CN110851851B - Authority management method, device and equipment in block chain type account book - Google Patents
- Publication number: CN110851851B (application CN202010039770.2A)
- Authority: CN (China)
- Prior art keywords: user, data, account book, key, block
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
          - G06F21/604—Tools and structures for managing or administering access control systems
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
A method, apparatus and device for managing permissions in a blockchain-type ledger are disclosed. With the scheme provided by the embodiments of this specification, when a user creates a ledger, in addition to the administrator user generated for the user identifier according to the user's instruction, a rights management user for managing the user's key is generated at the same time. If the user's first key is lost, a new second key can be re-established through the rights management user, and a new role with certain permissions is created to digitally sign the data records in the ledger with the second key.
Description
Technical Field
The embodiments of this specification relate to the field of information technology, and in particular to a method, apparatus and device for managing permissions in a blockchain-type ledger.
Background
When a centralized database server provides services externally through a blockchain-type ledger, a user generally needs to digitally sign the data records that the user generates, specifically by public-key encryption and private-key decryption, or by private-key encryption and public-key decryption. Concretely, the user needs a certain level of authorization to use the relevant key. If the user's key for the blockchain-type ledger is lost, use of the ledger is greatly affected.
Based on this, a solution is needed that can effectively manage user permissions in a blockchain ledger.
Disclosure of Invention
The embodiment of the application aims to provide a scheme for effectively managing user permissions in a block chain type account book.
In order to solve the above technical problem, the embodiment of the present application is implemented as follows:
A method for managing permissions in a blockchain-type ledger, applied to a centralized database server that stores data in the blockchain-type ledger, comprises:
receiving an instruction for creating a ledger sent by a client, wherein the instruction comprises a user identifier;
creating an initial data block of the blockchain-type ledger, and determining the administrator permission of the user identifier in the blockchain-type ledger;
and acquiring and storing a first key of the user identifier, and generating a rights management user for managing the first key, wherein the first key is used by the user identifier for digital signatures in the blockchain-type ledger, and the first key comprises a first private key and/or a first public key.
Correspondingly, an embodiment of the present specification further provides a permission management apparatus in a blockchain-type ledger, applied to a centralized database server that stores data in the blockchain-type ledger, comprising:
a receiving module, used for receiving an instruction for creating a ledger sent by a client, wherein the instruction comprises a user identifier;
a determining module, used for creating an initial data block of the blockchain-type ledger and determining the administrator permission of the user identifier in the blockchain-type ledger;
and a generation module, used for acquiring and storing a first key of the user identifier, and generating a rights management user for managing the first key, wherein the first key is used by the user identifier for digital signatures in the blockchain-type ledger, and the first key comprises a first private key and/or a first public key.
With the scheme provided by the embodiments of this specification, when a user creates a ledger, in addition to the administrator user generated for the user identifier according to the user's instruction, a rights management user for managing the user's key is generated at the same time. If the user's first key is lost, a new second key can be re-established through the rights management user, and a new role with certain permissions is created to digitally sign the data records in the ledger with the second key, so that effective management of user permissions is realized.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of embodiments of the invention.
In addition, any one of the embodiments in the present specification is not required to achieve all of the effects described above.
Drawings
In order to illustrate the embodiments of the present specification or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some of the embodiments described in this specification, and those skilled in the art can obtain other drawings from them.
Fig. 1 is a schematic flowchart of a method for managing permissions in a blockchain-type ledger according to an embodiment of the present specification;
Fig. 2 is a schematic diagram of a block header of a data block provided in an embodiment of the present specification;
Fig. 3 is a schematic flowchart of a method for generating a data block in a chained ledger according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a rights management apparatus in a blockchain-type ledger provided by an embodiment of the present specification;
Fig. 5 is a schematic structural diagram of an apparatus for configuring a method according to an embodiment of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of protection.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings. As shown in fig. 1, fig. 1 is a schematic flowchart of a method for managing permissions in a block chain type ledger provided in an embodiment of the present specification, and is applied to a centralized database server that stores data in the block chain type ledger, where the process specifically includes the following steps:
S101, receiving an instruction for creating a ledger sent by a client, wherein the instruction comprises a user identifier.
In the database server, the user may send an instruction to create the ledger, for example NEW (LGNAME, Admin, UserID), where LGNAME is the name of the ledger, "Admin" represents the administrator permission specified by the user, and "UserID" is the user identifier that the user designates as having administrator permission in the ledger; it may be an identity card number, a mobile phone number, or a unique client identifier. In the instruction, "UserID" may be a set containing several user identifiers, that is, several users with administrator rights may be specified at the same time in one ledger.
Meanwhile, after the ledger is created, one user identifier may correspond to multiple roles, and those roles may have different levels of permission.
S103, an initial data block of the block chain type account book is created, and the administrator permission of the user identification in the block chain type account book is determined.
On receiving the instruction for creating the ledger, the database server creates a ledger named "LGNAME". In the embodiments of this specification, since the ledger is blockchain-type (that is, a plurality of data blocks are chained in sequence), only one initial data block needs to be created for a newly created ledger at this point. Subsequent data blocks are generated in sequence each time a certain blocking condition is reached.
A data block in the blockchain-type ledger may comprise a block header and a block body. The block body can be used for storing the plaintext of the spliced data, or hash values of the spliced data, and the like; the block header may be used to store metadata about the data block, such as the version number of the ledger, the hash value of the previous data block, the root hash value of the Merkle tree composed of the spliced data in the data block itself, the hash value of the data block itself, a state array for recording the operated state of the spliced data, and the like. Fig. 2 is a schematic diagram of a block header of a data block according to an embodiment of the present disclosure.
After the initial data block is created, the user's subsequent data records may be turned into data blocks as follows, so as to generate the corresponding blockchain-type ledger. Fig. 3 is a schematic flowchart of a data block generation method in a chained ledger provided by an embodiment of this specification, and the flow specifically includes the following steps:
S301, receiving data records to be stored, and determining the hash value of each data record. The data records to be stored here may be various consumption records of individual users of the client, and may also be business results, intermediate states, operation records, and the like generated by the application server when executing business logic based on the user's instructions. Specific business scenarios may include consumption records, audit logs, supply chains, government regulatory records, medical records, and the like.
S303, when the preset blocking condition is reached, determining each data record to be written into the data block, and generating the Nth data block containing the hash value of the data block and the data records.
The preset blocking condition includes: the number of data records to be stored reaches a number threshold, for example, a new data block is generated every time one thousand data records are received, and the one thousand data records are written into the block; or the time interval since the last blocking time reaches a time threshold, for example, a new data block is generated every 5 minutes, and the data records received within those 5 minutes are written into the block.
N here refers to the sequence number of the data block. That is, in the embodiments of this specification, the data blocks are arranged as a block chain, ordered by blocking time, and therefore have a strong temporal ordering. The block height of the data blocks increases monotonically in the order of blocking time. The block height may be a sequence number, in which case the block height of the Nth data block is N; the block height may also be generated in other ways, such as converting the blocking timestamp of the data block into monotonically increasing large-integer data and using that large integer as the block height of the data block.
When N =1, the data block at this time is the initial data block. The hash value and the block height of the initial data block are given based on a preset mode. For example, the initial data block does not contain data records, the hash value is any given hash value, and the block height blknum = 0; for another example, the trigger condition for generation of the initial data block is consistent with the trigger conditions of other data blocks, but the hash value of the initial data block is determined by hashing all of the contents in the initial data block.
When N > 1, since the content and hash value of the previous data block have already been determined, the hash value of the current data block (the Nth data block) may be generated based on the hash value of the previous data block (that is, the (N-1)th data block).
Specifically, the hash value of each data record to be written into the Nth block may be determined, and a Merkle tree may be generated according to the order of the records in the block. The root hash value of the Merkle tree and the hash value of the previous data block may then be concatenated and hashed again to generate the hash value of the current block; the hash value of the current block may also be generated based on the root hash value of the Merkle tree and some other metadata (e.g., the version number, the generation timestamp of the data block, etc.). The data records are written into the block body of the data block, and the root hash is written into the block header of the data block, wherein the block height of the data block increases monotonically in the order of blocking time.
With the above manner of generating data blocks, each data block is identified by a hash value, and the hash value of the data block is determined by the content and order of the data records in the data block and by the hash value of the previous data block. The user can initiate verification at any time based on the hash value of the data block or the hash value of a data record. Modification of any content in the data block (including modification of the content or order of the data records in the data block) makes the hash value of the data block calculated during verification inconsistent with the hash value generated when the data block was created, so that verification fails, and thus tamper resistance is achieved in a centralized setting.
After the user successfully uploads the data, the hash value of the corresponding data record and the hash value of the located data block can be obtained and stored, and integrity verification can be initiated based on the hash values.
The integrity verification comprises integrity verification of a single data block, namely, reconstructing the Merkle tree from the hash values of the data records in the data block, calculating the root hash value of the Merkle tree, recalculating the hash value of the data block from the root hash value of the Merkle tree and the hash value of the previous data block, and comparing it for consistency with the hash value of the data block saved in advance.
The integrity verification may also include integrity verification of several consecutive data blocks, that is, the hash value of each data block is recalculated from the root hash value of the Merkle tree stored in the block header of the data block and the hash value of the previous data block, and compared with the previously stored hash values of the data blocks.
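The block generation and the two integrity checks described above, as an added example that is not part of the patent text. It assumes SHA-256, leaf/node prefix bytes, promotion of an unpaired Merkle node, a count threshold of three records and an all-zero hash for the initial block; all names are illustrative.

```python
import hashlib

GENESIS_HASH = bytes(32)  # assumed "given" hash of the initial data block
BLOCK_THRESHOLD = 3       # assumed count threshold (the page's example is one thousand)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def record_hash(record: bytes) -> bytes:
    # Leaf prefix keeps a record hash from being confused with an inner node.
    return sha256(b"\x00" + record)


def merkle_root(leaf_hashes) -> bytes:
    """Root over the leaves in block order; an unpaired node is promoted as is."""
    if not leaf_hashes:
        return sha256(b"")
    level = list(leaf_hashes)
    while len(level) > 1:
        nxt = [sha256(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def block_hash(root: bytes, prev_hash: bytes) -> bytes:
    # Merkle root concatenated with the previous block's hash, hashed again.
    return sha256(root + prev_hash)


class Ledger:
    def __init__(self):
        # Initial data block: no records, block height 0, preset hash.
        self.blocks = [{"height": 0, "prev": None, "root": None,
                        "hash": GENESIS_HASH, "records": []}]
        self.pending = []

    def append(self, record: bytes) -> bytes:
        """Queue a record, seal a block once the count threshold is reached."""
        self.pending.append(record)
        if len(self.pending) >= BLOCK_THRESHOLD:
            self._seal()
        return record_hash(record)  # receipt the client keeps for later checks

    def _seal(self):
        prev = self.blocks[-1]
        root = merkle_root([record_hash(r) for r in self.pending])
        self.blocks.append({"height": prev["height"] + 1, "prev": prev["hash"],
                            "root": root, "hash": block_hash(root, prev["hash"]),
                            "records": self.pending})
        self.pending = []


def verify_block(block, prev_hash: bytes) -> bool:
    """Single-block check: rebuild the Merkle tree from the block body."""
    root = merkle_root([record_hash(r) for r in block["records"]])
    return block_hash(root, prev_hash) == block["hash"]


def verify_headers(blocks) -> bool:
    """Consecutive-block check: uses only the roots stored in the headers."""
    for prev, blk in zip(blocks, blocks[1:]):
        if blk["prev"] != prev["hash"]:
            return False
        if block_hash(blk["root"], prev["hash"]) != blk["hash"]:
            return False
    return True


def build_sample() -> Ledger:
    # Constructed sample input: six records, sealed into two blocks.
    ledger = Ledger()
    for i in range(6):
        ledger.append(f"record-{i}".encode())
    return ledger
```

The header-only check never reads the block body, so a changed record is caught only by the single-block check; a verifier that needs both properties runs both.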
S105, acquiring and storing the first key of the user identifier, and generating an authority management user for managing the first key.
As described above, the user identifier included in the instruction is treated as the creator of the ledger and is assigned the corresponding administrator permission in that ledger. Specifically, the administrator permission includes at least the rights of query, verification, clearing and hiding, whereas a general user has only query and verification rights and does not have clearing and hiding rights.
In other words, one user identification may correspond to a plurality of users of different rights. Some of the users may be able to use the key and others may not be able to use the key (users with read-only rights).
In the centralized block chain type account book, in order to prevent tampering, the data records uploaded by the user side and any operation performed on the data records are digitally signed by the user side correspondingly. For example, a first key (including a first private key and/or a first public key) is determined for digital signing in the ledger upon creation of an administrator user.
For example, the user first uploads the first public key to the server, which stores it; after that, all data uploaded by the user is encrypted data signed with the first private key, and the server can decrypt the encrypted data uploaded by the user by using the first public key. As another example, when the server returns data, it first encrypts the data with the user's public key to generate encrypted data; the user receives the encrypted data and decrypts it with the private key to obtain the decrypted data, which prevents data leakage and the like.
In this embodiment of the present specification, the following ways for the server to obtain the first key of the user are provided:
First, the user uploads the first public key after obtaining administrator rights, while the first private key is stored locally on the user's side.
Second, after the administrator user is created, a corresponding first public/private key pair is generated in a Trusted Execution Environment (TEE). The TEE acts as a hardware black box: code and data executed in the TEE cannot be inspected even from the operating system layer, and can be operated on only through interfaces defined in advance in the code. The trusted execution environment is a secure extension based on CPU hardware and is completely isolated from the outside. TEE was originally proposed by GlobalPlatform to address the secure isolation of resources on mobile devices, providing a trusted and secure execution environment for applications in parallel with the operating system. ARM's TrustZone technology was the earliest to realize a truly commercial TEE.
With the rapid development of the internet, security requirements keep rising, and mobile devices, cloud devices and data centers all place more demands on the TEE. The concept of the TEE has also developed and expanded rapidly. What is now called a TEE is a more generalized concept than the one originally proposed. For example, server chip manufacturers such as Intel and AMD have successively introduced hardware-assisted TEEs and enriched the concept and characteristics of the TEE, which have gained wide acceptance in the industry. A TEE mentioned today usually refers to such hardware-assisted TEE technology. Unlike the mobile terminal, cloud access is remote and the hardware platform is not visible to the end user, so the first step in using the TEE is to confirm that the TEE is authentic and trustworthy. Current TEE technology therefore introduces a remote attestation mechanism, endorsed by the hardware manufacturer (mainly the CPU manufacturer), which ensures through digital signature technology that a user can verify the state of the TEE. In other words, the results of execution in the TEE can carry a digital signature from the hardware vendor.
Meanwhile, secure resource isolation alone cannot meet all security requirements, so further data privacy protection has also been proposed. Commercial TEEs, including Intel SGX and AMD SEV, also provide memory encryption techniques that confine the trusted hardware to the CPU, so that data on the bus and in memory is ciphertext, preventing snooping by malicious users. For example, TEE technologies such as Intel's Software Guard Extensions (SGX) provide isolated code execution, remote attestation, secure configuration, secure storage of data, and trusted paths for executing code. Applications running in the TEE are protected and are almost impossible for third parties to access.
Taking Intel SGX technology as an example, SGX provides an enclave, that is, an encrypted trusted execution region in memory, whose data the CPU protects from being stolen. With a CPU that supports SGX, the server may allocate a portion of memory as the EPC (Enclave Page Cache) by using newly added processor instructions, and the data in it is encrypted by the Memory Encryption Engine (MEE) inside the CPU. The encrypted content in the EPC is decrypted into plaintext only after entering the CPU. Therefore, with SGX, a user need not trust the operating system, the VMM (Virtual Machine Monitor), or even the BIOS (Basic Input Output System), and only needs to trust the CPU to ensure the execution of the code.
In the embodiments of this specification, a preset key generation algorithm may be executed in the trusted execution environment, with the first private key stored in the TEE, so that only the first public key needs to be disclosed externally. The authenticity of the first key is guaranteed by the hardware provider of the trusted execution environment.
After determining the first key, the server may generate a rights management user for managing the first key, where the rights management user is mainly used as a layer of key rights guarantee provided by the server to the user.
Specifically, the user is unaware of the rights management user, who has only a management function on the user's rights, but no other rights, for example, cannot perform any operation on the data records in the ledger.
Concretely, the rights management user's management function over the first key may include executing functions such as GRANT or create. For example, the server can, through the rights management user, input the instruction GRANT (userid, &v), where v is the user weight value corresponding to the userid; that is, a certain permission value is assigned to a certain user so as to create a new user with certain permissions, and if the weight exceeds a certain value, the new user may be given the right to use the key, so that the user can digitally sign with the key.
As another example, if the user's key is lost, the user may, through the client, send the server an instruction requesting re-authorization of a usable key in the blockchain-type ledger. The server may then, by invoking the rights management user, input the instruction create (userid, pubkey) for that userid in the TEE environment and create a second key pair that the user can use in the ledger, so that the user can digitally sign in the ledger with the second key.
In summary, the generated rights management user may directly or indirectly perform the corresponding creation or authorization for the user's first private key and/or first public key, and create a new second key pair and user authorization, thereby implementing the corresponding rights management.
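The GRANT and create operations described above, modelled as a small reference monitor; this is an added example, not the patent's implementation. The threshold `KEY_USE_WEIGHT`, the administrator weight, the role names and the opaque byte strings standing in for public keys are assumptions.

```python
from dataclasses import dataclass, field

# Permission sets taken from the page: administrators may query, verify,
# clear and hide; general users may only query and verify.
ADMIN_PERMS = frozenset({"query", "verify", "clear", "hide"})
GENERAL_PERMS = frozenset({"query", "verify"})
# The rights management user manages keys and roles and has no data permissions.
MANAGER_PERMS = frozenset({"grant", "create"})

KEY_USE_WEIGHT = 50                # assumed; the page only says "a certain value"
RIGHTS_MANAGER = "rights-manager"  # assumed internal role name


class Denied(Exception):
    """Raised when a role attempts an action it is not authorized for."""


@dataclass
class Role:
    user_id: str
    perms: frozenset
    weight: int = 0


@dataclass
class Ledger:
    name: str
    roles: dict = field(default_factory=dict)  # role name -> Role
    keys: dict = field(default_factory=dict)   # user id -> public keys, oldest first


def new_ledger(name: str, user_id: str, first_pubkey: bytes) -> Ledger:
    """NEW: create the administrator and, alongside it, the rights management user."""
    led = Ledger(name)
    led.roles[f"{user_id}/admin"] = Role(user_id, ADMIN_PERMS, weight=100)
    led.roles[RIGHTS_MANAGER] = Role(RIGHTS_MANAGER, MANAGER_PERMS)
    led.keys[user_id] = [first_pubkey]
    return led


def check(led: Ledger, role_name: str, action: str) -> Role:
    """Every operation goes through this single authorization decision."""
    role = led.roles.get(role_name)
    if role is None or action not in role.perms:
        raise Denied(f"{role_name} may not {action}")
    return role


def grant(led: Ledger, actor: str, role_name: str, user_id: str, weight: int) -> None:
    """GRANT: only the rights management user may create a weighted role."""
    check(led, actor, "grant")
    if user_id not in led.keys:
        raise Denied(f"unknown user {user_id}")
    led.roles[role_name] = Role(user_id, GENERAL_PERMS, weight)


def create(led: Ledger, actor: str, user_id: str, pubkey: bytes) -> None:
    """create: bind a second key to the user; the first key stays on record
    so that records signed with it can still be verified."""
    check(led, actor, "create")
    if user_id not in led.keys:
        raise Denied(f"unknown user {user_id}")
    led.keys[user_id].append(pubkey)


def signing_key(led: Ledger, role_name: str) -> bytes:
    """Return the key a role signs under, or refuse if its weight is too low."""
    role = led.roles.get(role_name)
    if role is None or role.weight <= KEY_USE_WEIGHT:
        raise Denied(f"{role_name} may not use the key")
    return led.keys[role.user_id][-1]
```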
Further, suppose the user's first key (especially the private key) is lost. Since the historical data records in the user's ledger were encrypted with the first key, if the user's historical data records need to be verified, it may happen that they cannot be decrypted without the private key on the user's side.
To address this, since the first key may be generated in the TEE environment, the administrator user of the user identifier and the created rights management user may be associated with each other when the TEE generates the first key. Then, even if the first private key of the administrator user corresponding to the user identifier is lost, the first private key still has an association with the rights management user in the TEE, and if the user needs to verify the historical data, the rights management user may be invoked to perform decryption and verification in the TEE.
After the verification is completed, the server digitally signs the verification result, so that even though the user can no longer decrypt the historical data records during verification, the verification result of the historical data records carries the server's signature endorsement, which guarantees the authenticity and usability of the user's historical data records.
With the scheme provided by the embodiments of this specification, when a user creates a ledger, in addition to the administrator user generated for the user identifier according to the user's instruction, a rights management user for managing the user's key is generated at the same time. If the user's first key is lost, a new second key can be re-established through the rights management user, and a new role with certain permissions is created to digitally sign the data records in the ledger with the second key, so that effective management of user permissions is realized.
Correspondingly, an embodiment of the present specification further provides an authority management device in a block chain type account book, which is applied to a centralized database server that stores data through the block chain type account book, as shown in fig. 4, fig. 4 is a schematic structural diagram of the authority management device in the block chain type account book provided in the embodiment of the present specification, and the authority management device includes:
the receiving module 401 receives an instruction for creating an account book sent by a client, where the instruction includes a user identifier;
the determining module 403 is configured to create an initial data block of a block chain type account book, and determine administrator permission of the user identifier in the block chain type account book;
the generating module 405 obtains and stores a first key of the user identifier, and generates an authority management user for managing the first key, where the first key is used for the user identifier to perform digital signature in the block chain ledger, and the first key includes a first private key and/or a first public key.
Further, the generating module 405 creates and obtains a first key associated with the user identifier in a trusted execution environment of the server; or receiving a first public key sent by the client.
Further, the apparatus further includes a creating module 407, configured to receive an instruction sent by the client to request authorization in the block chained ledger; and calling the authority management user, and recreating a second secret key associated with the user identification in the block chained account book.
Further, the apparatus further includes a verification module 409, which invokes the rights management user to verify the data record containing the first private key signature in the block chained account book.
Further, the apparatus further includes a data block generating module 411, which receives a data record to be stored sent by a user and determines a hash value of the data record; when a preset blocking condition is reached, it determines each data record to be written into the data block and generates an Nth data block containing the hash value of the data block and the data records:
when N = 1, the hash value and the block height of the initial data block are given based on a preset mode;
and when N is greater than 1, the hash value of the Nth data block is determined according to the hash values of the data records to be written into the data block and the hash value of the (N-1)th data block, and the Nth data block comprising the hash value of the Nth data block and the data records is generated, wherein the block height of the data blocks increases monotonically in the order of the blocking time.
Further, the preset blocking condition in the apparatus includes: the number of data records to be stored reaches a number threshold; or the time interval since the last blocking time reaches a time threshold.
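The block generation rule and the two blocking conditions described above can be sketched as follows. This is an added example, not code from the patent; SHA-256, the dictionary block layout, the `Ledger` and `first_invalid_block` names, the genesis constant and the threshold values are all assumptions made for illustration.

```python
import hashlib
import time

# Assumption: the "preset mode" for the initial block is a fixed constant.
GENESIS_HASH = hashlib.sha256(b"constructed-genesis").hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_digest(prev_hash: str, record_hashes: list) -> str:
    # Hash of block N covers the hash of block N-1 and every record hash in N.
    # All inputs are fixed-length hex digests, so concatenation is unambiguous.
    return sha256_hex((prev_hash + "".join(record_hashes)).encode())


class Ledger:
    def __init__(self, count_threshold=3, time_threshold=1.0, clock=time.monotonic):
        self.count_threshold = count_threshold
        self.time_threshold = time_threshold
        self.clock = clock
        # N = 1: hash and block height of the initial block are preset.
        self.blocks = [{"height": 0, "records": [], "record_hashes": [],
                        "hash": GENESIS_HASH}]
        self.pending = []
        self.last_block_time = clock()

    def submit(self, record: bytes) -> str:
        """Queue a record to be stored and return its hash."""
        record_hash = sha256_hex(record)
        self.pending.append((record, record_hash))
        self.maybe_seal()
        return record_hash

    def maybe_seal(self) -> bool:
        """Generate block N if either preset blocking condition is reached."""
        by_count = len(self.pending) >= self.count_threshold
        by_time = self.clock() - self.last_block_time >= self.time_threshold
        if not self.pending or not (by_count or by_time):
            return False
        prev = self.blocks[-1]
        hashes = [h for _, h in self.pending]
        self.blocks.append({"height": prev["height"] + 1,
                            "records": [r for r, _ in self.pending],
                            "record_hashes": hashes,
                            "hash": block_digest(prev["hash"], hashes)})
        self.pending = []
        self.last_block_time = self.clock()
        return True


def first_invalid_block(blocks):
    """Return the height of the first block that fails verification, else None."""
    if blocks[0]["hash"] != GENESIS_HASH:
        return blocks[0]["height"]
    for prev, blk in zip(blocks, blocks[1:]):
        ok = (blk["height"] > prev["height"]
              and [sha256_hex(r) for r in blk["records"]] == blk["record_hashes"]
              and blk["hash"] == block_digest(prev["hash"], blk["record_hashes"]))
        if not ok:
            return blk["height"]
    return None
```

In this sketch the time condition is only evaluated when `maybe_seal` is called, so a server would also call it from a timer. Because each block hash covers the previous one, rewriting a stored record and recomputing its own block hash is still caught at the following block.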
Embodiments of the present specification further provide a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the rights management method shown in fig. 1.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure, where the computing device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification also provide a computer-readable storage medium on which a computer program is stored, where the computer program is executed by a processor to implement the rights management method shown in fig. 1.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, methods, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, as for the device embodiment, since it is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to the corresponding description of the method embodiment for relevant points. The above-described method embodiments are merely illustrative, wherein the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more pieces of software and/or hardware when implementing the embodiments of the present specification. Some or all of the modules can also be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific implementation of the embodiments of the present disclosure. It should be noted that those skilled in the art can make a number of modifications and refinements without departing from the principle of the embodiments of the present disclosure, and these modifications and refinements should also be regarded as falling within the protection scope of the embodiments of the present disclosure.
Claims (7)
1. A method for managing authority in a block chain type account book is applied to a centralized database server side for storing data through the block chain type account book, and comprises the following steps:
receiving an instruction for creating an account book sent by a client, wherein the instruction comprises a user identifier;
creating an initial data block of a block chain type account book, and determining the administrator authority of the user identification in the block chain type account book; the user corresponding to the user identification is an account book management user;
creating and acquiring a first key associated with the user identifier in a trusted execution environment of the database server, storing the first key, and generating an authority management user for managing the first key, wherein the first key is used for the ledger administration user to digitally sign in the block chain ledger, the first key comprises a first private key and/or a first public key, the authority management user only has a management function on the user authority, and the authority management user is not the same user as the ledger administration user;
after the first key of the account book management user is lost, receiving an instruction which is sent by a client and requests authorization in the block chain type account book, calling the authority management user, and recreating a second key associated with the user identifier in the trusted execution environment, wherein the second key is used for the account book management user to digitally sign in the account book;
and calling the authority management user, and verifying the historical data record contained in the block chain type account book in the trusted execution environment, wherein the historical data is the historical data which needs to be decrypted by using the lost first key.
2. The method of claim 1, wherein in the block-chained ledger, a data block is generated by:
receiving a data record to be stored sent by a user, and determining a hash value of the data record;
when a preset blocking condition is reached, determining each data record to be written into the data block, and generating an Nth data block containing the hash value of the data block and the data record:
when N is 1, the hash value and the block height of the initial data block are given based on a preset mode;
and when N is greater than 1, determining the hash value of the Nth data block according to the hash values of the data records to be written in the data block and the (N-1)th data block, and generating the Nth data block comprising the hash value of the Nth data block and the data records, wherein the block height of the data block is monotonically increased based on the sequence of the blocking time.
3. The method of claim 2, the preset blocking condition comprising:
the number of data records to be stored reaches a number threshold; or,
the time interval from the last blocking instant reaches a time threshold.
4. An authority management device in a block chain type account book, applied to a centralized database server side for storing data through the block chain type account book, comprising:
the receiving module is used for receiving an instruction for creating an account book sent by a client, wherein the instruction comprises a user identifier;
the determining module is used for creating an initial data block of a block chain type account book and determining the administrator authority of the user identification in the block chain type account book; the user corresponding to the user identification is an account book management user;
the generation module is used for creating and acquiring a first secret key associated with the user identifier in a trusted execution environment of the database server and storing the first secret key, and generating an authority management user for managing the first secret key, wherein the first secret key is used for the ledger management user to digitally sign in the block chain ledger, the first secret key comprises a first private key and/or a first public key, the authority management user only has a management function on the user authority, and the authority management user and the ledger management user are not the same user;
the creating module is used for receiving an instruction which is sent by a client and requests authorization in the block chain type account book after a first key of the account book management user is lost, calling the authority management user, and re-creating a second key which is associated with the user identifier in the trusted execution environment, wherein the second key is used for the account book management user to digitally sign in the account book;
and the verification module is used for calling the authority management user and verifying the historical data record contained in the block chain type account book in the trusted execution environment, wherein the historical data is the historical data which needs to be decrypted by using the lost first key.
5. The apparatus of claim 4, further comprising a data block generation module to: receiving a data record to be stored sent by a user, and determining a hash value of the data record; when a preset blocking condition is reached, determining each data record to be written into the data block, and generating an Nth data block containing the hash value of the data block and the data record:
when N is 1, the hash value and the block height of the initial data block are given based on a preset mode;
and when N is greater than 1, determining the hash value of the Nth data block according to the hash values of the data records to be written in the data block and the (N-1)th data block, and generating the Nth data block comprising the hash value of the Nth data block and the data records, wherein the block height of the data block is monotonically increased based on the sequence of the blocking time.
6. The apparatus of claim 5, the preset blocking condition comprising: the number of data records to be stored reaches a number threshold; or, the time interval from the last blocking time reaches a time threshold.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 3 when executing the program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010039770.2A CN110851851B (en) | 2020-01-15 | 2020-01-15 | Authority management method, device and equipment in block chain type account book |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110851851A CN110851851A (en) | 2020-02-28 |
CN110851851B true CN110851851B (en) | 2020-11-06 |
Family
ID=69610736
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010039770.2A Active CN110851851B (en) | 2020-01-15 | 2020-01-15 | Authority management method, device and equipment in block chain type account book |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110851851B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20200702 Address after: Unit 02, 20 / F, block a, building 4, Lane 838, Huangpi South Road, Huangpu District, Shanghai 200025 Applicant after: Ant blockchain Technology (Shanghai) Co., Ltd Address before: 801-11, Section B, 8th floor, No. 556, Xixi Road, Xihu District, Hangzhou City, Zhejiang Province Applicant before: Alipay (Hangzhou) Information Technology Co.,Ltd. |
GR01 | Patent grant | ||