一种基于区块链的数据完整性验证解决方案

数据在物联网环境下采集、传递、存储过程中,如果缺少严密的安全防范措施,可能会出现假冒的、被篡改的或者过期的数据,这些缺乏完整性保护的物联网数据会对物联网应用造成极大的危害。数据的完整性是确保数据可信的必要条件。区块链的去中心化、分布式、持久性、不可篡改等属性,使得区块链目前成为在具有隐私保护应用需求的数据完整性验证的优选方法。文中提出了一种基于区块链的数据完整性验证的区块链结构和基于去中心化时间戳的数据完整性验证机制,设计了基于区块链的数据完整性验证的智能合约,在以太坊平台上模拟真实场景。实验结果表明,基于区块链的数据完整性验证技术方案,可以在去中心化的应用环境下,并在数据分散存储以保护数据隐私的前提下,确保数据的完整性。     

Cooperative Detection Method for DDoS Attacks Based on Blockchain

Distributed Denial of Service (DDoS) attacks is always one of the major problems for service providers. Using blockchain to detect DDoS attacks is one of the current popular methods. However, the problems of high time overhead and cost exist in the most of the blockchain methods for detecting DDoS attacks. This paper proposes a blockchain-based collaborative detection method for DDoS attacks. First, the trained DDoS attack detection model is encrypted by the Intel Software Guard Extensions (SGX), which provides high security for uploading the DDoS attack detection model to the blockchain. Secondly, the service provider uploads the encrypted model to Inter Planetary File System (IPFS) and then a corresponding Content-ID (CID) is generated by IPFS which greatly saves the cost of uploading encrypted models to the blockchain. In addition, due to the small amount of model data, the time cost of uploading the DDoS attack detection model is greatly reduced. Finally, through the blockchain and smart contracts, the CID is distributed to other service providers, who can use the CID to download the corresponding DDoS attack detection model from IPFS. Blockchain provides a decentralized, trusted and tamper-proof environment for service providers. Besides, smart contracts and IPFS greatly improve the distribution efficiency of the model, while the distribution of CID greatly improves the efficiency of the transmission on the blockchain. In this way, the purpose of collaborative detection can be achieved, and the time cost of transmission on blockchain and IPFS can be considerably saved. We designed a blockchain-based DDoS attack collaborative detection framework to improve the data transmission efficiency on the blockchain, and use IPFS to greatly reduce the cost of the distribution model. In the experiment, compared with most blockchain-based method for DDoS attack detection, the proposed model using blockchain distribution shows the advantages of low cost and latency. The remote authentication mechanism of Intel SGX provides high security and integrity, and ensures the availability of distributed models.     

Outsourced data integrity verification based on blockchain in untrusted environment

Outsourced data, as the significant component of cloud service, has been widely used due to its convenience, low overhead, and high flexibility. To guarantee the integrity of outsourced data, data owner (DO) usually adopts a third party auditor (TPA) to execute the data integrity verification scheme. However, during the verification process, DO cannot fully confirm the reliability of the TPA, and handing over the verification of data integrity to the untrusted TPA may lead to data security threats. In this paper, we focus on the problem of integrity verification of outsourced data in untrusted environment, that is, how to improve the security and efficiency of data integrity verification without utilizing untrusted TPA. To address the problem, we design a decentralized model based on blockchain consisting of some collaborative verification peers (VPs), each of which maintains a replication of the entire blockchain to avoid maliciously tampering with. Based on the model, we present an advanced data integrity verification algorithm which allows DO to store and check the verification information by writing and retrieving the blockchain. In addition, in order to improve the concurrent performance, we extend the algorithm by introducing the verification group (VG) constituting by some VPs organized by Inner-Group and Inter-Group consensus protocols. We conduct a completed security analysis as well as extensive experiments of our proposed approach, and the evaluation results demonstrate that our proposed approaches achieve superior performance.

     

区块链技术在域间路由安全领域的应用研究

互联网域间路由系统的安全问题一直备受关注.实现全网范围的互联网资源管理认证和可信跨域协作至关重要.区块链技术以其去中心化、防篡改、可追溯等天然属性,可作为域间网络资源认证与信任建立的基础.首先分析域间路由系统安全脆弱性及其影响,以及传统域间路由安全机制面临的部署困难、管理复杂、信任中心化等困境;然后,在简要介绍区块链技术基本理论的基础上指出区块链技术运用于域间路由系统安全的技术思路,并详述区块链技术应用于域间路由认证、域间智能管理和域间DDoS防御等方面的最新进展;最后,分析区块链应用于域间路由安全领域的优势,从性能与规模、兼容性与增量部署以及区块链自身安全问题这3个方面分析其问题与挑战,并对下一步研究进行展望.     

基于区块链的网络安全体系结构与关键技术研究进展

随着互联网技术的不断演进与用户数量的"爆炸式"增长,网络作为一项基础设施渗透于人们生存、生活的各个方面,其安全问题也逐渐成为人们日益关注的重点.然而,随着网络规模的扩大以及攻击者恶意行为的多样化、复杂化,传统网络安全体系架构及其关键技术已经暴露出单点信任、部署困难等诸多问题,而具备去中心化、不可篡改等特性的区块链技术为...     

基于区块链的数据治理协同方法

针对当前数据治理过程中面临的数据标准不统一、数据质量良莠不齐以及数据安全隐私凸显等问题,提出一种基于区块链的数据治理协同方法,将区块链多方协作、安全可信等特性应用到数据标准的构建、数据安全的保障和数据共享过程的控制。本方法首先根据数据治理要求和区块链特征,提炼形成基于区块链的数据治理协同模型,通过构建多方协作的数据标准流程、数据标准构建和更新机制、安全可靠的数据共享和访问控制等,实现区块链数据治理协同方法,从而提升数据标准化工作的效率和安全性。实验及分析结果表明,该方法比传统的数据标准构建方法在标准用语申请时间效率上有明显的提升,特别是在大数据环境下,基于区块链智能合约的方法对时间效率提升更为明显,基于区块链的分布式存储等特性为系统的安全、用户行为追溯和审计提供了有力依据和保障。该方案对于数据治理工作具有良好的应用示范效果,为行业的元数据管理、数据标准的共享和应用提供了借鉴思路。     

基于信誉的二阶段溯源区块链共识策略

基于区块链技术的产品溯源系统在现代供应链系统中被广泛应用,溯源区块链适合采用联盟链来构建,其参与利益方多、共识网络差异化高的特性影响了此类区块链系统的性能和安全性。对区块链共识过程进行分析,构建模拟溯源区块链的系统模型和信誉模型,以排除拜占庭故障节点。在此基础上,设计包含代表选择和代表共识两个阶段的共识过程,并提出一种基于信誉的二阶段溯源区块链共识策略RTsBFT。实验结果表明,在相同的配置环境和条件下,相比CSBFT和PBFT策略,RTsBFT可取得更高的系统吞吐量、更短的延迟和更低的故障节点率,能够有效提高联盟链场景下溯源系统的性能和安全性。     

ERSChain: Towards secure and flexible educational resource sharing using consortium blockchain and revocable ciphertext-policy attribute-based encryption

Sharing high-quality educational resources has become an effective way to promote educational equity. The traditional educational resource sharing platforms using centralized storage architecture have security issues. Recently, many studies use blockchain to achieve secure sharing of educational resources. However, the existing blockchain-based educational resource sharing schemes only use blockchain as a storage tool, and have issues such as low sharing efficiency, without considering copyright security, and lack of a trusted sharing environment, which prevents the large-scale sharing of educational resources. In response, we propose ERSChain, a novel blockchain-based educational resources sharing solution. First, we put forward a hybrid storage method that keeps the hash value of resource in the blockchain and stores the encrypted resource in the off-chain, which can alleviate the storage and computing pressure brought by massive educational resources while ensuring the integrity of resources. Second, we construct an efficient revocable ciphertext-policy attribute-based encryption algorithm to implement flexible access control and an outsourced decryption algorithm to achieve greater efficiency. Obtaining access to educational resources is possible when user's attributes meet the access policy and the user's identity does not exist in the revocation list. Third, we put forward a credit mechanism to adjust the user's credibility and a credit-based consensus mechanism to maintain the trusted sharing environment. Finally, security analysis and plentiful of experiments demonstrate that our proposed ERSChain achieves security assurance, has better applicability than similar works, and enables large-scale sharing of educational resources.     

基于区块链的域间路由策略符合性验证方法

域间路由系统自治域(ASes)间具有不同的商业关系和路由策略.违反自治域间出站策略协定的路由传播可能引发路由泄露,进而导致网络中断、流量窃听、链路过载等严重后果.路由策略符合性验证对于保证域间路由系统安全性和稳定性至关重要.但自治域对本地路由策略自主配置与隐私保护的双重需求增加了验证路由策略符合性的难度,使其一直是域间路由安全领域尚未妥善解决的难点问题.提出一种基于区块链的域间路由策略符合性验证方法.该方法以区块链和密码学技术作为信任背书,使自治域能够以安全和隐私的方式发布、交互、验证和执行路由策略期望,通过生成对应路由更新的路由证明,保证路由传播过程的真实性,从而以多方协同的方式完成路由策略符合性验证.通过实现原型系统并基于真实路由数据开展实验与分析,结果表明该方法可以在不泄露自治域商业关系和本地路由策略的前提下针对路由传播出站策略符合性进行可追溯的验证,以合理的开销有效抑制策略违规路由传播,在局部部署情况下也具有显著的策略违规路由抑制能力.     

基于区块链的共享充电桩安全监管方案

共享充电桩可缓解当前电车充电难的现状。然而,基于第三方平台的共享充电桩平台面临着信任问题;而基于区块链的共享充电桩平台虽可提供信任环境,但缺乏对用户、桩主、充电量等信息核查。为解决以上问题,提出了一种基于区块链的共享充电桩安全监管方案。该方案通过基于双链的共享充电信任模型,安全地存储用户、桩主或运营商的关键信息,并在该模型上设计穿透式监管方案,向上核查用户、桩主或运营商的身份,向下核查充电量、充电速度等信息正确性。实验评估表明,该方案能够以不大的开销提高平台的安全性。     

基于区块链的数据完整性多方高效审计机制

提出了一种面向大数据环境的基于区块链的数据完整性多方高效审计机制(MBE-ADI).构建基于数据域的混合Merkle DAG结构对数据组织,实现大数据环境下大量非结构化数据同时验证;为应对大数据环境下数据量大的问题,设计基于BLS签名多副本确定性验证方法,实现支持多副本的数据完整性高效验证;设计基于联盟链的双验证审计架...     

面向数据保护的区块链物联网边缘卸载策略

物联网（IoT）设备的广泛应用带来了数据安全性和完整性的挑战。针对这一问题,研究提出了一种区块链物联网边缘卸载策略,专注于数据保护。该策略通过将IoT设备数据上传至区块链,利用其不可窜改性和可追溯性来保障数据安全。鉴于区块链的工作量证明（PoW）共识算法在数据验证和区块添加方面的高计算资源需求,该策略采用边缘计算技术,将PoW共识过程卸载至边缘服务器执行。进一步地,设计并实现了一个多目标边缘卸载算法（multi-object edge offloading algorithm,MEOA）,以寻找最优卸载策略,动态调整PoW共识难度,实现系统安全性与运行效率的平衡。仿真实验结果显示,该策略相比其他卸载策略,在提高IoT设备数据上链效率、降低时间和能耗成本方面表现优异,同时确保了数据安全性和完整性。     

Caterpillar: A business process execution engine on the Ethereum blockchain

Blockchain platforms, such as Ethereum, allow a set of actors to maintain a ledger of transactions without relying on a central authority and to deploy programs, called smart contracts, that are executed whenever certain transactions occur. These features can be used as basic building blocks for executing collaborative business processes between mutually untrusting parties. However, implementing business processes using the low-level primitives provided by blockchain platforms is cumbersome and error-prone. In contrast, established business process management systems (BPMSs), such as those based on the standard Business Process Model and Notation (BPMN), provide convenient abstractions for rapid development of process-oriented applications. This article demonstrates how to combine the advantages of a BPMS with those of a blockchain platform. The article introduces a blockchain-based BPMN execution engine, named Caterpillar. Like any BPMN execution engine, Caterpillar supports the creation of instances of a process model and allows users to monitor the state of process instances and to execute tasks thereof. The specificity of Caterpillar is that the state of each process instance is maintained on the (Ethereum) blockchain and the workflow routing is performed by smart contracts generated by a BPMN-to-Solidity compiler. The Caterpillar compiler supports a large array of BPMN constructs, including subprocesses, multiple-instance activities, and event handlers. The paper describes the architecture of Caterpillar and the interfaces it provides to support the monitoring of process instances, the allocation and execution of work items, and the execution of service tasks.     

VacChain: A Blockchain-Based EMR System to Manage Child Vaccination Records

The digitalization of healthcare-related information service systems has become a trend across the world. However, several crucial services are still provided manually due to a lack of trust in digital solutions. One such service is keeping records of children’s vaccination, which still relies on a paper-based file system in most parts of the world. This approach causes serious data integrity problems. Recently, healthcare has become a potential application area of the blockchain, as it can preserve and protect highly sensitive private medical records while sharing these records in a decentralized manner without losing personal ownership. Therefore, we propose a new digital model to track a child’s vaccination records using blockchain. In particular, this proposed application helps improve the vaccination record-keeping process by ensuring the integrity of the preserved data in a more secure way. In an emerging pandemic situation, our approach can be extended to manage the overall vaccination process effectively.     

基于区块链的数字版权交易系统

在当前数字化、网络化时代中,数字版权交易需求越来越大,传统的中心化版权保护系统存在注册成本高、作品受理时间长、容易遭受破坏者的篡改等问题。区块链技术作为一个以P2P网络为基础,以密码技术为核心的去中心化网络结构,能够在网络上以纯数学方法建立信任关系,无需依托中间平台就能够缓解上述问题。借助区块链技术的自我监管、可追溯、去中心化的特性,结合数字版权交易场景,设计了一个基于联盟链的数字版权交易系统模型,利用当前 IBM 提供的最新联盟链技术,做了版权注册和版权交易的实现,能够保证版权信息不可篡改性和可溯源性。最后,测试了链码部署安装时间。结果表明,系统安装简单,维护成本低。相比传统的基于可信第三方版权认证机制,基于区块链的数字版权交易系统注册时间短,无需注册费,具有更好的架构安全性和可扩展性。     

基于身份密码系统和区块链的跨域认证协议

随着信息网络技术的快速发展和网络规模的持续扩张,网络环境中提供的海量数据和多样服务的丰富性和持久性都得到了前所未有的提升.处于不同网络管理域中的用户与信息服务实体之间频繁交互,在身份认证、权限管理、信任迁移等方面面临一系列安全问题和挑战.本文针对异构网络环境中用户访问不同信任域网络服务时的跨域身份认证问题,基于IBC身...     

基于教育区块链与无证书签名的身份认证方案

针对当前教育资源共享安全性低和身份认证困难的问题, 提出了一种区块链技术与无证书签名相结合的可跨域身份认证方案, 将无证书签名技术的高安全性、无密钥托管问题等优点应用到区块链的分布式网络中, 实现了身份认证过程中用户安全、跨域认证、恶意用户可追溯、注册信息不可篡改. 首先, 基于教育区块链与无证书签名的身份认证方案是建...     

ShadowEth: Private Smart Contract on Public Blockchain

Blockchain is becoming popular as a distributed and reliable ledger which allows distrustful parties to transact safely without trusting third parties. Emerging blockchain systems like Ethereum support smart contracts where miners can run arbitrary user-defined programs. However, one of the biggest concerns about the blockchain and the smart contract is privacy, since all the transactions on the chain are exposed to the public. In this paper, we present ShadowEth, a system that leverages hardware enclave to ensure the confidentiality of smart contracts while keeping the integrity and availability based on existing public blockchains like Ethereum. ShadowEth establishes a confidential and secure platform protected by trusted execution environment (TEE) off the public blockchain for the execution and storage of private contracts. It only puts the process of verification on the blockchain. We provide a design of our system including a protocol of the cryptographic communication and verification and show the applicability and feasibility of ShadowEth by various case studies. We implement a prototype using the Intel SGX on the Ethereum network and analyze the security and availability of the system.     

基于区块链的建筑信息模型图纸多人协同创作系统

建筑信息模型（BIM）图纸多人协同创作在大型建筑项目中很重要,而现有的基于Revit等建模软件或云服务的BIM图纸多人协同创作方法存在BIM图纸版本混乱、不易溯源以及数据安全风险等问题。针对这些问题,设计了一种基于区块链的BIM图纸多人协同创作系统。该系统采用链上链下协同的存储方式,使用区块链和数据库分别存储BIM图纸创作过程中每次创作后的BIM图纸信息以及完整BIM图纸,利用区块链去中心化、可追溯和防篡改的特性保证BIM图纸的版本清晰,并为以后的版权划分提供依据,而且提升了BIM图纸信息数据的安全性。实验结果表明,该系统在多用户并发情况下的平均出块时间为0.467 85 s,系统的最大处理速率为每秒1 568次交易,验证了该系统是可靠的,且可以满足实际应用场景的需求。     

基于区块链的具有隐私保护的多项式外包计算方案

随着区块链的快速发展,基于区块链的外包计算得到了广泛应用.外包计算允许资源受限的用户将复杂的计算以付费的方式外包给资源强大的外包计算者来计算,从而可以便捷地获得计算结果.然而外包计算过程中可能会泄露用户的隐私数据,因此,在外包计算过程中需要考虑用户数据的隐私性、安全性以及计算结果的可验证性.本文针对高阶多项式的外包计算...