

(2) The leader node verifies the digital signature of the certificate. After verification passes, it packs the received digital certificate and the operation type into a block and broadcasts the block to all follower nodes;

(3) Each follower node verifies the block content and then returns a response to the leader node;

(4) After receiving responses from more than half of the nodes, the leader node notifies all follower nodes to confirm writing the block; the follower nodes then notify the nodes in their respective domains to update the blockchain, completing the ledger update.
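An added in-process simulation (not code from the patent) of the four block-update steps above, showing that acknowledgement by exactly half of the nodes is not enough to commit. HMAC stands in for the certificate's digital signature, the quorum is counted over the whole cluster with the leader included, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import json

CA_KEY = b"constructed-demo-key"  # stand-in for the certificate issuer's key
GENESIS = "0" * 64


def sign(cert):
    """HMAC used in place of the certificate's digital signature."""
    msg = json.dumps(cert, sort_keys=True).encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()


def block_hash(prev, payload):
    return hashlib.sha256(
        json.dumps([prev, payload], sort_keys=True).encode()).hexdigest()


class Node:
    def __init__(self, name, online=True):
        self.name, self.online, self.chain = name, online, []

    def tip(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS

    def validate(self, block):
        """Step (3): acknowledge only a block that extends our own tip and
        whose hash matches its content. An offline node does not answer."""
        if not self.online:
            return None
        return (block["prev"] == self.tip() and
                block["hash"] == block_hash(block["prev"], block["payload"]))


def propose(leader, followers, cert, signature, op_type):
    """Steps (2) to (4) as run by the leader for one proposal."""
    # Step (2): check the signature before anything is packed or broadcast.
    if not hmac.compare_digest(sign(cert), signature):
        return "rejected: bad signature"
    payload = {"cert": cert, "op": op_type}
    block = {"prev": leader.tip(), "payload": payload,
             "hash": block_hash(leader.tip(), payload)}
    # Step (3): collect acknowledgements from followers that validated it.
    acked = [f for f in followers if f.validate(block)]
    # Step (4): commit needs strictly more than half of the cluster.
    cluster_size = 1 + len(followers)
    if (1 + len(acked)) * 2 <= cluster_size:
        return "not committed: no majority"
    leader.chain.append(block)
    for f in acked:
        # Followers that missed the block stay behind; log catch-up for
        # them is outside this sketch.
        f.chain.append(block)
    return "committed"


if __name__ == "__main__":
    leader = Node("leader")
    followers = [Node("f1"), Node("f2", online=False), Node("f3", online=False)]
    cert = {"subject": "user-001", "domain": "D1"}  # constructed certificate
    print(propose(leader, followers, cert, sign(cert), "register"))
    followers[1].online = True
    print(propose(leader, followers, cert, sign(cert), "register"))
    print(propose(leader, followers, cert, "00", "register"))
```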

Another object of the present invention is to provide a data cross-chain access control system in a multi-chain scenario that applies the above method. The system includes:

A user module, composed of user entities, which are the actual participants in data calls; it is used for user identity registration, accessing data and uploading data;

A multi-chain autonomous module, composed of multiple service autonomous domains D, responsible for user identity registration and attribute issuance and for generating and distributing the keys used for attribute-based encryption, and also for recording data information; each domain has its own independently maintained data information chain and access record chain;

A data storage module, composed of cloud service providers (CSPs) with strong computing power and large storage capacity and of other IoT devices, responsible for data storage and download services.

Further, the user module includes an authentication unit for user identity registration and attribute assignment, an operation unit for uploading, downloading, modifying and otherwise acting on data according to the user's operation requests, and an access record chain ARC for recording users' access requests and the corresponding results.

The access record chain ARC includes the data access user DU, the domain D of the accessing user, the data access time FileTime, the domain where the data resides FileAddr, and the access result AccessResult.

The multi-chain autonomous module includes a consensus mechanism that uses the Raft protocol to bring the nodes in a domain to consensus, a relay chain for cross-chain calls and for mapping the differing attributes between domains, and a file information chain FIC that maintains the metadata of the data uploaded by the data owner DO.

The file information chain FIC includes the domain where the data resides FileAddr, the data keyword set Keywords, the hash value hash of the encrypted file, and ET(k), the ciphertext, produced by attribute-based CP-ABE encryption, of the symmetric encryption key the user used to encrypt the file.

The data storage module stores the data encrypted and uploaded by the data owner DO, accepts requests from the data visitor DU and provides the ciphertext download service.

Another object of the present invention is to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the following steps:

(1) Registration: the users or IoT devices in each domain register and authenticate their identity in their own home domain and obtain identity attribute information;

(2) Data upload: the data owner DO generates a random file key k, uses k with the symmetric encryption algorithm AES to encrypt the plaintext data M into the ciphertext C, uploads C to the server for storage, and records the metadata of M;

(3) Putting data on chain: the data owner DO sets the access structure policy tree T for the data, runs the CP-ABE algorithm under that access policy to encrypt the key k and generate ET(k), generates a block from the metadata of step 2, the access policy and ET(k), and updates it to the data information chain;

(4) Data access: the data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 applies across chains, by calling the relay chain, for access to the domain D2 where the data resides; D2 makes a judgment on the applicant, and if the judgment succeeds, D1 transmits the ciphertext data to DU;

(5) Putting access records on chain: after the access control judgment of step 4 is finished, the domain where the data resides records the access request and its result on chain for later query and audit;

(6) Data acquisition: DU uses the CP-ABE algorithm to decrypt ET(k) in the data information chain and obtain the file key k, then uses k with the AES algorithm to decrypt the ciphertext C and obtain the plaintext data M.

Another object of the present invention is to provide an information data processing terminal used to implement the data cross-chain access control system in a multi-chain scenario.

Taking all the above technical solutions together, the advantages and positive effects of the present invention are as follows. The data cross-chain access control method provided by the invention meets the data cross-chain access control requirements of multi-chain scenarios. It proposes a cross-chain access control scheme that addresses the insufficient performance and capacity of blockchain technology under a single-chain architecture, and the inability of traditional technology to meet or realize the asset exchange and information exchange needs of complex cross-blockchain services. The invention allows asset exchange, data sharing and contract invocation between heterogeneous chains in a multi-chain scenario. The deployment architecture can be organized flexibly according to the scenario and has the core features of a general cross-chain transmission protocol and a heterogeneous transaction verification engine, ensuring the security, flexibility and reliability of cross-chain transactions. The scheme provides a communication hub for decentralized applications, supports the efficient flow of trusted data assets on chain, and provides reliable underlying technical support for blockchain business security governance and the formation of a blockchain Internet.

Description of drawings

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of the data cross-chain access control method in a multi-chain scenario provided by an embodiment of the present invention.

FIG. 2 is a cross-chain access flowchart of the data cross-chain access control method provided by an embodiment of the present invention.

FIG. 3 is a structural block diagram of the data cross-chain access control system in a multi-chain scenario provided by an embodiment of the present invention;

In the figure: 1. user module; 2. multi-chain autonomous module; 3. data storage module.

FIG. 4 is a schematic structural diagram of the data cross-chain access control system in a multi-chain scenario provided by an embodiment of the present invention.

FIG. 5 is a schematic diagram of the cross-domain attribute mapping of the data cross-chain access control method provided by an embodiment of the present invention.

FIG. 6 is a cross-chain call flowchart of the data cross-chain access control method provided by an embodiment of the present invention.

FIG. 7 is a schematic diagram of the CP-ABE principle of the data cross-chain access control method provided by an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and not to limit it.

In view of the problems of the prior art, the present invention provides a data cross-chain access control method, system, device and terminal in a multi-chain scenario. The invention is described in detail below with reference to the drawings.

As shown in FIG. 1, the method for data cross-chain access control in a multi-chain scenario provided by an embodiment of the present invention includes the following steps:

S101, registration stage: the users or IoT devices in each domain perform identity registration and authentication in their respective home domains to obtain identity attribute information;

S102, data upload: the data owner DO generates a random file key k, encrypts the plaintext data M with the symmetric encryption algorithm AES under key k to produce the ciphertext C, uploads C to the server for storage, and at the same time records the metadata information of the data M;

S103, data on-chain: the data owner DO sets the access-structure policy tree T for the data and, in combination with the access policy, runs the CP-ABE algorithm to encrypt the key k, producing ET(k), the ciphertext of the file's symmetric encryption key; the metadata information from S102, the access policy and ET(k) are assembled into a block, which is appended to the data information chain;

S104, data access: the data requester DU initiates a data access request in its own domain D1; if cross-domain data is involved, D1 applies across chains, by calling the relay chain, for access to the domain D2 where the data is located; D2 makes a decision on the applicant, and if the decision succeeds, D1 transmits the ciphertext data to DU;

S105, access record on-chain: after the access control decision in S104 is finished, the domain where the data is located records the information about this access request and its result on the chain for subsequent query and audit;

S106, data acquisition: DU uses the CP-ABE algorithm to decrypt ET(k) in the data information chain and obtain the file key k, then uses k to decrypt the ciphertext C with the AES algorithm and obtain the plaintext data M.

The cross-chain access flowchart of the data cross-chain access control method provided by an embodiment of the present invention is shown in FIG. 2.

As shown in FIG. 3, the data cross-chain access control system in a multi-chain scenario provided by an embodiment of the present invention includes:

User module 1, composed of user entities, which are the actual participants in data calls; it is used for user identity registration, data access and data upload;

Multi-chain autonomous module 2, composed of multiple service autonomous domains D; it is responsible for user identity registration and attribute issuance, for generating and distributing the keys used for attribute encryption, and for recording data information. Each domain has its own independently maintained data information chain and access record chain;

Data storage module 3, composed of a cloud service provider CSP with powerful computing capability and large storage capacity together with other IoT devices; it is responsible for data storage and download services.

The schematic structural diagram of the data cross-chain access control system in a multi-chain scenario provided by an embodiment of the present invention is shown in FIG. 4.

The technical solutions of the present invention are further described below in conjunction with the embodiments.

Example 1

The data cross-chain access control system provided by an embodiment of the present invention includes:

A user module composed of user entities, which are the actual participants in data calls; it is used for user identity registration, data access and data upload.

A multi-chain autonomous module composed of multiple autonomous domains (domain, D); it is responsible for user identity registration and attribute issuance, for generating and distributing the keys used for attribute encryption, and for recording data information. Each domain has its own independently maintained data information chain and access record chain.

A data storage module composed of a cloud service provider (CSP) with powerful computing capability and large storage capacity together with other IoT devices; it is responsible for data storage and download services.

The user module provided by an embodiment of the present invention includes an authentication unit for user identity registration and attribute allocation, an operation unit for uploading, downloading, modifying and otherwise acting on data according to the user's operation requirements, and an access record chain ARC for recording users' access requests and the corresponding results.

Further, the access record chain ARC includes the data access user DU, the domain D where the access user is located, the data access time FileTime, the domain FileAddr where the data is located, and the access result AccessResult.

The multi-chain autonomous module provided by an embodiment of the present invention includes a consensus mechanism that uses the Raft protocol to bring the nodes to consensus, and a file information chain FIC that maintains the meta-information of the data uploaded by the data owner DO.

The file information chain FIC provided by an embodiment of the present invention mainly includes the domain FileAddr where the data is located, the data keyword set Keywords, the hash value hash of the encrypted file, and ET(k), the ciphertext obtained by encrypting, with attribute-based CP-ABE, the symmetric file encryption key the user used to encrypt the file.

The data storage module provided by an embodiment of the present invention stores the data encrypted and uploaded by the data owner (DO), accepts requests from the data user (DU), and provides a ciphertext download service.

Example 2

FIG. 5 is a schematic diagram of the cross-domain attribute mapping of the data cross-chain access control method provided by an embodiment of the present invention. In this model, every domain uses ciphertext-policy attribute-based encryption (CP-ABE) for data access control. The resource attributes of each domain are divided into general attributes and mapped attributes. General attributes are universally applicable attributes common to all domains, such as name, gender and age; mapped attributes are local attributes that apply only within their own domain and require attribute mapping on cross-domain calls. During cross-chain data access, the chain where the data resides completes the policy attribute mapping through the relay chain. When a user in any autonomous domain D1 sends a cross-chain access request to autonomous domain D2, attribute mapping can map the attributes in autonomous domain D2 to domain D1 through the relay chain, so that the user in domain D1 obtains attributes in domain D2 and can then perform access operations on certain resources in domain D2.

FIG. 6 is a flowchart of the data cross-chain access call of the present invention. The specific workflow is as follows:

Step 1: application chain A, in its domain D1, sends a cross-chain access request to application chain B in autonomous domain D2;

Step 2: application chain A performs the cross-chain access by calling the relay chain. The relay chain authenticates the identity of the accessing chain and confirms its legitimacy, then maps the domain D1 attributes to domain D2 attributes through attribute mapping, so that the requester obtains domain D2 attributes;

Step 3: the relay chain generates a public-private key pair issued by D2 from the mapped D2 attribute set, distributes it to the data requester, and forwards the call request to application chain B;

Step 4: application chain B transmits the ciphertext data information to the data requester.

FIG. 7 is a schematic diagram of the CP-ABE principle of the data cross-chain access control method provided by an embodiment of the present invention. The specific steps are as follows:

Step 1, system initialization algorithm (1^τ) → (PK, MK): input a security parameter τ; output the system public key PK and the master key MK;

Step 2, key generation algorithm (PK, MK, S) → (SK): input an attribute set S, the master key MK and the public key PK; output the user private key SK;

Step 3, encryption algorithm (PK, M, AS) → (CT): input the plaintext M to be encrypted, the public key PK and the access structure AS; output the ciphertext CT, which contains the access policy;

Step 4, decryption algorithm (PK, SK, CT) → (M): input the ciphertext CT containing the access policy AS, the public key PK and the private key SK generated from the attribute set; if the attribute set S satisfies the access policy, the user can successfully decrypt the plaintext M.
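The attribute mapping of FIG. 5 and FIG. 6 and the decryption condition of Step 4 ("the attribute set S satisfies the access policy") can be modelled without any cryptography. The following is an added example, not code from the patent: it performs only the authorization logic, and the attribute strings, the mapping table, the threshold-gate tree encoding and all function names are assumptions made for illustration.

```python
# Added example (not from the patent): authorization logic only, no CP-ABE cryptography.
# Attributes are "key:value" strings; every concrete value below is constructed.

# Keys of the general attributes named in the description (valid in every domain).
GENERAL_KEYS = {"name", "gender", "age"}

# Constructed relay-chain mapping table:
# (source domain, target domain) -> {local attribute: attribute in the target domain}
MAPPING_TABLE = {
    ("D1", "D2"): {
        "role:attending_physician": "role:doctor",
        "dept:cardiology": "dept:heart_center",
    },
}


def map_attributes(src, dst, attrs):
    """Return the attribute set the requester holds in the target domain."""
    if src == dst:
        return set(attrs)
    table = MAPPING_TABLE.get((src, dst), {})
    mapped = set()
    for attr in attrs:
        key = attr.split(":", 1)[0]
        if key in GENERAL_KEYS:
            mapped.add(attr)            # general attribute: crosses unchanged
        elif attr in table:
            mapped.add(table[attr])     # mapped attribute: translated by the relay chain
        # Fail closed: a local attribute with no mapping entry is dropped, even if
        # its string happens to equal an attribute name used in the target domain.
    return mapped


# Policy tree T as threshold gates: an inner node is (k, children) and is satisfied
# when at least k children are satisfied; a leaf is an attribute string.
def AND(*children):
    return (len(children), children)


def OR(*children):
    return (1, children)


def K_OF(k, *children):
    return (k, children)


def satisfies(node, attrs):
    """True if the attribute set satisfies the policy tree rooted at node."""
    if isinstance(node, str):
        return node in attrs
    threshold, children = node
    return sum(satisfies(child, attrs) for child in children) >= threshold


def request_access(du, home_domain, attrs, fic_entry, arc, file_time):
    """Decide one access request and record it, permit or deny, in the ARC list."""
    target = fic_entry["FileAddr"]
    # The mapped set is what the relay chain would feed to key generation (Step 3 of FIG. 6).
    effective = map_attributes(home_domain, target, attrs)
    permitted = satisfies(fic_entry["policy"], effective)
    arc.append({
        "DU": du, "D": home_domain, "FileTime": file_time,
        "FileAddr": target, "AccessResult": "permit" if permitted else "deny",
    })
    return permitted


# Constructed FIC entry for a file held in D2.
SAMPLE_FIC_ENTRY = {
    "FileAddr": "D2",
    "Keywords": ["ecg"],
    "policy": AND("role:doctor", OR("dept:heart_center", "dept:emergency")),
}

if __name__ == "__main__":
    arc = []
    alice = {"name:alice", "role:attending_physician", "dept:cardiology"}
    bob = {"name:bob", "role:doctor", "dept:heart_center"}  # D1-local names, not in the table
    print(request_access("alice", "D1", alice, SAMPLE_FIC_ENTRY, arc, "2021-05-01T10:00:00Z"))
    print(request_access("bob", "D1", bob, SAMPLE_FIC_ENTRY, arc, "2021-05-01T10:05:00Z"))
    print(arc)
```

Denied requests are recorded as well as permitted ones, matching S105, which records the access request and its result.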

In summary, the data cross-chain access control system meets the need for cross-chain data access in multi-chain scenarios. The cross-chain access control scheme is proposed to address the insufficient performance and capacity of blockchain technology under a single-chain architecture, and the inability of traditional techniques to meet, or their complexity in implementing, the asset-exchange and information-exchange requirements of cross-blockchain business. It allows asset exchange, data sharing and contract invocation between heterogeneous chains in multi-chain scenarios. The deployment architecture can be organized flexibly according to the scenario, and it has the core functional features of a general cross-chain transmission protocol and a heterogeneous transaction verification engine, ensuring the security, flexibility and reliability of cross-chain transactions. The scheme provides a communication hub for decentralized applications, supports the efficient flow of trusted on-chain data assets, and provides reliable underlying technical support for blockchain business security governance and the formation of a blockchain Internet.

The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in whole or in part in the form of a computer program product, the computer program product includes one or more computer instructions. When the computer program instructions are loaded or executed on a computer, the processes or functions described in the embodiments of the present invention are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).

The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any modification, equivalent replacement or improvement made by a person skilled in the art within the technical scope disclosed by the present invention, and within the spirit and principles of the present invention, shall fall within the protection scope of the present invention.

Claims (9)

1. A data cross-link access control method under a multi-link scene is characterized by comprising the following steps:
a registration stage: a user or Internet of Things device in each domain performs identity registration and authentication in its own home domain to acquire identity attribute information;
data uploading: a data owner DO generates a random file key k, encrypts plaintext data M with the symmetric encryption algorithm AES using the key k to generate a ciphertext C, uploads the ciphertext C to the server side for storage, and meanwhile records metadata information of the data M;
data uplink: the data owner DO sets the access structure policy tree T of the data, executes the CP-ABE algorithm in combination with the access policy to encrypt the key k and generate ET(k), generates a block from the metadata information, the access policy and ET(k), and updates it to the data information chain;
data access: the data requester DU initiates a data access request in its domain D1; if cross-domain data is involved, D1 applies across chains, by calling a relay chain, for access to the domain D2 where the data is located; D2 makes a decision on the applicant, and if the decision is successful, D2 transmits the ciphertext data to the DU;
access record uplink: after the access control decision is finished, the domain where the data is located records the relevant information of the access request and its result on the chain for subsequent query and audit;
data acquisition: the DU decrypts ET(k) in the data information chain by using the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k through the AES algorithm to obtain plaintext data M;
the data cross-chain calling comprises the following steps:
(1) for cross-chain access, application chain A, in its domain D1, sends a cross-chain access request to application chain B of autonomous domain D2;
(2) application chain A performs cross-chain access by calling the relay chain; the relay chain performs identity authentication and validity confirmation on the accessing chain, and maps the domain D1 attributes into domain D2 attributes through attribute mapping, so that the requester acquires the domain D2 attributes;
(3) the relay chain generates a public and private key pair issued by D2 according to the mapped D2 attribute set, distributes the public and private key pair to the data requester, and forwards the call request to application chain B;
(4) application chain B transmits the ciphertext data information to the data requester.
2. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the data M metadata information includes a hash value, an upload domain, a file size, an upload time, and an owner.
3. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the CP-ABE algorithm includes:
(1) system initialization algorithm (1^τ) → (PK, MK): inputting a security parameter τ, and outputting a system public key PK and a master key MK;
(2) key generation algorithm (PK, MK, S) → (SK): inputting an attribute set S, a master key MK and a public key PK, and outputting a user private key SK;
(3) encryption algorithm (PK, M, AS) → (CT): inputting a plaintext M to be encrypted, a public key PK and an access structure AS, and outputting a ciphertext CT containing the access policy;
(4) decryption algorithm (PK, SK, CT) → (M): inputting a ciphertext CT containing the access policy AS, and the public key PK and private key SK generated from the attribute set; if the attribute set S satisfies the access policy, the user can successfully decrypt the plaintext M.
4. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, wherein the method for controlling data cross-chain access in a multi-chain scenario further comprises data cross-domain access, and the data cross-domain access comprises:
(1) completing attribute mapping among all cloud organizations in a block chain network, and maintaining an attribute mapping table by a cross-chain service management platform;
(2) the user registers identity, and automatically generates a user public and private key pair and user attributes;
(3) a data owner DO generates a random file key k, executes a symmetric encryption algorithm using the key k to encrypt plaintext data M, generates a ciphertext C and uploads it to the autonomous domain, and records metadata information of the data M; wherein the metadata information of the data M includes: the domain FileAddr where the data is located, the data keyword set Keywords, and the hash value hash of the encrypted file;
(4) the DO sets the access structure policy tree T of the data, and invokes the attribute mapping interface of the cross-chain service management platform to complete the mapping expansion of the attributes between domains;
(5) the DO executes the CP-ABE algorithm to encrypt the key k and generate ET(k), generates a block from the metadata information, the access policy and ET(k), and puts the generated file information on the chain through a consensus algorithm;
(6) the data user DU can retrieve all data information under multiple domains through the file information chain FIC and call a cross-chain interface to initiate a data access request;
(7) the cross-chain service management platform automatically queries the data access policy and the user attributes through the file information chain FIC and the relay chain and makes an access decision; if the DU attributes match the policy, go to step (9); otherwise, access is refused and the process ends;
(8) the domain where the target chain is located transmits the data ciphertext C to the DU;
(9) the DU first obtains the file key k by decrypting ET(k) in the data information chain, and then obtains the plaintext data by decrypting the ciphertext C using k.
5. The method for controlling data cross-chain access in a multi-chain scenario according to claim 1, further comprising updating blocks with the consensus mechanism Raft based on multi-cloud consensus, wherein, when a user initiates a new proposal in the system, the follower node performs the following work because the accounting right of the current blockchain is held by the leader node; wherein the block update comprises:
(1) the follower sends the proposal behavior to the leader node;
(2) the leader node verifies the digital signature of the certificate, packs the received digital certificate and the operation type into a block after the verification is passed, and broadcasts the block to all the follower nodes;
(3) the follower node returns a response to the leader node after verifying the block content;
(4) after the leader node obtains responses from more than half of the nodes, it notifies all follower nodes to confirm writing the block, and notifies the follower nodes in each domain to update the blockchain, completing the ledger update.
6. A data cross-chain access control system under a multi-chain scene for implementing the data cross-chain access control method under the multi-chain scene according to any one of claims 1 to 5, wherein the data cross-chain access control system under the multi-chain scene comprises:
the user module consists of user entities, is an actual participant of data calling, and is used for registering user identities, accessing data and uploading data;
the multi-chain autonomous module consists of a plurality of service autonomous domains D and is used for being responsible for user identity registration and attribute issuance, generating and distributing a key for attribute encryption and simultaneously recording data information, and each domain has a data information chain and an access record chain which are independently maintained;
the data storage module consists of a cloud service provider CSP with strong computing capacity and large storage capacity and other Internet of things equipment and is used for being responsible for data storage and downloading services.
7. The system according to claim 6, wherein the user module includes an authentication unit for user identity registration and attribute assignment, an operation unit for uploading, downloading, modifying and the like of data according to user operation requirements, and an access record chain ARC for recording an access request of a user and a corresponding result;
the access record chain ARC comprises a data access user DU, a domain D where the access user is located, data access time FileTime, a domain FileAddr where the data is located and an access result AccessResult;
the multi-chain autonomous module comprises a consensus mechanism which adopts a Raft protocol to enable all nodes in a domain to achieve consensus, a relay chain which is used for performing cross-chain calling and inter-domain differentiated attribute mapping, and a file information chain FIC which is used for maintaining meta-information of data uploaded by a data owner DO;
the file information chain FIC comprises a field FileAddr where data are located, a data keyword set Keywords, a hash value hash of an encrypted file and a ciphertext ET (k) of a file symmetric encryption key used by a user encrypted file after being encrypted by an attribute base CP-ABE;
and the data storage module is used for storing the data which is encrypted and uploaded by the data owner DO, receiving the request of the data visitor DU and providing ciphertext downloading service.
8. A computer device, characterized in that the computer device comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to carry out the steps of:
(1) a registration stage: a user or Internet of Things device in each domain performs identity registration and authentication in its own home domain to acquire identity attribute information;
(2) data uploading: a data owner DO generates a random file key k, encrypts plaintext data M with the symmetric encryption algorithm AES using the key k to generate a ciphertext C, uploads the ciphertext C to a server for storage, and records metadata information of the data M;
(3) data uplink: the data owner DO sets the access structure policy tree T of the data, executes the CP-ABE algorithm in combination with the access policy to encrypt the key k and generate ET(k), generates a block from the metadata information in the second step, the access policy and ET(k), and updates it to the data information chain;
(4) data access: the data requester DU initiates a data access request in its domain D1; if cross-domain data is involved, D1 applies across chains, by calling a relay chain, for access to the domain D2 where the data is located; D2 makes a decision on the applicant, and if the decision is successful, D2 transmits the ciphertext data to the DU;
(5) access record uplink: after the access control decision in the fourth step is finished, the domain where the data is located records the relevant information of the access request and its result on the chain for subsequent query and audit;
(6) data acquisition: the DU decrypts ET(k) in the data information chain by using the CP-ABE algorithm to obtain the file key k, and then decrypts the ciphertext C with k through the AES algorithm to obtain plaintext data M;
the data cross-chain calling comprises the following steps:
(1) for cross-chain access, application chain A, in its domain D1, sends a cross-chain access request to application chain B of autonomous domain D2;
(2) application chain A performs cross-chain access by calling the relay chain; the relay chain performs identity authentication and validity confirmation on the accessing chain, and maps the domain D1 attributes into domain D2 attributes through attribute mapping, so that the requester obtains the domain D2 attributes;
(3) the relay chain generates a public and private key pair issued by D2 according to the mapped D2 attribute set, distributes the public and private key pair to the data requester, and forwards the call request to application chain B;
(4) application chain B transmits the ciphertext data information to the data requester.
9. An information data processing terminal, characterized in that the information data processing terminal is used for implementing the data cross-link access control system in the multi-link scenario as claimed in any one of claims 6 to 7.
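The block update procedure of claim 5 (leader verifies the certificate signature, packs a block, broadcasts it, and commits after more than half of the nodes respond) is sketched below as an added example; it is not code from the patent. It assumes an HMAC under a constructed key as a stand-in for the certificate's digital signature, counts the leader's own vote toward the majority as Raft does, and omits leader election and log catch-up; all class and function names are hypothetical.

```python
# Added example (not from the patent): the four block-update steps of claim 5.
import hashlib
import hmac
import json

# Assumption: an HMAC under this constructed key stands in for the digital signature.
CA_KEY = b"constructed-demo-key"


def sign_certificate(cert):
    return hmac.new(CA_KEY, cert.encode(), hashlib.sha256).hexdigest()


def block_hash(block):
    """SHA-256 over every field of the block except the hash itself."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(index, prev, cert, op):
    block = {"index": index, "prev": prev, "cert": cert, "op": op}
    block["hash"] = block_hash(block)
    return block


class Node:
    def __init__(self, name, online=True):
        self.name = name
        self.online = online
        # Every node starts from the same deterministic genesis block.
        self.chain = [make_block(0, "0" * 64, "", "genesis")]

    def validate(self, block):
        """Step (3): a follower checks the block content before responding."""
        if not self.online:
            return False
        tip = self.chain[-1]
        return (block["index"] == tip["index"] + 1
                and block["prev"] == tip["hash"]
                and block["hash"] == block_hash(block))

    def commit(self, block):
        """Step (4): write the block only if it extends this node's own tip."""
        if self.validate(block):
            self.chain.append(block)


class Leader(Node):
    def __init__(self, name, followers):
        super().__init__(name)
        self.followers = followers

    def propose(self, cert, signature, op):
        """Steps (1)-(4) for a proposal that a follower forwarded to the leader."""
        # Step (2): verify the signature over the certificate (constant-time compare).
        if not hmac.compare_digest(sign_certificate(cert), signature):
            return "rejected: bad signature"
        tip = self.chain[-1]
        block = make_block(tip["index"] + 1, tip["hash"], cert, op)
        # Step (3): gather responses; the leader's own vote counts (assumption).
        acks = 1 + sum(f.validate(block) for f in self.followers)
        cluster = 1 + len(self.followers)
        if acks * 2 <= cluster:
            return "rejected: no majority"
        # Step (4): confirm the write on the leader and on every reachable follower.
        self.commit(block)
        for follower in self.followers:
            follower.commit(block)
        return "committed"


if __name__ == "__main__":
    followers = [Node("f1"), Node("f2"), Node("f3", online=False), Node("f4", online=False)]
    leader = Leader("leader", followers)
    cert = "CN=user1,domain=D1"  # constructed certificate string
    print(leader.propose(cert, sign_certificate(cert), "register"))
    print(leader.propose(cert, "0" * 64, "register"))
```

A follower that was offline during a commit holds a stale tip and cannot acknowledge later blocks until it has caught up, which this sketch leaves out.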
CN202110486731.1A 2021-05-01 2021-05-01 Data cross-link access control method, system, equipment and terminal under multi-link scene Active CN113364735B (en)


Publications (2)

Publication Number Publication Date
CN113364735A CN113364735A (en) 2021-09-07
CN113364735B true CN113364735B (en) 2022-08-19

Family

ID=77525723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110486731.1A Active CN113364735B (en) 2021-05-01 2021-05-01 Data cross-link access control method, system, equipment and terminal under multi-link scene

Country Status (1)

Country Link
CN (1) CN113364735B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113722285B (en) * 2021-11-03 2022-02-11 江苏荣泽信息科技股份有限公司 Multi-chain-based cross-chain distributed file storage and verification system
CN114117469B (en) * 2021-11-05 2025-07-29 弥达斯科技(深圳)有限公司 Totally decentralised system-on-chain architecture
CN113837760B (en) * 2021-11-25 2022-08-26 腾讯科技(深圳)有限公司 Data processing method, data processing device, computer equipment and storage medium
CN114465730A (en) * 2022-01-10 2022-05-10 浙商银行股份有限公司 Internet of things equipment mutual authentication method and device based on block chain technology
CN114374700B (en) * 2022-01-10 2024-05-03 之江实验室 Trusted identity management method supporting wide area collaboration based on master-slave multiple chains
CN114511322A (en) * 2022-01-26 2022-05-17 江苏大学 Relay-based chain-handling cross-link structure and access control method thereof
CN114528346B (en) * 2022-01-27 2023-01-13 中科大数据研究院 Method for sharing transaction of multi-source heterogeneous data assets by depending on block chain
CN114531305B (en) * 2022-04-23 2022-07-19 东南大学 Block chain cross-chain supervision method for chain management
CN114553604B (en) * 2022-04-26 2022-07-08 南京邮电大学 A method for access control of IoT terminal nodes
CN114745198A (en) * 2022-05-05 2022-07-12 杭州云象网络技术有限公司 File management method, system and device based on block chaining operation and maintenance management
CN114866328A (en) * 2022-05-23 2022-08-05 南京理工大学 Block chain-based cross-domain access control method and system in edge computing environment
CN115499129B (en) * 2022-06-14 2024-09-10 广州链融信息技术有限公司 A multi-mode trust cross-chain consensus method, system, medium, device and terminal
CN115361110B (en) * 2022-07-04 2024-12-17 南京航空航天大学 Method for verifying correctness of block chain cross-chain interaction data calculation result
CN116015685B (en) * 2023-01-03 2025-08-05 江苏大学 A layered cross-chain supervision system for blockchain and its reuse implementation method
CN116800435B (en) * 2023-08-21 2023-12-19 成都信息工程大学 Access control methods, systems and storage media based on zero-knowledge proof and cross-chain
CN117914627B (en) * 2024-03-15 2024-07-19 北方健康医疗大数据科技有限公司 Data element circulation system based on DMZ network architecture
CN118413325B (en) * 2024-07-03 2024-09-13 贵州大学 Cross-chain data sharing method, device, medium and product
CN118900169A (en) * 2024-07-12 2024-11-05 四川大学 Supply chain-oriented secure cross-chain data interconnection and business collaboration method, device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112487443A (en) * 2020-11-11 2021-03-12 昆明理工大学 Energy data fine-grained access control method based on block chain

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003889B (en) * 2020-07-10 2022-11-08 南京邮电大学 Distributed cross-link system and cross-link information interaction and system access control method
CN112532591B (en) * 2020-11-06 2022-03-11 西安电子科技大学 Cross-domain access control method, system, storage medium, computer equipment and terminal
CN112287029B (en) * 2020-11-17 2023-05-16 北京物资学院 A blockchain multi-chain cross-chain system and its implementation mechanism
CN112637189B (en) * 2020-12-18 2022-06-24 重庆大学 Multi-layer blockchain cross-domain authentication method in IoT application scenarios

Also Published As

Publication number Publication date
CN113364735A (en) 2021-09-07

Similar Documents

Publication Publication Date Title
CN113364735B (en) Data cross-link access control method, system, equipment and terminal under multi-link scene
US11995618B2 (en) Blockchain network interaction controller
CN113132103B (en) Data cross-domain security sharing system and method
US11296937B2 (en) Decentralized data storage and processing for IoT devices
CN108683747B (en) Resource acquisition, distribution, download method, device, device and storage medium
CN112235420B (en) Blockchain-based data synchronization method, system and related equipment
CN111027970B (en) Authentication management method, device, medium and electronic equipment of block chain system
CN110602138A (en) Data processing method and device for block chain network, electronic equipment and storage medium
CN115412568B (en) Distributed data transmission methods, devices and systems
CN110543525A (en) Management and control method, device, equipment and storage medium of block chain network
WO2023221719A1 (en) Data processing method and apparatus, computer device, and readable storage medium
WO2023029655A1 (en) Data sharing method, network side device, system, electronic device, and storage medium
CN101542495B (en) Methods for delivering resources and methods for providing information
CN114172730B (en) Cross-chain method and intermediate system for combining file block chains in chain-up and chain-down
US20240330939A1 (en) Transaction uploading method, associated apparatus, and medium
CN111357023A (en) Method and system for transferring data in a blockchain system
US20250036793A1 (en) Data obfuscation and protection in a web3 environment
US11201857B2 (en) Domain transcendent file cryptology network
WO2024092929A1 (en) Cross-domain data authorization method and apparatus, and electronic device
KR102524515B1 (en) Method and Apparatus for providing distribution trust service based on block chain
CN114491468A (en) Equipment flow recording method, device, equipment and storage medium
CN120238959B (en) A fast and efficient content caching optimization method based on ZKP
CN117726446B (en) Method, system and equipment for cross-chain transaction of supervision digital asset
CN115914243B (en) Information processing method, device and storage medium
HK40038159A (en) Method and system for synchronizing data based on blockchain and relevant device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant