Ethereum中如何实现ACL

Posted on Edited on

需求

在供应链(金融)、个人履历以及各个行业应用中,ACL(Access Control List)是共同类的需求。

写管理

OpenZeppelinRoles.sol 可以使用,搭配 ERC721 合约 使用,处理生成和销毁数字资产功效加倍。但是数据写在区块链上之后,即使使用了 private 关键字也是可以被用户读取的。

以上方法只实现了用户的 写权限控制,无法实现用户的读权限控制。

读管理

思路简介:

a) 客户端 AES 加密原文(shared data);b) 密文(encrypt(shared data))如果过大则存放于某云数据库,其他用户也可以访问到云数据库,也可以直接存放于ethereum 上,如 Tx 的 extraData 或者 state 中;c) 验证用户符合条件,如 role,policy或者address的要求时,data owner 将 encrypt 的秘钥经过用户(data user)的 pk 加密后, 通过 event 传递给到用户(data user)

详细参加:Multi-Authority Attribute-Based Access Control with Smart Contract

以下是论文中的详细说明:

Architecture

System target

Here we present a concrete example. Suppose an data owner in the Computer and Information Sciences Department at the University of Delaware specifies access policy W to be [UD, PhD Student, Gender#] for accessing encrypted research meeting notes, and we have student Alice’s attribute list SAlice = [UD, PhD Student, Female], and student Bob’s attribute list SBob = [UD, Master Student, Male]. As a result, Alice can access the corresponding encrypted research meeting notes, while Bob cannot because he is an Master student. Notice that the Gender# attribute indicates that either gender satisfies the access policy.

Participants

• Data Owner (DO): A DO is an entity (e.g., person, organization, or process) who owns the data to be shared. A DO actively specifies access policies for the data it shares.

• Data User (DU): A DU is an entity who wants to access data shared by DOs. A DU actively seeks access authorizations from DOs.

• Shared Data (SD): An SD is a piece of data owned by a DO, and can be accessed passively by authorized DUs.

• Attribute Token (AT): An AT is a credential representing an attribute that a DU possesses.

• Attribute Authority (AA): An AA is a pre-verified and authorized node in Ethereum who issues ATs to qualified DUs who possess the corresponding attributes.

Workflow / Timeflow