Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data sharing method provided by the application can be applied to the application environment shown in fig. 1a. The first security domain and the second security domain in fig. 1a each comprise at least one device, or at least one type of device; the first security domain in fig. 1a may be deployed on a computer device or a terminal device in any field, where the computer device and the terminal device include, but are not limited to, personal computers, laptops, tablets, wearable devices, and the like, and the types of the first security domain and the second security domain are not limited in the embodiments of the present application.
Based on fig. 1a, a first security domain may issue an access request to a second security domain, i.e. an access user in the first security domain requests access to the second security domain; the second security domain may also issue an access request to the first security domain, i.e. an access user in the second security domain requests access to the first security domain. The terms first security domain and second security domain are only used to distinguish different security domains and do not limit any other information.
The embodiment of the application provides a data sharing method, which can prevent data leakage during the data sharing process and ensure the security and trustworthiness of the data sharing process.
The following describes in detail the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems by embodiments and with reference to the drawings. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments.
Before specifically describing the embodiments of the present application, the first security domain and the access user of the embodiments of the present application are described. Referring to fig. 1b, security domains A and B represent two different security domains in a data sharing process; the object of the access request in the data sharing process differs from case to case, and so does what the first security domain and the second security domain specifically refer to. For example, in fig. 1b, when the object of the access request in the data sharing process is security domain A, the first security domain in the embodiment of the present application is security domain A, the second security domain is security domain B, and the access user refers to the access user in security domain B; conversely, when the object of the access request in the data sharing process is security domain B (i.e. security domain B is the data sharing domain), the first security domain in the embodiment of the present application refers to security domain B, the second security domain refers to security domain A, and the access user refers to the access user in security domain A.
It should be further noted that, when the access user sends the access request to the first security domain, a data access process and a data storage process are involved, and whether security domain A shares data with security domain B or security domain B shares data with security domain A, the data access process and the data storage process are the same. Specifically, before an access user in security domain A sends an access request to security domain B, security domain B first needs to store the data to be shared, and then the access user in security domain A accesses the stored data in security domain B by the access method; before an access user in security domain B sends an access request to security domain A, security domain A first needs to store the data to be shared, and then the access user in security domain B accesses the stored data in security domain A by the access method.
The data access process is described below with reference to specific embodiments.
In an embodiment, as shown in fig. 2, a data sharing method is provided, where the embodiment relates to a specific process in which a first security domain performs cross-domain security authentication on an access user in response to a data access request of the access user, and sends decryption information of a target data file to the access user if the cross-domain security authentication of the access user passes. This embodiment comprises the steps of:
S201, in response to a data access request of an access user, the first security domain performs cross-domain security verification on the access user; the data access request is used for requesting access to a target data file stored in the first security domain; the access user is a user in the second security domain; the first security domain and the second security domain are different security domains.
A security domain is a set of logical assets or physical assets with the same security requirements. The principle for dividing security domains is to place all computers with the same security level or the same security requirements in the same network segment, carry out access control at the boundary of that segment, and control access between different security domains by configured policy. The access user is the user who issues a data access request in order to access data in another security domain.
The first security domain responds to a data access request of an access user, where the data access request may carry the data information that the access user needs to access in the first security domain, and may also carry the identity information of the access user.
When the first security domain receives a data access request of an access user, it first performs cross-domain security verification on the access user, i.e. verifies whether the identity of the access user is a trusted access user identity.
The target data file is data which the access user needs to access to the first security domain, the form of the target data file can be at least one message or file, and the type of the target data file is not limited in practical application.
In one embodiment, the first security domain responds to a data access request of an access user; the data access request information may be sent by the access user to the first security domain and received directly by the first security domain, where it may be sent as an HTTP POST or GET request.
Optionally, the mode that the first security domain performs cross-domain authentication on the access user may be that the first security domain sends the received data access request to a cross-domain federation chain, and the cross-domain federation chain detects whether the data access request information is correct.
In the foregoing, the access request objects in the data sharing process are different, and the specific reference of the first security domain and the specific reference of the second security domain are also different, so in the scenario of fig. 3, the first security domain refers to security domain a, the second security domain refers to security domain B, the access user refers to the access user in security domain B, and based on the scenario, after receiving the data access request of the access user in security domain B, security domain a performs cross-domain security authentication on the access user in security domain B.
In the scenario of fig. 4, the first security domain refers to security domain B, the second security domain refers to security domain A, and the access user refers to the access user in security domain A; based on this scenario, after receiving the data access request of the access user of security domain A, security domain B performs cross-domain security authentication on the access user of security domain A.
The cross-domain alliance chain is also called a cross-domain alliance block chain, and can store the behavior of a cross-domain data access request of an access user, and digital identity certificates and certificate authorization records of each security domain, and are commonly maintained by identity authentication service nodes and an access control center of each security domain.
S202, if the cross-domain security verification of the access user passes, sending decryption information of the target data file to the access user; the decryption information is used for indicating an access user to decrypt the encrypted data of the target data file to obtain the target data file.
In the above embodiment, the first security domain performs cross-domain security authentication on the data access request of the access user, and if the cross-domain security authentication of the access user passes, the first security domain sends the decryption information of the target data file to the access user; the access user can then decrypt the encrypted data of the target data file according to the decryption information to obtain the target data file it requested.
Optionally, the first security domain sends the decryption information of the target data file to the access user as an HTTP GET or POST response.
In an embodiment, the decryption information may instruct the access user to decrypt the encrypted data of the target data file, and the decryption manner may be to decrypt the encrypted data of the target data file according to a preset decryption algorithm to obtain the target data file.
In another embodiment, the decryption information may indicate the access user to decrypt the encrypted data of the target data file, the decryption mode may also be decryption through a preset neural network model, the decryption information of the target data file and the encrypted data of the target data file are used as inputs of the neural network model, and the target data file is finally output through training of the neural network model.
In another embodiment, the decryption information may instruct the access user to decrypt the encrypted data of the target data file, and the decryption method may also be a preconfigured decryption program, where the decryption information of the target data file and the encrypted data of the target data file are used as input data of the decryption program, and the target data file is obtained after the preconfigured decryption program is run.
Continuing with the scenario illustrated in fig. 3 and 4 above.
In the scenario of fig. 3, if the cross-domain security authentication of the access user passes, the decryption information of the target data file is sent to the access user, specifically, the security domain a performs the cross-domain security authentication on the access user of the security domain B, and if the cross-domain security authentication of the access user in the security domain B passes, the security domain a sends the decryption information of the target data file to the access user of the security domain B, and the decryption information may indicate the access user of the security domain B to decrypt the encrypted data of the target data file.
In the scenario of fig. 4, if the cross-domain security authentication of the access user passes, the decryption information of the target data file is sent to the access user, specifically, the security domain B performs the cross-domain security authentication on the access user of the security domain a, and if the cross-domain security authentication of the access user in the security domain a passes, the security domain B sends the decryption information of the target data file to the access user of the security domain a, and the decryption information may indicate the access user of the security domain a to decrypt the encrypted data of the target data file.
According to the data sharing method provided by the embodiment of the application, the first security domain responds to a data access request of an access user and performs cross-domain security verification on the access user; if the cross-domain security verification of the access user passes, decryption information of a target data file is sent to the access user, and the decryption information is used to instruct the access user to decrypt the encrypted data of the target data file, so that the target data file is obtained. In the method, a first security domain responds to a data access request of an access user in a second security domain, and the first security domain and the second security domain are different security domains, so cross-domain sharing of data can be realized; in addition, the first security domain performs cross-domain verification on the data access request, so the security and the trustworthiness of the identity of the data sharer between different security domains are ensured; and only after the cross-domain security verification of the access user passes is the decryption information of the target data file sent to the access user, so that the access user can use the decryption information to decrypt and obtain the target data, which further secures the data sharing process. Finally, in the data sharing process, the target data file is encrypted when stored and decrypted with the decryption information when accessed, so that security in the data sharing process is realized and leakage of data privacy is effectively prevented.
Based on any one of the foregoing embodiments, in one embodiment, as shown in fig. 5, performing cross-domain security authentication on an access user includes the following steps:
S501, the first security domain acquires a cross-domain access credential and a data access request of an access user.
The cross-domain access credential is a credential that allows the access user to access data across domains and that proves the identity of the access user is trustworthy. The cross-domain alliance chain receives the data access request of the access user sent by the first security domain, and generates a cross-domain access credential according to the data access request of the access user.
Optionally, the first security domain acquires the cross-domain access credential and the data access request of the access user, where the cross-domain access credential is acquired by the first security domain directly from the cross-domain federation chain, and the cross-domain access credential of the access user is also transmitted to the first security domain by the cross-domain federation chain.
Please continue to refer to fig. 3 and 4.
In the scenario of fig. 3, the security domain a sends a data access request sent by an access user in the security domain B to the cross-domain federation chain, and the cross-domain federation chain generates a cross-domain access credential according to the data access request of the access user, and then sends the cross-domain access credential to the security domain a. In the scenario of fig. 4, the security domain B sends the data access request sent by the access user in the security domain a to the cross-domain federation chain, and the cross-domain federation chain generates a cross-domain access credential according to the data access request of the access user, and then sends the cross-domain access credential to the security domain B.
S502, if the cross-domain verification of the access user passes, the attribute private key of the access user is obtained.
The first security domain sends the received data access request of the access user to a cross-domain alliance chain, cross-domain authentication of the access user is carried out, the data access request of the access user is authenticated according to the data access request and a preset cross-domain authentication mode, and if the cross-domain authentication of the access user is passed, the first security domain can obtain an attribute private key of the access user.
In one embodiment, the preset cross-domain verification mode may be a preset neural network model, the data access request is used as an input of the neural network model, a cross-domain verification result is finally output after training of the neural network model, and if the cross-domain verification is passed, an attribute private key of the access user is also output.
In another embodiment, the preset cross-domain authentication mode may also be a preset authentication algorithm, the data access request is used as input data of the preset authentication algorithm, the authentication algorithm is called, and finally an authentication result is output, and if the cross-domain authentication is passed, the attribute private key of the access user is obtained according to a preset generation algorithm.
S503, if the attribute private key of the access user is matched with the shared ciphertext pre-configured in the first security domain, sending decryption information of the target data file to the access user; the decryption information at least includes: the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain.
The attribute private key of the access user obtained in the above embodiment is matched against the shared ciphertext preconfigured in the first security domain, and if the matching result is consistent with the preset result, the first security domain sends the decryption information of the target data file to the access user of the second security domain.
The decryption information at least comprises the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain. The first security domain can obtain the decryption information directly from a local alliance block chain in the first security domain; the local alliance block chain stores information such as the address of the data file, the hash value of the original data file, the hash value of the encrypted data file and the access control policy for the local resources stored on the shared cloud platform, and is maintained jointly by all nodes in the domain.
According to the embodiment, if the attribute private key of the access user is matched with the shared ciphertext pre-configured in the first security domain, the specific implementation manner of matching judgment is that the attribute private key of the access user and the shared ciphertext pre-configured in the first security domain are used as input of a matching algorithm, the matching algorithm is operated to finally obtain a matching result, the matching result is compared with the preset matching result, and if the matching result is consistent with the preset matching result, the attribute private key of the access user is determined to be matched with the shared ciphertext pre-configured in the first security domain.
In another embodiment, if the attribute private key of the access user is matched with the shared ciphertext pre-configured in the first security domain, the specific implementation manner of the matching judgment is to use the attribute private key of the access user and the shared ciphertext pre-configured in the first security domain as the input of the neural network model according to a pre-trained neural network model, and finally directly output the matching result by training the neural network model to determine whether the attribute private key of the access user is matched with the shared ciphertext pre-configured in the first security domain.
In the data sharing method provided by this embodiment, a first security domain acquires a cross-domain access credential and a data access request of an access user, acquires an attribute private key of the access user if cross-domain verification of the access user passes, and sends decryption information of a target data file to the access user if the attribute private key of the access user is matched with a shared ciphertext preconfigured in the first security domain; the decryption information at least includes: the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain. In the method, the access user can obtain the decryption information of the target data file, and the decryption information can be used for indicating the access user to decrypt the encrypted data of the target data file so as to obtain the target data file, so that the security in the data sharing process is realized, and the leakage of the data privacy is effectively prevented.
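The flow of S201/S202 and S501 to S503 can be made concrete with the following added example (my code, not the patent's own implementation). The page does not specify the attribute matching or the decryption algorithm, so this model assumes an AND policy over attribute sets for the shared ciphertext, an HMAC-SHA256 keystream as a stand-in symmetric cipher, and the class, function and identifier names (`FirstSecurityDomain`, `keystream_xor`, `report-42`, `pp-A-v1`) are all constructed. What it shows that the prose does not: the encryption key stays inside the first security domain unless both the cross-domain verification and the attribute match succeed, and the hash value carried in the decryption information lets the access user detect a tampered ciphertext before trusting the file.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributePrivateKey:
    """Attribute private key of an access user, modelled as an attribute set (assumption)."""
    user_id: str
    attributes: frozenset
    issuer: str  # cross-domain attribute authority that issued the key


@dataclass
class SharedCiphertext:
    """Pre-configured shared ciphertext: the encrypted file bound to an access policy."""
    file_id: str
    ciphertext: bytes
    policy: frozenset  # every listed attribute is required (AND policy, assumption)
    content_hash: str  # SHA-256 of the original file, as kept on the local chain


@dataclass
class DecryptionInfo:
    """The four items S503 names as the minimum decryption information."""
    encryption_key: bytes
    file_hash: str
    attribute_key: AttributePrivateKey
    public_param: str


def keystream_xor(key: bytes, data: bytes, public_param: str) -> bytes:
    """Stand-in for the page's unspecified 'preset decryption algorithm': XOR with an
    HMAC-SHA256 keystream bound to the public parameter. Symmetric, so the same call
    both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        msg = public_param.encode() + counter.to_bytes(8, "big")
        stream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FirstSecurityDomain:
    """Stores shared files encrypted and releases decryption info only after S501-S503 pass."""

    def __init__(self, name: str, public_param: str):
        self.name = name
        self.public_param = public_param
        self._keys = {}   # file_id -> encryption key; never leaves the domain unverified
        self.store = {}   # file_id -> SharedCiphertext

    def store_shared_file(self, file_id: str, plaintext: bytes, policy) -> None:
        """Data storage process: encrypt at rest and record the plaintext hash."""
        key = secrets.token_bytes(32)
        self._keys[file_id] = key
        ct = keystream_xor(key, plaintext, self.public_param)
        self.store[file_id] = SharedCiphertext(file_id, ct, frozenset(policy),
                                               hashlib.sha256(plaintext).hexdigest())

    @staticmethod
    def attribute_key_matches(attr_key: AttributePrivateKey, shared: SharedCiphertext) -> bool:
        """S503 matching step: the key must carry every attribute the policy requires."""
        return shared.policy <= attr_key.attributes

    def release_decryption_info(self, attr_key, file_id, cross_domain_verified: bool):
        """S502/S503: no decryption info unless cross-domain verification passed and the
        attribute private key matches the shared ciphertext."""
        if not cross_domain_verified:
            return None
        shared = self.store.get(file_id)
        if shared is None or not self.attribute_key_matches(attr_key, shared):
            return None
        return DecryptionInfo(self._keys[file_id], shared.content_hash, attr_key, self.public_param)


def access_user_decrypt(info: DecryptionInfo, shared: SharedCiphertext) -> bytes:
    """S202 on the access user's side: decrypt, then verify the hash before trusting the file."""
    plaintext = keystream_xor(info.encryption_key, shared.ciphertext, info.public_param)
    if hashlib.sha256(plaintext).hexdigest() != info.file_hash:
        raise ValueError("hash mismatch: wrong key or tampered ciphertext")
    return plaintext


def demo():
    """Constructed scenario: domain A shares a file with analysts of domain B."""
    domain_a = FirstSecurityDomain("A", public_param="pp-A-v1")
    sample = b"quarterly figures (constructed sample)"
    domain_a.store_shared_file("report-42", sample, policy={"domain:B", "role:analyst"})
    analyst = AttributePrivateKey("u-bob", frozenset({"domain:B", "role:analyst"}), "CDAA")
    guest = AttributePrivateKey("u-eve", frozenset({"domain:B", "role:guest"}), "CDAA")

    granted = domain_a.release_decryption_info(analyst, "report-42", True)
    denied = domain_a.release_decryption_info(guest, "report-42", True)        # policy not met
    unverified = domain_a.release_decryption_info(analyst, "report-42", False)  # S502 failed
    plaintext = access_user_decrypt(granted, domain_a.store["report-42"])

    # A modified ciphertext must be caught by the hash carried in the decryption info.
    s = domain_a.store["report-42"]
    flipped = bytes([s.ciphertext[0] ^ 0xFF]) + s.ciphertext[1:]
    tampered = SharedCiphertext(s.file_id, flipped, s.policy, s.content_hash)
    try:
        access_user_decrypt(granted, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return plaintext, denied, unverified, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The design point is the ordering: the key is looked up only after both checks, so a failed cross-domain verification or a non-matching attribute key never causes the domain to touch key material. A real deployment would replace the keystream stand-in with an authenticated cipher; the hash check here stands in for the integrity property the page attributes to the hash value in the decryption information.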
Based on the foregoing embodiment, the process by which the first security domain acquires the cross-domain access credential of the access user is described in detail below. In an embodiment, as shown in fig. 6, the first security domain acquires the cross-domain access credential and the data access request of the access user through the following steps:
S601, the identity authentication server of the first security domain performs identity authentication on the access user; after the identity authentication passes, the identity authentication server sends the data access request to the cross-domain alliance chain to instruct the cross-domain alliance chain to generate the cross-domain access credential and routing information of the access user, and sends the cross-domain access credential to the access user; the cross-domain access credential includes a cross-domain attribute and an access credential.
In the above embodiment, the first security domain responds to the data access request of the access user, and the identity authentication server of the first security domain responds to the data access request of the access user, and after receiving the data access request of the access user, the identity authentication server of the first security domain performs identity authentication on the access user, where the identity authentication is performed in a manner that the identity authentication server of the first security domain searches for identity information of the access user from the cross-domain federation chain, compares the identity information of the access user found from the cross-domain federation chain with the identity information in the received data access request of the access user, and if the identity information of the access user is consistent with the identity information in the data access request of the access user, it indicates that the identity authentication of the access user passes.
The identity authentication server of the first security domain performs identity authentication on the access user, and after the identity authentication passes, sends the data access request to the cross-domain alliance chain to instruct the cross-domain alliance chain to generate the cross-domain access credential and routing information of the access user; when all nodes of the cross-domain alliance chain reach consensus, a cross-domain smart contract is triggered, which generates an access credential; the cross-domain attribute and the access credential are then sent to the access user together as the cross-domain access credential.
In addition, after the nodes of the cross-domain alliance chain reach consensus, the cross-domain alliance chain also generates routing information, wherein the routing information is the routing information of the access control center in the first security domain.
Each security domain comprises a certificate authority, an identity authentication server and an access control center. The cross-domain alliance chain comprises the cross-domain attribute authority, and the identity authentication server and the access control center of each security domain are connected to the cross-domain alliance chain.
The cross-domain alliance chain, namely the cross-domain alliance block chain (Cross-domain Blockchain), is used for storing cross-domain access behavior data and the digital identity certificates and certificate authorization records of all domains; it is jointly maintained by the identity authentication service nodes and access control centers of all domains.
The Cross-domain Attribute Authority (CDAA) is responsible for assigning cross-domain attributes to cross-domain data visitors.
Authentication Server (AS): the identity authentication server is responsible for verifying the identity validity and security of nodes in the security domain. The AS also uploads the identity certificate authorization log of the security domain to the cross-domain alliance chain so that the identity server nodes of all domains can mutually verify each domain's identity certificates; after the verification passes, the verification result is returned to the Certificate Authority (CA) of the security domain, and a digital identity authentication certificate is issued through the CA. In addition, the AS uploads the hash values of the digital identity certificates of all nodes in the domain, the list of legitimate users and the certificate revocation list to the cross-domain shared block chain and the local block chain, for sharing with all members inside and outside the domain.
Access Control Center (ACC): responsible for access control of the data in the security domain, including in-domain data sharing access control among users of the security domain and access control of users outside the security domain accessing data in the security domain; it also uploads cross-domain access behavior to the cross-domain alliance chain for storage.
The users in each security domain include storage users and access users. The storage user represents the producer or owner of the data, and the access user represents a user who needs to access the data.
The specific reference of the first security domain and the second security domain may be different according to different access request objects in the data sharing process, as shown in fig. 7 and 8.
In the scenario shown in fig. 7, the first security domain refers to security domain A, the second security domain refers to security domain B, and the access user is an access user in security domain B. Specifically, the identity authentication server of the first security domain performs identity authentication on the access user in the second security domain; after the identity authentication passes, security domain A sends the data access request to the cross-domain alliance chain to instruct the cross-domain attribute authority in the cross-domain alliance chain to generate a cross-domain attribute of the access user, and also stores the data access request as a block chain transaction on the cross-domain block chain; the cross-domain block chain also generates an access credential and routing information of the access control center of security domain A according to a smart contract, and sends the cross-domain attribute and the access credential as a cross-domain access credential to the access user in security domain B.
In the scenario of fig. 8, the first security domain refers to security domain B, the second security domain refers to security domain A, and the access user is an access user in security domain A. Specifically, the identity authentication server of the first security domain performs identity authentication on the access user in the second security domain; after the identity authentication passes, security domain B sends the data access request to the cross-domain alliance chain to instruct the cross-domain attribute authority in the cross-domain alliance chain to generate a cross-domain attribute of the access user, and also stores the data access request as a block chain transaction on the cross-domain block chain; the cross-domain block chain also generates the access credential and routing information of the access control center of security domain B according to a smart contract, and sends the cross-domain attribute and the access credential as a cross-domain access credential to the access user in security domain A.
S602, an access control center of a first security domain receives a cross-domain access certificate and a data access request uploaded by an access user through a communication channel; the communication channel is established for the access user according to the routing information.
According to the routing information obtained by the embodiment, the access user establishes a communication channel with the first security domain, and then sends the cross-domain access certificate and the data access request to the access control center of the first security domain.
Please continue to refer to fig. 7 and 8.
In the scenario of fig. 7, an accessing user in the security domain B establishes a communication channel with an access control center in the security domain a, and then sends a cross-domain access credential and a data access request to the access control center in the security domain a. In the scenario of fig. 8, the accessing user in the security domain a establishes a communication channel with the access control center in the security domain B, and then sends the cross-domain access credential and the data access request to the access control center in the security domain B.
In the data sharing method provided by this embodiment, an identity authentication server of a first security domain performs identity authentication on an access user, and after the identity authentication is passed, a data access request is sent to a cross-domain federation chain to instruct the cross-domain federation chain to generate a cross-domain access credential and routing information of the access user, and the cross-domain access credential is sent to the access user, and an access control center of the first security domain receives the cross-domain access credential and the data access request uploaded by the access user through a communication channel; the communication channel is established for the access user according to the routing information. According to the method, a cross-domain access certificate of an access user is generated according to a cross-domain alliance chain, and then the cross-domain access certificate and a data access request are sent to an access control center of a first security domain, so that trusted sharing in a data sharing process is realized, the security of data sharing is improved, and data leakage in the data sharing process is prevented; the cross-domain alliance chain stores the data access request as a block chain transaction, and tracking and tracing in the data sharing process are achieved.
Based on the foregoing embodiments, in one embodiment, as shown in fig. 9, before obtaining the attribute private key of the access user, the method further includes the following steps:
S901, according to the data access request of the access user, the access control center of the first security domain searches the cross-domain federation chain for the pre-stored cross-domain access credential of the access user.
The pre-stored cross-domain access credential of the access user is the cross-domain access credential generated by the cross-domain federation chain in the above embodiment, after the identity authentication server of the first security domain has passed the identity authentication of the access user and sent the data access request of the access user to the cross-domain federation chain.
The access control center of the first security domain searches the cross-domain federation chain for the pre-stored cross-domain access credential of the access user according to the data access request of the access user. In an embodiment, the search may be performed by the access control center of the first security domain through a preconfigured search algorithm: the data access request of the access user is used as the input of the search algorithm, and running the algorithm yields the pre-stored cross-domain access credential of the access user.
Please continue to refer to fig. 7 and 8.
The access control center of the first security domain searches the cross-domain federation chain for the pre-stored cross-domain access credential of the access user: in the scenario of fig. 7, the access control center of security domain A performs this search; in the scenario of fig. 8, the access control center of security domain B does.
S902, comparing the pre-stored cross-domain access credential with the cross-domain access credential of the access user acquired by the first security domain.
The cross-domain access credential of the access user acquired by the first security domain is the cross-domain access credential transmitted by the access user through the communication channel and received by the access control center of the first security domain in the above embodiment.
Optionally, the comparison may be performed by directly comparing the pre-stored cross-domain access credential with the cross-domain access credential of the access user acquired by the first security domain and determining whether the two values are completely consistent.
S903, if the comparison result is consistent, determining that the cross-domain verification of the access user has passed.
If the pre-stored cross-domain access credential is consistent with the cross-domain access credential of the access user acquired by the first security domain, the cross-domain access credential of the access user is authentic, and it can be determined that the cross-domain verification of the access user has passed.
In summary, according to the data access request of the access user, the access control center of the first security domain searches the cross-domain federation chain for the pre-stored cross-domain access credential of the access user, compares it with the cross-domain access credential of the access user acquired by the first security domain, and determines that the cross-domain verification of the access user has passed if the comparison result is consistent. Verifying the cross-domain access credential of the access user in this way establishes that the credential is trustworthy, which realizes credibility in the data sharing process.
Based on the foregoing embodiments, in one embodiment, as shown in fig. 10, obtaining the attribute private key of the access user comprises the following steps:
S1001, the key management center of the first security domain acquires the cross-domain attributes of the access user.
The key management center (KMC) is responsible for generating the public key and the master key of the data access control policy, and a hardware-based security mechanism is adopted to ensure the security of the key management center.
In this embodiment, after the pre-stored cross-domain access credential has been compared with the cross-domain access credential of the access user acquired by the first security domain and the cross-domain verification of the access user has been determined to pass, the key management center of the first security domain acquires the cross-domain attributes of the access user. The cross-domain access credential includes the cross-domain attributes and an access credential.
In an embodiment, the key management center of the first security domain may acquire the attributes by sending a request to the access control center of the first security domain, so that the key management center obtains the cross-domain attributes of the access user directly from the access control center of the first security domain.
In another embodiment, once the access control center of the first security domain has established that the cross-domain verification of the access user passed, it may directly send the cross-domain attributes of the access user to the key management center of the first security domain.
S1002, the key management center of the first security domain generates the attribute private key of the access user according to the cross-domain attributes of the access user and the master key preset by the first security domain.
The master key is used to generate the private key and so protects the security of the data in transit.
In an embodiment, the attribute private key of the access user may be generated by using a key generation algorithm, the cross-domain attribute of the access user and a master key preset in the first security domain are used as inputs of the key generation algorithm, and the attribute private key of the access user is finally output by operating the key generation algorithm.
In another embodiment, the manner of generating the attribute private key of the access user may also be a manner of using a pre-trained neural network model, taking the cross-domain attribute of the access user and a master key preset by the first security domain as inputs of the neural network model, and outputting the attribute private key of the access user after training of the neural network model.
In the data sharing method provided in this embodiment, the key management center of the first security domain acquires the cross-domain attributes of the access user and generates the attribute private key of the access user according to those attributes and the master key preset in the first security domain. Because the attribute private key of the access user is generated from the cross-domain attributes of the access user, the security of the data in the sharing process is ensured and leakage of data privacy is effectively prevented.
Based on the foregoing embodiments, in an embodiment, as shown in fig. 11, this embodiment relates to the specific process in which the access control center of the first security domain generates a search keyword trapdoor according to the attribute private key of the access user and the search keyword, matches the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain, and, if the matching result meets a preset condition, determines the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain. This embodiment comprises the following steps:
S1101, the access control center of the first security domain generates the search keyword trapdoor according to the attribute private key of the access user and the search keyword.
The search keyword trapdoor is generated from the attribute private key of the access user and the search keyword; the search keyword is the keyword of the data that the access user needs to access in the first security domain.
In an embodiment, the search keyword trapdoor may be generated with a keyword trapdoor generation algorithm (Trapdoor algorithm): the attribute private key of the access user and the search keyword are used as the input of the algorithm, and running the algorithm yields the search keyword trapdoor.
S1102, the access control center of the first security domain matches the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain.
The shared ciphertext in the first security domain consists of the preset public parameter of the first security domain and the keyword ciphertext of the first security domain.
In one embodiment, the search keyword is matched with a keyword matching algorithm: the search keyword trapdoor and the shared ciphertext in the first security domain are used as the input of the algorithm, and running the algorithm yields the matching result.
S1103, if the matching result meets the preset condition, determining the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain.
In an embodiment, the matching result is 0 or 1 and the preset condition is that the result equals 1; if the matching result is 1, the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain are determined.
In the data sharing method provided by this embodiment, the access control center of the first security domain generates the search keyword trapdoor according to the attribute private key of the access user and the search keyword, matches the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain, and determines the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain if the matching result meets the preset condition. Because the trapdoor is derived from the search keyword, the matching result is obtained from the shared ciphertext of the first security domain and the trapdoor, and the attribute private key of the access user and the shared ciphertext of the target data file are determined only when the matching result meets the preset condition, trusted sharing in the data sharing process is realized, the security of data sharing is improved, and data leakage in the data sharing process is prevented.
Based on the foregoing embodiments, in one embodiment, the process by which the access user accesses the encrypted data of the target data file includes: when the hash value of the target data file is consistent with the hash value pre-stored in the local federation chain of the first security domain, the access user decrypts the encrypted data file of the target data file with the decrypted encryption key to obtain the target data file; the decrypted encryption key is determined by the access user according to the public parameter of the first security domain, the attribute private key and the encryption key.
In an embodiment, the encrypted data file of the target data file is obtained in such a manner that the access user provides the access credential and the hash value of the target data file to the shared cloud platform of the first security domain, and after receiving the access credential and the hash value of the target data file, the shared cloud platform sends the encrypted data file of the target data file to the access user.
In this embodiment, if the attribute private key of the access user matches the shared ciphertext pre-configured in the first security domain, decryption information for the target data file is sent to the access user; the decryption information at least includes the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain. The hash value obtained by the access user in this way is the hash value of the target data file.
The hash value pre-stored in the local federation chain of the first security domain is the hash value of the target data file that was recorded in the local federation chain when the target data file was stored.
The hash value of the target data file is compared with the hash value pre-stored in the local federation chain of the first security domain, and if the two are consistent, the access user decrypts the encrypted data file of the target data file with the decrypted encryption key to obtain the target data file.
According to one embodiment, the access user decrypts the encrypted data file of the target data file according to the decrypted encryption key to obtain the target data file, wherein the decryption mode can be a mode according to a pre-trained neural network model, the decrypted encryption key and the encrypted data file of the target data file are used as the input of the neural network model, and the target data file is finally output after the training of the neural network model.
Optionally, the decrypted encryption key is determined by the access user according to the public parameter of the first security domain, the attribute private key and the encryption key: these three values are used as the input data of a decryption algorithm, and running the decryption algorithm yields the decrypted encryption key.
Based on the foregoing embodiments, in one embodiment, storing the target data file in the first security domain comprises: the first security domain responds to a data storage request and stores the encrypted data carried in the data storage request; the encrypted data is generated by the storage user from the data file to be stored.
That is, the storage user generates the encrypted data from the data file to be stored, then sends a data storage request to the first security domain, which stores the encrypted data carried in the request.
In one embodiment, the encrypted data is generated by the storage user according to the data file to be stored, and the generation mode may be that a pre-configured program is used, the data to be stored is used as the input of the program, the program is called, and the encrypted data is finally output.
Optionally, the encrypted data is stored, and the encrypted data may be directly stored in a local blockchain of the first security domain.
Please continue to refer to fig. 7 and 8.
In the scenario of fig. 7, a storage user in the security domain a generates encrypted data from a data file to be stored, and stores the encrypted data in the security domain a; in the scenario of fig. 8, it is the storage user in the security domain B that generates encrypted data from the data file to be stored, and stores the encrypted data in the security domain B.
Based on the foregoing embodiments, in one embodiment, as shown in fig. 12, the encrypted data at least includes an access structure of a data file to be stored, a keyword ciphertext, an encrypted data file, a hash value of the encrypted data file, and signature information of a storage user; the encrypted data is obtained by the storage user through encryption operation; wherein the encryption operation comprises the steps of:
S1201, generating a file keyword and an access structure according to the data file to be stored.
The file keyword is generated from the file to be stored, and the file can later be searched for by this keyword; the access structure is the access control policy structure used for access control of the file, and ensures that the file to be stored is not accessed or used without authorization.
Optionally, the file keywords may be obtained by using an extraction algorithm according to the file to be stored; the access structure can be obtained by a decision tree method according to the file to be stored.
S1202, obtaining a keyword ciphertext according to the public parameter of the first security domain, the file keyword and the access structure.
In an embodiment, the keyword ciphertext may be obtained with a keyword ciphertext generation algorithm: the public parameter of the first security domain, the file keyword and the access structure are used as the input of the algorithm, and running the algorithm yields the keyword ciphertext.
Optionally, according to system parameters of a key management center of the first security domain, the public parameters and the master key may be generated through an initialization algorithm; the system parameters may be set randomly or given a value directly. And the public parameters can be sent to the local alliance chain of the first security domain in a broadcasting mode, and the master key is stored in the key management center of the first security domain.
S1203, generating an encrypted data file and the hash value of the encrypted data file according to the data file to be stored and a preset key.
The preset key is a pre-configured key used to encrypt the data file to be stored.
The encrypted data file and its hash value may be generated with an encryption algorithm: the data file to be stored is the data to be encrypted and the preset key is the key of the encryption algorithm, so that running the encryption algorithm yields the encrypted data file, from which the hash value of the encrypted data file is obtained.
The hash value of the encrypted data file is used to detect whether the stored data file has been modified.
S1204, obtaining an encryption key according to the preset key, the public parameter and the access structure.
In an embodiment, the encryption key may be obtained with an encryption algorithm: the preset key, the public parameter and the access structure are used as the input of the encryption algorithm, and calling the encryption algorithm yields the encryption key. In practical applications, the encryption algorithm is not limited in the embodiments of the present application.
Encrypting the preset key in this way ensures the security and privacy of the stored file.
In the data sharing method provided by the embodiment of the application, the file keyword and the access structure are generated from the data file to be stored, the keyword ciphertext is obtained from the public parameter of the first security domain, the file keyword and the access structure, the encrypted data file and its hash value are generated from the data file to be stored and the preset key, and the encryption key is obtained from the preset key, the public parameter and the access structure. Because the file keyword, the access structure, the encrypted data file, the hash value of the encrypted data file and the encryption key are all generated from the file to be stored, the security and privacy of the data in the sharing process are improved.
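The following Go program is an added illustration and is not part of the present application or its embodiments. It carries the keyword search of S1101 to S1103, the storage steps S1202 and S1203, and the hash comparison before decryption described above through in working code: a keyword ciphertext built at storage time, a trapdoor that matches it with result 1 or 0, and an encrypted file that is decrypted only after its hash agrees with the value recorded on the chain. It assumes that the pairing-based attribute scheme is replaced by a search key shared between the storage user and the access control center (standing in for the attribute private key), that the preset key is an AES-256 key the access user has already recovered, and that all keys, keywords and file contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeywordCipher is one keyword ciphertext C: a fresh nonce plus a recomputable tag.
type KeywordCipher struct {
	Nonce []byte
	Tag   []byte
}

// Trapdoor stands in for the trapdoor generation algorithm: an HMAC over the search
// keyword under a search key (assumed; the real scheme uses the attribute private key).
func Trapdoor(searchKey []byte, keyword string) []byte {
	m := hmac.New(sha256.New, searchKey)
	m.Write([]byte(keyword))
	return m.Sum(nil)
}

func tagFor(nonce, trapdoor []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), trapdoor...))
	return h[:]
}

// KeywordCiphertext builds C for one file keyword KW at storage time; the fresh
// nonce makes two ciphertexts of the same keyword differ.
func KeywordCiphertext(searchKey []byte, keyword string) (KeywordCipher, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return KeywordCipher{}, err
	}
	return KeywordCipher{nonce, tagFor(nonce, Trapdoor(searchKey, keyword))}, nil
}

// Match is the keyword matching algorithm: 1 if the trapdoor fits C, else 0,
// which is the "matching result" compared with the preset condition.
func Match(trapdoor []byte, c KeywordCipher) int {
	return subtle.ConstantTimeCompare(tagFor(c.Nonce, trapdoor), c.Tag)
}

func newGCM(fileKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile produces Encfile (AES-256-GCM under the preset symmetric key, nonce
// prepended) and HashEncfile, the SHA-256 of Encfile recorded on the local chain.
func EncryptFile(fileKey, plaintext []byte) ([]byte, string, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	encfile := gcm.Seal(nonce, nonce, plaintext, nil)
	h := sha256.Sum256(encfile)
	return encfile, hex.EncodeToString(h[:]), nil
}

// VerifyAndDecrypt is the access user's last step: compare the hash of the Encfile
// fetched from the cloud platform with the hash on the chain; decrypt only on a match.
func VerifyAndDecrypt(fileKey, encfile []byte, hashOnChain string) ([]byte, error) {
	if h := sha256.Sum256(encfile); hex.EncodeToString(h[:]) != hashOnChain {
		return nil, errors.New("Encfile hash does not match the chain record")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(encfile) < ns {
		return nil, errors.New("Encfile too short")
	}
	return gcm.Open(nil, encfile[:ns], encfile[ns:], nil)
}

func main() {
	searchKey := []byte("constructed search key")           // stands in for the attribute private key
	fileKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte preset key
	c, _ := KeywordCiphertext(searchKey, "grid-load-2023")
	enc, hash, _ := EncryptFile(fileKey, []byte("constructed target data file"))
	plain, err := VerifyAndDecrypt(fileKey, enc, hash)
	fmt.Printf("match=%d plaintext=%q err=%v\n", Match(Trapdoor(searchKey, "grid-load-2023"), c), plain, err)
}
```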
Based on the foregoing embodiments, in one embodiment, as shown in fig. 13, the storing the encrypted data carried in the data storage request includes the following steps:
S1301, the first security domain sends the encrypted data file to the shared cloud platform of the first security domain for storage, and sends the encrypted data to the local federation chain of the first security domain in a preset format.
The local federation chain, also called the local federation blockchain (BC), stores information such as the address of the data file, the hash value of the original data file, the hash value of the encrypted data file and the access control policy for the local resources stored in the shared cloud platform, and is jointly maintained by all nodes in the domain.
In an embodiment, the first security domain sends the encrypted data file obtained in the above embodiment to the shared cloud platform of the first security domain, and the sending mode may be through a post method.
In another embodiment, the first security domain sends the encrypted data file obtained in the above embodiment to the shared cloud platform of the first security domain, and the sending mode may be by a get method.
The access structure of the data file to be stored, the keyword ciphertext, the encrypted data file, the hash value of the encrypted data file and the signature information of the storage user are taken as the encrypted data and sent to the local federation chain of the first security domain in a preset format; optionally, they may be sent by broadcasting.
The signature information of the storage user is the digital signature of the storage user within the security domain and serves as valid proof of the authenticity of the encrypted data.
Optionally, the preset format may be a chain storage format or an index storage format, and in practical application, the preset format is not limited in the embodiment of the present application.
S1302, after the smart contract is triggered, the federation chain of the first security domain stores the encrypted data file to the local federation chain of the first security domain.
In an embodiment, once the first security domain has sent the encrypted data file to the shared cloud platform of the first security domain for storage and has sent the encrypted data to the local federation chain of the first security domain in the preset format, a smart contract is triggered. The smart contract may be a data on-chaining smart contract: after it observes the message about the encrypted data file, it stores the encrypted data file in the federation chain of the first security domain in the form of a blockchain transaction record, and the transaction record is encoded in JavaScript Object Notation (JSON) format.
Data on-chaining means that the data is packed into a block, which becomes a new block through the consensus mechanism and is linked to the previous block, so that the data on the chain cannot be tampered with.
All historical data on the local federation chain can be traced and queried, which guarantees the integrity of the data.
In the data sharing method provided by this embodiment, the first security domain sends the encrypted data file to the shared cloud platform of the first security domain for storage and sends the encrypted data to the local federation chain of the first security domain in the preset format; after the smart contract is triggered, the federation chain of the first security domain stores the encrypted data file to the local federation chain of the first security domain. Because the encrypted data file is stored in the shared cloud platform, the encrypted data is stored in the local federation chain, and, after the smart contract is triggered, the encrypted data file is stored in the local federation chain as a blockchain transaction record, the security and privacy of the data in the sharing process are improved and the data can be tracked and traced during sharing.
In one embodiment, as shown in fig. 14, fig. 14 is a system model diagram. In fig. 14, a security domain is a region managed by one CA: for example, the region made up of the southern power grid is one security domain, and the region made up of departments of other government agencies is another, and they have different root CAs. The nodes of the cross-domain federation blockchain are the identity authentication servers and access control centers of all security domains; together they maintain the consistency consensus of the cross-domain federation blockchain, and identity trust consensus is transmitted across domains through the federation chain. Access behavior information is uploaded to and stored on the different blockchains; these nodes are both blockchain network nodes within their respective security domains and cross-domain nodes.
A federation chain is established in each security domain, and authority nodes with a higher security level and strong computing and storage capacity, such as the identity authentication servers and access control servers of each security domain, serve as cross-domain nodes that form the cross-domain federation chain. The members of the cross-domain federation chain jointly maintain the complete record of cross-domain access and jointly authenticate the identity of cross-domain visitors, which avoids fraud in centralized identity authentication; each cross-domain access is stored in the federation chain as a blockchain transaction, which strengthens the confirmation of data access rights and data usage rights and makes the data usage rights traceable throughout the data sharing process.
The identity authentication server of each security domain joins the cross-domain federation chain, which makes inter-domain identity authentication credible and its authorization publicly verifiable, and so establishes the identity credibility of data owners and data visitors across domains during data sharing. The access control center of the accessed domain then makes a ciphertext-policy attribute-based encryption access control decision for the cross-domain node that has passed identity authentication, and judges whether the visitor has permission to operate on the data.
In one embodiment, fine-grained access control over the shared data is performed with ciphertext-policy attribute-based searchable encryption; the access control process is executed automatically by a blockchain smart contract, which keeps the access process credible and avoids the vulnerability of centralized access control to attack; and each sharing of the data records the transfer of its usage rights on the blockchain, so that the full flow of data usage rights is traceable and the rights of each party are clear.
As shown in fig. 15, in one embodiment, a data sharing method is also provided. As shown in fig. 16, fig. 16 shows the data storage process, which includes the following S1501 to S1505. The embodiment comprises the following steps:
S1501, a system parameter is set in the key management center of domain A, and the system public parameter and the master key are generated through an initialization algorithm.
S1502, the system public parameter and the master key are stored in the key management center, and the system public parameter is broadcast to the federation chain of domain A.
S1503, the data owner of domain A selects a file to be shared and encrypts it to obtain an encrypted data file and encrypted data;
the encrypted data comprises the file keyword KW, the access structure T, the keyword ciphertext C, the hash value HashEncfile of the encrypted file and the encryption key Enckey; the encryption process is as follows:
extracting a file keyword KW by a data owner of each security domain;
setting an access structure for file access control;
determining a keyword ciphertext C by using a keyword ciphertext generation algorithm according to the file keyword KW, the system public parameter pub and the access structure;
obtaining an encrypted data file Encfile and a hash value HashEncfile of the encrypted file according to the file and the symmetric key;
and determining an encryption key Enckey according to the symmetric key, the system public parameter pub and the access structure T.
S1504, the data owner of domain A uploads the encrypted data file to the shared cloud platform of domain A, and broadcasts the encrypted data and the digital signature of the data owner within domain A in a preset format;
the preset format consists of the access structure T, the keyword ciphertext C, the hash value HashEncfile of the encrypted file and the encryption key Enckey, together with the digital signature.
S1505, after S1-S3 are completed, the data on-chaining smart contract is triggered, and once the smart contract has observed all messages related to the encrypted data file on the chain, it automatically generates a blockchain transaction record and stores it in the local federation chain.
S1506, the data visitor sends a data sharing request to the identity authentication server of domain A.
The data sharing request comprises a digital identity certificate of a domain B, a user identity, a digital signature, a security domain needing to be accessed and an attribute set;
S1507, the identity authentication server of domain A receives the data sharing request and obtains the cross-domain access credential and the cross-domain routing information according to the data sharing request.
After receiving the data sharing request, the identity authentication server of domain A performs identity authentication on the data visitor. After the authentication passes, the shared request data is forwarded to the cross-domain federation chain; after the consensus nodes of the cross-domain federation chain reach consensus, the cross-domain attribute authorization mechanism of the cross-domain federation chain assigns cross-domain attributes to the data visitor according to the user identity information of the access domain, the data sharing request information of domain B is stored in the cross-domain federation chain as a blockchain transaction, a cross-domain smart contract is triggered to generate the cross-domain access credential, and the routing information of the access control center of the accessed domain is returned. The cross-domain access credential includes the cross-domain attributes.
S1508, after obtaining the cross-domain access credential and the cross-domain routing information, the data visitor establishes a communication connection with the access control center of domain A and sends the cross-domain access credential and the data sharing request message to the access control center of domain A.
S1509, after receiving the data access request information, the access control center of domain A performs cross-domain verification of the data visitor on the cross-domain federation chain; if the identity is not credible, it returns a rejection message, and if the compared identities are authentic, it proceeds to step S1510.
S1510, after receiving the verification-passed information, the access control center of domain A sends the cross-domain attributes of the data visitor to the key management center; the key management center generates the attribute private key of the data visitor with the key generation algorithm and returns it to the access control center of domain A.
S1511, after the access control center of domain A receives the attribute private key of the data visitor, it generates the search keyword trapdoor with the keyword trapdoor generation algorithm.
S1512, the access control center of domain A performs keyword matching against each keyword ciphertext shared on the local federation chain of domain A; if the matching result is 1, the encryption key bound to that keyword ciphertext, the hash value of the bound target encrypted file and the shared cloud server address are returned, and the attribute private key and the system public parameter are sent to the data visitor.
S1513, after receiving the encryption key, the data visitor decrypts the encryption key by using the decryption algorithm to obtain the decrypted key.
And S1514, the data accessor provides the access certificate and the hash value of the target encrypted file to the domain A shared cloud platform, the shared cloud platform provides encrypted data after receiving the access certificate and the hash value of the target encrypted file, the data accessor compares the hash value of the encrypted data with the hash value sent by the access control center, and if the comparison is consistent, the data accessor decrypts the encrypted data by using the decrypted key to obtain a plaintext.
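The following Python program is added here as an illustration of steps S1509 to S1514 and of the storage-side steps (keyword ciphertext, encrypted file, hash and encryption key bound together); it is not part of the application's embodiments. The cross-domain alliance chain, the local alliance chain and the shared cloud platform are constructed in-memory fixtures, and the attribute-based encryption, keyword trapdoor and symmetric cipher are standard-library PRF stand-ins (labelled in the code), not the algorithms the application refers to.

```python
import hashlib
import hmac
import os

# Constructed fixtures stand in for the cross-domain alliance chain (credential
# records), the local alliance chain (keyword-ciphertext records) and the shared
# cloud platform of domain A. This is illustrative code, not the patent's own.
MASTER_KEY = b"domain-A-master-key (constructed)"

def attribute_private_key(attrs) -> bytes:
    """S1510 stand-in: PRF of the sorted cross-domain attribute set under the domain
    master key (a real deployment would run an ABE key-generation algorithm here)."""
    return hmac.new(MASTER_KEY, ",".join(sorted(attrs)).encode(), hashlib.sha256).digest()

def xor_wrap(key: bytes, attr_sk: bytes) -> bytes:
    """Stand-in for ABE-encrypting the file key under an access structure: wrapping
    and unwrapping are the same XOR with a pad derived from the attribute private key."""
    pad = hmac.new(attr_sk, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def keyword_tag(keyword: str) -> bytes:
    """Stand-in for the keyword ciphertext and search trapdoor (S1511/S1512): both
    sides derive the same PRF tag, so the match is an equality test."""
    return hmac.new(MASTER_KEY, keyword.encode(), hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (HMAC-SHA256 keystream in counter mode) so the block
    runs on the standard library alone; encrypt and decrypt are the same operation."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def store_file(plaintext: bytes, keywords, access_attrs, cloud: dict, ledger: list):
    """Storage side: encrypt, hash the ciphertext, upload, then publish one keyword
    ciphertext per keyword bound to the wrapped key, the hash and the cloud address."""
    file_key, nonce = os.urandom(32), os.urandom(12)
    blob = nonce + stream_xor(file_key, nonce, plaintext)
    digest = hashlib.sha256(blob).hexdigest()
    address = "cloud-a://objects/" + digest[:16]  # constructed address scheme
    cloud[address] = blob
    enc_key = xor_wrap(file_key, attribute_private_key(access_attrs))
    for kw in keywords:
        ledger.append({"kw_ct": keyword_tag(kw), "enc_key": enc_key,
                       "file_hash": digest, "address": address})

def acc_handle_request(user_id, presented_cred, attrs, keyword, chain: dict, ledger: list):
    """Access control center of domain A, steps S1509 to S1512."""
    stored = chain.get(user_id)  # credential the alliance chain recorded for this user
    if stored is None or not hmac.compare_digest(stored, presented_cred):
        return None  # reject message: identity not credible
    trapdoor = keyword_tag(keyword)
    for rec in ledger:
        if hmac.compare_digest(rec["kw_ct"], trapdoor):  # "matching result is 1"
            return {"enc_key": rec["enc_key"], "file_hash": rec["file_hash"],
                    "address": rec["address"], "attr_sk": attribute_private_key(attrs)}
    return None  # credential fine, but no shared ciphertext matches the keyword

def visitor_retrieve(grant: dict, cloud: dict) -> bytes:
    """Steps S1513/S1514: refuse to decrypt unless the fetched ciphertext hashes to
    the value the access control center sent; only then unwrap the key and decrypt."""
    blob = cloud[grant["address"]]
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), grant["file_hash"]):
        raise ValueError("ciphertext hash mismatch: object altered or substituted")
    file_key = xor_wrap(grant["enc_key"], grant["attr_sk"])
    return stream_xor(file_key, blob[:12], blob[12:])

def demo(tamper_cloud: bool = False, attrs=("dept:research", "level:2")) -> bytes:
    """End-to-end run on constructed data; returns what the visitor recovers."""
    cloud, ledger = {}, []
    chain = {"user-b-42": b"cred-issued-by-alliance-chain"}  # constructed record
    store_file(b"quarterly yield data", ["yield", "q3"],
               ("dept:research", "level:2"), cloud, ledger)
    grant = acc_handle_request("user-b-42", b"cred-issued-by-alliance-chain",
                               attrs, "yield", chain, ledger)
    if tamper_cloud:  # the cloud platform serves a modified object
        blob = cloud[grant["address"]]
        cloud[grant["address"]] = blob[:-1] + bytes([blob[-1] ^ 1])
    return visitor_retrieve(grant, cloud)
```

A visitor whose attribute set differs from the access structure still receives a grant, but unwraps a wrong file key and recovers nothing useful, while a modified cloud object is rejected before any key material is used.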
The implementation principle and technical effect of each step in the data sharing method provided in this embodiment are similar to those in the previous embodiments of the data sharing method, and are not described herein again.
It should be understood that, although the respective steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, the steps are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order in which these sub-steps or stages are performed is not necessarily sequential; they may be performed alternately or in turns with other steps, or with at least some of the sub-steps or stages of other steps.
In addition, an embodiment of the present application further provides a data sharing apparatus. As shown in fig. 17, in an embodiment the data sharing apparatus 1700 includes a response module 1701 and a decryption module 1702, wherein:
the response module 1701 is configured to perform cross-domain security verification on an access user in response to a data access request of the access user; the data access request is used for requesting access to a target data file stored in the first security domain; the access user is a user in the second security domain; the first security domain and the second security domain are different security domains;
the decryption module 1702 is configured to send decryption information of the target data file to the access user if the cross-domain security verification of the access user passes; the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file.
In one embodiment, the response module 1701 includes:
a first acquisition unit, configured to acquire a cross-domain access credential and a data access request of the access user;
a second acquisition unit, configured to acquire the attribute private key of the access user after the cross-domain verification of the access user passes;
a decryption unit, configured to send decryption information of the target data file to the access user if the attribute private key of the access user matches the shared ciphertext of the target data file preconfigured in the first security domain; the decryption information at least includes: the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain.
In one embodiment, the first obtaining unit includes:
an authentication subunit, configured to perform identity authentication on the access user, send the data access request to the cross-domain alliance chain after the identity authentication passes so as to instruct the cross-domain alliance chain to generate a cross-domain access credential and routing information for the access user, and send the cross-domain access credential to the access user; the cross-domain access credential comprises a cross-domain attribute and an access credential;
a receiving subunit, configured to receive the cross-domain access credential and the data access request uploaded by the access user through a communication channel; the communication channel is established by the access user according to the routing information.
In one embodiment, the apparatus further comprises:
the search module is used for searching a pre-stored cross-domain access certificate of the access user in a cross-domain alliance chain by the access control center of the first security domain according to the data access request of the access user;
the comparison module is used for comparing the pre-stored cross-domain access certificate with the cross-domain access certificate of the access user acquired by the first security domain;
and the verification module is used for determining that the cross-domain verification of the access user passes if the comparison result is consistent.
In one embodiment, the second obtaining unit includes:
the acquiring subunit is used for acquiring the cross-domain attribute of the access user;
and the generating subunit is used for generating an attribute private key of the access user according to the cross-domain attribute of the access user and a preset master key of the first security domain.
In one embodiment, the apparatus further comprises:
the generating module is used for generating a search keyword trapdoor according to the attribute private key and the search keywords of the access user;
the matching module is used for matching the search keywords according to the search keyword trapdoor and the shared ciphertext in the first security domain;
and the determining module is used for determining the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain if the matching result meets the preset condition.
In one embodiment, decryption module 1702 includes:
the processing unit is used for decrypting the encrypted data file of the target data file according to the decrypted encryption key to obtain the target data file when the hash value of the target data file is consistent with the hash value prestored in the local alliance chain in the first security domain; the decrypted encryption key is determined by the access user according to the public parameter, the attribute private key and the encryption key of the first security domain.
In one embodiment, the apparatus further comprises:
the storage module is used for responding to the data storage request by the first security domain and storing the encrypted data carried in the data storage request; the encrypted data is generated by the storage user according to the data file to be stored.
In one embodiment, the apparatus further comprises:
the first generation module is used for generating file keywords and an access structure according to the data file to be stored;
the first processing module is used for obtaining a keyword ciphertext according to the public parameter of the first security domain, the file keyword and the access structure;
the second generation module is used for generating the encrypted data file and the hash value of the encrypted data file according to the data file to be stored and a preset secret key;
and the second processing module is used for obtaining the encryption key according to the preset key, the public parameter and the access structure.
In one embodiment, the storage module comprises:
a first storage unit, configured to send the encrypted data file to the shared cloud platform of the first security domain for storage, and to send the encrypted data to the local alliance chain of the first security domain in a preset format;
and a second storage unit, configured to store the encrypted data file to the local alliance chain of the first security domain after the smart contract is triggered.
For specific definitions of the data sharing apparatus, reference may be made to the above definitions of the data sharing method, which are not repeated here. The modules in the data sharing apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call them and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and whose internal structure may be as shown in fig. 18. The computer device includes a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless communication may be realized through Wi-Fi, an operator network, NFC (near field communication) or other technologies. The computer program is executed by the processor to implement a data sharing method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse, and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 18 is merely a block diagram of some of the structures related to the solution of the present application and does not limit the computer devices to which the solution applies; a particular computer device may include more or fewer components than shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
responding to a data access request of an access user, and performing cross-domain security verification on the access user; the data access request is used for requesting to access a target data file stored in the first security domain; the access user is a user in the second security domain; the first security domain and the second security domain are different security domains;
if the cross-domain security verification of the access user passes, sending decryption information of the target data file to the access user; the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file.
In one embodiment, the processor, when executing the computer program, performs the steps of:
acquiring a cross-domain access certificate and a data access request of an access user;
after the cross-domain verification of the access user passes, acquiring an attribute private key of the access user;
if the attribute private key of the access user is matched with the shared ciphertext pre-configured in the first security domain, sending decryption information of the target data file to the access user; the decryption information at least includes: the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain.
In one embodiment, the processor, when executing the computer program, performs the steps of:
performing identity authentication on the access user, sending the data access request to the cross-domain alliance chain after the identity authentication passes so as to instruct the cross-domain alliance chain to generate a cross-domain access credential and routing information for the access user, and sending the cross-domain access credential to the access user; the cross-domain access credential comprises a cross-domain attribute and an access credential;
receiving the cross-domain access credential and the data access request uploaded by the access user through a communication channel; the communication channel is established by the access user according to the routing information.
In one embodiment, the processor, when executing the computer program, performs the steps of:
according to a data access request of an access user, an access control center of a first security domain searches a pre-stored cross-domain access certificate of the access user in a cross-domain alliance chain;
comparing the pre-stored cross-domain access credential with the cross-domain access credential of the access user acquired by the first security domain;
and if the comparison result is consistent, determining that the cross-domain verification of the access user is passed.
In one embodiment, the processor, when executing the computer program, performs the steps of:
acquiring cross-domain attributes of access users;
and generating an attribute private key of the access user according to the cross-domain attribute of the access user and a master key preset by the first security domain.
In one embodiment, the processor, when executing the computer program, performs the steps of:
generating a search keyword trapdoor according to the attribute private key and the search keyword of the access user;
matching the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain;
and if the matching result meets the preset condition, determining the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain.
In one embodiment, the processor, when executing the computer program, performs the steps of:
when the hash value of the target data file is consistent with the hash value prestored in the local alliance chain in the first security domain, decrypting the encrypted data file of the target data file according to the decrypted encryption key to obtain the target data file; the decrypted encryption key is determined by the access user according to the public parameter, the attribute private key and the encryption key of the first security domain.
In one embodiment, the processor, when executing the computer program, performs the steps of:
responding to the data storage request, and storing the encrypted data carried in the data storage request; the encrypted data is generated by the storage user according to the data file to be stored.
In one embodiment, the processor, when executing the computer program, performs the steps of:
generating a file keyword and an access structure according to a data file to be stored;
obtaining a keyword ciphertext according to the public parameter of the first security domain, the file keyword and the access structure;
generating an encrypted data file and a hash value of the encrypted data file according to the data file to be stored and a preset secret key;
and obtaining an encryption key according to a preset key, the public parameter and the access structure.
In one embodiment, the processor, when executing the computer program, performs the steps of:
sending the encrypted data file to a shared cloud platform of the first security domain for storage, and sending the encrypted data to a local alliance chain of the first security domain in a preset format;
and after the smart contract is triggered, storing the encrypted data file to the local alliance chain of the first security domain.
The implementation principle and technical effect of the computer device provided by the above embodiment are similar to those of the above method embodiment, and are not described herein again.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
responding to a data access request of an access user, and performing cross-domain security verification on the access user; the data access request is used for requesting to access a target data file stored in the first security domain; the access user is a user in the second security domain; the first security domain and the second security domain are different security domains;
if the cross-domain security verification of the access user passes, sending decryption information of the target data file to the access user; the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file.
In one embodiment, the computer program when executed by a processor implements the steps of:
acquiring a cross-domain access certificate and a data access request of an access user;
after the cross-domain verification of the access user passes, acquiring an attribute private key of the access user;
if the attribute private key of the access user is matched with the shared ciphertext of the target data file preconfigured in the first security domain, sending decryption information of the target data file to the access user; the decryption information at least includes: the encryption key, the hash value of the target data file, the attribute private key of the access user and the public parameter of the first security domain.
In one embodiment, the computer program when executed by a processor implements the steps of:
performing identity authentication on the access user, sending the data access request to the cross-domain alliance chain after the identity authentication passes so as to instruct the cross-domain alliance chain to generate a cross-domain access credential and routing information for the access user, and sending the cross-domain access credential to the access user; the cross-domain access credential comprises a cross-domain attribute and an access credential;
receiving the cross-domain access credential and the data access request uploaded by the access user through a communication channel; the communication channel is established by the access user according to the routing information.
In one embodiment, the computer program when executed by a processor implements the steps of:
according to a data access request of an access user, an access control center of a first security domain searches a pre-stored cross-domain access certificate of the access user in a cross-domain alliance chain;
comparing the pre-stored cross-domain access credential with the cross-domain access credential of the access user acquired by the first security domain;
and if the comparison result is consistent, determining that the cross-domain verification of the access user is passed.
In one embodiment, the computer program when executed by a processor implements the steps of:
acquiring cross-domain attributes of access users;
and generating an attribute private key of the access user according to the cross-domain attribute of the access user and a master key preset by the first security domain.
In one embodiment, the computer program when executed by a processor implements the steps of:
generating a search keyword trapdoor according to the attribute private key and the search keyword of the access user;
matching the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain;
and if the matching result meets the preset condition, determining the attribute private key of the access user and the shared ciphertext of the target data file in the first security domain.
In one embodiment, the computer program when executed by a processor implements the steps of:
when the hash value of the target data file is consistent with the hash value prestored in the local alliance chain in the first security domain, decrypting the encrypted data file of the target data file according to the decrypted encryption key to obtain the target data file; the decrypted encryption key is determined by the access user according to the public parameter, the attribute private key and the encryption key of the first security domain.
In one embodiment, the computer program when executed by a processor implements the steps of:
responding to the data storage request, and storing the encrypted data carried in the data storage request; the encrypted data is generated by the storage user according to the data file to be stored.
In one embodiment, the computer program when executed by a processor implements the steps of:
generating a file keyword and an access structure according to a data file to be stored;
obtaining a keyword ciphertext according to the public parameter of the first security domain, the file keyword and the access structure;
generating an encrypted data file and a hash value of the encrypted data file according to the data file to be stored and a preset secret key;
and obtaining an encryption key according to a preset key, the public parameter and the access structure.
In one embodiment, the computer program when executed by a processor implements the steps of:
sending the encrypted data file to a shared cloud platform of the first security domain for storage, and sending the encrypted data to a local alliance chain of the first security domain in a preset format;
and after the smart contract is triggered, storing the encrypted data file to the local alliance chain of the first security domain.
The implementation principle and technical effect of the computer-readable storage medium provided by the above embodiments are similar to those of the above method embodiments, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, a database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments only express several embodiments of the present application, and their description is specific and detailed, but this shall not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.