[go: up one dir, main page]

CN119272305B - A data rights confirmation method, data management method and system - Google Patents

A data rights confirmation method, data management method and system

Info

Publication number
CN119272305B
CN119272305B CN202411384546.1A CN202411384546A CN119272305B CN 119272305 B CN119272305 B CN 119272305B CN 202411384546 A CN202411384546 A CN 202411384546A CN 119272305 B CN119272305 B CN 119272305B
Authority
CN
China
Prior art keywords
data
authority
client
blockchain
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411384546.1A
Other languages
Chinese (zh)
Other versions
CN119272305A (en
Inventor
齐伊宁
李瑞轩
付宇
王中旭
王号召
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology filed Critical Huazhong University of Science and Technology
Priority to CN202411384546.1A priority Critical patent/CN119272305B/en
Publication of CN119272305A publication Critical patent/CN119272305A/en
Application granted granted Critical
Publication of CN119272305B publication Critical patent/CN119272305B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开了一种数据确权方法、数据管理方法及系统,属于数据确权技术领域;通过将授权机构的分布式数字身份标识符作为属性嵌入预设访问策略以约定授权机构具有解密数据并审查数据明文的权利,将数据所有者的分布式数字身份标识作为属性嵌入预设访问策略以明确对确权数据的所有权,然后采用全局参数和属性嵌入后的预设访问策略对确权数据进行加密,并将所得数据密文提交到授权机构中进行确权,保证了数据的安全性和隐私性;同时,所得数据所有权声明中直接携带有授权机构的分布式数字身份标识符信息,使得在后续对数据所有权声明进行认证的过程中无需再联合进行数据确权的授权机构进行认证,使得数据所有权声明能够在不同平台间易于互通互认。

The present invention discloses a data rights confirmation method, a data management method and a system, which belong to the technical field of data rights confirmation. The method embeds the distributed digital identity identifier of an authorization agency as an attribute into a preset access policy to stipulate that the authorization agency has the right to decrypt data and review the data plaintext, embeds the distributed digital identity identifier of a data owner as an attribute into the preset access policy to clarify the ownership of the rights confirmation data, and then encrypts the rights confirmation data using the preset access policy after global parameters and attributes are embedded, and submits the obtained data ciphertext to the authorization agency for rights confirmation, thereby ensuring the security and privacy of the data. At the same time, the obtained data ownership statement directly carries the distributed digital identity identifier information of the authorization agency, so that in the subsequent authentication process of the data ownership statement, there is no need to jointly authenticate the authorization agency that performs data rights confirmation, so that the data ownership statement can be easily communicated and recognized between different platforms.

Description

Data right determining method, data management method and system
Technical Field
The invention belongs to the technical field of data right verification, and particularly relates to a data right verification method, a data management method and a data management system.
Background
With the rapid development of internet technology and the advancement of informatization, data security and privacy protection become important issues to be solved. Because the existing data rights registration and release depends on the traditional management mode of 'manual registration-expert review', and cannot cope with digital attack modes such as tampering, replacement and the like, the existing data transaction market is still plagued by the problems of difficult control of the data rights, hidden infringement and the like, a data right confirming method is needed to be researched so as to provide a feasible technical guarantee means to face the related data transaction market with multiple benefit subjects and higher complexity of the data rights.
In order to solve the above problems, the existing data validation method usually encrypts the data to be validated and then validates the data, while the security and privacy in the data output process can be ensured, the validation records obtained by the method need multiparty joint validation in the authentication process of other platforms, for example, the platforms need to be authenticated by an authority which is combined with the validation records in the authentication process, the whole process is complex, the validation records are difficult to mutually validate among different platforms, and a data island is easy to form, so that the method is not applicable to complex data transaction markets.
Disclosure of Invention
Aiming at the defects or improvement demands of the prior art, the invention provides a data right confirmation method, a data management method and a system, which aim to ensure that the obtained right confirmation records can simply and conveniently realize intercommunication and mutual confirmation among different platforms on the premise of ensuring the safety and privacy of data.
In order to achieve the above object, in a first aspect, the present invention provides a data validation method applied to a blockchain-based data validation system, the data validation system comprising a client, an authority, a blockchain and a data storage server;
the data right determining method comprises the following steps:
The data owner obtains the distributed digital identity identifier of the authorization mechanism and requests the authorization mechanism to obtain global parameters required by encryption through the client;
The data owner embeds the distributed digital identity identifiers of the data owner and the authorization mechanism as attributes into a preset access strategy, encrypts the authorization data by adopting the global parameters and the preset access strategy with the embedded attributes to obtain a data ciphertext;
The authorization mechanism receives the data ciphertext and the right confirmation request, decrypts the data ciphertext by using an attribute key of the authorization mechanism, and inspects the obtained data plaintext, when the data ciphertext passes the inspection, the authorization mechanism extracts a hash value of the data plaintext, generates a distributed digital identity for the data plaintext, embeds the hash value into the distributed digital identity of the data plaintext and uploads the hash value to the blockchain, embeds a distributed digital identity identifier of a data owner and the data plaintext into a data ownership statement and uploads the data ownership statement to the blockchain, stores the data ciphertext into a data storage server, informs the data owner that the right confirmation is completed through a client, and when the data plaintext does not pass the inspection, informs the data owner that the right confirmation fails through the client.
Further preferably, the preset access policy includes access rights, usage scope and time limit of the validation data uploaded by the data owner.
Further preferably, the data right-confirming method further comprises the following steps executed after the right-confirming is completed:
the data owner sends a request for obtaining verifiable credentials of the validation data to an authorization mechanism through a client;
After receiving the request, the authority acquires the data ownership statement of the validation data from the blockchain, and carries out digital signature by adopting a private key of the authority, constructs verifiable credentials comprising the digital signature, the data ownership statement of the validation data and a distributed digital identity identifier of the authority, and sends the verifiable credentials to a data owner through a client, extracts a hash value of the verifiable credentials, and uploads the hash value of the verifiable credentials to the blockchain for certification.
In a second aspect, the present invention provides a data validation system, a client, an authority, a blockchain, and a data storage server:
the client, authority and blockchain perform the data validation method provided by the first aspect of the present invention.
The invention provides a data management method which is applied to a data management system, wherein the data management system comprises a client, N authorized mechanisms, a blockchain and a data storage server, wherein N is more than or equal to 1;
The data management method comprises the following steps:
when the data owner performs data right confirmation, the client, the first authority and the blockchain execute the data right confirmation method provided by the first aspect of the invention, wherein the first authority is any authority in N authorities;
When the data user requests to use the data, the data user requests to acquire the attribute key of the data user from the second authority through the client, downloads the data ciphertext from the data storage server through the second authority, decrypts the data ciphertext by using the attribute key of the data user, and obtains the data plaintext successfully when the attribute of the data user accords with a preset access strategy in the data ciphertext, otherwise, the data user fails to decrypt, wherein the second authority is any authority of N authorities.
Further preferably, the data management method further includes:
when a verifier proposes to verify the authenticity of a verifiable credential of certain credentials data:
the verifier sends verifiable credentials to a third authority through the client, wherein the third authority is any authority in N authorities;
After receiving the verifiable certificate, the third authority analyzes the digital signature, the distributed digital identity identifier and the data ownership statement of the authority for performing the right-confirming operation on the right-confirming data from the verifiable certificate, and inquires whether the authority for performing the right-confirming operation has the evidence-issuing qualification or not through a block chain;
If the certification qualification exists, verifying the authenticity of the digital signature obtained by analysis, continuously extracting the hash value of the verifiable certificate when the verification passes, comparing the hash value with the hash value of the verifiable certificate inquired by the blockchain, and obtaining a verification result that the verifiable certificate has the authenticity when the comparison is consistent;
If the certification qualification is not met, a verification result that the verifiable certificate does not have authenticity is obtained;
the verification of the authenticity of the digital signature obtained by analysis comprises the following steps:
And calculating the public key of the authority for performing the right-confirming operation by using the digital signature and the data ownership statement which are obtained through analysis, comparing the public key with the public key of the authority for performing the right-confirming operation which is obtained through block chain inquiry, judging that the verification is passed when the comparison is consistent, and otherwise, judging that the verification is not passed.
Further preferably, the data management method further includes:
When the user performs identity registration, the user sends a request for creating the distributed digital identity to a fourth authorization mechanism through a client;
after receiving the request, the fourth authority generates a distributed digital identity for the user and uploads the distributed digital identity of the user to the blockchain;
The user comprises a data owner, a data user and a verifier, and the fourth authority is any authority in N authorities.
In a third aspect, the invention provides a data management system, comprising a client, N authorizing mechanisms, a blockchain and a data storage server, wherein N is more than or equal to 1;
the client, the N authorities and the blockchain are used to perform the data management method provided by the third aspect of the invention.
In general, through the above technical solutions conceived by the present invention, the following beneficial effects can be obtained:
1. The invention provides a data right-confirming method, which is characterized in that a distributed digital identity identifier of an authorization mechanism is used as an attribute to be embedded into a preset access strategy to agree that the authorization mechanism has the right to decrypt data and examine data plaintext, a distributed digital identity identifier of a data owner is used as the attribute to be embedded into the preset access strategy to definitely confirm the ownership of right-confirming data, then the global parameter and the preset access strategy with the embedded attribute are adopted to encrypt the right-confirming data, the obtained data ciphertext is submitted to the authorization mechanism to confirm the right, the leakage risk of the data in the right-confirming process is avoided, and the safety and privacy of the data are ensured, meanwhile, the obtained data ownership statement directly carries the distributed digital identity identifier information of the authorization mechanism, so that the authorization mechanism for data right-confirming is not required to be jointly authenticated in the subsequent data ownership statement authentication process, the authentication process can be realized only by acquiring the information of the authorization mechanism for data right-confirming statement from the data ownership statement, the authentication process is simplified, and the data ownership can be easily and conveniently realized in different platforms to realize mutual right-confirming and complicated data trading.
2. Further, the data right confirming method provided by the invention has the advantages that the preset access strategy comprises the access right, the use range and the time limit of the right-confirmed data uploaded by the data owner, and the use mode of the data can be independently regulated, so that in the subsequent data access process, a user can ensure that only an authorized user can access the data without depending on a centralized service provider, the distributed access control is realized, single-point faults are reduced, and the safety of the subsequent data access is improved.
3. Furthermore, the data right-confirming method provided by the invention has the advantages that when the data owner makes a request for obtaining the verifiable certificate of the right-confirming data to the authorization mechanism, the authorization mechanism also extracts the hash value of the verifiable certificate and uploads the hash value of the verifiable certificate to the blockchain for storing the certificate, so that on one hand, the storage cost of the blockchain is higher, the direct storage of the certificate data can influence the performance, the hash value of the verifiable certificate is only a character string with a fixed length, the data quantity is greatly reduced, and on the other hand, the hash abstract value can be changed by any change of the data, so that whether the verifiable certificate is tampered or not can be verified only by the hash value of the verifiable certificate under the condition that the verifiable certificate is not stored.
4. The invention provides a data management method, when a data owner carries out data right, the data right confirming method is adopted to carry out right confirming operation, so that the obtained right confirming records can simply and conveniently realize intercommunication and mutual confirmation among different platforms on the premise of ensuring the safety and privacy of data, when the data user requests to use the data, the data ciphertext is decrypted based on the attribute key of the data user, only the data user meeting the preset access strategy can finish decryption, fine-granularity access control is realized, and a complex key management flow is not needed.
5. Further, according to the data management method provided by the invention, when a verifier verifies the authenticity of a verifiable certificate of certain authorization data, a digital signature is analyzed from the verifiable certificate, a distributed digital identity identifier and a data ownership statement of an authority for performing authorization operation on the authorization data are inquired by a block chain to determine whether the authority for performing authorization operation has certification qualification, the authenticity of the certificate is verified by using the digital signature, and then the information of the certificate on a chain is verified by using a block chain certificate verification method, so that the authenticity of the verifiable certificate is ensured by a layer-by-layer verification mode.
Drawings
FIG. 1 is a flow chart of a data authorization method according to an embodiment of the present invention;
FIG. 2 is a process diagram of data validation provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a data management system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a data management flow according to an embodiment of the present invention;
fig. 5 is a process diagram of verifying the authenticity of a verifiable credential of certain validation data provided by an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
In order to achieve the above object, in a first aspect, the present invention provides a data validation method applied to a blockchain-based data validation system, the data validation system comprising a client, an authority, a blockchain and a data storage server;
As shown in fig. 1, the data right determining method includes:
the data owner obtains a distributed digital identity identifier of the authorization mechanism and requests the authorization mechanism to obtain global parameters required by encryption through a client, wherein the global parameters comprise mathematical domains and parameters for encryption and decryption;
The data owner embeds the distributed digital identity identifiers of the data owner and the authorization mechanism as attributes into a preset access strategy, encrypts the authorization data by adopting the global parameters and the preset access strategy with the embedded attributes to obtain a data ciphertext;
The authorization mechanism receives the data ciphertext and the right confirmation request, decrypts the data ciphertext by using an attribute key of the authorization mechanism, and inspects the obtained data plaintext, when the data ciphertext passes the inspection, the authorization mechanism extracts a hash value of the data plaintext, generates a distributed digital identity for the data plaintext, embeds the hash value into the distributed digital identity of the data plaintext and uploads the hash value to a blockchain to realize the binding of the data and the distributed digital identity, embeds a distributed digital identity identifier of a data owner and the data plaintext into a data ownership statement and uploads the data ownership statement to the blockchain to ensure the transparency and the safety of ownership through a consensus mechanism, stores the data ciphertext into a data storage server, informs the data owner that the right confirmation is completed through a client, and informs the data owner that the right confirmation fails through the client when the inspection fails.
A schematic diagram of the specific process of the above process is shown in fig. 2.
In an alternative embodiment, after the authorization mechanism passes the verification of the decrypted data plaintext, the hash value of the data plaintext is extracted, a distributed digital identity is generated for the data plaintext, the hash value is embedded into the distributed digital identity of the data plaintext and uploaded to a blockchain, a record containing a data position is generated after the uploading is completed and used for acquiring data, and finally, a record is generated for the data information filled by the data owner, such as the data name, the data type, the usage scenario and the like, so that a subsequent verifier searches the data position from the record when reviewing the data, and the data is acquired by using an external interface of the data storage server. The process of generating the distributed digital identity of the data is the same as the process of generating the distributed digital identity of the data owner described above, and therefore will not be described in detail. And finally, recording the ownership information of the data owner, namely the data ownership statement, on the blockchain through the intelligent contract. It should be noted that there are various methods for extracting the hash value, and algorithms such as SHA-1, SHA-3, SHA-256, BLAKE2 may be used, and preferably, in an alternative embodiment, the authority uses the SHA-256 algorithm to generate a data fingerprint, that is, a hash value of the data plaintext, for the data.
In an alternative embodiment, the primary process of encrypting the authentication data includes:
The initialization process is performed by an authority that performs the global parameters and master keys necessary to be responsible for generating the encryption. The global parameters include mathematical fields and parameters for encryption and decryption, while the master key is used for subsequent key derivation and verification.
The key generation process is also performed by the authority that generates an attribute key for each user (e.g., data owner, user) that is associated with a set of attributes of the user. The generation of the attribute key depends on the master key generated during the initialization process;
The encryption process is that the data owner defines a preset access strategy when encrypting the data, the preset access strategy is a character string with a specific format and describes which attribute combinations can decrypt the data, on the basis, the data owner embeds the distributed digital identity identifiers of the data owner and the authorization mechanism into the preset access strategy as the attribute, and the preset access strategy encrypts the data with the authorization data to form the data ciphertext. The encryption process uses the preset access strategy with the embedded global system parameters and attributes to encrypt the authorization data, and generates a data ciphertext, so that only a secret key meeting the requirement of the preset access strategy can decrypt the data. When a user holding an attribute key attempts to decrypt the ciphertext, it is checked whether the attribute in the key satisfies the access policy in the ciphertext. If satisfied, the data will be decrypted, and if not, the decryption process will fail, the data remaining encrypted.
It should be noted that, the data owner may also set other attributes (such as access rights, use range, time limit, etc. of the data) in the preset access policy to autonomously specify the use manner of the data. Specifically, in an alternative embodiment, the preset access policy includes access rights, usage range and time limit of the validation data uploaded by the data owner.
The invention supports user-defined access strategy, distributes the key according to the attribute, reduces the complexity of key management, only generates the key according to the attribute, does not need complex key management flow, and can decrypt all data conforming to the access strategy by using a single attribute key without generating a separate decryption key for each encryption task. Dynamic rights change is supported in that the user's attributes need only be updated as they change without the need to redistribute keys.
In an alternative embodiment, the data right-determining method further includes the following steps performed after the right-determining is completed:
the data owner sends a request for obtaining verifiable credentials of the validation data to an authorization mechanism through a client;
After receiving the request, the authority acquires the data ownership statement of the validation data from the blockchain, and carries out digital signature by adopting a private key of the authority, constructs verifiable credentials comprising the digital signature, the data ownership statement of the validation data and a distributed digital identity identifier of the authority, and sends the verifiable credentials to a data owner through a client, extracts a hash value of the verifiable credentials, and uploads the hash value of the verifiable credentials to the blockchain for certification.
Specifically, under one embodiment, the digital signature, the data ownership statement of the validation data, and the distributed digital identity of the authority are directly combined as verifiable credentials. In another embodiment, a unique identifier of the verifiable credential is generated as an ID, and the digital signature, the data ownership statement of the validation data, the distributed digital identity identifier of the authority, the ID, and metadata such as the generation time, expiration time, etc. are packaged to form a complete verifiable credential.
Specifically, when the authority issues the verifiable certificate, the authority firstly confirms the right information from the blockchain, then packages the distributed identity identifier of the data owner, the distributed identity identifier of the authority, the generation time and expiration time of the certificate, uses the private key of the authority to generate a digital signature on the packaged information through a cryptography algorithm, packages all the information into the verifiable certificate, and returns the verifiable certificate to the data owner in a text document mode. The authorization mechanism also generates a hash digest for the verifiable certificate, records the hash digest on the blockchain for storing the certificate, and the purpose of storing the hash digest is to ensure that on one hand, the storage cost of the blockchain is higher, the performance is influenced by directly storing the certificate data, the hash digest is only a hexadecimal character string with a fixed length, the data quantity is greatly reduced, on the other hand, the hash digest is generated by original data through a cryptographic algorithm, and any change to the data can change the value of the hash digest, so that whether the verifiable certificate is tampered or not can be verified only through the hash digest under the condition that the verifiable certificate is not stored.
In an optional implementation manner, the data right determining method further comprises the pre-executed identity registering operation of the data owner;
when the data owner carries out identity registration, the data owner sends a request for creating the distributed digital identity to an authorization mechanism through a client;
After receiving the request, the authorization mechanism generates a distributed digital identity for the user and uploads the distributed digital identity of the user to the blockchain;
Specifically, in this embodiment, when the authority creates the distributed digital identity of the data owner, a cryptographic algorithm is used to generate a private key and a public key, the public key is embedded into the distributed digital identity of the user and uploaded to the blockchain, the private key is returned to the data owner, the data owner stores the private key, and the attribute information of the data owner is recorded in the distributed digital identity. In one embodiment, the authority creates a public-private key pair for the owner of the data using a cryptographic algorithm, wherein the public key appears as an ethernet wallet address, the public key is part of a distributed digital identity, the authority invokes the smart contract to register it on the blockchain, the private key is a hexadecimal string, the private key functions to verify the distributed digital identity of the owner of the data and create a digital signature, and the private key is kept by the owner of the data and is protected from leakage.
In conclusion, the invention strengthens the protection of the data copyright and ensures the non-tamper property and transparency of the right-determining process. In addition, the invention realizes fine granularity access control without depending on a centralization mechanism, and enhances the safety management of data.
In a second aspect, the present invention provides a data validation system, a client, an authority, a blockchain, and a data storage server:
the client, authority and blockchain perform the data validation method provided by the first aspect of the present invention.
The related technical solution is the same as the data right determining method provided in the first aspect of the present invention, and will not be described herein.
In a third aspect, the invention provides a data management method applied to a data management system, as shown in FIG. 3, wherein the data management system comprises a client, N authorized mechanisms, a blockchain and a data storage server, wherein N is more than or equal to 1;
as shown in fig. 4, the data management method includes:
when the data owner performs data right confirmation, the client, the first authority and the blockchain execute the data right confirmation method provided by the first aspect of the invention, wherein the first authority is any authority in N authorities;
When the data user requests to use the data, the data user requests to acquire the attribute key of the data user from the second authority through the client, downloads the data ciphertext from the data storage server through the second authority, decrypts the data ciphertext by using the attribute key of the data user, and obtains the data plaintext successfully when the attribute of the data user accords with a preset access strategy in the data ciphertext, otherwise, the data user fails to decrypt, wherein the second authority is any authority of N authorities.
In an alternative embodiment, as shown in fig. 5, the data management method further includes:
when a verifier proposes to verify the authenticity of a verifiable credential of certain credentials data:
the verifier sends verifiable credentials to a third authority through the client, wherein the third authority is any authority in N authorities;
After receiving the verifiable certificate, the third authority analyzes the digital signature, the distributed digital identity identifier and the data ownership statement of the authority for performing the right-confirming operation on the right-confirming data from the verifiable certificate, and inquires whether the authority for performing the right-confirming operation has the evidence-issuing qualification or not through a block chain;
If the certification qualification exists, verifying the authenticity of the digital signature obtained by analysis, continuously extracting the hash value of the verifiable certificate when the verification passes, comparing the hash value with the hash value of the verifiable certificate inquired by the blockchain, and obtaining a verification result that the verifiable certificate has the authenticity when the comparison is consistent;
If the certification qualification is not met, a verification result that the verifiable certificate does not have authenticity is obtained;
the verification of the authenticity of the digital signature obtained by analysis comprises the following steps:
And calculating the public key of the authority for performing the right-confirming operation by using the digital signature and the data ownership statement which are obtained through analysis, comparing the public key with the public key of the authority for performing the right-confirming operation which is obtained through block chain inquiry, judging that the verification is passed when the comparison is consistent, and otherwise, judging that the verification is not passed.
It should be noted that in the above process, the third authority first analyzes the distributed digital identifier and digital signature of the issuing party (authority for performing the right-determining operation on the right-determining data) from the verifiable certificate, and queries whether the issuing party has the certification qualification through the blockchain, and then verifies the authenticity of the certificate by using the digital signature, and then verifies the information of the certificate on the chain through the certificate verification method of the blockchain, so as to further verify the authenticity of the verifiable certificate.
The information contained in the verifiable credential can support the verifier to independently finish checking the credential, but needs to have certain knowledge, so that the verifier often gives the verifiable credential to an authorized mechanism for proxy verification, the verification process is that firstly, a declaration part in the verifiable credential, especially the rights information in the declaration, is checked, then a message needing signature verification is extracted from the verifiable credential, the message is hashed to generate a hash value of the message, then the message and the signature are used for recovering an Ethernet address of the signer from the signature, whether the signer accords with a sender field described in the credential or not is checked through an intelligent contract, and finally, the hash value of the verifiable credential stored on a comparison chain is checked through the intelligent contract, so that the non-falsification of the credential is further ensured.
In an optional embodiment, the data management method further includes:
When the user performs identity registration, the user sends a request for creating the distributed digital identity to a fourth authorization mechanism through a client;
after receiving the request, the fourth authority generates a distributed digital identity for the user and uploads the distributed digital identity of the user to the blockchain;
The user comprises a data owner, a data user and a verifier, and the fourth authority is any authority in N authorities.
Specifically, in this embodiment, when the authority creates the distributed digital identity of the user, a private key and a public key are generated by using a cryptographic algorithm, the public key is embedded in the distributed digital identity and uploaded to the blockchain, the private key is returned to the user, the user saves the private key, and attribute information of the user is recorded in the distributed digital identity. In one embodiment, the authority uses a cryptographic algorithm to create a public-private key pair for the user, the public key representing an ethernet wallet address, the public key being part of the distributed digital identity, the authority invoking the smart contract to register it on the blockchain, the private key being a hexadecimal string, the private key acting to verify the distributed digital identity of the user and to create the digital signature, the private key being kept by the user and protected from leakage.
The first authority, the second authority, the third authority, and the fourth authority may be the same or different, and are not limited herein.
In a third aspect, the invention provides a data management system, comprising a client, N authorizing mechanisms, a blockchain and a data storage server, wherein N is more than or equal to 1;
the client, the N authorities and the blockchain are used to perform the data management method provided by the third aspect of the invention.
The user can be used as the owner of the data, namely the initiator of the right-confirming operation, encrypt the data to generate a data ciphertext and submit the data ciphertext to the authority and use the verifiable certificate to prove the right of ownership, the user can also be used as the data user to download the data ciphertext and acquire an attribute key from the authority, the user attribute with the right of ownership can only meet the access policy to finish the decryption operation, and the user attribute with the right of ownership can also be used as the verifier of the right of ownership to submit the verifiable certificate to the authority to verify the authenticity of the right of ownership.
The authorization mechanism is directly connected with the blockchain, stores service information of the user to the blockchain, has distributed digital identities, can endorse data ownership of the user, and plays roles of generating and releasing global parameters required by encryption of the user and attribute keys required by decryption;
The blockchain can store distributed digital identity and verifiable credential information and assist an authorization mechanism in completing the operations of credential verification and attribute key generation;
the data storage server is responsible for storing the encrypted data of the user and providing an interface for uploading and downloading to the authority.
The related technical solution is the same as the data management method provided in the third aspect of the present invention, and will not be described herein.
In summary, the invention provides a data right-confirming method, a data management method and a system, which are used for data right-confirming, wherein the distributed digital identity has the characteristics of cross-platform identity verification and privacy protection, the data right-confirming process is not only dependent on a centralized identity provider, a user can independently manage the identity, partial private data is selectively disclosed, and meanwhile, the island of the data is broken, so that unified management and sharing of the data are realized. And the security of the data is ensured by introducing attribute-based encryption, a user does not need to trust an authorized mechanism or worry about data leakage in the process of authorization, and fine-grained access control of the data is realized.
The distributed digital identity is used as the attribute, the distributed digital identity and the right information of the user and the data are stored on the blockchain, the user independently determines the access strategy during encryption, the user attribute is read from the blockchain during decryption to generate the decryption key, only the user meeting the access strategy can finish decryption, fine-granularity access control is realized, the risk of revealing the data in the right confirming process is avoided, the non-tamper property and transparency of the right confirming process are ensured, the user can ensure that only the authorized user can access the data without trust of a centralized service provider, the distributed access control is realized, single-point faults are reduced, and the security of the system is improved.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (8)

1. The data right-confirming method is characterized by being applied to a block chain-based data right-confirming system, wherein the data right-confirming system comprises a client, an authorized mechanism, a block chain and a data storage server;
the data right determining method comprises the following steps:
the data owner obtains the distributed digital identity identifier of the authorization mechanism and requests the authorization mechanism to obtain global parameters required by encryption through the client;
The data owner embeds the distributed digital identity identifiers of the data owner and the authorization mechanism as attributes into a preset access strategy, encrypts the authorization data by adopting the global parameters and the preset access strategy with the embedded attributes to obtain a data ciphertext;
The authorization mechanism receives the data ciphertext and the right confirmation request, decrypts the data ciphertext by using an attribute key of the authorization mechanism, and inspects the obtained data plaintext, when the data ciphertext passes the inspection, the authorization mechanism extracts a hash value of the data plaintext, generates a distributed digital identity for the data plaintext, embeds the hash value into the distributed digital identity of the data plaintext and uploads the hash value to the blockchain, embeds a distributed digital identity identifier of the data owner and the data plaintext into a data ownership statement and uploads the data ownership statement to the blockchain, stores the data ciphertext into the data storage server, informs the data owner that the right confirmation is completed through the client, and when the data ciphertext fails the inspection, informs the data owner that the right confirmation fails through the client.
2. The method for data validation according to claim 1, wherein the preset access policy includes access rights, a range of use, and a time limit for the validation data.
3. The data authentication method according to claim 1 or 2, further comprising the steps of, after the authentication is completed:
the data owner makes a request to the authority through the client to acquire verifiable credentials of the validation data;
After receiving the request, the authority acquires the data ownership statement of the right-confirming data from the blockchain, and adopts a private key of the authority to carry out digital signature, constructs a verifiable certificate comprising the digital signature, the data ownership statement of the right-confirming data and a distributed digital identity identifier of the authority, and sends the verifiable certificate to the data owner through the client, extracts the hash value of the verifiable certificate, and uploads the hash value of the verifiable certificate to the blockchain for storing.
4. The data right confirming system is characterized by comprising a client, an authorized mechanism, a blockchain and a data storage server:
The client, the authority and the blockchain perform the data validation method of any of claims 1-3.
5. The data management method is characterized by being applied to a data management system, wherein the data management system comprises a client, N authorized mechanisms, a block chain and a data storage server, wherein N is more than or equal to 1;
The data management method comprises the following steps:
When the data owner performs data validation, the client, the first authority and the blockchain execute the data validation method of any one of claims 1-3, wherein the first authority is any one authority of the N authorities;
when a data user requests to use data, the data user requests to acquire an attribute key of the data user from a second authority through the client, downloads a data ciphertext from the data storage server through the second authority, decrypts the data ciphertext by using the attribute key of the data user, and obtains a data plaintext successfully when the attribute of the data user accords with a preset access strategy in the data ciphertext, otherwise, the data user fails to decrypt, and the second authority is any authority in the N authorities.
6. The method for data management as defined in claim 5, further comprising, when the verifier proposes verification of authenticity of a verifiable credential of certain validation data:
the verifier sends a verifiable certificate to a third authorization mechanism through the client, wherein the third authorization mechanism is any one of N authorization mechanisms;
After the third authority receives the verifiable certificate, resolving a digital signature from the verifiable certificate, carrying out a distributed digital identity identifier and a data ownership statement of the authority which carries out the right-confirming operation on the right-confirming data, and inquiring whether the authority which carries out the right-confirming operation has a certification qualification or not through the blockchain;
If the verification is qualified, verifying the authenticity of the digital signature obtained by analysis, continuously extracting the hash value of the verifiable certificate when the verification is passed, comparing the hash value with the hash value of the verifiable certificate inquired by the blockchain, and obtaining a verification result that the verifiable certificate has authenticity when the comparison is consistent;
If the certification qualification is not met, a verification result that the verifiable certificate does not have the authenticity is obtained;
The verification and analysis method comprises the steps of:
and calculating the public key of the authority for performing the right-confirming operation by using the digital signature and the data ownership statement which are obtained through analysis, comparing the public key with the public key of the authority for performing the right-confirming operation which is obtained through the blockchain inquiry, judging that the verification is passed when the comparison is consistent, and otherwise, judging that the verification is not passed.
7. The data management method according to claim 5 or 6, characterized by further comprising:
when the user performs identity registration, the user sends a request for creating the distributed digital identity to a fourth authorization mechanism through the client;
After the fourth authority receives the request, generating a distributed digital identity for the user, and uploading the distributed digital identity of the user to the blockchain;
the user comprises a data owner, a data user and a verifier, wherein the fourth authority is any authority in the N authorities.
8. A data management system is characterized by comprising a client, N authorizing mechanisms, a block chain and a data storage server, wherein N is more than or equal to 1;
The client, the N authorities and the blockchain are for performing the data management method of any of claims 5-7.
CN202411384546.1A 2024-09-30 2024-09-30 A data rights confirmation method, data management method and system Active CN119272305B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411384546.1A CN119272305B (en) 2024-09-30 2024-09-30 A data rights confirmation method, data management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411384546.1A CN119272305B (en) 2024-09-30 2024-09-30 A data rights confirmation method, data management method and system

Publications (2)

Publication Number Publication Date
CN119272305A CN119272305A (en) 2025-01-07
CN119272305B true CN119272305B (en) 2025-10-03

Family

ID=94114683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411384546.1A Active CN119272305B (en) 2024-09-30 2024-09-30 A data rights confirmation method, data management method and system

Country Status (1)

Country Link
CN (1) CN119272305B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115906181A (en) * 2022-12-30 2023-04-04 中国工商银行股份有限公司 Encrypted file right confirming method, device and system based on block chain attribute
CN117294496A (en) * 2023-09-25 2023-12-26 湖北工业大学 Intelligent home monitoring data safety management method based on blockchain

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110874464B (en) * 2018-09-03 2025-02-25 巍乾全球技术有限责任公司 User authentication data management method and device
CN113973016B (en) * 2020-04-17 2024-07-16 支付宝(杭州)信息技术有限公司 Authorization processing method, device, equipment and system based on verifiable statement
CN112417510B (en) * 2020-12-09 2022-12-13 南威软件股份有限公司 Credible sharing method for protecting government affair private data based on block chain
CN113204783B (en) * 2021-04-23 2022-07-05 中南民族大学 Privacy protection safety decentralized self-ownership identity authentication protocol method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115906181A (en) * 2022-12-30 2023-04-04 中国工商银行股份有限公司 Encrypted file right confirming method, device and system based on block chain attribute
CN117294496A (en) * 2023-09-25 2023-12-26 湖北工业大学 Intelligent home monitoring data safety management method based on blockchain

Also Published As

Publication number Publication date
CN119272305A (en) 2025-01-07

Similar Documents

Publication Publication Date Title
CN110750803B (en) Method and device for providing and fusing data
CN101872399B (en) Dynamic digital copyright protection method based on dual identity authentication
US9912485B2 (en) Method and apparatus for embedding secret information in digital certificates
US7797544B2 (en) Attesting to establish trust between computer entities
KR101010040B1 (en) Method for encrypting and decrypting files, apparatus, program, and computer-readable recording medium recording the program
US7526649B2 (en) Session key exchange
CN112528250B (en) System and method for realizing data privacy and digital identity through block chain
WO2020119258A1 (en) Data processing method and device
US20080301436A1 (en) Method and apparatus for performing authentication between clients using session key shared with server
US20100257363A1 (en) Method and system for secure communication
US20200412554A1 (en) Id as service based on blockchain
CN113497709A (en) Trusted data source management method based on block chain, signature device and verification device
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
JP2009541817A (en) Single sign-on between systems
CN118694541B (en) A distributed zero-knowledge identity authentication method and system based on verifiable credentials
CN103138939A (en) Secret key use time management method based on credible platform module under cloud storage mode
JP2010514000A (en) Method for securely storing program state data in an electronic device
CN102143178A (en) Network teaching management system
Win et al. Privacy enabled digital rights management without trusted third party assumption
US20240348592A1 (en) Apparatus and method for managing credentials
CN115913513A (en) Distributed trusted data transaction method, system and device supporting privacy protection
CN113886781B (en) Multi-authentication encryption method, system, electronic equipment and medium based on block chain
JP2004248220A (en) Public key certificate issuing device, public key certificate recording medium, authentication terminal device, public key certificate issuing method, and program
CN102270285A (en) Key authorization information management method and device
CN116167017A (en) Shoe original design AI digital copyright management system based on blockchain technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant