CN115297125A - Business data processing method, apparatus, computer equipment and readable storage medium

Publication number
CN115297125A
Authority
CN
China
Prior art keywords: data, storage node, storage, encrypted, node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210930658.7A
Other languages
Chinese (zh)
Other versions
CN115297125B (en)
Inventor
刘琦
王锦霞
郭剑南
邹文臣
舒阜东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shugen Gezhi Technology Hunan Co ltd
Original Assignee
Shugen Gezhi Technology Hunan Co ltd
Application filed by Shugen Gezhi Technology Hunan Co ltd
Priority to CN202210930658.7A
Publication of CN115297125A
Application granted
Publication of CN115297125B
Active

Abstract

Embodiments of the present invention disclose a business data processing method, apparatus, computer device and readable storage medium. The fabric blockchain includes at least one first storage node and at least one second storage node, and the first storage node includes a trusted execution environment. The business data processing method includes: acquiring encrypted business data corresponding to a preset transaction request; sending the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data; and sending the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data. By configuring two types of node roles for storing business data in the blockchain, the invention makes a redundant backup of the business data each time business data is stored, thereby effectively improving the storage security of the business data.

Figure 202210930658

Description

Business data processing method, apparatus, computer device and readable storage medium

Technical field

The present invention relates to the technical field of blockchain, and in particular to a business data processing method, apparatus, computer device and readable storage medium.

Background

In existing fabric blockchain data processing schemes, the number of business nodes participating in business requests is determined by the scale of the blockchain. In a smaller-scale fabric blockchain architecture the number of business nodes is small, and when the amount of business data used by the transaction business is large, the business nodes cannot fully back up the business data participating in the transaction business. When business data in a business node is lost or corrupted, the business node cannot effectively recover it.

Therefore, a business data processing scheme that can effectively guarantee the security of business data in business nodes is urgently needed.

Summary of the invention

To solve the above technical problem, embodiments of the present application provide a business data processing method, apparatus, computer device and readable storage medium. The specific scheme is as follows:

In a first aspect, an embodiment of the present application provides a business data processing method applied to a fabric blockchain. The fabric blockchain includes at least one first storage node and at least one second storage node, the first storage node includes a trusted execution environment, and the business data processing method includes:

acquiring encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;

sending the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is signature information obtained by endorsing the encrypted business data;

sending the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

According to a specific implementation of the embodiment of the present application, the fabric blockchain further includes a computing node and an endorsement node, the first storage node includes a trusted execution environment, and before the step of acquiring the encrypted business data corresponding to the preset transaction request, the business data processing method further includes:

sending the preset transaction request to the computing node;

receiving a calculation result sent by the computing node, the calculation result being ciphertext business data obtained by the computing node through calculation processing and encryption processing according to the preset transaction request;

sending the calculation result to the endorsement node;

receiving the encrypted business data sent by the endorsement node, the encrypted business data including the calculation result and the endorsement signature obtained by the endorsement node endorsing the calculation result.

According to a specific implementation of the embodiment of the present application, the first storage node is a business node that has permission to view the business data, and the second storage node is a business node that does not have permission to view the business data.

According to a specific implementation of the embodiment of the present application, when the fabric blockchain includes at least two second storage nodes, the step of sending the encrypted business data to any second storage node includes:

determining whether the current second storage node has remaining storage space;

if the current second storage node has remaining storage space, sending the encrypted business data to the current second storage node;

if the current second storage node has no remaining storage space, sending the encrypted business data to a second storage node other than the current second storage node.

In a second aspect, an embodiment of the present application provides a business data processing method applied to a first storage node of a fabric blockchain. The first storage node includes a trusted execution environment, and the business data processing method includes:

receiving encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;

performing signature authentication on the signature information associated with the encrypted business data;

after the signature authentication passes, obtaining the business storage key in the trusted execution environment, the business storage key being a symmetric key corresponding to the preset transaction request;

decrypting the encrypted business data with the business storage key to obtain plaintext data;

storing the plaintext data.

According to a specific implementation of the embodiment of the present application, the fabric blockchain further includes at least one second storage node, and after the step of decrypting the encrypted business data with the business storage key to obtain plaintext data, the method further includes:

processing historical plaintext data according to the preset transaction request to obtain target plaintext data, wherein the historical plaintext data is the plaintext data obtained by decrypting the encrypted business data;

obtaining a target business storage key in the trusted execution environment, wherein the target business storage key is the business storage key corresponding to the preset transaction request;

encrypting the plaintext data with the business storage key to obtain target encrypted business data;

sending the target encrypted business data to the second storage node, so that the second storage node stores the target encrypted business data.

In a third aspect, an embodiment of the present application provides a business data processing apparatus applied to a fabric blockchain. The fabric blockchain includes at least one first storage node and at least one second storage node, the first storage node includes a trusted execution environment, and the business data processing apparatus includes:

an acquisition module, configured to acquire encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;

a first storage module, configured to send the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is signature information obtained by endorsing the encrypted business data;

a second storage module, configured to send the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

In a fourth aspect, an embodiment of the present application provides a business data processing apparatus applied to a first storage node of a fabric blockchain. The first storage node includes a trusted execution environment, and the business data processing apparatus includes:

a receiving module, configured to receive encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;

an authentication module, configured to perform signature authentication on the signature information associated with the encrypted business data;

a key acquisition module, configured to obtain the business storage key in the trusted execution environment after the signature authentication passes, the business storage key being a symmetric key corresponding to the preset transaction request;

a decryption module, configured to decrypt the encrypted business data with the business storage key to obtain plaintext data;

a storage module, configured to store the plaintext data.

In a fifth aspect, an embodiment of the present application provides a computer device including a processor and a memory, the memory storing a computer program which, when run on the processor, performs the business data processing method of the first aspect and the second aspect.

In a sixth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program which, when run on a processor, performs the business data processing method of the first aspect and the second aspect.

Embodiments of the present application provide a business data processing method, apparatus, computer device and readable storage medium. The fabric blockchain includes at least one first storage node and at least one second storage node, and the first storage node includes a trusted execution environment. The business data processing method includes: acquiring encrypted business data corresponding to a preset transaction request; sending the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data; and sending the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data. By configuring two types of node roles for storing business data in the blockchain, the invention makes a redundant backup of the business data each time business data is stored, thereby effectively improving the storage security of the business data.

Brief description of the drawings

To explain the technical solution of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope of protection. In the drawings, similar components are given similar reference numerals.

Fig. 1 shows a schematic framework diagram of a fabric blockchain provided by an embodiment of the present application;

Fig. 2 shows the first schematic flow diagram of a business data processing method provided by an embodiment of the present application;

Fig. 3 shows the second schematic flow diagram of a business data processing method provided by an embodiment of the present application;

Fig. 4 shows the first schematic module diagram of a business data processing apparatus provided by an embodiment of the present application;

Fig. 5 shows the second schematic module diagram of a business data processing apparatus provided by an embodiment of the present application.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention.

The components of the embodiments of the invention generally described and illustrated in the drawings herein may be arranged and designed in a variety of different configurations. Accordingly, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Hereinafter, the terms "comprising", "having" and their cognates, as used in various embodiments of the present invention, are only intended to indicate specific features, numbers, steps, operations, elements, components or combinations of the foregoing, and should not be understood as excluding the existence of, or the possibility of adding, one or more other features, numbers, steps, operations, elements, components or combinations of the foregoing.

In addition, the terms "first", "second", "third" and so on are only used to distinguish descriptions and should not be construed as indicating or implying relative importance.

Unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the various embodiments of the present invention belong. Such terms (such as those defined in commonly used dictionaries) are to be interpreted as having the same meaning as their contextual meaning in the relevant technical field and are not to be interpreted in an idealized or overly formal sense unless clearly so defined in the various embodiments of the present invention.

Refer to Fig. 1 and Fig. 2, which are respectively a schematic architecture diagram of a fabric blockchain provided by an embodiment of the present application and a schematic flow diagram of a business data processing method applied to an endorsement node of the fabric blockchain. The business data processing method provided by this embodiment is applied to a user node of the fabric blockchain. As shown in Fig. 1, the fabric blockchain further includes at least one first storage node and at least one second storage node, and the first storage node includes a trusted execution environment.

In a specific embodiment, the fabric blockchain is a blockchain architecture that includes multiple types of nodes. Specifically, each node may be a subnet configured by an enterprise user for a preset business purpose, and different enterprise users share business data interactively through the channels between nodes. The fabric blockchain of this embodiment includes the following node types: user nodes, computing nodes, endorsement nodes, first storage nodes and second storage nodes.

In this embodiment, the computing node, the first storage node and the second storage node are each configured with a trusted execution environment (Trusted Execution Environment, TEE for short). The computing node, the first storage node and the second storage node can interact with the TEE key distribution server by means of remote verification to obtain the business storage key corresponding to a transaction request, and thereby encrypt and decrypt the business data participating in the transaction request.

Note that the user node and the endorsement node may optionally be configured with a trusted execution environment according to the actual application scenario; the user node and the endorsement node are not specifically limited here.

After the user node sends a preset transaction request to the computing node, the computing node may request the business storage root key from the preset key distribution server on the basis of a challenge-response authentication mechanism (Challenge-Response Authentication Mechanism, CRAM for short). The business storage key is a symmetric key obtained by processing the business storage root key and the business ID of the corresponding transaction request with a preset derivation function.

Specifically, the business ID is authentication information corresponding to the transaction request, and each transaction request has a unique corresponding business ID. The preset derivation function may be a hash function or another type of derivation function, which is not limited in this embodiment.

Specifically, a preset number of business nodes are configured in the fabric blockchain according to the purposes of the different transaction businesses, and each business node stores the execution rules for the corresponding transaction business and the associated business data.

While a transaction business is being executed, the user node sends a transaction request to the computing node. The computing node obtains the business data corresponding to the transaction request from a preset database or from the corresponding business node, and performs a preset calculation on the business data to obtain the calculation result for the transaction request. The computing node also encrypts the calculation result with the business storage key in the trusted execution environment to obtain the corresponding encrypted calculation result.

After obtaining the encrypted calculation result, the computing node sends it to the user node, and the user node forwards it to the endorsement node so that the endorsement node can endorse it. After verifying the TEE signature of the encrypted calculation result, the endorsement node endorses the encrypted calculation result to obtain an endorsement result. The endorsement result consists of the business data that has undergone calculation processing and the endorsement signature corresponding to that business data.

Specifically, the transaction request includes a preset business contract, which specifies the calculation rules and endorsement policy of the business nodes. The endorsement node can perform calculation processing on the business data according to the preset calculation rules, and can perform endorsement processing on the business data according to the preset endorsement policy.

This embodiment does not specifically limit the settings of the calculation rules and the endorsement policy; they can be adapted to the actual application scenario.

While sending the endorsement result back to the user node, the endorsement node also sends the business data packet associated with the transaction request to each business node, and each business node stores the received business data locally.

According to a specific implementation of the embodiment of the present application, the first storage node is a business node that has permission to view the business data, and the second storage node is a business node that does not have permission to view the business data.

In this embodiment, the business data obtained by the user node is encrypted, so that the data received by every business node is encrypted business data. At the same time, a TEE and different data decryption permissions are configured in each business node, which divides the roles of the business nodes into first storage nodes and second storage nodes.

Specifically, this embodiment configures different roles for different business nodes in the fabric blockchain architecture. Business nodes that participate in the processing of business data between enterprises are classified as first storage nodes, and a first storage node has permission to view the private data of the corresponding business request. Business nodes that do not participate in the processing of business data between enterprises are classified as second storage nodes, and a second storage node does not have permission to view the private data of the corresponding business request.

Different preset transaction requests correspond to different business data. In this embodiment, the storage node role of each business node may change according to the different transaction requests sent by different user nodes.

For example, for transaction request A, business node B is the first storage node and business node C is the second storage node. For transaction request D, business node C is the first storage node and business node B is the second storage node.

When the fabric blockchain stores business data, the endorsement node can send the business data to the first storage node and the second storage node at the same time. The first storage node can view the plaintext content of the business data according to preset rules and preset permissions, and after obtaining the plaintext content, stores it on its local disk.

The second storage node acts as a redundant backup node. After obtaining the business data, it cannot view the plaintext content and directly stores the ciphertext content of the business data on its local disk.

Note that the second storage node may also be any ordinary blockchain node that does not have permission to view the business data. An ordinary blockchain node is a node that does not participate in the processing of the transaction business and can be used to store data.

Specifically, the number of first storage nodes is determined by the number of business nodes related to the preset transaction request: the more business nodes participate in the same transaction request, the more first storage nodes there are.

The number of second storage nodes is determined by the scale of the business nodes of the fabric blockchain: the more nodes there are in the fabric blockchain, the more second storage nodes there are. The number of second storage nodes is always greater than the number of first storage nodes.

By configuring a preset number of second storage nodes in the fabric blockchain, this embodiment ensures that the business data stored in the first storage nodes is fully backed up, which improves the security of the business data during processing.
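The key derivation and the two storage roles described above, as an added Go example that is not code from the patent: the first storage node checks the endorsement signature, derives the business storage key and stores plaintext, while the second storage node keeps only ciphertext. HMAC-SHA256 as the derivation function, AES-GCM, Ed25519, the `Root` field standing in for key material released inside the TEE, and all names and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveStorageKey derives the per-transaction business storage key from the
// root key and the business ID. HMAC-SHA256 is an assumed derivation function.
func DeriveStorageKey(root []byte, businessID string) []byte {
	m := hmac.New(sha256.New, root)
	m.Write([]byte(businessID))
	return m.Sum(nil) // 32 bytes, used as an AES-256 key
}

func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal is the computing-node side. Output is nonce || ciphertext, with the
// business ID bound as associated data (AES-GCM is an assumed cipher).
func Seal(key, plaintext []byte, businessID string) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, []byte(businessID)), nil
}

// Endorsed is the encrypted business data plus the endorsement signature over it.
type Endorsed struct {
	BusinessID            string
	Ciphertext, Signature []byte
}

// FirstNode has viewing permission: it verifies, decrypts and stores plaintext.
type FirstNode struct {
	Root     []byte // stand-in for key material released only inside the TEE
	Endorser ed25519.PublicKey
	Store    map[string][]byte
}

func (n *FirstNode) Accept(e Endorsed) error {
	// Signature authentication comes first; the key is derived only afterwards.
	if !ed25519.Verify(n.Endorser, e.Ciphertext, e.Signature) {
		return errors.New("endorsement signature rejected")
	}
	a, err := aead(DeriveStorageKey(n.Root, e.BusinessID))
	if err != nil || len(e.Ciphertext) < a.NonceSize() {
		return errors.New("malformed ciphertext or key")
	}
	ns := a.NonceSize()
	pt, err := a.Open(nil, e.Ciphertext[:ns], e.Ciphertext[ns:], []byte(e.BusinessID))
	if err != nil {
		return err // wrong key, wrong business ID, or modified data
	}
	n.Store[e.BusinessID] = pt
	return nil
}

// RunFlow runs the roles on constructed data; it returns what each node holds.
func RunFlow(tamper bool) (first, second []byte, err error) {
	root, id := []byte("constructed-root-key"), "biz-0001"
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo key only
	ct, err := Seal(DeriveStorageKey(root, id), []byte("order=42;amount=100"), id)
	if err != nil {
		return nil, nil, err
	}
	e := Endorsed{id, ct, ed25519.Sign(priv, ct)}
	if tamper {
		e.Ciphertext[len(ct)-1] ^= 1 // modified after endorsement
	}
	n := &FirstNode{root, priv.Public().(ed25519.PublicKey), map[string][]byte{}}
	if err := n.Accept(e); err != nil {
		return nil, nil, err
	}
	backup := map[string][]byte{id: e.Ciphertext} // second node: no key, ciphertext only
	return n.Store[id], backup[id], nil
}

func main() {
	first, second, err := RunFlow(false)
	fmt.Printf("first=%q backup=%d bytes err=%v\n", first, len(second), err)
	_, _, err = RunFlow(true)
	fmt.Println("tampered:", err)
}
```

Binding the business ID as associated data means a ciphertext replayed under a different business ID fails to decrypt at the first storage node even when the signature over the ciphertext is valid.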

As shown in FIG. 2, the business data processing method applied to the user node includes:

Step S201: acquire encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;

In a specific embodiment, the user node obtains the encrypted business data corresponding to the preset transaction request after multiple rounds of data interaction with the computing node and the endorsement node, wherein the encrypted business data is also associated with the endorsement signature obtained when the endorsement node performs endorsement.

Specifically, the encrypted business data may be the endorsement result sent by the endorsement node to the user node.

According to a specific implementation of the embodiment of the present application, the fabric blockchain further includes a computing node and an endorsement node, the first storage node includes a trusted execution environment, and before the step of acquiring the encrypted business data corresponding to the preset transaction request, the business data processing method further includes:

sending the preset transaction request to the computing node;

receiving a calculation result sent by the computing node, the calculation result being ciphertext business data obtained by the computing node through calculation processing and encryption processing according to the preset transaction request;

sending the calculation result to the endorsement node;

receiving the encrypted business data sent by the endorsement node, the encrypted business data including the calculation result and the endorsement signature obtained by the endorsement node endorsing the calculation result.

In a specific embodiment, the computing node receives the transaction request submitted by the user node and determines the target business data according to the contract and parameters included in the transaction request. The computing node extracts the target business data corresponding to the transaction request from a preset database.

Specifically, the transaction request includes ledger data requests such as querying a product price or modifying a product price. The substantive content of the transaction request is not specifically limited here; any transaction request applied in the fabric blockchain architecture falls within the scope of this embodiment.

The preset database is a shared database of the fabric blockchain architecture, and the shared database stores the business data of all enterprise users.

In a feasible embodiment, the business data may also be stored in the corresponding first storage node. The computing node establishes a communication channel with the first storage node, retrieves the business data directly from the first storage node, and uses it for the subsequent calculation processing and endorsement processing.

After obtaining the target business data, the computing node performs the calculation processing corresponding to the transaction request on the target business data, and then encrypts the calculation result in the TEE according to a preset encryption method to obtain the ciphertext business data.

After receiving the ciphertext business data sent by the computing node, the endorsement node endorses the ciphertext business data according to the preset contract of the transaction request, so as to obtain encrypted business data that includes an endorsement signature.

After receiving the ciphertext business data, the endorsement node may configure a trusted execution environment in the endorsement node by loading a TEE, so that it can decrypt the encrypted business data with the business storage key to obtain the plaintext data of the business data. After obtaining the plaintext data of the ciphertext business data, the endorsement node endorses the plaintext data and finally obtains business data with an endorsement signature. It then encrypts the business data with the endorsement signature using the business storage key to obtain encrypted business data with an endorsement signature.

The endorsement node sends the encrypted business data with the endorsement signature to the first storage node. The first storage node may decrypt the encrypted business data in the TEE environment and store the plaintext content of the business data locally.

Specifically, the first storage node may request the business storage key from the TEE key server by means of remote attestation.

Step S202: send the encrypted business data to a target storage node according to the endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is the signature information obtained by endorsing the encrypted business data;

In a specific embodiment, after obtaining the business data corresponding to the transaction request, the endorsement node endorses the business data according to a preset endorsement policy.

Specifically, the endorsement policy is the judgment condition used to determine whether the business data satisfies the purpose of the user's transaction. The endorsement policy may be replaced according to the substantive content of the user's transaction request in the actual application scenario, and is not specifically limited here.

Specifically, endorsement refers to the processing action of verifying whether the transaction request is valid and declaring the first storage node that matches the transaction request. The endorsement signature indicates whether the business data is valid and indicates the corresponding target storage node.

When the fabric blockchain includes at least two first storage nodes, the user node needs to find the first storage node associated with the transaction request according to the endorsement signature of the business data packet, take that associated first storage node as the target storage node, and send the business data packet to it.

In a specific embodiment, after receiving the business data packet, the target storage node performs the corresponding business processing on the business data packet.

Specifically, the target storage node sends a key acquisition request to a preset key distribution server and obtains the business storage key corresponding to the transaction request from the key distribution server based on a Challenge-Response Authentication Mechanism (CRAM). In this embodiment, each transaction request has a uniquely corresponding business storage key. The business storage key is a symmetric key.

The target storage node decrypts the encrypted business data with the business storage key to obtain the plaintext data corresponding to the transaction request. The target storage node stores the plaintext data on its local disk. The target storage node may also perform corresponding business processing on the plaintext data according to the preset transaction request.

Step S203: send the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

In a specific embodiment, the fabric blockchain includes a preset number of second storage nodes. After the user node sends the preset transaction request, each first storage node can be determined according to the business nodes corresponding to the preset transaction request; all other business nodes can then serve as second storage nodes for the current preset transaction request.

It should be noted that the disk space of all the second storage nodes is greater than or equal to the disk space of all the first storage nodes.

After obtaining the encrypted business data, the user node sends the encrypted business data to any second storage node, so that the business data corresponding to the transaction request is backed up in the second storage node, which safeguards the security of the business data.

In this embodiment, the second storage node stores the encrypted business data directly in the remaining space of its local disk, and does not decrypt the encrypted business data.

In a specific implementation, when business data in the first storage node is damaged, the first storage node detects the business ID of the business storage key corresponding to the damaged business data, and queries the second storage node for the corresponding backup business data according to the business ID.

The first storage node retrieves the backup business data from the second storage node and performs the decryption process again in the first storage node to obtain the complete plaintext content of the business data, thereby ensuring the normal operation of the business node.

According to a specific implementation of the embodiment of the present application, when the fabric blockchain includes at least two second storage nodes, the step of sending the encrypted business data to any second storage node includes:

determining whether the current second storage node has remaining storage space;

if the current second storage node has remaining storage space, sending the encrypted business data to the current second storage node;

if the current second storage node has no remaining storage space, sending the encrypted business data to a second storage node other than the current second storage node.

In a specific embodiment, when backing up business data to the second storage nodes, the user node searches all the second storage nodes for one that has remaining storage space, in which to store the encrypted business data.

Specifically, a second storage node may store the business data of only one first storage node, or may store the business data of multiple first storage nodes at the same time.

Specifically, each item of business data stored in the second storage node has a unique business storage key corresponding to its transaction request.

In a specific implementation, the user may set backup rules for the second storage nodes in the user node in advance and establish an association between first storage nodes and second storage nodes according to the transaction business type. When sending encrypted business data to a second storage node, the endorsement node performs the data backup according to the association between the first storage node and the second storage node.

For example, the first storage nodes and the second storage nodes are numbered separately, and a first storage node and a second storage node that have the same number are associated.

In the business data processing method proposed in this embodiment, while the endorsement node sends business data to the business nodes, the business data corresponding to one transaction request is stored in both the first storage node and the second storage node, so that all business data is securely backed up, which greatly improves the security of the business data in the business nodes of the fabric blockchain.

FIG. 3 is a schematic flowchart of a business data processing method applied to the first storage node of a fabric blockchain, provided by an embodiment of the present application. The method is applied to the first storage node of the fabric blockchain. As shown in FIG. 1, the fabric blockchain further includes a user node and at least one second storage node. As shown in FIG. 3, the business data processing method includes:

Step S301: receive encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;

Step S302: perform signature authentication on the signature information associated with the encrypted business data;

Step S303: after the signature authentication passes, obtain the business storage key in the trusted execution environment, the business storage key being a symmetric key corresponding to the preset transaction request;

Step S304: decrypt the encrypted business data with the business storage key to obtain plaintext data;

Step S305: store the plaintext data.

For the fabric blockchain framework in this embodiment, reference may be made to the specific implementation process in Embodiment 1 above, which is not repeated here.

In a specific embodiment, the first storage node is a business node that has permission to read the business data.

After receiving the business data packet, including the endorsement signature, sent by the endorsement node, the first storage node immediately authenticates the endorsement signature and determines whether the target storage node declared by the endorsement signature is the current first storage node.

If the target storage node declared by the endorsement signature is the current first storage node, the current first storage node outputs a result indicating that signature authentication has passed.

If the target storage node declared by the endorsement signature is not the current first storage node, or the endorsement signature indicates that the business data is not valid, the current first storage node outputs a result indicating that signature authentication has failed.

After the endorsement signature has been authenticated, the first storage node submits a key acquisition request to the preset key distribution server to obtain the business storage key corresponding to the transaction request. For the specific process of obtaining the business storage key from the key distribution server, reference may be made to the foregoing embodiments; details are not repeated here.

In a specific embodiment, the preset key distribution server may be a TEE key distribution server.

The business storage key obtained by the first storage node from the preset key distribution server can be used both to decrypt the business data packet sent by the endorsement node and to encrypt the business data packet.

According to a specific implementation of the embodiment of the present application, the fabric blockchain further includes at least one second storage node, and after the step of decrypting the encrypted business data with the business storage key to obtain plaintext data, the method further includes:

processing historical plaintext data according to the preset transaction request to obtain target plaintext data, wherein the historical plaintext data is the plaintext data obtained by decrypting the encrypted business data;

obtaining a target business storage key in the trusted execution environment, wherein the target business storage key is the business storage key corresponding to the preset transaction request;

encrypting the plaintext data with the business storage key to obtain target encrypted business data;

sending the target encrypted business data to the second storage node, so that the second storage node stores the target encrypted business data.

In a specific embodiment, after decrypting the encrypted business data sent by the user node, the first storage node further processes the plaintext data according to the preset transaction request to obtain updated target plaintext data.

The first storage node then sends a key request to the preset TEE key distribution server to obtain the business storage key corresponding to the preset transaction request, and encrypts the target plaintext data with the business storage key to obtain updated target encrypted business data.

Based on the business ID of the business storage key, the first storage node searches the second storage nodes for encrypted business data that has the same business ID. It sends the target encrypted business data to the second storage node that holds the corresponding historical encrypted business data, so that the second storage node stores the target encrypted business data by overwriting the historical encrypted business data.

In the business data processing method proposed in this embodiment, after the first storage node and the second storage node receive the encrypted business data sent by the user node, the first storage node also determines whether the encrypted business data needs further processing. Whenever the first storage node updates the encrypted business data, the update is synchronized to the second storage node that serves as the backup node.

The data stored in the second storage node is kept synchronized with the data in the first storage node at all times. When the local business data of the first storage node is damaged, the first storage node can retrieve the same business data from the second storage node at any time to restore it, which greatly safeguards the normal operation of the first storage node.

In addition, the business data stored in the second storage node is always in an encrypted state, so leakage of private data can be effectively avoided. Because the second storage node never obtains the plaintext of the encrypted business data, the choice of second storage nodes is not restricted to the business participants of the transaction request. This allows the number of backup nodes in the fabric blockchain to be greatly expanded and ensures that the business data related to the transaction request is fully backed up.
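The first-storage-node steps S301 to S305, the ciphertext-only copy held by a second storage node, and recovery by business ID are shown in Go below as an added illustration, not code from the application. AES-256-GCM, Ed25519, the envelope layout, the in-memory map standing in for the TEE key distribution server, and all type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope models the encrypted business data (assumed layout): ciphertext plus
// an endorsement signature that also declares the target first storage node.
type Envelope struct {
	BusinessID, TargetNode       string
	Nonce, Ciphertext, Signature []byte
}

var ErrAuth = errors.New("endorsement signature authentication failed")

// signedBytes encodes every field unambiguously so the signature covers routing too.
func signedBytes(e *Envelope) []byte {
	return []byte(fmt.Sprintf("%q|%q|%x|%x", e.BusinessID, e.TargetNode, e.Nonce, e.Ciphertext))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts under the per-transaction business storage key, then endorses.
func Seal(key []byte, priv ed25519.PrivateKey, id, target string, pt []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e := &Envelope{BusinessID: id, TargetNode: target, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, pt, []byte(id))
	e.Signature = ed25519.Sign(priv, signedBytes(e))
	return e, nil
}

// FirstNode is a first storage node; KeyServer stands in for the TEE key server.
type FirstNode struct {
	ID               string
	Endorser         ed25519.PublicKey
	KeyServer, Plain map[string][]byte
}

// Receive follows S301-S305: authenticate, fetch key, decrypt, store plaintext.
func (n *FirstNode) Receive(e *Envelope) error {
	if !ed25519.Verify(n.Endorser, signedBytes(e), e.Signature) || e.TargetNode != n.ID {
		return ErrAuth // S302: bad signature, or another node is the declared target
	}
	gcm, err := newGCM(n.KeyServer[e.BusinessID]) // S303: a missing key fails here
	if err != nil || len(e.Nonce) != gcm.NonceSize() {
		return errors.New("unusable business storage key or nonce")
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.BusinessID)) // S304
	if err != nil {
		return err
	}
	n.Plain[e.BusinessID] = pt // S305
	return nil
}

// SecondNode keeps ciphertext only, indexed by business ID; it never holds a key.
type SecondNode map[string]*Envelope

// Recover finds the backup by business ID and repeats the decryption path.
func (n *FirstNode) Recover(id string, backup SecondNode) error {
	e, ok := backup[id]
	if !ok {
		return errors.New("no backup for " + id)
	}
	return n.Receive(e)
}

// Setup builds a first storage node with a constructed key and endorser key pair.
func Setup() (*FirstNode, ed25519.PrivateKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	key := make([]byte, 32)
	rand.Read(key) // constructed sample key for "biz-1"
	return &FirstNode{ID: "first-1", Endorser: pub, KeyServer: map[string][]byte{"biz-1": key}, Plain: map[string][]byte{}}, priv, key
}

func main() {
	n, priv, key := Setup()
	e, _ := Seal(key, priv, "biz-1", n.ID, []byte("price=42"))
	backup := SecondNode{e.BusinessID: e} // the second node stores ciphertext as received
	fmt.Println("receive:", n.Receive(e))
	delete(n.Plain, "biz-1") // simulate damaged local data
	fmt.Println("recover:", n.Recover("biz-1", backup), string(n.Plain["biz-1"]))
}
```

Because the signature covers the declared target as well as the ciphertext, an envelope endorsed for another first storage node is rejected before any key is requested, and a backup copy that was altered on a second storage node fails the same check during recovery.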

FIG. 4 is a schematic diagram of the modules of a business data processing apparatus 400 applied to the user node of a fabric blockchain, provided by an embodiment of the present application. The business data processing apparatus 400 is applied to the user node of the fabric blockchain. As shown in FIG. 1, the fabric blockchain includes at least one first storage node and at least one second storage node, and the first storage node includes a trusted execution environment. As shown in FIG. 4, the business data processing apparatus 400 includes:

an acquisition module 401, configured to acquire encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;

a first storage module 402, configured to send the encrypted business data to a target storage node according to the endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is the signature information obtained by endorsing the encrypted business data;

a second storage module 403, configured to send the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

FIG. 5 is a schematic diagram of the modules of a business data processing apparatus 500 applied to the first storage node of a fabric blockchain, provided by an embodiment of the present application. The business data processing apparatus 500 is applied to the first storage node of the fabric blockchain, and the first storage node includes a trusted execution environment. As shown in FIG. 1, the fabric blockchain further includes a user node. As shown in FIG. 5, the business data processing apparatus 500 includes:

a receiving module 501, configured to receive encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;

an authentication module 502, configured to perform signature authentication on the signature information associated with the encrypted business data;

a key acquisition module 503, configured to obtain the business storage key in the trusted execution environment after the signature authentication passes, the business storage key being a symmetric key corresponding to the preset transaction request;

a decryption module 504, configured to decrypt the encrypted business data with the business storage key to obtain plaintext data;

a storage module 505, configured to store the plaintext data.

另外,本申请实施例还提供的一种计算机设备,所述计算机设备包括处理器和存储器,所述存储器存储有计算机程序,所述计算机程序在所述处理器上运行时执行前述实施例中的业务数据处理方法。In addition, an embodiment of the present application also provides a computer device, the computer device includes a processor and a memory, and the memory stores a computer program, and when the computer program runs on the processor, it executes the steps in the preceding embodiments. Business data processing method.

本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有计算机程序,所述计算机程序在处理器上运行时执行前述实施例中的业务数据处理方法。An embodiment of the present application also provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and the computer program executes the business data processing method in the foregoing embodiments when running on a processor.

综上所述,本申请实施例提供了一种业务数据处理方法、装置、计算机设备及可读存储介质,通过设置不参与交易业务的节点作为第二存储节点,实现了fabric区块链架构中备份节点的水平性扩展,本实施例中的第二存储节点可以对全部第一存储节点中的业务数据进行数据备份,且不会读取业务数据的明文内容,有效提高了fabric区块链中业务数据的安全。当第一存储节点中的数据出现损坏时,第一存储节点可以根据预设的业务存储密钥从第二存储节点中调用备份业务数据,为第一存储节点交易业务的稳定运行提供了数据保障。另外,上述实施例中提到的业务处理装置、计算机设备及计算机可读存储介质的具体实施过程,可以参见上述方法实施例的具体实施过程,在此不再一一赘述。To sum up, the embodiment of the present application provides a business data processing method, device, computer equipment, and readable storage medium. By setting a node that does not participate in the transaction business as the second storage node, the fabric block chain architecture is realized. The horizontal expansion of the backup node, the second storage node in this embodiment can back up all the business data in the first storage node, and will not read the plaintext content of the business data, effectively improving the fabric block chain. Security of business data. When the data in the first storage node is damaged, the first storage node can call the backup business data from the second storage node according to the preset business storage key, which provides data protection for the stable operation of the transaction business of the first storage node . In addition, for the specific implementation process of the service processing device, computer equipment, and computer-readable storage medium mentioned in the above-mentioned embodiment, reference may be made to the specific implementation process of the above-mentioned method embodiment, and details will not be repeated here.

在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,也可以通过其它的方式实现。以上所描述的装置实施例仅仅是示意性的,例如,附图中的流程图和结构图显示了根据本发明的多个实施例的装置、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段或代码的一部分,所述模块、程序段或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在作为替换的实现方式中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个连续的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,结构图和/或流程图中的每个方框、以及结构图和/或流程图中的方框的组合,可以用执行规定的功能或动作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may also be implemented in other ways. The device embodiments described above are only illustrative. For example, the flowcharts and structural diagrams in the accompanying drawings show the possible implementation architecture and functions of devices, methods and computer program products according to multiple embodiments of the present invention. and operation. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or part of code that includes one or more Executable instructions. It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. It is also to be noted that each block of the block diagrams and/or flow diagrams, and combinations of blocks in the block diagrams and/or flow diagrams, can be implemented by a dedicated hardware-based system that performs the specified function or action may be implemented, or may be implemented by a combination of special purpose hardware and computer instructions.

另外,在本发明各个实施例中的各功能模块或单元可以集成在一起形成一个独立的部分,也可以是各个模块单独存在,也可以两个或更多个模块集成形成一个独立的部分。In addition, each functional module or unit in each embodiment of the present invention can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

所述功能如果以软件功能模块的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是智能手机、个人计算机、服务器、或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。If the functions are implemented in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the essence of the technical solution of the present invention or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a smart phone, a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes. .

The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A business data processing method, characterized in that it is applied to a Fabric blockchain, the Fabric blockchain comprising at least one first storage node and at least one second storage node, the first storage node comprising a trusted execution environment, the business data processing method comprising:
obtaining encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;
sending the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is signature information obtained by endorsing the encrypted business data;
sending the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

2. The method according to claim 1, characterized in that the Fabric blockchain further comprises a computing node and an endorsement node, the first storage node comprises a trusted execution environment, and before the step of obtaining encrypted business data corresponding to a preset transaction request, the business data processing method further comprises:
sending the preset transaction request to the computing node;
receiving a calculation result sent by the computing node, the calculation result being ciphertext business data obtained by the computing node through calculation processing and encryption processing according to the preset transaction request;
sending the calculation result to the endorsement node;
receiving encrypted business data sent by the endorsement node, the encrypted business data comprising the calculation result and an endorsement signature obtained by the endorsement node endorsing the calculation result.

3. The method according to claim 1, characterized in that the first storage node is a business node with permission to view business data, and the second storage node is a business node without permission to view business data.

4. The method according to claim 1, characterized in that, when the Fabric blockchain comprises at least two second storage nodes, the step of sending the encrypted business data to any second storage node comprises:
determining whether the current second storage node has remaining storage space;
if the current second storage node has remaining storage space, sending the encrypted business data to the current second storage node;
if the current second storage node has no remaining storage space, sending the encrypted business data to a second storage node other than the current second storage node.

5. A business data processing method, characterized in that it is applied to a first storage node of a Fabric blockchain, the first storage node comprising a trusted execution environment, the business data processing method comprising:
receiving encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;
performing signature authentication on the signature information associated with the encrypted business data;
after the signature authentication passes, obtaining the business storage key in the trusted execution environment, the business storage key being a symmetric key corresponding to the preset transaction request;
decrypting the encrypted business data with the business storage key to obtain plaintext data;
storing the plaintext data.

6. The business data processing method according to claim 5, characterized in that the Fabric blockchain further comprises at least one second storage node, and after the step of decrypting the encrypted business data with the business storage key to obtain plaintext data, the method further comprises:
processing historical plaintext data according to a preset transaction request to obtain target plaintext data, wherein the historical plaintext data is the plaintext data obtained by decrypting the encrypted business data;
obtaining a target business storage key in the trusted execution environment, wherein the target business storage key is the business storage key corresponding to the preset transaction request;
encrypting the plaintext data with the business storage key to obtain target encrypted business data;
sending the target encrypted business data to the second storage node, so that the second storage node stores the target encrypted business data.

7. A business data processing device, characterized in that it is applied to a Fabric blockchain, the Fabric blockchain further comprising at least one first storage node and at least one second storage node, the first storage node comprising a trusted execution environment, the business data processing device comprising:
an acquisition module, configured to obtain encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key, and the business storage key is a symmetric key, provided by the trusted execution environment, that corresponds to the preset transaction request;
a first storage module, configured to send the encrypted business data to a target storage node according to an endorsement signature, so that the target storage node obtains the plaintext data of the encrypted business data in the trusted execution environment and stores the plaintext data, wherein the target storage node is the first storage node corresponding to the encrypted business data, and the endorsement signature is signature information obtained by endorsing the encrypted business data;
a second storage module, configured to send the encrypted business data to any second storage node, so that the second storage node stores the encrypted business data.

8. A business data processing device, characterized in that it is applied to a first storage node of a Fabric blockchain, the first storage node comprising a trusted execution environment, the business data processing device comprising:
a receiving module, configured to receive encrypted business data corresponding to a preset transaction request, wherein the encrypted business data is business data encrypted with a business storage key;
an authentication module, configured to perform signature authentication on the signature information associated with the encrypted business data;
a key acquisition module, configured to obtain the business storage key in the trusted execution environment after the signature authentication passes, the business storage key being a symmetric key corresponding to the preset transaction request;
a decryption module, configured to decrypt the encrypted business data with the business storage key to obtain plaintext data;
a storage module, configured to store the plaintext data.

9. A computer device, characterized in that the computer device comprises a processor and a memory, the memory stores a computer program, and the computer program, when run on the processor, executes the business data processing method according to any one of claims 1 to 6.

10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when run on a processor, executes the business data processing method according to any one of claims 1 to 6.
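The receive path of claim 5 (authenticate, obtain the key in the trusted execution environment, decrypt, store plaintext), as an added Go sketch that is not code from the patent. AES-256-GCM, Ed25519, the in-memory `TEE` map and every identifier below are assumptions made for illustration; the claims name only a "symmetric key" and an "endorsement signature", and a second storage node would simply persist `ct` unchanged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TEE stands in for the enclave: only it maps a transaction ID to its storage key.
type TEE map[string][]byte

func (t TEE) aead(txID string) (cipher.AEAD, error) {
	b, err := aes.NewCipher(t[txID]) // fails when no key is registered for txID
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal encrypts business data: random nonce prepended, txID bound as associated data.
func Seal(g cipher.AEAD, txID string, plain []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, []byte(txID)), nil
}

// FirstNode follows claim 5: authenticate, fetch key in the TEE, decrypt, store plaintext.
type FirstNode struct {
	Enclave  TEE
	Endorser ed25519.PublicKey
	Plain    map[string][]byte
}

func (n *FirstNode) Receive(txID string, ct, sig []byte) error {
	if !ed25519.Verify(n.Endorser, ct, sig) {
		return fmt.Errorf("endorsement signature rejected")
	}
	g, err := n.Enclave.aead(txID) // key is touched only after the signature passes
	if err != nil || len(ct) < g.NonceSize() {
		return fmt.Errorf("no storage key or truncated ciphertext")
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(txID))
	if err == nil {
		n.Plain[txID] = pt
	}
	return err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	n := &FirstNode{TEE{"tx-1": make([]byte, 32)}, pub, map[string][]byte{}} // constructed all-zero demo key
	g, _ := n.Enclave.aead("tx-1")
	ct, _ := Seal(g, "tx-1", []byte("order#42"))
	err := n.Receive("tx-1", ct, ed25519.Sign(priv, ct))
	fmt.Printf("err=%v stored=%q\n", err, n.Plain["tx-1"])
}
```

Binding the transaction ID as associated data means a correctly endorsed ciphertext replayed under another transaction ID fails authentication even when that transaction uses the same key.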
CN202210930658.7A, priority date 2022-08-04, filing date 2022-08-04: Business data processing method, device, computer equipment and readable storage medium (Active; CN115297125B (en))

Publications (2)

Publication Number | Publication Date
CN115297125A (en) | 2022-11-04
CN115297125B (en) | 2024-11-26

Family

ID=83826982

Country Status (1)

Country | Link
CN (1) | CN115297125B (en)

Also Published As

Publication number | Publication date
CN115297125B (en) | 2024-11-26

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
