CN107919954B - A kind of block chain user key guard method and device based on SGX software protecting extended instruction - Google Patents

A kind of block chain user key guard method and device based on SGX software protecting extended instruction Download PDF

Info

Publication number
CN107919954B
CN107919954B CN201710989478.5A CN201710989478A CN107919954B CN 107919954 B CN107919954 B CN 107919954B CN 201710989478 A CN201710989478 A CN 201710989478A CN 107919954 B CN107919954 B CN 107919954B
Authority
CN
China
Prior art keywords
key
user
block chain
sgx
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710989478.5A
Other languages
Chinese (zh)
Other versions
CN107919954A (en
Inventor
陈建海
刘丁豪
王津航
何钦铭
黄步添
林威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN201710989478.5A priority Critical patent/CN107919954B/en
Publication of CN107919954A publication Critical patent/CN107919954A/en
Application granted granted Critical
Publication of CN107919954B publication Critical patent/CN107919954B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The block chain user key protective device based on SGX that the invention discloses a kind of, comprising: SGX encrypting module generates confidence space based on software protecting extended instruction, and generates the access key for verifying the confidence space access authority;The confidence space is used for the user key and cipher key operation function of memory block chain network;Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting module, calls cipher key operation function therein, realizes that the verifying to transaction is known together;It trades constructing module, initiates transaction according to the user's intention, by the access cipher key access SGX encrypting module, call cipher key operation function therein, realize the filling of Transaction Information and legalize, and broadcast the transaction to block chain network.The invention also discloses block chain user key guard methods.This method can effectively resist Malware to the sniff of user local key with crack, protect the block chain assets of user not encroached on.

Description

A kind of block chain user key guard method based on SGX software protecting extended instruction And device
Technical field
The present invention relates to block chain application field more particularly to a kind of block chains based on SGX software protecting extended instruction User key guard method and device.
Background technique
The development of the emerging technologies such as cloud computing, internet and big data, so that conventional center system information data is total to The demand of enjoying is increasingly urgent to.However, centralized system lacks a kind of safe and reliable mechanism, it is always the pain spot of reality.With than Deeply, bottom block chain technology is drawn in recent years to solve the problems, such as that real pain spot provides effective means for the rise and application of special coin Extensive concern is played.Block chain technology is born as bit coin Floor layer Technology with architecture, is substantially one and goes The accounting system of the heart, a similar Distributed sharing account book.Novel block catenary system uses P2P network technology, cryptography, is total to Know algorithm, the intelligent technologies such as contract and distributed data base, there are data can not distort, system collective safeguards, information discloses Bright equal traditional account book system characteristic too far behind to catch up, this makes a kind of great potential, decentralization Assets Reorganization Taking science and engineering Tool and technology.
Using bit coin as the publicly-owned block chain of representative, so that block chain has the key property of issue value assets.User Key is the significant data in block catenary system.The safety of key is the important leverage of user's right.In block catenary system, number The ownership of word assets (such as bit coin) is being established by digital cipher and digital signature.Digital cipher is not deposited actually It is stored in block chain network, but keeping is responsible for by each user, is maintained secrecy to other people.The safety of block chain is just to rely on key Decentralised control.Meanwhile the characteristics such as the decentralization of block chain is trusted and control, ownership authenticate also are all based on modern password What key mechanism was realized.According to Cryptography Principles, only effective key could generate effective digital signature, only have The digital signature of effect just can make the transaction on chain effective.This has fundamentally prevented the possibility that transaction is forged on block chain, ensures The interests of user.
As soon as however, possess the key or its copy of a user account if there is third party, then third party user's energy Practical control corresponds to the account assets of the key.Therefore, for a user, once lose or damage key, user Oneself corresponding total assets may be thoroughly lost, and gives means for change without any.The block link network healthy and strong for one Network, careless omission of the single user in key management will not influence the stabilization of whole network, but user will undertake whole Consequence.In addition, the modern general-purpose operating system is not fool proof, be also not suitable for storing key information with document form.Especially with Internet technology it is universal, our computer passes through internet for a long time and is exposed to outer, and during which Malware or program can be with It is concealed and easily steal local data;Or the carelessness due to operator, it is mixed into Malware and is installed on local, Jin Erwei Coerce all important local datas.
To protect key, there are mainly two types of common methods.The first is stored after encrypting key.This is a kind of common Security means, but the effect of this method is influenced by specific Encryption Algorithm and means.Because by data simple encryption and being stored in Operating system is local, and Malware still has an opportunity continuous access, and can attempt to decrypt in period and obtain key, complicated evil Meaning software even can directly extract confidential data from memory, threaten key safety;Excessively complicated encryption method is then use The maintenance at family brings very big burden, in some instances it may even be possible to because forgeing or " loss " key due to lost part encryption details.It is another opposite Safer method is that the key information of key or encryption is recorded in the physics such as paper, plastics, metal using physical store Medium, and back up and multiple be subject to safe preservation (being such as locked into safety box) respectively.But this method will lead to using key just Victory decline.Once (especially being handed over using itself part professional user or block chain because the frequency of use of key rises Easily frequently), user just has to handle cumbersome write operation one by one.
For compromise between security and availability, anti-tamper " wallet " technology of professional hardware is come into being.Unlike be easy to by To the common soft and hardware of attack, hardware wallet only provides the generation system and correlation of very limited interface or even built-in key Proving program externally only exports the signature of private key, to provide security level almost safe against all possibilities for unprofessional user, simultaneously Also there is comparable ease for operation.For the risk for evading damage and loss, hardware wallet is usually very firm, and provides for user The approach of physical backup private key.But the framework of its highly-specialised generally requires tightly to dock with the application of specific block chain, To be allowed to be difficult to be designed to a common apparatus.There is no general type block chain key storage hardware at present, only for specific The dedicated hardware wallet (such as Trezor) of block chain application (such as bit coin).
Intel SGX (Software Guard Extensions) is a set of cpu instruction, can be supported using creation safety Area (enclave): in application address space shielded region, it may be ensured that the machine of the terminal operating system environmentally information content Close property and integrality.The memory content for attempting to access enclave from software respective is not allowed to, even enhanced privileges are soft Part (such as master operating system, monitor of virtual machine etc.) does not allow to access.The security boundary of enclave only include CPU and it from Body.The enclave of SGX creation is it can be appreciated that a credible performing environment TEE.A CPU can be run more in SGX technology A safe enclaves, support concurrently execute.
Summary of the invention
The block chain user key protective device based on SGX software protecting extended instruction that the present invention provides a kind of, in area The client node of block chain application system introduces SGX, and the block chain user key protective device and various block chain network are mutual It is compatible, it can be used as the node administration component of block chain network, provide key preservation and the service for checking credentials for block chain network user.
A kind of block chain user key protective device based on SGX software protecting extended instruction, comprising:
SGX encrypting module generates confidence space based on software protecting extended instruction, and generates for verifying the credible sky Between access authority access key;The confidence space is used for the user key and cipher key operation function of memory block chain network;
Transaction common recognition module, receives the transaction from block chain network, encrypts mould by the access cipher key access SGX Block calls cipher key operation function therein, realizes that the verifying to transaction is known together;
It trades constructing module, initiates transaction according to the user's intention, by the access cipher key access SGX encrypting module, Cipher key operation function therein is called, the filling of Transaction Information is realized and legalizes, and broadcasts the transaction to block chain network.
Preferably, the SGX encrypting module includes:
User's space, including processing space and confidence space;The processing space is for loading user key and key behaviour Make the certificate information of function, the confidence space is for storing user key and cipher key operation function;
SGX driver is measured by the certificate information to user key and cipher key operation function, is the user Key and cipher key operation function distribute confidence space, and it is hard that the certificate information of user key and cipher key operation function is passed to SGX Part processor;
SGX hardware processor carries out user key and cipher key operation function certificate information and the integrality of confidence space Verifying, it is raw according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor characteristic of user key and cipher key operation function certificate At the access key of confidence space, encrypted by accessing key pair confidence space.
The SGX driver belongs to operating system;SGX hardware processor belongs to hardware architecture.
The access key of confidence space is block chain network user key, cipher key operation function and the SGX hardware by user The physical hardware information of processor, which is intersected, to be generated, and ensure that the safety and validity of associated verification step.
The block chain user key guard method based on SGX software protecting extended instruction that the present invention also provides a kind of, should Method passes through the client node for introducing the SGX hardware of Intel to block chain network user, (credible using the enclave of SGX Space) mechanism, safe user key memory space and corresponding accessing operation are locally being constructed, is realizing local user's key Secure storage and use.
A kind of block chain user key guard method based on SGX software protecting extended instruction, comprising:
(1) it obtains user key and is stored in SGX encrypting module;
(2) relevant cipher key operation is handled.
Step (1) includes:
(1-1) obtains the user key that block chain is approved with secure way;
The step of the case where for needing user to be autonomously generated user key, generation user key, should be in the equipment of safety (such as from the emergency PC of failed cluster) is generated by the complete seed of cryptography and algorithm according to regulation format.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety Close mode obtains;Or it is obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all It is recommended that user carries out the backup of safety to the user key of acquisition in advance.It is proposed with physical store or the storage of offline secure equipment Etc. modes user key is backed up;And more parts are backed up, give secure storage respectively.
(1-3) generates public key from user key and is stored in local;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key Coin), it oneself is transacting targeted so that other people specify.So needs execute the step before storing user key to generate and user The corresponding public key of key, is stored in local.
The address that public key generates can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network With the block catenary system (address that such as each user can inquire each user to block chain network) of address, which can be by block chain Network is completed.
User key is stored in SGX encrypting module by (1-4).
Step (1-4) includes:
(a) certificate for generating user key and cipher key operation function, by user key and cipher key operation function and the card Book uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX driver, Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of user key and cipher key operation function and passes to SGX hardware handles Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information Access key, by access key pair confidence space encrypted;
(d) step (a)~(c) is repeated, multiple confidence spaces is established, more parts of user keys of backup is stored in difference respectively Confidence space in.
In step (2), handling relevant cipher key operation includes key behaviour caused by processing is traded by block chain network is incoming Make and cipher key operation caused by trading is initiated by user.
Cipher key operation caused by processing is traded by block chain network is incoming the following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, counts It calculates the priority of transaction and is ranked up;
The verifying of the part is limited to not needing the verifying of user key, for example, verify transaction whether version correct, transaction Whether amount of assets is legal etc..The priority for selectively completing transaction depending on the framework of specific block chain simultaneously calculates and the behaviour such as sequence Make.
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky Interior key authentication function verifies the part that user key is needed in transaction;
Need the verifying of the part of user key to be limited to need the verifying of user key, for example, determine it is transacting targeted whether be Oneself etc..
(IV) inspection calls another credible sky if call result is abnormal to the call result of key authentication function Interior key authentication function, until call result is normal;Verification information is packaged into verification result later, completes testing for transaction Card;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading.
Processing by user initiate trade caused by cipher key operation the following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
In the step, block chain client needs to trade according to the legal construction of rule of respective block chain, for transaction supplement The necessary informations such as destination address, turnover;Simultaneously in the step, block chain client is without providing the signing messages of oneself;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky Interior key signature function obtains user key signature;
(III) it checks and another credible sky is called if call result is abnormal to the call result of key signature function Interior key signature function, until call result is normal;Signing messages is packaged to the structure that transaction is completed into Transaction Information later It builds;
(IV) it broadcasts and trades to block chain network.
Compared with prior art, the invention has the benefit that
(1) the block chain user key protective device of the invention based on SGX has both safety, availability and general simultaneously Property, can effectively resist Malware to the sniff of user local key with crack, protect the block chain assets of user not encroached on;
(2) operation of block chain client is divided into two independent sectors, and function is called using different keys in each part, Improve the operational paradigm of block chain client.Two parts are placed on Enclave (confidence space) to the operation of key simultaneously Interior execution, external program can not learn key information and relevant operation.Key will not be come across with clear-text way it is any can not Believe memory, memory overflow attack can be resisted;
(3) a kind of more Enclave mechanism are given, the safety of key preservation is further improved.Even if single Enclave damage, client remain to operate normally, and user can receive the feedback of Enclave damage simultaneously, take further Client is safeguarded in specific aim measure, protects key;
(4) a set of safe operating process is given for being not affected by the key pre-write of SGX protection, use can be effectively reduced The security threat that family key is subject to before being protected by SGX.
Detailed description of the invention
Fig. 1 is the structure and workflow schematic diagram that the block chain user key based on SGX protects client;
Fig. 2 is the flow diagram for obtaining user key and being stored in SGX encrypting module;
Fig. 3 is the flow diagram of cipher key operation caused by processing is traded by block chain network is incoming;
Fig. 4 is the flow diagram that cipher key operation caused by trading is initiated in processing by user.
Specific embodiment
Present invention is further described in detail with reference to the accompanying drawings and examples.
The block chain user key protective device based on SGX of the present embodiment, including 3 software modules: transaction common recognition mould Block, transaction constructing module and SGX encrypting module, Row control is as shown in Figure 1, specific as follows:
(1) preliminary treatment: need to carry out the acquisition and write-in of block chain key before the operation of block chain client in advance SGX, process are as shown in Figure 2.
(1-1) obtains the user key that block chain is approved with secure way;
The step of the case where for needing user to be autonomously generated user key, generation user key, should be in the equipment of safety (such as from the emergency PC of failed cluster) is generated by the complete seed of cryptography and algorithm according to regulation format.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety Close mode obtains;Or it is obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all It is recommended that user carries out the backup of safety to the user key of acquisition in advance.It is proposed with physical store or the storage of offline secure equipment Etc. modes user key is backed up;And more parts are backed up, give secure storage respectively.
(1-3) is from user key generation public key and storage and locally;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key Coin), it oneself is transacting targeted so that other people specify.So needs execute the step before storing user key to generate and user The corresponding public key of key, is stored in local.
The address that public key generates can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network With the block catenary system (address that such as each user can inquire each user to block chain network) of address, which can be by block chain Network is completed.
User key is stored in SGX encrypting module by (1-4).
Step (1-4) includes:
(a) generate user key and cipher key operation function certificate, by user key and and cipher key operation function with it is described Certificate uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX driver, Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of user key and cipher key operation function and passes to SGX hardware handles Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information Access key, by access key pair confidence space encrypted.
(d) step (a)~(c) is repeated, multiple confidence spaces is established, more parts of user keys of backup is stored in difference respectively Confidence space in.
Key deposit SGX SGX encrypting module is used into wherein, effect is generated based on software protecting extended instruction Enclave come store user key information and cipher key operation function, and generate to verify the close of confidence space access authority Key is operated with for subsequent access.The process establishes multiple enclave (being 3 in this example, such as Fig. 1) simultaneously, to ensure Block chain client remains to operate normally when extremely in special circumstances single enclave is damaged, and gives user feedback to repair The enclave of damage avoids user's Lost Security Key without knowing it.
(2) transaction common recognition processing: the part is common to complete transaction common recognition using transaction common recognition module and SGX encrypting module Processing, process are as shown in Figure 3.The effect of transaction common recognition module is to receive the transaction flow from block chain network, and carry out lattice The authentication functions such as formula verifying, number of deals verifying, by calling the completion of SGX encrypting module to need user key in verification process Verifying, final realize know together to the verifying traded in network.Once the verifying function in safety zone returns to exception, just call another Identical verifying function in a safety zone, until completing verifying.The effect of SGX encrypting module herein is provided for common recognition processing It is capable of the verifying function of security invocation user blocks chain account key.
The following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, counts It calculates the priority of transaction and is ranked up;
The verifying of the part is limited to not needing the verifying of user key, for example, verify transaction whether version correct, transaction Whether amount of assets is legal etc..The priority for selectively completing transaction depending on the framework of specific block chain simultaneously calculates and the behaviour such as sequence Make.
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky Interior key authentication function verifies the part that user key is needed in transaction;
Need the verifying of the part of user key to be limited to need the verifying of user key, for example, determine it is transacting targeted whether be Oneself etc..
(IV) inspection calls another credible sky if call result is abnormal to the call result of key authentication function Interior key authentication function, until call result is normal;Verification information is packaged into verification result later, completes testing for transaction Card;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading.
(3) transaction Construction treatment: the part is common to complete construction of trading using transaction constructing module and SGX encrypting module With initiation, process is as shown in Figure 4.Constructing module of trading initiates to trade according to the intention of user, passes through and calls SGX encrypting module It realizes the filling of Transaction Information and legalizes, and broadcast the transaction to the whole network.Once the signature function in safety zone returns to exception, Just the same signature function in another safety zone is called, until completing transaction building.The effect of SGX encrypting module herein is The signature function for capableing of security invocation user blocks chain account key is provided for transaction construction.
The following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
In the step, block chain client needs to trade according to the legal construction of rule of respective block chain, for transaction supplement The necessary informations such as destination address, turnover;Simultaneously in the step, block chain client is without providing the signing messages of oneself;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky Interior key signature function obtains user key signature;
Assets of the signature of the step for confirming that oneself is initiated in transaction are effective.
(III) it checks and another credible sky is called if call result is abnormal to the call result of key signature function Interior key signature function, until call result is normal;Signing messages is packaged to the structure that transaction is completed into Transaction Information later It builds;
If call result is abnormal, illustrates the user key damage in the confidence space, then call another confidence space Interior signature function reacquires signature.
(IV) it broadcasts and trades to block chain network.
Technical solution of the present invention and beneficial effect is described in detail in embodiment described above, it should be understood that Above is only a specific embodiment of the present invention, it is not intended to restrict the invention, it is all to be done in spirit of the invention Any modification, supplementary, and equivalent replacement etc., should all be included in the protection scope of the present invention.

Claims (3)

1. a kind of block chain user key protective device based on SGX software protecting extended instruction characterized by comprising
SGX encrypting module generates confidence space based on software protecting extended instruction, and generates and visit for verifying the confidence space Ask the access key of permission;The confidence space is used for the user key and cipher key operation function of memory block chain network;
Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting module, adjusts With cipher key operation function therein, realize that the verifying to transaction is known together;
Transaction constructing module, initiates transaction according to the user's intention, passes through the access cipher key access SGX encrypting module, calls Cipher key operation function therein, realizes the filling of Transaction Information and legalizes, and broadcasts the transaction to block chain network.
2. block chain user key protective device according to claim 1, which is characterized in that the SGX encrypting module Include:
User's space, including processing space and confidence space;The processing space is for loading user key and cipher key operation letter The certificate information of both numbers, the confidence space is for storing user key and cipher key operation function;
SGX driver is measured by the certificate information to both user key and cipher key operation function, is the user Key and cipher key operation function distribute confidence space, and the certificate information of both user key and cipher key operation function is passed to SGX hardware processor;
SGX hardware processor, the integrality of certificate information and confidence space to both user key and cipher key operation function into Row verifying, according to the cryptographic Hash of the certificate of both user key and cipher key operation function and SGX hardware processor characteristic Cryptographic Hash generates the access key of confidence space, is encrypted by accessing key pair confidence space.
3. a kind of block chain user key guard method based on SGX software protecting extended instruction characterized by comprising
(1) it obtains user key and is stored in SGX encrypting module, comprising:
(1-1) obtains the user key that block chain is approved with secure way;
(1-2) backs up user key;
(1-3) generates public key from user key and is stored in local;
User key is stored in SGX encrypting module by (1-4), comprising:
(a) certificate for generating both user key and cipher key operation function, by user key and cipher key operation function and the card Book uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out by certificate of the SGX driver to user key, cipher key operation function and the two uploaded, Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of both user key and cipher key operation function and passes to SGX hardware handles Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information Access key, by access key pair confidence space encrypted;
(d) repeat step (a)~(c), establish multiple confidence spaces, by more parts of user keys of backup be stored in respectively it is different can Believe in space;
(2) relevant cipher key operation, including processing are handled by the caused cipher key operation of the incoming transaction of block chain network and by user Initiate cipher key operation caused by trading;
Cipher key operation caused by processing is traded by block chain network is incoming the following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, calculates and hands over Easy priority is simultaneously ranked up;
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls in a certain confidence space Key authentication function the part that user key is needed in transaction is verified;
The call result of key authentication function is called in another confidence space in (IV) inspection if call result is abnormal Key authentication function, until call result is normal;Verification information is packaged to the verifying that transaction is completed into verification result later;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading;
Processing by user initiate trade caused by cipher key operation the following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls in a certain confidence space Key signature function obtain user key signature;
(III) it checks and the call result of key signature function is called in another confidence space if call result is abnormal Key signature function, until call result is normal;Signing messages is packaged to the building that transaction is completed into Transaction Information later;
(IV) it broadcasts and trades to block chain network.
CN201710989478.5A 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction Active CN107919954B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710989478.5A CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710989478.5A CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Publications (2)

Publication Number Publication Date
CN107919954A CN107919954A (en) 2018-04-17
CN107919954B true CN107919954B (en) 2019-05-14

Family

ID=61894889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710989478.5A Active CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Country Status (1)

Country Link
CN (1) CN107919954B (en)

Families Citing this family (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7372938B2 (en) * 2018-05-14 2023-11-01 エヌチェーン ライセンシング アーゲー Computer-implemented systems and methods for performing atomic swaps using blockchain
CN108921557A (en) * 2018-07-06 2018-11-30 佛山伊苏巨森科技有限公司 A method of it is traded by the system and protection of block chain network protection transaction
CN109101822B (en) * 2018-07-10 2021-01-29 西安交通大学 Method for solving data privacy disclosure problem in multi-party computing
CN110781492B (en) * 2018-07-31 2023-09-26 阿里巴巴集团控股有限公司 Data processing method, device, equipment and storage medium
CN109150517B (en) * 2018-09-04 2021-03-12 大唐高鸿信安(浙江)信息科技有限公司 Secret key safety management system and method based on SGX
CN110011801B (en) * 2018-11-16 2020-10-20 创新先进技术有限公司 Remote certification method and device for trusted application program and electronic equipment
CN110008686B (en) * 2018-11-16 2020-12-04 创新先进技术有限公司 Cross-block-chain data processing method and device, client and block chain system
CN109934579A (en) * 2018-11-30 2019-06-25 上海点融信息科技有限责任公司 For the key generation method of block chain network, endorsement method, storage medium, calculate equipment
CN111325545B (en) * 2018-12-13 2023-05-02 北京沃东天骏信息技术有限公司 Key management method, device and equipment based on blockchain
CN109766712B (en) * 2018-12-14 2020-08-25 华东师范大学 Credit reporting streaming method based on block chain and Intel SGX
CN110008735B (en) * 2019-01-31 2020-05-19 阿里巴巴集团控股有限公司 Method, node and storage medium for realizing contract calling in block chain
CN111899017A (en) * 2019-01-31 2020-11-06 创新先进技术有限公司 Method, node and storage medium for realizing privacy protection in block chain
CN110032884B (en) * 2019-01-31 2020-04-17 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN111767556A (en) * 2019-01-31 2020-10-13 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN111614464B (en) * 2019-01-31 2023-09-29 创新先进技术有限公司 Method for safely updating secret key in blockchain, node and storage medium
CN110032876B (en) * 2019-02-19 2020-03-06 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain
CN110022316A (en) * 2019-03-29 2019-07-16 阿里巴巴集团控股有限公司 The method and apparatus for creating block chain account and resetting account key
WO2019120336A2 (en) * 2019-04-19 2019-06-27 Alibaba Group Holding Limited Methods and devices for establishing communication between blockchain networks
ES2872101T3 (en) * 2019-04-26 2021-11-02 Advanced New Technologies Co Ltd Distributed key management for trusted runtime environments
CN110222485B (en) * 2019-05-14 2021-01-12 浙江大学 Industrial control white list management system and method based on SGX software protection extended instruction
CN110264196B (en) * 2019-05-20 2021-04-23 创新先进技术有限公司 Conditional receipt storage method and node combining code labeling and user type
CN110223172B (en) * 2019-05-20 2021-04-13 创新先进技术有限公司 Conditional receipt storage method and node combining code labeling and type dimension
CN110266659B (en) * 2019-05-31 2020-09-25 联想(北京)有限公司 Data processing method and equipment
CN110443710B (en) * 2019-08-02 2022-06-07 中国工商银行股份有限公司 Block chain system and method for batch signature
CN110675253A (en) * 2019-08-15 2020-01-10 山大地纬软件股份有限公司 Block chain-based exclusive digital asset trusted keeping and transferring device and method
CN110889696A (en) * 2019-11-27 2020-03-17 杭州趣链科技有限公司 Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology
CN111159018B (en) * 2019-12-17 2021-06-22 浙江大学 Software protection extended instruction SGX-based online fuzzy test system and method
CN111160905B (en) * 2019-12-17 2023-07-18 浙江大学 Block chain link point user request processing protection method and device
CN111404896B (en) * 2020-03-06 2022-03-04 杭州云象网络技术有限公司 Non-central identity authentication method based on SGX
CN111475782B (en) * 2020-04-08 2022-11-08 浙江大学 API (application program interface) key protection method and system based on SGX (generalized Standard X) software extension instruction
CN111709745A (en) * 2020-06-09 2020-09-25 浙江大学 SGX-based block chain transaction security protection system and method thereof
CN112235301B (en) * 2020-10-14 2023-06-06 北京金山云网络技术有限公司 Access right verification method and device and electronic equipment
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113055376A (en) * 2021-03-10 2021-06-29 电子科技大学 Block chain data protection system
CN114301928A (en) * 2021-11-29 2022-04-08 之江实验室 SGX-based chain uplink and downlink mixed consensus method and system
CN114629684A (en) * 2022-02-16 2022-06-14 深圳番多拉信息科技有限公司 Permission token processing method, system, device and storage medium based on block chain
CN116260595B (en) * 2023-05-15 2023-07-25 豪符密码检测技术(成都)有限责任公司 Cloud password detection method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106533694A (en) * 2016-11-03 2017-03-22 浙江大学 Method and system for implementation of Openstack token access protection mechanism
CN107113284A (en) * 2014-11-26 2017-08-29 英特尔公司 For the trusted computing base evidence binding of transportable virtual machine
CN107209722A (en) * 2015-02-23 2017-09-26 英特尔公司 For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160379212A1 (en) * 2015-06-26 2016-12-29 Intel Corporation System, apparatus and method for performing cryptographic operations in a trusted execution environment
US10318746B2 (en) * 2015-09-25 2019-06-11 Mcafee, Llc Provable traceability
US11209815B2 (en) * 2016-04-01 2021-12-28 Intel Corporation Drone control registration

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107113284A (en) * 2014-11-26 2017-08-29 英特尔公司 For the trusted computing base evidence binding of transportable virtual machine
CN107209722A (en) * 2015-02-23 2017-09-26 英特尔公司 For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave
CN106533694A (en) * 2016-11-03 2017-03-22 浙江大学 Method and system for implementation of Openstack token access protection mechanism

Also Published As

Publication number Publication date
CN107919954A (en) 2018-04-17

Similar Documents

Publication Publication Date Title
CN107919954B (en) A kind of block chain user key guard method and device based on SGX software protecting extended instruction
CN108418680B (en) Block chain key recovery method and medium based on secure multi-party computing technology
CN110034924B (en) Data processing method and device
TWI709314B (en) Data processing method and device
CN109274652B (en) Identity information verification system, method and device and computer storage medium
CN109412812B (en) Data security processing system, method, device and storage medium
CN110990827A (en) Identity information verification method, server and storage medium
CN109361668A (en) A kind of data trusted transmission method
US10498712B2 (en) Balancing public and personal security needs
AU2020244511B2 (en) Balancing public and personal security needs
CN105745661A (en) Policy-based trusted inspection of rights managed content
CN106027503A (en) Cloud storage data encryption method based on TPM
US9734346B2 (en) Device and method for providing security in remote digital forensic environment
CN111859446A (en) Agricultural product traceability information sharing-privacy protection method and system
CN105740725A (en) File protection method and system
CN111914293A (en) Data access authority verification method and device, computer equipment and storage medium
CN109309645A (en) A kind of software distribution security guard method
KR20090019576A (en) Certification method and system for a mobile phone
CN105933117A (en) Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage
US8756433B2 (en) Associating policy with unencrypted digital content
US8755521B2 (en) Security method and system for media playback devices
KR102055888B1 (en) Encryption and decryption method for protecting information
CN113901507A (en) Multi-party resource processing method and privacy computing system
TW202101267A (en) Account data processing method and account data processing system ensuring that there is encryption protection when account data is returned to an electronic payment dealer
CN116155496B (en) National soil transformation investigation data transmission method and device based on national secret algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant