CN-121984668-A - Data security sharing method, device, equipment, medium and product

Abstract

The application provides a data security sharing method, a device, equipment, a medium and a product, which comprise the steps of acquiring an on-chain identity credential of a data requester from a blockchain and extracting a public key and an authority level thereof; and then, performing a plurality of key encapsulation operations in advance to generate a plurality of key encapsulation results, thereby constructing a pre-encapsulation key pool. When a data access request is received, a target key packaging result is selected from a key pool, and a structured access token is dynamically constructed according to a target shared key and the authority level of a requester. And sending the token and the target encapsulation ciphertext to a data requester, generating and sending a data ciphertext, and decrypting the data ciphertext by the data requester to obtain shared data by combining the received token and the encapsulation ciphertext. By fusing the blockchain identity verification, the pre-calculation key encapsulation and the structured token mechanism, fine-granularity and dynamically adjustable security access control is realized while the security is ensured and the multiparty data sharing efficiency is improved.

Inventors

• YU XIAOJIE
• ZHOU XIAOYANG
• LIU YUANYUAN
• QIAN YI
• WANG ZIKAI

Assignees

• 中国移动紫金(江苏)创新研究院有限公司
• 中国移动通信集团江苏有限公司
• 中国移动通信集团有限公司

Dates

Publication Date

20260505

Application Date

20260129

Claims (16)

1. 1. A method of secure sharing of data, the method being applied to a data owner, the method comprising: acquiring an on-chain identity credential of a data requester from a blockchain, and extracting a public key and a permission level of the data requester from the on-chain identity credential; Executing a plurality of key encapsulation operations in advance based on the public key to generate a plurality of key encapsulation results, and forming a pre-encapsulation key pool based on the key encapsulation results, wherein the key encapsulation results comprise encapsulation ciphertext and a corresponding shared key; Receiving a data access request sent by the data requester, responding to the data access request, selecting a target key encapsulation result from the pre-encapsulation key pool, constructing a structured access token according to a target shared key in the target key encapsulation result and the authority level, and sending the structured access token and a target encapsulation ciphertext in the target key encapsulation result to the data requester; The method comprises the steps of obtaining pre-stored data to be shared, encrypting the data to be shared according to the target shared secret key to obtain a data ciphertext, and sending the data ciphertext to a data requester, wherein the data requester is used for decrypting the data ciphertext according to the structured access token and the target encapsulation ciphertext to obtain the data to be shared.
2. 2. The method of claim 1, wherein performing a plurality of key encapsulation operations in advance based on the public key, generating a plurality of key encapsulation results, and forming a pre-encapsulated key pool based on a plurality of the key encapsulation results, comprises: Based on the public key, a quantum key encapsulation mechanism is called to execute multiple rounds of key encapsulation operation, and multiple key encapsulation results are generated; Generating a unique identifier for each key encapsulation result, setting an initial value of a use state mark of the shared key as unused, setting expiration time of the shared key, and taking the unique identifier, the use state mark and the expiration time as metadata of the key encapsulation result; And caching each key encapsulation result and the corresponding metadata to a local storage to form the pre-encapsulation key pool.
3. 3. The method of claim 1, wherein selecting a target key encapsulation result from the pre-encapsulation key pool, and constructing a structured access token from a target shared key in the target key encapsulation result and the permission level, comprises: Traversing the pre-packaged key pool, and screening key packaging results with unused use state marks according to the use state marks in the metadata corresponding to each key packaging result to obtain an available key packaging result set; Selecting any one from the available key encapsulation result set as the target key encapsulation result, and updating a use state mark in the metadata corresponding to the target key encapsulation result to be used; Generating a token unique identifier for the structured access token according to the authority level, and taking the current time as a time stamp; Splicing the target shared secret key, the token unique identifier, the time stamp and the authority level, and then executing hash operation to obtain a token hash value; determining the value of a delegation authorization identification field according to a preset delegation authorization policy; And packaging the unique token identifier, the authority level, the timestamp, the token hash value, the delegated authority identifier field and the target packaging ciphertext into the structured access token.
4. 4. The method of claim 3, wherein after sending the structured access token and the target encapsulated ciphertext to the data requestor, the method further comprises: Receiving a sub-token deriving request sent by the data requesting party, wherein the sub-token deriving request carries a token unique identifier and an authorization strategy of the structured access token; Inquiring the structured access token according to the token unique identifier, reading the delegated authorization identifier field from the structured access token, and judging whether the value of the delegated authorization identifier field is allowable delegation; if the value of the delegation authorization identification field is the permission delegation, acquiring a permission level from the structured access token, and determining the permission range of the structured access token according to the permission level; Determining a sub-authority range in the authority range according to the authorization strategy, wherein the sub-authority range is a subset of the authority range; Generating a child token based on the child authority range, setting a parent token identification field in the child token, and writing the unique token identification of the structured access token into the parent token identification field. The parent token identification field is used for recording the derived source of the child token, and writing the unique token identification of the structured access token into the parent token identification field; Setting an initial authorization state as a valid state for the child token, and recording the initial authorization state of the child token and the parent token identification field into a blockchain to form a token authorization chain between the child token and the structured access token; and sending the sub-token to the data requester, wherein the data requester is used for forwarding the sub-token to an authorized party.
5. 5. The method of claim 4, wherein determining a sub-scope of rights within the scope of rights according to the authorization policy comprises at least one of: extracting a field-level access control parameter from the authorization policy under the condition that the field-level access control parameter is contained in the authorization policy, screening a sub-accessible field set from accessible field sets corresponding to the authority range according to the field-level access control parameter, and taking the sub-accessible field set as a field dimension constraint of the sub-authority range; Under the condition that the authorization policy comprises an timeliness limiting parameter, extracting the timeliness limiting parameter from the authorization policy, determining the effective starting time and the effective expiration time of the sub-token according to the timeliness limiting parameter, and taking the effective starting time and the effective expiration time as time dimension constraint of the sub-permission range; Under the condition that the authorization policy contains access frequency control parameters, extracting the access frequency control parameters from the authorization policy, setting the maximum accessible times of the sub-tokens according to the access frequency control parameters, and taking the maximum accessible times as the frequency dimension constraint of the sub-permission range; Extracting an environment binding parameter from the authorization policy under the condition that the environment binding parameter is contained in the authorization policy, limiting the sub-token to only take effect under a specified device identifier or network address according to the environment binding parameter, and taking the specified device identifier or network address as an environment dimension constraint of the sub-authority range; and under the condition that the authorization policy comprises a usage binding parameter, extracting the usage binding parameter from the authorization policy, limiting the allowed operation type of the sub-token according to the usage binding parameter, and restricting the allowed operation type as a usage dimension of the sub-authority range.
6. 6. The method of claim 4, wherein after forming a token authorization chain between the sub-token and the structured access token, the method further comprises: receiving a cancellation request for a target token sent by the data requesting party or the authorized party, and extracting a token identifier to be cancelled and a cancellation reason from the cancellation request, wherein the target token is the structured access token or the sub-token; inquiring the target token corresponding to the token identifier to be revoked from the blockchain according to the token identifier to be revoked, and acquiring the current authorization state of the target token; Updating the current authorization state of the target token into a revocation state, acquiring the current time as the revocation time, and writing the revocation time and the revocation reason into a blockchain to form a revocation record; According to the parent token identification field in the token authorization chain, recursively traversing the parent token identification field by taking the token to be revoked as a starting point, and determining all subordinate tokens taking the target token as a derivative source; Synchronously updating the authorization states of all the lower tokens obtained through traversing into cancellation states, and respectively generating corresponding cancellation records for each lower token and writing the cancellation records into a blockchain.
7. 7. The method of any of claims 1-6, wherein, in the event that there are multiple data requesters, sending the data ciphertext to the data requesters comprises: Acquiring user identification lists of a plurality of data requesters, inquiring on-chain identity credentials corresponding to each data requester from the blockchain according to the user identification lists, and respectively extracting public keys of each data requester from each on-chain identity credential to form a public key set; Obtaining a locally stored private key, traversing the public key set, and generating a corresponding re-encryption key according to the private key and the public key aiming at each public key in the public key set to obtain a re-encryption key set; traversing the re-encryption key set, and aiming at each re-encryption key in the re-encryption key set, executing proxy re-encryption conversion operation on the data ciphertext to generate a decryptable ciphertext of a data requester corresponding to the re-encryption key; And respectively sending the generated decryptable ciphertext to a corresponding data requester.
8. 8. A method of secure sharing of data, the method being applied to a data requestor, the method comprising: Generating a key pair based on a key generation algorithm of a post quantum key encapsulation mechanism, wherein the key pair comprises a public key and a private key, and storing the private key to a local place; Determining the authority level of an application, generating a registration request according to the public key and the authority level, and sending the registration request to an authorization center, wherein the authorization center distributes an anonymous identity for the data requesting party and records the binding relationship among the anonymous identity, the authority level and the public key as an on-chain identity credential to a blockchain; generating a data access request and sending the data access request to a data owner; receiving a structured access token and a target encapsulation ciphertext returned by the data owner; And obtaining the private key from the local, performing unpacking operation on the target encapsulation ciphertext according to the private key to obtain a target shared key, receiving the data ciphertext sent by the data owner, and decrypting the data ciphertext according to the target shared key to obtain data to be shared.
9. 9. The method of claim 8, wherein obtaining the private key locally, and performing an unpacking operation on the target packed ciphertext according to the private key to obtain the target shared key comprises: extracting a token hash value, a token unique identifier, a time stamp and authority information corresponding to the authority level from the structured access token; performing deblocking operation on the target encapsulation ciphertext according to the private key to obtain a candidate shared key; splicing the candidate shared key, the unique token identifier, the time stamp and the authority information, and then executing hash operation to obtain a verification hash value; Judging whether the verification hash value is consistent with the extracted token hash value or not; And if the verification hash value is consistent with the token hash value, determining that the structured access token is valid and not tampered, and taking the candidate shared key as the target shared key.
10. 10. The method of claim 9, wherein after receiving the structured access token returned by the data owner and the target package ciphertext, the method further comprises: reading a delegation authorization identification field from the structured access token, and judging whether the value of the delegation authorization identification field is a delegation permission or not; Determining an authorized party to be authorized, and determining a sub-authority range to be granted to the authorized party in the authority range, wherein the sub-authority range is a subset of the authority range; generating an authorization policy according to the sub-authority range, wherein the authorization policy is used for describing constraint conditions of the sub-authority range; combining the token unique identification with the authorization policy to generate a sub-token derived request; transmitting the sub-token derived request to the data owner, wherein the data owner is used for generating a sub-token according to the sub-token derived request; And receiving the sub-token returned by the data owner, determining the receiving address of the authorized party, and sending the sub-token to the authorized party according to the receiving address, wherein the authorized party is used for requesting data access from the data owner based on the sub-token.
11. 11. The method of claim 10, wherein after transmitting the sub-token to the authorized party according to the received address, the method further comprises: determining a target token to be revoked in case that the structured access token or the sub-token needs to be revoked; Extracting a token unique identifier from the target token, and taking the extracted token unique identifier as a token identifier to be revoked; determining a cancellation reason of the target token, and combining the token identifier to be cancelled with the cancellation reason to generate a cancellation request; And sending the cancellation request to the data owner, wherein the data owner is used for updating the authorization state of the target token into the cancellation state according to the cancellation request and synchronously updating the authorization states of all lower tokens taking the target token as a derivative source into the cancellation state.
12. 12. A data security sharing apparatus, the apparatus being applied to a data owner, the apparatus comprising: the acquisition module is used for acquiring an on-chain identity credential of the data requester from the blockchain and extracting a public key and a permission level of the data requester from the on-chain identity credential; The first execution module is used for executing multiple rounds of key encapsulation operation in advance based on the public key, generating a plurality of key encapsulation results and forming a pre-encapsulation key pool based on the key encapsulation results, wherein the key encapsulation results comprise encapsulation ciphertext and a corresponding shared key; Receiving a data access request sent by the data requester, responding to the data access request, selecting a target key encapsulation result from the pre-encapsulation key pool, constructing a structured access token according to a target shared key in the target key encapsulation result and the authority level, and sending the structured access token and a target encapsulation ciphertext in the target key encapsulation result to the data requester; The method comprises the steps of obtaining pre-stored data to be shared, encrypting the data to be shared according to the target shared secret key to obtain a data ciphertext, and sending the data ciphertext to a data requester, wherein the data requester is used for decrypting the data ciphertext according to the structured access token and the target encapsulation ciphertext to obtain the data to be shared.
13. 13. A data security sharing apparatus, the apparatus being applied to a data requester, the apparatus comprising: The generation module is used for generating a key pair based on a key generation algorithm of a post quantum key encapsulation mechanism, wherein the key pair comprises a public key and a private key, and the private key is stored locally; The second execution module is used for determining the authority level of the application, generating a registration request according to the public key and the authority level, and sending the registration request to an authorization center, wherein the authorization center distributes anonymous identity identifiers for the data requesting party and records the binding relation among the anonymous identity identifiers, the authority level and the public key as an on-chain identity credential to a blockchain; generating a data access request and sending the data access request to a data owner; receiving a structured access token and a target encapsulation ciphertext returned by the data owner; And obtaining the private key from the local, performing unpacking operation on the target encapsulation ciphertext according to the private key to obtain a target shared key, receiving the data ciphertext sent by the data owner, and decrypting the data ciphertext according to the target shared key to obtain data to be shared.
14. 14. A network device comprising a processor, a memory and a program stored on the memory and executable on the processor, the program implementing the steps of a data security sharing method according to any one of claims 1 to 7 when executed by the processor or the steps of a data security sharing method according to any one of claims 8 to 11 when executed by the processor.
15. 15. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of a data security sharing method according to any of claims 1 to 7 or which, when executed by the processor, implements the steps of a data security sharing method according to any of claims 8 to 11.
16. 16. A computer program product comprising computer instructions which when executed by the processor implement the steps of a data security sharing method as claimed in any one of claims 1 to 7, or which when executed by the processor implement the steps of a data security sharing method as claimed in any one of claims 8 to 11.

Description

Data security sharing method, device, equipment, medium and product Technical Field The embodiment of the application relates to the technical field of Block Chain (Block Chain), in particular to a data security sharing method, a device, equipment, a medium and a product. Background With the penetration of digital transformation, data has become a key production element for promoting the development of society, and how to safely share data and protect privacy in a scene of multiparty participation has become an important challenge in the current information technology field. In the inter-organization business such as government affair intercommunication, medical collaboration, financial joint wind control and the like, all parties need to exchange data efficiently to create value, and the data must be ensured not to be revealed, abused or tampered, so that various data security sharing and privacy protection technologies are promoted. The main technical route at present mainly comprises three types, namely a centralized data sharing scheme based on a traditional public key system, access control realized by means of mature public key infrastructure and centralized authority management, a block chain-based intelligent contract sharing scheme, an audit transparency and decentralization trust improvement by means of a distributed account book and an intelligent contract, an authority model of the intelligent contract sharing scheme is hard to be solidified and difficult to support fine-granularity access control, and an access control model based on a static key and a disposable token, is simple to realize, has weak authorization capability and cannot adapt to complex authority inheritance and minimum authorization requirements in a multi-organization cooperative scene. Although the existing scheme has a certain application effect in different scenes, the key problems are faced in common, namely, firstly, the security foundation depends on the traditional asymmetric encryption algorithm and is vulnerable to quantum computing attack in the future and lacks sustainable security guarantee, secondly, the key negotiation process is usually carried out on line in real time, the computing and communication expenditure is large and is difficult to be applied to the edge terminal with limited resources, thirdly, the access token has a simple structure and lacks the capability of expressing complex strategies (such as time, times and field level authorities), and a transmissible and traceable authorization chain cannot be formed. Therefore, the existing data security sharing and privacy protecting method has the technical problems of lower security, lower efficiency and poorer flexibility. Disclosure of Invention The embodiment of the application provides a data security sharing method, a device, equipment, a medium and a product, which are used for solving the technical problems of lower security, lower efficiency and poorer flexibility of the existing data security sharing and privacy protection method. In order to solve the technical problems, the application is realized as follows: in a first aspect, an embodiment of the present application provides a method for securely sharing data, where the method is applied to a data owner, and the method includes: acquiring an on-chain identity credential of a data requester from a blockchain, and extracting a public key and a permission level of the data requester from the on-chain identity credential; Executing a plurality of key encapsulation operations in advance based on the public key to generate a plurality of key encapsulation results, and forming a pre-encapsulation key pool based on the key encapsulation results, wherein the key encapsulation results comprise encapsulation ciphertext and a corresponding shared key; Receiving a data access request sent by the data requester, responding to the data access request, selecting a target key encapsulation result from the pre-encapsulation key pool, constructing a structured access token according to a target shared key in the target key encapsulation result and the authority level, and sending the structured access token and a target encapsulation ciphertext in the target key encapsulation result to the data requester; The method comprises the steps of obtaining pre-stored data to be shared, encrypting the data to be shared according to the target shared secret key to obtain a data ciphertext, and sending the data ciphertext to a data requester, wherein the data requester is used for decrypting the data ciphertext according to the structured access token and the target encapsulation ciphertext to obtain the data to be shared. Optionally, performing a plurality of rounds of key encapsulation operations in advance based on the public key, generating a plurality of key encapsulation results, and forming a pre-encapsulated key pool based on the plurality of key encapsulation results, including: Based on the public key, a quantu