CN-114239046-B - Data sharing method
Abstract
The application relates to a data sharing method. A first security domain responds to a data access request of an access user by performing cross-domain security verification on the access user. If the cross-domain security verification of the access user passes, decryption information of a target data file is sent to the access user; the decryption information is used for instructing the access user to decrypt encrypted data of the target data file to obtain the target data file. The access user is a user in a second security domain, and the first security domain and the second security domain are different security domains. The method enables cross-domain sharing of data, ensures security and privacy during cross-domain data sharing, and supports tracking and tracing during data sharing.
Inventors
- CHEN JUN
- LI TAO
- QIAN ZHENGHAO
- LIU YE
- PEI QIUGEN
- PENG ZEWU
Assignees
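- Guangdong Power Grid Co., Ltd. (广东电网有限责任公司)
- China Southern Power Grid Digital Grid Group Co., Ltd. (南方电网数字电网集团有限公司)
- China Southern Power Grid Digital Grid Research Institute Co., Ltd. (南方电网数字电网研究院有限公司)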
Dates
- Publication Date: 20260421
- Application Date: 20211102
- Priority Date: 20211102
Claims (10)
- 1. A data sharing method, the method comprising: a first security domain, in response to a data access request of an access user, performs cross-domain security verification on the access user, wherein the data access request is used for requesting access to a target data file stored in the first security domain, the access user is a user in a second security domain, and the first security domain and the second security domain are different security domains; if the cross-domain security verification of the access user passes, decryption information of the target data file is sent to the access user, wherein the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file; wherein the cross-domain security verification of the access user comprises: the identity authentication server of the first security domain performs identity authentication on the access user, and after the identity authentication passes, the data access request is sent to a cross-domain alliance chain to instruct the cross-domain alliance chain to generate cross-domain access credentials and routing information of the access user and to send the cross-domain access credentials to the access user; the access control center of the first security domain receives the cross-domain access credential and the data access request uploaded by the access user through a communication channel, wherein the communication channel is established for the access user according to the routing information; if the cross-domain verification of the access user passes, acquiring an attribute private key of the access user; and if the attribute private key of the access user matches the shared ciphertext preconfigured in the first security domain, sending the decryption information of the target data file to the access user.
- 2. The method of claim 1, wherein the decryption information comprises at least an encryption key, a hash value of the target data file, an attribute private key of the access user, and a public parameter of the first security domain.
- 3. The method according to claim 1 or 2, wherein before obtaining the attribute private key of the access user, the method further comprises: according to the data access request of the access user, the access control center of the first security domain searches a cross-domain alliance chain for the pre-stored cross-domain access credentials of the access user; comparing the pre-stored cross-domain access credentials with the cross-domain access credentials of the access user acquired by the first security domain; and if the comparison results are consistent, determining that the cross-domain verification of the access user has passed.
- 4. The method according to claim 1 or 2, wherein obtaining the attribute private key of the access user comprises: the key management center of the first security domain obtains the cross-domain attribute of the access user; and the key management center of the first security domain generates an attribute private key of the access user according to the cross-domain attribute of the access user and a master key preset by the first security domain.
- 5. The method according to claim 1 or 2, wherein the method further comprises: the access control center of the first security domain generates a search keyword trapdoor according to the attribute private key and the search keyword of the access user; the access control center of the first security domain matches the search keyword according to the search keyword trapdoor and the shared ciphertext in the first security domain; and if the matching result meets the preset condition, determining the shared ciphertext of the attribute private key of the access user and the target data file in the first security domain.
- 6. The method according to claim 1 or 2, wherein the process of decrypting the encrypted data of the target data file by the access user comprises: when the hash value of the target data file is consistent with the hash value pre-stored in the local alliance chain in the first security domain, the access user decrypts the encrypted data file of the target data file according to the decrypted encryption key to obtain the target data file, wherein the decrypted encryption key is determined by the access user according to the public parameter of the first security domain, the attribute private key and the encryption key.
- 7. The method according to claim 1 or 2, wherein the storing of the target data file in the first security domain comprises: the first security domain responds to a data storage request and stores encrypted data carried in the data storage request, wherein the encrypted data is generated by a storage user according to a data file to be stored.
- 8. The method according to claim 7, wherein the encrypted data includes at least an access structure of the data file to be stored, a keyword ciphertext, an encrypted data file, a hash value of the encrypted data file, and signature information of the storage user; the encrypted data is obtained by the storage user through an encryption operation, wherein the encryption operation comprises the following steps: generating file keywords and an access structure according to the data file to be stored; obtaining a keyword ciphertext according to the public parameters of the first security domain, the file keywords and the access structure; generating the encrypted data file and a hash value of the encrypted data file according to the data file to be stored and a preset key; and obtaining an encryption key according to the preset key, the public parameter and the access structure.
- 9. The method of claim 8, wherein storing the encrypted data carried in the data storage request comprises: the first security domain sends the encrypted data file to a shared cloud platform of the first security domain for storage, and sends the encrypted data to a local alliance chain of the first security domain in a preset format; after the smart contract is triggered, the alliance chain of the first security domain stores the encrypted data file into the local alliance chain of the first security domain.
- 10. A data sharing apparatus, the apparatus comprising: a response module, used for a first security domain to respond to a data access request of an access user and perform cross-domain security verification on the access user; a decryption module, used for sending decryption information of the target data file to the access user if the cross-domain security verification of the access user passes, wherein the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file; wherein the response module comprises: a first acquisition unit, used for the identity authentication server of the first security domain to perform identity verification on the access user, and after the identity verification passes, the data access request is sent to a cross-domain alliance chain to instruct the cross-domain alliance chain to generate cross-domain access credentials and routing information of the access user and to send the cross-domain access credentials to the access user; the first acquisition unit is further configured to receive, by using an access control center of the first security domain, the cross-domain access credential and the data access request uploaded by the access user through a communication channel, where the communication channel is established by the access user according to the routing information; a second acquisition unit, used for acquiring the attribute private key of the access user if the cross-domain verification of the access user passes; and a decryption unit, used for sending the decryption information of the target data file to the access user if the attribute private key of the access user matches the shared ciphertext preconfigured in the first security domain.
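The credential comparison of claim 3 and the hash check of claim 6, as an added example that is not part of the patent text. The alliance chain (a consortium blockchain) is replaced by an in-memory dictionary; the credential format (32 random bytes bound to one user and one request), SHA-256 computed over the encrypted file, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """In-memory stand-in for the alliance chain records (assumption, not a blockchain)."""

    def __init__(self):
        self.credentials = {}  # (user_id, request_id) -> credential bytes
        self.file_hashes = {}  # file_id -> SHA-256 hex digest of the encrypted file

    def issue_credential(self, user_id, request_id):
        # Hypothetical credential format: 32 random bytes bound to one request.
        cred = secrets.token_bytes(32)
        self.credentials[(user_id, request_id)] = cred
        return cred

    def record_file(self, file_id, encrypted_blob):
        self.file_hashes[file_id] = hashlib.sha256(encrypted_blob).hexdigest()

def cross_domain_verified(ledger, user_id, request_id, presented):
    """Claim 3: compare the presented credential with the one stored on the chain."""
    stored = ledger.credentials.get((user_id, request_id))
    if stored is None or not isinstance(presented, (bytes, bytearray)):
        return False  # unknown user/request or malformed input fails closed
    return hmac.compare_digest(stored, bytes(presented))  # constant-time compare

def hash_matches_chain(ledger, file_id, encrypted_blob):
    """Claim 6: decrypt only if the file hash equals the value stored on the chain."""
    expected = ledger.file_hashes.get(file_id)
    if expected is None:
        return False
    actual = hashlib.sha256(encrypted_blob).hexdigest()
    return hmac.compare_digest(expected, actual)

def demo():
    ledger = Ledger()
    blob = b"constructed ciphertext bytes"  # constructed sample, not real ciphertext
    ledger.record_file("file-1", blob)
    user = "user-b@domain2"  # constructed identifier for a second-domain user
    cred = ledger.issue_credential(user, "req-1")
    return {
        "valid": cross_domain_verified(ledger, user, "req-1", cred),
        "other_request": cross_domain_verified(ledger, user, "req-2", cred),
        "forged": cross_domain_verified(ledger, user, "req-1", b"\x00" * 32),
        "intact_file": hash_matches_chain(ledger, "file-1", blob),
        "tampered_file": hash_matches_chain(ledger, "file-1", blob + b"\x00"),
    }
```

Both checks fail closed: a credential presented for a request it was not issued for, or a ciphertext whose digest differs from the recorded one, is rejected before any key material is released or used.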
Description
Data sharing method

Technical Field

The application relates to the field of data processing, in particular to a data sharing method.

Background

Data sharing can provide reliable and credible data support for visual analysis of current power grid problems, intelligent preparation of planning schemes and the like, or use data to accelerate the incubation and launch of external service products. For data sharing, the method in the related art adopts a centralized manner, that is, an intermediate agent sends all data to a unified sharing platform, and the method requires that the intermediate agent be absolutely trusted. However, the centralized manner of sharing data in the related art may cause the data to be insecure and easily leaked in the sharing process.

Disclosure of Invention

In view of the foregoing, it is desirable to provide a data sharing method that can improve security in the data sharing process and effectively prevent privacy disclosure.

In a first aspect, an embodiment of the present application provides a data sharing method, where the method includes: a first security domain, in response to a data access request of an access user, performs cross-domain security verification on the access user, wherein the data access request is used for requesting access to a target data file stored in the first security domain, and the access user is a user in a second security domain; and if the cross-domain security verification of the access user passes, transmitting decryption information of the target data file to the access user, wherein the decryption information is used for instructing the access user to decrypt the encrypted data of the target data file to obtain the target data file.
In one embodiment, cross-domain security verification of an access user includes: the first security domain acquires a cross-domain access credential and a data access request of an access user; if the cross-domain verification of the access user passes, acquiring an attribute private key of the access user; and if the attribute private key of the access user matches the shared ciphertext preconfigured in the first security domain, transmitting decryption information of the target data file to the access user, wherein the decryption information at least comprises an encryption key, a hash value of the target data file, the attribute private key of the access user and public parameters of the first security domain.

In one embodiment, the first security domain obtaining cross-domain access credentials and a data access request of an access user includes: the identity authentication server of the first security domain performs identity authentication on the access user, and after the identity authentication passes, a data access request is sent to a cross-domain alliance chain to instruct the cross-domain alliance chain to generate cross-domain access credentials and routing information of the access user and to send the cross-domain access credentials to the access user; the access control center of the first security domain receives the cross-domain access credential and the data access request uploaded by the access user through the communication channel, wherein the communication channel is established for the access user according to the routing information.
In one embodiment, before obtaining the attribute private key of the access user, the method further comprises: according to the data access request of the access user, the access control center of the first security domain searches a cross-domain alliance chain for the pre-stored cross-domain access credentials of the access user; comparing the pre-stored cross-domain access credentials with the cross-domain access credentials of the access user acquired by the first security domain; and if the comparison results are consistent, determining that the cross-domain verification of the access user has passed.

In one embodiment, obtaining the attribute private key of the access user includes: the key management center of the first security domain acquires the cross-domain attribute of the access user; and the key management center of the first security domain generates an attribute private key of the access user according to the cross-domain attribute of the access user and a master key preset in the first security domain.

In one embodiment, the method further comprises: the access control center of the first security domain generates a search keyword trapdoor according to the attribute private key and the search keyword of the access user; the access control center of the first security domain matches the search keywords according to the search keyword trapdoor and the shared ciphertext in the first security domain; and if the matching result meets the preset condition, determining the shared ciphertext of the attribute private key of the access user and the target data file in the first secu