CN112422500A - Cross-platform data transmission method and device, storage medium and electronic device - Google Patents

Cross-platform data transmission method and device, storage medium and electronic device Download PDF

Info

Publication number
CN112422500A
CN112422500A CN202011018281.5A CN202011018281A CN112422500A CN 112422500 A CN112422500 A CN 112422500A CN 202011018281 A CN202011018281 A CN 202011018281A CN 112422500 A CN112422500 A CN 112422500A
Authority
CN
China
Prior art keywords
enclave
encrypted data
user
data
transmitted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011018281.5A
Other languages
Chinese (zh)
Other versions
CN112422500B (en
Inventor
范学鹏
曾驭龙
汤载阳
王宸敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Yizhi Technology Co ltd
Original Assignee
Beijing Yizhi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Yizhi Technology Co ltd filed Critical Beijing Yizhi Technology Co ltd
Priority to CN202011018281.5A priority Critical patent/CN112422500B/en
Publication of CN112422500A publication Critical patent/CN112422500A/en
Application granted granted Critical
Publication of CN112422500B publication Critical patent/CN112422500B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/104Peer-to-peer [P2P] networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The application discloses a cross-platform data transmission method and device, a storage medium and an electronic device. The method is used for supporting a first user end and a second user end of a trusted execution environment, and comprises the following steps: the first user terminal encrypts private data to be transmitted to obtain encrypted data; the first user terminal sends the encrypted data to a block chain for uplink; the second user end obtains the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end; decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave; and transmitting the private data to be transmitted into the target enclave. The method and the device solve the technical problems that the execution environment of the trusted program and the cross-platform private data transmission are poor in effect, and the private data is easily leaked. Through the block chain-based cross-platform private data transmission method and device, the encrypted data on the chain cannot be cracked.

Description

Cross-platform data transmission method and device, storage medium and electronic device
Technical Field
The application relates to the field of block chain cross-platform private data transmission, in particular to a cross-platform data transmission method and device, a storage medium and an electronic device.
Background
If the user wants that the program of the user is not falsified, the user wants that the value of the intermediate variable in the program executing process is not acquired, namely the program is a trusted program. Meanwhile, many scenarios require private data transmission across user-side platforms.
For example, when a first user wishes to transfer confidential data to a second user's platform for execution by a trusted program of the second user, the second user is expected to be unable to obtain a particular value of the confidential data. Further, when the private data to be transmitted is itself a randomly generated private key, i.e. the private key is also required to be invisible to the first user, but the public key of the data is still required to be correctly disclosed for verifying the signature.
Aiming at the problems that the execution environment of a trusted program and the cross-platform private data transmission effect are poor and private data leakage is easily caused in the related technology, an effective solution is not provided at present.
Disclosure of Invention
The application mainly aims to provide a cross-platform data transmission method and device, a storage medium and an electronic device, so as to solve the problem that private data is easily leaked due to poor effects on the execution environment of a trusted program and the cross-platform private data transmission.
To achieve the above object, according to one aspect of the present application, there is provided a cross-platform data transmission method.
The cross-platform data transmission method is used for supporting a first user end and a second user end of a trusted execution environment, and comprises the following steps: the first user terminal encrypts private data to be transmitted to obtain encrypted data; the first user terminal sends the encrypted data to a block chain for uplink; the second user end obtains the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end; decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave; and transmitting the private data to be transmitted into the target enclave.
Further, before the second user obtains the encrypted data from the blockchain and transmits the encrypted data to the enclave of the second user, the method further includes: chaining the public key generated by the enclave of the second user terminal and the authorization of the public key together; and/or encrypting and storing a private key generated by the enclave of the second user side at the second user side.
Further, the privacy data includes: in the case of random numbers, the method further comprises: generating private data according to the enclave of the first user terminal; the first user terminal sends a public key generated by acquiring the enclave of the second user terminal on the block chain and the authorization of the public key to the enclave of the first user terminal; and under the condition that the authorization of the public key is verified to pass by the enclave of the first user, encrypting the private data by adopting the public key to obtain encrypted data, and then sending the encrypted data to a block chain for uplink.
Further, still include: under the condition that a first user terminal designates a hash value of the target enclave, the first user terminal encrypts the hash value and the private data to be transmitted and sends the encrypted hash value and the private data to be transmitted to a block chain for uplink transmission; and the second user side obtains the hash value and the encrypted data of the private data to be transmitted from the blockchain and transmits the encrypted data to the enclave of the second user side.
Further, decrypting the encrypted data according to a private key generated by the enclave of the second user to obtain private data to be transmitted, and verifying the identity of the target enclave includes: under the condition that the encrypted data comprise the hash value of the designated target enclave, the hash value of the interaction target is checked; and performing hash value matching according to the inspection result, and determining the target enclave corresponding to the hash value.
Further, the decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of the target enclave further includes: the identity of the verification target enclave is generated via a third party signature.
Further, the enclave of the second user end is deployed via a third party and is not linked to an extranet and/or server.
To achieve the above object, according to another aspect of the present application, there is provided a cross-platform data transmission apparatus.
The cross-platform data transmission device is used for supporting a first user terminal and a second user terminal of a trusted execution environment, and comprises: the encryption module is used for encrypting the private data to be transmitted by the first user end to obtain encrypted data; a block chain module, configured to send the encrypted data to a block chain for chain transmission by the first user equipment; the acquisition module is used for acquiring the encrypted data from the block chain by the second user end and transmitting the encrypted data to the enclave of the second user end; the verification module is used for decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave; and the transmitting module is used for transmitting the private data to be transmitted into the target enclave.
According to a third aspect of embodiments of the present application, there is provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
According to a fourth aspect of embodiments of the present application, there is provided an electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the steps of any of the above method embodiments.
In the embodiment of the application, a cross-platform data transmission method and device, a storage medium and an electronic device are adopted, a mode that a first user terminal encrypts private data to be transmitted to obtain encrypted data is adopted, the first user terminal sends the encrypted data to a block chain for chaining, and a second user terminal obtains the encrypted data from the block chain and transmits the encrypted data to a enclave of the second user terminal; the encrypted data are decrypted according to the enclave of the second user end to obtain the private data to be transmitted, the identity of a target enclave is verified, the private data to be transmitted are transmitted into the target enclave, the technical effects of cross-platform private data transmission and identity authentication can be achieved, and the technical problems that the execution environment of a trusted program and the cross-platform private data transmission are poor and private data are easily leaked are solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, serve to provide a further understanding of the application and to enable other features, objects, and advantages of the application to be more apparent. The drawings and their description illustrate the embodiments of the invention and do not limit it. In the drawings:
fig. 1 is a schematic diagram of xx structure implemented by a cross-platform data transmission method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart diagram illustrating a cross-platform data transmission method according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a cross-platform data transmission apparatus according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating a principle of a cross-platform data transmission method according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In this application, the terms "upper", "lower", "left", "right", "front", "rear", "top", "bottom", "inner", "outer", "middle", "vertical", "horizontal", "lateral", "longitudinal", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings. These terms are used primarily to better describe the present application and its embodiments, and are not used to limit the indicated devices, elements or components to a particular orientation or to be constructed and operated in a particular orientation.
Moreover, some of the above terms may be used to indicate other meanings besides the orientation or positional relationship, for example, the term "on" may also be used to indicate some kind of attachment or connection relationship in some cases. The specific meaning of these terms in this application will be understood by those of ordinary skill in the art as appropriate.
Furthermore, the terms "mounted," "disposed," "provided," "connected," and "sleeved" are to be construed broadly. For example, it may be a fixed connection, a removable connection, or a unitary construction; can be a mechanical connection, or an electrical connection; may be directly connected, or indirectly connected through intervening media, or may be in internal communication between two devices, elements or components. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art as appropriate.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking the example of running on a computer device, fig. 1 is a hardware structure block diagram of the computer device of the cross-platform data transmission method according to the embodiment of the present invention.
The embodiment of the application also provides computer equipment. As shown in fig. 1, the computer device 20 may include: the at least one processor 201, e.g., CPU, the at least one network interface 204, the user interface 203, the memory 205, the at least one communication bus 202, and optionally, a display 206. Wherein a communication bus 202 is used to enable the connection communication between these components. The user interface 203 may include a touch screen, a keyboard or a mouse, among others. The network interface 204 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), and a communication connection may be established with the server via the network interface 204. The memory 205 may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one disk memory, and the memory 205 includes a flash in the embodiment of the present invention. The memory 205 may optionally be at least one memory system located remotely from the processor 201. As shown in fig. 1, memory 205, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and program instructions.
It should be noted that the network interface 204 may be connected to a receiver, a transmitter or other communication module, and the other communication module may include, but is not limited to, a WiFi module, a bluetooth module, etc., and it is understood that the computer device in the embodiment of the present invention may also include a receiver, a transmitter, other communication module, etc.
Processor 201 may be used to call program instructions stored in memory 205 and cause computer device 20 to perform output transfer operations.
Example 1
As shown in fig. 2, the method in the embodiment of the present application is used for supporting a first user side and a second user side of a trusted execution environment, and specifically includes the following steps S201 to S205:
step S201, the first user terminal obtains encrypted data by encrypting the private data to be transmitted;
step S202, the first user terminal sends the encrypted data to a block chain for uplink;
step S203, the second user end obtains the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end;
step S204, decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave;
step S205, the private data to be transmitted is transmitted into the target enclave.
From the above description, it can be seen that the following technical effects are achieved by the present application:
acquiring encrypted data by encrypting private data to be transmitted by the first user end, sending the encrypted data to a block chain by the first user end for chaining, and acquiring the encrypted data by the second user end from the block chain and transmitting the encrypted data to the enclave of the second user end; the encrypted data are decrypted according to the enclave of the second user end to obtain the private data to be transmitted, the identity of a target enclave is verified, the purpose that the private data to be transmitted are transmitted into the target enclave is achieved, the technical effects of cross-platform private data transmission and identity authentication can be achieved, and the technical problems that the execution environment of a trusted program and the cross-platform private data transmission are poor and private data leakage is easily caused are solved.
In step S201, the first user obtains encrypted data by encrypting the private data to be transmitted.
In the above step S202, the encrypted data obtained in the above step is sent to a block chain for uplink at the first ue.
In some optional embodiments, the blockchain is used as a decentralized account book, and has the characteristics of non-tampering, safety, credibility and the like.
In some optional embodiments, the blockchain comprises, in accordance with node permissions of a blockchain network: a public chain and a federation chain. A federation chain generally refers to a block chain with admission thresholds for users of a particular group. Compared with a public chain, the alliance chain can be deployed in a local area network, and users can be supported to use the alliance chain under the environment without an external network.
In some preferred embodiments, the block chain is selected as a federation chain.
After the uplink is performed in step S203, the second ue obtains the encrypted data from the blockchain and transmits the encrypted data to the enclave of the second ue.
In some optional embodiments, the enclave of the second user end is used as a hardware-guaranteed isolated trusted execution environment instance.
In step S204, the encrypted data is decrypted according to the enclave of the second user end to obtain private data to be transmitted, and the identity of the target enclave is verified.
In step S205, the private data to be transmitted is transmitted to the target enclave according to the decrypted private data to be transmitted.
As a possible implementation manner of the present application, before the second user obtains the encrypted data from the blockchain and transfers the encrypted data to the enclave of the second user, the method includes: chaining the public key generated by the enclave of the second user terminal and the authorization of the public key together; and/or encrypting and storing a private key generated by the enclave of the second user side at the second user side.
In specific implementation, a trusted third party installs an open-source enclave, namely an enclave, named enclave B, on a platform of a second user side. Enclave B calls SGX self-contained method to generate a pair of public and private keys, noted pkb, skb. And then, the private key skb is encrypted and exported, and is stored in the local of the user B. The public key pkb is derived directly, signed by a third party for an authorization for it, and pkb is sent along with the authorization to the blockchain, the uplink.
In some optional embodiments, Enclave B is based on intel's trusted execution environment SGX.
In some optional embodiments, the third party provides an interface for statically checking and signing enclave, the interface is realized by deploying another open source enclave, networking is not required for each access, interaction with the third party is not required, and privacy disclosure of the third party is not caused.
In some optional embodiments, the open source means that the enclave code is completely written and disclosed, has a certain hash value, and cannot be tampered by anyone.
In some optional embodiments, the trusted execution environment SGX generates a public and private key SGX _ create _ key _ pair _ ECC 256, which is based on the principle that the CPU randomly generates a private key by obtaining circuit information and calculates a public key according to a corresponding rule.
In some optional embodiments, the key obtained by encrypting skb and deriving is a symmetric key carried by enclave B, and is related to the hash value of enclave B. The value of the symmetric key is private to the outside on the premise that enclave B does not contain a divulging privacy method. Therefore, after skb is encrypted by the symmetric key, only enclave B can unlock the ciphertext to restore skb. Enclave B can then read the encrypted skb locally at any time and decrypt it internally for use.
In some optional embodiments, the authorization is to sign the information to be authorized by using a preset private key for the third party, and meanwhile, the corresponding authorization public key is disclosed on the blockchain, so that anyone can verify the signature. The third party ensures that all authorized public keys are generated in the open-source enclave, and the open-source enclave does not reveal privacy. It is safe to encrypt and uplink the private data with the authorized public key.
In some optional embodiments, the installation process at the enclave of the second user end need only be performed once. Once installed, the second user may receive private data from any user to enclave B any number of times, without relying on a third party.
As a possible implementation manner of the present application, the privacy data includes: in the case of random numbers, the method further comprises: generating private data according to the enclave of the first user terminal; the first user terminal sends a public key generated by acquiring the enclave of the second user terminal on the block chain and the authorization of the public key to the enclave of the first user terminal; and under the condition that the authorization of the public key is verified to pass by the enclave of the first user, encrypting the private data by adopting the public key to obtain encrypted data, and then sending the encrypted data to a block chain for uplink.
In a specific implementation, it may be desirable that the first user end does not know the specific value of m, but is applicable to a scenario where m is a random number. If it is desired that the first user side does not know the value of m either, m is randomly generated by the enclave a of the first user side, after which user a transmits the pkb retrieved on the chain and its authorization into enclave a. enclave A verifies the authorization validity, after the authorization validity is passed, m is encrypted by pkb to obtain pkb [ m ], and then the chain is exported and linked. Furthermore, if randomly generated m is used as some private key, enclave a exports and chains its corresponding public key as well for later verification of use.
As a possible implementation manner of the present application, the method further includes: under the condition that a first user terminal specifies a hash value of the target enclave, the first user terminal encrypts and sends the hash value to a block chain for uplink; and the second user end obtains the hash value encrypted data from the block chain and transmits the hash value encrypted data to the enclave of the second user end.
In an implementation, if the first ue wants to specify the hash value of the target enclave, the first ue encrypts the uplink together with the hash value, and the ciphertext becomes pkb [ m | | hash ]. The second client gets pkb m hash from the chain and enters enclave B.
As a possible implementation manner of the present application, decrypting the encrypted data according to the enclave of the second user to obtain the private data to be transmitted, and verifying the identity of the target enclave includes: under the condition that the encrypted data comprise the hash value of the designated target enclave, the hash value of the interaction target is checked; and performing hash value matching according to the inspection result, and determining the target enclave corresponding to the hash value.
In specific implementation, the Enclave B decrypts pkb [ m ] by skb to obtain m. And if the specified hash value exists, decrypting the hash value together with the specified hash value. And the Enclave B authentication needs to accept the object Enclave identity of m, and if the hash value is specified, the Enclave B authentication comprises a process of verifying the matching between the hash value of the interactive object and the specified hash. M is transmitted into the target enclave through post-establishing local attesting.
As a possible implementation manner of the present application, the decrypting the encrypted data according to the enclave of the second user to obtain the private data to be transmitted, and verifying the identity of the target enclave further includes: the identity of the verification target enclave is generated via a third party signature.
In particular implementation, authenticating the identity of the target enclave includes verifying that the enclave is generated by a signature of a trusted third party, and the like, so as to ensure that privacy is not leaked.
As a possible implementation of the present application, the enclave of the second user side is deployed via a third party and is not linked to an extranet and/or a server.
In specific implementation, local authentication is an intel self-contained function and is used for identity authentication and interaction with a platform enclave, and an external network does not need to be connected during use.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a cross-platform data transmission device is further provided, and the device is used to implement the foregoing embodiments and preferred embodiments, and the description of the device is omitted for brevity. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 3 is a block diagram of a cross-platform data transmission apparatus according to an embodiment of the present invention, as shown in fig. 3, the apparatus is used for supporting a first user side and a second user side of a trusted execution environment, and the apparatus includes:
an encryption module 31, configured to encrypt the private data to be transmitted by the first user to obtain encrypted data;
an uplink module 32, configured to send the encrypted data to a block chain for uplink by the first ue;
an obtaining module 33, configured to obtain the encrypted data from the block chain and transmit the obtained encrypted data to an enclave of the second user end by the second user end;
the verification module 34 is configured to decrypt the encrypted data according to the enclave of the second user end to obtain private data to be transmitted, and verify the identity of the target enclave;
an importing module 35, configured to import the private data to be transmitted into the target enclave.
In the encryption module 31, the first user end encrypts the private data to be transmitted to obtain encrypted data.
The encrypted data obtained in the above steps is sent to a block chain for uplink in the uplink module 32 at the first ue.
In some optional embodiments, the blockchain is used as a decentralized account book, and has the characteristics of non-tampering, safety, credibility and the like.
In some optional embodiments, the blockchain comprises, in accordance with node permissions of a blockchain network: a public chain and a federation chain. A federation chain generally refers to a block chain with admission thresholds for users of a particular group. Compared with a public chain, the alliance chain can be deployed in a local area network, and users can be supported to use the alliance chain under the environment without an external network.
In some preferred embodiments, the block chain is selected as a federation chain.
After the obtaining module 33 goes through uplink, the second ue obtains the encrypted data by obtaining from the blockchain and transmits the encrypted data to the enclave of the second ue.
In some optional embodiments, the enclave of the second user end is used as a hardware-guaranteed isolated trusted execution environment instance.
And after uplink transmission, the second user terminal obtains the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user terminal.
In some optional embodiments, the enclave of the second user end is used as a hardware-guaranteed isolated trusted execution environment instance.
The encrypted data is decrypted in the verification module 34 according to the enclave of the second user end to obtain private data to be transmitted, and the identity of the target enclave is verified.
And transmitting the private data to be transmitted into the target enclave in the transmitting module 35 according to the decrypted private data to be transmitted.
It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present application is not limited to any specific combination of hardware and software.
In order to better understand the above cross-platform data transmission method flow, the following explains the above technical solutions with reference to the preferred embodiments, but the technical solutions of the embodiments of the present invention are not limited thereto.
The method in the present application is based on the SGX implementation of intel, but the core idea thereof is also applicable to trusted execution environments using other platforms.
In particular, there are a range of hardware-based solutions called Trusted Execution Environments (TEE): including SGX of intel, SEV of AMD and the like, the core idea is to perform isolation protection on data through a hardware technology. Therefore, when the program runs in a trusted execution environment, the two basic goals that the code cannot be tampered and the intermediate variable cannot be obtained can be achieved. The design principle is that the authority judgment of protected memory access is added in the layer of the CPU circuit, the external world of the memory address field protected by the TEE cannot access, but some methods of the trusted program can be designated as being capable of being called by the external world during design.
In order to realize data interaction between two enclaves, the Intel provides functions called local attack and remote attack for realizing data interaction between the two enclaves. The former is used for identity authentication and data interaction between two enclaves under the same platform, and the latter is used for identity authentication and data interaction between cross-platforms. However, a great disadvantage of remote authentication is that each time the application is used, two interacting parties are required to connect to the internet and interact with the intel server once, which causes great limitation. For example, for highly secure and confidential government agencies and enterprises, the production environment may only provide local area network connectivity.
The method and the system realize a set of new cross-platform interaction algorithm based on the alliance chain, can realize cross-platform private data transmission, identity authentication and the like, achieve the same security and standard as remote authentication of intel, and do not need to connect an external network or interact with an intel official party.
The method in the application does not depend on linking an extranet and an intel official server, and the problem of private data transmission between the enclaves of the cross-platform is solved. The method can be used for various scenes such as private data transaction, private data analysis and the like. As shown in fig. 4, the method specifically includes the following steps:
in step 1, user A encrypts m with pkb (ciphertext denoted pkb m), then derives and chains. If user a wishes to specify the hash value of the target enclave, the hash value is also encrypted uplink (ciphertext becomes pkb [ m | | | hash ]). User B gets pkb [ m ] (or pkb [ m | | hash ]) from the chain and enters enclave B.
Step 2, Enclave B decrypts pkb [ m ] with skb to get m. And if the specified hash value exists, decrypting the hash value together with the specified hash value.
And 3, the Enclave B certifies the object Enclave identity needing to be accepted by m, and if the hash value is appointed, the process of verifying the matching between the hash value of the interactive object and the appointed hash is included. M is transmitted into the target enclave through post-establishing local attesting.
Step 4, optionally, if it is desired that user a does not know the value of m either, m is randomly generated by enclave a, and then user a transmits pkb obtained on the chain and its authorization into enclave a. enclave A verifies the authorization validity, after the authorization validity is passed, m is encrypted by pkb to obtain pkb [ m ], and then the chain is exported and linked. The subsequent enclave B execution flow is similar to the above.
Alternatively, if randomly generated m is used as some private key, enclave a exports and chains its corresponding public key as well for later verification of use.
In some optional embodiments, authenticating the identity of the target enclave includes verifying that the enclave was generated via a third party's signature, etc., to ensure that it does not reveal privacy.
In some optional embodiments, local authentication is an intel self-contained function, is used for identity authentication and interaction with platform enclave, and does not need to be connected with an external network during use. Suppose there are two users, A, B, both supporting Intel's SGX. Suppose that user a needs to transmit a private data m into an enclave (called target enclave) of user B, and hopes that user B cannot obtain the value of m. Meanwhile, it is assumed that all users can only interact with the blockchain, and cannot connect to the extranet or rely on other third parties. Alternatively, it is desirable that user a does not know the specific value of m. Only for scenes where m is a random number.
It is assumed that the target enclave itself does not reveal the information of m. It is also assumed that the target enclave contains some authenticatable identity feature, e.g. generated via a third party signature, or its hash value is disclosed/specified by user a.
The method in the present application further comprises: the enclave installation process comprises the following steps in specific implementation:
step 1, a third party installs an open source enclave on a platform of a user B, and the enclave is recorded as enclave B. Enclave B calls SGX self-contained method to generate a pair of public and private keys, noted pkb, skb. Then, the private key skb is encrypted and exported, and is stored locally in the user B; the public key pkb is derived directly, signed by a third party for an authorization for it, and pkb is sent along with the authorization to the blockchain, the uplink.
And 2, if the user A does not know the specific value of m, installing an open source enclave which is recorded as enclave A when the third party is on the platform of the user A.
In some optional embodiments, the third party provides an interface for statically checking and signing enclave, the interface is realized by deploying another open source enclave, networking is not required for each access, interaction with the third party is not required, and privacy disclosure of the third party is not caused.
In some optional embodiments, the SGX generates the public and private keys SGX _ create _ key _ pair _ ECC 256, which is based on the principle that the CPU randomly generates a private key by obtaining circuit information and calculates the public key according to the corresponding rule.
In some alternative embodiments, the key used to encrypt and derive skb is a symmetric key carried by enclave B, and is associated with the hash value of enclave B. The value of the symmetric key is private to the outside on the premise that enclave B does not contain a divulging privacy method. Therefore, after skb is encrypted by the symmetric key, only enclave B can unlock the ciphertext to restore skb. Enclave B can then read the encrypted skb locally at any time and decrypt it internally for use.
In some optional embodiments, the authorization is to sign the information to be authorized by using a certain private key of the third party, and meanwhile, the corresponding authorization public key is disclosed on the blockchain, so that anyone can verify the signature. The third party ensures that all authorized public keys are generated in the open-source enclave, and the open-source enclave does not reveal privacy. It is safe to encrypt and uplink the private data with the authorized public key.
In some alternative embodiments, the installation process need only be performed once. Once installed, the user B may receive private data from any user to the enclave B any number of times, without relying on a third party.
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
s1, the first user end obtains encrypted data by encrypting the private data to be transmitted;
s2, the first ue sends the encrypted data to a block chain for uplink;
s3, the second user end obtains the encrypted data through obtaining the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end;
s4, decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave;
s5, the private data to be transmitted are transmitted into the target enclave.
Optionally, the storage medium is further arranged to store a computer program for performing the steps of:
s31, chaining the public key generated by the enclave of the second user terminal and the authorization of the public key together.
Optionally, the storage medium is further arranged to store a computer program for performing the steps of:
and S32, encrypting and storing the private key generated by the enclave of the second user side in the second user side.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, the first user end obtains encrypted data by encrypting the private data to be transmitted;
s2, the first ue sends the encrypted data to a block chain for uplink;
s3, the second user end obtains the encrypted data through obtaining the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end;
s4, decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave;
s5, the private data to be transmitted are transmitted into the target enclave.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A cross-platform data transmission method is used for supporting a first user end and a second user end of a trusted execution environment, and comprises the following steps:
the first user terminal encrypts private data to be transmitted to obtain encrypted data;
the first user terminal sends the encrypted data to a block chain for uplink;
the second user end obtains the encrypted data from the block chain and transmits the encrypted data to the enclave of the second user end;
decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave;
and transmitting the private data to be transmitted into the target enclave.
2. The method of claim 1, wherein before the second user terminal obtains the encrypted data from the blockchain and transmits the encrypted data to the enclave of the second user terminal, the method further comprises:
chaining the public key generated by the enclave of the second user terminal and the authorization of the public key together;
and/or encrypting and storing a private key generated by the enclave of the second user side at the second user side.
3. The method of claim 1, wherein the privacy data comprises: in the case of random numbers, the method further comprises:
generating private data according to the enclave of the first user terminal;
the first user terminal sends a public key generated by acquiring the enclave of the second user terminal on the block chain and the authorization of the public key to the enclave of the first user terminal;
and under the condition that the authorization of the public key is verified to pass by the enclave of the first user, encrypting the private data by adopting the public key to obtain encrypted data, and then sending the encrypted data to a block chain for uplink.
4. The method of claim 1, further comprising:
under the condition that a first user terminal designates a hash value of the target enclave, the first user terminal encrypts the hash value and the private data to be transmitted and sends the encrypted hash value and the private data to be transmitted to a block chain for uplink transmission;
and the second user side obtains the hash value and the encrypted data of the private data to be transmitted from the blockchain and transmits the encrypted data to the enclave of the second user side.
5. The method according to claim 4, wherein decrypting the encrypted data according to a private key generated by the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave comprises:
under the condition that the encrypted data comprise the hash value of the designated target enclave, the hash value of the interaction target is checked;
and performing hash value matching according to the inspection result, and determining the target enclave corresponding to the hash value.
6. The method of claim 1, wherein decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave further comprises: the identity of the verification target enclave is generated via a third party signature.
7. The method of claim 1, wherein the enclave of the second user end is deployed via a third party and is not linked to an extranet and/or a server.
8. A cross-platform data transfer apparatus for supporting a first user side and a second user side of a trusted execution environment, the apparatus comprising:
the encryption module is used for encrypting the private data to be transmitted by the first user end to obtain encrypted data;
a block chain module, configured to send the encrypted data to a block chain for chain transmission by the first user equipment;
the acquisition module is used for acquiring the encrypted data from the block chain by the second user end and transmitting the encrypted data to the enclave of the second user end;
the verification module is used for decrypting the encrypted data according to the enclave of the second user end to obtain private data to be transmitted and verifying the identity of a target enclave;
and the transmitting module is used for transmitting the private data to be transmitted into the target enclave.
9. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 7.
CN202011018281.5A 2020-09-25 2020-09-25 Cross-platform data transmission method and device, storage medium and electronic device Active CN112422500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011018281.5A CN112422500B (en) 2020-09-25 2020-09-25 Cross-platform data transmission method and device, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011018281.5A CN112422500B (en) 2020-09-25 2020-09-25 Cross-platform data transmission method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN112422500A true CN112422500A (en) 2021-02-26
CN112422500B CN112422500B (en) 2023-05-16

Family

ID=74854752

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011018281.5A Active CN112422500B (en) 2020-09-25 2020-09-25 Cross-platform data transmission method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN112422500B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672993A (en) * 2021-08-26 2021-11-19 济南浪潮数据技术有限公司 Data processing method, system, equipment and computer readable storage medium
CN114726878A (en) * 2022-03-28 2022-07-08 广州广电运通金融电子股份有限公司 Cloud storage system, equipment and method
CN115174260A (en) * 2022-07-29 2022-10-11 中国工商银行股份有限公司 Data verification method, data verification device, computer, storage medium and program product

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180211067A1 (en) * 2017-01-24 2018-07-26 Microsoft Technology Licensing, Llc Cross-platform enclave identity
DE102018101307A1 (en) * 2017-02-22 2018-08-23 Intel Corporation SGX enclave remote authentication techniques
US20190074968A1 (en) * 2017-09-06 2019-03-07 Alibaba Group Holding Limited Method, apparatus and system for data encryption and decryption
CN109726588A (en) * 2018-12-21 2019-05-07 上海邑游网络科技有限公司 Method for secret protection and system based on Information hiding
CN109995781A (en) * 2019-03-29 2019-07-09 腾讯科技(深圳)有限公司 Transmission method, device, medium and the equipment of data
CN110020855A (en) * 2019-01-31 2019-07-16 阿里巴巴集团控股有限公司 Method, the node, storage medium of secret protection are realized in block chain
CN110120869A (en) * 2019-03-27 2019-08-13 上海隔镜信息科技有限公司 Key management system and cipher key service node
CN110931093A (en) * 2020-02-18 2020-03-27 支付宝(杭州)信息技术有限公司 Medical information sharing system and method
CN110992027A (en) * 2019-11-29 2020-04-10 支付宝(杭州)信息技术有限公司 Efficient transaction method and device for realizing privacy protection in block chain
CN110998581A (en) * 2019-03-26 2020-04-10 阿里巴巴集团控股有限公司 Program execution and data attestation scheme using multiple key pairs for signatures
CN111047450A (en) * 2020-03-18 2020-04-21 支付宝(杭州)信息技术有限公司 Method and device for calculating down-link privacy of on-link data
CN111090875A (en) * 2020-03-18 2020-05-01 支付宝(杭州)信息技术有限公司 Contract deployment method and device
WO2020108138A1 (en) * 2018-11-30 2020-06-04 阿里巴巴集团控股有限公司 Method for implementing privacy protection in blockchain
US20200177366A1 (en) * 2019-06-18 2020-06-04 Alibaba Group Holding Limited Homomorphic data encryption method and apparatus for implementing privacy protection
CN111400756A (en) * 2020-03-13 2020-07-10 杭州复杂美科技有限公司 Private data uplink method, device and storage medium

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180211067A1 (en) * 2017-01-24 2018-07-26 Microsoft Technology Licensing, Llc Cross-platform enclave identity
DE102018101307A1 (en) * 2017-02-22 2018-08-23 Intel Corporation SGX enclave remote authentication techniques
US20190074968A1 (en) * 2017-09-06 2019-03-07 Alibaba Group Holding Limited Method, apparatus and system for data encryption and decryption
WO2020108138A1 (en) * 2018-11-30 2020-06-04 阿里巴巴集团控股有限公司 Method for implementing privacy protection in blockchain
CN109726588A (en) * 2018-12-21 2019-05-07 上海邑游网络科技有限公司 Method for secret protection and system based on Information hiding
CN110020855A (en) * 2019-01-31 2019-07-16 阿里巴巴集团控股有限公司 Method, the node, storage medium of secret protection are realized in block chain
CN110998581A (en) * 2019-03-26 2020-04-10 阿里巴巴集团控股有限公司 Program execution and data attestation scheme using multiple key pairs for signatures
CN110120869A (en) * 2019-03-27 2019-08-13 上海隔镜信息科技有限公司 Key management system and cipher key service node
CN109995781A (en) * 2019-03-29 2019-07-09 腾讯科技(深圳)有限公司 Transmission method, device, medium and the equipment of data
US20200177366A1 (en) * 2019-06-18 2020-06-04 Alibaba Group Holding Limited Homomorphic data encryption method and apparatus for implementing privacy protection
CN110992027A (en) * 2019-11-29 2020-04-10 支付宝(杭州)信息技术有限公司 Efficient transaction method and device for realizing privacy protection in block chain
CN110931093A (en) * 2020-02-18 2020-03-27 支付宝(杭州)信息技术有限公司 Medical information sharing system and method
CN111400756A (en) * 2020-03-13 2020-07-10 杭州复杂美科技有限公司 Private data uplink method, device and storage medium
CN111047450A (en) * 2020-03-18 2020-04-21 支付宝(杭州)信息技术有限公司 Method and device for calculating down-link privacy of on-link data
CN111090875A (en) * 2020-03-18 2020-05-01 支付宝(杭州)信息技术有限公司 Contract deployment method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672993A (en) * 2021-08-26 2021-11-19 济南浪潮数据技术有限公司 Data processing method, system, equipment and computer readable storage medium
CN113672993B (en) * 2021-08-26 2023-12-22 济南浪潮数据技术有限公司 Data processing method, system, equipment and computer readable storage medium
CN114726878A (en) * 2022-03-28 2022-07-08 广州广电运通金融电子股份有限公司 Cloud storage system, equipment and method
CN114726878B (en) * 2022-03-28 2024-02-23 广州广电运通金融电子股份有限公司 Cloud storage system, equipment and method
CN115174260A (en) * 2022-07-29 2022-10-11 中国工商银行股份有限公司 Data verification method, data verification device, computer, storage medium and program product
CN115174260B (en) * 2022-07-29 2024-02-02 中国工商银行股份有限公司 Data verification method, device, computer, storage medium and program product

Also Published As

Publication number Publication date
CN112422500B (en) 2023-05-16

Similar Documents

Publication Publication Date Title
CN103685282B (en) A kind of identity identifying method based on single-sign-on
US9608813B1 (en) Key rotation techniques
US8984295B2 (en) Secure access to electronic devices
Ye et al. Security analysis of Internet-of-Things: A case study of august smart lock
CN101212293B (en) Identity authentication method and system
CN110990827A (en) Identity information verification method, server and storage medium
US9300639B1 (en) Device coordination
US10263782B2 (en) Soft-token authentication system
CN112422500B (en) Cross-platform data transmission method and device, storage medium and electronic device
CN105553951A (en) Data transmission method and data transmission device
CN108418691A (en) Dynamic network identity identifying method based on SGX
CN102577301A (en) Method and apparatus for trusted authentication and logon
JP2016508699A (en) Data security service
CN109831311A (en) A kind of server validation method, system, user terminal and readable storage medium storing program for executing
EP3029879A1 (en) Information processing device, information processing method, and computer program
WO2018030289A1 (en) Ssl communication system, client, server, ssl communication method, and computer program
CN105187382A (en) Multi-factor identity authentication method for preventing library collision attacks
CN115001841A (en) Identity authentication method, identity authentication device and storage medium
CN105612728B (en) The safe data channel authentication of implicit shared key
KR101358375B1 (en) Prevention security system and method for smishing
Badar et al. Secure authentication protocol for home area network in smart grid-based smart cities
KR101680536B1 (en) Method for Service Security of Mobile Business Data for Enterprise and System thereof
KR20130100032A (en) Method for distributting smartphone application by using code-signing scheme
US10979226B1 (en) Soft-token authentication system with token blocking after entering the wrong PIN
Han et al. Scalable and secure virtualization of hsm with scaletrust

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant