KR102025409B1 - Data access management system based on blockchain and method thereof - Google Patents

Abstract

The data access management system according to the present invention creates, stores, and manages a user context based on a blockchain, creates an access tree using a user context of a data owner to grant data access rights, and uses data to access the data. By generating a cipher text and generating a secret key using the data requestor's user context, the data cipher text and the secret key can be transmitted and decrypted to the data requestor, thereby providing a highly secure data access management system.

Description

Data access management system based on blockchain and method according to blockchain

The present invention relates to a data access management system and a data access management method based on a block chain, and more particularly, an access right for accessing data of a data owner using a user context using a block chain. The present invention relates to a data access management system and a data access management method that can be flexibly assigned to each user.

Block chain, also known as public trading ledger, is a technology that prevents hacking that can occur when trading in virtual currency. Traditional financial firms keep transaction records on a centralized server, while blockchain sends transaction details to all users participating in a transaction and checks each transaction for counterfeiting. Blockchain is applied to Bitcoin, a representative online virtual currency. Bitcoin records transaction details transparently in a book that anyone can read, and several computers using Bitcoin verify this record every 10 minutes to prevent hacking.

Meanwhile, a conventional file sharing system stores and manages data or files in a cloud storage using a centralized server, and users access or request data or files by accessing the cloud storage. In this case, not only mass storage devices are required, but a centralized server for managing them is required, resulting in a complicated system design and maintenance.

In addition, various methods have been attempted to flexibly grant each user access to data generated by a plurality of nodes constituting the Internet of Things ('IoT'). Even in this case, not only distributed storage of data in each node is not easy, but also a problem arises that it is not easy to provide a search service for other users while providing security for data stored in each node.

Accordingly, the present applicant can flexibly provide access rights according to the user to access data stored in the nodes of the data owner using a user context based on the blockchain, thereby ensuring security and data integrity. We would like to propose a data access management system.

Korean Patent Publication No. 10-2016-0050876 Korean Patent Publication No. 10-1727525

An object of the present invention to solve the above-mentioned problem is to provide a user with a flexible access authority to access the data stored in the nodes of the data owner using a blockchain-based user context It is to provide a data access management system based on blockchain.

Another object of the present invention is to provide a data access management method that can be used in the data access management system based on the aforementioned blockchain.

In the data access management system for a plurality of user nodes participating in the blockchain according to the first aspect of the present invention for achieving the above technical problem,

Each of the user nodes comprises: a block chain in which a series of blocks are connected and configured; A context manager for generating user context information for a user node and storing and managing the user context information using the blockchain; An address manager for storing and managing data names for the data and address information of the data owner for the data using the blockchain when storing data generated by the data owner among user nodes in a preset shared directory; An access authorization manager for generating a data cipher text and a secret key encrypting the requested data from the data requester among the user nodes, and transmitting the generated data cipher text and the secret key to the data requester; Searching for data names stored and managed in the blockchain, extracting address information for the data owner stored with the retrieved data name from the blockchain, and using the address information for the extracted data owner in the retrieved data name. A data retrieval manager for requesting corresponding data; It is provided.

In the blockchain-based data access management system according to the first aspect, the access authorization manager uses a user context for a data owner when a data request corresponding to an arbitrary data name is generated from the data requestor. Encrypting the requested data to generate a data cipher text, extracting a user context for the data requestor from the blockchain, generating a secret key using the extracted user context for the data requestor, and generating the data Preferably, a cipher text and the secret key are transmitted to the data requester.

It is more preferable to generate an access tree for granting data access authority using the user context for the data owner, and to encrypt the requested data using the access tree to generate a data cipher text.

In the blockchain-based data access management system according to the first aspect, the access authorization manager, wherein the access tree is configured in a tree structure in which the user context for the data owner is a leaf node. Features,

If the user context for the data requestor satisfies the condition of the access tree, the data ciphertext can be decrypted using the secret key. If the user context for the data requester does not satisfy the condition of the access tree, the secret key is used. It is preferable to configure the conditions of the access tree so that the data cipher text cannot be decrypted.

In the blockchain-based data access management system according to the first aspect, if the address manager stores data generated by the data owner in a preset shared directory, the data name for the data and the address of the data owner are stored. Extract the information, create a transaction, and send it to all user nodes participating in the blockchain.

The transaction is preferably stored and managed as a block of the blockchain through the Proof-of-Work process of the user nodes participating in the blockchain.

In the blockchain-based data access management system according to the first aspect, the address manager includes a status flag in a data name for the data, and the current flag of the data corresponding to the data name in the status flag. It is desirable to record the information.

In the blockchain-based data access management system according to the first aspect, the address manager preferably extracts the IP address and TCP port number of the data owner as address information of the data owner.

In the blockchain-based data access management system according to the first aspect, the context manager extracts context information about a user of each user node, generates a transaction, and transmits it to all user nodes participating in the blockchain. In addition, the transaction is preferably stored and managed as a block of the blockchain through the Proof-of-Work process of the user nodes participating in the blockchain.

Data access management method for a plurality of user nodes participating in the blockchain according to the second aspect of the present invention, (a) generating user context information for the user node, using the blockchain, the user context Storing and managing information; (b) storing data generated by a data owner among user nodes in a preset shared directory, and storing and managing a data name for the data and address information of the data owner for the data using the blockchain; step; (c) when a data request corresponding to an arbitrary data name is generated from a data requester among user nodes, generating and transmitting a data cipher text and a secret key encrypting the requested data to the data requester; (d) searching for data names stored and managed in the blockchain, extracting address information for the data owner stored with the retrieved data name from the blockchain, and using the retrieved data information for the owner of the extracted data; Requesting data corresponding to the data name; It is provided.

In the blockchain-based data access management method according to the second aspect, in the step (c), if a data request corresponding to an arbitrary data name is generated from the data requester, the user context for the data owner is used. Generating an access tree for granting data access rights; encrypting the requested data using the access tree to generate a data cipher text; extracting a user context for the data requestor from the blockchain; And generating a secret key using the extracted user context for the data requestor, and transmitting the generated data cipher text and the secret key to the data requestor.

In the blockchain-based data access management method according to the second aspect, in the step (b), if the data generated by the data owner is stored in a preset shared directory, the data name for the data and the data owner Generating a transaction by extracting the address information of the user, transmitting the generated transaction to all user nodes participating in the blockchain, and receiving the transaction from the user nodes receiving the transaction. And storing and managing the block in the blockchain.

The data access management system according to the present invention records the context of all users participating in the blockchain network in a block, stores the name of data created in a folder designated by the data owner, along with its IP, in the blockchain, Users who participate in can identify the data owner by searching the data name and request data based on this, and the data owner creates the data ciphertext by assigning the user context for the data requestor extracted from the blockchain to the access tree set by the user. The data owner can decrypt the data ciphertext if the data requester fits the access tree established by the data owner, otherwise the data ciphertext cannot be decrypted. Approach It is possible to establish a flexible, depending on the data requester.

In addition, the data access management system according to the present invention, as well as the data sharing platform on the network, it is possible to implement a data management system that can be shared by all users and check the data list and a transmission system for granting data access rights. The system according to the present invention stores data names or information of data owners through a blockchain, thereby providing data integrity through a hash function, and user authentication and non-authentication through a signature that is a digital signature. repudiation is guaranteed, and the CP-ABE-based access tree enables the implementation of an access authority setting system where only authorized users can interpret the data.

Accordingly, the data access management system according to the present invention can provide a method of utilizing a blockchain which is infinitely applicable and provide a program development method based on the principle of blockchain.

FIG. 1 is a conceptual diagram illustrating a process of granting different access rights according to data requestors requesting access rights to data generated by a doctor who is a data owner using the data access management system according to the present invention. A schematic diagram of a medical system.
2 is a block diagram showing the configuration of each user node in a data access management system according to a preferred embodiment of the present invention. FIG. 3 is a block diagram illustrating a data access management system according to a preferred embodiment of the present invention. The configuration diagram shown.
4 is a flowchart illustrating a process of storing predetermined information in the form of blocks in a block chain in the data access management system according to the present invention.
FIG. 5 illustrates a process of storing data names and data owner address information in the blockchain by the address manager 140 after data is generated by the data owner and stored in the shared directory in the data access management system according to the present invention. 6 is a conceptual diagram illustrating the operation of the address manager 140 in sequence.
7 is a conceptual diagram illustrating a process in which the context manager 130 stores user context information about a user in a blockchain in the data access management system according to the present invention, and FIG. 8 is a context manager 130. Is a flow chart that sequentially describes the operation of.
9 is a diagram for a data access management system according to a preferred embodiment of the present invention, wherein the access authorization manager 150 sets an access tree for granting access authority using a user context extracted from a blockchain, and encrypts a secret text and a secret key. Is a conceptual diagram illustrating an algorithm for granting data access authority by confirming whether it can be decrypted by transmitting to each user, and FIG. 10 is a flowchart illustrating an operation of the access authorization manager 150 in sequence.
FIG. 11 is a conceptual diagram illustrating a process of granting data access rights to a data requestor by a data owner using a CP-ABE scheme, and FIG. 12 illustrates a CP-ABE scheme in a data access management system according to the present invention. The generated access tree is shown as an example.
FIG. 13 is a conceptual diagram illustrating the operation of the data retrieval manager 160 in the data access management system according to the preferred embodiment of the present invention.

The data access management system according to the present invention creates, stores, and manages a user context based on a blockchain, creates an access tree using a user context of a data owner to grant data access rights, and uses data to access the data. By generating a cipher text and generating a secret key using the data requestor's user context, the data cipher text and the secret key can be transmitted and decrypted to the data requestor, thereby providing a highly secure data access management system.

Hereinafter, a data access management system and a data access management method based on a blockchain according to a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a conceptual diagram illustrating a process of granting different access rights according to data requestors requesting access rights to data generated by a doctor who is a data owner using the data access management system according to the present invention. A schematic diagram of a medical system.

Referring to FIG. 1, in a general medical system, a doctor who treats a patient generates sensor data such as brain waves, heart rate, and body temperature generated from the patient, and actuator data such as oxygen supply, drug dose, and X-ray recording. This is stored as a medical record. If there is a user who needs medical records for these patients, the user who is the data requester should be able to easily search for the data owner who has the medical records, and the doctor who is the data owner is only available to the data requestor who has the right to see his data. Data must be transmitted, both of which require high security.

In accordance with this demand, the present invention applies the blockchain to the data access management system, so that the data requestor can easily retrieve the data owner by browsing the block and obtain the security supported by the blockchain. In addition, in the system according to the present invention, in order to be able to transmit data only to a data requester who has the authority to view the data, the data owner can check the user context information recorded in the blockchain without risk of information forgery. Using this user context, the access tree can be created to authorize data requesters to access the data.

2 is a block diagram showing the configuration of each user node in a data access management system according to a preferred embodiment of the present invention. FIG. 3 is a block diagram illustrating a data access management system according to a preferred embodiment of the present invention. The configuration diagram shown.

2 and 3, the data access management system 1 according to the preferred embodiment of the present invention utilizes a block chain without a separate central management server, so that a plurality of user nodes are the data owners as data owners. Create and store and manage or retrieve and request data stored in other user nodes as a data requestor.

Each of the user nodes 10, 20, and 30 participating in the blockchain includes a block chain 100, a data storage module 110, an IP list 120, a context manager 130, an address manager 140, An access authorization manager 150 and a data retrieval manager 160.

In the data access management system according to the present invention, in which each user node has the above-described configuration, a context manager for managing and storing context information of a user using a blockchain and a data name for the generated data may be assigned an IP address and It is created by using the address manager which stores the information of the port number in the block so that the data owner can be identified through the data name retrieval, the data ciphertext encrypted by the access tree using the user context of the data owner, and the user context of the data requestor. An access authorization manager that allows a data owner to grant access to each user node by providing a private key; retrieves data, requests retrieved data, and, upon request, decrypts the data ciphertext provided from the data owner with the private key. day Data retrieval manager is designed to check the data, and finally secure data access management system is implemented.

In the system according to the present invention, since user context information and data name and mapping information of the data owner are recorded in the blockchain, all user nodes share the same information. Therefore, in order for the malicious user node to modify the contents arbitrarily, the contents of the blockchain possessed by all the user nodes must be modified, so that arbitrary modification is virtually impossible, and as a result, the blockchain itself is excellent in security. In addition, the system according to the present invention, by encrypting the data on the basis of the CP-ABE, so that only a user with a user context that the data owner has allowed access, the data can be decrypted, thereby enabling secure access control and data When the owner sets the access tree, the access authority is granted by changing the setting context, so it is possible to flexibly adjust the access rights by changing the context.

The block chain 100 is composed of a series of blocks connected to each other, and the blocks are configured in the form of a JSON file, and a hash value of a current block, a nonce value, a hash value of a previous block, and a time stamp. (Time Stamp).

Hereinafter, a process of writing a block in the blockchain will be described with reference to FIG. 4. 4 is a flowchart illustrating a process of storing predetermined information in the form of blocks in a block chain in the data access management system according to the present invention.

Referring to FIG. 4, first, a node participating in a block chain generates a transaction including predetermined information to be stored in a block (step 400). Nodes participating in the blockchain have an IP list of all nodes, and the IP list stores IP address, TCP port number, and ECDSA public key of all participating nodes. Next, the node that created the transaction is electronically signed and attached to the transaction (step 410), and then the transaction is transmitted to all nodes using the IP and port stored in the IP list (step 420). Use Since the IP list also includes the IP and port of the transaction creation node, the transaction is sent to all nodes except themselves. During transaction transmission, the transaction generating node lists its IP address and port number for TCP socket communication and generates an encrypted digital signature using the ECDSA private key that only the transaction generating node has. The digital signature is attached to a transaction and sent to other nodes. After receiving the transaction, the node checks the IP and port of the transaction sender node, decrypts it using the public key stored in the IP list, and verifies that the output result matches the IP and port of the transaction sender node. (Step 430).

Algorithms for generating digital signatures included in blockchain transactions include RSA and ECDSA algorithms. Currently, blockchain uses ECDSA algorithms. Each node also owns its own private key, public key and other users' public keys. In the case of Cryptography, the generated message is encrypted and transmitted with the public key of the user to receive, and the received user decrypts with the private key of the user to verify the original. However, the signature generation process encrypts the message with the user's private key and sends it. The received user decrypts the message with the sender's public key to confirm that the message is sent. At this time, the receiving user accepts the transaction without error if the verification result of the signature is true, and discards the transaction if false. Using Signature ensures Authentication and Non-Repudiation. Because the private key that only you know is used to generate the signature, another user can verify the signature-generating user by applying the public key of the user who created the signature, and this private key is not known to other users. You cannot deny that you created information when you created a transaction.

Nodes that have received and validated the transaction perform a process of finding a block hash value by performing proof of work on transactions and nonce values (step 440). That is, the nodes apply the SHA-256 hash function of a random value nonce and information configured in the form of a transaction. The nonce value is a random variable applied to the hash function to find a value smaller than the hash value set as a reference to control the difficulty of block generation. The process of finding nonce that satisfies the criteria by assigning various numbers of nonce is called Proof-of-Work. The reason for using the proof-of-work is to make it impossible to know which node in the blockchain will create the block. This prevents the malicious node from attacking the malicious node by preventing the malicious node from determining which node to create the current block. The process of finding a hash value smaller than the base hash value is similar to the first-preimage attack, which is a problem of inverse operation of hash. A first-preimage attack is when a user knows a hash value but does not know the value of the input message that generated the hash. When the length of the hash is L, the attempt to find the same hash value is 2 ^L attempts and 2 ²⁵⁶ attempts for the SHA-256 hash function. It is faster to find a hash smaller than the set reference hash value than the time for finding the perfectly same hash value, and the difficulty can be increased by increasing the number of zeros of the reference hash value. In case of simple hash function application rather than inverse operation of hash, outputting hash value through a given message is completed in a short time. Data Integrity is guaranteed according to the characteristics of the hash function that outputs completely different values even if the input value is changed by only 1 bit, and the time required to inverse the hash operation and the time required to apply the simple hash function. By combining the nonce with the information of the transaction recorded in the block, it can be proved that if the same as the block hash value, the information of the stored transaction does not change.

First, the node that finds the block hash value and generates the block transmits the block to other nodes participating in the blockchain (step 450). The other nodes that were generating the block validate the transaction and the block of the received block (step 460), and when the verification is completed, generate additional blocks using the block hash value and write them to the blockchain (step 470). ). In each block, information such as the hash of the current block (Block hash in FIG. 5), the hash of the previous block (Prev hash in FIG. 5), Nonce, Time_Stamp, and the like are recorded.

5 is a conceptual diagram illustrating a process in which the address manager 140 stores data names and data owner address information in a blockchain after data generation by the data owner in the data access management system according to the present invention. 6 is a flowchart for sequentially explaining the operation of the address manager 140. 5 and 6, in the system according to the present invention, a data owner transmits a transaction including a data name and address information of the data owner, and a block generated using the same has a hash value and a nonce value. It consists of the values obtained using the hash function preset for the data name and data owner address.

7 is a conceptual diagram illustrating a process in which the context manager 130 stores user context information about a user in a blockchain in the data access management system according to the present invention, and FIG. 8 is a context manager 130. Is a flow chart that sequentially describes the operation of. Referring to FIGS. 7 and 8, in the system according to the present invention, each user node transmits a transaction including its own user context, and a block generated by using the same has the hash value and the nonce value as user context information. It consists of the values obtained using the hash function preset for.

The IP list 120 stores IP addresses and TCP port numbers for all user nodes having the blockchain and public keys for all user nodes, and is provided by all user nodes.

The data storage module 110 is a memory area in which data or files are generated and stored in a preset folder. Each user node is a folder or directory for storing data or files to be shared with other user nodes in a data storage area. Predefine The system according to the present invention enables all user nodes to request data stored in the data storage module according to access rights.

The context manager 130 generates user context information for the user node, and stores and manages the user context information using the blockchain.

5 to 8, the data access management system according to a preferred embodiment of the present invention, by storing the user context and the address information for the data in the form of a block in the block chain, distributed rather than a centralized server Enables you to store and manage user contexts in the database.

Referring to FIGS. 7 and 8, the context manager 130 extracts a user context that is identification information of a user of user nodes participating in the blockchain (step 700), and generates a transaction for generating the block from the extracted user context. Form to all user nodes (step 710). When all the user nodes receive the transaction, Proof-of Work is executed to generate the block hash value necessary for block generation to generate a block hash value that satisfies the nonce value and the predetermined number of '0's (step 720). . The user node that first generated the block transmits the block to other nodes, and after receiving the validity node, the node receives the validity check and connects the block to its block chain and stores it (step 730).

The type of user context proposed in the present invention is arbitrarily classified into three contexts (Job), location, and department according to the medical environment, but additional context input is possible according to the situation, and combinations of these contexts This allows for more diverse access tree structure designs.

The user's job can be verified using the identity information already verified by the certification authority.The user's location and field use the user's IP address.The user can distinguish the hospital and other places by checking the router and gateway through which the IP address has passed. You can identify departments divided by floor, floor, and room. Through this process, the extracted user context is recorded in a transaction and transmitted to other user nodes. The block is created in the same way as the blockchain generation method proposed in the present invention, and the user context is recorded in the block. Blocks are created in JSON format to help users read easily.

5 and 6, when the address manager 140 stores data generated by the data owner in a preset shared directory of the data storage module 110, the address manager 140 uses the blockchain to store data for the data. Store and manage name and address information for the data owner for the data.

In more detail, when the data generated by the data owner is stored in a preset shared directory of the data storage module 110, the address manager 140 may display an IP which is a data name and address information of the data owner. Create a transaction containing an address and a TCP port number (step 500) and send it to all user nodes (step 510), create a block through a proof-of-work process by all user nodes (step 520). The generated block is written to the blockchain (step 530).

Meanwhile, the address manager 140 preferably includes a status flag in the data name for the data, and records current status information of data corresponding to the data name in the status flag. The status flag adds information corresponding to "created" at the time of data generation, information corresponding to "modified" at the time of data modification, and information corresponding to "deleted" at the time of data deletion, respectively, at the beginning of the data name. . Therefore, when the user who needs the data of the corresponding name searches through the state flag of the data name, the existence of the current data can be confirmed by viewing the state of the data recorded in the last block. The data name combined with the status flag creates a transaction by listing the data owner's IP address and the TCP port number set for sharing.

When a data request corresponding to an arbitrary data name is generated from the data requestor, the access authorization manager 150 transmits a data cipher text and a secret key encrypting the requested data to the data requester.

9 is a diagram for a data access management system according to a preferred embodiment of the present invention, wherein the access authorization manager 150 sets an access tree for granting access authority using a user context extracted from a blockchain, and encrypts a secret text and a secret key. Is a conceptual diagram illustrating an algorithm for granting data access authority by confirming whether it can be decrypted by transmitting to each user, and FIG. 10 is a flowchart illustrating an operation of the access authorization manager 150 in sequence.

9 and 10, when the data request corresponding to an arbitrary data name is generated from the data requestor (step 900), the data owner may access the data. Permission is set using the access tree form in which the user context of the data owner is a leaf node (step 910), and the user context for the data requester is retrieved and extracted by searching the blockchain to obtain a secret key matching the user context of the data requestor. (Step 920). The data owner encrypts the data using the set access tree to generate a data cipher text (step 930) and transmits the data cipher text and the secret key to the data requestor (step 940). If the user requester's user context satisfies the conditions of the access tree, the secret key can decrypt the ciphertext. If the user requester's user context does not satisfy the conditions of the access tree, the ciphertext becomes undecipherable.

In the system according to the present invention, the access tree is constructed using the CP-ABE scheme. FIG. 11 is a conceptual diagram illustrating a process of granting data access rights to a data requestor by a data owner using a CP-ABE scheme, and FIG. 12 illustrates a CP-ABE scheme in a data access management system according to the present invention. The generated access tree is shown as an example.

Referring to FIGS. 11 and 12, a process of granting data access rights to a data requestor by a data owner using an access tree generated by using a ciphertext-policy attribute-based encryption (CP-ABE) scheme will be described in detail. .

First prime order The multiplicative cyclic group of p is called G ₀ , G ₁ , the generator of G ₀ is called g , and the bilinear map is e . At this time, the bilinear mapping is G ₀ × G ₀ → G ₁ Represented by

1) Setup process: In the existing CP-ABE method, the third-party certificate authority (Master Certificate, MSK) ), Create a public key ( PK ). The master key generates a secret key of the data requesting user, and the public key is used for data encryption and decryption. Arbitrary exponents α, β ∈ Zp are selected, and the master key and the public key are defined as in Equations 1 and 2 below.

2) Encrypt ( PK, M, T ) Process: Define public key ( PK ), access access tree ( T ), data plaintext ( M ) and output CT that encrypts the plaintext. 12 illustrates an access tree T including a user context. All nodes constituting the access tree have an index value ( T ) and a polynomial ( q ), and q (0) of each node is defined as in Equation 3.

Where s is the polynomial q _R (0) of the root node ( R ) of the tree, Y is the set of all leaf nodes of the access tree ( T ), and H is a hash function. At this time, the ciphertext CT is defined as in Equation 4.

3) KeyGen ( MSK , S ): Outputs the secret key ( SK ) of the data requestor by using the master key ( MSK ) and the attribute set ( S ) defined by the user context. The certification body is r ∈ Zp Generate a random number r that satisfies j ∈ Zp And r _j ∈ Zp Generate a random number r _j that satisfies. At this time, the secret key SK is defined as in Equation 5.

4) Decrypt ( CT, SK ): Apply DecryptNode ( CT, SK, x ), which is a recursive algorithm, to the ciphertext ( CT ) along with the user's secret key ( SK ). If i is a leaf node and i is a user attribute, i belongs to the attribute set S set by the certification authority ( i ∈ S ).

이면 복호화가 불가하다. 노드 x 가 leaf 노드가 아닐 경우, x를 children으로 갖는 모든 노드 z를 DecryptNode(CT,SK,z)로 계산하여 Fx를 출력한다. Sx 가 z 의 children 노드 집합일 때 Fx는 수학식 7과 같이 계산된다.

In this case, decryption is impossible. If node x is not a leaf node, compute all nodes z with x as children as DecryptNode ( CT, SK, z ) and output Fx . When Sx is a set of children nodes of z , Fx is calculated as shown in Equation 7.

When the root node R of the tree T satisfies the property set S , A is defined as shown in Equation 8.

Finally, the user receiving the SK calculates the ciphertext CT through the same process as in Equation 9 to obtain the data plaintext M.

FIG. 13 is a conceptual diagram illustrating the operation of the data retrieval manager 160 in the data access management system according to the preferred embodiment of the present invention.

Referring to FIG. 13, the data retrieval manager 160 retrieves data names stored and managed in the blockchain, extracts address information of a data owner stored with the retrieved data names, from the blockchain, The data owner is identified using the extracted address information on the data owner, and the data owner is requested for data corresponding to the retrieved data name. In response to the data request, a data cipher text and a secret key are provided, and the data cipher text is decrypted using the secret key to output data.

Although the present invention has been described above with reference to preferred embodiments thereof, this is merely an example and is not intended to limit the present invention, and those skilled in the art do not depart from the essential characteristics of the present invention. It will be appreciated that various modifications and applications which are not illustrated above in the scope are possible. And differences relating to such modifications and applications should be construed as being included in the scope of the invention as defined in the appended claims.

1: data access management system
10, 20, 30: user node
100: blockchain
110: data storage module
120: IP list
130: context manager
140: address manager
150: access authorization manager
160: data retrieval manager

Claims (12)

In the data access management system for a plurality of user nodes participating in the blockchain,
Each of the user nodes,
A block chain comprising a series of blocks connected to each other;
A context manager for generating user context information for a user node and storing and managing the user context information using the blockchain;
An address manager for storing and managing data names for the data and address information of the data owner for the data using the blockchain when storing data generated by the data owner among user nodes in a preset shared directory;
An access authorization manager for generating a data cipher text and a secret key encrypting the requested data from the data requester among the user nodes, and transmitting the generated data cipher text and the secret key to the data requester; And
Searching for data names stored and managed in the blockchain, extracting address information for the data owner stored with the retrieved data name from the blockchain, and using the address information for the extracted data owner in the retrieved data name. A data retrieval manager for requesting corresponding data;
Is provided, the access authorization manager,
When a data request corresponding to an arbitrary data name occurs from the data requester,
Encrypting the requested data using a user context for a data owner to generate a data ciphertext,
Extract a user context for the data requestor from the blockchain, generate a secret key using the extracted user context for the data requestor,
And transmitting the generated data cipher text and the secret key to the data requestor. delete The method of claim 1, wherein the access authorization manager,
Based on the blockchain, an access tree for granting data access authority is created using a user context for the data owner, and the data is encrypted by encrypting the requested data using the access tree. One data access management system. The method of claim 3, wherein the access authorization manager,
The access tree has a tree structure in which the user context for the data owner is a leaf node.
If the user context for the data requestor satisfies the conditions of the access tree, it is possible to decrypt the data cipher text using a secret key,
If the user context for the data requestor does not satisfy the condition of the access tree, the data access management based on the block chain is configured so that the condition of the access tree is configured so that the data cipher text cannot be decrypted using the secret key. system. The method of claim 1, wherein the address manager,
When data stored by the data owner is stored in a preset shared directory, the data name of the data and the address information of the data owner are extracted, a transaction is generated and transmitted to all user nodes participating in the blockchain.
The transaction is stored and managed as a block of the blockchain through the Proof-of-Work process of the user nodes participating in the blockchain block data-based data access management system. The method of claim 5, wherein the address manager,
Include a status flag in the data name for the data,
And a current state information of data corresponding to the data name is recorded in the state flag. The method of claim 1, wherein the address manager,
And extracting the IP address and TCP port number of the data owner as address information of the data owner. The method of claim 1, wherein the context manager,
Extract context information about users of each user node, create a transaction, and send it to all user nodes participating in the blockchain.
The transaction is stored and managed as a block of the blockchain through the Proof-of-Work process of the user nodes participating in the blockchain block data-based data access management system. In the data access management method for a plurality of user nodes participating in the blockchain,
(a) generating user context information for a user node, and storing and managing the user context information using the blockchain;
(b) storing data generated by a data owner among user nodes in a preset shared directory, and storing and managing a data name for the data and address information of the data owner for the data using the blockchain; step;
(c) when a data request corresponding to an arbitrary data name is generated from a data requester among user nodes, generating and transmitting a data cipher text and a secret key encrypting the requested data to the data requester;
(d) searching for data names stored and managed in the blockchain, extracting address information for the data owner stored with the retrieved data name from the blockchain, and using the retrieved data information for the owner of the extracted data; Requesting data corresponding to the data name;
And, the step (b) is,
When data stored by the data owner is stored in a preset shared directory, the data name of the data and the address information of the data owner are extracted, a transaction is generated and transmitted to all user nodes participating in the blockchain.
The transaction is a blockchain-based data access management method, characterized in that the transaction is stored and managed as a block of the blockchain through the Proof-of-Work process of the user nodes participating in the blockchain. The method of claim 9, wherein step (c) comprises:
When a data request corresponding to an arbitrary data name occurs from the data requester,
Encrypting the requested data using a user context for a data owner to generate a data ciphertext,
Extract a user context for the data requestor from the blockchain, generate a secret key using the extracted user context for the data requestor,
And transmitting the generated data cipher text and the secret key to the data requestor. The method of claim 10, wherein step (c) comprises:
Based on the blockchain, an access tree for granting data access authority is created using a user context for the data owner, and the data is encrypted by encrypting the requested data using the access tree. How to manage data access.



delete

Images