CN115622719B - A method, device and system for processing data of Internet of Things - Google Patents
- Publication number: CN115622719B (application CN202110789228.3A)
- Authority: CN (China)
- Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Classifications (CPC)
- H04L63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates
- H04L67/12: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Description
Technical Field
The present invention relates to the field of data processing technology, and in particular to an Internet of Things (IoT) data processing method, device and system.
Background
With the development of IoT technology, IoT data of all kinds has surged, data volumes keep growing, and the requirements on data storage, data sharing and data security keep rising. Blockchain technology, the InterPlanetary File System (IPFS), electronic signature technology and the Hyperledger Fabric database are currently the common means of providing data storage, data sharing and data security.
Regarding blockchain: blockchain is a new application model for computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. In the narrow sense, blockchain is a chain data structure that links data blocks sequentially in chronological order, forming a distributed ledger whose tamper-resistance and unforgeability are guaranteed cryptographically. In the broad sense, blockchain technology is a new distributed infrastructure and computing paradigm that uses the block-chain data structure to verify and store data, distributed node consensus algorithms to generate and update data, cryptography to secure data transmission and access, and smart contracts made of automated script code to program and operate on data. From a data perspective, blockchain links data blocks sequentially in chronological order into a chain data structure whose tamper-resistance and unforgeability are guaranteed cryptographically. From a technical perspective, blockchain technology integrates a number of different technologies: by building a blockchain network, every node in the network is allowed to obtain a complete copy of the data blocks, and updates to the blockchain's data blocks are maintained through the consensus mechanism and competitive computation. In this way, the peer-to-peer network formed by multi-node communication decentralizes data storage and management and removes the need for trust.
Regarding IPFS: IPFS is a network transmission protocol designed to create persistent, distributed storage and sharing of files; it is a content-addressable, peer-to-peer hypermedia distribution protocol. The nodes of an IPFS network form a distributed file system. IPFS is a peer-to-peer distributed file system that attempts to connect all computing devices to the same file system. In some respects IPFS resembles the World Wide Web, but it can also be viewed as a single BitTorrent swarm exchanging objects within one Git repository. IPFS provides a high-throughput, content-addressed block storage model with content-addressed hyperlinks, which together form a generalized Merkle directed acyclic graph (DAG). IPFS combines a distributed hash table, incentivized block exchange and a self-certifying namespace. IPFS has no single point of failure, and nodes need not trust one another. Distributed content delivery saves bandwidth and guards against the DDoS attacks that HTTP-based schemes may suffer.
Regarding electronic signatures: implementing electronic signature technology requires asymmetric encryption (such as the RSA algorithm) and message digests (such as a HASH algorithm). Asymmetric encryption means that a user holds two keys, a public key and a private key; the public key is public and may be used by anyone, the private key is secret and may be used only by the user, and the two keys correspond to each other. A user can encrypt information with the other party's public key and send it to that party, who decrypts the ciphertext with their own private key. The public and private keys decrypt each other's output, and no third party can insert itself into this exchange. A message digest applies the HASH algorithm to any information to be transmitted to produce a 128-bit digest; information with different content is certain to produce different digests, so the digest serves as the "fingerprint" of the electronic information.
Regarding asymmetric encryption algorithms: an asymmetric encryption algorithm requires two keys, a public key and a private key. The public key and private key form a pair: data encrypted with the public key can be decrypted only with the corresponding private key. Because encryption and decryption use two different keys, the algorithm is called asymmetric. The basic process by which an asymmetric algorithm exchanges confidential information is as follows: Party A generates a key pair and publishes the public key; any other party (Party B) that needs to send information to Party A encrypts the confidential information with that key (Party A's public key) and sends it to Party A; Party A then decrypts the encrypted information with its own private key. When Party A wants to reply to Party B the roles are reversed: Party A encrypts the data with Party B's public key, and Party B decrypts it with its own private key. The characteristics of asymmetric cryptosystems are that the algorithms are complex and security depends on both the algorithm and the key; because of that complexity, encryption and decryption are slower than with symmetric encryption. A symmetric cryptosystem has only one key, which is not public, and the other party must be told the key in order to decrypt, so guaranteeing its security means guaranteeing the security of the key. An asymmetric cryptosystem has two keys, one of which is public, so the other party's key need not be transmitted as in symmetric cryptography, which makes it considerably more secure.
Regarding the Hyperledger Fabric database: Fabric has two databases, the ledger and the state database. The ledger is the actual "blockchain", a file-based ledger that stores serialized blocks. Each block contains one or more transactions, and each transaction contains a read-write set that modifies one or more key/value pairs. The ledger is the authoritative source of truth and is immutable. The state database holds the last known committed value of each key; it is populated as each peer validates and commits transactions. The state database can always be rebuilt by reprocessing the ledger, and two state database options are currently available: embedded LevelDB or external CouchDB.
In existing data processing methods, however, IPFS typically stores the IoT data files in plaintext, while the blockchain records the encrypted hash of each data file. Because the system as a whole does not encrypt the IoT data itself before storing it, data security is poor.
Summary of the Invention
The purpose of the present invention is to provide an IoT data processing method, device and system that solve the problem of poor IoT data security in the prior art.
To achieve the above object, an embodiment of the present invention provides an IoT data processing method, applied at a server, comprising:
receiving, from a first business end, an access request for access to IoT data of a second business end, the access request carrying a temporary certificate of the second business end, the temporary certificate being digitally signed with the identity private key of the first business end;
decrypting the temporary certificate with a decryption private key and verifying the digital signature of the first business end through the blockchain system, so as to verify the legitimacy of the first business end;
after the first business end has been verified as legitimate, obtaining the target IoT data corresponding to the temporary certificate through the blockchain system and the InterPlanetary File System (IPFS);
sending the obtained target IoT data to the first business end.
Optionally, the temporary certificate includes at least one of the following: a data type, a time period, a decryption private key, the identity ID of the second business end, the identity ID of the first business end, and the signature of the second business end.
Optionally, obtaining the target IoT data corresponding to the temporary certificate through the blockchain system and the IPFS includes:
reading from the blockchain system the file hash corresponding to the data type described in the temporary certificate;
reading from the IPFS the IoT data ciphertext corresponding to the file hash;
decrypting the IoT data ciphertext with the decryption private key in the temporary certificate to obtain the target IoT data in plaintext.
Optionally, before receiving from the first business end the access request for access to the IoT data of the second business end, the method further includes:
establishing a data sharing agreement between the first business end and the second business end, and issuing the temporary certificate of the second business end to the first business end.
Optionally, before receiving from the first business end the access request for access to the IoT data of the second business end, the method further includes:
obtaining the server's encryption/decryption key pair, which includes a decryption private key and an encryption public key;
storing the decryption private key locally and sending the encryption public key to the first business end and the second business end.
Optionally, before receiving from the first business end the access request for access to the IoT data of the second business end, the method further includes:
receiving IoT data from an IoT device corresponding to the second business end, the IoT data being digitally signed with the identity private key of the second business end;
verifying the digital signature of the second business end through the blockchain system, so as to verify the legitimacy of the second business end;
after the second business end has been verified as legitimate, caching the IoT data in the corresponding data sequence according to the type of the IoT data.
Optionally, after caching the IoT data in the corresponding data sequence according to its type, the method further includes:
after a predetermined interval has elapsed or a predetermined cache capacity has been reached, reading from the blockchain system the encryption public key of the second business end for that type of IoT data;
encrypting the IoT data with the encryption public key read, and storing it in the IPFS to obtain the corresponding file hash;
storing the file hash in the blockchain system.
Optionally, the decryption private key for the type of IoT data that corresponds to the encryption public key for that type is stored at the second business end.
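The server-side method above (requester verification against the identity key registered on the chain, temporary certificate checks, file hash lookup, IPFS fetch and decryption with the key the certificate carries) together with the ingestion step that encrypts data per type and records its IPFS hash on chain, as an added Go example that is not the patent's own code. The blockchain and IPFS are in-memory stand-ins, the IDs, key algorithms and sample reading are constructed, the outer encryption of the certificate to the server's public key is left out, and the integrity check of the fetched object against its hash is an addition the patent does not spell out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Chain stands in for the blockchain (in-memory, constructed): identity verification public keys
// keyed by business-end ID, plus the IPFS file hash recorded for each "ownerID/dataType".
type Chain struct{ IdentityKeys map[string]*ecdsa.PublicKey; FileHashes map[string]string }
// IPFS stands in for the content-addressed store; an object's address is the SHA-256 hex of its bytes.
type IPFS map[string][]byte
func cid(b []byte) string          { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
func (s IPFS) Add(b []byte) string { h := cid(b); s[h] = b; return h }

// Cat re-hashes the object, so a tampered or substituted store is rejected before anything is decrypted.
func (s IPFS) Cat(h string) ([]byte, error) {
	if b, ok := s[h]; ok && cid(b) == h { return b, nil }
	return nil, errors.New("ipfs: object missing or does not match its hash")
}

// TempCert holds the fields the patent lists: data type, time period, decryption private key,
// owner (second business end) ID, requester (first business end) ID and the owner's signature.
type TempCert struct {
	DataType, OwnerID, RequesterID string
	NotBefore, NotAfter            int64  // Unix seconds
	DecKeyDER                      []byte // owner's per-type decryption private key, PKCS#1 DER
	OwnerSig                       []byte
}
// tbs is what the owner signs: the certificate with its signature field cleared.
func (c TempCert) tbs() []byte { c.OwnerSig = nil; b, _ := json.Marshal(c); return b }

func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, d[:])
	return sig
}
// verify fails closed on a nil key (identity not registered on chain) instead of panicking.
func verify(k *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return k != nil && ecdsa.VerifyASN1(k, d[:], sig)
}
// AccessRequest carries the certificate and the requester's identity signature over it.
type AccessRequest struct{ RequesterID string; Cert, Sig []byte }
type Server struct{ Chain *Chain; Store IPFS; Now func() time.Time }

// HandleAccess: verify the requester against the chain-registered key, check the certificate, read the
// file hash from the chain, fetch the ciphertext from IPFS, decrypt with the key the certificate carries.
func (s *Server) HandleAccess(req AccessRequest) ([]byte, error) {
	if !verify(s.Chain.IdentityKeys[req.RequesterID], req.Cert, req.Sig) {
		return nil, errors.New("requester signature invalid or identity not registered")
	}
	var c TempCert
	if err := json.Unmarshal(req.Cert, &c); err != nil { return nil, err }
	if c.RequesterID != req.RequesterID || !verify(s.Chain.IdentityKeys[c.OwnerID], c.tbs(), c.OwnerSig) {
		return nil, errors.New("certificate not issued to this requester by a registered owner")
	}
	if now := s.Now().Unix(); now < c.NotBefore || now > c.NotAfter {
		return nil, errors.New("certificate outside its time period")
	}
	// A missing chain entry yields an empty hash, which Cat rejects.
	ct, err := s.Store.Cat(s.Chain.FileHashes[c.OwnerID+"/"+c.DataType])
	if err != nil { return nil, err }
	priv, err := x509.ParsePKCS1PrivateKey(c.DecKeyDER)
	if err != nil { return nil, err }
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(c.DataType))
}
// Setup wires up one owner ("owner-B"), one requester ("req-A") and one stored reading, all constructed,
// and returns the server, a valid access request and the plaintext that request should yield.
func Setup() (*Server, AccessRequest, []byte) {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	requester, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	typeKey, _ := rsa.GenerateKey(rand.Reader, 2048) // owner's key pair for the "temperature" data type
	chain := &Chain{map[string]*ecdsa.PublicKey{"owner-B": &owner.PublicKey, "req-A": &requester.PublicKey}, map[string]string{}}
	store := IPFS{}
	// Ingest: encrypt a short reading to the per-type public key, store it in IPFS, record the hash on chain.
	// Direct RSA-OAEP fits only because the record is small; a batch would wrap a symmetric key instead.
	plain := []byte(`{"sensor":"temp-01","celsius":21.5}`)
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &typeKey.PublicKey, plain, []byte("temperature"))
	chain.FileHashes["owner-B/temperature"] = store.Add(ct)
	// Owner issues a one-hour temporary certificate to the requester; the requester signs it for the request.
	now := time.Now()
	cert := TempCert{DataType: "temperature", OwnerID: "owner-B", RequesterID: "req-A",
		NotBefore: now.Add(-time.Minute).Unix(), NotAfter: now.Add(time.Hour).Unix(),
		DecKeyDER: x509.MarshalPKCS1PrivateKey(typeKey)}
	cert.OwnerSig = sign(owner, cert.tbs())
	certJSON, _ := json.Marshal(cert)
	return &Server{chain, store, time.Now}, AccessRequest{"req-A", certJSON, sign(requester, certJSON)}, plain
}
func main() { srv, req, _ := Setup(); out, err := srv.HandleAccess(req); fmt.Println(string(out), err) }
```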
To achieve the above object, an embodiment of the present invention provides an IoT data processing method, applied at a first business end, comprising:
sending to a server an access request for access to IoT data of a second business end, the access request carrying a temporary certificate of the second business end, the temporary certificate being digitally signed with the identity private key of the first business end;
receiving from the server the target IoT data corresponding to the temporary certificate, the target IoT data having been obtained by the server through the blockchain system and the InterPlanetary File System (IPFS) after verifying that the first business end is legitimate.
Optionally, the temporary certificate includes at least one of the following: a data type, a time period, a decryption private key, the identity ID of the second business end, the identity ID of the first business end, and the signature of the second business end.
Optionally, before sending to the server the access request for access to the IoT data of the second business end, the method further includes:
establishing a data sharing agreement with the second business end;
receiving the temporary certificate of the second business end.
Optionally, before sending to the server the access request for access to the IoT data of the second business end, the method further includes:
receiving the server's encryption public key, the decryption private key corresponding to which is stored at the server.
Optionally, before sending to the server the access request for access to the IoT data of the second business end, the method further includes:
obtaining the identity key pair of the first business end, the identity key pair including an identity verification public key and an identity signing private key;
storing the identity signing private key locally and sending the identity signing private key to the server;
sending the identity verification public key to the blockchain system.
To achieve the above object, an embodiment of the present invention provides an IoT data processing device, applied at a server, comprising:
a first receiving module, configured to receive from a first business end an access request for access to IoT data of a second business end, the access request carrying a temporary certificate of the second business end, the temporary certificate being digitally signed with the identity private key of the first business end;
a first verification module, configured to decrypt the temporary certificate with a decryption private key and verify the digital signature of the first business end through the blockchain system, so as to verify the legitimacy of the first business end;
a first acquisition module, configured to obtain, after the first business end has been verified as legitimate, the target IoT data corresponding to the temporary certificate through the blockchain system and the InterPlanetary File System (IPFS);
a first sending module, configured to send the obtained target IoT data to the first business end.
Optionally, the temporary certificate includes at least one of the following: a data type, a time period, a decryption private key, the identity ID of the second business end, the identity ID of the first business end, and the signature of the second business end.
Optionally, the first acquisition module includes:
a first reading unit, configured to read from the blockchain system the file hash corresponding to the data type described in the temporary certificate;
a second reading unit, configured to read from the IPFS the IoT data ciphertext corresponding to the file hash;
a first decryption unit, configured to decrypt the IoT data ciphertext with the decryption private key in the temporary certificate to obtain the target IoT data in plaintext.
Optionally, the IoT data processing device further includes:
a first establishing module, configured to establish a data sharing agreement between the first business end and the second business end;
a second sending module, configured to issue the temporary certificate of the second business end to the first business end.
Optionally, the IoT data processing device further includes:
a second acquisition module, configured to obtain the server's encryption/decryption key pair, which includes a decryption private key and an encryption public key;
a first storage module, configured to store the decryption private key locally;
a third sending module, configured to send the encryption public key to the first business end and the second business end.
Optionally, the IoT data processing device further includes:
a second receiving module, configured to receive IoT data from an IoT device corresponding to the second business end, the IoT data being digitally signed with the identity private key of the second business end;
a second verification module, configured to verify the digital signature of the second business end through the blockchain system, so as to verify the legitimacy of the second business end;
a caching module, configured to cache the IoT data in the corresponding data sequence according to the type of the IoT data after the second business end has been verified as legitimate.
Optionally, the IoT data processing device further includes:
a first reading module, configured to read from the blockchain system, after a predetermined interval has elapsed or a predetermined cache capacity has been reached, the encryption public key of the second business end for that type of IoT data;
an encryption module, configured to encrypt the IoT data with the encryption public key read;
a second storage module, configured to store the encrypted IoT data in the IPFS to obtain the corresponding file hash;
a third storage module, configured to store the file hash in the blockchain system.
Optionally, the decryption private key for the type of IoT data that corresponds to the encryption public key for that type is stored at the second business end.
To achieve the above object, an embodiment of the present invention provides an IoT data processing device, applied at a first business end, comprising:
a fourth sending module, configured to send to a server an access request for access to IoT data of a second business end, the access request carrying a temporary certificate of the second business end, the temporary certificate being digitally signed with the identity private key of the first business end;
a third receiving module, configured to receive from the server the target IoT data corresponding to the temporary certificate, the target IoT data having been obtained by the server through the blockchain system and the IPFS after verifying that the first business end is legitimate.
Optionally, the temporary certificate includes at least one of the following: a data type, a time period, a decryption private key, the identity ID of the second business end, the identity ID of the first business end, and the signature of the second business end.
Optionally, the IoT data processing device further includes:
a second establishing module, configured to establish a data sharing agreement with the second business end;
a fourth receiving module, configured to receive the temporary certificate of the second business end.
Optionally, the IoT data processing device further includes:
a fifth receiving module, configured to receive the server's encryption public key, the decryption private key corresponding to which is stored at the server.
Optionally, the IoT data processing device further includes:
a third acquisition module, configured to obtain the identity key pair of the first business end, the identity key pair including an identity verification public key and an identity signing private key;
a fourth storage module, configured to store the identity signing private key locally;
a fifth sending module, configured to send the identity signing private key to the server;
a sixth sending module, configured to send the identity verification public key to the blockchain system.
To achieve the above object, an embodiment of the present invention provides an Internet of Things (IoT) data processing system, including a server, a first service end, a second service end, a blockchain system, an InterPlanetary File System (IPFS) system and an IoT device, where:
the first service end sends to the server an access request for requesting access to the IoT data of the second service end;
the server receives the access request, the access request carrying a temporary certificate of the second service end, the temporary certificate being digitally signed with the identity private key of the first service end;
the server decrypts the temporary certificate with the decryption private key and verifies the digital signature of the first service end through the blockchain system, so as to verify the legitimacy of the first service end;
after verifying that the first service end is legitimate, the server obtains the target IoT data corresponding to the temporary certificate through the blockchain system and the IPFS system;
the server sends the obtained target IoT data to the first service end;
the first service end receives the target IoT data corresponding to the temporary certificate.
To achieve the above object, an embodiment of the present invention provides a readable storage medium storing a program or instructions which, when executed by a processor, implement the steps of the IoT data processing method of the server or of the first service end described above.
The beneficial effects of the above technical solutions of the present invention are as follows:
The embodiments of the present invention provide data sharing authorization in the form of a temporary certificate, ensuring that IoT data can be obtained only when a compliant holder submits the temporary certificate to the server; the data accessor cannot obtain sensitive and private information such as the decryption private key, which improves privacy security.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flow chart of the IoT data processing method on the server side according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of the data sharing process according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of the authorization process according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of the data storage process according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the data structure of enterprise identity information according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the data structure of IoT device identity information according to an embodiment of the present invention;
FIG. 7 is a schematic flow chart of the IoT data processing method on the first service end side according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of the IoT data processing apparatus on the server side according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of the IoT data processing apparatus on the first service end side according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the system architecture of the IoT data processing system according to an embodiment of the present invention.
DETAILED DESCRIPTION
To make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
It should be understood that references to "one embodiment" or "an embodiment" throughout the specification mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Therefore, the phrases "in one embodiment" or "in an embodiment" appearing throughout the specification do not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In the various embodiments of the present invention, it should be understood that the magnitude of the sequence numbers of the following processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
In addition, the terms "system" and "network" are often used interchangeably herein.
In the embodiments provided in the present application, it should be understood that "B corresponding to A" means that B is associated with A and that B can be determined from A. It should also be understood, however, that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
As shown in FIG. 1, an IoT data processing method according to an embodiment of the present invention is applied to a server and includes, but is not limited to, the following steps:
Step 11: receive, from a first service end, an access request for requesting access to IoT data of a second service end, the access request carrying a temporary certificate of the second service end, the temporary certificate being digitally signed with the identity private key of the first service end.
Here, the first service end corresponds to a first enterprise and the second service end to a second enterprise; each enterprise has its own service end, through which it can apply for access to the IoT data of other enterprises. Both the first service end and the second service end can act as the data accessor or the data sharer. This embodiment takes the first service end as the data accessor and the second service end as the data sharer only by way of example; their roles are interchangeable, and the first and second service ends are any two service ends in the IoT data processing system rather than specific ones.
Optionally, the temporary certificate includes at least one of the following: data type, time period, decryption private key, identity ID of the second service end, identity ID of the first service end, and signature of the second service end. In this way the temporary certificate can specify the data type and time period, and the duration or number of uses can be limited by specifying a validity period for the temporary certificate, which improves the flexibility of data access.
Step 12: decrypt the temporary certificate with the decryption private key and verify the digital signature of the first service end through the blockchain system, so as to verify the legitimacy of the first service end.
By verifying the legitimacy of the first service end, IoT data can be obtained only when a compliant holder submits the temporary certificate to the server, which improves the security of data access.
Step 13: after verifying that the first service end is legitimate, obtain the target IoT data corresponding to the temporary certificate through the blockchain system and the InterPlanetary File System (IPFS) system.
Storing the IoT data jointly in the blockchain system and the IPFS system improves data security.
Optionally, step 13 includes: reading, from the blockchain system, the file hash corresponding to the data type described in the temporary certificate; reading, from the IPFS system, the IoT data ciphertext corresponding to the file hash; and decrypting the IoT data ciphertext with the decryption private key in the temporary certificate to obtain the target IoT data in plaintext. In this way, what is stored in IPFS is the ciphertext of the IoT data file, which fundamentally improves data security.
Step 14: send the obtained target IoT data to the first service end.
Optionally, before step 11, the method further includes: establishing a data sharing agreement between the first service end and the second service end, and issuing the temporary certificate of the second service end to the first service end.
The above describes the data sharing process of the IoT data processing method; a more complete data sharing process is further described below with reference to the accompanying drawings.
As shown in FIG. 2, the data sharing process includes, but is not limited to, the following steps:
Step 21: each enterprise has a service end; an enterprise applies to the server for access to the IoT data of another enterprise, for example IoT data of a certain data type and a certain time period.
Step 22: after the other enterprise and the enterprise reach an agreement, the other enterprise generates a temporary certificate through its service end and issues it to the enterprise. The temporary certificate contains the data type, time period, decryption private key, data sharer ID, data accessor ID, data sharer signature, and so on.
Step 23: the enterprise submits the temporary certificate to the server, digitally signing it with its identity private key.
Step 24: the server verifies the legitimacy of the enterprise identity using the blockchain, and parses and verifies the temporary certificate, for example by decrypting the temporary certificate with the server's decryption private key and verifying the issuer's digital signature in the temporary certificate using the blockchain.
Step 25: the server reads from the blockchain the file hash corresponding to the data type described in the temporary certificate.
Step 26: the server reads from the IPFS system the IoT data ciphertext corresponding to the file hash.
Step 27: the server decrypts the ciphertext with the decryption private key in the temporary certificate to obtain the original IoT data in plaintext.
Step 28: the server returns the original plaintext IoT data to the enterprise.
Optionally, in addition to the data sharing process, the IoT data processing method of the embodiment of the present invention further includes an authorization process, so as to ensure that only authorized devices and service ends can access the system, which improves system security.
Optionally, before step 11, the method further includes: obtaining the server's encryption/decryption public-private key pair, which includes a decryption private key and an encryption public key; storing the decryption private key locally; and sending the encryption public key to the first service end and the second service end. Storing the decryption private key only on the server, and not on the data accessor (the first service end), ensures privacy security.
The above briefly introduces the authorization process of the present invention; a more complete authorization process is further described below with reference to the accompanying drawings.
As shown in FIG. 3, the authorization process includes, but is not limited to, the following steps:
Step 31: a third-party security authority, the blockchain or the server is used to generate identity public-private key pairs for the IoT devices, the enterprise service ends and the server.
Step 32: the IoT devices, enterprise service ends and server each store their identity private key locally, and the blockchain records the corresponding identity public keys.
Step 33: a third-party security authority, the blockchain or the server is used to generate the server's encryption/decryption public-private key pair.
Step 34: the server stores the decryption private key locally and distributes the encryption public key to all enterprise service ends.
Step 35: a third-party security authority, the blockchain or the server is used to generate, for each enterprise service end, an encryption/decryption public-private key pair for each data type.
Step 36: the enterprise service end stores the decryption private key locally, and the blockchain records the corresponding encryption public key.
In this embodiment, the blockchain is used to record the identity information of IoT devices and enterprise service ends and to provide an identity verification mechanism, which ensures that only authorized devices and service ends can access the system and improves system security.
Optionally, in addition to the data sharing process and the authorization process, the IoT data processing method of the embodiment of the present invention further includes a data storage process, so as to ensure that only authorized devices can store data, which improves system security.
Optionally, before step 11, the method further includes: receiving IoT data from an IoT device corresponding to the second service end, the IoT data being digitally signed with the identity private key of the second service end; verifying the digital signature of the second service end through the blockchain system, so as to verify the legitimacy of the second service end; and after verifying that the second service end is legitimate, caching the IoT data into the corresponding data sequence according to its type.
Optionally, after caching the IoT data into the corresponding data sequence according to its type, the method further includes:
after a predetermined time interval or once a predetermined cache capacity is reached, reading from the blockchain system the encryption public key of the second service end for that type of IoT data; encrypting the IoT data with the read encryption public key and storing it in the IPFS system to obtain the corresponding file hash; and storing the file hash in the blockchain system. In this way, what is stored in IPFS is the ciphertext of the IoT data file, which fundamentally improves data security.
Optionally, the decryption private key for that type of IoT data, corresponding to the encryption public key for that type of IoT data, is stored on the second service end.
The above briefly introduces the data storage process; a more complete data storage process is further described below with reference to the accompanying drawings.
As shown in FIG. 4, the data storage process includes, but is not limited to:
Step 41: each enterprise has a number of IoT devices; an IoT device uploads IoT data to the server, attaching a digital signature made with its identity private key.
Step 42: the server verifies the legitimacy of the IoT device identity using the blockchain; that is, the server obtains the IoT device's identity public key from the blockchain and verifies the digital signature with that public key.
Step 43: if the signature verification passes, the server caches the legitimate data into different sequences according to data type.
Step 44: after the predetermined time interval or once the predetermined cache capacity is reached, the server reads from the blockchain the encryption public key of the corresponding enterprise for the corresponding data type and encrypts the cached data sequence.
Step 45: the server stores the ciphertext in the IPFS system and obtains the file hash.
Step 46: the server records the file hash on the blockchain.
In the embodiment of the present invention, identity verification when an IoT device uploads data uses only blockchain query-type operations (no consensus verification); only the server's process of writing cached data to IPFS uses blockchain invoke-type operations (with consensus verification). This improves system security while preserving the system's concurrency capacity.
In the embodiment of the present invention, the blockchain data structure stores two kinds of identity information data structures: the enterprise identity information data structure and the device identity information data structure.
A feasible enterprise identity information data structure is shown in FIG. 5. The "enterprise description" holds the introduction of the enterprise; the "enterprise identity public key" holds the enterprise's identity verification information; the "mapping between data type, encryption public key and file hash" is a list, each element of which is a map whose key is a data type and whose value is a map containing the encryption public key and the file hash.
A feasible device identity information data structure is shown in FIG. 6. The "device description" holds the introduction of the device; the "enterprise identity ID" indicates which enterprise the device belongs to; and the "device identity public key" holds the device's identity verification information.
In addition, the temporary certificate in the embodiment of the present invention is an encrypted message encrypted with the server's encryption public key; the encrypted content contains the data type, time period, decryption private key, data sharer ID, data accessor ID, data sharer signature, and so on.
In the embodiment of the present invention, enterprise A, applying to access the IoT data of enterprise B, needs a temporary certificate provided by enterprise B. After receiving the temporary certificate, the server first decrypts the encrypted message with the server's decryption private key, obtaining the plaintext containing the data type, time period, decryption private key, data sharer ID, data accessor ID, data sharer signature, and so on; it then verifies the data sharer's signature with the data sharer's identity public key recorded on the blockchain; once the signature is verified, it obtains, according to the data type, time period and decryption private key, the plaintext corresponding to the IoT data ciphertext in IPFS. This ensures that IoT data can be obtained only when a compliant holder submits the temporary certificate to the server, and the temporary certificate can specify the data type and time period, which improves the flexibility of data sharing.
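The temporary-certificate exchange of steps 21-28 and of the paragraph above, as an added example in Go that is not part of the patent: the blockchain and IPFS are plain maps, identity signatures are Ed25519, and public-key encryption is an assumed ephemeral-ECDH + AES-GCM construction, since the patent fixes no algorithms; the outcome of the storage flow (steps 44-46) is set up directly. The enterprise IDs "A" and "B", the "temperature" data type and the readings are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Hybrid public-key encryption (ephemeral P-256 ECDH + AES-GCM); the patent fixes no algorithm, so this is assumed.
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
func encryptTo(pubBytes, plain []byte) []byte {
	pub, _ := ecdh.P256().NewPublicKey(pubBytes) // every public key in this example is generated below
	eph, _ := ecdh.P256().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(pub)
	ephPub := eph.PublicKey().Bytes() // 65 bytes, prepended to the output and bound into the GCM tag
	nonce := make([]byte, 12); rand.Read(nonce)
	return append(append(ephPub, nonce...), aeadFor(shared).Seal(nil, nonce, plain, ephPub)...)
}
func decryptWith(privBytes, ct []byte) ([]byte, error) {
	if len(ct) < 77 {
		return nil, errors.New("ciphertext too short")
	}
	priv, err := ecdh.P256().NewPrivateKey(privBytes)
	ephPub, err2 := ecdh.P256().NewPublicKey(ct[:65])
	if err != nil || err2 != nil {
		return nil, errors.New("malformed key")
	}
	shared, _ := priv.ECDH(ephPub)
	return aeadFor(shared).Open(nil, ct[65:77], ct[77:], ct[:65])
}
// TempCert is the plaintext the sharer (B) encrypts to the server's encryption public key (step 22).
type TempCert struct {
	DataType, Period, SharerID, AccessorID string
	DecryptKey, SharerSig                  []byte
}
func (c TempCert) signedBytes() []byte {
	return []byte(c.DataType + "|" + c.Period + "|" + c.SharerID + "|" + c.AccessorID + "|" + hex.EncodeToString(c.DecryptKey))
}
// Server holds map stand-ins for the ledger and IPFS plus the one key that never leaves it.
type Server struct {
	IdentityPub map[string]ed25519.PublicKey // ledger: enterprise ID -> identity public key
	FileHash    map[string]string            // ledger: "enterprise/dataType" -> IPFS file hash
	IPFS        map[string][]byte            // hex(sha256(ciphertext)) -> ciphertext
	decPriv     []byte                       // server decryption private key
}
// Access is steps 24-28: both signatures are checked against ledger keys before any data is read; A gets plaintext, never the per-type key.
func (s *Server) Access(accessorID string, certCT, accessorSig []byte) ([]byte, error) {
	pub, ok := s.IdentityPub[accessorID]
	if !ok || !ed25519.Verify(pub, certCT, accessorSig) {
		return nil, errors.New("accessor identity verification failed")
	}
	plain, err := decryptWith(s.decPriv, certCT)
	if err != nil {
		return nil, err
	}
	var c TempCert
	if json.Unmarshal(plain, &c) != nil || c.AccessorID != accessorID {
		return nil, errors.New("certificate not issued to this accessor")
	}
	if sp, ok := s.IdentityPub[c.SharerID]; !ok || !ed25519.Verify(sp, c.signedBytes(), c.SharerSig) {
		return nil, errors.New("sharer signature invalid")
	}
	ct, ok := s.IPFS[s.FileHash[c.SharerID+"/"+c.DataType]]
	if !ok {
		return nil, errors.New("no file hash on the ledger for this data type")
	}
	return decryptWith(c.DecryptKey, ct)
}
// Demo runs the whole exchange with constructed sample data and returns what A recovers.
func Demo() (string, error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // enterprise A, the accessor
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // enterprise B, the sharer
	srvKey, _ := ecdh.P256().GenerateKey(rand.Reader)  // server pair (steps 33-34)
	tempKey, _ := ecdh.P256().GenerateKey(rand.Reader) // B's pair for data type "temperature" (steps 35-36)
	srv := &Server{map[string]ed25519.PublicKey{"A": pubA, "B": pubB}, map[string]string{}, map[string][]byte{}, srvKey.Bytes()}
	ct := encryptTo(tempKey.PublicKey().Bytes(), []byte(`[{"t":"2021-07-01","c":21.5}]`)) // storage flow result (steps 44-46)
	fh := fmt.Sprintf("%x", sha256.Sum256(ct))
	srv.IPFS[fh], srv.FileHash["B/temperature"] = ct, fh
	c := TempCert{"temperature", "2021-07", "B", "A", tempKey.Bytes(), nil} // step 22: issued by B to A
	c.SharerSig = ed25519.Sign(privB, c.signedBytes())
	certJSON, _ := json.Marshal(c)
	certCT := encryptTo(srvKey.PublicKey().Bytes(), certJSON)
	out, err := srv.Access("A", certCT, ed25519.Sign(privA, certCT)) // step 23: A signs with its identity key
	return string(out), err
}
func main() {
	fmt.Println(Demo())
}
```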
In the IoT data processing method of the embodiment of the present invention, data sharing authorization is provided in the form of a temporary certificate, ensuring that IoT data can be obtained only when a compliant holder submits the temporary certificate to the server; the data accessor cannot obtain sensitive and private information such as the decryption private key, which improves privacy security.
The above describes the IoT data processing method of the embodiment of the present invention from the server side; the IoT data processing method of the first service end is further described below with reference to the accompanying drawings.
As shown in FIG. 7, an IoT data processing method according to an embodiment of the present invention is applied to a first service end and includes, but is not limited to, the following steps:
Step 71: send to the server an access request for requesting access to the IoT data of a second service end, the access request carrying a temporary certificate of the second service end, the temporary certificate being digitally signed with the identity private key of the first service end.
Step 72: receive from the server the target IoT data corresponding to the temporary certificate, the target IoT data being obtained by the server through the blockchain system and the InterPlanetary File System (IPFS) system after verifying that the first service end is legitimate.
Optionally, the temporary certificate includes at least one of the following: data type, time period, decryption private key, identity ID of the second service end, identity ID of the first service end, and signature of the second service end.
Optionally, before step 71, the method further includes: establishing a data sharing agreement with the second service end; and receiving the temporary certificate of the second service end.
Optionally, before step 71, the method further includes: receiving the encryption public key of the server, where the decryption private key corresponding to the server's encryption public key is stored on the server.
Optionally, before step 71, the method further includes: obtaining the identity public-private key pair of the first service end, which includes an identity verification public key and an identity signature private key; storing the identity signature private key locally and sending the identity signature private key to the server; and sending the identity verification public key to the blockchain system.
This embodiment on the first service end side corresponds to the above method embodiment on the server side; all implementations of the server-side method embodiment apply to this embodiment and achieve similar technical effects. The embodiment of the present invention provides data sharing authorization in the form of a temporary certificate, ensuring that IoT data can be obtained only when a compliant holder submits the temporary certificate to the server; the data accessor cannot obtain sensitive and private information such as the decryption private key, which improves privacy security.
The above describes the IoT data processing methods of the server and of the first service end; the corresponding apparatuses are further described below with reference to the accompanying drawings.
As shown in FIG. 8, an embodiment of the present invention provides an IoT data processing apparatus 800, applied to a server, which includes, but is not limited to, the following functional modules:
a first receiving module 810, configured to receive, from a first service end, an access request for requesting access to IoT data of a second service end, the access request carrying a temporary certificate of the second service end, the temporary certificate being digitally signed with the identity private key of the first service end;
a first verification module 820, configured to decrypt the temporary certificate with the decryption private key and verify the digital signature of the first service end through the blockchain system, so as to verify the legitimacy of the first service end;
a first acquisition module 830, configured to obtain, after verifying that the first service end is legitimate, the target IoT data corresponding to the temporary certificate through the blockchain system and the InterPlanetary File System (IPFS) system;
a first sending module 840, configured to send the obtained target IoT data to the first service end.
Optionally, the temporary certificate includes at least one of the following: data type, time period, decryption private key, identity ID of the second service end, identity ID of the first service end, and signature of the second service end.
Optionally, the first acquisition module 830 includes:
a first reading unit, configured to read, from the blockchain system, the file hash corresponding to the data type described in the temporary certificate;
a second reading unit, configured to read, from the IPFS system, the IoT data ciphertext corresponding to the file hash;
a first decryption unit, configured to decrypt the IoT data ciphertext with the decryption private key in the temporary certificate to obtain the target IoT data in plaintext.
Optionally, the IoT data processing apparatus 800 further includes:
a first establishing module, configured to establish a data sharing agreement between the first service end and the second service end;
a second sending module, configured to issue the temporary certificate of the second service end to the first service end.
Optionally, the IoT data processing apparatus 800 further includes:
a second acquisition module, configured to obtain the server's encryption/decryption public-private key pair, which includes a decryption private key and an encryption public key;
a first storage module, configured to store the decryption private key locally;
a third sending module, configured to send the encryption public key to the first service end and the second service end.
Optionally, the IoT data processing apparatus 800 further includes:
a second receiving module, configured to receive IoT data from an IoT device corresponding to the second service end, the IoT data being digitally signed with the identity private key of the second service end;
a second verification module, configured to verify the digital signature of the second service end through the blockchain system, so as to verify the legitimacy of the second service end;
a caching module, configured to cache, after verifying that the second service end is legitimate, the IoT data into the corresponding data sequence according to its type.
Optionally, the IoT data processing apparatus 800 further includes:
a first reading module, configured to read, after a predetermined interval or once a predetermined cache capacity is reached, the encryption public key of the second service end for that type of IoT data from the blockchain system;
an encryption module, configured to encrypt the IoT data with the read encryption public key;
a second storage module, configured to store the encrypted IoT data in the IPFS system to obtain the corresponding file hash;
a third storage module, configured to store the file hash in the blockchain system.
Optionally, the decryption private key for that type of IoT data, corresponding to the encryption public key for that type of IoT data, is stored on the second service end.
As shown in FIG. 9, an embodiment of the present invention further provides an IoT data processing device 900, applied to a first service end, which includes but is not limited to the following functional modules:
A fourth sending module 910, configured to send to the server an access request for accessing the IoT data of the second service end, where the access request carries a temporary certificate of the second service end and the temporary certificate is digitally signed with the identity private key of the first service end;
A third receiving module 920, configured to receive from the server the target IoT data corresponding to the temporary certificate, where the target IoT data is obtained by the server through the blockchain system and the InterPlanetary File System (IPFS) after the first service end has been verified as legitimate.
Optionally, the temporary certificate includes at least one of the following: a data type, a time period, a decryption private key, the identity ID of the second service end, the identity ID of the first service end, and the signature of the second service end.
Optionally, the IoT data processing device 900 further includes:
A second establishing module, configured to establish a data sharing agreement with the second service end;
A fourth receiving module, configured to receive the temporary certificate of the second service end.
Optionally, the IoT data processing device 900 further includes:
A fifth receiving module, configured to receive the encryption public key of the server, where the decryption private key corresponding to the encryption public key of the server is stored at the server.
Optionally, the IoT data processing device 900 further includes:
A third acquisition module, configured to obtain the identity public-private key pair of the first service end, the identity public-private key pair including an identity verification public key and an identity signing private key;
A fourth storage module, configured to store the identity signing private key locally;
A fifth sending module, configured to send the identity signing private key to the server;
A sixth sending module, configured to send the identity verification public key to the blockchain system.
The IoT data processing method and device of the embodiments of the present invention have been described above; the IoT data processing system is further described below with reference to the accompanying drawings.
As shown in FIG. 10, the IoT data processing system of the embodiment of the present invention includes a server, a first service end, a second service end, a blockchain system, an InterPlanetary File System (IPFS) and IoT devices, where:
the first service end sends to the server an access request for accessing the IoT data of the second service end;
the server receives the access request, which carries a temporary certificate of the second service end that is digitally signed with the identity private key of the first service end;
the server decrypts the temporary certificate with its decryption private key and verifies the digital signature of the first service end through the blockchain system, so as to verify the legitimacy of the first service end;
after the first service end has been verified as legitimate, the server obtains the target IoT data corresponding to the temporary certificate through the blockchain system and the IPFS system;
the server sends the obtained target IoT data to the first service end;
the first service end receives the target IoT data corresponding to the temporary certificate.
The embodiment of the present invention proposes an IoT data processing system which mainly comprises a blockchain system, an IPFS system, a server, several service ends (a first service end, a second service end, and so on) and several IoT devices, and which is mainly intended for enterprises that manage massive IoT data and share data among multiple parties. The main processes are a data storage process and a data sharing process. The data storage process is as follows: each enterprise owns several IoT devices, and the IoT devices upload IoT data to the server; the server verifies the identity legitimacy of an IoT device using the blockchain and caches legitimate data into different sequences according to data type; once the predetermined time interval has elapsed or the predetermined cache capacity has been reached, the server encrypts the cached data with the encryption public key, stored on the blockchain, of the corresponding service end (one service end corresponds to one enterprise) for the corresponding data type; the server stores the ciphertext in the IPFS system, obtains the file hash, and then stores the file hash on the blockchain.
The data sharing process is as follows: each enterprise owns one service end, through which it applies for access to IoT data of a certain data type and a certain time period belonging to another enterprise; the enterprise first obtains a temporary certificate from the enterprise whose data it wants to access (the temporary certificate contains the data type, time period, decryption private key, data sharer ID, data accessor ID, data sharer signature, and so on) and submits the temporary certificate to the server; the server verifies the identity legitimacy of the service end (that is, the enterprise) using the blockchain, and parses and verifies the temporary certificate; the server reads from the blockchain the file hash corresponding to the data type described in the temporary certificate; the server reads from the IPFS system the IoT data ciphertext corresponding to the file hash; the server decrypts the ciphertext with the decryption private key in the temporary certificate to obtain the original plaintext IoT data; the server returns the original plaintext IoT data to the corresponding service end (enterprise).
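The storage and sharing flows just described, modelled as an added Go example (not code from the patent or its figures). It assumes Ed25519 for the identity key pairs, RSA-OAEP for the per-data-type encryption keys and in-memory maps standing in for the blockchain and IPFS systems, leaves out the wrapping of the temporary certificate under the server's encryption public key, and the names Env, TempCert, AccessRequest, StoreIoTData and ServeAccess are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// Env bundles in-memory stand-ins for the blockchain system (Keys, Hashes) and the IPFS system (IPFS).
type Env struct {
	Keys   map[string]ed25519.PublicKey // service-end ID -> identity verification public key
	Hashes map[string][32]byte          // "ownerID/dataType/period" -> file hash recorded on chain
	IPFS   map[[32]byte][]byte          // file hash -> ciphertext (content-addressed store)
}
// TempCert is the temporary certificate the data owner (second service end) issues to one accessor.
type TempCert struct {
	DataType, Period, OwnerID, AccessorID string
	DecryptKey, OwnerSig                  []byte // PKCS#1 DER private key for DataType; owner's identity signature over the other fields
}
// AccessRequest is what the first service end sends: the JSON-encoded certificate, signed with its identity key.
type AccessRequest struct {
	AccessorID        string
	Cert, AccessorSig []byte
}
func hashOf(b []byte) [32]byte   { return sha256.Sum256(b) }
func certBody(c TempCert) []byte { c.OwnerSig = nil; b, _ := json.Marshal(c); return b }
// verify checks sig over msg with the identity verification key the ledger holds for id (false if unregistered).
func (e *Env) verify(id string, msg, sig []byte) bool { k, ok := e.Keys[id]; return ok && ed25519.Verify(k, msg, sig) }

// StoreIoTData is the server's storage step: encrypt with the owner's data-type public key, store in IPFS, record the hash.
func StoreIoTData(e *Env, key string, pub *rsa.PublicKey, data []byte) error {
	// RSA-OAEP directly over a small payload; a real deployment would wrap a symmetric data key instead.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	if err != nil {
		return err
	}
	h := hashOf(ct)
	e.IPFS[h], e.Hashes[key] = ct, h
	return nil
}

// ServeAccess is the server's sharing step: verify the accessor, verify the certificate and its binding to that accessor, fetch and check the ciphertext, decrypt.
func ServeAccess(e *Env, req AccessRequest) ([]byte, error) {
	if !e.verify(req.AccessorID, req.Cert, req.AccessorSig) {
		return nil, fmt.Errorf("accessor %q not verified against the ledger", req.AccessorID)
	}
	var c TempCert
	if json.Unmarshal(req.Cert, &c) != nil || c.AccessorID != req.AccessorID || !e.verify(c.OwnerID, certBody(c), c.OwnerSig) {
		return nil, fmt.Errorf("certificate malformed, not signed by %q, or not issued to %q", c.OwnerID, req.AccessorID)
	}
	h := e.Hashes[c.OwnerID+"/"+c.DataType+"/"+c.Period]
	ct, ok := e.IPFS[h]
	if !ok || hashOf(ct) != h { // content addressing: the bytes IPFS returns must match the hash on the ledger
		return nil, fmt.Errorf("no ciphertext on record for %s/%s/%s", c.OwnerID, c.DataType, c.Period)
	}
	priv, err := x509.ParsePKCS1PrivateKey(c.DecryptKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}
```

As in the design above, the server receives the decryption private key inside the certificate and produces plaintext, so it is a trusted party for the shared data; the checks to keep are the two signature verifications against ledger keys, the binding of the certificate to the requesting ID, and the hash comparison before decryption.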
The IoT data processing device and system of the embodiments of the present invention correspond to the method embodiment described above; every implementation of the method embodiment applies to the device and system embodiments and achieves the same technical effect. Data sharing authorization is granted in the form of a temporary certificate, which ensures that IoT data can be obtained only when a compliant holder submits the temporary certificate to the server; the data accessor cannot obtain sensitive and private information such as the decryption private key, which improves privacy and security.
A readable storage medium according to an embodiment of the present invention stores a program or instructions which, when executed by a processor, implement the steps of the IoT data processing method described above and achieve the same technical effect; to avoid repetition, this is not described again here.
The readable storage medium includes a computer-readable storage medium such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It should further be noted that the terminals described in this specification include but are not limited to smartphones and tablet computers, and that many of the functional components described are referred to as modules in order to emphasize more particularly the independence of their implementation.
In the embodiments of the present invention, a module may be implemented in software so as to be executed by various types of processors. For example, an identified module of executable code may comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure or function. Nevertheless, the executable code of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when logically joined together, constitute the module and achieve the stated purpose of the module.
Indeed, a module of executable code may be a single instruction or many instructions, and may even be distributed over several different code segments, among different programs, and across multiple memory devices. Similarly, operational data may be identified within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations (including over different storage devices), and may exist, at least partially, merely as electronic signals on a system or network.
Where a module can be implemented in software, given the level of current hardware technology, a person skilled in the art can, cost aside, build a corresponding hardware circuit to implement the corresponding function of any module that can be implemented in software; such a hardware circuit includes conventional very large scale integration (VLSI) circuits or gate arrays, off-the-shelf semiconductors such as logic chips and transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices and the like.
The exemplary embodiments above have been described with reference to the accompanying drawings; many different forms and embodiments are possible without departing from the spirit and teaching of the present invention, and the present invention should therefore not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete and will convey the scope of the invention to those skilled in the art. In the drawings, the sizes and relative sizes of components may be exaggerated for clarity. The terminology used herein is for the purpose of describing particular exemplary embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. Unless otherwise indicated, a stated range of values includes the upper and lower limits of the range and any sub-range in between.
The above describes preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the scope of protection of the present invention.
Claims (17)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110789228.3A CN115622719B (en) | 2021-07-13 | 2021-07-13 | A method, device and system for processing data of Internet of Things |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110789228.3A CN115622719B (en) | 2021-07-13 | 2021-07-13 | A method, device and system for processing data of Internet of Things |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115622719A CN115622719A (en) | 2023-01-17 |
| CN115622719B true CN115622719B (en) | 2024-07-02 |
Family
ID=84855538
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110789228.3A Active CN115622719B (en) | 2021-07-13 | 2021-07-13 | A method, device and system for processing data of Internet of Things |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115622719B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116436926A (en) * | 2023-03-05 | 2023-07-14 | 上海有倕信息科技有限公司 | A blockchain system and method for managing Internet of Things devices |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103248479A (en) * | 2012-02-06 | 2013-08-14 | 中兴通讯股份有限公司 | Cloud storage safety system, data protection method and data sharing method |
| CN104202168A (en) * | 2014-09-19 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | Cloud data integrity verification method based on trusted third party |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108462568B (en) * | 2018-02-11 | 2021-08-06 | 西安电子科技大学 | A blockchain-based secure file storage and sharing method and cloud storage system |
| CN109918878B (en) * | 2019-04-24 | 2021-03-02 | 中国科学院信息工程研究所 | A blockchain-based industrial IoT device identity authentication and secure interaction method |
| WO2021179203A1 (en) * | 2020-03-11 | 2021-09-16 | 合肥达朴汇联科技有限公司 | Data transmission method, system and device, electronic device, and readable storage medium |
| CN112003832A (en) * | 2020-07-29 | 2020-11-27 | 北京科技大学 | Block chain-based Internet of things data privacy protection method |
| CN112073479A (en) * | 2020-08-26 | 2020-12-11 | 重庆邮电大学 | Method and system for controlling de-centering data access based on block chain |
| CN112187826A (en) * | 2020-10-14 | 2021-01-05 | 深圳壹账通智能科技有限公司 | Data authorization and data access method and system in block chain network |
| CN112564912B (en) * | 2020-11-24 | 2023-03-24 | 北京金山云网络技术有限公司 | Method, system and device for establishing secure connection and electronic equipment |
| CN112417519B (en) * | 2020-11-25 | 2023-09-29 | 弘景智业(北京)多式联运咨询有限公司 | A blockchain-based supply chain logistics data security sharing method |
- 2021-07-13 CN CN202110789228.3A patent/CN115622719B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN115622719A (en) | 2023-01-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12309296B2 (en) | Systems and methods for notary agent for public key infrastructure names | |
| AU2022204148B2 (en) | Methods and apparatus for providing blockchain participant identity binding | |
| CN109829326B (en) | Cross-domain authentication and fair audit de-duplication cloud storage system based on block chain | |
| JP6285454B2 (en) | Entity network translation (ENT) | |
| US10432394B2 (en) | Method and system for sharing encrypted content | |
| US7680937B2 (en) | Content publication | |
| CN109327481B (en) | A blockchain-based unified online authentication method and system for the entire network | |
| CN109450843B (en) | A blockchain-based SSL certificate management method and system | |
| CN119135332A (en) | Credential generation and distribution method and system for blockchain network | |
| JP2007518369A (en) | Efficiently signable real-time credentials for OCSP and distributed OCSP | |
| CN101212293B (en) | A method and system for identity authentication | |
| US20250193013A1 (en) | Methods, systems, and computer readable-media for privacy preserving identity verification | |
| CN114844700A (en) | Identity authentication method, system, equipment and storage medium based on trusted storage in distributed environment | |
| EP4695938A1 (en) | Apparatus and method for managing credentials | |
| CN116015856A (en) | Data transfer method and device based on blockchain digital identity | |
| CN113239376B (en) | Data sharing method, request method and device based on block chain | |
| CN115622719B (en) | A method, device and system for processing data of Internet of Things | |
| CN115720137B (en) | Information management system, method and device | |
| CN1985460B (en) | Communication Valid Realtime Credentials for OCSP and Distributed OCSP |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant |