CN120105462A

Movatterモバイル変換

Info

Publication number: CN120105462A
Application number: CN202510560784.1A
Authority: CN
Inventors: 曲金宝; 王琼霄; 张增军; 胡艳芳; 肇志伟; 舒威; 芦洪鑫
Original assignee: BEIJING CERTIFICATE AUTHORITY
Current assignee: BEIJING CERTIFICATE AUTHORITY
Priority date: 2025-04-30
Filing date: 2025-04-30
Publication date: 2025-06-06

Abstract

The embodiment of the application provides a data circulation method, a system, electronic equipment and a storage medium. The method comprises the steps of obtaining authorization data ciphertext obtained by joint encryption of authorization data by a data processing end and a data providing end, wherein the authorization data is determined by the data providing end through authorization management according to a target data range and data use permission requested by the data requesting end, triggering the data requesting end and the data providing end to jointly decrypt the authorization data ciphertext in response to an authorization data use request sent by the data requesting end to obtain the authorization data ciphertext, and calculating the authorization data plaintext according to the data processing strategy under the condition that a data processing strategy of the data processing end accords with a data use rule generated by the data providing end according to the data use permission to obtain an operation result, and returning the operation result to the data requesting end. The embodiment of the application can ensure the safe and efficient circulation of transaction data and promote benign transaction and flow of data assets.

Description

Data circulation method, system, electronic equipment and storage medium

Technical Field

The present application relates to the field of data distribution technologies, and in particular, to a data distribution method, a system, an electronic device, and a storage medium.

Background

In view of the value and characteristics of data assets, in the field of data circulation, in order to protect ownership of data assets, technologies such as multiparty secure computation, federal learning or homomorphic passwords are usually applied to realize that the availability of transaction data is invisible, a data demand party needs to perform data operation on transaction data held by a data provider by combining with a data provider based on a specific data operation protocol, so as to obtain an operation result.

However, these techniques can only support limited data operation functions, and the overhead of data operation is much higher than that of directly operating on transaction data plaintext, greatly increasing the data operation overhead, and furthermore, the data provider needs to perform data operation in cooperation with the data demander in whole course online, if one or more data requesters have different data operation requirements, the data provider locally needs to execute different data operation schemes, which increases the technical difficulty of the data provider to provide transaction data. As can be seen, these techniques have significant feasibility problems in practical applications, severely restricting benign transactions and movement of data assets.

Disclosure of Invention

An embodiment of the application aims to provide a data circulation method, a system, electronic equipment and a storage medium, which are used for realizing the technical effects of ensuring safe and efficient circulation of transaction data and promoting benign transaction and flow of data assets.

In a first aspect, an embodiment of the present application provides a data circulation method, applied to a data processing end, where the data processing end is respectively connected with a data demand end and a data providing end in a communication manner, the method includes:

The method comprises the steps of obtaining authorization data ciphertext, wherein the authorization data ciphertext is obtained by carrying out joint encryption on authorization data by a data demand end and a data providing end, and the authorization data is determined by carrying out authorization management by the data providing end according to a target data range and data use permission requested by the data demand end;

Responding to an authorization data use request sent by the data demand end, triggering the data demand end and the data providing end to perform joint decryption on the authorization data ciphertext to obtain an authorization data plaintext;

and under the condition that the data processing strategy of the data processing end accords with the data use rule of the data providing end, calculating the authorized data plaintext according to the data processing strategy to obtain an operation result, and returning the operation result to the data demand end, wherein the data use rule is generated by the data providing end according to the data use authority.

Further, the data demand end is in communication connection with the data providing end, and the authorization data is obtained by the following modes:

sending a target data authorization request to the data providing end through the data demand end, wherein the target data authorization request comprises the target data range and the data use authority;

And responding to the target data authorization request by the data providing end, determining target data according to the target data range, and determining the target data as the authorization data under the condition that the data demand end is allowed to use the target data according to the data use authority.

In the implementation process, the data providing end responds to the target data authorization request by sending the target data authorization request comprising the target data range and the data use permission to the data providing end, the data providing end determines the target data according to the target data range, and determines the target data as the authorization data under the condition that the data requiring end is allowed to use the target data according to the data use permission, so that the data providing end can be ensured to accurately perform authorization management on the target data range and the data use permission requested by the data requiring end in the data authorization stage, and the use permission of the authorization data is effectively ensured to be controllable.

Further, the data demand end is in communication connection with the data providing end, and the authorization data ciphertext is obtained by the following steps:

sending a public key of the data demand end to the data providing end through the data demand end;

the authorization data is encrypted in a hierarchical or collaborative manner by the data providing end according to the public key of the data providing end and the public key of the data demand end to obtain the authorization data ciphertext, or

Encrypting the authorization data through the data providing end according to the encryption key of the data providing end to obtain an initial data ciphertext;

the encryption key is encrypted in a hierarchical mode or in a cooperative mode through the data providing end according to the public key of the data providing end and the public key of the data demand end to obtain an encryption key ciphertext;

And obtaining the authorization data ciphertext according to the initial data ciphertext and the encryption key ciphertext through the data providing end.

In the implementation process, the public key of the data demand end is sent to the data providing end by the data demand end, the data providing end selects a hierarchical encryption mode based on the public key, a collaborative encryption mode based on the public key, a hierarchical encryption mode based on the encryption key or a collaborative encryption mode based on the encryption key to carry out joint encryption on the authorization data, so that an authorization data ciphertext is obtained, multiple encryption modes can be flexibly selected to carry out joint encryption on the authorization data, and the security of the authorization data is effectively ensured.

Further, the triggering the data demand end and the data providing end to jointly decrypt the authorization data ciphertext to obtain the authorization data ciphertext includes:

Generating a first decryption request and a second decryption request for the authorization data ciphertext according to the data authorization information corresponding to the authorization data ciphertext;

The first decryption request is sent to the data demand end, and a first decryption result returned by the data demand end is obtained;

sending the second decryption request to the data providing end to obtain a second decryption result returned by the data providing end;

and determining the authorization data plaintext according to the first decryption result and the second decryption result.

In the implementation process, the data processing end generates a first decryption request and a second decryption request for the authorization data ciphertext according to the data authorization information corresponding to the authorization data ciphertext, sends the first decryption request to the data demand end to obtain a first decryption result returned by the data demand end, sends the second decryption request to the data providing end to obtain a second decryption result returned by the data providing end, determines the authorization data plaintext according to the first decryption result and the second decryption result, can efficiently trigger the data demand end and the data providing end to jointly decrypt the authorization data ciphertext, and ensures that the authorization data ciphertext is accurately acquired.

Further, the first decryption request comprises first remote certification information of the data processing end, the second decryption request comprises second remote certification information of the data processing end, and the first decryption result and the second decryption result are obtained by the following steps:

The data demand end responds to the first decryption request, verifies the first remote proving information, and decrypts the authorization data ciphertext under the condition that the first remote proving information passes the verification to obtain the first decryption result;

And responding to the second decryption request by the data providing end, verifying the second remote proving information, and decrypting the authorization data ciphertext under the condition that the second remote proving information passes the verification to obtain the second decryption result.

In the implementation process, the first remote certification information of the data processing end is added to the first decryption request by the data processing end, and the second remote certification information of the data processing end is added to the second decryption request, so that the data demand end decrypts the authorized data ciphertext only when the first remote certification information of the data processing end is confirmed to pass verification, and the data supply end decrypts the authorized data ciphertext only when the second remote certification information of the data processing end is confirmed to pass verification, thereby effectively ensuring the safe and reliable communication environment among the three ends of the data processing end, the data demand end and the data supply end, further ensuring the safe and efficient circulation of transaction data, and promoting the benign transaction and flow of data assets.

Further, said verifying said first remote attestation information comprises:

Comparing the first remote certification information with the standard remote certification information stored locally through the data demand terminal;

Through the data demand end, if the first remote proving information is consistent with the standard remote proving information, determining that the first remote proving information is verified, otherwise, determining that the first remote proving information is not verified;

said verifying said second remote attestation information comprises:

comparing the second remote attestation information with the standard remote attestation information stored locally through the data providing end;

through the data providing end, if the second remote proving information is consistent with the standard remote proving information, determining that the second remote proving information is verified, otherwise, determining that the second remote proving information is not verified;

the standard remote attestation information is obtained by the data demand end and the data providing end through a trusted channel.

In the implementation process, the data demand end and the data providing end acquire the standard remote attestation information of the data processing end from the trusted channel in advance to carry out local storage, the data processing end adds the first remote attestation information of the data processing end in the first decryption request and adds the second remote attestation information of the data processing end in the second decryption request, so that the data demand end decrypts the authorized data ciphertext only when the first remote attestation information of the data processing end is determined to be consistent with the standard remote attestation information of the data processing end, and the data providing end decrypts the authorized data ciphertext only when the second remote attestation information of the data processing end is determined to be consistent with the standard remote attestation information of the data processing end, thereby effectively ensuring safe and reliable communication environments among the data processing end, the data demand end and the data providing end, and further ensuring safe and efficient circulation of transaction data and promoting benign and flowing of data assets.

Further, before the decrypting the authorization data ciphertext to obtain the second decrypting result, the method includes:

And determining that the data processing strategy accords with the data use rule through the data providing end.

In the implementation process, the data providing end decrypts the authorization data ciphertext to obtain a second decryption result under the condition that the second remote certification information of the data processing end passes verification and the data processing strategy of the data processing end accords with the data use rule, so that the data providing end can check the processing strategy of the data processing end on the authorization data together, the data processing end is ensured to process the authorization data within the data use authority range of the authorization data, the transaction data is further ensured to circulate safely and efficiently, and benign transaction and flow of data assets are promoted.

Further, the determining that the data processing policy meets the data usage rule includes:

Comparing the description data of the data processing strategy with the description data of the data usage rule stored locally through the data providing end;

And determining, by the data providing end, that the data processing policy conforms to the data usage rule when the description data of the data processing policy conforms to the description data of the data usage rule.

In the implementation process, the data providing end adopts a description data comparison mode to determine whether the data processing strategy accords with the data use rule, so that the data providing end can be ensured to rapidly and accurately determine whether the data processing strategy accords with the data use rule, the safe and efficient circulation of transaction data is further ensured, and benign transaction and flow of data assets are promoted.

Further, the data processing end is a terminal comprising a program running in a trusted execution environment or a service constructed based on the trusted execution environment.

In the implementation process, the terminal comprising the program running in the trusted execution environment or the service constructed based on the trusted execution environment is selected as the data processing end, so that the third party trusted terminal can be introduced to participate in the authorized data use process, the safe and efficient circulation of transaction data is further ensured, and the benign transaction and flow of data assets are promoted.

In a second aspect, an embodiment of the present application provides a data circulation system, including a data processing end, where the data processing end is connected to the data demand end and the data providing end respectively;

The data processing end is used for:

In a third aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing a method as described above when executing the computer program.

In a fourth aspect, an embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium includes a stored computer program, where the computer program when executed controls a device in which the computer readable storage medium is located to perform a method as described above.

In a fifth aspect, embodiments of the present application provide a computer program product comprising instructions which, when executed by a computer, cause the computer to carry out the method as described above.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a flow chart of a data circulation method according to a first embodiment of the present application;

FIG. 2 is a data flow diagram of a target data grant as illustrated in a first embodiment of the present application;

FIG. 3 is a data flow diagram of an exemplary authorization data usage in a first embodiment of the application;

FIG. 4 is a data flow diagram of an exemplary data flow method in a first embodiment of the present application;

fig. 5 is a schematic structural diagram of a data flow system according to a second embodiment of the present application;

fig. 6 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.

It should be noted that in the description of the present application, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance. Meanwhile, step numbers herein are only for convenience of explanation of the embodiments of the present application, and are not used as limiting the order of execution of the steps.

In the current digital age, data has become a key asset, and data circulation provides unprecedented business opportunities for enterprises and individuals, and also brings great economic benefits to society. The data asset is different from the entity asset, and has the characteristics of no fixed controllable boundary, unlimited copying, random split circulation or use and the like.

However, these techniques can only support limited data operation functions, and the overhead of data operation is much higher than that of directly operating on transaction data plaintext, greatly increasing the data operation overhead, and furthermore, the data provider needs to perform data operation in cooperation with the data demander in whole course online, if one or more data requesters have a plurality of different data operation requirements, the data provider locally needs to execute a plurality of different data operation schemes, so that the technical difficulty of the data provider for providing transaction data is greatly increased. As can be seen, these techniques have significant feasibility problems in practical applications, severely restricting benign transactions and movement of data assets.

The method provided by the embodiment of the application can be executed by the related terminal equipment, and the following description takes the data processing end as an execution main body.

Referring to fig. 1, fig. 1 is a flow chart of a data circulation method according to a first embodiment of the present application. The first embodiment of the application provides a data circulation method which is applied to a data processing end, wherein the data processing end is respectively in communication connection with a data demand end and a data providing end, and the method comprises the following steps of S101-S103:

S101, acquiring an authorization data ciphertext, wherein the authorization data ciphertext is obtained by carrying out joint encryption on authorization data by a data demand end and a data supply end, and the authorization data is determined by carrying out authorization management by the data supply end according to a target data range and data use authority requested by the data demand end;

S102, responding to an authorization data use request sent by a data demand end, triggering the data demand end and a data providing end to perform joint decryption on authorization data ciphertext, and obtaining authorization data plaintext;

S103, under the condition that the data processing strategy of the data processing end accords with the data use rule of the data providing end, calculating the authorized data plaintext according to the data processing strategy to obtain an operation result, and returning the operation result to the data demand end, wherein the data use rule is generated by the data providing end according to the data use authority.

It should be noted that the data request end may be a terminal device with a communication function, such as a mobile phone, a tablet or a computer, which is held by the data request party, or may be a server device used by the data request party, the data providing end may be a terminal device with a communication function, such as a mobile phone, a tablet or a computer, which is held by the data providing party, or may be a server device used by the data providing party, and the data processing end may be a server device or a platform used by a third party. The data processing end performs trusted authentication with the data demand end and the data providing end respectively so as to establish communication connection with the data demand end and the data providing end respectively.

As an example, the data demand side applies for the authority of using the target data to the data providing side through the data demand side according to the data use demand of the data demand side, so that the data providing side performs authorization management according to the target data range and the data use authority requested by the data demand side, determines the authorization data, generates the data use rule according to the data use authority requested by the data demand side, performs joint encryption on the authorization data with the data demand side to obtain the authorization data ciphertext, and sends the authorization data ciphertext to the data processing side, so that the data processing side obtains the authorization data ciphertext.

In the data use stage, after confirming that the use target data, namely the use authority of the authorization data is obtained, the data demand side can send an authorization data use request to the data processing side through the data demand side every time the authorization data is required to be used.

After the data processing end obtains the authorization data ciphertext, waiting to receive an authorization data use request sent by the data demand end, after receiving the authorization data use request, triggering the data demand end and the data providing end to perform joint decryption on the authorization data ciphertext to obtain the authorization data plaintext, and under the condition that the data processing strategy of the data processing end is confirmed to be in accordance with the data use rule of the data providing end, calculating the authorization data plaintext according to the data processing strategy of the data processing end to obtain an operation result, returning the operation result to the data demand end, and then enabling the data demand end to receive the operation result to finish using the authorization data.

Wherein the data processing policy of the data processing end is generated by the data processing end in response to the authorization data use request.

In practical application, in order to avoid data leakage, after the data processing end returns an operation result to the data demand end, the local running state needs to be cleared, and all data information in the operation process is cleared.

In an alternative embodiment, the data demand end is in communication connection with the data providing end, the authorization data is obtained by sending a target data authorization request to the data providing end through the data demand end, wherein the target data authorization request comprises a target data range and a data use authority, determining target data according to the target data range through the data providing end in response to the target data authorization request, and determining that the target data is the authorization data under the condition that the data demand end is allowed to use the target data according to the data use authority.

Illustratively, the data-requiring side is communicatively coupled to the data-providing side.

In the data authorization stage, the data demand side inputs the target data range and the data use authority on the data demand side according to the data use demand of the data demand side. Wherein the data usage rights include one or more of a data usage manner and a data usage age. For example, the target data range is a data set A and a data set B stored on the data providing end, the data usage rights include a data usage mode and a data usage age, the data usage mode is a mode in the data set A and the data set B, and the data usage age is one month from the request day.

After the data demand end obtains the target data range and the data use authority input by the data demand side, a target data authorization request comprising the target data range and the data use authority is generated, and the target data authorization request is sent to the data supply end.

After receiving the target data authorization request, the data providing end responds to the target data authorization request, extracts a target data range and a data use authority from the target data authorization request, determines target data according to the target data range, judges whether the data demand end is allowed to use the target data according to the data use authority according to a prestored authorization management strategy, determines the target data as authorization data if the data demand end is allowed to use the target data according to the data use authority, and returns a target data authorization failure response to the data demand end if the data demand end is not allowed to use the target data.

In practical applications, the authorization management policy may be customized by the data provider.

In an alternative implementation manner of the embodiment, the target data authorization request carries the digital signature of the data demand end, and before the target data authorization request is responded, the method further comprises the step of determining that the digital signature passes verification through the data providing end.

As an example, after the data requesting end obtains the target data range and the data use authority input by the data requesting party, the data requesting end generates a target data authorization request including the target data range and the data use authority, and digitally signs the request data of the target data authorization request, so that the target data authorization request carries the digital signature of the data requesting end, so as to send the target data authorization request to the data providing end.

After receiving the target data authorization request, the data providing end verifies the digital signature of the data demand end carried by the target data authorization request, and under the condition that the digital signature of the data demand end passes the verification, the identity information of the data demand end is considered to be correctly identified, the response to the target data authorization request is allowed, and under the condition that the digital signature of the data demand end does not pass the verification, the identity information of the data demand end is considered to be incorrectly identified, the response to the target data authorization request is not allowed, and the target data authorization failure response is directly returned to the data demand end.

The data providing end allows to respond to the target data authorization request under the condition that the digital signature of the data requiring end is confirmed to pass verification by sending the target data authorization request carrying the digital signature of the data requiring end to the data providing end, thereby ensuring that the authorized legal data requiring party uses the target data and further improving the security of the authorization data.

According to the embodiment of the application, the data demand end sends the target data authorization request comprising the target data range and the data use authority to the data providing end, the data providing end responds to the target data authorization request, the target data is determined according to the target data range, and the target data is determined to be the authorization data under the condition that the data demand end is allowed to use the target data according to the data use authority, so that the data providing end can be ensured to accurately perform authorization management on the target data range and the data use authority requested by the data demand end in the data authorization stage, and the use authority of the authorization data is effectively ensured to be controllable.

In an alternative embodiment, the data demand end is in communication connection with the data supply end, the authorization data ciphertext is obtained by sending a public key of the data demand end to the data supply end through the data demand end, carrying out hierarchical encryption or collaborative encryption on the authorization data according to the public key of the data supply end and the public key of the data demand end through the data supply end to obtain the authorization data ciphertext, or sending a public key of the data demand end to the data supply end through the data demand end, carrying out encryption on the authorization data according to an encryption key of the data supply end to obtain an initial data ciphertext, carrying out hierarchical encryption or collaborative encryption on the encryption key according to the public key of the data supply end and the public key of the data demand end through the data supply end to obtain an encryption key ciphertext, and obtaining the authorization data ciphertext according to the initial data ciphertext and the encryption key ciphertext through the data supply end.

In the data authorization stage, the data demand end sends the public key of the data demand end to the data providing end.

If the data providing end adopts a hierarchical encryption mode based on a public key, the data providing end encrypts the authorization data according to the public key of the data providing end to obtain a first authorization data ciphertext, and then encrypts the first authorization data ciphertext according to the public key of the data demand end to obtain the authorization data ciphertext.

If the data providing end adopts a cooperative encryption mode based on the public key, the cooperative public key is determined according to the public key of the data providing end and the public key of the data demand end, and the authorization data is encrypted according to the cooperative public key to obtain the authorization data ciphertext.

The specific process of determining the cooperative public key is that the data providing end generates a random number d1 as a private key of the data providing end according to a public key P1= [ d1] G of the data providing end, the data demand end generates a random number d2 as a private key of the data demand end according to a public key P2= [ d2] G of the data demand end, and the data providing end calculates the cooperative public key P= [ d1] P2 according to the private key d1 of the data providing end and the public key P2 of the data demand end.

In practical application, a public key of the data processing end can be added to determine the cooperative public key, and the specific process of determining the cooperative public key is that the data demand end generates a random number d2 as a private key of the data demand end according to the public key P2= [ d2] G of the data demand end, the data processing end generates a random number d3 as a private key of the data processing end according to the public key P3= d3[ G ] of the data processing end, calculates an elliptic curve point P4= [ d3] P2, and the data providing end generates a random number d1 as a private key of the data providing end according to the public key P1= [ d1] G of the data providing end, and calculates the cooperative public key P= [ d1] P4 according to the private key d1 of the data providing end and the elliptic curve point P4 of the data processing end.

It should be noted that G represents the base point of the elliptic curve, d1, d2 and d 3. Epsilon. [1, n-1], and n represents the order of the elliptic curve.

The authorization data ciphertext C may be obtained by encrypting the authorization data M according to the cooperative public key P based on an elliptic curve cryptography algorithm, such as the SM2 algorithm, and specifically includes the following steps:

(1) Generating a first random number k, wherein k epsilon [1, n-1], n is the order of an elliptic curve, and performing scalar multiplication operation according to the first random number k and an elliptic curve base point G to obtain a first bit string C1= [ k ] G;

(2) Scalar multiplication is carried out according to the first random number k and the cooperative public key P, so that a first elliptic curve point [ k ] P= (x 1, y 1) is obtained;

(3) Determining a first security key t=kdf (x1||y1, klen) from a first elliptic curve point (x 1, y 1) based on a predefined key derivation function, wherein klen is the bit length of the authorisation data M;

(4) Under the condition that the first security key t is an all-zero bit string, reporting errors and exiting;

(5) Under the condition that the first secure key t is not an all-zero bit string, encrypting the authorization data M according to the first secure key t to obtain a second bit string C2=Mback t, wherein the back value represents bitwise exclusive OR operation;

(6) Hash operation is performed based on the first elliptic curve point (x 1, y 1) and the authorization data M, a third bit string c3=is obtained Hash (x 1M y 1);

(7) From the first bit string C1, the second bit string C2 and the third bit string C3, obtaining authorization data ciphertext c=c1||c 3C 2.

If the data providing end adopts a hierarchical encryption mode based on an encryption key, the authorization data is encrypted according to the encryption key of the data providing end to obtain an initial data ciphertext, then the encryption key is encrypted according to the public key of the data providing end to obtain a first encryption key ciphertext, then the first encryption key ciphertext is encrypted according to the public key of the data demand end to obtain an encryption key ciphertext, and finally the authorization data ciphertext is obtained according to the initial data ciphertext and the encryption key ciphertext.

If the data providing end adopts a cooperative encryption mode based on the encryption key, the authorization data is encrypted according to the encryption key of the data providing end to obtain an initial data ciphertext, then the cooperative public key is determined according to the public key of the data providing end and the public key of the data demand end, the encryption key is encrypted according to the cooperative public key to obtain an encryption key ciphertext, and finally the authorization data ciphertext is obtained according to the initial data ciphertext and the encryption key ciphertext.

In practical application, the data providing end can splice the initial data ciphertext and the encryption key ciphertext to obtain the authorization data ciphertext.

In practical applications, the type of encryption key may be a temporary symmetric key.

After the data providing end obtains the authorization data ciphertext, the data providing end can return the obtained authorization data ciphertext to the data demand end, and the data demand end forwards the authorization data ciphertext to the data processing end, or can directly send the obtained authorization data ciphertext to the data processing end.

According to the embodiment of the application, the public key of the data demand end is sent to the data providing end by the data demand end, the data providing end selects the hierarchical encryption mode based on the public key, the collaborative encryption mode based on the public key, the hierarchical encryption mode based on the encryption key or the collaborative encryption mode based on the encryption key to carry out joint encryption on the authorization data, so that the authorization data ciphertext is obtained, multiple encryption modes can be flexibly selected to carry out joint encryption on the authorization data, and the security of the authorization data is effectively ensured.

In an optional implementation manner of this embodiment, before the authorizing data is encrypted in a hierarchical manner or in a coordinated manner according to the public key of the data providing end and the public key of the data requiring end to obtain the ciphertext of the authorizing data or before the encrypting key of the data providing end encrypts the authorizing data to obtain the ciphertext of the initial data, the method further includes obtaining, by the data providing end, the key holding proving information of the data requiring end, and determining that the key holding proving information passes the verification.

As an example, the data providing end may first obtain the key holding proving information of the data demand end to verify after determining the authorization data, and then select a hierarchical encryption mode based on the public key, a cooperative encryption mode based on the public key, a hierarchical encryption mode based on the encryption key, or a cooperative encryption mode based on the encryption key to perform joint encryption on the authorization data to obtain the authorization data ciphertext when determining that the key holding proving information of the data demand end passes the verification.

It should be noted that the key holding certificate information of the data demand side includes the certificate information of the public key held by the data demand side.

In practical application, the data providing end can verify the key holding proving information of the data demand end in order to improve the data authorization processing efficiency, then authorize the target data requested by the data demand end according to the data use authority requested by the data demand end under the condition that the key holding proving information of the data demand end passes the verification, obtain authorized data, and select a public key-based hierarchical encryption mode, a public key-based collaborative encryption mode, an encryption key-based hierarchical encryption mode or an encryption key-based collaborative encryption mode to jointly encrypt the authorized data to obtain authorized data ciphertext, and directly return a data authorization failure response to the data demand end under the condition that the key holding proving information of the data demand end does not pass the verification.

The data providing end verifies the key holding proving information of the data demand end in the data authorization stage, and the public key of the data demand end is used for encrypting the authorization data only when the key holding proving information of the data demand end passes the verification, so that the effective encryption of the authorization data can be ensured, and the security of the authorization data is further improved.

In an alternative implementation of this embodiment, the target data authorization request includes a public key of the data-requiring side.

As an example, the data-requesting end may send a target data authorization request including the public key of the data-requesting end to the data-providing end, in addition to the public key of the data-requesting end alone.

In an alternative implementation of this embodiment, the target data authorization request includes the public key of the data-requiring side and the key-holding certificate information.

As an example, the data-requesting end may send, to the data-providing end, a target data authorization request including the public key and the key-holding certificate information of the data-requesting end, in addition to the key-holding certificate information of the data-requesting end alone.

For example, a data flow diagram of the data demand side negotiating the target data authorization problem with the data provider side is shown in fig. 2.

In an alternative embodiment, the triggering data demand end and the data providing end jointly decrypt the authorization data ciphertext to obtain the authorization data plaintext, and the method comprises the steps of generating a first decryption request and a second decryption request for the authorization data ciphertext according to data authorization information corresponding to the authorization data ciphertext, sending the first decryption request to the data demand end to obtain a first decryption result returned by the data demand end, sending the second decryption request to the data providing end to obtain a second decryption result returned by the data providing end, and determining the authorization data plaintext according to the first decryption result and the second decryption result.

As an example, after receiving an authorization data use request sent by a data demand end, a data processing end responds to the authorization data use request, generates a first decryption request and a second decryption request for authorization data ciphertext according to data authorization information corresponding to the previously acquired authorization data ciphertext, sends the first decryption request to the data demand end to obtain a first decryption result returned by the data demand end, sends the second decryption request to a data providing end to obtain a second decryption result returned by the data providing end, and determines authorization data plaintext according to the first decryption result and the second decryption result.

In practical applications, the authorization data ciphertext and the data authorization information corresponding to the authorization data ciphertext may be received by the data demand end from the data providing end and forwarded to the data processing end, or may be received by the data processing end directly from the data providing end.

In an optional implementation manner of this embodiment, the data authorization information includes identity information of the data providing end, identity information of the data requiring end, and associated information of the authorization data.

As an example, the data processing end responds to the authorization data usage request, invokes the authorization data ciphertext and the data authorization information corresponding to the authorization data ciphertext, extracts the identity information of the data providing end, the identity information of the data demand end and the associated information of the authorization data from the data authorization information, for example, the associated information of the authorization data includes an encryption mode selected by the data providing end for the authorization data, determines the data providing end according to the identity information of the data providing end, determines the data demand end according to the identity information of the data demand end, and determines the combined decryption request generation policy according to the associated information of the authorization data, generates a first decryption request and a second decryption request for the authorization data ciphertext based on the combined decryption request generation policy, sends the first decryption request to the data demand end, obtains a first decryption result returned by the data demand end, sends the second decryption request to the data providing end, obtains a second decryption result returned by the data providing end, and determines the authorization data plaintext according to the first decryption result and the second decryption result.

Specifically, if the encryption mode of the data providing end to the authorization data is the hierarchical encryption mode based on the public key, the data processing end firstly generates a first decryption request including the authorization data ciphertext, sends the first decryption request to the data demand end, enables the data demand end to respond to the first decryption request to decrypt the authorization data ciphertext according to the private key of the data demand end and return the obtained second authorization data ciphertext, receives the second authorization data ciphertext, generates a second decryption request including the second authorization data ciphertext, sends the second decryption request to the data providing end, enables the data providing end to respond to the second decryption request to decrypt the second authorization data ciphertext according to the private key of the data providing end and return the obtained authorization data plaintext, and finally receives the authorization data plaintext.

If the encryption mode of the data providing end for the authorization data is the collaborative encryption mode based on the public key, the data processing end firstly generates a first decryption request, sends the first decryption request to the data demand end, enables the data demand end to respond to the first decryption request and return an intermediate decryption result, regenerates a second decryption request, sends the second decryption request to the data providing end, enables the data providing end to respond to the second decryption request and return the intermediate decryption result, and finally decrypts the authorization data ciphertext according to the intermediate decryption result to obtain the authorization data plaintext.

The authorization data ciphertext may be decrypted based on an elliptic curve cryptography algorithm, such as an SM2 algorithm, and specifically includes the following steps:

(1) The data processing end takes out a first bit string C1 from the authorization data ciphertext C, verifies whether the C1 is a point on an elliptic curve, if so, enters (2), and if not, misinformation exits;

(2) The data processing end calculates an elliptic curve point S= [ h ] C1, if S is not an infinity point, the method enters (3), and if S is an infinity point, the method exits in error, wherein Yu Yinzi h refers to the proportion of the order of the whole elliptic curve group to the order of a subgroup generated by the selected base point;

(3) The data processing end generates a second random number k 'E [1, n-1], calculates Q=C1- [ k' ] G, and calculates Q3=d3Q;

(4) The data processing end sends Q3 to the data demand end, the data demand end calculates Q2 = d2Q3, and returns Q2 to the data processing end;

(5) The data processing end sends Q2 to the data providing end, the data providing end calculates Q1 = d1Q2, and returns Q1 to the data processing end;

(6) The data processing end calculates (x 2, y 2) =q1+k' P;

(7) Calculating t=KDF (x 2||y2, klen), entering (8) if t is not an all-0 bit string, and exiting by error if t is an all-0 bit string;

(8) Taking out a second bit string C2 from the authorization data ciphertext C, and calculating M' =C2;

(9) Calculating u=hash (x2|m' |y2), taking out a third bit string C3 from C, entering (10) if u=c3, and exiting the error well if u++c3;

(10) And outputting the authorization data plaintext M'.

If the encryption mode of the data providing end for the authorization data is the hierarchical encryption mode based on the encryption key, the data processing end firstly determines an initial data ciphertext and an encryption key ciphertext according to the authorization data ciphertext, regenerates a first decryption request comprising the encryption key ciphertext, sends the first decryption request to the data demand end, enables the data demand end to respond to the first decryption request to decrypt the encryption key ciphertext according to a private key of the data demand end and return the obtained third encryption key ciphertext, then receives the third encryption key ciphertext, generates a second decryption request comprising the third encryption key ciphertext, sends a second decryption request to the data providing end, enables the data providing end to respond to the second decryption request to decrypt the third encryption key ciphertext according to the private key of the data providing end and return the obtained encryption key, and finally receives the encryption key, decrypts the initial data ciphertext according to the encryption key, so as to obtain the authorization data plaintext.

If the encryption mode of the data providing end to the authorization data is the collaborative encryption mode based on the encryption key, the data processing end firstly determines an initial data ciphertext and an encryption key ciphertext according to the authorization data ciphertext, generates a first decryption request, sends the first decryption request to the data demand end, enables the data demand end to respond to the first decryption request to return an intermediate decryption result, then generates a second decryption request, sends the second decryption request to the data providing end, enables the data providing end to respond to the second decryption request to return the intermediate decryption result, then decrypts the encryption key ciphertext according to the intermediate decryption result to obtain an encryption key, and finally decrypts the initial data ciphertext according to the encryption key to obtain the authorization data plaintext.

In an alternative implementation of this embodiment, the data authorization information carries a digital signature of the data provider.

As an example, since the data authorization information corresponding to the authorization data ciphertext carries the digital signature of the data providing end, after receiving the data authorization information corresponding to the authorization data ciphertext, the data processing end needs to verify the digital signature of the data providing end carried by the data authorization information, and after determining that the digital signature of the data providing end passes the verification, the data processing end is allowed to respond to the authorization data use request sent by the data demand end.

In another optional implementation manner of this embodiment, the sending the second decryption request to the data providing end to obtain the second decryption result returned by the data providing end includes sending, by the data demand end, the second decryption request to the data providing end, and obtaining, by the data demand end, the second decryption result returned by the data providing end, where the second decryption request includes a public key of the data processing end, and the second decryption result is obtained by encrypting, by the data providing end, according to the public key of the data processing end.

As an example, to reduce the communication pressure of the data processing end, the data processing end may also send a second decryption request including the public key of the data processing end to the data demand end, send the second decryption request to the data providing end through the data demand end, so that the data providing end responds to the second decryption request to perform corresponding decryption processing, encrypt the obtained corresponding decryption result according to the public key of the data processing end, return the obtained second decryption result to the data demand end, and further receive the second decryption result through the data demand end.

The data demand end forwards the second decryption request comprising the public key of the data processing end to the data providing end, and forwards the second decryption result obtained by the data providing end according to the encryption of the public key of the data processing end to the data processing end, so that the communication pressure of the data processing end can be reduced, the data demand end can be effectively prevented from acquiring the related decryption result, and the data demand side can be ensured to use the authorization data in the authorization range.

According to the embodiment of the application, the data processing end generates the first decryption request and the second decryption request aiming at the authorization data ciphertext according to the data authorization information corresponding to the authorization data ciphertext, the first decryption request is sent to the data demand end to obtain the first decryption result returned by the data demand end, the second decryption request is sent to the data providing end to obtain the second decryption result returned by the data providing end, the authorization data plaintext is determined according to the first decryption result and the second decryption result, the data demand end and the data providing end can be triggered efficiently to jointly decrypt the authorization data ciphertext, and the authorization data ciphertext is ensured to be accurately acquired.

In an alternative embodiment, the first decryption request comprises first remote attestation information of the data processing end, the second decryption request comprises second remote attestation information of the data processing end, the first decryption result and the second decryption result are obtained by verifying the first remote attestation information through the data demand end in response to the first decryption request and decrypting the authorization data ciphertext if the first remote attestation information passes verification to obtain a first decryption result, and by responding to the second decryption request through the data providing end and decrypting the authorization data ciphertext if the second remote attestation information passes verification to obtain a second decryption result.

As an example, the data processing side adds the first remote attestation information of the data processing side to the first decryption request in the process of generating the first decryption request, such that the first decryption request includes the first remote attestation information of the data processing side. Likewise, the data processing end adds the second remote attestation information of the data processing end to the second decryption request in the process of generating the second decryption request, so that the second decryption request comprises the second remote attestation information of the data processing end.

It should be noted that the first remote attestation information and the second remote attestation information of the data processing end include information for attesting the identity of the data processing end.

After receiving a first decryption request sent by a data processing end, the data demand end responds to the first decryption request, extracts first remote certification information of the data processing end from the first decryption request, verifies the first remote certification information of the data processing end, considers that the identity information of the data processing end is correctly identified under the condition that the first remote certification information of the data processing end is verified, continues to perform corresponding decryption processing on authorized data ciphertext to obtain a first decryption result, considers that the identity information of the data processing end is incorrectly identified under the condition that the first remote certification information of the data processing end is not verified, and returns a data use failure response to the data demand end.

And after receiving a second decryption request sent by the data processing end, the data providing end responds to the second decryption request, extracts second remote certification information of the data processing end from the second decryption request, verifies the second remote certification information of the data processing end, considers that the identity information of the data processing end is correctly verified under the condition that the second remote certification information of the data processing end passes the verification, continues to carry out corresponding decryption processing on authorized data ciphertext to obtain a second decryption result, considers that the identity information of the data processing end is wrong under the condition that the second remote certification information of the data processing end does not pass the verification, and returns a data use failure response to the data demand end.

According to the embodiment of the application, the first remote certification information of the data processing end is added to the first decryption request by the data processing end, and the second remote certification information of the data processing end is added to the second decryption request, so that the data demand end decrypts the authorized data ciphertext only when the first remote certification information of the data processing end is confirmed to pass verification, and the data supply end decrypts the authorized data ciphertext only when the second remote certification information of the data processing end is confirmed to pass verification, thereby effectively ensuring the safety and credibility of the communication environment among the three ends of the data processing end, the data demand end and the data supply end, further ensuring the safe and efficient circulation of transaction data, and promoting the benign transaction and flow of data assets.

Illustratively, the data demand end and the data providing end acquire the standard remote certification information of the data processing end from the trusted channel in advance for local storage.

And the data processing end adds the first remote certification information of the data processing end in the first decryption request in the process of generating the first decryption request, so that the first decryption request comprises the first remote certification information of the data processing end. Likewise, the data processing end adds the second remote attestation information of the data processing end to the second decryption request in the process of generating the second decryption request, so that the second decryption request comprises the second remote attestation information of the data processing end.

It should be noted that, the standard remote attestation information, the first remote attestation information and the second remote attestation information of the data processing end are safe and reliable in operation environment for remote attesting the data processing end, and the execution function accords with the expected information.

In an alternative embodiment, before the decrypting the ciphertext for the authorization data to obtain the second decrypting result, the method includes determining, by the data providing end, that the data processing policy meets the data usage rule.

According to the embodiment of the application, under the condition that the second remote certification information of the data processing end is confirmed to pass verification and the data processing strategy of the data processing end accords with the data use rule, the data providing end decrypts the authorization data ciphertext to obtain the second decryption result, so that the data providing end can check the processing strategy of the data processing end on the authorization data together, the data processing end is ensured to process the authorization data within the data use authority range of the authorization data, the safe and efficient circulation of transaction data is further ensured, and the benign transaction and flow of data assets are promoted.

In an alternative embodiment, determining that the data processing policy meets the data usage rule includes comparing, by the data providing terminal, descriptive data of the data processing policy with descriptive data of the locally stored data usage rule, and determining, by the data providing terminal, that the data processing policy meets the data usage rule if the descriptive data of the data processing policy meets the descriptive data of the data usage rule.

Illustratively, the data processing side sends description data of the data processing policy to the data providing side.

In practical application, the data processing end may send the description data of the data processing policy to the data providing end separately, and may further add the description data of the data processing policy to the second decryption request in the process of generating the second decryption request, so that the second decryption request includes the description data of the data processing policy.

In practical applications, the description data of the data processing policy includes one or more of a data usage manner and a data usage time. For example, the description data of the data processing policy includes a data usage manner and a data usage time, and the data providing terminal may determine whether the description data of the data processing policy is consistent with the description data of the data usage rule by comparing whether the data usage manner in the data processing policy is consistent with the data usage manner in the data usage rule, comparing whether the data usage time in the data processing policy is within the data usage time in the data usage rule, and the like.

According to the embodiment of the application, the data providing end adopts a description data comparison mode to determine whether the data processing strategy accords with the data use rule, so that the data providing end can be ensured to rapidly and accurately determine whether the data processing strategy accords with the data use rule, the safe and efficient circulation of transaction data is further ensured, and the benign transaction and flow of data assets are promoted.

For example, a data flow diagram of the data processing side, the data requesting side and the data providing side negotiating the authorized data use problem is shown in fig. 3.

In an alternative embodiment, the data processing end is a terminal comprising a program running in a trusted execution environment or a service built based on the trusted execution environment.

As an example, according to actual application requirements, a program running in a trusted execution environment, such as a trusted execution environment TEE, may be configured in any terminal, or a service constructed based on the trusted execution environment, and this terminal is used as a data processing end, so that the data processing end performs trusted authentication with a data demand end and a data providing end respectively, so as to establish a communication connection with the data demand end and the data providing end respectively.

By selecting a terminal configured with a program running in a trusted execution environment or a service constructed based on the trusted execution environment as a data processing terminal, a third party trusted terminal trusted by a data demand terminal and a data providing terminal can be introduced, so that not only is the data processing capability authorized by the data providing terminal provided for the data demand terminal, but also core operation in the use process of the authorized data is transferred to one side of the data processing terminal for execution, and the processing pressure of the data providing terminal is effectively reduced.

In practical applications, a program running in a trusted execution environment or a service built based on the trusted execution environment may also be configured directly in the data-requiring/data-providing side.

The embodiment of the application can introduce the third party trusted terminal to participate in the authorized data using process by selecting the terminal comprising the program running in the trusted execution environment or the service constructed based on the trusted execution environment as the data processing terminal, thereby further ensuring the safe and efficient circulation of the transaction data and promoting the benign transaction and flow of the data asset.

In order to more clearly illustrate a data circulation method provided by the first embodiment of the present application, the data circulation method is applied, and a data flow diagram of the data circulation method is shown in fig. 4.

Referring to fig. 5, fig. 5 is a schematic structural diagram of a data flow system according to a second embodiment of the present application. The second embodiment of the application provides a data circulation system, which comprises a data processing end 201, wherein the data processing end 201 is respectively in communication connection with a data demand end and a data providing end, the data processing end 201 is used for acquiring authorization data ciphertext, the authorization data ciphertext is obtained by jointly encrypting authorization data by the data demand end and the data providing end, the authorization data is determined by the data providing end according to authorization management according to a target data range and data use permission requested by the data demand end, the data demand end and the data providing end are triggered to jointly decrypt the authorization data ciphertext in response to an authorization data use request sent by the data demand end to obtain authorization data plaintext, and when a data processing strategy of the data processing end 201 accords with a data use rule of the data providing end, the operation result is obtained by operating the authorization data plaintext according to the data processing strategy, and the operation result is returned to the data demand end, wherein the data use rule is generated by the data providing end according to the data use permission.

In an alternative embodiment, the system further comprises a data demand side and a data providing side, the data demand side being communicatively connected to the data providing side, the authorization data being obtained by:

the data request end is used for sending a target data authorization request to the data providing end, wherein the target data authorization request comprises a target data range and a data use authority;

the data providing end is used for responding to the target data authorization request, determining target data according to the target data range, and determining the target data as authorization data under the condition that the data demand end is allowed to use the target data according to the data use permission.

In an alternative embodiment, the system further comprises a data demand end and a data supply end, wherein the data demand end is in communication connection with the data supply end, the data demand end is used for sending a public key of the data demand end to the data supply end, the data supply end is used for conducting hierarchical encryption or collaborative encryption on authorization data according to the public key of the data supply end and the public key of the data demand end to obtain authorization data ciphertext, or the data demand end is used for sending a public key of the data demand end to the data supply end, the data supply end is used for conducting encryption on the authorization data according to an encryption key of the data supply end to obtain initial data ciphertext, the data supply end is used for conducting hierarchical encryption or collaborative encryption on the encryption key according to the public key of the data supply end and the public key of the data demand end to obtain encryption key ciphertext, and the data supply end is used for obtaining the authorization data ciphertext according to the initial data ciphertext and the encryption key ciphertext.

In an alternative embodiment, the system comprises a data demand end and a data providing end, wherein the first decryption request comprises first remote proving information of the data processing end, the second decryption request comprises second remote proving information of the data processing end, the data demand end is used for responding to the first decryption request and decrypting the authorization data ciphertext to obtain a first decryption result when the first remote proving information passes the verification, and the data providing end is used for responding to the second decryption request and verifying the second remote proving information and decrypting the authorization data ciphertext to obtain a second decryption result when the second remote proving information passes the verification.

In an alternative embodiment, the data providing end is further configured to determine that the data processing policy meets the data usage rule before the decrypting is performed on the authorization data ciphertext to obtain the second decrypting result.

In an alternative embodiment, the data providing end is configured to compare the description data of the data processing policy with the description data of the locally stored data usage rule, and determine that the data processing policy conforms to the data usage rule if the description data of the data processing policy conforms to the description data of the data usage rule.

The implementation process of the functions and roles of the data processing end 201 in the above system is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.

Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to a third embodiment of the present application. The third embodiment of the present application provides an electronic device 30, including a processor 301, a memory 302, and a computer program stored in the memory 302 and configured to be executed by the processor 301, where the processor 301 implements the method according to the first embodiment of the present application and achieves the same advantageous effects as the method according to the first embodiment of the present application.

Wherein the processor 301, when reading a computer program from the memory 302 via the bus 303 and executing said computer program, may implement the method of any of the embodiments comprised by the method according to the first embodiment of the application.

The processor 301 may process digital signals and may include various computing structures. Such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 301 may be a microprocessor.

Memory 302 may be used for storing instructions to be executed by processor 301 or data relating to the execution of instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more of the modules described in embodiments of the present application. The processor 301 of the disclosed embodiment may be configured to execute instructions in the memory 302 to implement the method according to the first embodiment of the present application. Memory 302 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.

A fourth embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium includes a stored computer program, where the computer program when executed controls a device in which the computer readable storage medium is located to perform a method according to the first embodiment of the present application, and achieves the same advantageous effects as the method.

A fifth embodiment of the application provides a computer program product comprising instructions which, when executed by a computer, cause the computer to carry out the method according to the first embodiment of the application and achieve the same advantageous results as the method.

The method according to the first embodiment of the present application may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions described in the various embodiments of the present application are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network device, a user device, a core network device, an OAM (Open Application Model ), or other programmable device.

The computer program or instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer program or instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired or wireless means. The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that integrates one or more available media. The usable medium may be a magnetic medium such as a floppy disk, a hard disk, a magnetic tape, an optical medium such as a digital video disk, or a semiconductor medium such as a solid state disk. The computer readable storage medium may be volatile or nonvolatile storage medium, or may include both volatile and nonvolatile types of storage medium.

In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.

The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The storage medium includes a U disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, an optical disk, or other various media capable of storing program codes.

The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily appreciate variations or alternatives within the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims

Translated fromChinese

1.一种数据流通方法，其特征在于，应用于数据处理端，所述数据处理端分别与数据需求端和数据提供端通信连接；所述方法包括：1. A data circulation method, characterized in that it is applied to a data processing end, wherein the data processing end is respectively connected to a data demand end and a data provider end in communication; the method comprises:

获取授权数据密文；其中，所述授权数据密文是所述数据需求端和所述数据提供端对授权数据进行联合加密得到的，所述授权数据是所述数据提供端根据所述数据需求端请求的目标数据范围和数据使用权限进行授权管理确定的；Obtaining the ciphertext of the authorization data; wherein the ciphertext of the authorization data is obtained by the data demander and the data provider jointly encrypting the authorization data, and the authorization data is determined by the data provider through authorization management according to the target data range and data usage rights requested by the data demander;

响应所述数据需求端发送的授权数据使用请求，触发所述数据需求端和所述数据提供端对所述授权数据密文进行联合解密，得到授权数据明文；In response to the authorization data use request sent by the data demander, trigger the data demander and the data provider to jointly decrypt the authorization data ciphertext to obtain the authorization data plaintext;

在所述数据处理端的数据处理策略符合所述数据提供端的数据使用规则的情况下，根据所述数据处理策略对所述授权数据明文进行运算，得到运算结果，并向所述数据需求端返回所述运算结果；其中，所述数据使用规则是所述数据提供端根据所述数据使用权限生成的。When the data processing policy of the data processing end complies with the data usage rules of the data providing end, the authorized data is plaintext operated according to the data processing policy to obtain the operation result, and the operation result is returned to the data demanding end; wherein the data usage rules are generated by the data providing end according to the data usage rights.

2.根据权利要求1所述的方法，其特征在于，所述数据需求端与所述数据提供端通信连接；所述授权数据是通过以下方式得到的：2. The method according to claim 1, characterized in that the data demander is in communication connection with the data provider; the authorization data is obtained by:

通过所述数据需求端，向所述数据提供端发送目标数据授权请求；其中，所述目标数据授权请求包括所述目标数据范围和所述数据使用权限；Sending a target data authorization request to the data provider through the data demander; wherein the target data authorization request includes the target data range and the data usage authority;

通过所述数据提供端，响应所述目标数据授权请求，根据所述目标数据范围确定目标数据，并在允许所述数据需求端按照所述数据使用权限使用所述目标数据的情况下，确定所述目标数据为所述授权数据。The target data authorization request is responded to through the data provider, the target data is determined according to the target data range, and the target data is determined to be the authorized data when the data demander is allowed to use the target data according to the data usage authority.

3.根据权利要求1所述的方法，其特征在于，所述数据需求端与所述数据提供端通信连接；所述授权数据密文是通过以下方式得到的：3. The method according to claim 1 is characterized in that the data demand end is in communication connection with the data provider end; the authorization data ciphertext is obtained by:

通过所述数据需求端，向所述数据提供端发送所述数据需求端的公钥；Sending the public key of the data demander to the data provider through the data demander;

通过所述数据提供端，根据所述数据提供端的公钥和所述数据需求端的公钥，对所述授权数据进行层次式加密或协同式加密，得到所述授权数据密文；或者，By means of the data provider, the authorization data is hierarchically encrypted or collaboratively encrypted according to the public key of the data provider and the public key of the data demander to obtain the authorization data ciphertext; or

通过所述数据提供端，根据所述数据提供端的加密密钥，对所述授权数据进行加密，得到初始数据密文；Encrypting the authorization data by the data provider according to the encryption key of the data provider to obtain an initial data ciphertext;

通过所述数据提供端，根据所述数据提供端的公钥和所述数据需求端的公钥，对所述加密密钥进行层次式加密或协同式加密，得到加密密钥密文；By means of the data provider, according to the public key of the data provider and the public key of the data demander, the encryption key is hierarchically encrypted or collaboratively encrypted to obtain an encryption key ciphertext;

通过所述数据提供端，根据所述初始数据密文和所述加密密钥密文，得到所述授权数据密文。The authorization data ciphertext is obtained through the data providing end according to the initial data ciphertext and the encryption key ciphertext.

4.根据权利要求1所述的方法，其特征在于，所述触发所述数据需求端和所述数据提供端对所述授权数据密文进行联合解密，得到授权数据明文，包括：4. The method according to claim 1, characterized in that the triggering of the data demand end and the data provider end to jointly decrypt the authorization data ciphertext to obtain the authorization data plaintext comprises:

根据所述授权数据密文对应的数据授权信息，生成针对所述授权数据密文的第一解密请求和第二解密请求；generating a first decryption request and a second decryption request for the authorization data ciphertext according to the data authorization information corresponding to the authorization data ciphertext;

向所述数据需求端发送所述第一解密请求，得到所述数据需求端返回的第一解密结果；Sending the first decryption request to the data demand end, and obtaining a first decryption result returned by the data demand end;

向所述数据提供端发送所述第二解密请求，得到所述数据提供端返回的第二解密结果；Sending the second decryption request to the data provider, and obtaining a second decryption result returned by the data provider;

根据所述第一解密结果和所述第二解密结果，确定所述授权数据明文。The authorization data plaintext is determined according to the first decryption result and the second decryption result.

5.根据权利要求4所述的方法，其特征在于，所述第一解密请求包括所述数据处理端的第一远程证明信息，所述第二解密请求包括所述数据处理端的第二远程证明信息；所述第一解密结果和所述第二解密结果是通过以下方式得到的：5. The method according to claim 4, characterized in that the first decryption request includes first remote certification information of the data processing end, and the second decryption request includes second remote certification information of the data processing end; the first decryption result and the second decryption result are obtained by:

通过所述数据需求端，响应所述第一解密请求，验证所述第一远程证明信息，并在所述第一远程证明信息通过验证的情况下，针对所述授权数据密文进行解密，得到所述第一解密结果；Responding to the first decryption request through the data demand end, verifying the first remote attestation information, and decrypting the authorization data ciphertext when the first remote attestation information passes the verification to obtain the first decryption result;

通过所述数据提供端，响应所述第二解密请求，验证所述第二远程证明信息，并在所述第二远程证明信息通过验证的情况下，针对所述授权数据密文进行解密，得到所述第二解密结果。The second decryption request is responded to through the data provider, the second remote certification information is verified, and when the second remote certification information passes the verification, the authorization data ciphertext is decrypted to obtain the second decryption result.

6.根据权利要求5所述的方法，其特征在于，所述验证所述第一远程证明信息，包括：6. The method according to claim 5, wherein the verifying the first remote attestation information comprises:

通过所述数据需求端，将所述第一远程证明信息与本地存储的标准远程证明信息进行比对；By means of the data demand end, the first remote attestation information is compared with the locally stored standard remote attestation information;

通过所述数据需求端，若所述第一远程证明信息与所述标准远程证明信息一致，则确定所述第一远程证明信息通过验证，否则确定所述第一远程证明信息未通过验证；By the data demand end, if the first remote attestation information is consistent with the standard remote attestation information, it is determined that the first remote attestation information has passed the verification; otherwise, it is determined that the first remote attestation information has not passed the verification;

所述验证所述第二远程证明信息，包括：The verifying the second remote attestation information includes:

通过所述数据提供端，将所述第二远程证明信息与本地存储的所述标准远程证明信息进行比对；By means of the data provider, the second remote attestation information is compared with the standard remote attestation information stored locally;

通过所述数据提供端，若所述第二远程证明信息与所述标准远程证明信息一致，则确定所述第二远程证明信息通过验证，否则确定所述第二远程证明信息未通过验证；By the data provider, if the second remote attestation information is consistent with the standard remote attestation information, determining that the second remote attestation information has passed the verification, otherwise determining that the second remote attestation information has not passed the verification;

其中，所述标准远程证明信息是所述数据需求端和所述数据提供端通过可信渠道获取的。The standard remote certification information is obtained by the data demander and the data provider through a trusted channel.

7.根据权利要求5所述的方法，其特征在于，在所述针对所述授权数据密文进行解密，得到所述第二解密结果之前，包括：7. The method according to claim 5, characterized in that before decrypting the authorization data ciphertext to obtain the second decryption result, it comprises:

通过所述数据提供端，确定所述数据处理策略符合所述数据使用规则。Through the data provider, it is determined that the data processing strategy complies with the data usage rule.

8.根据权利要求7所述的方法，其特征在于，所述确定所述数据处理策略符合所述数据使用规则，包括：8. The method according to claim 7, wherein determining that the data processing strategy complies with the data usage rule comprises:

通过所述数据提供端，将所述数据处理策略的描述数据与本地存储的所述数据使用规则的描述数据进行比对；By means of the data provider, the description data of the data processing strategy is compared with the description data of the data usage rules stored locally;

通过所述数据提供端，在所述数据处理策略的描述数据与所述数据使用规则的描述数据一致的情况下，确定所述数据处理策略符合所述数据使用规则。Through the data provider, when the description data of the data processing strategy is consistent with the description data of the data usage rule, it is determined that the data processing strategy complies with the data usage rule.

9.根据权利要求1至8任一项所述的方法，其特征在于，所述数据处理端为包括有运行在可信执行环境中的程序或基于可信执行环境构建的服务的终端。9. The method according to any one of claims 1 to 8, characterized in that the data processing end is a terminal including a program running in a trusted execution environment or a service built based on a trusted execution environment.

10.一种数据流通系统，其特征在于，包括数据处理端；所述数据处理端分别与所述数据需求端和所述数据提供端连接；10. A data circulation system, characterized in that it comprises a data processing end; the data processing end is connected to the data demand end and the data provider end respectively;

所述数据处理端，用于：The data processing end is used for:

11.一种电子设备，其特征在于，包括处理器、存储器以及存储在所述存储器中且被配置为由所述处理器执行的计算机程序；所述处理器执行所述计算机程序时实现根据权利要求1至9任一项所述的方法。11. An electronic device, comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor; when the processor executes the computer program, the method according to any one of claims 1 to 9 is implemented.

12.一种计算机可读存储介质，其特征在于，所述计算机可读存储介质包括存储的计算机程序；其中，在所述计算机程序运行时控制所述计算机可读存储介质所在设备执行根据权利要求1至9任一项所述的方法。12. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored computer program; wherein, when the computer program is running, the device where the computer-readable storage medium is located is controlled to execute the method according to any one of claims 1 to 9.