CN113810382A - Cipher text loading method for resisting SGX side channel attack - Google Patents

Publication number
CN113810382A
Authority
CN
China
Prior art keywords
user
program
enclave
report
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110973607.8A
Other languages
Chinese (zh)
Other versions
CN113810382B (en)
Inventor
张建
张建磊
王庆豪
史闻博
鲁宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northeastern University Qinhuangdao Branch
Original Assignee
Northeastern University Qinhuangdao Branch
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Northeastern University Qinhuangdao Branch
Priority to CN202110973607.8A
Publication of CN113810382A
Application granted
Publication of CN113810382B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a ciphertext loading method for resisting SGX side channel attacks. A source program is first encrypted and transmitted to a cloud provider; the cloud provider loads the ciphertext code and a loader program and initializes an Enclave of the cloud environment from this information. Remote authentication is performed between the user and the cloud environment and a secure communication channel is established, and the user securely transmits the key used for encryption to the Enclave in the cloud environment through a key exchange protocol. Finally, the Enclave uses the key to decrypt the program, and the loader program executes the program according to the parameters passed by the user. Before it is transmitted into the Enclave, the program exists as ciphertext, so a malicious environment cannot obtain the program plaintext and the confidentiality of the program is guaranteed. The method makes full use of the remote authentication mechanism in SGX and uses a key established with a key exchange protocol to protect the encryption key used when encrypting the plaintext program, which reduces the overhead of the scheme while resisting side channel attacks.

Description

Cipher text loading method for resisting SGX side channel attack
Technical Field
The invention relates to the technical field of information security, in particular to a ciphertext loading method for resisting SGX side channel attack.
Background
At present, more and more computing tasks are processed by cloud servers, so users' code and data are controlled by cloud platforms, which seriously affects users' information security; for example, a cloud provider can use its privileges to attack a user's proprietary algorithms. The SGX (Software Guard Extensions) instruction set extension aims to provide a user-space trusted execution environment whose guarantees are enforced by hardware and do not depend on the security state of firmware and software; through new instructions and an access control mechanism it isolates different programs from one another, so that the confidentiality and integrity of users' critical code and data are not compromised by malicious software. With SGX, a secure computing region can be established in a computer, providing hardware-level security isolation and protection for the code inside it. On an SGX-enabled device, a user can use instructions to create a secure container (Enclave) in memory to protect the program inside it, and even malicious privileged software (such as the operating system or a virtual machine monitor) cannot violate the integrity and confidentiality of the program during execution. Executing programs securely inside SGX can effectively improve the generality of a scheme. However, existing SGX suffers from side channel attacks, such as page-table-based, cache-based and DRAM-based side channel attacks.
To address the side channel attack problem of SGX, Shih et al. proposed T-SGX, a scheme designed to resist the information leakage caused by asynchronous Enclave exits that occur when exceptions are raised during code execution; it uses the widely deployed Transactional Synchronization Extensions (TSX) to suppress page faults and other synchronous exceptions, thereby mitigating page-table side channel attacks. Ahmad et al. proposed OBFUSCURO, a combined software and hardware scheme that uses SGX and ORAM to resist access-pattern leakage: before the Enclave runs, an LLVM compiler compiles code and data into fine-grained code blocks and data blocks, and the number of data accesses of one code block is strictly limited to one, which effectively resists side channel attacks based on the page table, the cache and DRAM. Furthermore, Lee et al. proposed the Zigzagger scheme, which converts conditional branch code in a program into unconditional branch code that jumps to a fixed location, thereby hiding control flow. Existing schemes can resist one or several SGX side channel attacks, but their overhead is large. There is therefore a need for a more efficient technique for protecting against SGX side channel attacks.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a ciphertext loading method for resisting SGX side channel attack, which comprises the following steps:
Step 1: the user generates a symmetric key and entrusts the encrypted ciphertext to an application program of a cloud service provider;
Step 2: verifying, according to a remote authentication protocol, whether the secure container Enclave in the cloud server is trusted, thereby carrying out the remote authentication process;
Step 3: during remote authentication, using the ECDH algorithm to construct a secure communication channel between the user and the server;
Step 4: transmitting the key used to encrypt the program and the parameters required to run the program to the Enclave of the cloud environment for decrypting the ciphertext.
Step 1 comprises the following steps:
Step 1.1: the user generates a pair of symmetric keys k_0 using the AES-GCM algorithm implemented with the AES-NI instruction set provided by Intel;
Step 1.2: using the generated symmetric key k_0, the plaintext program P_user that the user will host with the cloud service provider is encrypted to obtain the encrypted application program {P_user}_{k_0};
Step 1.3: the encrypted application program {P_user}_{k_0} is sent to the cloud service provider, and the cloud service provider loads {P_user}_{k_0} and the loader program P_loader into an Enclave of the platform;
Step 1.4: when the secure container Enclave is created through the cloud service provider, the secure memory pages allocated for {P_user}_{k_0} are set as Enclave code pages with read, write and execute permissions.
Step 2 comprises the following steps:
Step 2.1: the application program of the SGX platform receives the challenge value sent by the challenger;
Step 2.2: the application program of the SGX platform sends the received challenge value and the authentication request to the secure container Enclave to be authenticated;
Step 2.3: the secure container Enclave to be authenticated generates a local authentication report REPORT according to the Report key and the measurement log, and sends the REPORT to the application program;
Step 2.4: after receiving the REPORT, the application program sends it to the Quoting Enclave for verification and signing;
Step 2.5: the Quoting Enclave uses the Report key to verify the REPORT, then signs the REPORT with the authentication key to generate the remote authentication report QUOTE, and returns it to the application program;
Step 2.6: the application program sends the remote authentication report QUOTE to the remote party;
Step 2.7: the remote party verifies the QUOTE by sending it to the Intel authentication service (IAS), and returns a response signal of the remote verification.
Step 3 comprises the following steps:
Step 3.1: g^x mod n is computed from the random number x generated by the user side, and X = g^x mod n, where n is a prime number shared by the user and the server, g is an integer shared by the user and the server, g is a primitive root of n, and mod denotes the remainder operation;
Step 3.2: the identity of the user side and the generated X are constructed into a REPORT, which is sent to the Quoting Enclave;
Step 3.3: the Quoting Enclave verifies the identity information of the client-side secure container Enclave and, after successful verification, returns the quote structure QUOTE;
Step 3.4: the QUOTE is encrypted using the EPID and sent to the secure container Enclave on the cloud server side; that Enclave decrypts it to obtain X, generates a random number y, computes g^y mod n, and sets Y = g^y mod n;
Step 3.5: the secure container Enclave on the cloud server side sends Y and the response signal of the remote verification to the secure container Enclave on the client side;
Step 3.6: the user side computes Y^x mod n while the server side computes X^y mod n; if the two results are the same, a secure communication channel has been successfully established between the user and the server, and the result is recorded as K.
Step 4 comprises the following steps:
Step 4.1: the user uses the result K to encrypt the key k_0 and the execution parameters Par to be submitted, obtaining {k_0, Par}_K, and sends it to the cloud service provider, which forwards it to the secure container Enclave;
Step 4.2: the secure container Enclave verifies whether the message comes from the correct user, and then uses K to decrypt {k_0, Par}_K, obtaining the decryption key k_0 of the program and the program execution parameters Par;
Step 4.3: the secure container Enclave uses k_0 to decrypt {P_user}_{k_0}, obtaining the user's plaintext program P_user; the loader program P_loader then encrypts the result R_par corresponding to the execution parameters Par with K to obtain {R_par}_K, which is returned to the cloud service provider and sent by the cloud service provider to the user;
Step 4.4: the user decrypts {R_par}_K using K and obtains the program execution result R_par.
The invention has the beneficial effects that:
the invention provides a cipher text loading method for resisting SGX side channel attack, which makes full use of a remote authentication mechanism in SGX and protects an encryption key used in the process of encrypting a plaintext program by combining a key constructed by a key exchange protocol, thereby reducing the cost of a scheme while resisting side channel attack. In addition, the method solves the problem that the code page granted with the writable and executable authority lacks data execution protection.
Drawings
FIG. 1 is a flowchart of a ciphertext loading method for defending against SGX side channel attacks in the present invention;
FIG. 2 is a schematic diagram of a ciphertext loading method for defending against SGX side channel attack in the present invention;
FIG. 3 is a block diagram of the remote authentication and key exchange process of the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific examples. From the viewpoint of limiting the conditions an attack requires, the invention provides a scheme based on ciphertext loading for defending against SGX side channel attacks. The scheme is based on the remote authentication mechanism combined with a key exchange protocol, and provides low-overhead protection against SGX side channel attacks. Remote authentication is a mechanism provided by Intel that helps an Enclave prove to a remote party that specific code is running securely on an SGX-enabled platform; the key exchange protocol is a protocol provided by Intel with which two parties construct a secure channel. Combining the two makes it possible to resist side channel attacks while using less overhead.
The ciphertext loading method for resisting SGX side channel attacks is based on the remote authentication provided by Intel SGX and uses a key exchange protocol on top of remote authentication, thereby effectively protecting the key used to encrypt the program, so that the program is securely transmitted into the SGX Enclave of an Intel processor and securely decrypted. The symbols used in the invention are as follows: P_user: the user's program; k_0: the key the user uses to encrypt P_user; P_loader: the loader program; Par: the parameters passed in; R_par: the return value obtained by executing P_user with Par; K: the key established between the user and P_loader.
As shown in FIG. 2, the source program is first encrypted and transmitted to the cloud provider; the cloud provider loads the ciphertext code and the loader program and initializes the Enclave of the cloud environment from this information. Remote authentication is then performed between the user and the cloud environment and a secure communication channel is constructed; in the remote authentication protocol, Intel provides some user-defined data, and the user securely transmits the key used for encryption to the Enclave in the cloud environment through the key exchange protocol. Finally, the Enclave uses the key to decrypt the program, and the loader program executes the program according to the parameters passed by the user. Before it is transmitted into the Enclave, the program exists as ciphertext, and a malicious environment cannot obtain the plaintext of the program, so the confidentiality of the program is ensured.
Based on the above principle, a ciphertext loading method for resisting SGX side channel attack is provided, as shown in fig. 1, including the following steps:
Step 1: the user generates a symmetric key and entrusts the encrypted ciphertext to an application program of a cloud service provider; this comprises the following steps:
Step 1.1: the user generates a pair of symmetric keys k_0 using the AES-GCM algorithm implemented with the AES-NI instruction set provided by Intel; AES-GCM is an authenticated encryption algorithm that produces both the encrypted data and an authentication code for a given plaintext.
Step 1.2: using the generated symmetric key k_0, the plaintext program P_user that the user will host with the cloud service provider is encrypted to obtain the encrypted application program {P_user}_{k_0};
Step 1.3: the encrypted application program {P_user}_{k_0} is sent to the cloud service provider, and the cloud service provider loads {P_user}_{k_0} and the loader program P_loader into an Enclave of the platform;
Step 1.4: through the cloud service provider, the secure memory pages that the secure container Enclave allocates for {P_user}_{k_0} are set as Enclave code pages with read, write and execute permissions.
In the key exchange stage, the user verifies whether the Enclave in the cloud server is trusted by using the remote authentication protocol provided by Intel; the protocol is implemented as a process of multiple interactions.
Step 2: verifying, according to a remote authentication protocol, whether the secure container Enclave in the cloud server is trusted, thereby carrying out the remote authentication process; this comprises the following steps:
Step 2.1: the application program of the SGX platform receives the challenge value sent by the challenger;
Step 2.2: the application program of the SGX platform sends the received challenge value and the authentication request to the secure container Enclave to be authenticated;
Step 2.3: the secure container Enclave to be authenticated generates a local authentication report REPORT according to the Report key (only Enclaves of the same platform can generate the same Report key) and the measurement log (generated by hardware, it records all activities in the Enclave construction process), and sends the REPORT to the application program;
Step 2.4: after receiving the REPORT, the application program sends it to the Quoting Enclave for verification and signing; the Quoting Enclave is a special Enclave provided by Intel, and only the Quoting Enclave can use the authentication key (Attestation Key), which is bound to the platform hardware information. The Attestation Key represents the trustworthiness of the platform.
Step 2.5: the Quoting Enclave uses the Report key to verify the REPORT, then signs the REPORT with the authentication key (Attestation Key) to generate the remote authentication report QUOTE, and returns it to the application program;
Step 2.6: the application program sends the remote authentication report QUOTE to the remote party;
Step 2.7: the remote party verifies the QUOTE by sending it to the Intel authentication service (IAS), and returns a response signal of the remote verification.
In the process of remote authentication, Intel provides some custom data that the user controls; this custom data is used to implement the ECDH (Elliptic-Curve Diffie-Hellman) algorithm, thereby constructing a secure communication channel between the user and the server.
Step 3: during remote authentication, using the ECDH algorithm to construct a secure communication channel between the user and the server; this comprises the following steps:
Step 3.1: g^x mod n is computed from the random number x generated by the user side, and X = g^x mod n, where n is a prime number shared by the user and the server, g is an integer shared by the user and the server, g is a primitive root of n, and mod denotes the remainder operation; the prime number n and the integer g shared by the user and the server are public and can be seen by an attacker.
Step 3.2: the identity of the user side and the generated X are constructed into a REPORT, which is sent to the Quoting Enclave;
Step 3.3: the Quoting Enclave verifies the identity information of the client-side secure container Enclave and, after successful verification, returns the quote structure QUOTE;
Step 3.4: the QUOTE is encrypted using the EPID and sent to the secure container Enclave on the cloud server side; that Enclave decrypts it to obtain X, generates a random number y, computes g^y mod n, and sets Y = g^y mod n; the EPID (Enhanced Privacy ID) is the platform attestation signing key created by the Quoting Enclave; this key represents the trustworthiness not only of the platform but also of the underlying hardware, and is bound to the version of the processor firmware; while the Enclave system is running, only the Quoting Enclave can access the EPID key.
Step 3.5: the secure container Enclave on the cloud server side sends Y and the response signal of the remote verification to the secure container Enclave on the client side;
Step 3.6: the user side computes Y^x mod n while the server side computes X^y mod n; if the two results are the same, a secure communication channel has been successfully established between the user and the server, and the result is recorded as K.
The user and the server have now established a secure communication channel; at this point, only the key used to encrypt the program and the parameters required to run the program need to be passed to the Enclave of the cloud environment, as shown in FIG. 3.
Step 4: transmitting the key used to encrypt the program and the parameters required to run the program to the Enclave of the cloud environment for decrypting the ciphertext; this comprises the following steps:
Step 4.1: the user uses the result K to encrypt the key k_0 and the execution parameters Par to be submitted, obtaining {k_0, Par}_K, and sends it to the cloud service provider, which forwards it to the secure container Enclave;
Step 4.2: the secure container Enclave verifies whether the message comes from the correct user, and then uses K to decrypt {k_0, Par}_K, obtaining the decryption key k_0 of the program and the program execution parameters Par;
Step 4.3: the secure container Enclave uses k_0 to decrypt {P_user}_{k_0}, obtaining the user's plaintext program P_user; the loader program P_loader then encrypts the result R_par corresponding to the execution parameters Par with K to obtain {R_par}_K, which is returned to the cloud service provider and sent by the cloud service provider to the user;
Step 4.4: the user decrypts {R_par}_K using K and obtains the program execution result R_par.
Since the loader needs to complete the writing and execution of the application program at runtime, the user's code page is granted writable and executable rights, and one feature of Enclave is that the corresponding attribute cannot be changed after initialization, which may result in the code page in Enclave lacking data execution protection.
The method solves this problem by implementing a software-based data execution protection method, whose core idea is to enforce NRW boundaries (i.e. unreadable and writeable boundaries) in software inside the Enclave, forming a virtual barrier between code pages and data pages. Typically, a program reads and writes memory pages with explicit memory access instructions (mov, inc, add, etc.). To keep such instructions from reading or writing a code page, it is ensured that the memory address being accessed is always above the NRW boundary (i.e. the operands should not point to a code page). The scheme uses registers to hold the NRW boundary, which the loader program stores into the registers before the user program executes.
By hiding the plaintext program behind encrypted code, the method can resist most SGX side channel attacks and is therefore comprehensive in the attacks it resists; the method only encrypts the plaintext program and performs no other obfuscation on it, so its overhead is low; the method is a software-based data execution protection method and can effectively solve the problem that code pages lack data execution protection.
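A model of the NRW check described above, as an added example in Go that is not the patent's implementation: real enforcement instruments the machine instructions of the user program, whereas this model guards loads and stores on a byte slice. The memory layout (code pages below the boundary, data pages above it), the treatment of the boundary address itself as the first data address, and all names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

const pageSize = 4096 // EPC pages are 4 KiB

var errNRW = errors.New("operand below NRW boundary (points into a code page)")

// enclaveMem models one linear Enclave range: code pages in [0, nrw), data
// pages in [nrw, len(mem)). The layout and all names here are assumptions.
type enclaveMem struct {
	mem []byte
	nrw uint64 // stands in for the register holding the NRW boundary
	set bool   // true once the loader has stored the boundary
}

// loadProgram is the loader's only write to the code pages: it copies the
// decrypted program in and stores the page-aligned boundary before user code runs.
func (e *enclaveMem) loadProgram(code []byte) error {
	end := (uint64(len(code)) + pageSize - 1) / pageSize * pageSize
	if e.set || end >= uint64(len(e.mem)) {
		return errors.New("loader: boundary already set or no room for data pages")
	}
	copy(e.mem, code)
	e.nrw, e.set = end, true
	return nil
}

// check is the guard placed before every explicit load or store of n bytes.
// Testing the start address is enough to reject an access that straddles the
// boundary; the end < addr test rejects address arithmetic that wraps around.
func (e *enclaveMem) check(addr, n uint64) error {
	end := addr + n
	if !e.set || end < addr || end > uint64(len(e.mem)) {
		return fmt.Errorf("access [%#x, +%d) rejected: outside Enclave memory", addr, n)
	}
	if addr < e.nrw {
		return errNRW
	}
	return nil
}

func (e *enclaveMem) store(addr uint64, data []byte) error {
	if err := e.check(addr, uint64(len(data))); err != nil {
		return err
	}
	copy(e.mem[addr:], data)
	return nil
}

func (e *enclaveMem) load(addr, n uint64) ([]byte, error) {
	if err := e.check(addr, n); err != nil {
		return nil, err
	}
	return append([]byte(nil), e.mem[addr:addr+n]...), nil
}

func main() {
	e := &enclaveMem{mem: make([]byte, 4*pageSize)}
	fmt.Println(e.loadProgram([]byte{0x90, 0xc3})) // constructed two-byte "program"
	fmt.Println(e.store(0, []byte{0xcc}))          // rejected: code page
	fmt.Println(e.store(e.nrw, []byte{1, 2, 3}))   // allowed: first data page
}
```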

Claims (5)

1. A ciphertext loading method for resisting SGX side channel attack, characterized by comprising the following steps:
Step 1: the user generates a symmetric key and entrusts the encrypted ciphertext to an application program of a cloud service provider;
Step 2: verifying, according to a remote authentication protocol, whether the secure container Enclave in the cloud server is trusted, thereby carrying out the remote authentication process;
Step 3: during remote authentication, using the ECDH algorithm to construct a secure communication channel between the user and the server;
Step 4: transmitting the key used to encrypt the program and the parameters required to run the program to the Enclave of the cloud environment for decrypting the ciphertext.
2. The ciphertext loading method for defending against SGX side channel attack according to claim 1, wherein step 1 comprises:
Step 1.1: the user generates a pair of symmetric keys k_0 using the AES-GCM algorithm implemented with the AES-NI instruction set provided by Intel;
Step 1.2: using the generated symmetric key k_0, the plaintext program P_user that the user will host with the cloud service provider is encrypted to obtain the encrypted application program {P_user}_{k_0};
Step 1.3: the encrypted application program {P_user}_{k_0} is sent to the cloud service provider, and the cloud service provider loads {P_user}_{k_0} and the loader program P_loader into an Enclave of the platform;
Step 1.4: through the cloud service provider, the secure memory pages that the secure container Enclave allocates for {P_user}_{k_0} are set as Enclave code pages with read, write and execute permissions.
3. The ciphertext loading method for defending against SGX side channel attack according to claim 1, wherein step 2 comprises:
Step 2.1: the application program of the SGX platform receives the challenge value sent by the challenger;
Step 2.2: the application program of the SGX platform sends the received challenge value and the authentication request to the secure container Enclave to be authenticated;
Step 2.3: the secure container Enclave to be authenticated generates a local authentication report REPORT according to the Report key and the measurement log, and sends the REPORT to the application program;
Step 2.4: after receiving the REPORT, the application program sends it to the Quoting Enclave for verification and signing;
Step 2.5: the Quoting Enclave uses the Report key to verify the REPORT, then signs the REPORT with the authentication key to generate the remote authentication report QUOTE, and returns it to the application program;
Step 2.6: the application program sends the remote authentication report QUOTE to the remote party;
Step 2.7: the remote party verifies the QUOTE by sending it to the Intel authentication service (IAS), and returns a response signal of the remote verification.
4. The ciphertext loading method for defending against SGX side channel attack according to claim 1, wherein step 3 comprises:
Step 3.1: g^x mod n is computed from the random number x generated by the user side, and X = g^x mod n, where n is a prime number shared by the user and the server, g is an integer shared by the user and the server, g is a primitive root of n, and mod denotes the remainder operation;
Step 3.2: the identity of the user side and the generated X are constructed into a REPORT, which is sent to the Quoting Enclave;
Step 3.3: the Quoting Enclave verifies the identity information of the client-side secure container Enclave and, after successful verification, returns the quote structure QUOTE;
Step 3.4: the QUOTE is encrypted using the EPID and sent to the secure container Enclave on the cloud server side; that Enclave decrypts it to obtain X, generates a random number y, computes g^y mod n, and sets Y = g^y mod n;
Step 3.5: the secure container Enclave on the cloud server side sends Y and the response signal of the remote verification to the secure container Enclave on the client side;
Step 3.6: the user side computes Y^x mod n while the server side computes X^y mod n; if the two results are the same, a secure communication channel has been successfully established between the user and the server, and the result is recorded as K.
5. The ciphertext loading method for defending against SGX side channel attack according to claim 1, wherein step 4 comprises:
Step 4.1: the user uses the result K to encrypt the key k_0 and the execution parameters Par to be submitted, obtaining {k_0, Par}_K, and sends it to the cloud service provider, which forwards it to the secure container Enclave;
Step 4.2: the secure container Enclave verifies whether the message comes from the correct user, and then uses K to decrypt {k_0, Par}_K, obtaining the decryption key k_0 of the program and the program execution parameters Par;
Step 4.3: the secure container Enclave uses k_0 to decrypt {P_user}_{k_0}, obtaining the user's plaintext program P_user; the loader program P_loader then encrypts the result R_par corresponding to the execution parameters Par with K to obtain {R_par}_K, which is returned to the cloud service provider and sent by the cloud service provider to the user;
Step 4.4: the user decrypts {R_par}_K using K and obtains the program execution result R_par.
CN202110973607.8A 2021-08-24 2021-08-24 Ciphertext loading method for resisting SGX side channel attack Active CN113810382B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110973607.8A CN113810382B (en) 2021-08-24 2021-08-24 Ciphertext loading method for resisting SGX side channel attack

Publications (2)

Publication Number Publication Date
CN113810382A true CN113810382A (en) 2021-12-17
CN113810382B CN113810382B (en) 2023-07-11

Family

ID=78894008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110973607.8A Active CN113810382B (en) 2021-08-24 2021-08-24 Ciphertext loading method for resisting SGX side channel attack

Country Status (1)

Country Link
CN (1) CN113810382B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114462047A (en) * 2022-01-25 2022-05-10 北京工业大学 Cloud outsourcing computing security method based on SGX technology
CN114462047B (en) * 2022-01-25 2024-03-29 北京工业大学 Cloud outsourcing calculation safety method based on SGX technology
CN115081000A (en) * 2022-06-17 2022-09-20 苏州浪潮智能科技有限公司 Method, system, device and storage medium for protecting source code of remote object program
CN115270134A (en) * 2022-07-18 2022-11-01 京信数据科技有限公司 Computing method and system based on FPGA trusted execution environment
CN115270134B (en) * 2022-07-18 2023-04-18 京信数据科技有限公司 Computing method and system based on FPGA trusted execution environment

Also Published As

Publication number Publication date
CN113810382B (en) 2023-07-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Shi Wenbo, Zhang Jian, Zhang Jianlei, Wang Qinghao, Lu Ning
Inventor before: Zhang Jian, Zhang Jianlei, Wang Qinghao, Shi Wenbo, Lu Ning