CN113849558B - Method and device for deploying data sharing service - Google Patents

Method and device for deploying data sharing service Download PDF

Info

Publication number
CN113849558B
CN113849558B CN202111022347.2A CN202111022347A CN113849558B CN 113849558 B CN113849558 B CN 113849558B CN 202111022347 A CN202111022347 A CN 202111022347A CN 113849558 B CN113849558 B CN 113849558B
Authority
CN
China
Prior art keywords
service
data
shared data
caller
shared
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111022347.2A
Other languages
Chinese (zh)
Other versions
CN113849558A (en
Inventor
全方磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Ant Blockchain Technology Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ant Blockchain Technology Shanghai Co Ltd filed Critical Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202111022347.2A priority Critical patent/CN113849558B/en
Publication of CN113849558A publication Critical patent/CN113849558A/en
Application granted granted Critical
Publication of CN113849558B publication Critical patent/CN113849558B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23Updating
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

本说明书一个或多个实施例提供一种部署数据共享服务的方法和装置,其中,该方法包括:接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据。

One or more embodiments of the present specification provide a method and apparatus for deploying a data sharing service, wherein the method comprises: receiving a service deployment request from a data provider, wherein the service deployment request comprises shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration strategy; deploying a callable data sharing service based on the configuration information, wherein the data sharing service is used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration strategy.

Description

一种部署数据共享服务的方法和装置A method and device for deploying data sharing services

技术领域Technical Field

本说明书一个或多个实施例涉及数据共享技术领域,尤其涉及一种部署数据共享服务的方法和装置。One or more embodiments of the present specification relate to the field of data sharing technology, and more particularly, to a method and apparatus for deploying a data sharing service.

背景技术Background Art

随着信息化的发展,越来越多的企业或个人都建立有一套独立的信息系统,然而不同的信息系统之间又彼此隔绝,这就在网络信息空间中形成了大量的信息孤岛。With the development of informatization, more and more enterprises or individuals have established an independent information system. However, different information systems are isolated from each other, which has formed a large number of information islands in the network information space.

在相关技术中,如果一个信息系统希望实现数据共享,那么就需要在作为共享方的信息系统与被共享方之间建立的安全通讯连接,并通过事先建立的安全通讯连接将共享方所需共享的数据发送至被共享方。In the related art, if an information system wishes to achieve data sharing, it is necessary to establish a secure communication connection between the information system as the sharing party and the shared party, and send the data that the sharing party needs to share to the shared party through the pre-established secure communication connection.

发明内容Summary of the invention

本说明书一个或多个实施例提供一种获取区块链数据的方法、装置、电子设备及存储介质。One or more embodiments of this specification provide a method, device, electronic device, and storage medium for obtaining blockchain data.

根据本说明书一个或多个实施例的第一方面,提出了一种部署数据共享服务的方法,应用于服务端,包括:According to a first aspect of one or more embodiments of this specification, a method for deploying a data sharing service is proposed, which is applied to a server and includes:

接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;Receive a service deployment request from a data provider, the service deployment request including shared data set information and configuration information, the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration strategy;

基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据。A callable data sharing service is deployed based on the configuration information. The data sharing service is used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy.

根据本说明书一个或多个实施例的第二方面,提出了一种部署数据共享服务的装置,应用于服务端,包括:According to a second aspect of one or more embodiments of this specification, a device for deploying a data sharing service is proposed, which is applied to a server and includes:

请求接收单元,用于接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;a request receiving unit, configured to receive a service deployment request from a data provider, wherein the service deployment request includes shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration strategy;

服务部署单元,用于基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据。A service deployment unit is used to deploy a callable data sharing service based on the configuration information. The data sharing service is used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy.

根据本说明书一个或多个实施例的第三方面,提出了一种电子设备,包括:According to a third aspect of one or more embodiments of this specification, an electronic device is provided, including:

处理器;用于存储处理器可执行指令的存储器;其中,所述处理器通过运行所述可执行指令以实现上述部署数据共享服务的方法的步骤。A processor; a memory for storing processor executable instructions; wherein the processor implements the steps of the above-mentioned method for deploying data sharing services by running the executable instructions.

根据本说明书一个或多个实施例的第四方面,提出了一种计算机可读存储介质,其上储存有可执行指令;其中,该指令被处理器执行时,实现上述部署数据共享服务的方法的步骤。According to a fourth aspect of one or more embodiments of the present specification, a computer-readable storage medium is proposed, on which executable instructions are stored; wherein, when the instructions are executed by a processor, the steps of the above-mentioned method for deploying a data sharing service are implemented.

应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本说明书。It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present specification.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本说明书的实施例,并与说明书一起用于解释本说明书的原理。The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and, together with the description, serve to explain the principles of the specification.

图1是本说明书提供的一种与区块链相关的网络环境的示意图。FIG1 is a schematic diagram of a blockchain-related network environment provided in this specification.

图2是本说明书根据一示例性实施例提供的一种网络架构图。FIG. 2 is a network architecture diagram provided in this specification according to an exemplary embodiment.

图3是本说明书根据一示例性实施例提供的一种部署数据共享服务的方法的流程图。FIG. 3 is a flow chart of a method for deploying a data sharing service provided in this specification according to an exemplary embodiment.

图4是本说明书根据一示例性实施例提供的另一种部署数据共享服务的方法的流程图。FIG. 4 is a flowchart of another method for deploying a data sharing service provided by this specification according to an exemplary embodiment.

图5是一示例性实施例提供的一种设备的结构示意图。FIG. 5 is a schematic structural diagram of a device provided by an exemplary embodiment.

图6是本说明书根据一示例性实施例提供的一种部署数据共享服务的装置的框图。FIG6 is a block diagram of an apparatus for deploying a data sharing service according to an exemplary embodiment of the present specification.

具体实施方式DETAILED DESCRIPTION

这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本说明书一个或多个实施例相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本说明书一个或多个实施例的一些方面相一致的装置和方法的例子。Exemplary embodiments will be described in detail herein, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of this specification. Instead, they are merely examples of devices and methods consistent with some aspects of one or more embodiments of this specification as detailed in the appended claims.

需要说明的是:在其他实施例中并不一定按照本说明书示出和描述的顺序来执行相应方法的步骤。在一些其他实施例中,其方法所包括的步骤可以比本说明书所描述的更多或更少。此外,本说明书中所描述的单个步骤,在其他实施例中可能被分解为多个步骤进行描述;而本说明书中所描述的多个步骤,在其他实施例中也可能被合并为单个步骤进行描述。It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the steps included in the method may be more or less than those described in this specification. In addition, a single step described in this specification may be decomposed into multiple steps for description in other embodiments; and multiple steps described in this specification may be combined into a single step for description in other embodiments.

请参考图1,图1是本说明书示出的一种与区块链相关的网络环境的示意图。Please refer to Figure 1, which is a schematic diagram of a network environment related to blockchain shown in this specification.

在如图1所示的网络环境中,可以包括客户端侧计算设备101、服务器端102,以及至少一个区块链系统;例如,区块链系统103、区块链系统104和区块链系统105。In the network environment shown in FIG. 1 , a client-side computing device 101 , a server 102 , and at least one blockchain system may be included; for example, blockchain system 103 , blockchain system 104 , and blockchain system 105 .

在一种实施方式中,客户端侧计算设备101,可以包括各种不同类型的客户端侧计算设备;例如,客户端侧终端设备可以包括诸如PC终端设备、移动终端设备、物联网设备,以及其它形式的具有一定的计算能力的智能设备,等等。In one embodiment, the client-side computing device 101 may include various types of client-side computing devices; for example, the client-side terminal device may include PC terminal devices, mobile terminal devices, Internet of Things devices, and other forms of smart devices with certain computing capabilities, etc.

在一种实施方式中,客户端侧终端设备101中的至少部分计算设备,可以通过各种通信网络连接到服务器端102;例如,图1中示出的设备1和设备2与服务器端102进行了连接。In one implementation, at least some of the computing devices in the client-side terminal device 101 may be connected to the server 102 via various communication networks; for example, device 1 and device 2 shown in FIG. 1 are connected to the server 102 .

不难理解,客户端侧终端设备101中的部分终端设备,也可以不与服务器端102进行连接,而是作为区块链节点通过各种通信网络直接连接到区块链系统;例如,图1中示出的设备4,可以作为区块链节点连接到区块链系统。It is not difficult to understand that some of the client-side terminal devices 101 may not be connected to the server-side 102, but may be directly connected to the blockchain system through various communication networks as blockchain nodes; for example, the device 4 shown in FIG. 1 may be connected to the blockchain system as a blockchain node.

其中,上述通信网络可以包括有线和/或无线通信网络;例如,可以是基于运营商提供的有线接入网络或者无线接入网络(比如移动蜂窝网络)实现的局域网(Local AreaNetwork,LAN)、广域网(Wide Area Network,WAN)、因特网或其组合。Among them, the above-mentioned communication network may include wired and/or wireless communication networks; for example, it may be a local area network (LAN), a wide area network (WAN), the Internet or a combination thereof implemented based on a wired access network or a wireless access network (such as a mobile cellular network) provided by an operator.

在一种实施方式中,客户端侧计算设备101,还可以包括一个或多个用户侧服务器;例如,图1中示出的设备5。客户端侧终端设备101中的至少部分计算设备,可以连接到该用户侧服务器,而该用户侧服务器可以进一步与上述服务端102进行连接;例如,图1中示出的设备1和设备2连接到设备5,设备5进一步连接服务器端102。In one embodiment, the client-side computing device 101 may further include one or more user-side servers; for example, device 5 shown in FIG1 . At least some computing devices in the client-side terminal device 101 may be connected to the user-side server, and the user-side server may be further connected to the above-mentioned service end 102; for example, device 1 and device 2 shown in FIG1 are connected to device 5, and device 5 is further connected to the server end 102.

在一种实施方式中,上述用户侧服务器可以由搭建了用户账户体系的服务实体来实现;上述服务实体可以包括面向用户提供各种线上和/或线下服务的服务载体的运营实体;In one implementation, the user-side server may be implemented by a service entity that has built a user account system; the service entity may include an operating entity of a service carrier that provides various online and/or offline services to users;

其中,上述服务载体可以包括软件形式的服务载体,也可以包括硬件形式的服务载体。The above service carrier may include a service carrier in the form of software or a service carrier in the form of hardware.

在一种实施方式中,上述服务载体可以包括提供线上互联网服务的各种客户端软件;例如,网站、网页、APP等。In one embodiment, the above-mentioned service carrier may include various client software that provides online Internet services; for example, a website, a webpage, an APP, etc.

在一种实施方式中,上述服务载体也可以包括部署在线下的,能够提供线下服务的各种智能设备;例如,部署在居住区、办公区、公共场所的智能快递柜。In one embodiment, the above-mentioned service carrier may also include various smart devices deployed offline that can provide offline services; for example, smart express cabinets deployed in residential areas, office areas, and public places.

相应的,上述运营实体可以包括上述服务载体对应的运营方;例如,上述运营实体可以包括对上述服务载体进行运营和管理的个人、组织、公司和企业,等等。Correspondingly, the above-mentioned operating entity may include the operator corresponding to the above-mentioned service carrier; for example, the above-mentioned operating entity may include individuals, organizations, companies and enterprises that operate and manage the above-mentioned service carrier, etc.

在一种实施方式中,服务器端102也可以通过各种通信网络连接到一个或者多个区块链系统;例如,图1中示出的服务器端102可以分别连接到区块链系统103、区块链系统104和区块链系统105,等等。In one embodiment, the server end 102 can also be connected to one or more blockchain systems through various communication networks; for example, the server end 102 shown in Figure 1 can be connected to blockchain system 103, blockchain system 104 and blockchain system 105, etc.

在一种实施方式中,每个区块链系统都可以维护一个或多个区块链(例如,公有区块链、私有区块链、联盟区块链等),并包括用于承载上述一个或多个区块链的多个区块链节点;例如,如图1中示出的区块链节点1、区块链节点2、区块链节点3、区块链节点4、区块链节点i等可以共同承载一个或者多个区块链。各个区块链系统包含的区块链之间,以及各个区块链系统之间,还可以进行跨链的数据访问。In one embodiment, each blockchain system can maintain one or more blockchains (e.g., public blockchains, private blockchains, alliance blockchains, etc.), and include multiple blockchain nodes for carrying the above one or more blockchains; for example, blockchain node 1, blockchain node 2, blockchain node 3, blockchain node 4, blockchain node i, etc. shown in FIG. 1 can jointly carry one or more blockchains. Cross-chain data access can also be performed between the blockchains included in each blockchain system and between each blockchain system.

在一种实施方式中,区块链节点可以包括全节点和轻节点。全节点可以全量下载区块链中的每个区块所包含的区块链交易,并可以根据搭载的区块链共识算法,对每个区块链中所包含的区块链交易进行共识验证。In one embodiment, the blockchain node may include a full node and a light node. The full node may download all blockchain transactions contained in each block in the blockchain, and may perform consensus verification on the blockchain transactions contained in each blockchain according to the blockchain consensus algorithm installed.

而轻节点可以不下载完整的区块链,而是可以只下载区块链中的每个区块的区块头数据,并将区块头所包含的数据作为验证根,用于以验证区块链交易的真实性。轻节点可以依附于全节点来访问区块链的更多功能。Instead of downloading the entire blockchain, a light node can only download the block header data of each block in the blockchain and use the data contained in the block header as a verification root to verify the authenticity of blockchain transactions. Light nodes can be attached to full nodes to access more functions of the blockchain.

例如,图1中示出的区块链系统103中的各个区块链节点都可以作为全节点;而图1中示出的直接连接到区块链系统的设备4,就可以作为轻节点,依附于区块链系统103中的各个全节点。For example, each blockchain node in the blockchain system 103 shown in Figure 1 can be used as a full node; and the device 4 directly connected to the blockchain system shown in Figure 1 can be used as a light node, attached to each full node in the blockchain system 103.

在一种实施方式中,区块链节点可以是物理设备,也可以是在服务器或者服务器集群中实现的虚拟设备;In one embodiment, a blockchain node may be a physical device or a virtual device implemented in a server or server cluster;

例如,区块链节点设备可以是服务器集群中的一台物理主机,也可以是基于虚拟化技术对服务器或者服务器集群搭载的硬件资源进行虚拟化后,创建的虚拟机。每个区块链节点之间,可以通过各种类型的通信方法(比如TCP/IP)连接在一起形成网络,来承载一个或者多个区块链。For example, a blockchain node device can be a physical host in a server cluster, or a virtual machine created by virtualizing the hardware resources of a server or server cluster based on virtualization technology. Each blockchain node can be connected to form a network through various types of communication methods (such as TCP/IP) to carry one or more blockchains.

在一种实施方式中,服务器端102可以包括用于提供区块链即服务(BaaS,Blockchain as a Service)的BaaS平台(也称之为BaaS云)。BaaS平台可以通过为区块链上发生的活动(诸如订阅和通知、用户验证、数据库管理和远程更新),提供预先编写的软件的方式,面向与BaaS平台连接的客户端侧计算设备,提供简单易用,一键部署,快速验证,灵活可定制的区块链服务,进而可以加速区块链业务应用开发、测试、上线,助力各行业区块链商业应用场景的落地。In one embodiment, the server 102 may include a BaaS platform (also referred to as a BaaS cloud) for providing blockchain as a service (BaaS, Blockchain as a Service). The BaaS platform can provide pre-written software for activities occurring on the blockchain (such as subscriptions and notifications, user verification, database management and remote updates), and provide easy-to-use, one-click deployment, fast verification, and flexible and customizable blockchain services for client-side computing devices connected to the BaaS platform, thereby accelerating the development, testing, and launch of blockchain business applications, and helping the implementation of blockchain business application scenarios in various industries.

例如,在一个例子中,与BaaS平台可以提供诸如MQ(Message Queue,消息队列)服务之类的软件;与BaaS平台连接的客户端侧计算设备,可以订阅BaaS平台连接的区块链系统中某一区块链上部署的智能合约,在触发执行后在区块链上产生的合约事件;而BaaS平台可以监听该智能合约在触发执行后在区块链上产生的事件,再基于MQ服务相关的软件,将该合约事件以通知消息的形式添加到消息队列中,使得订阅该消息队列的客户端侧计算设备,能够得到与上述合约事件相关的通知。For example, in one example, the BaaS platform can provide software such as MQ (Message Queue) services; the client-side computing device connected to the BaaS platform can subscribe to a smart contract deployed on a blockchain in the blockchain system connected to the BaaS platform, and the contract events generated on the blockchain after the execution is triggered; and the BaaS platform can monitor the events generated on the blockchain after the smart contract is triggered, and then based on the software related to the MQ service, add the contract events to the message queue in the form of notification messages, so that the client-side computing device that subscribes to the message queue can obtain notifications related to the above contract events.

在一种实施方式中,BaaS平台还可以提供基于区块链技术的企业级平台服务,以帮助企业级客户构建安全且稳定的区块链环境,并轻松管理区块链的部署、操作、维护和开发。In one embodiment, the BaaS platform can also provide enterprise-level platform services based on blockchain technology to help enterprise-level customers build a secure and stable blockchain environment and easily manage the deployment, operation, maintenance and development of blockchain.

例如,在一个例子中,BaaS平台可以基于云技术实现丰富的安全策略和多租户的隔离环境、基于芯片加密技术来提供高级的安全保护、基于高度可靠的数据存储,提供可以快速扩展,而不会中断的端到端的高可用性服务;For example, in one example, the BaaS platform can implement rich security policies and multi-tenant isolation environments based on cloud technology, provide advanced security protection based on chip encryption technology, and provide end-to-end high-availability services that can be quickly expanded without interruption based on highly reliable data storage;

在另一个例子中,还可以提供增强的管理功能,以帮助客户构建企业级区块链网络环境;以及,还可以为标准区块链应用和数据提供本地支持,支持例如HyperledgerFabric和Enterprise Ethereum-Quorum的主流开源区块链技术,以构建开放且包容的技术生态系统。In another example, enhanced management capabilities can also be provided to help customers build an enterprise-level blockchain network environment; and native support can be provided for standard blockchain applications and data, supporting mainstream open source blockchain technologies such as Hyperledger Fabric and Enterprise Ethereum-Quorum to build an open and inclusive technology ecosystem.

在本说明书实施例中,服务器端102部署有若干数据共享服务以供客户端侧计算设备101进行调用,并且这些数据共享服务同时也是由客户端侧计算设备101发送服务部署请求从而部署在服务器端102上,例如作为客户端侧计算设备101的设备5可以在服务器端102上部署新的数据共享服务,而作为客户端侧计算设备101的设备3则可以调用设备5所部署的数据共享服务,以从服务器端102获取将设备5共享的共享数据进行配置得到的配置后共享数据,从而实现自定义配置的数据共享。从另一角度上来说,这相当于图1中示出的服务器端102可以看作本说明书涉及的服务端,客户端侧计算设备101中与服务器端102直接连接的设备5可以看作本说明书涉及的数据提供方,与服务器端102直接连接的设备3可以看做本说明书涉及的服务调用方。In the embodiments of the present specification, the server side 102 is deployed with several data sharing services for the client side computing device 101 to call, and these data sharing services are also deployed on the server side 102 by the client side computing device 101 sending a service deployment request. For example, device 5 as the client side computing device 101 can deploy a new data sharing service on the server side 102, and device 3 as the client side computing device 101 can call the data sharing service deployed by device 5 to obtain the configured shared data obtained by configuring the shared data shared by device 5 from the server side 102, thereby realizing the sharing of data with customized configuration. From another perspective, this is equivalent to the server side 102 shown in FIG. 1 being regarded as the server side involved in the present specification, the device 5 in the client side computing device 101 directly connected to the server side 102 being regarded as the data provider involved in the present specification, and the device 3 directly connected to the server side 102 being regarded as the service caller involved in the present specification.

图2是本说明书根据一示例性实施例示出的网络架构图,该网络架构包括部署有若干数据共享服务的服务端、若干服务调用方和若干数据提供方,其中,数据共享服务1-3可以是由三个数据提供方1-3所分别部署的,也可以仅由一个数据提供方1、2或3所部署,当然也可以是由服务端自身所部署;服务调用方1-3可以向服务端发送服务调用请求,以用于指示所需调用的数据共享服务,服务端进而执行相应的数据共享服务,并将服务调用方所需的共享数据加密后提供至调用该数据共享服务的服务调用方。服务端可以并行地接收来自多个数据提供方的服务部署请求,以同时部署多个数据共享服务,以及,服务端还可以并行地接收来自多个服务调用方的服务调用请求,以同时进行执行多个相同或不同的数据共享服务。FIG2 is a network architecture diagram according to an exemplary embodiment of the present specification, wherein the network architecture includes a server side with several data sharing services deployed, several service callers and several data providers, wherein the data sharing services 1-3 may be deployed by three data providers 1-3 respectively, or may be deployed by only one data provider 1, 2 or 3, or may be deployed by the server side itself; the service callers 1-3 may send a service call request to the server side to indicate the data sharing service to be called, and the server side then executes the corresponding data sharing service, and encrypts the shared data required by the service caller and provides it to the service caller that calls the data sharing service. The server side may receive service deployment requests from multiple data providers in parallel to deploy multiple data sharing services at the same time, and the server side may also receive service call requests from multiple service callers in parallel to execute multiple identical or different data sharing services at the same time.

图3是本说明书根据一示例性实施例示出的一种部署数据共享服务的方法的流程图,该方法应用于图2所示的服务端,所述方法包括以下步骤:FIG3 is a flow chart of a method for deploying a data sharing service according to an exemplary embodiment of the present specification. The method is applied to the server shown in FIG2 , and the method includes the following steps:

S302:接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;S302: Receive a service deployment request from a data provider, wherein the service deployment request includes shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration strategy;

S304:基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据。S304: Deploy a callable data sharing service based on the configuration information, the data sharing service being used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy.

通过本说明书实施例所涉及的部署数据共享服务的方法,数据提供方可以根据业务场景的实际需求进行灵活地配置,服务调用方也可以根据自身的需求进行灵活地调用,以在满足服务调用方的调用需求的情况下尽可能地降低数据共享服务的复杂度,节省数据共享服务在部署和维护时所需消耗的计算资源或存储资源。Through the method of deploying data sharing services involved in the embodiments of this specification, the data provider can flexibly configure according to the actual needs of the business scenario, and the service caller can also flexibly call according to its own needs, so as to reduce the complexity of the data sharing service as much as possible while meeting the calling requirements of the service caller, and save the computing resources or storage resources required for the deployment and maintenance of the data sharing service.

可选的,共享数据集信息可以为共享数据集本身,因此服务端将在接收到服务调用方的服务部署请求的情况下,同时也会从该服务部署请求中获取得到完整的共享数据集以存储在服务端的云端存储空间,并将该共享数据集与后续根据该服务调用请求成功部署的数据共享服务进行绑定,以使该数据共享服务在被调用的情况下,从云端存储空间中获取与该数据共享服务绑定的共享数据集,在本实施例中,由于共享数据集已经预先存储在服务端,因此可以更加迅速地获取共享数据集,从而加快数据共享服务被调用时的执行过程;在另一实施例中,共享数据集信息可以为共享数据集对应的元数据,服务端可以通过该元数据获取共享数据集,例如,该元数据可以为数据提供方所维护的数据库表的IP地址、端口信息等,该数据库表中存储有共享数据集,服务端可以在任意时刻通过数据库表的IP地址、端口信息从该数据库表中下载得到完整的共享数据集,在本实施例中,服务端可以在数据共享服务被调用的情况下,即时地通过元数据从数据提供方获取对应的共享数据集,因此服务端无需在云端存储共享数据集,从而节省了存储资源。Optionally, the shared data set information may be the shared data set itself, so when the server receives the service deployment request from the service caller, it will also obtain the complete shared data set from the service deployment request to store it in the cloud storage space of the server, and bind the shared data set to the data sharing service that is subsequently successfully deployed according to the service call request, so that when the data sharing service is called, it can obtain the shared data set bound to the data sharing service from the cloud storage space. In this embodiment, since the shared data set has been pre-stored on the server, the shared data set can be obtained more quickly, thereby speeding up the execution process when the data sharing service is called; in another embodiment, the shared data set information may be metadata corresponding to the shared data set, and the server may obtain the shared data set through the metadata. For example, the metadata may be the IP address and port information of a database table maintained by the data provider, and the shared data set is stored in the database table. The server may download the complete shared data set from the database table at any time through the IP address and port information of the database table. In this embodiment, the server may obtain the corresponding shared data set from the data provider through the metadata in real time when the data sharing service is called, so the server does not need to store the shared data set in the cloud, thereby saving storage resources.

可选的,所述配置信息还包括数据流转策略,所述数据流转策略用于配置所述数据共享服务针对所述配置后共享数据的数据流转模式,所述数据流转模式包括API(Application Programming Interface,应用程序接口)网关模式或数据库表模式;在所述数据共享服务的数据流转模式为API网关模式的情况下,所述配置后共享数据通过所述服务端的API网关提供至所述服务调用方的客户端;在所述数据共享服务的数据流转模式为数据库表模式的情况下,所述配置后共享数据通过数据库同步插件提供至所述服务调用方的数据库。Optionally, the configuration information also includes a data flow strategy, which is used to configure a data flow mode of the data sharing service for the configured shared data, and the data flow mode includes an API (Application Programming Interface) gateway mode or a database table mode; when the data flow mode of the data sharing service is an API gateway mode, the configured shared data is provided to the client of the service caller through the API gateway of the server; when the data flow mode of the data sharing service is a database table mode, the configured shared data is provided to the database of the service caller through a database synchronization plug-in.

在本说明书实施例中,数据提供方可以对数据共享服务的数据流转模式进行灵活地配置,以适应不同的实际服务调用场景。其中,在数据共享服务的数据流转模式为API网关模式的情况下,服务端维护有API网关以供服务调用方进行调用,服务调用方可以通过客户端来访问API网关,从而将服务调用请求发送至服务端,同样的,服务端也会将准备好配置后共享数据通过API网关提供至服务调用方的客户端。在数据共享服务的数据流转模式为数据库表模式的情况下,服务端在接收到服务调用方的服务调用请求后,会将准备好的配置后共享数据通过数据库同步插件直接提供至所述服务调用方的数据库,本说明书实施例涉及的数据库同步插件可以包括部署在服务端的DataX插件。在一实施例中,本申请所涉及的数据共享服务实例基于SpringBoot实现,因此在服务端对数据共享服务的数据流转模式进行配置时,可以通过系统环境变量注入的方式来配置,也可以通过外置的application-profile.properties文件来配置。In the embodiments of this specification, the data provider can flexibly configure the data flow mode of the data sharing service to adapt to different actual service call scenarios. Among them, when the data flow mode of the data sharing service is the API gateway mode, the server maintains an API gateway for the service caller to call, and the service caller can access the API gateway through the client, thereby sending the service call request to the server. Similarly, the server will also provide the prepared shared data after configuration to the client of the service caller through the API gateway. In the case where the data flow mode of the data sharing service is a database table mode, after receiving the service call request from the service caller, the server will directly provide the prepared shared data after configuration to the database of the service caller through the database synchronization plug-in. The database synchronization plug-in involved in the embodiments of this specification may include a DataX plug-in deployed on the server. In one embodiment, the data sharing service instance involved in this application is implemented based on SpringBoot. Therefore, when the data flow mode of the data sharing service is configured on the server, it can be configured by injecting system environment variables, or it can be configured by an external application-profile.properties file.

可选的,所述配置信息还包括权限管理策略,所述权限管理策略用于配置所述数据共享服务针对服务调用方的权限管理模型,以使所述数据共享服务用于在确定所述服务调用方具有所述数据共享服务的调用权限的情况下,响应所述服务调用方发出的所述服务调用请求。所述权限管理模型包括OpenAPI(开放的应用程序接口)模型或IAM(Identityand Access Management,身份识别与访问管理)模型;所述确定所述服务调用方具有所述数据共享服务的调用权限,包括:在所述数据共享服务的权限管理模型为OpenAPI模型的情况下,根据所述数据共享服务对应的公钥列表中的公钥对所述服务调用请求中包含的签名进行验签,并在验签成功的情况下,确定所述服务调用方具有所述数据共享服务的调用权限,例如,对于某服务调用方而言,其首先需要按照自身的私钥对服务调用请求进行签名,并将携带有该签名的服务调用请求发送给服务端,服务端会按照该服务调用请求所需调用的数据共享服务找到对应的公钥列表,然后按照该公钥列表中的若干公钥对该服务调用请求中携带的签名逐一进行验签,只要存在某一个公钥验签成功,则可以确定所述服务调用方具有所述数据共享服务的调用权限;在所述数据共享服务的权限管理模型为IAM模型的情况下,查询处于登录状态的所述服务调用方对应的服务权限列表,并在所述服务权限列表中包含所述数据共享服务的情况下,确定所述服务调用方具有所述数据共享服务的调用权限,例如,对于某服务调用方而言,其首先需要进行登录操作以接入服务端,登陆成功后服务端会检查该服务调用方对应服务权限列表,该服务权限列表中记录有各个可供该服务调用方进行调用的数据共享服务的服务ID,因此可以将服务调用方可以调用的服务展示给服务调用方对应的客户端,服务调用方进而通过客户端发起针对某一数据共享服务的服务调用请求,以使服务端进一步根据该服务调用请求所需调用的数据共享服务的服务ID是否包含在服务权限列表中,从而确定该服务调用方是否具有所述数据共享服务的调用权限。Optionally, the configuration information also includes a rights management policy, which is used to configure the rights management model of the data sharing service for the service caller, so that the data sharing service is used to respond to the service call request issued by the service caller when it is determined that the service caller has the right to call the data sharing service. The rights management model includes an OpenAPI (open application programming interface) model or an IAM (Identity and Access Management) model. Management, Identity Identification and Access Management) model; the determining that the service caller has the right to call the data sharing service includes: when the permission management model of the data sharing service is an OpenAPI model, verifying the signature contained in the service call request according to the public key in the public key list corresponding to the data sharing service, and when the verification is successful, determining that the service caller has the right to call the data sharing service. For example, for a certain service caller, it first needs to sign the service call request according to its own private key, and send the service call request carrying the signature to the server. The server will find the corresponding public key list according to the data sharing service to be called by the service call request, and then verify the signatures carried in the service call request one by one according to the several public keys in the public key list. As long as there is a public key that succeeds in the verification, it can be determined that the service caller has the right to call the data sharing service; When the permission management model of the data sharing service is an IAM model, the service permission list corresponding to the service caller in the logged-in state is queried, and when the data sharing service is included in the service permission list, it is determined that the service caller has the calling permission for the data sharing service. For example, for a certain service caller, it first needs to log in to access the server. After the login is successful, the server will check the service permission list corresponding to the service caller. The service permission list records the service ID of each data sharing service that can be called by the service caller. Therefore, the services that the service caller can call can be displayed to the client corresponding to the service caller. The service caller then initiates a service call request for a certain data sharing service through the client, so that the server can further determine whether the service caller has the calling permission for the data sharing service based on whether the service ID of the data sharing service to be called by the service call request is included in the service permission list.

在本说明书实施例中,数据提供方可以对数据共享服务的权限管理模型进行灵活地配置,从而向服务调用方要求不同的鉴权方式,以更好地适应不同的实际服务调用场景,满足各方需求。In the embodiments of this specification, the data provider can flexibly configure the authority management model of the data sharing service, thereby requiring different authentication methods from the service caller to better adapt to different actual service call scenarios and meet the needs of all parties.

可选的,所述权限管理策略还用于配置所述数据共享服务针对服务调用方的合法调用方列表。例如,所述权限管理策略中携带有针对服务调用方的合法调用方列表,那么在所述数据共享服务的权限管理模型为OpenAPI模型的情况下,所述合法调用方列表中记录有若干公钥,以使服务端在部署数据共享服务时,将合法调用方列表中记录的若干公钥写入所述数据共享服务对应的公钥列表;在所述数据共享服务的权限管理模型为IAM模型的情况下,所述合法调用方列表中记录有若干服务调用方的ID信息,以使服务端在部署数据共享服务时,根据合法调用方列表中记录有若干服务调用方的ID信息找到各个服务调用方对应的服务权限列表,并将数据共享服务的服务ID写入各个服务调用方对应的服务权限列表。Optionally, the permission management policy is also used to configure the data sharing service for a list of legal callers of service callers. For example, if the permission management policy carries a list of legal callers for service callers, then when the permission management model of the data sharing service is an OpenAPI model, several public keys are recorded in the legal caller list, so that when the server deploys the data sharing service, the several public keys recorded in the legal caller list are written into the public key list corresponding to the data sharing service; when the permission management model of the data sharing service is an IAM model, the legal caller list records the ID information of several service callers, so that when the server deploys the data sharing service, it finds the service permission list corresponding to each service caller according to the ID information of several service callers recorded in the legal caller list, and writes the service ID of the data sharing service into the service permission list corresponding to each service caller.

在本说明书实施例中,数据提供方可以对数据共享服务的合法调用方列表进行灵活地配置,从而限制能够调用该数据共享服务的服务调用方,以确保数据提供方能够自由地决定数据共享服务的服务对象。In the embodiment of the present specification, the data provider can flexibly configure the list of legal callers of the data sharing service, thereby limiting the service callers who can call the data sharing service to ensure that the data provider can freely determine the service objects of the data sharing service.

可选的,还包括:调用区块链存证服务,将所述服务部署请求和/或服务调用请求进行上链存证。在本说明书实施例中,通过在服务端部署区块链存证服务,从而使得服务端能够对整个数据共享服务的生命周期进行存证,以确保系统中数据和操作的透明性和可追溯性。Optionally, it also includes: calling a blockchain evidence service to store the service deployment request and/or service call request on the chain. In the embodiment of this specification, by deploying a blockchain evidence service on the server, the server can store the entire life cycle of the data sharing service to ensure the transparency and traceability of data and operations in the system.

在另一实施例中,所述预设配置策略包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式,所述至少一种加密方式中包含同态加密方式,同样以图2为例,作为客户端侧计算设备101的设备5可以在服务器端102上部署新的数据共享服务,而作为客户端侧计算设备101的设备3则可以调用设备5所部署的数据共享服务,以从服务器端102获取将设备5共享的共享数据进行加密得到的加密数据,从而实现基于加密数据的隐私计算,以下将详细讨论该实施例的具体执行过程。In another embodiment, the preset configuration strategy includes a data security policy, which includes at least one encryption method for encrypting the shared data in the shared data set, and the at least one encryption method includes a homomorphic encryption method. Taking Figure 2 as an example, device 5 as a client-side computing device 101 can deploy a new data sharing service on the server side 102, and device 3 as a client-side computing device 101 can call the data sharing service deployed by device 5 to obtain encrypted data obtained by encrypting the shared data shared by device 5 from the server side 102, thereby realizing privacy computing based on encrypted data. The specific execution process of this embodiment will be discussed in detail below.

图4是本说明书根据一示例性实施例示出的另一种部署数据共享服务的方法的流程图,该方法应用于图2所示的服务端,所述方法包括以下步骤:FIG4 is a flowchart of another method for deploying a data sharing service according to an exemplary embodiment of the present specification. The method is applied to the server shown in FIG2 , and the method includes the following steps:

S402:接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式,所述至少一种加密方式中包含同态加密方式。S402: Receive a service deployment request from a data provider, wherein the service deployment request includes shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information includes a data security policy, and the data security policy includes at least one encryption method for encrypting shared data in the shared data set, wherein the at least one encryption method includes a homomorphic encryption method.

在本说明书实施例中,作为客户端的服务调用方本地预先维护有SDK(SoftwareDevelopment Kit,软件开发工具包)或UDF(Userdefined function,用户自定义函数)以用于对加密数据进行使用,本说明书实施例涉及的对加密数据的使用包括密文检索、密文计算和密文解密这三种类型,其中,密文检索和密文计算可以由服务调用方在获取服务端提供的加密数据后在本地完成,而密文解密则可能需要服务调用方与服务端进行二次交互才能够实现,例如对于不涉及TEE(Trusted Execution Environment,可信执行环境)架构服务调用方而言,如果需要对某加密数据进行密文解密,则必须向与服务端发起针对该加密数据的解密请求,在服务端鉴权成功后会通过服务端或服务调用方对该加密数据进行解密后最终提供至服务调用方。In the embodiments of the present specification, the service caller as a client locally maintains a SDK (Software Development Kit) or UDF (User defined function) in advance for the use of encrypted data. The use of encrypted data involved in the embodiments of the present specification includes three types of ciphertext retrieval, ciphertext calculation and ciphertext decryption. Among them, ciphertext retrieval and ciphertext calculation can be completed locally by the service caller after obtaining the encrypted data provided by the server, while ciphertext decryption may require the service caller to interact with the server for a second time to be realized. For example, for a service caller that does not involve a TEE (Trusted Execution Environment) architecture, if it is necessary to decrypt certain encrypted data, a decryption request for the encrypted data must be initiated to the server. After the server is successfully authenticated, the encrypted data will be decrypted by the server or the service caller and finally provided to the service caller.

本说明书实施例涉及的可信执行环境(TEE)可以为软件提供安全的执行环境,TEE是基于CPU硬件的安全扩展,且与外部完全隔离的可信执行环境。TEE最早是由GlobalPlatform提出的概念,用于解决移动设备上资源的安全隔离,平行于操作系统为应用程序提供可信安全的执行环境。目前工业界十分关注TEE的方案,几乎所有主流的芯片和软件联盟都有自己的TEE解决方案,比如软件方面的TPM(Trusted Platform Module,可信赖平台模块)以及硬件方面的Intel SGX、ARM Trustzone(信任区)和AMD PSP(Platform SecurityProcessor,平台安全处理器)等。The trusted execution environment (TEE) involved in the embodiments of this specification can provide a secure execution environment for software. TEE is a trusted execution environment based on the security extension of CPU hardware and completely isolated from the outside. TEE was first proposed by Global Platform to solve the security isolation of resources on mobile devices and provide a trusted and secure execution environment for applications in parallel with the operating system. At present, the industry is paying close attention to the TEE solution. Almost all mainstream chip and software alliances have their own TEE solutions, such as TPM (Trusted Platform Module) in software and Intel SGX, ARM Trustzone (Trust Zone) and AMD PSP (Platform Security Processor) in hardware.

以Intel SGX(以下简称SGX)技术为例。可信计算节点可以基于SGX技术创建enclave(围圈或飞地),以作为用于执行区块链交易的TEE。其中,区块链节点利用CPU中新增的处理器指令,在内存中可以分配一部分区域EPC(Enclave Page Cache,围圈页面缓存或飞地页面缓存),以用于驻留上述的enclave。上述EPC对应的内存区域被CPU内部的内存加密引擎MEE(Memory Encryption Engine)加密,该内存区域中的内容(enclave中的代码和数据)只有在CPU内核中才能够被解密,且用于加解密的密钥只有在EPC启动时生成并存储在CPU中。可见,enclave的安全边界只包含其自身和CPU,无论是特权或非特权软件都无法访问enclave,即便是操作系统管理员和VMM(virtual machine monitor,虚拟机监视器;或称为,Hypervisor)也无法影响enclave中的代码和数据,因而具有极高的安全性,并且在上述安全性保障的前提下,CPU能够在enclave中对明文形式的区块链交易进行处理,具有极高的运算效率,从而兼顾了数据安全性和计算效率。Take Intel SGX (hereinafter referred to as SGX) technology as an example. Trusted computing nodes can create enclaves (enclaves or enclaves) based on SGX technology as TEEs for executing blockchain transactions. Among them, blockchain nodes use the newly added processor instructions in the CPU to allocate a part of the area EPC (Enclave Page Cache, enclave page cache or enclave page cache) in the memory to reside in the above enclave. The memory area corresponding to the above EPC is encrypted by the memory encryption engine MEE (Memory Encryption Engine) inside the CPU. The content in this memory area (code and data in the enclave) can only be decrypted in the CPU core, and the key used for encryption and decryption is only generated and stored in the CPU when the EPC is started. It can be seen that the security boundary of the enclave only includes itself and the CPU. No privileged or non-privileged software can access the enclave. Even the operating system administrator and VMM (virtual machine monitor; also known as Hypervisor) cannot affect the code and data in the enclave. Therefore, it has extremely high security. Under the premise of the above security guarantee, the CPU can process blockchain transactions in plain text in the enclave with extremely high computing efficiency, thus taking into account both data security and computing efficiency.

在本说明书实施例中,作为客户端的数据提供方可以主动向服务端申请部署数据共享服务,为此数据提供方需要在发送给服务端的服务部署请求中携带共享数据集信息和配置信息,其中,共享数据集信息用于描述由数据提供方所维护的共享数据集,配置信息用于对数据提供方所需部署的数据共享服务进行配置。本说明书实施例所涉及的共享数据集为数据提供方所希望进行共享的共享数据的集合,且共享数据集中的共享数据是明文状态的。In the embodiments of this specification, the data provider as a client can actively apply to the server to deploy a data sharing service. To this end, the data provider needs to carry shared data set information and configuration information in the service deployment request sent to the server, wherein the shared data set information is used to describe the shared data set maintained by the data provider, and the configuration information is used to configure the data sharing service that the data provider needs to deploy. The shared data set involved in the embodiments of this specification is a collection of shared data that the data provider wants to share, and the shared data in the shared data set is in plain text.

在本说明书实施例中,所述配置信息包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式,所述至少一种加密方式中包含同态加密方式。本说明书实施例中涉及的同态加密方式可以包括BFV(全同态加密算法)、CKKS(近似计算同态加密算法)和SM4(分组密码算法)等,并且通过不同的同态加密方式加密得到的加密数据支持进行不同类型的密文计算,例如,通过BFV加密得到的加密数据支持求子串、求两个密文字符串的连接、大小写转换等密文计算,通过CKKS加密得到的加密数据则支持加、减、乘、除、幂函数、指数函数、对数函数等密文计算,通过SM4加密得到的加密数据支持求日期的年、月、日、时、分、秒等密文计算。由于在本说明书实施例中,数据提供方可以在配置信息的数据安全策略中指定一种或多种同态加密方式,而通过不同的同态加密方式加密得到的加密数据又支持不同类型的密文计算,因此数据提供方可以通过控制共享数据集中共享数据的加密方式,以对最终提供给服务调用方的加密数据的密文计算类型进行限制,从而相当于数据提供方可以对部署的数据共享服务对应的密文计算类型进行配置。因此,服务调用方可以通过查看部署在服务端上的数据共享服务的描述信息,以获知该数据共享服务所能够支持的密文计算类型,从而在向服务端请求该数据共享服务时,可以从数据共享服务所能够支持的密文计算类型中进行选择,进而获取所需的加密数据以进行相应类型的密文计算。在本说明书实施例中,数据提供方可以根据业务场景的实际需求进行灵活地配置,以在满足服务调用方的调用需求的情况下尽可能地降低数据共享服务的复杂度,节省数据共享服务在部署和维护时所需消耗的计算资源或存储资源。In an embodiment of the present specification, the configuration information includes a data security policy, and the data security policy includes at least one encryption method for encrypting the shared data in the shared data set, and the at least one encryption method includes a homomorphic encryption method. The homomorphic encryption methods involved in the embodiments of the present specification may include BFV (fully homomorphic encryption algorithm), CKKS (approximate computational homomorphic encryption algorithm) and SM4 (block cipher algorithm), etc., and the encrypted data encrypted by different homomorphic encryption methods support different types of ciphertext calculations. For example, the encrypted data encrypted by BFV supports ciphertext calculations such as substrings, concatenation of two ciphertext strings, and case conversion. The encrypted data encrypted by CKKS supports ciphertext calculations such as addition, subtraction, multiplication, division, power function, exponential function, and logarithmic function. The encrypted data encrypted by SM4 supports ciphertext calculations such as year, month, day, hour, minute, and second of the date. Since in the embodiment of the present specification, the data provider can specify one or more homomorphic encryption methods in the data security policy of the configuration information, and the encrypted data encrypted by different homomorphic encryption methods supports different types of ciphertext calculations, the data provider can control the encryption method of the shared data in the shared data set to limit the ciphertext calculation type of the encrypted data finally provided to the service caller, which is equivalent to the data provider being able to configure the ciphertext calculation type corresponding to the deployed data sharing service. Therefore, the service caller can view the description information of the data sharing service deployed on the server to learn the ciphertext calculation type that the data sharing service can support, so that when requesting the data sharing service from the server, it can choose from the ciphertext calculation type that the data sharing service can support, and then obtain the required encrypted data to perform the corresponding type of ciphertext calculation. In the embodiment of the present specification, the data provider can be flexibly configured according to the actual needs of the business scenario, so as to reduce the complexity of the data sharing service as much as possible while meeting the calling requirements of the service caller, and save the computing resources or storage resources required for the data sharing service to be consumed during deployment and maintenance.

在一说明书实施例中,所述数据安全策略还包括用于对加密数据生成检索索引的至少一种检索方式,本说明书实施例中涉及的检索方式可以包括全等查询和模糊查询,其中,全等查询可以检索得到与检索关键词完全匹配的加密数据,而模糊查询可以检索到与检索关键词部分匹配或具有相关性的加密数据。由于在本说明书实施例中,数据提供方可以在配置信息的数据安全策略中指定一种或多种检索方式,从而使加密数据通过不同的检索方式生成不同类型的检索索引,以用于进行不同方式的检索。因此,数据提供方可以通过控制加密数据的检索索引的生成方式,以对最终提供给服务调用方的加密数据的检索索引类型进行限制,从而相当于数据提供方可以对部署的数据共享服务对应的加密数据检索方式进行配置,使得服务调用方获取的加密数据能够支持一种或多种方式的加密数据检索。因此,服务调用方可以通过查看部署在服务端上的数据共享服务的描述信息,以获知该数据共享服务所能够支持的加密数据检索方式,从而在向服务端请求该数据共享服务时,可以从数据共享服务所能够支持的加密数据检索方式中进行选择,进而利用获取的检索索引以进行相应方式的加密数据检索。在本说明书实施例中,数据提供方可以对数据共享服务所支持的加密数据检索方式进行灵活地配置,从而使服务调用方可以利用密文检索技术对获取的加密数据进行加密数据检索。In one embodiment of the specification, the data security policy also includes at least one retrieval method for generating a retrieval index for encrypted data. The retrieval methods involved in the embodiment of the specification may include a congruent query and a fuzzy query, wherein the congruent query can retrieve encrypted data that completely matches the retrieval keyword, and the fuzzy query can retrieve encrypted data that partially matches or has a correlation with the retrieval keyword. Since in the embodiment of the specification, the data provider can specify one or more retrieval methods in the data security policy of the configuration information, so that the encrypted data generates different types of retrieval indexes through different retrieval methods for different retrieval methods. Therefore, the data provider can control the generation method of the retrieval index of the encrypted data to limit the retrieval index type of the encrypted data ultimately provided to the service caller, which is equivalent to the data provider being able to configure the encrypted data retrieval method corresponding to the deployed data sharing service, so that the encrypted data obtained by the service caller can support one or more methods of encrypted data retrieval. Therefore, the service caller can view the description information of the data sharing service deployed on the server to learn the encrypted data retrieval methods that the data sharing service can support, so that when requesting the data sharing service from the server, it can select from the encrypted data retrieval methods that the data sharing service can support, and then use the obtained retrieval index to perform encrypted data retrieval in the corresponding manner. In the embodiment of this specification, the data provider can flexibly configure the encrypted data retrieval methods supported by the data sharing service, so that the service caller can use the ciphertext retrieval technology to perform encrypted data retrieval on the obtained encrypted data.

在一说明书实施例中,所述数据安全策略还包括服务调用频次,所述服务调用频次用于配置所述数据共享服务的周期性调用次数上限和/或永久性调用次数上限,其中,周期性调用次数上限指的是在一个周期性的时间段(如每小时、每日、每周、每月等)内可被服务调用方调用的次数上限,而永久性调用次数上限指的是自该数据共享服务部署完成后,总共能够被服务调用方所调用的次数上限。服务端将针对成功部署的数据共享服务维护一个调用次数表,其中记录有当前的周期性调用次数和/或永久性调用次数,而每次服务端接收到针对该数据共享服务的服务调用请求时,服务端会对该数据共享服务对应的调用次数表中的信息进行更新,假设该调用次数表中的周期性调用次数达到周期性调用次数上限或永久性调用次数达到永久性调用次数上限,那么服务器将暂停响应针对该数据共享服务的服务调用请求,当然,数据共享服务的管理员(例如该数据共享服务的数据提供方)可以对调用次数表中的数据进行管理,以实现相关调用次数的清零、更改等操作。在本说明书实施例中,数据提供方可以对数据共享服务的服务调用频次进行灵活地配置,从而限制服务调用方对数据共享服务的调用频次,以适应不同的实际服务调用场景。In an embodiment of the specification, the data security policy also includes a service call frequency, which is used to configure the upper limit of the periodic call times and/or the upper limit of the permanent call times of the data sharing service, wherein the upper limit of the periodic call times refers to the upper limit of the number of times that can be called by the service caller within a periodic time period (such as hourly, daily, weekly, monthly, etc.), and the upper limit of the permanent call times refers to the upper limit of the number of times that can be called by the service caller after the data sharing service is deployed. The server will maintain a call times table for the successfully deployed data sharing service, which records the current periodic call times and/or permanent call times, and each time the server receives a service call request for the data sharing service, the server will update the information in the call times table corresponding to the data sharing service. If the periodic call times in the call times table reach the upper limit of the periodic call times or the permanent call times reach the upper limit of the permanent call times, then the server will suspend responding to the service call requests for the data sharing service. Of course, the administrator of the data sharing service (such as the data provider of the data sharing service) can manage the data in the call times table to achieve operations such as clearing and changing the relevant call times. In the embodiments of the present specification, the data provider can flexibly configure the service call frequency of the data sharing service, thereby limiting the call frequency of the service caller to the data sharing service to adapt to different actual service call scenarios.

S404:基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标加密方式包含于所述至少一种加密方式的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据。S404: Deploy a callable data sharing service based on the configuration information, the data sharing service being used to provide the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method when it is determined that the target encryption method indicated in the service call request initiated by the service caller is included in the at least one encryption method.

在本说明书实施例中,服务端首先会注册并加载一个数据共享服务实例,并根据所述配置信息和共享数据集信息来配置数据共享服务实例中的不同模块以使数据共享服务能够支持不同的功能,例如,数据共享服务实例在刚加载时有一个空字段需要填充服务所需调取的数据源信息,那么可以将共享数据集信息直接填入该空字段中,以使该数据共享服务在被调用时可以正确地获取共享数据集;又例如数据共享服务实例中的数据加密模块在刚加载时缺少配置,那么可以将配置信息的数据安全策略中的至少一种加密方式写入该数据加密模块中的配置中,从而开启对应的加密功能,以使该数据共享服务在被调用时可以按照数据提供方所配置的至少一种加密方式进行加密得到加密数据。In an embodiment of the present specification, the server first registers and loads a data sharing service instance, and configures different modules in the data sharing service instance according to the configuration information and shared data set information so that the data sharing service can support different functions. For example, when the data sharing service instance is just loaded, there is an empty field that needs to be filled with the data source information required by the service. In this case, the shared data set information can be directly filled into the empty field so that the data sharing service can correctly obtain the shared data set when it is called. For example, when the data encryption module in the data sharing service instance lacks configuration when it is just loaded, at least one encryption method in the data security policy of the configuration information can be written into the configuration of the data encryption module, thereby enabling the corresponding encryption function, so that when the data sharing service is called, it can encrypt and obtain encrypted data according to at least one encryption method configured by the data provider.

在本说明书实施例中,数据共享服务部署完成后会维护有一个服务ID,服务调用方可以通过发起针对该服务ID的服务调用请求从而调用并执行相应数据共享服务。如图2所示,服务调用方1可以在服务调用请求中携带服务ID字段“2”以及数据安全策略中加密方式字段“CKKS”,从而使服务端获取该服务调用请求后,首先根据服务ID字段“2”确定服务调用方2所需调用的数据共享服务为“数据共享服务2”,以及所需的加密方式为“CKKS”,那么服务端就会进一步执行数据共享服务2,以获取数据共享服务2对应的共享数据集,并按照CKKS的加密方式对共享数据集中的共享数据进行加密以得到加密数据,最后将加密数据提供至服务调用方2。In the embodiment of the present specification, a service ID will be maintained after the data sharing service is deployed, and the service caller can call and execute the corresponding data sharing service by initiating a service call request for the service ID. As shown in Figure 2, the service caller 1 can carry the service ID field "2" and the encryption method field "CKKS" in the data security policy in the service call request, so that after the server obtains the service call request, it first determines that the data sharing service that the service caller 2 needs to call is "data sharing service 2" and the required encryption method is "CKKS" according to the service ID field "2". Then the server will further execute data sharing service 2 to obtain the shared data set corresponding to data sharing service 2, and encrypt the shared data in the shared data set according to the encryption method of CKKS to obtain encrypted data, and finally provide the encrypted data to the service caller 2.

在一些场景下,服务调用方可能只需要进行某一种类型的密文计算,因此只会调用按照某一种加密方式进行加密的加密数据,这对于支持各类不同的加密方式的数据共享服务而言无疑是一种资源的浪费,还会造成服务调用方获取本不需要的加密数据,而通过本说明书实施例所涉及的部署数据共享服务的方法,数据提供方可以根据业务场景的实际需求进行灵活地配置,服务调用方也可以根据自身的需求进行灵活地调用,以在满足服务调用方的调用需求的情况下尽可能地降低数据共享服务的复杂度,节省数据共享服务在部署和维护时所需消耗的计算资源或存储资源。In some scenarios, the service caller may only need to perform a certain type of ciphertext calculation, and therefore will only call encrypted data encrypted according to a certain encryption method. This is undoubtedly a waste of resources for data sharing services that support various different encryption methods, and will also cause the service caller to obtain encrypted data that is not needed. Through the method for deploying data sharing services involved in the embodiments of this specification, the data provider can flexibly configure according to the actual needs of the business scenario, and the service caller can also flexibly call according to its own needs, so as to reduce the complexity of the data sharing service as much as possible while meeting the service caller's calling requirements, and save the computing resources or storage resources required for the deployment and maintenance of the data sharing service.

可选的,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:向所述服务调用方提供按照所述目标加密方式对所述共享数据集中由所述服务调用请求中所指示的目标共享数据进行加密得到的加密数据。在本说明书实施例中,服务调用方可以在服务调用请求中指定目标共享数据,例如可以在服务调用请求中携带关键词、数据类型、文件ID等描述信息,然后服务端可以在该数据共享服务对应的共享数据集中,根据服务调用请求中携带的描述信息进行检索,并将查询得到的共享数据确定为目标共享数据,进而将目标共享数据加密后提供至服务调用方,于是服务端便可以在向服务调用方提供加密数据时,无需提供将共享数据集中的全部共享数据进行加密后得到的加密数据,而是可以根据服务调用方的实际需求,提供将共享数据集中的服务调用方所需的部分共享数据进行加密后得到的加密数据,在更加精确地满足服务调用方的数据需求的同时尽可能地减少不必要的数据加密和网络交互的过程。Optionally, the providing of the encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method to the service caller includes: providing the encrypted data obtained by encrypting the target shared data indicated in the service call request in the shared data set according to the target encryption method to the service caller. In an embodiment of the present specification, the service caller can specify the target shared data in the service call request, for example, the service call request can carry description information such as keywords, data types, and file IDs, and then the server can search the shared data set corresponding to the data sharing service according to the description information carried in the service call request, and determine the shared data obtained by the query as the target shared data, and then encrypt the target shared data and provide it to the service caller. Therefore, when providing encrypted data to the service caller, the server does not need to provide the encrypted data obtained by encrypting all the shared data in the shared data set, but can provide the encrypted data obtained by encrypting part of the shared data required by the service caller in the shared data set according to the actual needs of the service caller, so as to more accurately meet the data needs of the service caller while reducing unnecessary data encryption and network interaction processes as much as possible.

可选的,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:向所述服务调用方提供预先存储在所述服务端的加密数据集中的所述加密数据,所述加密数据集由所述服务端按照所述至少一个加密方式对所述共享数据集中的所有共享数据预先进行加密得到;或者,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据即时进行加密得到的所述加密数据。Optionally, the providing the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method includes: providing the service caller with the encrypted data pre-stored in an encrypted data set on the server side, the encrypted data set being obtained by pre-encrypting all the shared data in the shared data set by the server side according to the at least one encryption method; or, providing the service caller with the encrypted data obtained by instantly encrypting the shared data in the shared data set according to the target encryption method.

在本说明书实施例中,服务端在接收到服务调用方发起的服务调用请求时,提供多种不同的加密数据提供方式:在第一种加密数据提供方式中,数据共享服务在部署阶段中还会在服务端维护一个加密数据集,这个加密数据集是按照所述数据安全策略中记录的所有加密方式对所述共享数据集中的所有共享数据进行加密后得到,例如,在数据安全策略中记录的加密方式一共有M种、而共享数据集中的共享数据有N个的情况下,服务端会对N个共享数据进行M次加密,最终将获得M×N个加密数据以作为加密数据集。因此,服务端在接收到服务调用方发起的针对目标加密方式的服务调用请求时,能够直接从预先存储的加密数据集中取出按照目标加密方式加密得到的加密数据。由于加密共享数据的过程在接收到服务调用请求之前就已经完成,因此这种加密数据提供方式可以节约数据共享服务的执行时间,从而减少服务调用方等待加密数据返回的等待时长,提高用户体验。In the embodiment of the present specification, when the server receives the service call request initiated by the service caller, it provides a variety of different encrypted data provision methods: in the first encrypted data provision method, the data sharing service will also maintain an encrypted data set on the server during the deployment phase. This encrypted data set is obtained by encrypting all the shared data in the shared data set according to all the encryption methods recorded in the data security policy. For example, when there are M encryption methods recorded in the data security policy and there are N shared data in the shared data set, the server will encrypt the N shared data M times, and finally obtain M×N encrypted data as the encrypted data set. Therefore, when the server receives the service call request initiated by the service caller for the target encryption method, it can directly retrieve the encrypted data encrypted according to the target encryption method from the pre-stored encrypted data set. Since the process of encrypting the shared data is completed before receiving the service call request, this encrypted data provision method can save the execution time of the data sharing service, thereby reducing the waiting time for the service caller to wait for the encrypted data to be returned, and improving the user experience.

在第二种加密数据提供方式中,服务端不会预先存储有加密数据集,而是会根据接收到的服务调用请求首先获知服务调用方所需的目标加密方式,然后再按照目标加密方式对共享数据集中的共享数据即时进行加密得到加密数据,并将加密数据提供至服务调用方。由于在本加密数据提供方式下服务端是即时加密的,因此无需在服务端预先存储大量的加密数据,从而减少服务端存储资源的消耗。In the second encrypted data provision method, the server does not pre-store an encrypted data set, but first learns the target encryption method required by the service caller according to the received service call request, and then instantly encrypts the shared data in the shared data set according to the target encryption method to obtain encrypted data, and then provides the encrypted data to the service caller. Since the server encrypts instantly in this encrypted data provision method, there is no need to pre-store a large amount of encrypted data on the server, thereby reducing the consumption of storage resources on the server.

在第三种加密数据提供方式中,服务端维护有已经部署的各个数据共享服务对应的热度列表,其中,任一数据共享服务对应的热度列表中记录有该数据共享服务的被调用情况,包括服务调用频率和执行过程中按照不同加密方式对共享数据进行加密的加密频率等,服务调用频率反映了该数据共享服务近期被调用的热度,而不同加密方式对共享数据进行加密的频率则反映了服务调用方对各个加密方式的需求热度。服务端可以根据数据共享服务的被调用情况决定是否在服务端存储加密数据集,从而在不同的加密数据提供方式之间进行转换。例如,在该数据共享服务的服务调用频率高于第一预设阈值的情况下,服务端首先会根据该数据共享服务的配置信息和共享数据集建立完整的加密数据集,并在加密数据集建立完成并存储在服务端后,对指定该数据共享服务的服务调用请求采用上述的第一种加密数据提供方式;而在某一数据共享服务的服务调用频率低于第二预设阈值的情况下,服务端将采用上述的第二种加密数据提供方式,此时如果服务端存储有该数据共享服务对应的加密数据集,则会将其进行删除。又例如,在某一数据共享服务对应的热度列表中,实时监控不同加密方式对共享数据进行加密的加密频率,在某一加密方式对应的加密频率高于第一预设阈值后,会在服务端存储将共享数据集中的共享数据按照该加密方式进行加密得到的加密数据所构成的加密数据集,并对指定该加密方式的服务调用请求采用上述的第一种加密数据提供方式;而在某一加密方式对应的加密频率低于第二预设阈值时,则会对指定该加密方式的服务调用请求采用上述的第二种加密数据提供方式,并检查服务端存储的加密数据集中是否包含通过该加密方式加密得到的加密数据,如果存在则将这部分加密数据从加密数据集中删除,在本例中,服务端会动态维护加密数据集的内容,使其中保留有经常被服务调用方所调用的加密数据,而及时删除不常被调用的加密数据。在本加密数据提供方式下,服务端会根据共享服务的被调用情况智能地调节加密数据提供方式和服务端存储的加密数据集中的内容,从而在节省存储资源和提高调用效率之间取得一个平衡。In the third encrypted data provision method, the server maintains a heat list corresponding to each deployed data sharing service, wherein the heat list corresponding to any data sharing service records the calling situation of the data sharing service, including the service calling frequency and the encryption frequency of encrypting the shared data according to different encryption methods during the execution process, etc. The service calling frequency reflects the popularity of the recent calling of the data sharing service, and the frequency of encrypting the shared data by different encryption methods reflects the demand heat of the service caller for each encryption method. The server can decide whether to store the encrypted data set on the server according to the calling situation of the data sharing service, so as to switch between different encrypted data provision methods. For example, when the service calling frequency of the data sharing service is higher than the first preset threshold, the server will first establish a complete encrypted data set according to the configuration information and shared data set of the data sharing service, and after the encrypted data set is established and stored on the server, the service call request of the specified data sharing service will adopt the above-mentioned first encrypted data provision method; and when the service calling frequency of a certain data sharing service is lower than the second preset threshold, the server will adopt the above-mentioned second encrypted data provision method, and if the server stores the encrypted data set corresponding to the data sharing service, it will delete it. For another example, in a popularity list corresponding to a data sharing service, the encryption frequency of different encryption methods for encrypting shared data is monitored in real time. When the encryption frequency corresponding to a certain encryption method is higher than a first preset threshold, an encrypted data set consisting of encrypted data obtained by encrypting the shared data in the shared data set according to the encryption method will be stored on the server side, and the first encryption data provision method mentioned above will be adopted for the service call request specifying the encryption method; and when the encryption frequency corresponding to a certain encryption method is lower than a second preset threshold, the second encryption data provision method mentioned above will be adopted for the service call request specifying the encryption method, and it will be checked whether the encrypted data set stored on the server side contains the encrypted data obtained by the encryption method. If it exists, this part of the encrypted data will be deleted from the encrypted data set. In this example, the server side will dynamically maintain the content of the encrypted data set, so that the encrypted data that is frequently called by the service caller is retained, and the encrypted data that is not frequently called is deleted in time. Under this encrypted data provision method, the server side will intelligently adjust the encryption data provision method and the content of the encrypted data set stored on the server side according to the calling situation of the shared service, so as to achieve a balance between saving storage resources and improving calling efficiency.

可选的,所述配置信息还包括加密数据存储策略,用于配置所述数据共享服务针对服务调用方的加密数据提供方式。如前所述,服务端在接收到服务调用方发起的服务调用请求时,可以提供多种不同的加密数据提供方式,包括前述的第一、第二或第三种加密数据提供方式,本说明书实施例中,数据共享服务的加密数据提供方式可以由数据提供方进行配置,从而增加服务部署的灵活度,以更好地适应不同的实际服务调用场景。Optionally, the configuration information also includes an encrypted data storage strategy, which is used to configure the encrypted data provision method of the data sharing service for the service caller. As mentioned above, when the server receives a service call request initiated by the service caller, it can provide a variety of different encrypted data provision methods, including the first, second or third encrypted data provision method mentioned above. In the embodiment of this specification, the encrypted data provision method of the data sharing service can be configured by the data provider, thereby increasing the flexibility of service deployment to better adapt to different actual service call scenarios.

可选的,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:在确定所述服务调用方为部署在可信执行环境中的可信应用的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据以及解密密钥密文,所述解密密钥密文由解密密钥通过所述可信应用对应的公钥加密得到,所述解密密钥用于对所述加密数据进行解密。Optionally, the providing the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method includes: when it is determined that the service caller is a trusted application deployed in a trusted execution environment, providing the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method and a decryption key ciphertext, the decryption key ciphertext being encrypted by a decryption key using a public key corresponding to the trusted application, and the decryption key being used to decrypt the encrypted data.

在本说明书实施例中,服务端可以对服务调用方的TEE架构进行检查,并在确定服务调用方为部署在可信执行环境中可信应用的情况下,向服务调用方额外提供通过服务调用方对应的公钥加密得到的解密密钥密文,服务调用方可以根据自身私钥对解密密钥密文进行解密以获取解密密钥,从而使服务调用方在获取加密数据后,将所需参与密文计算的加密数据通过解密密钥在可信执行环境中进行解密,并对解密得到的共享数据执行明文计算,从而将密文计算任务转化为明文计算任务,由于明文计算任务所需花费的计算资源远小于密文计算任务,因此能够节省计算资源、提高隐私计算效率。另外,由于服务调用方直接获取有解密密钥,因此服务调用方可以在本地实现密文解密而无需与服务端进行二次交互,从而减轻了服务端的系统压力。在本说明书实施例中,服务端可以对服务调用方的TEE架构进行识别以智能调整隐私计算的实现方式,在确定服务调用方为可信执行环境中的可信应用的情况下,将解密密钥加密提供给服务调用方以在确保安全,同时适配TEE场景下隐私计算的实现方式,从而通过同一个数据共享服务向不同类型的服务调用方提供不同的隐私计算解决方案,充分利用服务调用方的TEE架构以节省计算资源、提高隐私计算效率并减轻服务端的系统压力。In the embodiments of this specification, the server can check the TEE architecture of the service caller, and when it is determined that the service caller is a trusted application deployed in a trusted execution environment, it can provide the service caller with an additional decryption key ciphertext encrypted by the public key corresponding to the service caller. The service caller can decrypt the decryption key ciphertext according to its own private key to obtain the decryption key, so that after obtaining the encrypted data, the service caller can decrypt the encrypted data required to participate in the ciphertext calculation in the trusted execution environment through the decryption key, and perform plaintext calculation on the shared data obtained by decryption, thereby converting the ciphertext calculation task into a plaintext calculation task. Since the computing resources required for the plaintext calculation task are far less than those for the ciphertext calculation task, it can save computing resources and improve the efficiency of privacy computing. In addition, since the service caller directly obtains the decryption key, the service caller can implement ciphertext decryption locally without secondary interaction with the server, thereby reducing the system pressure on the server. In the embodiments of this specification, the server can identify the TEE architecture of the service caller to intelligently adjust the implementation method of privacy computing. When it is determined that the service caller is a trusted application in a trusted execution environment, the decryption key is encrypted and provided to the service caller to ensure security while adapting to the implementation method of privacy computing in the TEE scenario. This provides different privacy computing solutions to different types of service callers through the same data sharing service, making full use of the TEE architecture of the service caller to save computing resources, improve privacy computing efficiency and reduce system pressure on the server.

可选的,所述确定所述服务调用方为部署在可信执行环境中的可信应用,包括:对所述服务调用请求中包含的签名进行验签,并在验签结果表明所述服务调用方为已通过远程认证的可信应用的情况下,确定所述服务调用方为部署在可信执行环境中的可信应用。Optionally, determining that the service caller is a trusted application deployed in a trusted execution environment includes: verifying the signature contained in the service call request, and if the verification result indicates that the service caller is a trusted application that has passed remote authentication, determining that the service caller is a trusted application deployed in the trusted execution environment.

在本说明书实施例中,服务端维护有所有已通过远程认证的可信应用的公钥,从而可以利用这些公钥对服务调用请求中包含的签名逐一进行验签,只要存在某一公钥对签名验签成功,则可以证明服务调用方为该公钥所属的可信应用,即表明所述服务调用方为已通过远程认证的可信应用,部署在可信执行环境中。本说明书实施例通过在服务端维护有已通过远程认证的可信应用的公钥,因此相当于维护有服务调用方是否具有TEE架构的列表,通过该列表可以对服务调用方的TEE架构进行识别,另外,上述列表中除了记录有服务调用方的公钥以及远程认证通过情况以外,还会记录认证失效时间,该认证失效时间是指服务端获取的远程认证报告中记录的认证时间与一个预设固定值之和,从而使得通过认证的服务调用方需要定时地重新向服务端进行远程认证,以更新认证失效时间才能保证身份的有效性,避免暴露解密密钥给非TEE架构的服务调用方,最大限度地保证了数据安全。In the embodiment of the present specification, the server maintains the public keys of all trusted applications that have passed the remote authentication, so that the signatures contained in the service call request can be verified one by one using these public keys. As long as there is a public key pair signature verification success, it can be proved that the service caller is the trusted application to which the public key belongs, that is, it indicates that the service caller is a trusted application that has passed the remote authentication and is deployed in a trusted execution environment. The embodiment of the present specification maintains the public keys of trusted applications that have passed the remote authentication on the server, so it is equivalent to maintaining a list of whether the service caller has a TEE architecture, and the TEE architecture of the service caller can be identified through the list. In addition, in addition to recording the public key of the service caller and the remote authentication pass status, the above list also records the authentication expiration time, which refers to the sum of the authentication time recorded in the remote authentication report obtained by the server and a preset fixed value, so that the authenticated service caller needs to re-authenticate remotely to the server regularly to update the authentication expiration time to ensure the validity of the identity, avoid exposing the decryption key to the service caller of the non-TEE architecture, and maximize the data security.

在另一实施例中,服务调用请求中还会携带远程认证挑战,以使服务端将该远程认证挑战发往第三方认证系统,如IAS(Intel Attestation Service,英特尔认证服务器),第三方认证系统会对远程认证挑战中携带的服务调用方持有的可信硬件的公钥进行验签并生成远程认证报告,服务端接收第三方认证系统返回的远程认证报告,并根据远程认证报告中记载的远程认证结果以确定服务调用方是否为部署在可信执行环境中的可信应用,在确定服务调用方为可信应用的情况下,服务端还会进一步从远程认证报告中获取作为服务调用方的可信应用的公钥,并将其维护在已通过远程认证的可信应用公钥列表中。在本实施例中,可以在服务调用方对数据共享服务进行调用的情况下,即时进行远程认证过程,从而根据获取得到的远程认证报告记载的远程认证结果验证服务调用方是否为部署在可信执行环境中的可信应用,因此无需预先维护有已通过远程认证的可信应用的公钥列表,就能够确定服务调用方是否为部署在可信执行环境中的可信应用。In another embodiment, the service call request also carries a remote authentication challenge, so that the server sends the remote authentication challenge to a third-party authentication system, such as IAS (Intel Attestation Service). The third-party authentication system verifies the public key of the trusted hardware held by the service caller carried in the remote authentication challenge and generates a remote authentication report. The server receives the remote authentication report returned by the third-party authentication system, and determines whether the service caller is a trusted application deployed in a trusted execution environment based on the remote authentication result recorded in the remote authentication report. In the case where the service caller is determined to be a trusted application, the server will further obtain the public key of the trusted application as the service caller from the remote authentication report, and maintain it in the public key list of trusted applications that have passed the remote authentication. In this embodiment, the remote authentication process can be performed immediately when the service caller calls the data sharing service, so as to verify whether the service caller is a trusted application deployed in a trusted execution environment based on the remote authentication result recorded in the remote authentication report. Therefore, it is not necessary to maintain a public key list of trusted applications that have passed the remote authentication in advance, and it is possible to determine whether the service caller is a trusted application deployed in a trusted execution environment.

可选的,所述数据安全策略还包括至少一种检索方式,以使所述数据共享服务用于在确定所述服务调用请求中所指示的目标检索方式包含于所述至少一种检索方式的情况下,向所述服务调用方提供的所述加密数据中包括根据所述目标检索方式生成的检索索引,所述检索索引用于使所述加密数据支持加密数据检索。如前所述,数据提供方可以对数据共享服务所支持的加密数据检索方式进行灵活地配置,从而使服务调用方可以在服务调用请求中指定目标检索方式,从而使得提供至服务调用方的加密数据中包含根据所述目标检索方式生成的检索索引,使服务调用方能够利用其所需的密文检索技术对获取的加密数据进行加密数据检索。Optionally, the data security policy also includes at least one retrieval method, so that when the data sharing service determines that the target retrieval method indicated in the service call request is included in the at least one retrieval method, the encrypted data provided to the service caller includes a retrieval index generated according to the target retrieval method, and the retrieval index is used to enable the encrypted data to support encrypted data retrieval. As mentioned above, the data provider can flexibly configure the encrypted data retrieval methods supported by the data sharing service, so that the service caller can specify the target retrieval method in the service call request, so that the encrypted data provided to the service caller includes the retrieval index generated according to the target retrieval method, so that the service caller can use the ciphertext retrieval technology it needs to perform encrypted data retrieval on the acquired encrypted data.

可选的,所述数据安全策略还包括服务调用频次,所述服务调用频次用于配置所述数据共享服务的周期性调用次数上限和/或永久性调用次数上限。如前所述,数据提供方可以对数据共享服务的服务调用频次进行灵活地配置,从而限制服务调用方对数据共享服务的调用频次,以适应不同的实际服务调用场景。Optionally, the data security policy also includes a service call frequency, which is used to configure an upper limit on the number of periodic calls and/or permanent calls to the data sharing service. As mentioned above, the data provider can flexibly configure the service call frequency of the data sharing service, thereby limiting the service caller's call frequency of the data sharing service to adapt to different actual service call scenarios.

可选的,还包括:调用区块链存证服务,将所述服务部署请求和/或服务调用请求进行上链存证。本说明书实施例涉及的服务端与至少一个区块链系统相连接,并且服务端部署有与所述至少一个区块链系统对应的区块链存证服务,于是服务端可以通过调用区块链存证服务实现对各类材料进行上链存证。如前所述,本说明书所涉及的服务端可以为BaaS平台,因此服务端可以利用BaaS平台上已经部署的区块链存证服务对所述服务部署请求和/或服务调用请求进行上链存证,当然,对于包括密文检索、密文计算和密文解密的针对加密数据的使用过程,虽然其中部分如密文计算的使用过程仅涉及客户端侧的行为,但同样也能够实现上链存证,具体而言,是通过将服务调用方对应的客户端记录的有关加密数据使用的日志转发给服务端,然后服务端再调用区块链存证服务对相关日志进行上链存证,从而实现对加密数据的使用过程的间接存证。在本说明书实施例中,通过在服务端部署区块链存证服务,从而使得服务端能够对整个数据共享服务的生命周期进行存证,以确保系统中数据和操作的透明性和可追溯性。Optionally, it also includes: calling a blockchain evidence service to store the service deployment request and/or service call request on the chain. The server involved in the embodiment of this specification is connected to at least one blockchain system, and the server is deployed with a blockchain evidence service corresponding to the at least one blockchain system, so the server can store various materials on the chain by calling the blockchain evidence service. As mentioned above, the server involved in this specification can be a BaaS platform, so the server can use the blockchain evidence service deployed on the BaaS platform to store the service deployment request and/or service call request on the chain. Of course, for the use process of encrypted data including ciphertext retrieval, ciphertext calculation and ciphertext decryption, although some of them, such as the use process of ciphertext calculation, only involve the behavior on the client side, it can also be stored on the chain. Specifically, the log of the use of encrypted data recorded by the client corresponding to the service caller is forwarded to the server, and then the server calls the blockchain evidence service to store the relevant logs on the chain, thereby realizing indirect evidence of the use process of encrypted data. In the embodiments of this specification, by deploying a blockchain evidence service on the server side, the server side can store evidence for the entire life cycle of the data sharing service to ensure the transparency and traceability of data and operations in the system.

可选的,对于已经部署在服务端上的数据共享服务,服务端上维护有数据共享服务对应的共享数据集和配置信息,可以由相应的管理员进行共享数据集信息或配置信息的修改,从而使该数据共享服务根据修改后的共享数据集信息和配置信息在服务端上进行重新部署,以实现对已部署的数据共享服务在共享数据层面或功能层面的更新,来适应不断变化的服务调用场景,其中,数据共享服务的管理员可以包括部署该数据共享服务的数据提供方或者服务端的管理员用户,本说明书对此并不做任何限制。Optionally, for a data sharing service that has been deployed on a server, the server maintains a shared data set and configuration information corresponding to the data sharing service. The corresponding administrator may modify the shared data set information or configuration information so that the data sharing service is redeployed on the server according to the modified shared data set information and configuration information, so as to update the deployed data sharing service at the shared data level or the functional level to adapt to the ever-changing service call scenarios. The administrator of the data sharing service may include the data provider who deploys the data sharing service or the administrator user of the server, and this specification does not impose any restrictions on this.

与前述方法的实施例相对应,本说明书还提供了装置、电子设备以及存储介质的实施例。Corresponding to the embodiments of the aforementioned method, this specification also provides embodiments of an apparatus, an electronic device, and a storage medium.

图5是一示例性实施例提供的一种设备的示意结构图。请参考图5,在硬件层面,该设备包括处理器502、内部总线504、网络接口506、内存508以及非易失性存储器510,当然还可能包括其他业务所需要的硬件。本说明书一个或多个实施例可以基于软件方式来实现,比如由处理器502从非易失性存储器510中读取对应的计算机程序到内存508中然后运行。当然,除了软件实现方式之外,本说明书一个或多个实施例并不排除其他实现方式,比如逻辑器件抑或软硬件结合的方式等等,也就是说以下处理流程的执行主体并不限定于各个逻辑单元,也可以是硬件或逻辑器件。FIG5 is a schematic diagram of a device provided by an exemplary embodiment. Please refer to FIG5. At the hardware level, the device includes a processor 502, an internal bus 504, a network interface 506, a memory 508, and a non-volatile memory 510. Of course, it may also include hardware required for other services. One or more embodiments of this specification can be implemented based on software, such as the processor 502 reading the corresponding computer program from the non-volatile memory 510 into the memory 508 and then running it. Of course, in addition to the software implementation, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.

如图6所示,图6是本说明书根据一示例性实施例示出的一种获取区块链数据的装置框图,该装置可以应用于如图4所示的设备中,以实现本说明书的技术方案,该装置应用于服务端,包括:As shown in FIG. 6 , FIG. 6 is a block diagram of a device for obtaining blockchain data according to an exemplary embodiment of this specification. The device can be applied to the device shown in FIG. 4 to implement the technical solution of this specification. The device is applied to the server, including:

请求接收单元601,用于接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;The request receiving unit 601 is used to receive a service deployment request from a data provider, wherein the service deployment request includes shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration strategy;

服务部署单元602,用于基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据。The service deployment unit 602 is used to deploy a callable data sharing service based on the configuration information. The data sharing service is used to provide the service caller with the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy.

可选的,所述预设配置策略包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式;所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据,包括:Optionally, the preset configuration policy includes a data security policy, and the data security policy includes at least one encryption method for encrypting the shared data in the shared data set; the data sharing service is used to provide the service caller with the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy, including:

所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标加密方式包含于所述至少一种加密方式的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据。The data sharing service is used to provide the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method when it is determined that the target encryption method indicated in the service call request initiated by the service caller is included in the at least one encryption method.

可选的,所述至少一种加密方式中包含同态加密方式。Optionally, the at least one encryption method includes a homomorphic encryption method.

可选的,所述服务部署单元602具体用于:Optionally, the service deployment unit 602 is specifically used to:

向所述服务调用方提供按照所述目标加密方式对所述共享数据集中由所述服务调用请求中所指示的目标共享数据进行加密得到的加密数据。The service caller is provided with encrypted data obtained by encrypting the target shared data indicated in the service call request in the shared data set according to the target encryption method.

可选的,所述服务部署单元602具体用于:Optionally, the service deployment unit 602 is specifically used to:

向所述服务调用方提供预先存储在所述服务端的加密数据集中的所述加密数据,所述加密数据集由所述服务端按照所述至少一个加密方式对所述共享数据集中的所有共享数据预先进行加密得到;或者,Providing the service caller with the encrypted data pre-stored in the encrypted data set of the server, where the encrypted data set is obtained by the server pre-encrypting all the shared data in the shared data set according to the at least one encryption method; or

向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据即时进行加密得到的所述加密数据。The encrypted data obtained by instantly encrypting the shared data in the shared data set according to the target encryption method is provided to the service caller.

可选的,所述服务部署单元602具体用于:Optionally, the service deployment unit 602 is specifically used to:

在确定所述服务调用方为部署在可信执行环境中的可信应用的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据以及解密密钥密文,所述解密密钥密文由解密密钥通过所述可信应用的公钥加密得到,所述解密密钥用于对所述加密数据进行解密。When it is determined that the service caller is a trusted application deployed in a trusted execution environment, the service caller is provided with encrypted data and a decryption key ciphertext obtained by encrypting the shared data in the shared data set according to the target encryption method. The decryption key ciphertext is obtained by encrypting the decryption key using the public key of the trusted application, and the decryption key is used to decrypt the encrypted data.

可选的,所述服务部署单元602具体用于:Optionally, the service deployment unit 602 is specifically used to:

对所述服务调用请求中包含的签名进行验签,并在验签结果表明所述服务调用方为已通过远程认证的可信应用的情况下,确定所述服务调用方为部署在可信执行环境中的可信应用。The signature included in the service call request is verified, and if the verification result shows that the service caller is a trusted application that has passed remote authentication, it is determined that the service caller is a trusted application deployed in a trusted execution environment.

可选的,所述数据安全策略还包括至少一种检索方式,以使所述数据共享服务用于在确定所述服务调用请求中所指示的目标检索方式包含于所述至少一种检索方式的情况下,向所述服务调用方提供的所述加密数据中包括根据所述目标检索方式生成的检索索引,所述检索索引用于使所述加密数据支持加密数据检索。Optionally, the data security policy also includes at least one retrieval method, so that when the data sharing service determines that the target retrieval method indicated in the service call request is included in the at least one retrieval method, the encrypted data provided to the service caller includes a retrieval index generated according to the target retrieval method, and the retrieval index is used to enable the encrypted data to support encrypted data retrieval.

可选的,所述数据安全策略还包括服务调用频次,所述服务调用频次用于配置所述数据共享服务的周期性调用次数上限和/或永久性调用次数上限。Optionally, the data security policy also includes a service call frequency, and the service call frequency is used to configure an upper limit on the number of periodic calls and/or an upper limit on the number of permanent calls to the data sharing service.

可选的,所述共享数据集信息包括所述共享数据集或者用于获取所述共享数据集的元数据。Optionally, the shared dataset information includes the shared dataset or metadata used to obtain the shared dataset.

可选的,所述配置信息还包括数据流转策略,所述数据流转策略用于配置所述数据共享服务针对所述配置后共享数据的数据流转模式。Optionally, the configuration information further includes a data flow strategy, and the data flow strategy is used to configure a data flow mode of the data sharing service for the configured shared data.

可选的,所述数据流转模式包括API网关模式或数据库表模式;Optionally, the data flow mode includes an API gateway mode or a database table mode;

在所述数据共享服务的数据流转模式为API网关模式的情况下,所述配置后共享数据通过所述服务端的API网关提供至所述服务调用方的客户端;In the case where the data flow mode of the data sharing service is the API gateway mode, the configured shared data is provided to the client of the service caller through the API gateway of the service end;

在所述数据共享服务的数据流转模式为数据库表模式的情况下,所述配置后共享数据通过数据库同步插件提供至所述服务调用方的数据库。In the case where the data flow mode of the data sharing service is a database table mode, the configured shared data is provided to the database of the service caller through a database synchronization plug-in.

可选的,所述配置信息还包括权限管理策略,所述权限管理策略用于配置所述数据共享服务针对服务调用方的权限管理模型,以使所述数据共享服务用于在确定所述服务调用方具有所述数据共享服务的调用权限的情况下,响应所述服务调用方发出的所述服务调用请求。Optionally, the configuration information also includes a permission management policy, which is used to configure the permission management model of the data sharing service for the service caller, so that the data sharing service responds to the service call request issued by the service caller when it is determined that the service caller has the permission to call the data sharing service.

可选的,所述权限管理模型包括OpenAPI模型或IAM模型;所述确定所述服务调用方具有所述数据共享服务的调用权限,包括:Optionally, the permission management model includes an OpenAPI model or an IAM model; and determining that the service caller has the permission to call the data sharing service includes:

在所述数据共享服务的权限管理模型为OpenAPI模型的情况下,根据所述数据共享服务对应的公钥列表中的公钥对所述服务调用请求中包含的签名进行验签,并在验签成功的情况下,确定所述服务调用方具有所述数据共享服务的调用权限;In the case where the authority management model of the data sharing service is an OpenAPI model, the signature contained in the service call request is verified according to the public key in the public key list corresponding to the data sharing service, and if the signature verification is successful, it is determined that the service caller has the authority to call the data sharing service;

在所述数据共享服务的权限管理模型为IAM模型的情况下,查询处于登录状态的所述服务调用方对应的服务权限列表,并在所述服务权限列表中包含所述数据共享服务的情况下,确定所述服务调用方具有所述数据共享服务的调用权限。When the permission management model of the data sharing service is an IAM model, the service permission list corresponding to the service caller in the logged-in state is queried, and when the data sharing service is included in the service permission list, it is determined that the service caller has the calling permission for the data sharing service.

可选的,所述权限管理策略还用于配置所述数据共享服务针对服务调用方的合法调用方列表。Optionally, the rights management policy is also used to configure a legal caller list of the data sharing service for service callers.

可选的,还包括:Optionally, also include:

区块链服务调用单元603,用于调用区块链存证服务,将所述服务部署请求和/或服务调用请求进行上链存证。The blockchain service calling unit 603 is used to call the blockchain evidence service and store the service deployment request and/or service call request on the chain.

相应的,本说明书还提供一种装置,所述装置包括有处理器;用于存储处理器可执行指令的存储器;其中,所述处理器被配置为实现上述全部方法实施例提供的部署数据共享服务的方法的步骤。Accordingly, the present specification also provides a device, which includes a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the steps of the method for deploying a data sharing service provided by all the above method embodiments.

相应的,本说明书还提供一种计算机可读存储介质,其上存储有可执行的指令;其中,该指令被处理器执行时,实现上述全部方法实施例提供的部署数据共享服务的方法的步骤。Accordingly, the present specification also provides a computer-readable storage medium on which executable instructions are stored; wherein, when the instructions are executed by a processor, the steps of the method for deploying a data sharing service provided in all the above method embodiments are implemented.

对于装置实施例而言,由于其基本对应于方法实施例,所以相关之处参见方法实施例的部分说明即可。以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以不是物理模块,即可以位于一个地方,或者也可以分布到多个网络模块上。可以根据实际的需要选择其中的部分或者全部模块来实现本说明书方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。For the device embodiment, since it basically corresponds to the method embodiment, the relevant parts can refer to the partial description of the method embodiment. The device embodiment described above is only schematic, wherein the modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, they may be located in one place, or they may be distributed on multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this specification. A person of ordinary skill in the art can understand and implement it without paying creative labor.

上述实施例阐明的系统、装置、模块或单元,具体可以由计算机芯片或实体实现,或者由具有某种功能的产品来实现。一种典型的实现设备为计算机,计算机的具体形式可以是个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件收发设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任意几种设备的组合。The systems, devices, modules or units described in the above embodiments may be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which may be in the form of a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email transceiver, a game console, a tablet computer, a wearable device or a combination of any of these devices.

在一个典型的配置中,计算机包括一个或多个处理器(CPU)、输入/输出接口、网络接口和内存。In a typical configuration, a computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.

内存可能包括计算机可读介质中的非永久性存储器,随机存取存储器(RAM)和/或非易失性内存等形式,如只读存储器(ROM)或闪存(flash RAM)。内存是计算机可读介质的示例。The memory may include non-permanent storage in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in the form of read-only memory (ROM) or flash RAM. The memory is an example of a computer-readable medium.

计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带、磁盘存储、量子存储器、基于石墨烯的存储介质或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media include permanent and non-permanent, removable and non-removable media that can be used to store information by any method or technology. Information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media does not include temporary computer-readable media (transitory media), such as modulated data signals and carrier waves.

还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, commodity or device. In the absence of more restrictions, the elements defined by the sentence "comprises a ..." do not exclude the existence of other identical elements in the process, method, commodity or device including the elements.

上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。The above is a description of a specific embodiment of the specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or continuous order shown to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

在本说明书一个或多个实施例使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本说明书一个或多个实施例。在本说明书一个或多个实施例和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terms used in one or more embodiments of this specification are only for the purpose of describing specific embodiments, and are not intended to limit one or more embodiments of this specification. The singular forms of "a", "said" and "the" used in one or more embodiments of this specification and the appended claims are also intended to include plural forms, unless the context clearly indicates other meanings. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more associated listed items.

应当理解,尽管在本说明书一个或多个实施例可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本说明书一个或多个实施例范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that although the terms first, second, third, etc. may be used to describe various information in one or more embodiments of this specification, these information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other. For example, without departing from the scope of one or more embodiments of this specification, the first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of" or "when" or "in response to determining".

以上所述仅为本说明书一个或多个实施例的较佳实施例而已,并不用以限制本说明书一个或多个实施例,凡在本说明书一个或多个实施例的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本说明书一个或多个实施例保护的范围之内。The above description is merely a preferred embodiment of one or more embodiments of the present specification and is not intended to limit one or more embodiments of the present specification. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of one or more embodiments of the present specification shall be included in the scope of protection of one or more embodiments of the present specification.

Claims (18)

1.一种部署数据共享服务的方法,应用于服务端,包括:1. A method for deploying a data sharing service, applied to a server, comprising: 接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;所述预设配置策略包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式;Receive a service deployment request from a data provider, the service deployment request including shared data set information and configuration information, the shared data set information is used to describe the shared data set, the configuration information is used to configure the shared data in the shared data set through at least one preset configuration policy; the preset configuration policy includes a data security policy, and the data security policy includes at least one encryption method for encrypting the shared data in the shared data set; 基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据,包括:所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标加密方式包含于所述至少一种加密方式的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据。A callable data sharing service is deployed based on the configuration information. The data sharing service is used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy, including: the data sharing service is used to provide the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method when it is determined that the target encryption method indicated in the service call request initiated by the service caller is included in the at least one encryption method. 2.根据权利要求1所述的方法,所述至少一种加密方式中包含同态加密方式。2. According to the method of claim 1, the at least one encryption method includes a homomorphic encryption method. 3.根据权利要求1所述的方法,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:3. According to the method of claim 1, the providing to the service caller encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method comprises: 向所述服务调用方提供按照所述目标加密方式对所述共享数据集中由所述服务调用请求中所指示的目标共享数据进行加密得到的加密数据。The service caller is provided with encrypted data obtained by encrypting the target shared data indicated in the service call request in the shared data set according to the target encryption method. 4.根据权利要求1所述的方法,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:4. The method according to claim 1, wherein providing the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method comprises: 向所述服务调用方提供预先存储在所述服务端的加密数据集中的所述加密数据,所述加密数据集由所述服务端按照所述至少一个加密方式对所述共享数据集中的所有共享数据预先进行加密得到;或者,Providing the service caller with the encrypted data pre-stored in the encrypted data set of the server, where the encrypted data set is obtained by the server pre-encrypting all the shared data in the shared data set according to the at least one encryption method; or 向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据即时进行加密得到的所述加密数据。The encrypted data obtained by instantly encrypting the shared data in the shared data set according to the target encryption method is provided to the service caller. 5.根据权利要求1所述的方法,所述向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据,包括:5. The method according to claim 1, wherein providing the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method comprises: 在确定所述服务调用方为部署在可信执行环境中的可信应用的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据以及解密密钥密文,所述解密密钥密文由解密密钥通过所述可信应用对应的公钥加密得到,所述解密密钥用于对所述加密数据进行解密。When it is determined that the service caller is a trusted application deployed in a trusted execution environment, the service caller is provided with encrypted data and a decryption key ciphertext obtained by encrypting the shared data in the shared data set according to the target encryption method. The decryption key ciphertext is obtained by encrypting the decryption key using the public key corresponding to the trusted application, and the decryption key is used to decrypt the encrypted data. 6.根据权利要求5所述的方法,所述确定所述服务调用方为部署在可信执行环境中的可信应用,包括:6. The method according to claim 5, wherein determining that the service caller is a trusted application deployed in a trusted execution environment comprises: 对所述服务调用请求中包含的签名进行验签,并在验签结果表明所述服务调用方为已通过远程认证的可信应用的情况下,确定所述服务调用方为部署在可信执行环境中的可信应用。The signature included in the service call request is verified, and if the verification result shows that the service caller is a trusted application that has passed remote authentication, it is determined that the service caller is a trusted application deployed in a trusted execution environment. 7.根据权利要求1所述的方法,所述数据安全策略还包括至少一种检索方式,以使所述数据共享服务用于在确定所述服务调用请求中所指示的目标检索方式包含于所述至少一种检索方式的情况下,向所述服务调用方提供的所述加密数据中包括根据所述目标检索方式生成的检索索引,所述检索索引用于使所述加密数据支持加密数据检索。7. According to the method described in claim 1, the data security policy also includes at least one retrieval method, so that when the data sharing service determines that the target retrieval method indicated in the service call request is included in the at least one retrieval method, the encrypted data provided to the service caller includes a retrieval index generated according to the target retrieval method, and the retrieval index is used to enable the encrypted data to support encrypted data retrieval. 8.根据权利要求1所述的方法,所述数据安全策略还包括服务调用频次,所述服务调用频次用于配置所述数据共享服务的周期性调用次数上限和/或永久性调用次数上限。8. According to the method of claim 1, the data security policy also includes a service call frequency, and the service call frequency is used to configure an upper limit of periodic calls and/or an upper limit of permanent calls to the data sharing service. 9.根据权利要求1所述的方法,所述共享数据集信息包括所述共享数据集或者用于获取所述共享数据集的元数据。9 . The method according to claim 1 , wherein the shared dataset information includes the shared dataset or metadata used to obtain the shared dataset. 10.根据权利要求1所述的方法,所述配置信息还包括数据流转策略,所述数据流转策略用于配置所述数据共享服务针对所述配置后共享数据的数据流转模式。10. The method according to claim 1, wherein the configuration information further comprises a data flow strategy, and the data flow strategy is used to configure a data flow mode of the data sharing service for the configured shared data. 11.根据权利要求10所述的方法,所述数据流转模式包括API网关模式或数据库表模式;11. According to the method of claim 10, the data flow mode includes an API gateway mode or a database table mode; 在所述数据共享服务的数据流转模式为API网关模式的情况下,所述配置后共享数据通过所述服务端的API网关提供至所述服务调用方的客户端;In the case where the data flow mode of the data sharing service is the API gateway mode, the configured shared data is provided to the client of the service caller through the API gateway of the service end; 在所述数据共享服务的数据流转模式为数据库表模式的情况下,所述配置后共享数据通过数据库同步插件提供至所述服务调用方的数据库。In the case where the data flow mode of the data sharing service is a database table mode, the configured shared data is provided to the database of the service caller through a database synchronization plug-in. 12.根据权利要求1所述的方法,所述配置信息还包括权限管理策略,所述权限管理策略用于配置所述数据共享服务针对服务调用方的权限管理模型,以使所述数据共享服务用于在确定所述服务调用方具有所述数据共享服务的调用权限的情况下,响应所述服务调用方发出的所述服务调用请求。12. According to the method described in claim 1, the configuration information also includes a permission management policy, and the permission management policy is used to configure the permission management model of the data sharing service for the service caller, so that the data sharing service is used to respond to the service call request issued by the service caller when it is determined that the service caller has the calling permission of the data sharing service. 13.根据权利要求12所述的方法,所述权限管理模型包括OpenAPI模型或IAM模型;所述确定所述服务调用方具有所述数据共享服务的调用权限,包括:13. The method according to claim 12, wherein the permission management model comprises an OpenAPI model or an IAM model; and the determining that the service caller has the permission to call the data sharing service comprises: 在所述数据共享服务的权限管理模型为OpenAPI模型的情况下,根据所述数据共享服务对应的公钥列表中的公钥对所述服务调用请求中包含的签名进行验签,并在验签成功的情况下,确定所述服务调用方具有所述数据共享服务的调用权限;In the case where the authority management model of the data sharing service is an OpenAPI model, the signature contained in the service call request is verified according to the public key in the public key list corresponding to the data sharing service, and if the signature verification is successful, it is determined that the service caller has the authority to call the data sharing service; 在所述数据共享服务的权限管理模型为IAM模型的情况下,查询处于登录状态的所述服务调用方对应的服务权限列表,并在所述服务权限列表中包含所述数据共享服务的情况下,确定所述服务调用方具有所述数据共享服务的调用权限。When the permission management model of the data sharing service is an IAM model, the service permission list corresponding to the service caller in the logged-in state is queried, and when the data sharing service is included in the service permission list, it is determined that the service caller has the calling permission for the data sharing service. 14.根据权利要求12所述的方法,所述权限管理策略还用于配置所述数据共享服务针对服务调用方的合法调用方列表。14. According to the method of claim 12, the permission management policy is also used to configure the legal caller list of the data sharing service for the service caller. 15.根据权利要求1所述的方法,还包括:15. The method according to claim 1, further comprising: 调用区块链存证服务,将所述服务部署请求和/或服务调用请求进行上链存证。Call the blockchain evidence service to store the service deployment request and/or service call request on the chain. 16.一种部署数据共享服务的装置,应用于服务端,包括:16. A device for deploying a data sharing service, applied to a server, comprising: 请求接收单元,用于接收数据提供方的服务部署请求,所述服务部署请求中包括共享数据集信息和配置信息,所述共享数据集信息用于描述共享数据集,所述配置信息用于通过至少一种预设配置策略对所述共享数据集中的共享数据进行配置;所述预设配置策略包括数据安全策略,所述数据安全策略包括用于对所述共享数据集中的共享数据进行加密的至少一种加密方式;a request receiving unit, configured to receive a service deployment request from a data provider, wherein the service deployment request includes shared data set information and configuration information, wherein the shared data set information is used to describe the shared data set, and the configuration information is used to configure the shared data in the shared data set through at least one preset configuration policy; the preset configuration policy includes a data security policy, and the data security policy includes at least one encryption method for encrypting the shared data in the shared data set; 服务部署单元,用于基于所述配置信息部署可供调用的数据共享服务,所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标配置方式包含于所述至少一种预设配置策略的情况下,向所述服务调用方提供按照所述目标配置方式对所述共享数据集中的共享数据进行配置得到的配置后共享数据,包括:所述数据共享服务用于在确定服务调用方发起的服务调用请求中所指示的目标加密方式包含于所述至少一种加密方式的情况下,向所述服务调用方提供按照所述目标加密方式对所述共享数据集中的共享数据进行加密得到的加密数据。A service deployment unit, used to deploy a callable data sharing service based on the configuration information, the data sharing service being used to provide the service caller with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration method when it is determined that the target configuration method indicated in the service call request initiated by the service caller is included in the at least one preset configuration policy, including: the data sharing service being used to provide the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption method when it is determined that the target encryption method indicated in the service call request initiated by the service caller is included in the at least one encryption method. 17.一种电子设备,其特征在于,包括:17. An electronic device, comprising: 处理器;processor; 用于存储处理器可执行指令的存储器;a memory for storing processor-executable instructions; 其中,所述处理器通过运行所述可执行指令以实现如权利要求1-15中任一项所述的方法。The processor implements the method according to any one of claims 1 to 15 by running the executable instructions. 18.一种计算机可读存储介质,其上存储有计算机指令,其特征在于,该指令被处理器执行时实现如权利要求1-15中任一项所述方法的步骤。18. A computer-readable storage medium having computer instructions stored thereon, wherein when the instructions are executed by a processor, the steps of the method according to any one of claims 1 to 15 are implemented.
CN202111022347.2A 2021-09-01 2021-09-01 Method and device for deploying data sharing service Active CN113849558B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111022347.2A CN113849558B (en) 2021-09-01 2021-09-01 Method and device for deploying data sharing service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111022347.2A CN113849558B (en) 2021-09-01 2021-09-01 Method and device for deploying data sharing service

Publications (2)

Publication Number Publication Date
CN113849558A CN113849558A (en) 2021-12-28
CN113849558B true CN113849558B (en) 2024-10-29

Family

ID=78976748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111022347.2A Active CN113849558B (en) 2021-09-01 2021-09-01 Method and device for deploying data sharing service

Country Status (1)

Country Link
CN (1) CN113849558B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115379447A (en) * 2022-08-16 2022-11-22 无锡融卡科技有限公司 Identity authentication method and mobile terminal
CN115757589A (en) * 2022-12-02 2023-03-07 用友网络科技股份有限公司 Database data exchange and sharing method, device and readable storage medium
CN118395507B (en) * 2024-07-01 2024-09-24 东方电子股份有限公司 Data security sharing method and data security sharing system thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106992990A (en) * 2017-05-19 2017-07-28 北京牛链科技有限公司 Data sharing method and system and block catenary system and computing device
CN107241360A (en) * 2017-08-04 2017-10-10 北京明朝万达科技股份有限公司 A kind of data safety shares exchange method and data safety shares switching plane system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100146582A1 (en) * 2008-12-04 2010-06-10 Dell Products L.P. Encryption management in an information handling system
US9614730B2 (en) * 2013-10-31 2017-04-04 Sap Se Performing customized deployment scenarios in shared environments
CN109255246A (en) * 2018-08-14 2019-01-22 平安普惠企业管理有限公司 Interface parameters encryption method, device, computer equipment and storage medium
CN112347496A (en) * 2020-11-16 2021-02-09 中电科大数据研究院有限公司 A fine-grained data security access control method and system
CN112199220B (en) * 2020-12-01 2021-03-02 蚂蚁智信(杭州)信息技术有限公司 API gateway-based data calling method and API gateway
CN112637163B (en) * 2020-12-14 2023-06-27 北京中电普华信息技术有限公司 Authentication and authorization method and system based on API gateway

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106992990A (en) * 2017-05-19 2017-07-28 北京牛链科技有限公司 Data sharing method and system and block catenary system and computing device
CN107241360A (en) * 2017-08-04 2017-10-10 北京明朝万达科技股份有限公司 A kind of data safety shares exchange method and data safety shares switching plane system

Also Published As

Publication number Publication date
CN113849558A (en) 2021-12-28

Similar Documents

Publication Publication Date Title
US10454942B2 (en) Managed clone applications
US10931650B1 (en) Apparatus and method for building, extending and managing interactions between digital identities and digital identity applications
US9858428B2 (en) Controlling mobile device access to secure data
WO2022237123A1 (en) Method and apparatus for acquiring blockchain data, electronic device, and storage medium
US9049186B1 (en) Trusted security zone re-provisioning and re-use capability for refurbished mobile devices
CN111373400A (en) System and method for implementing a resolver service for decentralized identity
US11477187B2 (en) API key access authorization
TW201917615A (en) Method and device for implementing application and use of digital certificate capable of saving resources of devices and reducing operation of the client
CN113849558B (en) Method and device for deploying data sharing service
US11036688B2 (en) Sharing of data with applications
CN111133428B (en) System and method for registering subscribable state in blockchain
US11750570B1 (en) Decentralized messaging inbox
WO2016140692A1 (en) Enabling file attachments in calendar events
US11768692B2 (en) Systems and methods for automated application launching
US20180152434A1 (en) Virtual content repository
US10846419B2 (en) Service for users to voluntarily self-identify in over the top (OTT) messaging
US20230409357A1 (en) Asymmetric workspace application notification and interaction
WO2025248319A1 (en) Data processing method and cluster, computing device, computer readable storage medium, and computer program product
US11095448B2 (en) HASSH profiling mechanism
US12323802B2 (en) Systems and methods for providing a secure notification service for mobile applications
Bock Measuring adoption of phishing-resistant authentication methods on the web
TW202347354A (en) Application sharing method, file sharing method and device based on blockchain
Munir Authentication Model for Mobile Cloud Computing Database Service
HK40030250B (en) System and method for registering subscribable sub-states in blockchain
Goel A CleanRoom approach to bring your own apps

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240923

Address after: Room 803, floor 8, No. 618 Wai Road, Huangpu District, Shanghai 200010

Applicant after: Ant blockchain Technology (Shanghai) Co.,Ltd.

Country or region after: China

Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province

Applicant before: Alipay (Hangzhou) Information Technology Co.,Ltd.

Country or region before: China

Applicant before: Ant blockchain Technology (Shanghai) Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant