CN112434326B - Trusted computing method and device based on data flow - Google Patents

Publication number
CN112434326B
Authority
CN
China
Prior art keywords
data stream
data
fragment
user program
trusted
Legal status
Active
Application number
CN202110111607.7A
Other languages
Chinese (zh)
Other versions
CN112434326A (en)
Inventor
余逸荣
邱鸿霖
吴行行
陈辰
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd, Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202110111607.7A
Publication of CN112434326A
Application granted
Publication of CN112434326B
Priority to PCT/CN2022/071787 (WO2022161182A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Abstract

A trusted computing method and device based on data flow are disclosed. The method comprises: receiving a call request sent by a user program, the call request comprising a fragmented data stream participating in the trusted computing and identification information of metadata corresponding to the fragmented data stream; in response to the call request, reading the fragmented data stream and the metadata from the storage service based on the identification information, the metadata comprising a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream; performing integrity verification on the data fragments in the fragmented data stream based on the verification information, and, after the integrity verification passes, decrypting the data fragments in the fragmented data stream based on the decryption key; and calling the trusted computing program and performing trusted computing based on the decrypted data fragments in the fragmented data stream.

Description

Trusted computing method and device based on data flow
Technical Field
The present disclosure relates to the field of computer applications, and in particular, to a trusted computing method and device based on data flow.
Background
Generally, when a business system needs to compute on and process private data, on the one hand, to ensure that the private data is not maliciously tampered with, blockchain technology can be adopted to store the relevant private data; on the other hand, to ensure the security of computing on and processing the private data, these tasks may be completed in a TEE (Trusted Execution Environment). However, since the memory resources available to the trusted execution environment TEE are usually limited, if the amount of private data to be computed on and processed is too large, the computation cannot be completed at one time.
Disclosure of Invention
In view of this, the present specification discloses a trusted computing method and device based on data flow.
According to a first aspect of embodiments of the present specification, a trusted computing method based on data flow is disclosed, which is applied to a computing device loaded with a trusted execution environment; a trusted computing program runs in the trusted execution environment; the computing device enables a storage service for storing a fragmented data stream that is uploaded by a user program and participates in the trusted computing, and metadata corresponding to the fragmented data stream; the data fragments in the fragmented data stream are each encrypted by the user program; the method comprises the following steps:
receiving a call request aiming at a trusted computing program sent by a user program; the calling request comprises a fragment data stream participating in the trusted computing and identification information of metadata corresponding to the fragment data stream;
reading the fragmented data stream and the metadata from the storage service based on the identification information in response to the call request; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
based on the verification information, carrying out integrity verification on the data fragments in the fragmented data stream, and further decrypting the data fragments in the fragmented data stream based on the decryption key after the integrity verification is passed;
and calling the trusted computing program, and performing trusted computing based on the decrypted data fragments in the fragment data stream.
According to a second aspect of the embodiments of the present specification, a data flow-based trusted computing apparatus is disclosed, which is applied to a computing device loaded with a trusted execution environment; a trusted computing program runs in the trusted execution environment; the computing device enables a storage service for storing a fragmented data stream that is uploaded by a user program and participates in the trusted computing, and metadata corresponding to the fragmented data stream; the data fragments in the fragmented data stream are each encrypted by the user program; the device comprises:
the receiving module is used for receiving a calling request aiming at the trusted computing program sent by the user program; the calling request comprises a fragment data stream participating in the trusted computing and identification information of metadata corresponding to the fragment data stream;
the reading module is used for responding to the calling request and reading the fragment data stream and the metadata from the storage service based on the identification information; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
the decryption module is used for carrying out integrity verification on the data fragments in the fragmented data stream based on the verification information, and further decrypting the data fragments in the fragmented data stream based on the decryption key after the integrity verification is passed;
and the computing module calls the trusted computing program and performs trusted computing on the basis of the decrypted data fragments in the fragment data stream.
In the above technical solution, on one hand, due to the adoption of a data stream-based data transmission and processing manner, a user program can upload all data fragments and corresponding metadata to a storage service enabled by a computing device in a data stream form, and the computing device can also read all data fragments and corresponding metadata from the storage service in the data stream form, and the user program does not need to wait for long time for fragments in a trusted execution environment TEE to be transmitted and processed one by one, so that the progress of other business processes at the user side is not affected;
on the other hand, since the metadata carries verification information for performing integrity verification on the data fragments in the corresponding fragment data stream, after the integrity verification is completed on the data fragments in the fragment data stream based on the verification information, the integrity of the data fragments participating in trusted computing in the trusted execution environment TEE can be ensured, and the reliability of the result of the trusted computing can be further improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with this specification and together with the description, serve to explain the principles.
FIG. 1 is an exemplary diagram of a trusted computing scenario as described herein;
FIG. 2 is a flow diagram of an exemplary method for trusted data-flow-based computing as described herein;
FIG. 3 is a diagram illustrating an example of a structure of a data slice and a metafile according to the present disclosure;
FIG. 4 is a diagram illustrating an exemplary architecture of a data-stream based trusted computing device as described herein;
FIG. 5 is a diagram illustrating an exemplary configuration of a computer device for performing trusted data-stream-based computing as described herein.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in one or more embodiments of the present disclosure, the technical solutions in one or more embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in one or more embodiments of the present disclosure. It is to be understood that the described embodiments are only a few, and not all embodiments. All other embodiments that can be derived by one of ordinary skill in the art from one or more embodiments of the disclosure without making any creative effort shall fall within the scope of the disclosure.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of systems and methods consistent with certain aspects of the present description, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Generally, when a business system needs to calculate and process some private data, the above calculation and processing tasks may be completed in a TEE (Trusted Execution Environment); however, since the memory resources allowed by the trusted execution environment TEE are usually limited, if the number of private data to be calculated and processed is too large, the calculation cannot be completed at one time.
In the related technology, a user can fragment a large volume of private data and send the fragments to the trusted execution environment TEE one by one; the trusted execution environment TEE then completes the computation fragment by fragment, so that faults caused by insufficient available memory resources of the trusted execution environment TEE can be avoided;
for example, assuming that the volume of the large batch of data to be processed reaches GB or even TB level, which is far beyond the memory resource available to the trusted execution environment TEE, the user program may determine the size of the fragment according to the size of the memory resource available to the trusted execution environment TEE, and after performing fragment processing on the large batch of data according to the determined size of the fragment, send the data fragments one by one to the trusted execution environment TEE for processing until all the data fragments are processed by the trusted execution environment TEE.
However, in the case of applying this scheme, in order to improve the data processing efficiency, the user program needs to continuously wait for the fragments to be transmitted and processed one by one, and send the next data fragment as soon as possible after the previous data fragment is processed by the trusted execution environment TEE, which may seriously affect the progress of other service processes on the user side.
In addition, in the above process, the trusted execution environment TEE cannot determine whether the received data fragment is lost, damaged or maliciously replaced, so that it is difficult to ensure the reliability of the result of the computing process.
Based on this, the present specification proposes a storage service enabled by a computing device as an input cache between a user program and a trusted execution environment TEE, and performs trusted computing based on a fragmented data stream obtained from the storage service and subjected to integrity check and decryption processing.
During implementation, original data needing to participate in trusted computing can form a fragmented data stream after fragmentation and encryption processing, and the fragmented data stream and metadata containing integrity check information and a decryption key are uploaded to a storage service enabled by computing equipment; the computing device can acquire the fragment data stream uploaded by the user program and the corresponding metadata, perform integrity verification and decryption on the data fragments in the corresponding fragment data stream based on the acquired metadata, and finally complete trusted computing based on the decrypted data fragments.
In the above technical solution, on one hand, due to the adoption of a data stream-based data transmission and processing manner, a user program can upload all data fragments and corresponding metadata to a storage service enabled by a computing device in a data stream form at one time, and the computing device can also read all data fragments and corresponding metadata from the storage service in the data stream form, and the user program does not need to wait for long time for fragments in a trusted execution environment TEE to be transmitted and processed one by one, so that other business process progress at a user side is not affected;
on the other hand, since the metadata carries verification information for performing integrity verification on the data fragments in the corresponding fragment data stream, after the integrity verification is completed on the data fragments in the fragment data stream based on the verification information, the integrity of the data fragments participating in trusted computing in the trusted execution environment TEE can be ensured, and the reliability of the result of the trusted computing can be further improved.
The present specification is described below with reference to specific embodiments and specific application scenarios.
Referring to FIG. 1, FIG. 1 is a diagram illustrating an example trusted computing scenario described herein; in this example, the raw data that needs to participate in trusted computing may be held by a user program, and the user program may process the raw data to form a fragmented data stream and corresponding metadata as shown in the figure, and upload the fragmented data stream and the metadata corresponding to the fragmented data stream to a storage service as shown in the figure; and the computing device with the trusted execution environment can acquire the fragmented data stream and the corresponding metadata from the storage service, so as to finally obtain a computing result of trusted computing.
It can be understood that, when the transmission speed of the data does not match the processing speed, since the storage service can cache the fragmented data stream and the corresponding metafile, the process in which the user program writes the fragmented data stream and the process in which the computing device acquires it can be completed asynchronously. The user program therefore does not have to wait while writing because data is processed too slowly in the trusted execution environment, and the trusted execution environment does not stall because the user program temporarily slows down its writes. Placing a storage service, which stores the fragmented data stream uploaded by the user program for the trusted computing and the metadata corresponding to the fragmented data stream, between the user program and the trusted execution environment thus reduces waiting time and improves the continuity of the business process.
Referring to fig. 2, fig. 2 is a flowchart illustrating a trusted computing method based on data flow according to an embodiment of the present disclosure; the method can be applied to a computing device loaded with a trusted execution environment; the trusted execution environment runs a trusted computing program; the computing device enables a storage service for storing the fragmented data stream which is uploaded by the user program and participates in the trusted computing and the metadata corresponding to the fragmented data stream; wherein, the data fragment in the fragment data stream is encrypted by the user program; the above method may comprise the steps of:
S201, receiving a call request for a trusted computing program sent by a user program; the call request comprises a fragmented data stream participating in the trusted computing and identification information of metadata corresponding to the fragmented data stream;
S202, in response to the call request, reading the fragmented data stream and the metadata from the storage service based on the identification information; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
S203, performing integrity verification on the data fragments in the fragmented data stream based on the verification information, and, after the integrity verification passes, decrypting the data fragments in the fragmented data stream based on the decryption key;
S204, calling the trusted computing program, and performing trusted computing based on the decrypted data fragments in the fragmented data stream.
The trusted execution environment may be a logical area in the processor that ensures the security, confidentiality and integrity of the code and data placed in it; generally, a trusted execution environment provides an execution environment isolated from the external system, and the external system can only perform input and output according to a preset specification and cannot obtain the running state of the code or the data inside the trusted execution environment; it can be understood that, for different software and hardware environments, the specific implementation form of the trusted execution environment may be determined by a developer; for example, the SGX (Software Guard Extensions) instruction set may be used on an Intel CPU to configure the trusted execution environment, and TrustZone technology may be used on an ARM processor to configure the trusted execution environment; the present specification does not enumerate or restrict the implementations further.
The computing device may be a single computer, or a computing cluster formed by combining a plurality of computers, or a logical host partitioned from a cloud computing platform, or a virtual machine running on a local computer; the detailed implementation form of the computing device need not be limited in this specification, and those skilled in the art can select an appropriate implementation form according to specific needs.
The trusted computing program may include any program that is intended to run in the trusted execution environment; those skilled in the art can design and develop the above trusted computing program according to specific business requirements, and the present specification does not need to make detailed limitations on the business functions of its specific implementation.
The user program may include an application program that runs outside the trusted execution environment and is used to invoke a trusted computing program in the trusted execution environment; it should be understood that the user program may be a program that runs on the same computing device as the trusted execution environment, or may be a program that runs on another computer that is communicatively connected to the computing device; for example, the data to be processed is stored in a data center a, the computing device equipped with the trusted execution environment is located in a computing center B, and a network communication connection is provided between the data center a and the computing center B, so that the user program may be an application program that is run in the data center a and needs to remotely call the computing device equipped with the trusted execution environment.
It is also understood that the user programs may be further subdivided according to functions, for example, issuing a call instruction and uploading the fragmented data stream may be completed by two different user programs, or the fragmented data stream may be uploaded by multiple user program functions; therefore, a person skilled in the art can determine the specific implementation form of the user program according to specific needs.
In this specification, the computing device may first receive a call request for the trusted computing program, which is sent by a user program; specifically, the invocation request may further include a fragmented data stream participating in the trusted computing, and identification information of metadata corresponding to the fragmented data stream. For example, the computing device may receive a call request from a user program, such as "execute a Func1 trusted computing program for AAAA sharded data stream and AAAA metadata". It is understood that the specific software implementation form of the above-mentioned call request is not limited in this specification, and those skilled in the art can determine implementation details according to the conditions of development language, environment, requirement, and the like of a specific software project.
In this specification, the computing device may read the fragmented data stream and the metadata from the storage service based on the identification information in response to the call request; the metadata may carry a decryption key for decrypting the data fragment in the fragmented data stream, and check information for performing integrity check on the data fragment in the fragmented data stream; for example, the fragmented data stream contains 2000 data fragments and shares the same decryption key, so that the meta-file may store the decryption key and integrity check information corresponding to the 2000 data fragments respectively.
It can be understood that the number of the above metafiles may correspond to the number of the fragmented data streams one to one, or a plurality of metafiles may correspond to one fragmented data stream; for example, a certain fragmented data stream includes 2000 data fragments, where the decryption key of the data fragment with odd number is different from the decryption key of the data fragment with even number, two different metafiles may be set for the fragmented data stream, or the two different decryption keys may be recorded in one metafile.
It is also understood that the storage service may be a storage service installed in the computing device, or may be a storage service installed in another device, such as an FTP server, an object storage server, or the like.
In one embodiment, the storage service may be a storage service installed in another device that interfaces with the computing device; for example, the storage service may be an object storage service provided by a data center a, and the computing device equipped with the trusted execution environment is located in a computing center B, and a network communication connection is provided between the data center a and the computing center B.
In one embodiment, the storage service may be a storage service installed in the computing device. In this case, the computing device may further receive, from a user program, a fragmented data stream participating in the trusted computing and the metadata corresponding to the fragmented data stream, store the received fragmented data stream and metadata in the storage service, and return identification information of the fragmented data stream and the corresponding metadata to the user program; for example, the storage service is a database service on the computer, and the computing device may acquire, from a download module of a user program, a fragmented data stream and corresponding metadata that the user program downloaded from another server, cache them in the database service, and return the primary key of the corresponding database entry to the user program as identification information, so that the user program can call a trusted computing program that needs the fragmented data stream and the corresponding metadata to participate in trusted computing.
In an embodiment shown, the identification information may include a storage address of the fragmented data stream and the corresponding metadata in the storage service; it can be understood that, in addition to using the storage address as the identification information, the meaning of the specific identification information can be selected by self according to the specific requirement and the query method supported by the storage service; for example, in a case where the storage service is an object storage service supporting query by object name, the identification information may be a name of a storage object corresponding to the fragmented data stream and corresponding metadata in the storage service.
In this specification, the computing device may perform integrity verification on the data fragments in the fragmented data stream based on the verification information, and further decrypt the data fragments in the fragmented data stream based on the decryption key after the integrity verification passes; specifically, those skilled in the art can select the encryption/decryption algorithm and the integrity check algorithm according to specific requirements, and the specification does not need to be fully enumerated.
In one illustrated embodiment, a data fragment in the fragmented data stream may carry a first type check value generated when the user program encrypts the data fragment, and the check information may include a second type check value generated by performing a preset hash calculation on that first type check value. In this case, the computing device may perform the preset hash calculation on the first type check value in each data fragment of the fragmented data stream; if the result of the hash calculation matches the second type check value in the corresponding check information, the data fragment passes the integrity check.
In one embodiment, the encryption algorithm is AES-GCM. Encrypting a data fragment with this algorithm also generates an authentication tag auth_tag, which can be used as the first type check value; a hash calculation such as SHA-256 over auth_tag then yields the corresponding second type check value.
This approach makes full use of the authentication tag generated during encryption: whenever the integrity of a data fragment is damaged by deletion, addition, or replacement, the integrity check fails, which avoids the loss of reliability in the calculation result that an insecure data fragment would cause.
Referring to fig. 3, which illustrates the structure of a data slice and a metafile according to this specification: in this example, when the data slice is generated, the slice may be further encrypted as smaller data blocks, yielding encrypted data block 1, encrypted data block 2, through encrypted data block n as shown in the figure. Because of the characteristics of AES-GCM, Auth_tag_1, Auth_tag_2, through Auth_tag_n are generated correspondingly, and all the encrypted data blocks and their Auth_tags can be stored in the data slice.
AES-GCM takes the data block to be encrypted, the encryption key, the initial vector iv, and the additional information add_data as input, and outputs the encrypted data block and the authentication tag auth_tag. The lengths of the initial vector iv and the encrypted data block can be carried in the data fragment for further verification or to assist decryption.
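The check described above, worked end to end as an added example (not code from the patent): the user-program side encrypts each block with AES-GCM and records SHA-256(auth_tag) in the metafile, and the trusted-execution side compares the check values before decrypting. The `EncBlock` and `Metafile` layouts, the function names and the all-zero demo key are assumptions of this example; it also shows that a ciphertext bit flipped under the original tag passes the hash comparison and is rejected only by the AES-GCM tag verification during decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncBlock is one encrypted data block inside a data slice (hypothetical layout).
type EncBlock struct {
	IV, Ciphertext, AuthTag []byte // AuthTag is the first type check value
}

// Metafile carries one second type check value per block, in block order.
type Metafile struct{ CheckValues [][32]byte }

// ErrCheckValue means SHA-256(auth_tag) did not match the metafile.
var ErrCheckValue = errors.New("check value mismatch against metafile")

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// EncryptSlice is the user-program side: encrypt each block with AES-GCM and
// record SHA-256(auth_tag) in the metafile.
func EncryptSlice(key []byte, blocks [][]byte, addData []byte) ([]EncBlock, Metafile, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, Metafile{}, err
	}
	var out []EncBlock
	var meta Metafile
	for _, pt := range blocks {
		iv := make([]byte, gcm.NonceSize()) // fresh random IV per block
		if _, err := rand.Read(iv); err != nil {
			return nil, Metafile{}, err
		}
		sealed := gcm.Seal(nil, iv, pt, addData) // ciphertext || 16-byte tag
		n := len(sealed) - gcm.Overhead()
		b := EncBlock{IV: iv, Ciphertext: sealed[:n:n], AuthTag: sealed[n:]}
		out = append(out, b)
		meta.CheckValues = append(meta.CheckValues, sha256.Sum256(b.AuthTag))
	}
	return out, meta, nil
}

// VerifyAndDecrypt is the trusted-execution side: compare check values first,
// then decrypt; gcm.Open re-verifies each tag against its ciphertext.
func VerifyAndDecrypt(key []byte, slice []EncBlock, meta Metafile, addData []byte) ([][]byte, error) {
	if len(slice) != len(meta.CheckValues) { // a block was deleted or added
		return nil, fmt.Errorf("%w: %d blocks, %d check values",
			ErrCheckValue, len(slice), len(meta.CheckValues))
	}
	for i, b := range slice {
		if sha256.Sum256(b.AuthTag) != meta.CheckValues[i] { // replaced or reordered
			return nil, fmt.Errorf("%w: block %d", ErrCheckValue, i)
		}
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var plain [][]byte
	for i, b := range slice {
		if len(b.IV) != gcm.NonceSize() {
			return nil, fmt.Errorf("block %d: bad IV length %d", i, len(b.IV))
		}
		sealed := append(append([]byte{}, b.Ciphertext...), b.AuthTag...)
		pt, err := gcm.Open(nil, b.IV, sealed, addData)
		if err != nil {
			return nil, fmt.Errorf("block %d: %v", i, err)
		}
		plain = append(plain, pt)
	}
	return plain, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, never use in practice
	aad := []byte("slice-0") // constructed add_data value
	blocks := [][]byte{[]byte("block-1"), []byte("block-2")}
	slice, meta, _ := EncryptSlice(key, blocks, aad)
	_, err := VerifyAndDecrypt(key, slice, meta, aad)
	fmt.Println("intact:", err)
	slice[0], slice[1] = slice[1], slice[0] // reorder the blocks
	_, err = VerifyAndDecrypt(key, slice, meta, aad)
	fmt.Println("reordered:", err)
}
```

Because the check values are compared by position, a metafile that is itself protected (as the following paragraphs describe) is what makes deletion, addition and reordering of blocks detectable.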
In this specification, to further ensure the security and reliability of the metafile, the content of the metafile may itself be encrypted. A person skilled in the art can determine the specific encryption scheme according to performance and security requirements.
In one illustrated embodiment, a symmetric encryption key may be used to encrypt and decrypt the decryption key in the metafile. Specifically, the encryption may be performed before the metafile is uploaded to the storage service, and the corresponding decryption may be performed when the decryption key needs to be extracted from the metafile. The symmetric encryption key can be generated based on the ECIES algorithm, which allows the trusted execution environment to obtain the same key as the symmetric key used by the user program for encryption, so that the symmetric encryption and decryption complete successfully. One feasible implementation is as follows: a pair of elliptic-curve asymmetric keys upk/usk is generated on the user program side, and another pair of elliptic-curve asymmetric keys pk/sk is generated on the trusted execution environment side. The user program side calculates a shared key from its private key usk and the public key pk of the trusted execution environment, and derives the symmetric encryption key from the shared key with a key derivation function (KDF). Correspondingly, the trusted execution environment side calculates the shared key from its private key sk and the public key upk of the user program, and derives the same symmetric encryption key from the shared key with the KDF.
It is understood that, in the above processes, the process of public key exchange and the specific manner of generating the key pair can be specifically designed by those skilled in the art with reference to the related technical documents, and the present specification is not limited further. Furthermore, in addition to the ECIES algorithm, other key generation algorithms that enable the user program side to agree with the trusted execution environment side may be used by those skilled in the art, and need not be further enumerated in this specification.
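The key agreement described above, as an added example rather than code from the patent: both sides derive the same symmetric key from their own private key and the peer's public key, the user program wraps the slice decryption key with it, and the trusted execution environment unwraps it. The P-256 curve, the single-round ANSI X9.63 KDF with SHA-256, AES-GCM as the wrapping cipher, the `info` label and all function names are assumptions of this example; the patent names only ECIES and "a KDF".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeyPair generates an elliptic-curve key pair (P-256 chosen for this example).
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// DeriveKEK computes the ECDH shared key from one side's private key and the
// other side's public key, then derives a 32-byte symmetric key from it with
// one round of the ANSI X9.63 KDF: SHA-256(Z || counter=1 || info).
func DeriveKEK(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, info []byte) ([]byte, error) {
	z, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(z)
	h.Write([]byte{0, 0, 0, 1}) // 32-bit big-endian counter
	h.Write(info)
	return h.Sum(nil), nil
}

func aead(kek []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// WrapKey encrypts the slice decryption key before the metafile is uploaded.
// Output layout (hypothetical): nonce || ciphertext || tag.
func WrapKey(kek, dataKey []byte) ([]byte, error) {
	gcm, err := aead(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dataKey, nil), nil
}

// UnwrapKey recovers the decryption key inside the trusted execution
// environment; it fails if the blob was altered or the wrong key is used.
func UnwrapKey(kek, blob []byte) ([]byte, error) {
	gcm, err := aead(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	user, _ := NewKeyPair()             // upk/usk, user program side
	tee, _ := NewKeyPair()              // pk/sk, trusted execution environment side
	info := []byte("metafile-key-wrap") // constructed context label
	dataKey := make([]byte, 32)         // the key that decrypts the data slices
	rand.Read(dataKey)

	kekUser, _ := DeriveKEK(user, tee.PublicKey(), info) // usk + pk
	blob, _ := WrapKey(kekUser, dataKey)
	kekTEE, _ := DeriveKEK(tee, user.PublicKey(), info) // sk + upk
	got, err := UnwrapKey(kekTEE, blob)
	fmt.Println("TEE recovered data key:", err == nil && bytes.Equal(got, dataKey))
}
```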
In this specification, the computing device may invoke the trusted computing program to perform trusted computing based on the decrypted data slice in the sliced data stream. As mentioned above, the trusted computing program may be selected and designed according to specific business requirements, and this specification need not be further limited.
In one embodiment, the method may further include the step of returning the result; specifically, the computing device may return a result obtained after the trusted computing to the user program in response to a result query request sent by the user program; it can be understood that not all results of the trusted computing need to be returned to the user program, for example, the results of the trusted computing may be directly written into a preset database or file, and the like, and further a subsequent action may be triggered based on the results of the trusted computing, for example, a prompt box with a matching success is shown when the results match a preset answer, and the like; it is also understood that the result of the above-mentioned trusted calculation can also be returned and shown in different forms, for example, the calculation result in the form of number can be correspondingly generated into a statistical chart and so on; the skilled person may determine whether to return the result obtained after the above-mentioned trusted computing to the user program, and may also determine the form of the result of the returned trusted computing, which is not further limited in this specification.
In one embodiment shown, if the data amount of the result of the trusted computing is too large, a method similar to the input method can be adopted, and the storage service is used as a cache; specifically, when the data amount of the result is greater than a preset threshold, the result obtained after the trusted computing may be stored in the storage service, and a storage address of the result in the storage service may be returned to the user program. It is understood that the returned result may also be encrypted or sliced similarly to the foregoing description, and the description of this specification is omitted.
The above contents are all embodiments of the present specification directed to the trusted computing method based on data stream. This specification also provides embodiments of a corresponding data-stream based trusted computing device as follows:
This specification provides a data-flow-based trusted computing apparatus. Referring to fig. 4, which illustrates the structure of the apparatus: the apparatus may include a receiving module 401, a reading module 402, a decryption module 403, and a calculation module 404. The apparatus can be applied to a computing device loaded with a trusted execution environment, in which a trusted computing program runs. The computing device enables a storage service for storing the fragmented data stream that is uploaded by the user program and participates in the trusted computing, together with the metadata corresponding to the fragmented data stream; the data fragments in the fragmented data stream are encrypted by the user program. Specifically:
the receiving module 401 may receive a call request for the trusted computing program sent by the user program; the calling request comprises a fragment data stream participating in the trusted computing and identification information of metadata corresponding to the fragment data stream;
a reading module 402, configured to read the fragmented data stream and the metadata from the storage service based on the identification information in response to the call request; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
a decryption module 403, configured to perform integrity verification on the data fragments in the fragmented data stream based on the verification information, and further decrypt the data fragments in the fragmented data stream based on the decryption key after the integrity verification passes;
the calculation module 404 invokes the trusted calculation program, and performs trusted calculation based on the decrypted data fragments in the fragment data stream.
In one embodiment, the storage service may be a storage service installed in another device that interfaces with the computing device; for example, the storage service may be an object storage service provided by a data center a, and the computing device equipped with the trusted execution environment is located in a computing center B, and a network communication connection is provided between the data center a and the computing center B.
In an embodiment shown, the storage service may be a storage service installed in the computing device, in which case, the apparatus may further include a storage module, where the storage module may receive a fragmented data stream participating in the trusted computing and metadata corresponding to the fragmented data stream sent by a user program, store the received fragmented data stream and metadata in the storage service, and return identification information of the fragmented data stream and the corresponding metadata to the user program; for example, the storage service is a certain database service on the computer, and the storage module may acquire, from a download module of a user program, a fragmented data stream and corresponding metadata downloaded by the user program from another server, and cache the fragmented data stream and the corresponding metadata in the database service, and return a corresponding database entry main key as identification information to the user program, so that the user program calls a trusted computing program that needs the fragmented data stream and the corresponding metadata to participate in trusted computing.
In an embodiment shown, the identification information may include a storage address of the fragmented data stream and the corresponding metadata in the storage service; it can be understood that, in addition to using the storage address as the identification information, the meaning of the specific identification information can be selected by self according to the specific requirement and the query method supported by the storage service; for example, in a case where the storage service is an object storage service supporting query by object name, the identification information may be a name of a storage object corresponding to the fragmented data stream and corresponding metadata in the storage service.
In an embodiment shown in the present disclosure, a data fragment in the fragmented data stream may carry a first type check value generated when the user program encrypts the data fragment; the check information may include a second type check value generated by performing preset hash calculation on the first type check value in the data fragment; in this case, the decryption module 403 may perform the preset hash calculation on the first type check value in the data segment of the fragmented data stream; and if the result obtained by the hash calculation is matched with the second type check value in the corresponding check information, the data fragment in the fragment data stream passes the integrity check.
In one embodiment, the encryption algorithm is AES-GCM. Encrypting a data fragment with this algorithm also generates an authentication tag auth_tag, which can be used as the first type check value; a hash calculation such as SHA-256 over auth_tag then yields the corresponding second type check value.
By adopting the mode, the authentication label generated in the encryption process can be fully utilized, and as long as the integrity of the data fragment is damaged by deletion, addition or replacement, the integrity check cannot pass, so that the reduction of the reliability of the calculation result caused by insecurity of the data fragment can be avoided.
In one embodiment shown, a symmetric encryption key may be used to encrypt/decrypt the decryption key in the metafile; specifically, the encryption operation may be performed before the metafile is uploaded to the storage service, and when a decryption key needs to be extracted from the metafile, the decryption module 403 may perform a corresponding decryption operation; the key used for the above symmetric encryption may be generated based on an ECIES algorithm.
In one embodiment shown, the apparatus may further include a return module; specifically, the return module may return the result obtained after the trusted computing to the user program in response to a result query request sent by the user program; it can be understood that not all results of the trusted computing need to be returned to the user program, for example, the results of the trusted computing may be directly written into a preset database or file, and the like, and further a subsequent action may be triggered based on the results of the trusted computing, for example, a prompt box with a matching success is shown when the results match a preset answer, and the like; it is also understood that the result of the above-mentioned trusted calculation can also be returned and shown in different forms, for example, the calculation result in the form of number can be correspondingly generated into a statistical chart and so on; the skilled person may determine whether to return the result obtained after the above-mentioned trusted computing to the user program, and may also determine the form of the result of the returned trusted computing, which is not further limited in this specification.
In one embodiment shown, if the data amount of the result of the trusted computing is too large, a method similar to the input method can be adopted, and the storage service is used as a cache; specifically, the returning module may store the result obtained after the trusted computing in the storage service when the data amount of the result is greater than a preset threshold, and return the storage address of the result in the storage service to the user program. It is understood that the returned result may also be encrypted or sliced similarly to the foregoing description, and the description of this specification is omitted.
Embodiments of the present specification further provide a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the aforementioned data-flow-based trusted computing method when executing the program.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure, where the computing device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification further provide a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the aforementioned data-flow-based trusted computing method.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific embodiment of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, a plurality of modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as the protection scope of the embodiments of the present disclosure.

Claims (19)

1. A trusted computing method based on data flow is applied to computing equipment loaded with a trusted execution environment; a trusted computing program is run in the trusted execution environment; the computing device enables a storage service for storing, outside the trusted execution environment, fragmented data streams uploaded by user programs participating in the trusted computing and metadata corresponding to the fragmented data streams; wherein, the data fragments in the fragment data stream are encrypted by the user program respectively; the user program comprises a user program that runs outside the trusted execution environment; the method comprises the following steps:
receiving a call request aiming at a trusted computing program sent by a user program; the calling request comprises a fragment data stream participating in the trusted computing and identification information of metadata corresponding to the fragment data stream;
reading the fragmented data stream and the metadata from the storage service based on the identification information in response to the call request; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
based on the verification information, carrying out integrity verification on the data fragments in the fragmented data stream, and further decrypting the data fragments in the fragmented data stream based on the decryption key after the integrity verification is passed;
and calling the trusted computing program, and performing trusted computing based on the decrypted data fragments in the fragment data stream.
2. The method of claim 1, the storage service comprising a storage service hosted by another device that interfaces with the computing device.
3. The method of claim 1, the storage service comprising a storage service hosted by the computing device; the method further comprises the following steps:
receiving and storing a fragmented data stream which is sent by a user program and participates in the trusted computing and metadata corresponding to the fragmented data stream in the storage service;
and returning the identification information of the fragment data stream and the corresponding metadata to a user program.
4. The method of claim 3, the identification information comprising a storage address of the fragmented data stream and corresponding metadata in the storage service.
5. The method according to claim 1, wherein a data fragment in the fragmented data stream carries a first type check value generated when the user program encrypts the data fragment; the check information comprises a second type check value generated by performing preset hash calculation on the first type check value in the data fragment;
the integrity check of the data fragments in the fragment data stream based on the check information includes:
performing the preset hash calculation on the first type check value in the data fragment in the fragment data stream; and if the result of the hash calculation is matched with the second type check value in the corresponding check information, the data fragment in the fragment data stream passes the integrity check.
6. The method of claim 5, wherein the encryption algorithm is an AES-GCM algorithm, and the first type of check value comprises an authentication tag auth_tag generated when the data slice is encrypted based on the AES-GCM algorithm in a user program.
7. The method of claim 1, the decryption key comprising a symmetrically encrypted decryption key ciphertext; the symmetric key for symmetric encryption is a symmetric key generated based on an ECIES algorithm;
the decrypting the data fragments in the fragmented data stream based on the decryption key includes:
decrypting the decryption key ciphertext by using a symmetric key generated based on an ECIES algorithm to obtain a decryption key plaintext;
and decrypting the data fragments in the fragmented data stream based on the decryption key plaintext.
8. The method of claim 1, further comprising:
and responding to a result query request sent by a user program, and returning a result obtained after the trusted computing to the user program.
9. The method of claim 8, returning the trusted computed result to the user program, comprising:
under the condition that the data volume of the result is larger than a preset threshold value, storing the result obtained after the trusted computing into the storage service;
and returning the storage address of the result in the storage service to the user program.
10. A trusted computing device based on data flow is applied to a computing device loaded with a trusted execution environment; a trusted computing program is run in the trusted execution environment; the computing device enables a storage service for storing, outside the trusted execution environment, fragmented data streams uploaded by user programs participating in the trusted computing and metadata corresponding to the fragmented data streams; wherein, the data fragments in the fragment data stream are encrypted by the user program respectively; the user program comprises a user program that runs outside the trusted execution environment; the device comprises:
the receiving module is used for receiving a calling request aiming at the trusted computing program sent by the user program; the calling request comprises a fragment data stream participating in the trusted computing and identification information of metadata corresponding to the fragment data stream;
the reading module is used for responding to the calling request and reading the fragment data stream and the metadata from the storage service based on the identification information; the metadata comprises a decryption key for decrypting the data fragments in the fragmented data stream and verification information for performing integrity verification on the data fragments in the fragmented data stream;
the decryption module is used for carrying out integrity verification on the data fragments in the fragmented data stream based on the verification information, and further decrypting the data fragments in the fragmented data stream based on the decryption key after the integrity verification is passed;
and the computing module calls the trusted computing program and performs trusted computing on the basis of the decrypted data fragments in the fragment data stream.
11. The apparatus of claim 10, the storage service comprising a storage service hosted by another device that is interfaced with the computing device.
12. The apparatus of claim 10, the storage service comprising a storage service hosted by the computing device; the device further comprises:
the storage module is used for receiving and storing the fragment data stream which is sent by a user program and participates in the trusted computing and the metadata corresponding to the fragment data stream in the storage service; and returning the identification information of the fragment data stream and the corresponding metadata to a user program.
13. The apparatus of claim 12, the identification information comprising a storage address of the fragmented data stream and corresponding metadata in the storage service.
14. The apparatus according to claim 10, wherein a data fragment in the fragmented data stream carries a first type check value generated when the user program encrypts the data fragment; the check information comprises a second type check value generated by executing preset hash calculation on the first type check value in the data fragment;
the decryption module further:
performing the preset hash calculation on the first type check value in the data fragment in the fragment data stream; and if the result of the hash calculation is matched with the second type check value in the corresponding check information, the data fragment in the fragment data stream passes the integrity check.
15. The apparatus of claim 14, wherein the encryption algorithm is an AES-GCM algorithm, and the first type of check value comprises an authentication tag auth_tag generated when the data slice is encrypted based on the AES-GCM algorithm in a user program.
16. The apparatus of claim 10, the decryption key comprising a symmetrically encrypted decryption key ciphertext; the symmetric key for symmetric encryption is a symmetric key generated based on an ECIES algorithm;
the decryption module further:
decrypting the decryption key ciphertext by using a symmetric key generated based on an ECIES algorithm to obtain a decryption key plaintext; and decrypting the data fragments in the fragmented data stream based on the decryption key plaintext.
17. The apparatus of claim 10, the apparatus further comprising:
and the return module is used for responding to a result query request sent by a user program and returning the result obtained after the trusted computing to the user program.
18. The apparatus of claim 17, the return module further to:
under the condition that the data volume of the result is larger than a preset threshold value, storing the result obtained after the trusted computing into the storage service; and returning the storage address of the result in the storage service to the user program.
19. A computer device comprising at least a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the trusted data-stream-based computing method of any one of claims 1 to 9.
CN202110111607.7A 2021-01-27 2021-01-27 Trusted computing method and device based on data flow Active CN112434326B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110111607.7A CN112434326B (en) 2021-01-27 2021-01-27 Trusted computing method and device based on data flow
PCT/CN2022/071787 WO2022161182A1 (en) 2021-01-27 2022-01-13 Trusted computing method and apparatus based on data stream

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110111607.7A CN112434326B (en) 2021-01-27 2021-01-27 Trusted computing method and device based on data flow

Publications (2)

Publication Number Publication Date
CN112434326A CN112434326A (en) 2021-03-02
CN112434326B true CN112434326B (en) 2021-05-07

Family

ID=74697315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110111607.7A Active CN112434326B (en) 2021-01-27 2021-01-27 Trusted computing method and device based on data flow

Country Status (2)

Country Link
CN (1) CN112434326B (en)
WO (1) WO2022161182A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434326B (en) * 2021-01-27 2021-05-07 支付宝(杭州)信息技术有限公司 Trusted computing method and device based on data flow
CN115708095A (en) * 2021-08-20 2023-02-21 华为技术有限公司 Data security processing method and device
CN114363321A (en) * 2021-12-30 2022-04-15 支付宝(杭州)信息技术有限公司 File transmission method, equipment and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111027083A (en) * 2019-12-06 2020-04-17 支付宝(杭州)信息技术有限公司 Private data processing method and system
CN111611625A (en) * 2020-05-26 2020-09-01 牛津(海南)区块链研究院有限公司 Cloud data integrity auditing method and device and computer readable storage medium
CN111859383A (en) * 2020-06-08 2020-10-30 西安电子科技大学 Software automatic segmentation method, system, storage medium, computer equipment and terminal
CN112231124A (en) * 2020-12-14 2021-01-15 支付宝(杭州)信息技术有限公司 Inter-application communication method and device based on privacy protection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150156186A1 (en) * 2013-09-16 2015-06-04 Clutch Authentication Systems, Llc System and method for communication over color encoded light patterns
CN107766724A (en) * 2017-10-17 2018-03-06 华北电力大学 A kind of construction method of trusted computer platform software stack function structure
CN112434326B (en) * 2021-01-27 2021-05-07 支付宝(杭州)信息技术有限公司 Trusted computing method and device based on data flow

Also Published As

Publication number Publication date
WO2022161182A1 (en) 2022-08-04
CN112434326A (en) 2021-03-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40048637
Country of ref document: HK