
Research And Implementation Of On-Chain Authority Management Model Controlled By Users

Posted on: 2021-06-09
Degree: Master
Type: Thesis
Country: China
Candidate: X Li
Full Text: PDF
GTID: 2518306476950419
Subject: Cyberspace security

Abstract/Summary:
Traditional permission management techniques rely heavily on trusted third parties to allocate permissions, so the owner of the data has no direct control over the granting and revocation of access to the data, and the data is at risk of being compromised. Using the decentralized nature of the blockchain, it is possible to achieve autonomous and controllable management of individual data access rights without a trusted third party. To achieve fine-grained permission management, existing blockchain-based permission management implementations usually use Ciphertext-Policy Attribute-Based Encryption (CP-ABE). The data owner generates the corresponding decryption key for a data user according to that user's attributes and encrypts the permission assignment information under a specific access control structure; a data user who satisfies the attribute requirements can obtain the permission assignment information through the blockchain and thereby gain data access rights. However, when existing rights management solutions that combine the CP-ABE model with blockchain technology are applied to enterprise scenarios, management complexity grows with the number of users; at the same time, once data users have obtained data access rights through the blockchain, those rights cannot be dynamically revoked. As a result, existing blockchain-based permission management schemes do not fully enable autonomous and controllable permission allocation management by data owners.

In response to the above problems, this paper proposes a novel user-controlled, on-chain permission management scheme. By extending the CP-ABE model, the scheme implements permission inheritance, permission granting, and permission revocation, and can be applied flexibly in enterprise scenarios. The scheme adopts a multiway tree structure to implement the protocol description of the attribute set, which supports inheritance of rights based on role assignment; a smart contract generation protocol based on user attribute matching implements the granting of rights by the data owner to the data user; and a timestamp technique together with a subset cover algorithm implements revocation management, which revokes allocated rights once their validity period expires or when the data owner actively revokes them.

The main work of this paper and its innovations are as follows.

1. In response to the problem that the complexity of CP-ABE increases with the number of users in enterprise scenarios, this paper proposes an extended CP-ABE model based on role assignment. The model introduces the concept of an attribute tree on top of CP-ABE; the tree satisfies a strict partial order relation and enables role delineation of data users and permission inheritance. The system constructs the attribute tree from the permission inclusion relationship between roles: every node other than the root and the leaves represents a role, and the leaf nodes represent the inherent attributes of each role. When CP-ABE encrypts data, the access control structure is built from the access relationship between the roles in the attribute tree and the roles' inherent attributes, achieving inheritance of rights; hierarchical rights management follows the hierarchical relationship between roles, reducing the complexity of rights management.

2. This paper proposes an on-chain permission allocation model based on smart contracts, which implements attribute-based granting of permission by data owners to data users. The model writes the privilege management process as a smart contract and deploys it on the blockchain node; when a privilege assignment is required, the participants initiate a transaction by calling the smart contract. The data owner can thus perform permission assignments directly through on-chain transactions without relying on trusted third parties, with assignments based on the attributes owned by the data user.

3. To address the difficulty of revoking privileges after CP-ABE has been used for privilege assignment on the blockchain, this paper proposes two privilege revocation mechanisms, which revoke privileges automatically once the expiration date passes or when the data owner actively revokes them. The former is based on timestamps: each data user is assigned a valid access time, and the privilege is revoked automatically when that time expires. The latter constructs a binary tree to assign different version numbers to different data users; when the data owner wants to actively revoke a privilege, this is done by changing the version number information in the access control structure. Together, these mechanisms enhance flexibility while reducing the complexity of revocation operations.

4. A prototype system for on-chain rights management was implemented and validated on the basis of the above scheme. The prototype enables autonomous and controllable privilege assignment, privilege inheritance, and privilege revocation on the blockchain by the data owner. Tests show a throughput above 400 TPS for state data queries on the blockchain and above 130 TPS for transactions, so the system can be deployed effectively in enterprise scenarios.
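The following is an added illustration, not code from the thesis: a plain-Python model of the access decisions the scheme describes (role attribute tree with inheritance, timestamp-based expiry, and version-number revocation). Real CP-ABE encryption and the on-chain contract are replaced by a local policy check, the per-user binary tree of version numbers is simplified to a single policy version, and all role and attribute names are constructed.

```python
import time

# Constructed attribute tree: each role node lists its inherent attributes
# (the leaves) and the sub-roles placed below it, whose attributes it inherits.
ATTRIBUTE_TREE = {
    "director": {"attrs": {"approve_budget"}, "sub": ["manager"]},
    "manager":  {"attrs": {"sign_contract"}, "sub": ["engineer", "sales"]},
    "engineer": {"attrs": {"read_design", "commit_code"}, "sub": []},
    "sales":    {"attrs": {"read_price_list"}, "sub": []},
}


def attributes_of(role):
    """Inherent attributes of a role plus those inherited from every sub-role."""
    node = ATTRIBUTE_TREE[role]
    attrs = set(node["attrs"])
    for sub in node["sub"]:
        attrs |= attributes_of(sub)
    return attrs


class AccessPolicy:
    """Access control structure: required attributes, validity deadline, version."""

    def __init__(self, required, expires_at, version=1):
        self.required = set(required)
        self.expires_at = expires_at   # Unix time after which access is revoked
        self.version = version         # keys issued under an older version no longer match

    def revoke_all(self):
        # Active revocation by the data owner: bump the version number in the
        # access control structure so previously issued keys stop matching.
        self.version += 1


def check_access(policy, role, key_version, now=None):
    """Decide whether a user holding `role` and a key of `key_version` may access."""
    now = time.time() if now is None else now
    if now >= policy.expires_at:
        return False                   # timestamp-based revocation
    if key_version != policy.version:
        return False                   # version-number-based revocation
    return policy.required <= attributes_of(role)   # attribute matching
```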
Keywords/Search Tags:CP-ABE, blockchain, permission management