CN117077202A - SGX-based network data security protection system and method - Google Patents

SGX-based network data security protection system and method

Info

Publication number
CN117077202A
Authority
CN
China
Prior art keywords
data
network data
user
sharing
retrieval
Legal status
Pending
Application number
CN202311109709.0A
Other languages
Chinese (zh)
Inventor
高婧
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Events
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202311109709.0A
Publication of CN117077202A
Legal status: pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an SGX-based network data security protection system and method, belonging to the technical field of data security. The system comprises: a data classification module, which classifies the network data and allocates and stores a directory for each class; a data security module, which controls users' access rights, encrypts and decrypts the network data, and protects the privacy of the key and of the network data transaction process; a data storage module, which stores the encrypted network data on-chain in a distributed manner and keeps replicas; a data retrieval module, which receives a user's retrieval request through a hash table and quickly locates the target network data by its directory; and a data sharing module, which receives a user's sharing request, looks up the target network data, shares it after decryption and protects the sharing process. By storing the data by class, the invention narrows the retrieval range and improves retrieval efficiency, and the key and the network data transaction process are protected by SGX-based privacy protection.

Description

SGX-based network data security protection system and method
Technical Field
The invention belongs to the technical field of data security, and particularly relates to an SGX-based network data security protection system and method.
Background
SGX is the abbreviation of Intel Software Guard Extensions, a processor extension that protects software by running selected code and data inside isolated memory regions (enclaves).
With the development of big data, the Internet and cloud technology, network data brings great convenience to informatization but also brings potential security risks: the processing of large data sets and the use of private data face real threats.
The related-art method for securing network data first normalizes the network data, then encrypts the normalized data and stores it in a database; on use, the stored data is decrypted, restored and desensitized before being published to the front-end display interface. This method still has two problems. First, security is low: the security of the encryption algorithm cannot be guaranteed, and if the algorithm has a vulnerability or the key leaks, the network data can be stolen or tampered with by an attacker; nor is security guaranteed when network transactions are performed on the data. Second, processing is slow: especially for large volumes of network data on a system with limited hardware, low processing efficiency is very likely, which affects the timeliness and validity of the data and is unfriendly to users.
In summary, while network data brings convenience to informatization it also brings security threats, and the existing way of processing, encrypting, decrypting and desensitizing network data has low security and low processing efficiency.
Therefore, in view of the above drawbacks, it is highly desirable to provide an SGX-based network data security protection system and method.
Disclosure of Invention
Aiming at the defects of the existing way of processing, encrypting, decrypting and desensitizing network data, namely low security and low processing efficiency even though network data is convenient for informatization, the invention provides an SGX-based network data security protection system and method intended to solve these technical problems.
In a first aspect, the present invention provides an SGX-based network data security protection system, including:
a data classification module, for classifying the received network data with a classification function, allocating a directory to each class of network data and storing the directory;
a data security module, for controlling users' access rights, encrypting the classified network data before storage and decrypting it before reading, and using SGX to protect the privacy of the key and of the network data transaction process;
a data storage module, for verifying and validating the encrypted network data, storing it on-chain in a distributed manner by class according to the directory, and keeping replicas;
a data retrieval module, for receiving a user's retrieval request through a hash table and, after verifying the user's retrieval right, quickly locating the target network data according to the directory;
and a data sharing module, for receiving a user's sharing request, looking up the target network data after verifying the user's sharing right, decrypting it through the data security module, sharing it and protecting the sharing process.
Further, the data classification module includes:
a data receiving unit, for receiving a user's network data through the front-end client and passing it to the back-end server;
a classification function unit, for presetting a classification function on the back-end server and classifying the received network data with it;
and an allocation unit, for allocating the network data of one class to the same HDFS directory and storing the data types and their HDFS directories in the JSON configuration file of the front-end client.
Further, the classification function unit includes:
a classification function setting subunit, for obtaining the target data retrieval granularity, presetting the classification function on the back-end server according to that granularity, and determining the attribute set of each target class;
a data classification subunit, for classifying the received network data with the classification function: it matches the network data against the attribute set and checks whether an identical attribute exists;
if so, the network data is assigned to the target class holding that attribute;
if not, the attributes of the network data are determined and the attribute set is checked for an attribute whose similarity to them exceeds a threshold; when one exists the network data is assigned to the corresponding target class, and when none exists the classification function is corrected;
and a classification function correction subunit, for correcting the classification function when every attribute in the attribute set differs from the attributes of the network data and the similarity is below the threshold, so that the attributes of the network data are added to a target class.
Further, the data security module includes:
an access control unit, for receiving a user's access request through the front-end client, verifying the user's rights and deciding whether the access is illegal or unauthorized; the access is refused when it is and allowed when it is not;
an encryption unit, for generating a key with a symmetric encryption algorithm, using it to encrypt the classified network data before storage and to encrypt the retrieval conditions of the classified network data, and using it to decrypt the encrypted network data before reading when the user's access request is compliant;
a data protection unit, for identifying and authenticating the network data received by the front-end client before classification, auditing its content for illegal data, anonymizing the source user of the network data and limiting that user's publishing rights, and handling distorted network data;
and a transaction data privacy protection unit, for protecting the privacy of the transaction process of the classified network data through SGX.
Further, the transaction data privacy protection unit includes:
an initialization subunit, for checking the SGX environment on both the key server and the transaction server, creating a local key file and a key enclave (key security area) memory on the key server, and creating a local transaction file and a transaction enclave memory on the transaction server;
a secret read-write subunit, for using the thread and low-level commands bound to the transaction enclave memory: written network data is encrypted inside the transaction enclave with the key according to the Path ORAM algorithm and stored in the encrypted file as key-value pairs; on reading, the matching key-value pair is looked up in the encrypted file according to the Path ORAM algorithm inside the transaction enclave, decrypted with the key, and then returned;
an anti-leakage subunit, for keeping the user's encrypted key inside the key enclave by importing and modifying the HTTPS communication functions of the OpenSSL library;
and an encrypted storage subunit, for writing the persistent data and state produced in the transaction enclave, and the secure key-processing data, to the local transaction file and the local key file respectively.
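As an added illustration of the secret read-write subunit described above (example code written for this page, not taken from the patent or from the assignee's implementation): a minimal Path ORAM key-value store in Python in which the tree of fixed-size encrypted slots plays the role of the encrypted file, while the position map, stash and key-name table stay in "enclave" memory. Everything is simulated: the enclave is an ordinary Python object, the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for the AES-GCM an SGX enclave would use, and the class and function names, block size and bucket size Z=4 are assumptions. What it shows is the property the patent relies on: an observer who only sees the tree watches one random root-to-leaf path being read and rewritten per access, whatever key is touched, and a slot modified outside the enclave is rejected on the next read.

```python
import hashlib, hmac, os, random, struct

Z = 4                 # blocks per bucket (the usual Path ORAM choice)
DATA = 32             # fixed payload size: ciphertext length leaks nothing about the value
NONCE = TAG = 16

def _subkeys(master):
    # separate encryption and MAC keys derived from the key held in the enclave
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:            # HMAC-SHA256 in counter mode; an enclave would use AES
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _seal(keys, addr, payload):
    """Fixed-size authenticated slot: nonce || tag || enc(addr, len, payload)."""
    enc, mac = keys
    nonce = os.urandom(NONCE)
    pt = struct.pack(">iB", addr, len(payload)) + payload.ljust(DATA - 1, b"\0")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG]
    return nonce + tag + ct

def _open(keys, slot):
    enc, mac = keys
    nonce, tag, ct = slot[:NONCE], slot[NONCE:NONCE + TAG], slot[NONCE + TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG]):
        raise ValueError("encrypted file slot was modified outside the enclave")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
    addr, n = struct.unpack(">iB", pt[:5])
    return addr, pt[5:5 + n]

class EnclaveKVStore:
    """Path ORAM key-value store. Outside the enclave only `tree` is visible: a
    fixed-size array of ciphertext buckets, and every access reads and rewrites
    exactly one random root-to-leaf path. Position map, stash and the name table
    stay in enclave memory."""

    def __init__(self, capacity, master_key, rng=None):
        self.capacity = capacity
        self.L = max(1, (capacity - 1).bit_length())       # tree height
        self.leaves = 1 << self.L
        self.keys = _subkeys(master_key)
        self.rng = rng or random.SystemRandom()
        self.pos, self.stash, self.names = {}, {}, {}
        self.tree = [[_seal(self.keys, -1, b"") for _ in range(Z)]
                     for _ in range(2 * self.leaves - 1)]

    def _path(self, leaf):                                  # bucket ids, root ... leaf
        node, path = leaf + self.leaves - 1, []
        while node > 0:
            path.append(node)
            node = (node - 1) // 2
        return [0] + path[::-1]

    def _access(self, addr, write=None):
        leaf = self.pos.get(addr, self.rng.randrange(self.leaves))
        self.pos[addr] = self.rng.randrange(self.leaves)   # fresh leaf after every access
        path = self._path(leaf)
        for b in path:                                      # read the whole path into the stash
            for slot in self.tree[b]:
                a, data = _open(self.keys, slot)
                if a != -1:
                    self.stash[a] = data
        result = self.stash.get(addr)
        if write is not None:
            self.stash[addr] = write
        for level in range(self.L, -1, -1):                 # evict, leaf bucket first
            b = path[level]
            fits = [a for a in self.stash if self._path(self.pos[a])[level] == b][:Z]
            slots = [_seal(self.keys, a, self.stash.pop(a)) for a in fits]
            slots += [_seal(self.keys, -1, b"") for _ in range(Z - len(slots))]
            self.tree[b] = slots
        return result

    def put(self, name, value):
        data = value.encode()
        if len(data) >= DATA:
            raise ValueError("value exceeds the fixed block size")
        if name not in self.names:
            if len(self.names) >= self.capacity:
                raise ValueError("store is full")
            self.names[name] = len(self.names)
        self._access(self.names[name], data)

    def get(self, name):
        if name not in self.names:
            return None
        data = self._access(self.names[name])
        return None if data is None else data.decode()

def demo():
    master = os.urandom(32)                   # would be held in the key security area
    store = EnclaveKVStore(8, master, rng=random.Random(7))
    store.put("tx:1001", "alice->bob:42")
    store.put("tx:1002", "bob->carol:7")
    store.put("tx:1001", "alice->bob:43")     # overwrite in place
    return store.get("tx:1001"), store.get("tx:1002"), store.get("tx:9999")
```

The stash is left unbounded here; a deployment would bound it and treat overflow as an error, and would seal `tree` to the local transaction file (the encrypted storage subunit) instead of keeping it only in memory.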
Further, the data storage module includes:
a data processing unit, for performing on-chain preprocessing on the encrypted network data by class, signing it and passing it to the consensus unit; it also receives data sharing requests and processes and shares the network data held in the storage unit, and receives retrieval requests, retrieves the network data held in the storage unit and returns it to the user;
a data interface unit, for implementing the data receiving, chain invocation, smart contract and identity interfaces;
a data service unit, for providing the intermediate-layer services between the data processing unit and the data interface unit;
a consensus unit, for verifying and validating the network data preprocessed by the data processing unit;
and a storage unit, for storing the preprocessed network data that passed verification on-chain in a distributed manner on Hadoop according to the HDFS directory, and keeping replicas.
Further, the data retrieval module includes:
a retrieval request receiving unit, for receiving the search keyword the user enters at the front-end client through a hash table;
a retrieval right verification unit, for decrypting the retrieval conditions through the data security module and verifying the user's retrieval right;
and a data retrieval unit, for obtaining the JSON configuration file from the front-end client once the user's retrieval right is verified, locating the HDFS directory from the search keyword, retrieving the target network data there and displaying the result to the user.
Further, the data sharing module includes:
a sharing request parsing unit, for receiving the sharing request the user enters at the front-end client and parsing out the search keyword, the requesting user and the target sharing location;
a shared data determining unit, for passing the search keyword to the data retrieval module and obtaining the location of the target network data;
a sharing right verification unit, for identifying the source of the target network data, comparing it with the requesting user and verifying the user's sharing right;
and a data sharing unit, for decrypting, through the data security module, the target network data for which the user's sharing right has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the sharing.
In a second aspect, the present invention provides an SGX-based network data security protection method, including the steps of:
S1, receiving network data, classifying it through the data classification module, and allocating and storing a directory for each class of network data;
S2, encrypting the classified network data with a key through the data security module, and using SGX to protect the privacy of the key and of the network data transaction process;
S3, verifying and validating the encrypted network data through the data storage module, storing it on-chain in a distributed manner by class according to the directory, and keeping replicas;
S4, receiving the user's retrieval or sharing request, locating the target network data according to the stored directory after verifying the user's rights, decrypting it with the data security module, and returning the retrieval or sharing result to the user.
Further, the specific steps of step S1 are as follows:
S11, receiving the user's network data through the front-end client and passing it to the back-end server;
S12, identifying and authenticating the received network data through the data security module, auditing its content for illegal data, anonymizing the source user of the network data and limiting that user's publishing rights, and handling distorted network data;
S13, presetting a classification function on the back-end server and classifying the processed network data with it;
S14, allocating the network data of one class to the same HDFS directory, and storing the data types and their HDFS directories in the JSON configuration file of the front-end client;
the specific steps of step S2 are as follows:
S21, initializing the SGX environment and creating the enclaves (security areas);
S22, generating a key with a symmetric encryption algorithm, encrypting the classified network data inside the enclave with that key, encrypting the retrieval conditions of the classified network data inside the enclave, and thereby protecting the privacy of the encryption process;
the specific steps of step S3 are as follows:
S31, performing on-chain preprocessing on the encrypted network data by class and then signing it;
S32, verifying and validating the preprocessed network data and the retrieval conditions, then storing them on-chain in a distributed manner on Hadoop according to the HDFS directory, and keeping replicas;
the specific steps of step S4 are as follows:
S41, determining the type of the received user request;
if it is a retrieval request, go to step S42;
if it is a sharing request, go to step S44;
S42, decrypting the retrieval conditions through the data security module and verifying the user's retrieval right; when verification passes, receiving the search keyword entered by the user through the hash table of the data retrieval module;
S43, with the search keyword received through the hash table, obtaining the JSON configuration file from the front-end client, locating the HDFS directory from the search keyword, retrieving the target network data there, displaying the result to the user, and ending;
S44, parsing the search keyword, the requesting user and the target sharing location out of the user's sharing request;
S45, passing the search keyword to the data retrieval module to obtain the location of the target network data;
S46, identifying the source of the target network data, comparing it with the requesting user through the data security module, and verifying the user's sharing right;
S47, decrypting, through the data security module, the target network data for which the user's sharing right has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the sharing.
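The storage module's preprocess-sign-verify-store path (steps S31 and S32, and the data processing, consensus and storage units) and the sharing-right check of steps S46 and S47 can be shown together. The following Python is an added example written for this page, not the patent's own code: the chain is a hash-linked record list, the HDFS replicas are a dict keyed by node and path, and the signature is an HMAC under an assumed data processing unit key standing in for the asymmetric signature a real consensus node would verify without the secret. Record layout, path format and every name are assumptions. Decrypting the returned ciphertext is the data security module's job and is outside this block.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64


class OnChainStore:
    """Hash-chained record list standing in for the on-chain store of the data
    storage module, plus a dict simulating the HDFS replicas. The 'signature' is
    an HMAC under the data processing unit's key (a stand-in for a real
    asymmetric signature)."""

    def __init__(self, signing_key, replica_count=3):
        self.key = signing_key
        self.replica_count = replica_count
        self.chain = []             # accepted records, in order
        self.hdfs = {}              # "node<i>:<hdfs_dir>/<id>.enc" -> ciphertext

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _sign(self, body):
        return hmac.new(self.key, self._digest(body).encode(), hashlib.sha256).hexdigest()

    def preprocess(self, record_id, category, hdfs_dir, owner, ciphertext):
        """S31: build and sign the on-chain record for one encrypted item. Only the
        ciphertext digest goes on-chain; the ciphertext itself goes to HDFS."""
        body = {"id": record_id, "category": category, "hdfs_dir": hdfs_dir,
                "owner": owner, "cipher_sha256": hashlib.sha256(ciphertext).hexdigest(),
                "prev": self.chain[-1]["digest"] if self.chain else GENESIS}
        return {"body": body, "digest": self._digest(body), "sig": self._sign(body)}

    def consensus_verify(self, record, ciphertext):
        """S32: accept only if the record chains to the current head, its digest and
        signature match its body, and the ciphertext matches the recorded digest."""
        body = record["body"]
        head = self.chain[-1]["digest"] if self.chain else GENESIS
        return (body["prev"] == head
                and record["digest"] == self._digest(body)
                and hmac.compare_digest(record["sig"], self._sign(body))
                and hashlib.sha256(ciphertext).hexdigest() == body["cipher_sha256"])

    def store(self, record, ciphertext):
        """S32: append to the chain and write the ciphertext to every replica."""
        if not self.consensus_verify(record, ciphertext):
            raise ValueError("consensus rejected the record")
        self.chain.append(record)
        body = record["body"]
        for i in range(self.replica_count):
            self.hdfs[f"node{i}:{body['hdfs_dir']}/{body['id']}.enc"] = ciphertext
        return f"{body['hdfs_dir']}/{body['id']}.enc"

    def find(self, record_id):
        return next((r for r in self.chain if r["body"]["id"] == record_id), None)


def share(store, requesting_user, record_id):
    """S44-S47 checks before the security module decrypts: only the user the data
    came from may share it, and the stored copy must match the on-chain digest.
    Returns the verified ciphertext for the security module to decrypt."""
    record = store.find(record_id)
    if record is None:
        return None
    body = record["body"]
    if body["owner"] != requesting_user:                  # S46: source vs requester
        raise PermissionError("requesting user is not the source of the data")
    for i in range(store.replica_count):                  # any intact replica will do
        ct = store.hdfs.get(f"node{i}:{body['hdfs_dir']}/{body['id']}.enc")
        if ct is not None and hashlib.sha256(ct).hexdigest() == body["cipher_sha256"]:
            return ct
    raise ValueError("no replica matches the on-chain digest")


def demo():
    store = OnChainStore(b"data-processing-unit-key")                # constructed key
    ct = b"\x8a\x11constructed-ciphertext-from-security-module"     # constructed input
    rec = store.preprocess("r1", "netflow", "/data/netflow", "alice", ct)
    forged = dict(rec, body=dict(rec["body"], owner="mallory"))     # body edited after signing
    results = {"genuine_ok": store.consensus_verify(rec, ct),
               "forged_ok": store.consensus_verify(forged, ct),
               "path": store.store(rec, ct),
               "replay_ok": store.consensus_verify(rec, ct)}        # prev no longer matches head
    try:
        share(store, "mallory", "r1")
        results["denied"] = False
    except PermissionError:
        results["denied"] = True
    results["owner_gets_ct"] = share(store, "alice", "r1") == ct
    store.hdfs["node0:/data/netflow/r1.enc"] = b"tampered"          # one replica corrupted
    results["survives_one_bad_replica"] = share(store, "alice", "r1") == ct
    return results
```

Because the ciphertext digest is part of the signed body, a replica that is altered on disk is detected before anything reaches the decryption step, and the replica set gives the sharing path a second copy to fall back on.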
Further, the specific steps of step S13 are as follows:
S131, obtaining the target data retrieval granularity, presetting the classification function on the back-end server according to that granularity, and determining the attribute set of each target class;
S132, classifying the received network data with the classification function: matching it against the attribute set and checking whether an identical attribute exists;
if so, go to step S133;
if not, go to step S134;
S133, assigning the network data to the target class holding the identical attribute, and going to step S14;
S134, determining the attributes of the network data, and checking whether the attribute set contains an attribute whose similarity to them exceeds the threshold;
if so, go to step S135;
if not, go to step S136;
S135, assigning the network data to the target class corresponding to that attribute, and going to step S14;
S136, correcting the classification function so that the attributes of the network data are added to a target class, and returning to step S132.
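The classification procedure of steps S131 to S136, the JSON configuration of step S14 and the keyword lookup of step S43 can be run end to end. The following Python is an added example for this page, not the patent's code: attribute similarity is computed with the standard library's difflib SequenceMatcher ratio, and the threshold of 0.8, the /data/<class> directory layout and the rule that a corrected function gains a class named after the record's first attribute are all assumptions the patent does not fix.

```python
import difflib
import json

THRESHOLD = 0.8     # assumed; the patent does not fix the similarity threshold


class ClassificationFunction:
    """Back-end classification function (S131-S136). Each target class owns an
    attribute set and one HDFS directory; a record is routed by its attributes."""

    def __init__(self, granularity):
        # granularity: {class: [attribute, ...]}, chosen from the target data
        # retrieval granularity (S131)
        self.attrs = {cls: set(a) for cls, a in granularity.items()}
        self.dirs = {cls: "/data/" + cls for cls in self.attrs}    # assumed layout

    def classify(self, record_attrs):
        if not record_attrs:
            raise ValueError("record carries no attributes to classify on")
        # S132/S133: an attribute already owned by a class decides immediately
        for attr in record_attrs:
            for cls, aset in self.attrs.items():
                if attr in aset:
                    return cls
        # S134/S135: otherwise the most similar known attribute, if above threshold
        best = (0.0, None, None)
        for attr in record_attrs:
            for cls, aset in self.attrs.items():
                for known in aset:
                    score = difflib.SequenceMatcher(None, attr, known).ratio()
                    if score > best[0]:
                        best = (score, cls, attr)
        if best[0] > THRESHOLD:
            self.attrs[best[1]].add(best[2])     # learn the alias for next time
            return best[1]
        # S136: correct the function by adding a class for the new attributes
        # (assumed policy: named after the first attribute), then run S132 again
        new_cls = record_attrs[0]
        self.attrs[new_cls] = set(record_attrs)
        self.dirs[new_cls] = "/data/" + new_cls
        return self.classify(record_attrs)

    def config_json(self):
        """S14: data types and HDFS directories for the front-end client's JSON config."""
        return json.dumps({"types": self.dirs}, sort_keys=True)

    def keyword_table(self):
        """Hash table for the retrieval module: search keyword -> class."""
        return {a: cls for cls, aset in self.attrs.items() for a in aset}


def locate(config_json, keyword_table, keyword):
    """S43: resolve a search keyword to the single HDFS directory to search,
    so the other classes' directories are never touched."""
    cls = keyword_table.get(keyword)
    if cls is None:
        return None
    return json.loads(config_json)["types"].get(cls)


def demo():
    fn = ClassificationFunction({"netflow": ["src_ip", "dst_ip", "bytes"],
                                 "auth": ["username", "login_time"]})
    exact = fn.classify(["src_ip", "dst_ip", "proto"])       # S133
    fuzzy = fn.classify(["user_name", "session_id"])          # S135: user_name ~ username
    fresh = fn.classify(["dns_query", "qtype"])               # S136: new class
    cfg, table = fn.config_json(), fn.keyword_table()
    return (exact, fuzzy, fresh,
            locate(cfg, table, "user_name"),
            locate(cfg, table, "qtype"),
            locate(cfg, table, "proto"))
```

Note the caveat the last lookup exposes: an attribute that rode along with an exact match ("proto" next to "src_ip") is never added to the class, so it is not a usable search keyword afterwards; a deployment that wants every attribute searchable has to add all of a record's attributes to the class it lands in.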
The invention has the following beneficial effects:
in the SGX-based network data security protection system and method provided by the invention, after the data classification module classifies the network data, the network data in each class is guaranteed to have identical or similar attributes; the classified network data is allocated to the same HDFS directory and the data types and HDFS directories are written to the JSON configuration file, so that at retrieval time the location of the target network data is found quickly from the search keyword, the retrieval range is narrowed, retrieval efficiency is greatly improved, and long system response times during retrieval are avoided. Through the transaction data privacy protection unit, the data security module places the key, the encryption and decryption process and the retrieval and sharing process inside the SGX enclave, which gives the user strong privacy protection for the whole chain from key management to transaction requests and hides the cryptographic details of the blockchain from the user, improving the practicality of the system.
In addition, the invention has a reliable design principle, a simple structure and very wide application prospects.
It can be seen that the present invention has outstanding substantive features and significant progress over the prior art, as well as the benefits of its implementation.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below; it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic diagram of an SGX-based network data security protection system according to the present invention.
FIG. 2 is a schematic diagram of a classification function unit of the present invention.
Fig. 3 is a schematic diagram of a transaction data privacy preserving unit of the present invention.
Fig. 4 is a flow chart of an SGX-based network data security protection method embodiment 4 of the present invention.
Fig. 5 is a flow chart of an SGX-based network data security protection method embodiment 5 of the present invention.
Fig. 6 is a flow chart of classifying network data according to the present invention.
Detailed Description
In order to make the technical solution of the present invention better understood by those skilled in the art, the technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Example 1:
As shown in Fig. 1, the present invention provides an SGX-based network data security protection system, including:
a data classification module, for classifying the received network data with a classification function, allocating a directory to each class of network data and storing the directory;
a data security module, for controlling users' access rights, encrypting the classified network data before storage and decrypting it before reading, and using SGX to protect the privacy of the key and of the network data transaction process;
a data storage module, for verifying and validating the encrypted network data, storing it on-chain in a distributed manner by class according to the directory, and keeping replicas;
a data retrieval module, for receiving a user's retrieval request through a hash table and, after verifying the user's retrieval right, quickly locating the target network data according to the directory;
and a data sharing module, for receiving a user's sharing request, looking up the target network data after verifying the user's sharing right, decrypting it through the data security module, sharing it and protecting the sharing process.
Example 2:
As shown in Fig. 1, the present invention provides an SGX-based network data security protection system, including:
a data classification module, for classifying the received network data with a classification function, allocating a directory to each class of network data and storing the directory; the data classification module includes:
a data receiving unit, for receiving a user's network data through the front-end client and passing it to the back-end server;
a classification function unit, for presetting a classification function on the back-end server and classifying the received network data with it;
an allocation unit, for allocating the network data of one class to the same HDFS directory and storing the data types and their HDFS directories in the JSON configuration file of the front-end client;
a data security module, for controlling users' access rights, encrypting the classified network data before storage and decrypting it before reading, and using SGX to protect the privacy of the key and of the network data transaction process; the data security module includes:
an access control unit, for receiving a user's access request through the front-end client, verifying the user's rights and deciding whether the access is illegal or unauthorized; the access is refused when it is and allowed when it is not;
an encryption unit, for generating a key with a symmetric encryption algorithm, using it to encrypt the classified network data before storage and to encrypt the retrieval conditions of the classified network data, and using it to decrypt the encrypted network data before reading when the user's access request is compliant;
a data protection unit, for identifying and authenticating the network data received by the front-end client before classification, auditing its content for illegal data, anonymizing the source user of the network data and limiting that user's publishing rights, and handling distorted network data;
a transaction data privacy protection unit, for protecting the privacy of the transaction process of the classified network data through SGX;
a data storage module, for verifying and validating the encrypted network data, storing it on-chain in a distributed manner by class according to the directory, and keeping replicas; the data storage module includes:
a data processing unit, for performing on-chain preprocessing on the encrypted network data by class, signing it and passing it to the consensus unit; it also receives data sharing requests and processes and shares the network data held in the storage unit, and receives retrieval requests, retrieves the network data held in the storage unit and returns it to the user;
a data interface unit, for implementing the data receiving, chain invocation, smart contract and identity interfaces;
a data service unit, for providing the intermediate-layer services between the data processing unit and the data interface unit;
a consensus unit, for verifying and validating the network data preprocessed by the data processing unit;
a storage unit, for storing the preprocessed network data that passed verification on-chain in a distributed manner on Hadoop according to the HDFS directory, and keeping replicas;
a data retrieval module, for receiving a user's retrieval request through a hash table and, after verifying the user's retrieval right, quickly locating the target network data according to the directory; the data retrieval module includes:
a retrieval request receiving unit, for receiving the search keyword the user enters at the front-end client through a hash table;
a retrieval right verification unit, for decrypting the retrieval conditions through the data security module and verifying the user's retrieval right;
a data retrieval unit, for obtaining the JSON configuration file from the front-end client once the user's retrieval right is verified, locating the HDFS directory from the search keyword, retrieving the target network data there and displaying the result to the user;
a data sharing module, for receiving a user's sharing request, looking up the target network data after verifying the user's sharing right, decrypting it through the data security module, sharing it and protecting the sharing process; the data sharing module includes:
a sharing request parsing unit, for receiving the sharing request the user enters at the front-end client and parsing out the search keyword, the requesting user and the target sharing location;
a shared data determining unit, for passing the search keyword to the data retrieval module and obtaining the location of the target network data;
a sharing right verification unit, for identifying the source of the target network data, comparing it with the requesting user and verifying the user's sharing right;
a data sharing unit, for decrypting, through the data security module, the target network data for which the user's sharing right has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the sharing.
Example 3:
As shown in fig. 1, the present invention provides an SGX-based network data security protection system, comprising:
the data classification module is used for classifying the received network data through a classification function, assigning a directory to the network data according to the classification, and storing the directory; the data classification module comprises:
the data receiving unit is used for receiving the network data of a user through the front-end client and providing it to the back-end server;
the classification function unit is used for presetting a classification function at the back-end server and classifying the received network data through the classification function; as shown in fig. 2, the classification function unit comprises:
the classification function setting subunit is used for obtaining the target data retrieval granularity, presetting the classification function at the back-end server according to that granularity, and determining the attribute set of the target classifications;
the data classification subunit is used for classifying the received network data with the classification function: matching the received network data against the attribute set and judging whether an identical attribute exists;
if so, assigning the network data to the target classification having the identical attribute;
if not, determining the attribute of the network data and judging whether the attribute set contains an attribute whose similarity to it exceeds the threshold; when such an attribute exists, assigning the network data to the target classification corresponding to that attribute, and when it does not, correcting the classification function;
the classification function correction subunit is used for correcting the classification function when every attribute in the attribute set differs from the attribute of the network data and the similarity is below the threshold, so that the attribute of the network data is added to the target classifications;
the distribution unit is used for assigning the classified network data to the same HDFS directory and storing the data type and the HDFS directory in the JSON configuration file of the front-end client;
the data security module is used for controlling the access permissions of users, encrypting the classified network data before storage and decrypting it before reading, and protecting privacy with SGX during the transaction process involving the key and the network data; the data security module comprises:
the access control unit is used for receiving an access request of a user through the front-end client, verifying the permission of the user and judging whether the access is illegal or unauthorized; when it is, the access of the user is prohibited, and when it is not, the access of the user is allowed;
the encryption unit is used for generating a key with a symmetric encryption algorithm, using the key to encrypt the classified network data before storage and to encrypt the retrieval condition of the classified network data, and using the key to decrypt the encrypted network data before reading when the access request of the user is compliant;
the data protection unit is used for identifying and authenticating the network data received by the front-end client before classification, auditing the content of the network data to judge whether illegal data exists, anonymizing the user the network data originates from and restricting that user's publishing permission, and handling tampered network data;
the transaction data privacy protection unit is used for protecting the privacy of the transaction process of the classified network data through SGX; as shown in fig. 3, the transaction data privacy protection unit comprises:
the initialization subunit is used for performing the SGX environment check on both the key server and the transaction server, creating a local key file and a key enclave (secure-area memory) on the key server, and creating a local transaction file and a transaction enclave on the transaction server;
the secret read-write subunit is used for, with the thread and the underlying instructions corresponding to the transaction enclave memory, encrypting the network data to be written with the key inside the transaction enclave according to the Path ORAM algorithm and storing the encrypted network data in the encrypted file in the form of key-value pairs; and, on reading, looking up the corresponding key-value pair in the encrypted file according to the Path ORAM algorithm inside the transaction enclave, decrypting the encrypted network data with the key and then reading the network data;
the anti-leakage subunit is used for placing the user's encrypted key in the key enclave by importing and modifying the HTTPS communication functions of the OpenSSL library, so that the key is only ever handled in enclave memory;
the encrypted storage subunit is used for persisting the data and state generated while the transaction enclave and the key enclave process data to the local transaction file and the local key file respectively;
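The secret read-write subunit above is the part of the design a practitioner will want to see concretely: records are encrypted with the enclave key and placed in a Path ORAM tree, so the file store sees only which tree paths are read, never which record is accessed. The following is an added example written for this page, not the patent's or Inspur's code. It assumes a plain in-memory block store in place of the encrypted file, does not reproduce the SGX enclave boundary (in the patent the position map, stash and key live inside the transaction enclave), and uses a constructed stand-in cipher (HMAC-SHA256 keystream under a fresh nonce, no integrity tag) where a deployment would use AES-GCM with a key sealed to the enclave. Block ids, record contents and tree parameters are constructed.

```python
"""Added example (not the patent's code): Path ORAM over an encrypted block store,
modelled on the secret read-write subunit. Cipher and storage are stand-ins."""
import hashlib
import hmac
import os
import random
import struct

HEADER = struct.Struct(">iH")  # block id (-1 marks a dummy block), payload length


class PathORAM:
    def __init__(self, key: bytes, height: int = 3, bucket_size: int = 4, block_size: int = 32):
        self.key = key                # in the patent: the key held in the key enclave
        self.height = height          # tree with 2**height leaves
        self.z = bucket_size          # blocks per bucket
        self.block_size = block_size  # payload bytes per block
        self.n_leaves = 2 ** height
        self.rng = random.SystemRandom()
        # Every slot is ciphertext at all times, dummy or real, so the store cannot tell them apart.
        self.tree = [[self._encrypt(-1, b"") for _ in range(self.z)]
                     for _ in range(2 ** (height + 1) - 1)]
        self.position = {}    # block id -> leaf it is assigned to (client side, in-enclave)
        self.stash = {}       # block id -> plaintext payload (client side, in-enclave)
        self.paths_read = []  # leaves read, kept only to show the access pattern

    # --- constructed cipher stand-in: HMAC-SHA256 keystream, fresh nonce per encryption ---
    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _encrypt(self, block_id: int, payload: bytes) -> bytes:
        if len(payload) > self.block_size:
            raise ValueError("payload larger than block")
        plain = HEADER.pack(block_id, len(payload)) + payload.ljust(self.block_size, b"\0")
        nonce = os.urandom(16)  # fresh nonce: the same block re-encrypts to a new ciphertext
        return nonce + bytes(a ^ b for a, b in zip(plain, self._keystream(nonce, len(plain))))

    def _decrypt(self, blob: bytes):
        nonce, body = blob[:16], blob[16:]
        plain = bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))
        block_id, length = HEADER.unpack_from(plain)
        return block_id, plain[HEADER.size:HEADER.size + length]

    # --- tree geometry: heap numbering, root at index 0, leaf bucket index from a leaf number ---
    def _path(self, leaf: int):
        node = self.n_leaves + leaf  # 1-based index of the leaf bucket
        return [(node >> (self.height - lvl)) - 1 for lvl in range(self.height + 1)]

    # --- one ORAM access: the store-visible work is the same for read and write ---
    def access(self, op: str, block_id: int, payload: bytes = None):
        leaf = self.position.get(block_id)
        if leaf is None:
            leaf = self.rng.randrange(self.n_leaves)
        self.position[block_id] = self.rng.randrange(self.n_leaves)  # remap before touching the tree
        path = self._path(leaf)
        self.paths_read.append(leaf)
        for node in path:                       # 1. read the whole path into the stash
            for blob in self.tree[node]:
                bid, data = self._decrypt(blob)
                if bid >= 0:
                    self.stash[bid] = data
        result = self.stash.get(block_id)       # 2. serve the request from the stash
        if op == "write":
            self.stash[block_id] = payload
        for lvl in range(self.height, -1, -1):  # 3. evict: write the path back, leaf to root
            node = path[lvl]
            fits = [b for b in self.stash if self._path(self.position[b])[lvl] == node][: self.z]
            bucket = [self._encrypt(b, self.stash.pop(b)) for b in fits]
            bucket += [self._encrypt(-1, b"") for _ in range(self.z - len(bucket))]
            self.tree[node] = bucket
        return result

    def read(self, block_id: int):
        return self.access("read", block_id)

    def write(self, block_id: int, payload: bytes):
        self.access("write", block_id, payload)


def demo():
    """Write constructed records, read them back, report what the store could see."""
    oram = PathORAM(key=os.urandom(32))
    records = {1: b"flow:10.0.0.5->10.0.0.9", 2: b"dns:example.test", 3: b"http:GET /login"}
    for bid, rec in records.items():
        oram.write(bid, rec)
    readback = {bid: oram.read(bid) for bid in records}
    # No slot in the store ever holds plaintext, whether the block is real or a dummy.
    plaintext_visible = any(rec in blob for row in oram.tree for blob in row for rec in records.values())
    return readback, plaintext_visible, oram.paths_read


if __name__ == "__main__":
    rb, leaked, paths = demo()
    print(rb, "plaintext visible:", leaked, "paths read:", paths)
```

Two things the store still learns, which ORAM does not hide: that an access happened, and how many. Hiding which record was touched is the whole benefit; timing and volume of accesses need separate treatment, as does integrity (the stand-in cipher has no authentication tag, which a real deployment must add).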
the data storage module is used for verifying and validating the encrypted network data, storing it on-chain in a distributed manner according to the directory of its classification, and storing replicas at the same time; the data storage module comprises:
the data processing unit is used for performing the on-chain preprocessing of the encrypted network data according to its category, signing it and providing it to the consensus unit; receiving data sharing requests, processing the network data held in the storage unit and sharing it; and receiving retrieval requests, retrieving the network data held in the storage unit and returning it to the user;
the data interface unit is used for providing the data reception, chain invocation, smart contract and identity interfaces;
the data service unit is used for providing the intermediate-layer services between the data processing unit and the data interface unit;
the consensus unit is used for verifying and validating the network data preprocessed by the data processing unit;
the storage unit is used for storing the preprocessed network data that passed verification on-chain, in a distributed manner on Hadoop according to the HDFS directory, and storing replicas at the same time;
the data retrieval module is used for receiving a retrieval request of a user through a hash table and, after verifying the retrieval permission of the user, rapidly locating the target network data according to the directory; the data retrieval module comprises:
the retrieval request receiving unit is used for receiving, through a hash table at the front-end client, the retrieval keywords entered by the user;
the retrieval permission verification unit is used for decrypting the retrieval condition through the data security module and verifying the retrieval permission of the user;
the data retrieval unit is used for, once the retrieval permission of the user is verified, obtaining the JSON configuration file from the front-end client, locating the HDFS directory according to the retrieval keywords, retrieving the target network data there and displaying the retrieval result to the user;
the data sharing module is used for receiving a sharing request of a user, retrieving the target network data after verifying the sharing permission of the user, decrypting it through the data security module, sharing it and protecting the sharing process; the data sharing module comprises:
the sharing request parsing unit is used for receiving the sharing request entered by the user at the front-end client and parsing out the retrieval keywords, the requesting user and the target sharing location;
the shared data determining unit is used for providing the retrieval keywords to the data retrieval module and obtaining the location of the target network data;
the sharing permission verification unit is used for identifying the source of the target network data, comparing it with the requesting user and thereby verifying the sharing permission of the user;
the data sharing unit is used for decrypting, through the data security module, the target network data for which the sharing permission of the user has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the data sharing.
Example 4:
As shown in fig. 4, the present invention provides an SGX-based network data security protection method, comprising the following steps:
S1, receiving network data, classifying it through the data classification module, assigning a directory to the classified network data and storing the directory;
S2, encrypting the classified network data with a key through the data security module, and protecting privacy with SGX during the transaction process involving the key and the network data;
S3, verifying and validating the encrypted network data through the data storage module, storing it on-chain in a distributed manner according to the directory of its classification, and storing replicas at the same time;
S4, receiving the retrieval and sharing requests of the user, locating the target network data according to the stored directory after verifying the permission of the user, decrypting it with the data security module, and returning the retrieval result and the sharing result to the user.
Example 5:
as shown in fig. 5, the present invention provides a SGX network data security protection method, including the following steps:
S1, receiving network data, classifying it through the data classification module, assigning a directory to the classified network data and storing the directory; the specific steps of step S1 are as follows:
S11, receiving the network data of a user through the front-end client and providing it to the back-end server;
S12, identifying and authenticating the received network data through the data security module, auditing the content of the network data to judge whether illegal data exists, anonymizing the user the network data originates from and restricting that user's publishing permission, and handling tampered network data;
S13, presetting a classification function at the back-end server and classifying the processed network data through the classification function; as shown in fig. 6, the specific steps of step S13 are as follows:
S131, obtaining the target data retrieval granularity, presetting the classification function at the back-end server according to that granularity, and determining the attribute set of the target classifications;
S132, classifying the received network data with the classification function: matching it against the attribute set and judging whether an identical attribute exists;
if so, proceed to step S133;
if not, proceed to step S134;
S133, assigning the network data to the target classification having the identical attribute, and proceeding to step S14;
S134, determining the attribute of the network data and judging whether the attribute set contains an attribute whose similarity to it exceeds the threshold;
if so, proceed to step S135;
if not, proceed to step S136;
S135, assigning the network data to the target classification corresponding to that attribute, and proceeding to step S14;
S136, correcting the classification function so that the attribute of the network data is added to the target classifications, and returning to step S132;
S14, assigning the classified network data to the same HDFS directory, and storing the data type and the HDFS directory in the JSON configuration file of the front-end client;
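Steps S131 to S136 and S14 together describe one procedure: exact match on the attribute set, otherwise nearest attribute above a similarity threshold, otherwise extend the classification function and re-run, then map each classification to an HDFS directory recorded in the client's JSON configuration. The following is an added example written for this page, not the patent's or Inspur's code. Everything it fixes is an assumption the patent leaves open: a network-data record is a dict, the "retrieval granularity" is the list of record fields whose values make up the record's attribute, similarity is difflib's string ratio, and "correcting the classification function" means adding the new attribute as a target classification of its own. The HDFS root and the sample records are constructed.

```python
"""Added example (not the patent's code): the classification procedure S131-S136
plus the directory assignment of S14 as one runnable classifier."""
import difflib
import json

HDFS_ROOT = "/data/netdata"  # assumed HDFS base directory


class Classifier:
    def __init__(self, granularity, threshold=0.8):
        self.granularity = list(granularity)  # S131: fields that define an attribute
        self.threshold = threshold            # S134: similarity threshold
        self.attributes = {}    # attribute -> target classification (the attribute set)
        self.directories = {}   # target classification -> HDFS directory (S14)

    def attribute_of(self, record):
        # The attribute is the granularity fields of the record, joined with "/".
        return "/".join(str(record[field]) for field in self.granularity)

    def nearest(self, attr):
        """Return (known attribute, similarity) for the closest attribute in the set."""
        best, score = None, 0.0
        for known in self.attributes:
            ratio = difflib.SequenceMatcher(None, attr, known).ratio()
            if ratio > score:
                best, score = known, ratio
        return best, score

    def correct(self, attr):
        # S136: extend the classification function with a new target classification.
        cls = attr.replace("/", "_")
        self.attributes[attr] = cls
        self.directories[cls] = f"{HDFS_ROOT}/{cls}"
        return cls

    def classify(self, record):
        attr = self.attribute_of(record)
        if attr in self.attributes:            # S132 -> S133: identical attribute
            return self.attributes[attr]
        known, score = self.nearest(attr)      # S134: nearest attribute in the set
        if known is not None and score > self.threshold:
            return self.attributes[known]      # S135: close enough, reuse its class
        self.correct(attr)                     # S136, then S132 again, which now matches
        return self.attributes[attr]

    def distribute(self, records):
        """S14: records of the same classification go to the same HDFS directory."""
        placed = {}
        for rec in records:
            directory = self.directories[self.classify(rec)]
            placed.setdefault(directory, []).append(rec)
        return placed

    def config(self):
        """S14: the data-type -> HDFS-directory mapping stored at the front-end client."""
        return {"data_types": dict(self.directories)}

    def config_json(self):
        return json.dumps(self.config(), sort_keys=True)


def demo(threshold=0.8):
    """Constructed sample traffic records. 'tcp/https' is merged into the 'tcp/http'
    class at threshold 0.8 (similarity 16/17) and gets its own class at 0.95."""
    records = [
        {"proto": "tcp", "service": "http", "src": "10.0.0.1"},
        {"proto": "tcp", "service": "https", "src": "10.0.0.2"},
        {"proto": "udp", "service": "dns", "src": "10.0.0.3"},
        {"proto": "tcp", "service": "ssh", "src": "10.0.0.4"},
    ]
    clf = Classifier(["proto", "service"], threshold)
    return clf.distribute(records), clf.config()


if __name__ == "__main__":
    placed, cfg = demo()
    for directory, recs in placed.items():
        print(directory, len(recs), "records")
    print(json.dumps(cfg, indent=2))
```

The threshold is the security-relevant knob: because S135 places data with a merely similar attribute into an existing classification, a loose threshold silently merges categories (here https traffic into the http directory), and the directory is what retrieval and sharing permissions are later resolved against. The order in which records arrive also matters, since the first unmatched attribute defines the class that later near matches fold into.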
S2, encrypting the classified network data with a key through the data security module, and protecting privacy with SGX during the transaction process involving the key and the network data; the specific steps of step S2 are as follows:
S21, initializing the SGX environment and creating the enclave;
S22, generating a key with a symmetric encryption algorithm, encrypting the classified network data with the key inside the enclave, encrypting the retrieval condition of the classified network data inside the enclave, and thereby protecting the privacy of the encryption process;
S3, verifying and validating the encrypted network data through the data storage module, storing it on-chain in a distributed manner according to the directory of its classification, and storing replicas at the same time; the specific steps of step S3 are as follows:
S31, performing the on-chain preprocessing of the encrypted network data according to its category, and then signing it;
S32, verifying and validating the preprocessed network data and the retrieval condition, then storing them on-chain in a distributed manner on Hadoop according to the HDFS directory, and storing replicas at the same time;
S4, receiving the retrieval and sharing requests of the user, locating the target network data according to the stored directory after verifying the permission of the user, decrypting it with the data security module, and returning the retrieval result and the sharing result to the user; the specific steps of step S4 are as follows:
S41, judging the type of the received user request;
when it is a retrieval request of the user, proceed to step S42;
when it is a sharing request of the user, proceed to step S44;
S42, decrypting the retrieval condition through the data security module and verifying the retrieval permission of the user; when the verification passes, receiving, through the data retrieval module, the retrieval keywords entered by the user via the hash table;
S43, receiving the retrieval keywords entered by the user through the hash table and at the same time obtaining the JSON configuration file at the front-end client, locating the HDFS directory according to the retrieval keywords, retrieving the target network data there, displaying the retrieval result to the user, and ending;
S44, parsing the retrieval keywords, the requesting user and the target sharing location out of the sharing request of the user;
S45, providing the retrieval keywords to the data retrieval module to obtain the location of the target network data;
S46, identifying the source of the target network data, comparing it with the requesting user through the data security module, and verifying the sharing permission of the user;
S47, decrypting, through the data security module, the target network data for which the sharing permission of the user has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the data sharing.
Although the present invention has been described in detail by way of preferred embodiments with reference to the accompanying drawings, the present invention is not limited thereto. Those skilled in the art may make various equivalent modifications and substitutions to the embodiments of the present invention without departing from its spirit and scope, and all such modifications and substitutions are intended to fall within the scope of the present invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An SGX-based network data security protection system, comprising:
the data classification module, used for classifying the received network data through a classification function, assigning a directory to the network data according to the classification, and storing the directory;
the data security module, used for controlling the access permissions of users, encrypting the classified network data before storage and decrypting it before reading, and protecting privacy with Software Guard Extensions (SGX) during the transaction process involving the key and the network data;
the data storage module, used for verifying and validating the encrypted network data, storing it on-chain in a distributed manner according to the directory of its classification, and storing replicas at the same time;
the data retrieval module, used for receiving a retrieval request of a user through a hash table and, after verifying the retrieval permission of the user, rapidly locating the target network data according to the directory;
and the data sharing module, used for receiving a sharing request of a user, retrieving the target network data after verifying the sharing permission of the user, decrypting it through the data security module, sharing it and protecting the sharing process.
2. The SGX-based network data security protection system of claim 1, wherein the data classification module comprises:
the data receiving unit, used for receiving the network data of a user through the front-end client and providing it to the back-end server;
the classification function unit, used for presetting a classification function at the back-end server and classifying the received network data through the classification function;
and the distribution unit, used for assigning the classified network data to the same Hadoop Distributed File System (HDFS) directory and storing the data type and the HDFS directory in the JSON configuration file of the front-end client.
3. The SGX-based network data security protection system of claim 2, wherein the classification function unit comprises:
the classification function setting subunit, used for obtaining the target data retrieval granularity, presetting the classification function at the back-end server according to that granularity, and determining the attribute set of the target classifications;
the data classification subunit, used for classifying the received network data with the classification function: matching the received network data against the attribute set and judging whether an identical attribute exists;
if so, assigning the network data to the target classification having the identical attribute;
if not, determining the attribute of the network data and judging whether the attribute set contains an attribute whose similarity to it exceeds the threshold; when such an attribute exists, assigning the network data to the target classification corresponding to that attribute, and when it does not, correcting the classification function;
and the classification function correction subunit, used for correcting the classification function when every attribute in the attribute set differs from the attribute of the network data and the similarity is below the threshold, so that the attribute of the network data is added to the target classifications.
4. The SGX-based network data security protection system of claim 2, wherein the data security module comprises:
the access control unit, used for receiving an access request of a user through the front-end client, verifying the permission of the user and judging whether the access is illegal or unauthorized; when it is, the access of the user is prohibited, and when it is not, the access of the user is allowed;
the encryption unit, used for generating a key with a symmetric encryption algorithm, using the key to encrypt the classified network data before storage and to encrypt the retrieval condition of the classified network data, and using the key to decrypt the encrypted network data before reading when the access request of the user is compliant;
the data protection unit, used for identifying and authenticating the network data received by the front-end client before classification, auditing the content of the network data to judge whether illegal data exists, anonymizing the user the network data originates from and restricting that user's publishing permission, and handling tampered network data;
and the transaction data privacy protection unit, used for protecting the privacy of the transaction process of the classified network data through SGX.
5. The SGX-based network data security protection system of claim 4, wherein the transaction data privacy protection unit comprises:
the initialization subunit, used for performing the SGX environment check on both the key server and the transaction server, creating a local key file and a key enclave (secure-area memory) on the key server, and creating a local transaction file and a transaction enclave on the transaction server;
the secret read-write subunit, used for, with the thread and the underlying instructions corresponding to the transaction enclave memory, encrypting the network data to be written with the key inside the transaction enclave according to the Path ORAM (path oblivious RAM) algorithm and storing the encrypted network data in the encrypted file in the form of key-value pairs; and, on reading, looking up the corresponding key-value pair in the encrypted file according to the Path ORAM algorithm inside the transaction enclave, decrypting the encrypted network data with the key and then reading the network data;
the anti-leakage subunit, used for placing the user's encrypted key in the key enclave by importing and modifying the HTTPS communication functions of the OpenSSL library;
and the encrypted storage subunit, used for persisting the data and state generated while the transaction enclave and the key enclave process data to the local transaction file and the local key file respectively.
6. The SGX-based network data security protection system of claim 4, wherein the data storage module comprises:
the data processing unit, used for performing the on-chain preprocessing of the encrypted network data according to its category, signing it and providing it to the consensus unit; receiving data sharing requests, processing the network data held in the storage unit and sharing it; and receiving retrieval requests, retrieving the network data held in the storage unit and returning it to the user;
the data interface unit, used for providing the data reception, chain invocation, smart contract and identity interfaces;
the data service unit, used for providing the intermediate-layer services between the data processing unit and the data interface unit;
the consensus unit, used for verifying and validating the network data preprocessed by the data processing unit;
and the storage unit, used for storing the preprocessed network data that passed verification on-chain, in a distributed manner on Hadoop according to the HDFS directory, and storing replicas at the same time.
7. The SGX-based network data security protection system of claim 4, wherein the data retrieval module comprises:
the retrieval request receiving unit, used for receiving, through a hash table at the front-end client, the retrieval keywords entered by the user;
the retrieval permission verification unit, used for decrypting the retrieval condition through the data security module and verifying the retrieval permission of the user;
and the data retrieval unit, used for, once the retrieval permission of the user is verified, obtaining the JSON configuration file from the front-end client, locating the HDFS directory according to the retrieval keywords, retrieving the target network data there and displaying the retrieval result to the user.
8. The SGX-based network data security protection system of claim 7, wherein the data sharing module comprises:
the sharing request parsing unit, used for receiving the sharing request entered by the user at the front-end client and parsing out the retrieval keywords, the requesting user and the target sharing location;
the shared data determining unit, used for providing the retrieval keywords to the data retrieval module and obtaining the location of the target network data;
the sharing permission verification unit, used for identifying the source of the target network data, comparing it with the requesting user and verifying the sharing permission of the user;
and the data sharing unit, used for decrypting, through the data security module, the target network data for which the sharing permission of the user has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the data sharing.
9. An SGX-based network data security protection method, characterized in that it comprises the following steps:
S1, receiving network data, classifying it through the data classification module, assigning a directory to the classified network data and storing the directory;
S2, encrypting the classified network data with a key through the data security module, and protecting privacy with Software Guard Extensions (SGX) during the transaction process involving the key and the network data;
S3, verifying and validating the encrypted network data through the data storage module, storing it on-chain in a distributed manner according to the directory of its classification, and storing replicas at the same time;
S4, receiving the retrieval and sharing requests of the user, locating the target network data according to the stored directory after verifying the permission of the user, decrypting it with the data security module, and returning the retrieval result and the sharing result to the user.
10. The SGX-based network data security protection method of claim 9, wherein step S1 specifically comprises the following steps:
S11, receiving the network data of a user through the front-end client and providing it to the back-end server;
S12, identifying and authenticating the received network data through the data security module, auditing the content of the network data to judge whether illegal data exists, anonymizing the user the network data originates from and restricting that user's publishing permission, and handling tampered network data;
S13, presetting a classification function at the back-end server and classifying the processed network data through the classification function;
S14, assigning the classified network data to the same Hadoop Distributed File System (HDFS) directory, and storing the data type and the HDFS directory in the JSON configuration file of the front-end client;
the specific steps of step S2 are as follows:
S21, initializing the SGX environment and creating the enclave;
S22, generating a key with a symmetric encryption algorithm, encrypting the classified network data with the key inside the enclave, encrypting the retrieval condition of the classified network data inside the enclave, and thereby protecting the privacy of the encryption process;
the specific steps of step S3 are as follows:
S31, performing the on-chain preprocessing of the encrypted network data according to its category, and then signing it;
S32, verifying and validating the preprocessed network data and the retrieval condition, then storing them on-chain in a distributed manner on Hadoop according to the HDFS directory, and storing replicas at the same time;
the specific steps of step S4 are as follows:
S41, judging the type of the received user request;
when it is a retrieval request of the user, proceed to step S42;
when it is a sharing request of the user, proceed to step S44;
S42, decrypting the retrieval condition through the data security module and verifying the retrieval permission of the user; when the verification passes, receiving, through the data retrieval module, the retrieval keywords entered by the user via the hash table;
S43, receiving the retrieval keywords entered by the user through the hash table and at the same time obtaining the JSON configuration file at the front-end client, locating the HDFS directory according to the retrieval keywords, retrieving the target network data there, displaying the retrieval result to the user, and ending;
S44, parsing the retrieval keywords, the requesting user and the target sharing location out of the sharing request of the user;
S45, providing the retrieval keywords to the data retrieval module to obtain the location of the target network data;
S46, identifying the source of the target network data, comparing it with the requesting user through the data security module, and verifying the sharing permission of the user;
S47, decrypting, through the data security module, the target network data for which the sharing permission of the user has been verified, protecting the privacy of the decryption process, and then publishing the decrypted network data to the target sharing location to complete the data sharing.
CN202311109709.0A 2023-08-31 2023-08-31 SGX-based network data security protection system and method Pending CN117077202A (en)

Publications (1)

Publication Number Publication Date
CN117077202A true CN117077202A (en) 2023-11-17

Family

ID=88713213

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311109709.0A Pending CN117077202A (en) 2023-08-31 2023-08-31 SGX-based network data security protection system and method

Country Status (1)

Country Link
CN (1) CN117077202A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117708878A (en) * 2023-12-08 2024-03-15 中科科界(北京)科技有限公司 ORAM (oblivious RAM)-based copyright information trusted retrieval method
CN117708878B (en) * 2023-12-08 2024-05-03 中科科界(北京)科技有限公司 ORAM (oblivious RAM)-based copyright information trusted retrieval method

Similar Documents

Publication Publication Date Title
EP3962019B1 (en) Trusted data transmission methods, apparatuses, and devices
CN106980794B (en) TrustZone-based file encryption and decryption method and device and terminal equipment
US7587608B2 (en) Method and apparatus for storing data on the application layer in mobile devices
JP4463887B2 (en) Protected storage of core data secrets
US6351811B1 (en) Systems and methods for preventing transmission of compromised data in a computer network
US8949603B2 (en) Database management system and encryption method performed in database
US11170128B2 (en) Information security using blockchains
CA2976701A1 (en) Cloud encryption key broker apparatuses, methods and systems
CN106992851B (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
WO2016107893A1 (en) System and method for obfuscating an identifier to protect the identifier from impermissible appropriation
AU2011201188A1 (en) System and method for securing data
CN106022155A (en) Method and server for security management in database
CN104579689A (en) Soft secret key system and implementation method
US20120096280A1 (en) Secured storage device with two-stage symmetric-key algorithm
US20210142319A1 (en) Systems and methods for distributed data mapping
CN113015991A (en) Secure digital wallet processing system
Tariq et al. Secure keyword search using dual encryption in cloud computing
CN117077202A (en) SGX (Software Guard Extensions) -based network data security protection system and method
US8499357B1 (en) Signing a library file to verify a callback function
US10402573B1 (en) Breach resistant data storage system and method
CN112685755A (en) Database encryption and decryption method and device, storage medium and electronic equipment
Chalkoo et al. Challenges of data protection and security in cloud computing
CN115694921B (en) Data storage method, device and medium
EP4123486A1 (en) Systems and methods for improved researcher privacy in distributed ledger-based query logging systems
Mothlabeng et al. An Algorithm to Enhance Data Integrity in Cloud Computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination