[go: up one dir, main page]

WO2022193119A1 - Blockchain data protection method and system - Google Patents

Blockchain data protection method and system Download PDF

Info

Publication number
WO2022193119A1
WO2022193119A1 PCT/CN2021/081017 CN2021081017W WO2022193119A1 WO 2022193119 A1 WO2022193119 A1 WO 2022193119A1 CN 2021081017 W CN2021081017 W CN 2021081017W WO 2022193119 A1 WO2022193119 A1 WO 2022193119A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
communication
root
request
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2021/081017
Other languages
French (fr)
Chinese (zh)
Inventor
曲强
许沁琪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Institute of Advanced Technology of CAS
Original Assignee
Shenzhen Institute of Advanced Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Institute of Advanced Technology of CAS filed Critical Shenzhen Institute of Advanced Technology of CAS
Priority to PCT/CN2021/081017 priority Critical patent/WO2022193119A1/en
Publication of WO2022193119A1 publication Critical patent/WO2022193119A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • the present invention relates to the field of blockchain, and in particular, to a method and system for protecting blockchain data.
  • the blockchain in the virtual currency stage adopts the method of user anonymity to ensure the privacy of the user, while the blockchain of the alliance chain and the complex data adopts the data encryption method on the chain to ensure the security of the data.
  • the user encrypts the data with a symmetric cryptographic algorithm before submitting the data to the chain, and then decrypts the data when using the data on the chain.
  • the present invention provides a block chain data protection method and system.
  • the specific plans are as follows:
  • a blockchain data protection method applied to a system including a root key unit, a secondary key unit and a communication key unit, the method includes a data protection mode:
  • the blockchain node sends an encryption request or a decryption request
  • the root key unit updates the secondary key according to the root key according to a preset period
  • the secondary key unit updates the communication key according to the current secondary key according to the preset time
  • the communication key unit receives the encryption request or the decryption request, performs an encryption operation on the blockchain node according to the current communication key and the encryption request, and performs an encryption operation on the blockchain node according to the current communication key and the decryption request. Perform a decryption operation on the blockchain node.
  • the method further includes a data recovery mode:
  • the blockchain node sends a data recovery request containing the communication key
  • the communication key unit parses out the communication key according to the data recovery request, determines whether the communication key is correct, if not, generates a first key request, and if so, is the blockchain node perform decryption operations;
  • the secondary key unit parses out the secondary key according to the first key request, and judges whether the secondary key is correct; if not, generates a second key request; After the level key calculates the communication key, the decryption operation is performed;
  • the root key unit parses out the root key according to the second key request, and judges whether the root key is correct, and if so, calculates the secondary key and the communication key according to the root key. decryption operation.
  • the "decryption operation after calculating the communication key according to the secondary key” specifically includes:
  • the secondary key unit calculates a communication key according to the secondary key
  • the communication key unit performs the decryption operation for the blockchain node according to the communication key
  • the "decryption operation after calculating the secondary key and the communication key according to the root key” specifically includes:
  • the root key unit calculates a secondary key according to the second key request
  • the secondary key unit calculates a communication key according to the secondary key
  • the communication key unit performs the decryption operation for the blockchain node according to the communication key.
  • the root key unit only accesses the secondary key unit when the secondary key is updated
  • the secondary key unit and the communication key unit are set on different servers.
  • the root key unit includes a root key calculation module and a root key storage module;
  • the root key storage module stores all root keys, and records the number of secondary keys generated
  • the root key calculation module calculates secondary keys according to the number of secondary keys, and each secondary key corresponds to a secondary key number.
  • the secondary key unit includes a secondary key calculation module and a secondary key storage module;
  • the secondary key storage module only stores the current secondary key and its secondary key number, and records the number of communication keys generated according to the current secondary key. Cleared when the secondary key is updated;
  • the secondary key calculation module calculates a communication key according to the current secondary key and the number of the communication keys, each of the communication keys corresponds to a communication key number, and the communication key number is provided with The secondary key number.
  • the communication key unit includes an encryption/decryption module and a communication key storage module;
  • the encryption and decryption module performs encryption operation or decryption operation on the blockchain node
  • the communication key storage module only stores the current communication key and its communication key number.
  • the secondary key unit includes a plurality of key subunits, the plurality of key subunits are connected in sequence, and layer-by-layer encryption is implemented by generating subkeys.
  • a blockchain data protection system connects blockchain nodes, including,
  • Communication key unit used to receive an encryption request or decryption request sent by a blockchain node, perform an encryption operation on the blockchain node according to the current communication key and the encryption request, and perform an encryption operation on the blockchain node according to the current communication key and the encryption request. Decrypt the blockchain node according to the decryption request;
  • Root key unit used to update the secondary key according to the root key according to a preset period
  • Secondary key unit used to update the communication key according to the current secondary key according to the preset time.
  • the communication key unit further includes: receiving a data recovery request containing the communication key sent by the blockchain node, parsing the communication key according to the data recovery request, and determining the communication key. Whether the key is correct, if not, generate a first key request, if so, perform decryption operation for the blockchain node;
  • the secondary key unit further includes: for parsing out the secondary key according to the first key request, judging whether the secondary key is correct, if not, generating a second key request, if yes, Then perform a decryption operation after calculating the communication key according to the secondary key;
  • the root key unit further includes: for analyzing the root key according to the second key request, and judging whether the root key is correct, if so, calculating the secondary key and the root key according to the root key.
  • the decryption operation is performed after the communication key.
  • the root key unit includes,
  • Root key storage module used to store all the root keys and record the number of secondary keys generated
  • Root key calculation module used to calculate the secondary key according to the quantity of the secondary key.
  • the secondary key unit includes,
  • Secondary key storage module used to store the current secondary key and its secondary key number, and record the number of generated communication keys
  • Secondary key calculation module used to calculate the communication key according to the number of the communication keys.
  • the communication key unit includes,
  • Encryption and decryption module used to encrypt or decrypt the blockchain node
  • Communication key storage module used to store the current communication key and its communication key number, where the communication key number includes the secondary key number.
  • the present invention proposes a block chain data protection method and system, which encrypts and protects block chain data based on hierarchical key management, and has high security.
  • the key is expanded into the root key, secondary key and communication key, which greatly improves the security.
  • the key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security.
  • each key unit can actively initiate a request to the upper-level key unit to achieve data recovery.
  • the blockchain data protection system is transparent to the blockchain framework, only the traditional encryption service needs to be replaced without any changes to the blockchain framework.
  • FIG. 1 is a schematic diagram of a blockchain according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of a blockchain data protection method according to Embodiment 1 of the present invention.
  • FIG. 3 is a diagram of another blockchain data protection method according to Embodiment 1 of the present invention.
  • FIG. 4 is a flowchart of a blockchain data protection method according to Embodiment 2 of the present invention.
  • Fig. 5 is the data recovery mode flow chart of Embodiment 2 of the present invention.
  • FIG. 6 is a schematic diagram of the application of the blockchain data protection system according to Embodiment 3 of the present invention.
  • the present invention proposes a block chain data protection method and system, and uses a hierarchical key management method to protect the block chain data.
  • a typical blockchain-based business system includes three parts: blockchain network, node and business system, as shown in Figure 1 of the specification.
  • a blockchain network is a linked list composed of blocks that is jointly maintained by multiple nodes. Each block in the linked list has a hash pointer to the previous block, thus ensuring that the data on the blockchain cannot be tampered with.
  • the blockchain node maintains a database locally, and the content stored in the database is the current state of the data on the blockchain.
  • the blockchain system operates the database through transactions, and the transactions on the chain will modify the contents of the database.
  • the data in the node's local database is stored in plaintext, but when the node submits the data to the blockchain, that is, when constructing a transaction, the data will be encrypted and submitted.
  • the node After the consensus of the transaction blockchain network, the node decrypts the content of the transaction and updates the local database.
  • the business system runs the unit provided by the user, selects the data to be saved on the chain, and submits it to the node. After the business system is accidentally damaged, the blockchain can restore the data on the chain of the business system, that is, the disaster recovery function of the blockchain.
  • the key in this application includes but is not limited to any data format that can provide an encryption function.
  • This embodiment proposes a blockchain data protection method, which realizes the protection of blockchain data by providing multi-level keys and modifying the keys regularly.
  • the specific process is such as accompanying drawing 2 of the description, and the specific scheme is as follows:
  • a block chain data protection method is applied to a system including a root key unit, a secondary key unit and a communication key unit.
  • the method includes a data protection mode, and the specific steps of the data protection mode are:
  • the blockchain node sends an encryption request or a decryption request
  • the root key unit updates the secondary key according to the root key according to a preset period
  • the secondary key unit updates the communication key according to the current secondary key according to the preset time
  • the communication key unit receives an encryption request or a decryption request, performs an encryption operation on the blockchain node according to the current communication key, and performs a decryption operation on the blockchain node according to the current communication key and the decryption request.
  • the communication key unit is connected to the blockchain node, the blockchain node sends an encryption request or a decryption request, and the communication key unit performs an encryption operation or a decryption operation according to the request.
  • the encryption operation includes: the communication key unit encrypts the blockchain node according to the encryption request, and the user needs to provide the correct communication key to extract the data in the blockchain node.
  • the decryption operation includes: the communication key unit unlocks the encrypted blockchain node according to the communication key provided by the blockchain node.
  • the root key unit includes a root key storage module and a root key calculation module.
  • the root key storage module stores all root keys, including currently used root keys and historical root keys, and is provided with a secondary key counter.
  • the secondary key counter is used to record the number of secondary keys that have been generated. Each time a secondary key is generated, the secondary key counter increases by 1.
  • the root key calculation module calculates the next secondary key according to the value of the secondary key counter, and increments the secondary key counter by 1.
  • the root key unit can generate one or more secondary keys at a time, select one or more secondary keys as the current secondary key and send it to the secondary key unit.
  • the root key has the highest security level.
  • the root key unit can be stored in separate hardware or offline machine, and the secondary key unit is only accessed when the secondary key is updated.
  • Offline machines include servers that are not connected to the Internet or servers that are not connected to the blockchain network.
  • Separate hardware storage includes, but is not limited to, hardware storage media, such as mobile hard disks.
  • the root key has the highest level of security. Using separate hardware storage or offline machine storage can prevent hackers from obtaining the root key through network attacks, thereby protecting blockchain data.
  • the user can update the root key through the root key unit at a preset period, or manually modify the root key.
  • root key may be set manually, or may be randomly generated by the root key unit.
  • the secondary key unit includes a secondary key storage module and a secondary key calculation module, and the secondary key unit needs to be configured on an independent machine, and not the same as the communication key unit on the server.
  • the secondary key storage module only stores the currently used secondary key, and is provided with a communication key counter.
  • the key storage module will not store the secondary key used in history, but only the currently used secondary key and the number of the secondary key.
  • the communication key counter counts the communication key generated by the current secondary key, and the communication key counter will be cleared when the secondary key is updated.
  • the secondary key calculation module calculates the next communication key according to the value of the communication key counter, and increments the communication key counter by 1.
  • the secondary key calculation module can generate multiple communication keys according to a secondary key.
  • the secondary key unit is the second-level key unit, and its security is second only to the root key.
  • the secondary key is the basis for the generation of communication keys, which further improves the security of the system. It should be noted that, since the number of secondary keys is uncertain, the secondary key unit only stores the currently used secondary keys, and the currently used secondary keys also include one or more secondary keys. In order to save storage costs and further improve the security of the system and prevent hackers from deciphering the current secondary key based on the historical secondary key, the secondary key storage module will not store the historically used secondary key, only Stores the currently used secondary key and the number of the secondary key. The secondary key unit generates one or more communication keys based on the secondary key.
  • the communication key unit includes a communication key storage module and an encryption and decryption module, and the communication key unit can be configured on a separate machine or on the same machine as the blockchain node.
  • the communication key storage module stores the currently used communication key and the serial number of the communication key.
  • this key storage module does not store historical communication keys, but only the currently used communication keys and their numbers.
  • the serial number of the communication key includes the serial number of the secondary key and the serial number in the secondary key unit corresponding to the current communication key when it is generated.
  • the encryption and decryption module obtains the input encryption request or decryption request from the blockchain node, performs encryption or decryption operations according to the parameters, and returns it to the blockchain node.
  • the communication key unit provides encryption operations and decryption operations to the blockchain nodes.
  • the secondary key unit periodically initiates a key update request to the communication key module. The period for the root key unit to update the secondary key is determined by the user. At this time, all key updates are one-way, and the upper-level key unit initiates an update request to the next-level key unit. The next-level key unit cannot actively initiate a request to the upper-level. Realize that when a communication key is lost, only part of the data will be lost, and most of the data will remain safe.
  • the secondary key unit may be omitted as an intermediate device.
  • Data encryption can be achieved through the root key unit and the communication key unit.
  • the root key unit generates a communication key within a preset period according to the root key, and the communication key unit performs encryption and decryption operations according to the communication key.
  • This embodiment is suitable for a blockchain environment with a low security level.
  • the root key unit adopts a separate storage medium, and only accesses the communication key unit when the communication key is updated.
  • the secondary key unit as an intermediate device includes a plurality of subunits. Layer-by-layer encryption is performed between multiple sub-units through the generated key.
  • the secondary key unit includes a first key unit, a second key unit, and a third key unit.
  • the first key unit generates the first key according to the current secondary key
  • the second key unit generates the first key according to the current secondary key.
  • the first key generates the second key
  • the third key unit generates the communication key according to the second key, as shown in FIG. 3 of the specification.
  • This embodiment is suitable for a blockchain environment with a high security level, and an appropriate number of subunits can be selected for encryption according to the security level.
  • this embodiment proposes a blockchain data protection method, which provides key management and data encryption and decryption, and expands the key into a root key, a secondary key, and a communication key, two of which are
  • the primary key is generated from the root key
  • the communication key is generated from the secondary key.
  • the root key has the highest level of security and can be isolated using separate hardware or stored on a separate machine, isolated from the Internet, with access to the secondary key unit only when in use.
  • the secondary key is used to periodically generate the communication key, which is stored on a different machine from the machine where the communication key is stored, isolated from the external network, and only communicates with the machine that uses the communication key to encrypt and decrypt.
  • the communication key can be stored on the blockchain node machine or other machines connected to the node machine, and the key management system provides the node with an encryption and decryption unit based on the communication key.
  • This embodiment isolates the key from the blockchain network.
  • data leakage is minimized, which solves the problem in the prior art that all data on the chain will be leaked if the key is leaked.
  • the key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security.
  • There is no need to store historical keys which can reduce the maintenance cost of the cryptographic system, reduce the storage space and avoid the possibility of leaking all encryption and decryption keys at one time.
  • users can also choose an appropriate password protection scheme according to the security level of the blockchain data.
  • this embodiment adds a data recovery mode to further expand the functionality of the method.
  • the process steps of the data recovery mode are as shown in Figure 4 of the description, and the specific scheme is as follows:
  • the blockchain node sends a data recovery request containing the communication key
  • the communication key unit parses out the communication key according to the data recovery request, determines whether the communication key is correct, if not, generates a first key request, and if so, performs decryption operation for the blockchain node;
  • the secondary key unit parses out the secondary key according to the first key request, and judges whether the secondary key is correct, if not, generates a second key request, and if so, performs the first decryption operation for the blockchain node ;
  • the root key unit performs a second decryption operation on the blockchain node according to the second key request key.
  • the communication key unit receives the data recovery request from the blockchain node.
  • the data recovery request is only for the data recovery mode, and the data recovery request contains the communication key.
  • the communication key unit analyzes the communication key of the data recovery request, and determines whether the communication key is correct, that is, whether the communication key is the current communication key. If the judgment is yes, the communication key is correct, and the communication key unit decrypts the blockchain node, obtains the decrypted data stored in the blockchain node, and returns it to the blockchain node to achieve data recovery. If the judgment is negative, the communication key is incorrect, and the communication key unit generates a first key request to the secondary key unit.
  • the secondary key unit receives the second key request, derives the secondary key according to the communication key, and the secondary key unit judges whether the secondary key is the currently used secondary key. If the judgment result is yes, the secondary key is correct, and the secondary key unit performs the first decryption operation.
  • the first decryption operation is: the secondary key unit calculates the communication key according to the secondary key, sets the communication key as the current communication key, and the communication key unit receives the new communication key at this time, If it is the same as the communication key in the data recovery request, the communication key unit decrypts the blockchain node, obtains the decrypted data stored in the blockchain node, and returns it to the blockchain node to achieve data recovery. If the judgment result is no, the secondary key is incorrect, and the secondary key unit generates a second key request to the root key unit.
  • the root key unit receives the second key request, derives the root key according to the secondary key, and the root key unit determines whether the root key is a used or currently used root key. If the judgment result is yes, the root key is correct, and the root key unit performs the second decryption operation.
  • the second decryption operation includes: the root key unit calculates the secondary key according to the root key, and stores the secondary key as the current secondary key. When the new secondary key received by the secondary key unit is consistent with the secondary key in the first key request, the secondary key unit performs the first decryption operation. If the judgment structure is negative, the root key is incorrect, the root key unit refuses to provide the key, and data recovery fails.
  • the secondary key unit and the communication key unit only store the currently used key, when the key is lost, it is only necessary to input the used communication key, and the root key unit can gradually deduce the key according to the key. the corresponding root key.
  • each key unit can actively initiate a request to the upper-level key unit. It is recommended that the system be offline for data recovery.
  • the communication key unit judges the key information, requests the key from the secondary key unit, the secondary key unit judges the parent key of the key, and requests the key from the root key unit.
  • the root key unit receives the key request unit, it calculates the key according to the number and returns it to the secondary key unit, and the secondary key unit calculates the communication key according to the received secondary key and key number, It is sent to the communication key unit, which uses the key to decrypt the data, and finally returns it to the blockchain node.
  • the key system After executing this process once, the key system returns the decrypted data to the blockchain node, and the blockchain node uses the decrypted data to update the local database and business system database for data recovery. Data recovery is complete until all data on the blockchain is updated to the local database and business database.
  • this embodiment adds a data recovery mode to further expand the functionality of the method. After the blockchain data is lost, each key unit can actively initiate a request to the upper-level key unit to achieve data recovery. Users only need to input the current or historically used communication key to achieve data recovery, which is highly practical.
  • this embodiment systematizes a blockchain data protection method proposed in Embodiment 2 to form a blockchain data protection system.
  • the schematic diagram of each module is shown in Figure 4 of the description.
  • the specific plans are as follows:
  • a blockchain data protection system data protection mode and data recovery mode.
  • the system includes a communication key unit, a root key unit and a secondary key unit. Specifically include:
  • Communication key unit used to receive the encryption request or decryption request sent by the blockchain node, encrypt the blockchain node according to the current communication key, and decrypt the blockchain node according to the current communication key and decryption request. operate;
  • Root key unit used to update the current secondary key according to the root key according to a preset period
  • Secondary key unit used to update the current communication key according to the current secondary key according to the preset time
  • the system includes a communication key unit, a root key unit and a secondary key unit. Specifically include:
  • Communication key unit used to receive a data recovery request containing a communication key sent by the blockchain node, parse out the communication key according to the data recovery request, determine whether the communication key is correct, if not, generate a first key request, If so, decrypt it for the blockchain node;
  • Secondary key unit used to parse out the secondary key according to the first key request, and determine whether the secondary key is correct; if not, generate a second key request; if so, perform the second key request for the blockchain node A decryption operation; the secondary key unit may include multiple key sub-units to further improve the security of the system.
  • Root key unit used to parse out the root key according to the second key request, determine whether the root key is correct, and if so, perform a second decryption operation.
  • the first decryption operation includes: the secondary key unit calculates the communication key according to the secondary key; the communication key is set as the current communication key; the communication key unit decrypts the blockchain node according to the communication key operate;
  • the second decryption operation includes: the root key unit calculates the secondary key according to the second key request; sets the secondary key as the current secondary key; and executes the first decryption operation.
  • the root key unit includes a root key storage module and a root key calculation module.
  • Root key storage module used to store all root keys and record the number of secondary keys generated; the root key storage module stores all root keys and is provided with a secondary key counter.
  • the secondary key counter is used to record the number of secondary keys that have been generated. Each time a secondary key is generated, the counter increases by 1.
  • Root key calculation module used to calculate the secondary key according to the number of secondary keys. The root key calculation module calculates the next secondary key according to the value of the secondary key counter, and increments the secondary key counter by 1.
  • the secondary key unit includes a secondary key storage module and a secondary key calculation module.
  • Secondary key storage module used to store the currently used secondary key and its secondary key number, and record the number of generated communication keys; the secondary key storage module only stores the currently used secondary key, And set a communication key counter.
  • the key storage module will not store the secondary key used in history, but only the currently used secondary key and the number of the secondary key.
  • the communication key counter is the number of communication keys generated by the current secondary key, and the communication key counter will be cleared when the secondary key is updated.
  • Secondary key calculation module used to calculate the communication key according to the number of communication keys. The secondary key calculation module calculates the next communication key according to the value of the communication key counter, and increments the communication key counter by 1.
  • the communication key unit includes an encryption/decryption module and a communication key storage module.
  • Encryption and decryption module used to encrypt or decrypt blockchain nodes
  • Communication key storage module used to store the currently used communication key and its communication key number, the communication key number including the secondary key number.
  • the blockchain data protection system proposed in this embodiment is transparent to the blockchain framework, only the traditional encryption service needs to be replaced without any changes to the blockchain framework, and the application to the blockchain is shown in Figure 6 of the specification. .
  • the present invention proposes a block chain data protection method and system, which encrypts and protects block chain data based on hierarchical key management, and has high security.
  • the key is expanded into the root key, secondary key and communication key, which greatly improves the security.
  • data leakage can be minimized, which solves the drawback of the prior art that all data on the chain will be leaked if the key is leaked.
  • the key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security.
  • modules or steps of the present invention can be implemented by a general-purpose computing device, and they can be centralized on a single computing device, or distributed on a network composed of multiple computing devices.
  • they may be implemented in program code executable by a computer device, so that they can be stored in a storage device and executed by the computing device, or they can be fabricated separately into individual integrated circuit modules, or a plurality of modules of them Or the steps are made into a single integrated circuit module to realize.
  • the present invention is not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention provides a blockchain data protection method and system. The method comprises: a blockchain node sends an encryption request or a decryption request; a root key unit updates a secondary key according to a root key in accordance with a preset period; a secondary key unit updates a communication key according to the current secondary key in accordance with preset time; and a communication key unit receives the encryption request or the decryption request, performs an encryption operation on the blockchain node according to the current communication key and the encryption request, and performs a decryption operation on the blockchain node according to the current communication key and the decryption request. In the present invention, blockchain data is subjected to encryption and protection on the basis of hierarchical key management, thereby achieving high security; a key is expanded into a root key, a secondary key, and a communication key, such that the security of the system is greatly improved, and a small required storage space and low maintenance cost are achieved.

Description

一种区块链数据保护方法及系统A blockchain data protection method and system 技术领域technical field

本发明涉及区块链领域,具体而言,涉及一种区块链数据保护方法及系统。The present invention relates to the field of blockchain, and in particular, to a method and system for protecting blockchain data.

背景技术Background technique

2009年,比特币发行以来,其底层结构区块链得到了广泛的关注。在多年的发展中,区块链技术由仅用于数字货币到应用于金融结算,到如今扩展到金融行业之外,覆盖人类社会生活的方方面面,包括在司法、医疗、物流、政务、军事等各个领域。区块链上的内容也由仅存储用户金额扩展到多种类型的数据,包括文本数据、时空数据和日志数据等。Since the release of Bitcoin in 2009, its underlying structure, blockchain, has received extensive attention. In the years of development, blockchain technology has been used only for digital currency to be used in financial settlement, and now it has expanded beyond the financial industry, covering all aspects of human social life, including judicial, medical, logistics, government affairs, military, etc. each field. The content on the blockchain has also expanded from only storing user amounts to various types of data, including text data, spatiotemporal data, and log data.

由于区块链多方共同记账的特点,用户的数据都是公开的,因此需要特别的手段来确保用户的数据安全。虚拟货币阶段的区块链采用用户匿名的方法确保用户的隐私,而联盟链和复杂数据的区块链,则采用链上数据加密的方式确保数据的安全性。用户在将数据提交上链之前先将数据使用对称密码算法加密,在使用链上数据时再将数据解密。Due to the multi-party joint accounting feature of the blockchain, the user's data is public, so special means are needed to ensure the security of the user's data. The blockchain in the virtual currency stage adopts the method of user anonymity to ensure the privacy of the user, while the blockchain of the alliance chain and the complex data adopts the data encryption method on the chain to ensure the security of the data. The user encrypts the data with a symmetric cryptographic algorithm before submitting the data to the chain, and then decrypts the data when using the data on the chain.

但当前的区块链存在的问题是,节点仅使用一个密钥进行加解密操作,一旦该密钥泄露,则所有链上的数据都会泄露。且更换密钥仅能保护此后的数据,而泄露前的所有数据都无法再受到保护,因此密钥泄露会造成很大的损失。同时,区块链节点需要与区块链中的其他节点通信,必然会暴漏在公网之中,易于受到攻击者的攻击,密钥泄露的风险较大。But the problem with the current blockchain is that nodes only use one key for encryption and decryption operations. Once the key is leaked, all data on the chain will be leaked. And changing the key can only protect the data after that, and all the data before the leakage can no longer be protected, so the leakage of the key will cause great losses. At the same time, blockchain nodes need to communicate with other nodes in the blockchain, which will inevitably be exposed in the public network, which is easy to be attacked by attackers, and the risk of key leakage is high.

因此,需要一种针对区块链的数据保护方法,能够解决上述问题。Therefore, there is a need for a data protection method for blockchain that can solve the above problems.

发明内容SUMMARY OF THE INVENTION

基于现有技术存在的问题,本发明提供了一种区块链数据保护方法及系统。具体方案如下:Based on the problems existing in the prior art, the present invention provides a block chain data protection method and system. The specific plans are as follows:

一种区块链数据保护方法,应用于包括有根密钥单元、二级密钥单元和通信密钥单元的系统中,所述方法包括数据保护模式:A blockchain data protection method, applied to a system including a root key unit, a secondary key unit and a communication key unit, the method includes a data protection mode:

区块链节点发送加密请求或解密请求;The blockchain node sends an encryption request or a decryption request;

所述根密钥单元根据根密钥按照预设周期更新二级密钥;The root key unit updates the secondary key according to the root key according to a preset period;

所述二级密钥单元根据当前的二级密钥按照预设时间更新通信密钥;The secondary key unit updates the communication key according to the current secondary key according to the preset time;

所述通信密钥单元接收所述加密请求或所述解密请求,根据当前的通信密钥和所述加密请求对所述区块链节点进行加密操作,根据当前的通信密钥和所述解密请求对所述区块链节点进行解密操作。The communication key unit receives the encryption request or the decryption request, performs an encryption operation on the blockchain node according to the current communication key and the encryption request, and performs an encryption operation on the blockchain node according to the current communication key and the decryption request. Perform a decryption operation on the blockchain node.

在一个具体实施例中,所述方法还包括数据恢复模式:In a specific embodiment, the method further includes a data recovery mode:

所述区块链节点发送含有所述通信密钥的数据恢复请求;The blockchain node sends a data recovery request containing the communication key;

所述通信密钥单元根据所述数据恢复请求解析出所述通信密钥,判断所述通信密钥是否正确,若否,则生成第一密钥请求,若是,则为所述区块链节点进行解密操作;The communication key unit parses out the communication key according to the data recovery request, determines whether the communication key is correct, if not, generates a first key request, and if so, is the blockchain node perform decryption operations;

所述二级密钥单元根据所述第一密钥请求解析出二级密钥,判断所述二级密钥是否正确,若否,则生成第二密钥请求,若是,则根据所述二级密钥计算出通信密钥后进行解密操作;The secondary key unit parses out the secondary key according to the first key request, and judges whether the secondary key is correct; if not, generates a second key request; After the level key calculates the communication key, the decryption operation is performed;

所述根密钥单元根据所述第二密钥请求解析出根密钥,判断所述根密钥是否正确,若是,则根据所述根密钥计算出二级密钥和通信密钥后进行解密操作。The root key unit parses out the root key according to the second key request, and judges whether the root key is correct, and if so, calculates the secondary key and the communication key according to the root key. decryption operation.

在一个具体实施例中,其中,所述“根据所述二级密钥计算出通信密钥后进行解密操作”具体包括:In a specific embodiment, wherein, the "decryption operation after calculating the communication key according to the secondary key" specifically includes:

所述二级密钥单元根据所述二级密钥计算通信密钥;The secondary key unit calculates a communication key according to the secondary key;

将所述通信密钥设置为当前的通信密钥;setting the communication key as the current communication key;

所述通信密钥单元根据所述通信密钥为所述区块链节点进行所述解密操作;The communication key unit performs the decryption operation for the blockchain node according to the communication key;

其中,所述“根据所述根密钥计算出二级密钥和通信密钥后进行解密操作”具体包括:Wherein, the "decryption operation after calculating the secondary key and the communication key according to the root key" specifically includes:

所述根密钥单元根据所述第二密钥请求计算出二级密钥;The root key unit calculates a secondary key according to the second key request;

将所述二级密钥设置为当前的二级密钥;setting the secondary key as the current secondary key;

所述二级密钥单元根据所述二级密钥计算通信密钥;The secondary key unit calculates a communication key according to the secondary key;

将所述通信密钥设置为当前的通信密钥;setting the communication key as the current communication key;

所述通信密钥单元根据所述通信密钥为所述区块链节点进行所述解密操作。The communication key unit performs the decryption operation for the blockchain node according to the communication key.

在一个具体实施例中,所述根密钥单元仅在更新所述二级密钥时接入所述二级密钥单元;In a specific embodiment, the root key unit only accesses the secondary key unit when the secondary key is updated;

和/或所述二级密钥单元与所述通信密钥单元设置在不同的服务器上。And/or the secondary key unit and the communication key unit are set on different servers.

在一个具体实施例中,所述根密钥单元包括根密钥计算模块和根密钥存储模块;In a specific embodiment, the root key unit includes a root key calculation module and a root key storage module;

所述根密钥存储模块存储所有的根密钥,并记录生成的二级密钥数量;The root key storage module stores all root keys, and records the number of secondary keys generated;

所述根密钥计算模块根据所述二级密钥数量计算二级密钥,每个二级密钥对应有二级密钥编号。The root key calculation module calculates secondary keys according to the number of secondary keys, and each secondary key corresponds to a secondary key number.

在一个具体实施例中,所述二级密钥单元包括二级密钥计算模块和二级密钥存储模块;In a specific embodiment, the secondary key unit includes a secondary key calculation module and a secondary key storage module;

所述二级密钥存储模块仅存储当前的二级密钥及其二级密钥编号,并记录根据当前的二级密钥所生成的通信密钥数量,所述通信密钥数量在当前的二级密钥更新时清零;The secondary key storage module only stores the current secondary key and its secondary key number, and records the number of communication keys generated according to the current secondary key. Cleared when the secondary key is updated;

所述二级密钥计算模块根据当前的二级密钥和所述通信密钥数量计算通信密钥,每个所述通信密钥对应有通信密钥编号,所述通信密钥编号中设置有所述二级密钥编号。The secondary key calculation module calculates a communication key according to the current secondary key and the number of the communication keys, each of the communication keys corresponds to a communication key number, and the communication key number is provided with The secondary key number.

在一个具体实施例中,所述通信密钥单元包括加解密模块和通信密钥存储模块;In a specific embodiment, the communication key unit includes an encryption/decryption module and a communication key storage module;

所述加解密模块对所述区块链节点进行加密操作或解密操作;The encryption and decryption module performs encryption operation or decryption operation on the blockchain node;

所述通信密钥存储模块仅存储当前的通讯密钥及其通信密钥编号。The communication key storage module only stores the current communication key and its communication key number.

在一个具体实施例中,所述二级密钥单元包括多个密钥子单元,多个所述密钥子单元之间依次连接,通过生成子密钥实现逐层加密。In a specific embodiment, the secondary key unit includes a plurality of key subunits, the plurality of key subunits are connected in sequence, and layer-by-layer encryption is implemented by generating subkeys.

一种区块链数据保护系统,所述系统连接区块链节点,包括,A blockchain data protection system, the system connects blockchain nodes, including,

通信密钥单元:用于接收区块链节点发送的加密请求或解密请求,根据当前的通信密钥和所述加密请求对所述区块链节点进行加密操作,根据当前的通信密钥和所述解密请求对所述区块链节点进行解密操作;Communication key unit: used to receive an encryption request or decryption request sent by a blockchain node, perform an encryption operation on the blockchain node according to the current communication key and the encryption request, and perform an encryption operation on the blockchain node according to the current communication key and the encryption request. Decrypt the blockchain node according to the decryption request;

根密钥单元:用于根据根密钥按照预设周期更新二级密钥;Root key unit: used to update the secondary key according to the root key according to a preset period;

二级密钥单元:用于根据当前的二级密钥按照预设时间更新通信密钥。Secondary key unit: used to update the communication key according to the current secondary key according to the preset time.

在一个具体实施例中,In a specific embodiment,

所述通信密钥单元还包括:用于接收所述区块链节点发送的含有所述通信密钥的数据恢复请求,根据所述数据恢复请求解析出所述通信密钥,判断所述通信密钥是否正确,若否,则生成第一密钥请求,若是,则为所述区块链节点进行解密操作;The communication key unit further includes: receiving a data recovery request containing the communication key sent by the blockchain node, parsing the communication key according to the data recovery request, and determining the communication key. Whether the key is correct, if not, generate a first key request, if so, perform decryption operation for the blockchain node;

所述二级密钥单元还包括:用于根据所述第一密钥请求解析出二级密钥,判断所述二级密钥是否正确,若否,则生成第二密钥请求,若是,则根据所述二级密钥计算通信密钥后进行解密操作;The secondary key unit further includes: for parsing out the secondary key according to the first key request, judging whether the secondary key is correct, if not, generating a second key request, if yes, Then perform a decryption operation after calculating the communication key according to the secondary key;

所述根密钥单元还包括:用于根据所述第二密钥请求解析出根密钥,判断所述根密钥是否正确,若是,则根据所述根密钥计算出二级密钥和通信密钥后进行解密操作。The root key unit further includes: for analyzing the root key according to the second key request, and judging whether the root key is correct, if so, calculating the secondary key and the root key according to the root key. The decryption operation is performed after the communication key.

在一个具体实施例中,所述根密钥单元包括,In a specific embodiment, the root key unit includes,

根密钥存储模块:用于存储所有的所述根密钥,并记录生成的二级密钥数量;Root key storage module: used to store all the root keys and record the number of secondary keys generated;

根密钥计算模块:用于根据所述二级密钥数量计算所述二级密钥。Root key calculation module: used to calculate the secondary key according to the quantity of the secondary key.

在一个具体实施例中,所述二级密钥单元包括,In a specific embodiment, the secondary key unit includes,

二级密钥存储模块:用于存储当前的二级密钥及其二级密钥编号,并记录生成的通信密钥数量;Secondary key storage module: used to store the current secondary key and its secondary key number, and record the number of generated communication keys;

二级密钥计算模块:用于根据所述通信密钥数量计算所述通信密钥。Secondary key calculation module: used to calculate the communication key according to the number of the communication keys.

在一个具体实施例中,所述通信密钥单元包括,In a specific embodiment, the communication key unit includes,

加解密模块:用于对所述区块链节点进行加密操作或解密操作;Encryption and decryption module: used to encrypt or decrypt the blockchain node;

通信密钥存储模块:用于存储当前的通讯密钥及其通信密钥编号,所述通信密钥编号包括所述二级密钥编号。Communication key storage module: used to store the current communication key and its communication key number, where the communication key number includes the secondary key number.

有益效果:Beneficial effects:

本发明针对现有技术的缺陷,提出了一种区块链数据保护方法及系统,基于分级密钥管理对区块链数据进行加密保护,安全性高。Aiming at the defects of the prior art, the present invention proposes a block chain data protection method and system, which encrypts and protects block chain data based on hierarchical key management, and has high security.

通过提供密钥管理和数据加解密,将密钥扩充为根密钥、二级密钥和通信密钥,极大提升了安全性。By providing key management and data encryption and decryption, the key is expanded into the root key, secondary key and communication key, which greatly improves the security.

通过将密钥与区块链网络隔离,在密钥泄露的情况下,保证数据最小化泄露,解决了现有技术中密钥泄露则所有链上的数据都会泄露的弊端。By isolating the key from the blockchain network, in the event of a key leak, data leakage can be minimized, which solves the drawback of the prior art that all data on the chain will be leaked if the key is leaked.

密钥与区块链网络隔离,减少被黑客网络攻击的可能性,进一步保证数据安全性。The key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security.

无需存储历史密钥,可以减少密码系统的维护成本,减少存储空间并且避免一次性泄露全部加解密密钥的可能性。There is no need to store historical keys, which can reduce the maintenance cost of the cryptographic system, reduce the storage space and avoid the possibility of leaking all encryption and decryption keys at one time.

用户可以根据安全等级选择密码保护方案。Users can choose a password protection scheme according to the security level.

在区块链数据损失后,各密钥单元可以向上一级密钥单元主动发起请求,实现数据恢复。After the blockchain data is lost, each key unit can actively initiate a request to the upper-level key unit to achieve data recovery.

用户只需输入当前或历史使用过的通信密钥,即可实现数据恢复,实用性强。Users only need to input the current or historically used communication key to achieve data recovery, which is highly practical.

将区块链数据保护方法模块化,形成一种具体的系统,使其更具备实用性。Modularize the blockchain data protection method to form a specific system, making it more practical.

区块链数据保护系统对区块链框架透明,只需将传统的加密服务进行替换,无需对区块链框架进行任何改变。The blockchain data protection system is transparent to the blockchain framework, only the traditional encryption service needs to be replaced without any changes to the blockchain framework.

为使本发明的上述目的、特征和优点能更明显易懂,下文特举较佳实施例,并配合所附附图,作详细说明如下。In order to make the above-mentioned objects, features and advantages of the present invention more obvious and easy to understand, preferred embodiments are given below, and are described in detail as follows in conjunction with the accompanying drawings.

附图说明Description of drawings

为了更清楚地说明本发明实施例的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,应当理解,以下附图仅示出了本发明的某些实施例,因此不应被看作是对范围的限定,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他相关的附图。In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the embodiments. It should be understood that the following drawings only show some embodiments of the present invention, and therefore do not It should be regarded as a limitation of the scope, and for those of ordinary skill in the art, other related drawings can also be obtained according to these drawings without any creative effort.

图1是本发明实施例的区块链示意图;1 is a schematic diagram of a blockchain according to an embodiment of the present invention;

图2是本发明实施例1的区块链数据保护方法流程图;2 is a flowchart of a blockchain data protection method according to Embodiment 1 of the present invention;

图3是本发明实施例1的另一种区块链数据保护方法图;3 is a diagram of another blockchain data protection method according to Embodiment 1 of the present invention;

图4是本发明实施例2的区块链数据保护方法流程图;4 is a flowchart of a blockchain data protection method according to Embodiment 2 of the present invention;

图5是本发明实施例2的数据恢复模式流程图;Fig. 5 is the data recovery mode flow chart of Embodiment 2 of the present invention;

图6是本发明实施例3的区块链数据保护系统应用示意图。FIG. 6 is a schematic diagram of the application of the blockchain data protection system according to Embodiment 3 of the present invention.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅是本发明的一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

本发明根据区块链环境的特点,提出了一种区块链数据保护方法及系统,利用分级密钥管理的方式对区块链数据进行保护。According to the characteristics of the block chain environment, the present invention proposes a block chain data protection method and system, and uses a hierarchical key management method to protect the block chain data.

一个典型的基于区块链的业务系统包括区块链网络、节点和业务系统三个部分,如说明书附图1所示。区块链网络为多个节点共同维护的一个由区块构成的链表。该链表中每一个区块都有一个指向前一个区块的哈希指针,从而确保区块链上的数据不可篡改。区块链节点于本地维护一个数据库,该数据库存储的内容是区块链上数据的当前状态。区块链系统通过交易操作数据库,上链后的交易会修改数据库中的内容。节点本地数据库的数据采用明文存储,但节点在提交数据上区块链,即构建交易时,会将数据加密后提交。交易区块链网络的共识后,节点解密交易的内容,更新本地数据库。业务系统运行用户提供的单元,并选择需要上链保存的数据,提交给节点。在业务系统意外损坏后,区块链可以将业务系统上链的数据进行恢复,即区块链的灾备功能。A typical blockchain-based business system includes three parts: blockchain network, node and business system, as shown in Figure 1 of the specification. A blockchain network is a linked list composed of blocks that is jointly maintained by multiple nodes. Each block in the linked list has a hash pointer to the previous block, thus ensuring that the data on the blockchain cannot be tampered with. The blockchain node maintains a database locally, and the content stored in the database is the current state of the data on the blockchain. The blockchain system operates the database through transactions, and the transactions on the chain will modify the contents of the database. The data in the node's local database is stored in plaintext, but when the node submits the data to the blockchain, that is, when constructing a transaction, the data will be encrypted and submitted. After the consensus of the transaction blockchain network, the node decrypts the content of the transaction and updates the local database. The business system runs the unit provided by the user, selects the data to be saved on the chain, and submits it to the node. After the business system is accidentally damaged, the blockchain can restore the data on the chain of the business system, that is, the disaster recovery function of the blockchain.

需要说明的是,本申请中的密钥包括但不限于任何一种能够提供加密功能的数据格式。It should be noted that the key in this application includes but is not limited to any data format that can provide an encryption function.

实施例1Example 1

本实施例提出了一种区块链数据保护方法,通过提供多级密钥并定时修改密钥,实现对区块链数据的保护。具体流程如说明书附图2,具体方案如下:This embodiment proposes a blockchain data protection method, which realizes the protection of blockchain data by providing multi-level keys and modifying the keys regularly. The specific process is such as accompanying drawing 2 of the description, and the specific scheme is as follows:

一种区块链数据保护方法,应用于包括有根密钥单元、二级密钥单元和通信密钥单元的系统中。该方法包括数据保护模式,数据保护模式的具体步骤为:A block chain data protection method is applied to a system including a root key unit, a secondary key unit and a communication key unit. The method includes a data protection mode, and the specific steps of the data protection mode are:

区块链节点发送加密请求或解密请求;The blockchain node sends an encryption request or a decryption request;

根密钥单元根据根密钥按照预设周期更新二级密钥;The root key unit updates the secondary key according to the root key according to a preset period;

二级密钥单元根据当前的二级密钥按照预设时间更新通信密钥;The secondary key unit updates the communication key according to the current secondary key according to the preset time;

通信密钥单元接收加密请求或解密请求,根据当前的通信密钥对区块链节点进行加密操作,根据当前的通信密钥和解密请求对区块链节点进行解密操作。The communication key unit receives an encryption request or a decryption request, performs an encryption operation on the blockchain node according to the current communication key, and performs a decryption operation on the blockchain node according to the current communication key and the decryption request.

在本实施例中,通信密钥单元连接区块链节点,区块链节点发送加密请求或解密请求,通信密钥单元根据请求进行加密操作或解密操作。In this embodiment, the communication key unit is connected to the blockchain node, the blockchain node sends an encryption request or a decryption request, and the communication key unit performs an encryption operation or a decryption operation according to the request.

加密操作包括:通信密钥单元根据加密请求,对区块链节点进行加密,用户需提供正确的通信密钥才能提取区块链节点中的数据。解密操作包括:通信密钥单元根据区块链节点提供的通信密钥,对已经加密的区块链节点进行解锁。The encryption operation includes: the communication key unit encrypts the blockchain node according to the encryption request, and the user needs to provide the correct communication key to extract the data in the blockchain node. The decryption operation includes: the communication key unit unlocks the encrypted blockchain node according to the communication key provided by the blockchain node.

在本实施例中,根密钥单元包括根密钥存储模块和根密钥计算模块。In this embodiment, the root key unit includes a root key storage module and a root key calculation module.

根密钥存储模块存储了所有的根密钥,包括当前使用的根密钥和历史根密钥,并设置有二级密钥计数器。二级密钥计数器用于记录已经生成过的二级密钥数量,每生成一个二级密钥,二级密钥计数器增加1。The root key storage module stores all root keys, including currently used root keys and historical root keys, and is provided with a secondary key counter. The secondary key counter is used to record the number of secondary keys that have been generated. Each time a secondary key is generated, the secondary key counter increases by 1.

根密钥计算模块根据二级密钥计数器的值计算下一个二级密钥,并将二级密钥计数器增加1。The root key calculation module calculates the next secondary key according to the value of the secondary key counter, and increments the secondary key counter by 1.

特别地,根密钥单元可一次生成一个或多个二级密钥,选取一个或多个二级密钥作为当前的二级密钥发送给二级密钥单元。In particular, the root key unit can generate one or more secondary keys at a time, select one or more secondary keys as the current secondary key and send it to the secondary key unit.

根密钥的安全等级最高,根密钥单元可以采用单独硬件存储或者离线机器存储,仅在更新二级密钥时接入二级密钥单元。离线机器包括不接入互联网的服务器或者不接入区块链网络的服务器。单独的硬件存储包括但不限于硬件存储介质,如移动硬盘等。根密钥作为最初始的密钥,具备最高的安全等级,采用单独的硬件存储或离线机器存储,可以避免被黑客通过网络攻击获取根密钥,进而保护区块链数据。用户可以预设周期通过根密钥单元更新根密钥,也可人工修改根密钥。The root key has the highest security level. The root key unit can be stored in separate hardware or offline machine, and the secondary key unit is only accessed when the secondary key is updated. Offline machines include servers that are not connected to the Internet or servers that are not connected to the blockchain network. Separate hardware storage includes, but is not limited to, hardware storage media, such as mobile hard disks. As the initial key, the root key has the highest level of security. Using separate hardware storage or offline machine storage can prevent hackers from obtaining the root key through network attacks, thereby protecting blockchain data. The user can update the root key through the root key unit at a preset period, or manually modify the root key.

需要说明的时,根密钥可以是人工设置,也可以是根密钥单元随机产生。It should be noted that the root key may be set manually, or may be randomly generated by the root key unit.

在本实施例中,二级密钥单元包括二级密钥存储模块和二级密钥计算模块,二级密钥单元需配置在一台独立的机器上,且与通信密钥单元不在同一台服务器上。In this embodiment, the secondary key unit includes a secondary key storage module and a secondary key calculation module, and the secondary key unit needs to be configured on an independent machine, and not the same as the communication key unit on the server.

二级密钥存储模块仅存储当前使用的二级密钥,并设置有通信密钥计数器。密钥存储模块不会存储历史使用的二级密钥,仅存储当前使用的二级密钥及该二级密钥的编号。通信密钥计数器为当前二级密钥生成的通信密钥进行计数,通信密钥计数器在更新二级密钥时会清零。The secondary key storage module only stores the currently used secondary key, and is provided with a communication key counter. The key storage module will not store the secondary key used in history, but only the currently used secondary key and the number of the secondary key. The communication key counter counts the communication key generated by the current secondary key, and the communication key counter will be cleared when the secondary key is updated.

二级密钥计算模块根据通信密钥计数器的值计算下一个通信密钥,并将通信密钥计数器增加1。二级密钥计算模块可根据一个二级密钥生成多个通信密钥。The secondary key calculation module calculates the next communication key according to the value of the communication key counter, and increments the communication key counter by 1. The secondary key calculation module can generate multiple communication keys according to a secondary key.

二级密钥单元作为次一级的密钥单元,安全性仅次于根密钥。二级密钥是通信密钥产生的基础,进一步提升系统的安全性。需要说明的是,由于二级密钥的数量不确定,二级密钥单元仅存储当前使用的二级密钥,当前使用的二级密钥也包括一个或多个。为节约存储成本,也为了进一步提升系统的安全性,防止黑客根据历史的二级密钥破译出当前的二级密钥,二级密钥存储模块不会存储历史使用的二级密钥,仅存储当前使用的二级密钥及该二级密钥的编号。二级密钥单元根据二级密钥产生一个或多个通 信密钥。The secondary key unit is the second-level key unit, and its security is second only to the root key. The secondary key is the basis for the generation of communication keys, which further improves the security of the system. It should be noted that, since the number of secondary keys is uncertain, the secondary key unit only stores the currently used secondary keys, and the currently used secondary keys also include one or more secondary keys. In order to save storage costs and further improve the security of the system and prevent hackers from deciphering the current secondary key based on the historical secondary key, the secondary key storage module will not store the historically used secondary key, only Stores the currently used secondary key and the number of the secondary key. The secondary key unit generates one or more communication keys based on the secondary key.

通信密钥单元包括通信密钥存储模块和加解密模块,通信密钥单元可以配置一台单独的机器或者与区块链节点配置在同一台机器上。The communication key unit includes a communication key storage module and an encryption and decryption module, and the communication key unit can be configured on a separate machine or on the same machine as the blockchain node.

通信密钥存储模块存储当前使用的通信密钥及该通信密钥的编号。同二级密钥单元,此密钥存储模块不存储历史通信密钥,仅存储当前使用的通信密钥及其编号。通信密钥的编号包括二级密钥的编号和当前的通信密钥在生成时对应的二级密钥单元中的序号。The communication key storage module stores the currently used communication key and the serial number of the communication key. The same as the secondary key unit, this key storage module does not store historical communication keys, but only the currently used communication keys and their numbers. The serial number of the communication key includes the serial number of the secondary key and the serial number in the secondary key unit corresponding to the current communication key when it is generated.

加解密模块从区块链节点获取输入加密请求或解密请求,根据参数进行加密或者解密操作并返回给区块链节点。The encryption and decryption module obtains the input encryption request or decryption request from the blockchain node, performs encryption or decryption operations according to the parameters, and returns it to the blockchain node.

在数据保护模式下,即正常运行区块链系统的环境下,通信密钥单元向区块链节点提供加密操作和解密操作。二级密钥单元定期向通信密钥模块发起密钥更新请求。根密钥单元更新二级密钥的周期由用户自行判断。此时所有密钥更新都是单向的,由上一级密钥单元向下一级密钥单元发起更新请求。下一级密钥单元无法向上一级主动发起请求。实现在一个通信密钥丢失时,只有部分数据会丢失,大部分数据仍然安全。In the data protection mode, that is, the environment in which the blockchain system is running normally, the communication key unit provides encryption operations and decryption operations to the blockchain nodes. The secondary key unit periodically initiates a key update request to the communication key module. The period for the root key unit to update the secondary key is determined by the user. At this time, all key updates are one-way, and the upper-level key unit initiates an update request to the next-level key unit. The next-level key unit cannot actively initiate a request to the upper-level. Realize that when a communication key is lost, only part of the data will be lost, and most of the data will remain safe.

在一个具体的实施中,二级密钥单元作为中间装置可以省略。通过根密钥单元和通信密钥单元即可实现数据加密。根密钥单元根据根密钥在预设周期内生成通信密钥,通信密钥单元根据通信密钥进行加解密操作。该实施例适用于安全等级不高的区块链环境中。根密钥单元采用单独的存储介质,只在更新通信密钥时接入通信密钥单元。In a specific implementation, the secondary key unit may be omitted as an intermediate device. Data encryption can be achieved through the root key unit and the communication key unit. The root key unit generates a communication key within a preset period according to the root key, and the communication key unit performs encryption and decryption operations according to the communication key. This embodiment is suitable for a blockchain environment with a low security level. The root key unit adopts a separate storage medium, and only accesses the communication key unit when the communication key is updated.

在一个具体的实施中,二级密钥单元作为中间装置包括多个子单元。多个子单元之间通过生成的密钥进行逐层加密。例如,二级密钥单元包括第一密钥单元、第二密钥单元、第三密钥单元,第一密钥单元根据当前的二级密钥生成第一密钥,第二密钥单元根据第一密钥生成第二密钥,第三密钥单元根据第二密钥生成通信密钥,如说明书附图3所示。该实施例适用于安全性等级高的区块链环境,可根据安全等级选择合适数量的子单元进行加密。In a specific implementation, the secondary key unit as an intermediate device includes a plurality of subunits. Layer-by-layer encryption is performed between multiple sub-units through the generated key. For example, the secondary key unit includes a first key unit, a second key unit, and a third key unit. The first key unit generates the first key according to the current secondary key, and the second key unit generates the first key according to the current secondary key. The first key generates the second key, and the third key unit generates the communication key according to the second key, as shown in FIG. 3 of the specification. This embodiment is suitable for a blockchain environment with a high security level, and an appropriate number of subunits can be selected for encryption according to the security level.

本实施例根据区块链环境的特点,提出一种区块链数据保护方法,提 供密钥管理和数据加解密,将密钥扩充为根密钥、二级密钥和通信密钥,其中二级密钥根据根密钥生成,通信密钥根据二级密钥生成。根密钥具有最高的安全等级,可以使用单独的硬件隔离或者存储在单独的机器上,与互联网隔离,仅在使用时接入二级密钥单元。二级密钥用于定时生成通信密钥,存储在与存储通信密钥的机器不同的机器上,与外网隔离,仅与使用通信密钥加解密的机器通信。通信密钥可以存储在区块链节点机器或者其他与节点机器连接的机器上,密钥管理系统基于通信密钥为节点提供加解密单元。According to the characteristics of the blockchain environment, this embodiment proposes a blockchain data protection method, which provides key management and data encryption and decryption, and expands the key into a root key, a secondary key, and a communication key, two of which are The primary key is generated from the root key, and the communication key is generated from the secondary key. The root key has the highest level of security and can be isolated using separate hardware or stored on a separate machine, isolated from the Internet, with access to the secondary key unit only when in use. The secondary key is used to periodically generate the communication key, which is stored on a different machine from the machine where the communication key is stored, isolated from the external network, and only communicates with the machine that uses the communication key to encrypt and decrypt. The communication key can be stored on the blockchain node machine or other machines connected to the node machine, and the key management system provides the node with an encryption and decryption unit based on the communication key.

本实施例将密钥与区块链网络隔离,在密钥泄露的情况下,保证数据最小化泄露,解决了现有技术中密钥泄露则所有链上的数据都会泄露的弊端。且密钥与区块链网络隔离,减少被黑客网络攻击的可能性,进一步保证数据安全性。无需存储历史密钥,可以减少密码系统的维护成本,减少存储空间并且避免一次性泄露全部加解密密钥的可能性。此外,用户还可以根据区块链数据的安全等级选择合适的密码保护方案。This embodiment isolates the key from the blockchain network. In the event of a key leak, data leakage is minimized, which solves the problem in the prior art that all data on the chain will be leaked if the key is leaked. And the key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security. There is no need to store historical keys, which can reduce the maintenance cost of the cryptographic system, reduce the storage space and avoid the possibility of leaking all encryption and decryption keys at one time. In addition, users can also choose an appropriate password protection scheme according to the security level of the blockchain data.

实施例2Example 2

本实施例在实施例1的区块链数据保护方法的基础上,加入数据恢复模式,进一步扩展了该方法的功能性。数据恢复模式的流程步骤如说明书附图4,具体方案如下:On the basis of the blockchain data protection method in Embodiment 1, this embodiment adds a data recovery mode to further expand the functionality of the method. The process steps of the data recovery mode are as shown in Figure 4 of the description, and the specific scheme is as follows:

数据恢复模式:Data Recovery Mode:

区块链节点发送含有通信密钥的数据恢复请求;The blockchain node sends a data recovery request containing the communication key;

通信密钥单元根据数据恢复请求解析出通信密钥,判断通信密钥是否正确,若否,则生成第一密钥请求,若是,则为区块链节点进行解密操作;The communication key unit parses out the communication key according to the data recovery request, determines whether the communication key is correct, if not, generates a first key request, and if so, performs decryption operation for the blockchain node;

二级密钥单元根据第一密钥请求解析出二级密钥,判断二级密钥是否正确,若否,则生成第二密钥请求,若是,则为区块链节点进行第一解密操作;The secondary key unit parses out the secondary key according to the first key request, and judges whether the secondary key is correct, if not, generates a second key request, and if so, performs the first decryption operation for the blockchain node ;

根密钥单元根据第二密钥请求密钥对区块链节点进行第二解密操作。The root key unit performs a second decryption operation on the blockchain node according to the second key request key.

数据恢复模式的流程图如说明书附图5所示。The flowchart of the data recovery mode is shown in Figure 5 of the specification.

通信密钥单元接收到区块链节点的数据恢复请求。数据恢复请求只针对数据恢复模式,数据恢复请求中含有通信密钥。通信密钥单元解析数据恢复请求的通信密钥,判断该通信密钥是否正确,即该通信密钥是否为当前的通信密钥。若判断为是,则通信密钥正确,通信密钥单元对区块链节点进行解密操作,获取解密后的区块链节点内存储的数据并返回给区块链节点,实现数据恢复。若判断为否,则通信密钥不正确,通信密钥单元生成第一密钥请求给二级密钥单元。The communication key unit receives the data recovery request from the blockchain node. The data recovery request is only for the data recovery mode, and the data recovery request contains the communication key. The communication key unit analyzes the communication key of the data recovery request, and determines whether the communication key is correct, that is, whether the communication key is the current communication key. If the judgment is yes, the communication key is correct, and the communication key unit decrypts the blockchain node, obtains the decrypted data stored in the blockchain node, and returns it to the blockchain node to achieve data recovery. If the judgment is negative, the communication key is incorrect, and the communication key unit generates a first key request to the secondary key unit.

二级密钥单元接收第二密钥请求,根据通信密钥推导出二级密钥,二级密钥单元判读该二级密钥是否为当前使用的二级密钥。若判断结果为是,则二级密钥正确,二级密钥单元执行第一解密操作。第一解密操作为:二级密钥单元根据该二级密钥计算出通信密钥,将该通信密钥设置为当前的通信密钥,此时通信密钥单元接到新的通信密钥,与数据恢复请求中的通信密钥相同,则通信密钥单元对区块链节点进行解密操作,获取解密后的区块链节点内存储的数据并返回给区块链节点,实现数据恢复。若判断结果为否,则该二级密钥不正确,二级密钥单元生成第二密钥请求给根密钥单元。The secondary key unit receives the second key request, derives the secondary key according to the communication key, and the secondary key unit judges whether the secondary key is the currently used secondary key. If the judgment result is yes, the secondary key is correct, and the secondary key unit performs the first decryption operation. The first decryption operation is: the secondary key unit calculates the communication key according to the secondary key, sets the communication key as the current communication key, and the communication key unit receives the new communication key at this time, If it is the same as the communication key in the data recovery request, the communication key unit decrypts the blockchain node, obtains the decrypted data stored in the blockchain node, and returns it to the blockchain node to achieve data recovery. If the judgment result is no, the secondary key is incorrect, and the secondary key unit generates a second key request to the root key unit.

根密钥单元接收第二密钥请求,根据二级密钥推导出根密钥,根密钥单元判断该根密钥是否为使用过或正在使用的根密钥。若判断结果为是,则根密钥正确,根密钥单元执行第二解密操作。第二解密操作包括:根密钥单元根据该根密钥计算出二级密钥,并将该二级密钥存储为当前的二级密钥。二级密钥单元接收新的二级密钥与第一密钥请求中的二级密钥一致,则二级密钥单元执行第一解密操作。若判断结构为否,则该根密钥不正确,根密钥单元拒绝提供密钥,数据恢复失败。The root key unit receives the second key request, derives the root key according to the secondary key, and the root key unit determines whether the root key is a used or currently used root key. If the judgment result is yes, the root key is correct, and the root key unit performs the second decryption operation. The second decryption operation includes: the root key unit calculates the secondary key according to the root key, and stores the secondary key as the current secondary key. When the new secondary key received by the secondary key unit is consistent with the secondary key in the first key request, the secondary key unit performs the first decryption operation. If the judgment structure is negative, the root key is incorrect, the root key unit refuses to provide the key, and data recovery fails.

由于二级密钥单元和通信密钥单元只存储当前使用的密钥,当发生密钥遗失时,只需输入已经使用过的通信密钥,根密钥单元即可根据该密钥逐步推导出对应的根密钥。Since the secondary key unit and the communication key unit only store the currently used key, when the key is lost, it is only necessary to input the used communication key, and the root key unit can gradually deduce the key according to the key. the corresponding root key.

在数据恢复模式下,即由于意外发生导致区块链数据损失,各密钥单元可以向上一级密钥单元主动发起请求。建议系统离线进行数据恢复。通 信密钥单元接到解密请求后判断密钥信息,向二级密钥单元请求密钥,二级密钥单元判断该密钥的父密钥,向根密钥单元请求密钥。根密钥单元收到密钥请求单元后,根据编号计算密钥返回给二级密钥单元,二级密钥单元根据收到的二级密钥和密钥编号计算通信密钥,将密钥发送给通信密钥单元,通信密钥单元使用该密钥解密数据,最后返回给区块链节点。执行完一次该流程后,密钥系统将解密数据返回到区块链节点中,区块链节点使用解密数据更新本地数据库及业务系统数据库,进行数据恢复。数据恢复一直到所有区块链上的数据都更新到本地数据库及业务数据库中即恢复完成。In the data recovery mode, that is, due to the loss of blockchain data due to an accident, each key unit can actively initiate a request to the upper-level key unit. It is recommended that the system be offline for data recovery. After receiving the decryption request, the communication key unit judges the key information, requests the key from the secondary key unit, the secondary key unit judges the parent key of the key, and requests the key from the root key unit. After the root key unit receives the key request unit, it calculates the key according to the number and returns it to the secondary key unit, and the secondary key unit calculates the communication key according to the received secondary key and key number, It is sent to the communication key unit, which uses the key to decrypt the data, and finally returns it to the blockchain node. After executing this process once, the key system returns the decrypted data to the blockchain node, and the blockchain node uses the decrypted data to update the local database and business system database for data recovery. Data recovery is complete until all data on the blockchain is updated to the local database and business database.

本实施例在实施例1的基础上,增加了数据恢复模式,进一步扩展了该方法的功能性。在区块链数据损失后,各密钥单元可以向上一级密钥单元主动发起请求,实现数据恢复。用户只需输入当前或历史使用过的通信密钥,即可实现数据恢复,实用性强。On the basis of Embodiment 1, this embodiment adds a data recovery mode to further expand the functionality of the method. After the blockchain data is lost, each key unit can actively initiate a request to the upper-level key unit to achieve data recovery. Users only need to input the current or historically used communication key to achieve data recovery, which is highly practical.

实施例3Example 3

本实施例在实施例2的基础上,将实施例2提出的一种区块链数据保护方法系统化,形成一种区块链数据保护系统,各模块示意图如说明书附图4。具体方案如下:On the basis of Embodiment 2, this embodiment systematizes a blockchain data protection method proposed in Embodiment 2 to form a blockchain data protection system. The schematic diagram of each module is shown in Figure 4 of the description. The specific plans are as follows:

一种区块链数据保护系统,数据保护模式和数据恢复模式。A blockchain data protection system, data protection mode and data recovery mode.

在数据保护模式下,该系统包括通信密钥单元、根密钥单元和二级密钥单元。具体包括:In the data protection mode, the system includes a communication key unit, a root key unit and a secondary key unit. Specifically include:

通信密钥单元:用于接收区块链节点发送加密请求或解密请求,根据当前的通信密钥对区块链节点进行加密操作,根据当前的通信密钥和解密请求对区块链节点进行解密操作;Communication key unit: used to receive the encryption request or decryption request sent by the blockchain node, encrypt the blockchain node according to the current communication key, and decrypt the blockchain node according to the current communication key and decryption request. operate;

根密钥单元:用于根据根密钥按照预设周期更新当前的二级密钥;Root key unit: used to update the current secondary key according to the root key according to a preset period;

二级密钥单元:用于根据当前的二级密钥按照预设时间更新当前的通信密钥;Secondary key unit: used to update the current communication key according to the current secondary key according to the preset time;

在数据恢复模式下,该系统包括通信密钥单元、根密钥单元和二级密 钥单元。具体包括:In the data recovery mode, the system includes a communication key unit, a root key unit and a secondary key unit. Specifically include:

通信密钥单元:用于接收区块链节点发送含有通信密钥的数据恢复请求,根据数据恢复请求解析出通信密钥,判断通信密钥是否正确,若否,则生成第一密钥请求,若是,则为区块链节点进行解密操作;Communication key unit: used to receive a data recovery request containing a communication key sent by the blockchain node, parse out the communication key according to the data recovery request, determine whether the communication key is correct, if not, generate a first key request, If so, decrypt it for the blockchain node;

二级密钥单元:用于根据第一密钥请求解析出二级密钥,判断二级密钥是否正确,若否,则生成第二密钥请求,若是,则为区块链节点进行第一解密操作;二级密钥单元可包括多个密钥子单元,进一步提升系统的安全性。Secondary key unit: used to parse out the secondary key according to the first key request, and determine whether the secondary key is correct; if not, generate a second key request; if so, perform the second key request for the blockchain node A decryption operation; the secondary key unit may include multiple key sub-units to further improve the security of the system.

根密钥单元:用于根据所述第二密钥请求解析出根密钥,判断所述根密钥是否正确,若是,则进行第二解密操作。Root key unit: used to parse out the root key according to the second key request, determine whether the root key is correct, and if so, perform a second decryption operation.

其中,第一解密操作包括:二级密钥单元根据二级密钥计算通信密钥;将通信密钥设置为当前的通信密钥;通信密钥单元根据通信密钥为区块链节点进行解密操作;The first decryption operation includes: the secondary key unit calculates the communication key according to the secondary key; the communication key is set as the current communication key; the communication key unit decrypts the blockchain node according to the communication key operate;

其中,第二解密操作包括:根密钥单元根据第二密钥请求计算二级密钥;将二级密钥设置为当前的二级密钥;执行第一解密操作。The second decryption operation includes: the root key unit calculates the secondary key according to the second key request; sets the secondary key as the current secondary key; and executes the first decryption operation.

具体地,根密钥单元包括根密钥存储模块和根密钥计算模块。Specifically, the root key unit includes a root key storage module and a root key calculation module.

根密钥存储模块:用于存储所有根密钥,并记录生成的二级密钥数量;根密钥存储模块存储了所有的根密钥,并设置有二级密钥计数器。二级密钥计数器用于记录已经生成过的二级密钥数量,每生成一个二级密钥,计数器增加1。Root key storage module: used to store all root keys and record the number of secondary keys generated; the root key storage module stores all root keys and is provided with a secondary key counter. The secondary key counter is used to record the number of secondary keys that have been generated. Each time a secondary key is generated, the counter increases by 1.

根密钥计算模块:用于根据二级密钥数量计算二级密钥。根密钥计算模块根据二级密钥计数器的值计算下一个二级密钥,并将二级密钥计数器增加1。Root key calculation module: used to calculate the secondary key according to the number of secondary keys. The root key calculation module calculates the next secondary key according to the value of the secondary key counter, and increments the secondary key counter by 1.

具体地,二级密钥单元包括二级密钥存储模块和二级密钥计算模块。Specifically, the secondary key unit includes a secondary key storage module and a secondary key calculation module.

二级密钥存储模块:用于存储当前使用的二级密钥及其二级密钥编号,并记录生成的通信密钥数量;二级密钥存储模块仅存储当前使用的二级密钥,并设置有通信密钥计数器。密钥存储模块不会存储历史使用的二级密钥,仅存储当前使用的二级密钥及该二级密钥的编号。通信密钥计数器为 当前二级密钥生成的通信密钥数量,通信密钥计数器在更新二级密钥时会清零。Secondary key storage module: used to store the currently used secondary key and its secondary key number, and record the number of generated communication keys; the secondary key storage module only stores the currently used secondary key, And set a communication key counter. The key storage module will not store the secondary key used in history, but only the currently used secondary key and the number of the secondary key. The communication key counter is the number of communication keys generated by the current secondary key, and the communication key counter will be cleared when the secondary key is updated.

二级密钥计算模块:用于根据通信密钥数量计算通信密钥。二级密钥计算模块根据通信密钥计数器的值计算下一个通信密钥,并将通信密钥计数器增加1。Secondary key calculation module: used to calculate the communication key according to the number of communication keys. The secondary key calculation module calculates the next communication key according to the value of the communication key counter, and increments the communication key counter by 1.

具体地,通信密钥单元包括加解密模块和通信密钥存储模块。Specifically, the communication key unit includes an encryption/decryption module and a communication key storage module.

加解密模块:用于对区块链节点进行加密操作或解密操作;Encryption and decryption module: used to encrypt or decrypt blockchain nodes;

通信密钥存储模块:用于存储当前使用的通讯密钥及其通信密钥编号,通信密钥编号包括二级密钥编号。Communication key storage module: used to store the currently used communication key and its communication key number, the communication key number including the secondary key number.

本实施例提出的区块链数据保护系统对区块链框架透明,只需将传统的加密服务进行替换,无需对区块链框架进行任何改变,应用到区块链如说明书附图6所示。The blockchain data protection system proposed in this embodiment is transparent to the blockchain framework, only the traditional encryption service needs to be replaced without any changes to the blockchain framework, and the application to the blockchain is shown in Figure 6 of the specification. .

本发明针对现有技术,提出了一种区块链数据保护方法及系统,基于分级密钥管理对区块链数据进行加密保护,安全性高。通过提供密钥管理和数据加解密,将密钥扩充为根密钥、二级密钥和通信密钥,极大提升了安全性。通过将密钥与区块链网络隔离,在密钥泄露的情况下,保证数据最小化泄露,解决了现有技术中密钥泄露则所有链上的数据都会泄露的弊端。且密钥与区块链网络隔离,减少被黑客网络攻击的可能性,进一步保证数据安全性。无需存储历史密钥,可以减少密码系统的维护成本,并且避免一次性泄露全部加解密密钥的可能性。用户可以根据安全等级选择密码保护方案。在区块链数据损失后,各密钥单元可以向上一级密钥单元主动发起请求,实现数据恢复。用户只需输入当前或历史使用过的通信密钥,即可实现数据恢复,实用性强。将区块链数据保护方法模块化,形成一种具体的系统,使其更具备实用性。区块链数据保护系统对区块链框架透明,只需将传统的加密服务进行替换,无需对区块链框架进行任何改变。Aiming at the prior art, the present invention proposes a block chain data protection method and system, which encrypts and protects block chain data based on hierarchical key management, and has high security. By providing key management and data encryption and decryption, the key is expanded into the root key, secondary key and communication key, which greatly improves the security. By isolating the key from the blockchain network, in the event of a key leak, data leakage can be minimized, which solves the drawback of the prior art that all data on the chain will be leaked if the key is leaked. And the key is isolated from the blockchain network, reducing the possibility of being attacked by hackers and further ensuring data security. There is no need to store historical keys, which can reduce the maintenance cost of the cryptographic system and avoid the possibility of leaking all encryption and decryption keys at one time. Users can choose a password protection scheme according to the security level. After the blockchain data is lost, each key unit can actively initiate a request to the upper-level key unit to achieve data recovery. Users only need to input the current or historically used communication key to achieve data recovery, which is highly practical. Modularize the blockchain data protection method to form a specific system, making it more practical. The blockchain data protection system is transparent to the blockchain framework, only the traditional encryption service needs to be replaced without any changes to the blockchain framework.

本领域普通技术人员应该明白,上述的本发明的各模块或各步骤可以用通用的计算装置来实现,它们可以集中在单个计算装置上,或者分布在 多个计算装置所组成的网络上,可选地,他们可以用计算机装置可执行的程序代码来实现,从而可以将它们存储在存储装置中由计算装置来执行,或者将它们分别制作成各个集成电路模块,或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。这样,本发明不限制于任何特定的硬件和软件的结合。Those of ordinary skill in the art should understand that the above-mentioned modules or steps of the present invention can be implemented by a general-purpose computing device, and they can be centralized on a single computing device, or distributed on a network composed of multiple computing devices. Optionally, they may be implemented in program code executable by a computer device, so that they can be stored in a storage device and executed by the computing device, or they can be fabricated separately into individual integrated circuit modules, or a plurality of modules of them Or the steps are made into a single integrated circuit module to realize. As such, the present invention is not limited to any specific combination of hardware and software.

注意,上述仅为本发明的较佳实施例及所运用技术原理。本领域技术人员会理解,本发明不限于这里的特定实施例,对本领域技术人员来说能够进行各种明显的变化、重新调整和替代而不会脱离本发明的保护范围。因此,虽然通过以上实施例对本发明进行了较为详细的说明,但是本发明不仅仅限于以上实施例,在不脱离本发明构思的情况下,还可以包括更多其他等效实施例,而本发明的范围由所附的权利要求范围决定。Note that the above are only preferred embodiments of the present invention and applied technical principles. Those skilled in the art will understand that the present invention is not limited to the specific embodiments herein, and various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the protection scope of the present invention. Therefore, although the present invention has been described in detail through the above embodiments, the present invention is not limited to the above embodiments, and can also include more other equivalent embodiments without departing from the concept of the present invention. The scope is determined by the scope of the appended claims.

以上公开的仅为本发明的几个具体实施场景,但是,本发明并非局限于此,任何本领域的技术人员能思之的变化都应落入本发明的保护范围。The above disclosures are only a few specific implementation scenarios of the present invention, however, the present invention is not limited thereto, and any changes that can be conceived by those skilled in the art should fall within the protection scope of the present invention.

Claims (13)

一种区块链数据保护方法,其特征在于,应用于包括有根密钥单元、二级密钥单元和通信密钥单元的系统中,所述方法包括数据保护模式:A blockchain data protection method, characterized in that it is applied to a system including a root key unit, a secondary key unit and a communication key unit, and the method includes a data protection mode: 区块链节点发送加密请求或解密请求;The blockchain node sends an encryption request or a decryption request; 所述根密钥单元根据根密钥按照预设周期更新二级密钥;The root key unit updates the secondary key according to the root key according to a preset period; 所述二级密钥单元根据当前的二级密钥按照预设时间更新通信密钥;The secondary key unit updates the communication key according to the current secondary key according to the preset time; 所述通信密钥单元接收所述加密请求或所述解密请求,根据当前的通信密钥和所述加密请求对所述区块链节点进行加密操作,根据当前的通信密钥和所述解密请求对所述区块链节点进行解密操作。The communication key unit receives the encryption request or the decryption request, performs an encryption operation on the blockchain node according to the current communication key and the encryption request, and performs an encryption operation on the blockchain node according to the current communication key and the decryption request. Perform a decryption operation on the blockchain node. 根据权利要求1所述的方法,其特征在于,所述方法还包括数据恢复模式:The method of claim 1, wherein the method further comprises a data recovery mode: 所述区块链节点发送含有所述通信密钥的数据恢复请求;The blockchain node sends a data recovery request containing the communication key; 所述通信密钥单元根据所述数据恢复请求解析出所述通信密钥,判断所述通信密钥是否正确,若否,则生成第一密钥请求,若是,则为所述区块链节点进行解密操作;The communication key unit parses out the communication key according to the data recovery request, determines whether the communication key is correct, if not, generates a first key request, and if so, is the blockchain node perform decryption operations; 所述二级密钥单元根据所述第一密钥请求解析出二级密钥,判断所述二级密钥是否正确,若否,则生成第二密钥请求,若是,则根据所述二级密钥计算出通信密钥后进行解密操作;The secondary key unit parses out the secondary key according to the first key request, and judges whether the secondary key is correct; if not, generates a second key request; After the level key calculates the communication key, the decryption operation is performed; 所述根密钥单元根据所述第二密钥请求解析出根密钥,判断所述根密钥是否正确,若是,则根据所述根密钥计算出二级密钥和通信密钥后进行解密操作。The root key unit parses out the root key according to the second key request, and judges whether the root key is correct, and if so, calculates the secondary key and the communication key according to the root key. decryption operation. 根据权利要求2所述的方法,其特征在于,其中,所述“根据所述二级密钥计算出通信密钥后进行解密操作”具体包括:The method according to claim 2, wherein the "decryption operation after calculating the communication key according to the secondary key" specifically comprises: 所述二级密钥单元根据所述二级密钥计算通信密钥;The secondary key unit calculates a communication key according to the secondary key; 将所述通信密钥设置为当前的通信密钥;setting the communication key as the current communication key; 所述通信密钥单元根据所述通信密钥为所述区块链节点进行所述解密操作;The communication key unit performs the decryption operation for the blockchain node according to the communication key; 其中,所述“根据所述根密钥计算出二级密钥和通信密钥后进行解密操作”具体包括:Wherein, the "decryption operation after calculating the secondary key and the communication key according to the root key" specifically includes: 所述根密钥单元根据所述第二密钥请求计算出二级密钥;The root key unit calculates a secondary key according to the second key request; 将所述二级密钥设置为当前的二级密钥;setting the secondary key as the current secondary key; 所述二级密钥单元根据所述二级密钥计算通信密钥;The secondary key unit calculates a communication key according to the secondary key; 将所述通信密钥设置为当前的通信密钥;setting the communication key as the current communication key; 所述通信密钥单元根据所述通信密钥为所述区块链节点进行所述解密操作。The communication key unit performs the decryption operation for the blockchain node according to the communication key. 根据权利要求2所述的方法,其特征在于,所述根密钥单元仅在更新所述二级密钥时接入所述二级密钥单元;The method according to claim 2, wherein the root key unit accesses the secondary key unit only when the secondary key is updated; 和/或所述二级密钥单元与所述通信密钥单元设置在不同的服务器上。And/or the secondary key unit and the communication key unit are set on different servers. 根据权利要求2所述的方法,其特征在于,所述根密钥单元包括根密钥计算模块和根密钥存储模块;The method according to claim 2, wherein the root key unit comprises a root key calculation module and a root key storage module; 所述根密钥存储模块存储所有的根密钥,并记录生成的二级密钥数量;The root key storage module stores all root keys, and records the number of secondary keys generated; 所述根密钥计算模块根据所述二级密钥数量计算二级密钥,每个二级密钥对应有二级密钥编号。The root key calculation module calculates secondary keys according to the number of secondary keys, and each secondary key corresponds to a secondary key number. 根据权利要求5所述的方法,其特征在于,所述二级密钥单元包括二级密钥计算模块和二级密钥存储模块;The method according to claim 5, wherein the secondary key unit comprises a secondary key calculation module and a secondary key storage module; 所述二级密钥存储模块仅存储当前的二级密钥及其二级密钥编号,并记录根据当前的二级密钥所生成的通信密钥数量,所述通信密钥数量在当前的二级密钥更新时清零;The secondary key storage module only stores the current secondary key and its secondary key number, and records the number of communication keys generated according to the current secondary key. Cleared when the secondary key is updated; 所述二级密钥计算模块根据当前的二级密钥和所述通信密钥数量计算通信密钥,每个所述通信密钥对应有通信密钥编号,所述通信密钥编号中设置有所述二级密钥编号。The secondary key calculation module calculates a communication key according to the current secondary key and the number of the communication keys, each of the communication keys corresponds to a communication key number, and the communication key number is provided with The secondary key number. 根据权利要求6所述的方法,其特征在于,所述通信密钥单元包括加解密模块和通信密钥存储模块;The method according to claim 6, wherein the communication key unit comprises an encryption/decryption module and a communication key storage module; 所述加解密模块对所述区块链节点进行加密操作或解密操作;The encryption and decryption module performs encryption operation or decryption operation on the blockchain node; 所述通信密钥存储模块仅存储当前的通讯密钥及其通信密钥编号。The communication key storage module only stores the current communication key and its communication key number. 根据权利要求2所述的方法,其特征在于,所述二级密钥单元包括多个密钥子单元,多个所述密钥子单元之间依次连接,通过生成子密钥实现逐层加密。The method according to claim 2, wherein the secondary key unit includes a plurality of key sub-units, and the plurality of the key sub-units are connected in sequence, and layer-by-layer encryption is implemented by generating sub-keys . 一种区块链数据保护系统,其特征在于,所述系统连接区块链节点,包括,A blockchain data protection system, characterized in that the system is connected to a blockchain node, including, 通信密钥单元:用于接收区块链节点发送的加密请求或解密请求,根据当前的通信密钥和所述加密请求对所述区块链节点进行加密操作,根据当前的通信密钥和所述解密请求对所述区块链节点进行解密操作;Communication key unit: used to receive an encryption request or decryption request sent by a blockchain node, perform an encryption operation on the blockchain node according to the current communication key and the encryption request, and perform an encryption operation on the blockchain node according to the current communication key and the encryption request. Decrypt the blockchain node according to the decryption request; 根密钥单元:用于根据根密钥按照预设周期更新二级密钥;Root key unit: used to update the secondary key according to the root key according to a preset period; 二级密钥单元:用于根据当前的二级密钥按照预设时间更新通信密钥。Secondary key unit: used to update the communication key according to the current secondary key according to the preset time. 根据权利要求9所述的系统,其特征在于,The system of claim 9, wherein: 所述通信密钥单元还包括:用于接收所述区块链节点发送的含有所述通信密钥的数据恢复请求,根据所述数据恢复请求解析出所述通信密钥,判断所述通信密钥是否正确,若否,则生成第一密钥请求,若是,则为所述区块链节点进行解密操作;The communication key unit further includes: receiving a data recovery request containing the communication key sent by the blockchain node, parsing the communication key according to the data recovery request, and determining the communication key. Whether the key is correct, if not, generate a first key request, if so, perform decryption operation for the blockchain node; 所述二级密钥单元还包括:用于根据所述第一密钥请求解析出二级密钥,判断所述二级密钥是否正确,若否,则生成第二密钥请求,若是,则根据所述二级密钥计算通信密钥后进行解密操作;The secondary key unit further includes: for parsing out the secondary key according to the first key request, judging whether the secondary key is correct, if not, generating a second key request, if yes, Then perform a decryption operation after calculating the communication key according to the secondary key; 所述根密钥单元还包括:用于根据所述第二密钥请求解析出根密钥,判断所述根密钥是否正确,若是,则根据所述根密钥计算出二级密钥和通信密钥后进行解密操作。The root key unit further includes: for analyzing the root key according to the second key request, and judging whether the root key is correct, if so, calculating the secondary key and the root key according to the root key. The decryption operation is performed after the communication key. 根据权利要求10所述的系统,其特征在于,所述根密钥单元包括,The system of claim 10, wherein the root key unit comprises: 根密钥存储模块:用于存储所有的所述根密钥,并记录生成的二级密钥数量;Root key storage module: used to store all the root keys and record the number of secondary keys generated; 根密钥计算模块:用于根据所述二级密钥数量计算所述二级密钥。Root key calculation module: used to calculate the secondary key according to the quantity of the secondary key. 根据权利要求11所述的系统,其特征在于,所述二级密钥单元包括,The system of claim 11, wherein the secondary key unit comprises: 二级密钥存储模块:用于存储当前的二级密钥及其二级密钥编号,并记录生成的通信密钥数量;Secondary key storage module: used to store the current secondary key and its secondary key number, and record the number of generated communication keys; 二级密钥计算模块:用于根据所述通信密钥数量计算所述通信密钥。Secondary key calculation module: used to calculate the communication key according to the number of the communication keys. 根据权利要求12所述的系统,其特征在于,所述通信密钥单元包括,The system of claim 12, wherein the communication key unit comprises: 加解密模块:用于对所述区块链节点进行加密操作或解密操作;Encryption and decryption module: used to encrypt or decrypt the blockchain node; 通信密钥存储模块:用于存储当前的通讯密钥及其通信密钥编号,所述通信密钥编号包括所述二级密钥编号。Communication key storage module: used to store the current communication key and its communication key number, where the communication key number includes the secondary key number.
PCT/CN2021/081017 2021-03-16 2021-03-16 Blockchain data protection method and system Ceased WO2022193119A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/081017 WO2022193119A1 (en) 2021-03-16 2021-03-16 Blockchain data protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/081017 WO2022193119A1 (en) 2021-03-16 2021-03-16 Blockchain data protection method and system

Publications (1)

Publication Number Publication Date
WO2022193119A1 true WO2022193119A1 (en) 2022-09-22

Family

ID=83321297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/081017 Ceased WO2022193119A1 (en) 2021-03-16 2021-03-16 Blockchain data protection method and system

Country Status (1)

Country Link
WO (1) WO2022193119A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 Method for safely updating key in block chain, node and storage medium
CN110033258A (en) * 2018-11-12 2019-07-19 阿里巴巴集团控股有限公司 Business datum encryption method and device based on block chain
CN111291399A (en) * 2020-03-05 2020-06-16 联想(北京)有限公司 Data encryption method, system, computer system and computer readable storage medium
CN111464297A (en) * 2020-03-30 2020-07-28 百度国际科技(深圳)有限公司 Transaction processing method and device based on block chain, electronic equipment and medium
US20200266997A1 (en) * 2019-02-14 2020-08-20 Anchor Labs, Inc. Cryptoasset custodial system with different cryptographic keys controlling access to separate groups of private keys

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110033258A (en) * 2018-11-12 2019-07-19 阿里巴巴集团控股有限公司 Business datum encryption method and device based on block chain
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 Method for safely updating key in block chain, node and storage medium
US20200266997A1 (en) * 2019-02-14 2020-08-20 Anchor Labs, Inc. Cryptoasset custodial system with different cryptographic keys controlling access to separate groups of private keys
CN111291399A (en) * 2020-03-05 2020-06-16 联想(北京)有限公司 Data encryption method, system, computer system and computer readable storage medium
CN111464297A (en) * 2020-03-30 2020-07-28 百度国际科技(深圳)有限公司 Transaction processing method and device based on block chain, electronic equipment and medium

Similar Documents

Publication Publication Date Title
EP3682342B1 (en) Shared blockchain data storage based on error correction coding in trusted execution environments
Shivaramakrishna et al. A novel hybrid cryptographic framework for secure data storage in cloud computing: Integrating AES-OTP and RSA with adaptive key management and Time-Limited access control
CN110214325B (en) Method and system for data masking
CA3098934C (en) Consenus of shared blockchain data storage based on error correction code
KR102363271B1 (en) Data security of shared blockchain data storage based on error correction codes
US20190260715A1 (en) Computer system, connection apparatus, and processing method using transaction
CN101005357A (en) Method and system for updating certification key
US11921877B2 (en) Efficient random tokenization in the cloud
CN111104691A (en) Sensitive information processing method and device, storage medium and equipment
CN106776904A (en) The fuzzy query encryption method of dynamic authentication is supported in a kind of insincere cloud computing environment
US11588631B2 (en) Systems and methods for blockchain-based automatic key generation
Mishra et al. Enhancing privacy‐preserving mechanisms in Cloud storage: A novel conceptual framework
WO2022068360A1 (en) Shared root key-based information processing method and apparatus, and device and medium
Fu et al. Searchable encryption scheme for multiple cloud storage using double‐layer blockchain
Su et al. Efficient verifiable multi-key searchable encryption in cloud computing
CN106100834A (en) The generation in a kind of algorithm secret key storehouse and update method
Lapmoon et al. A Verifiable and Secure Industrial IoT Data Deduplication Scheme With Real-Time Data Integrity Checking in Fog-Assisted Cloud Environments
CN107733936A (en) A kind of encryption method of mobile data
Ojha et al. A method to enhance privacy preservation in cloud storage through a three-layer scheme for computational intelligence in fog computing
Wei et al. Dynamic data integrity auditing for secure outsourcing in the cloud
CN112968904B (en) A blockchain data protection method and system
CN116596089B (en) TrustZone-based federated learning method
CN117494104A (en) 3 DES-based password management method, system, equipment and medium
WO2022193119A1 (en) Blockchain data protection method and system
CN117395034A (en) A blockchain user privacy protection method based on trusted computing

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21930715

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 21930715

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC