WO2019218919A1 - Procédé et appareil de gestion de clé privée dans un scénario de chaîne de blocs, et système - Google Patents

Procédé et appareil de gestion de clé privée dans un scénario de chaîne de blocs, et système Download PDF

Info

Publication number
WO2019218919A1
WO2019218919A1 PCT/CN2019/086111 CN2019086111W WO2019218919A1 WO 2019218919 A1 WO2019218919 A1 WO 2019218919A1 CN 2019086111 W CN2019086111 W CN 2019086111W WO 2019218919 A1 WO2019218919 A1 WO 2019218919A1
Authority
WO
WIPO (PCT)
Prior art keywords
private key
blockchain
tee
computer system
password
Prior art date
Application number
PCT/CN2019/086111
Other languages
English (en)
Chinese (zh)
Inventor
文白林
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2019218919A1 publication Critical patent/WO2019218919A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218Distributed architectures, e.g. distributed firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • the present application relates to a blockchain technology, and in particular, to a method, device and system for managing a private key in a blockchain.
  • Blockchain refers to data generated and stored in blocks, and connected into a chain data structure in chronological order. All nodes need to participate in the data verification, storage and maintenance of the blockchain system, and new blocks. The creation needs to be confirmed by consensus, and broadcast to each node to achieve network-wide synchronization, and then cannot be changed or deleted.
  • the blockchain is a collection of innovations of various prior art, mainly solving the problem of multi-party trust and efficient coordination.
  • the technologies that make up the blockchain mainly include hash operations (SHA256), digital signatures, P2P (peer-to-peer) networks, and consensus algorithms.
  • Typical application scenarios for blockchain technology include cryptocurrency, finance, supply chain, and the Internet of Things.
  • the currency transaction information is stored in the block of each node, and the currency transaction information includes one or more transaction processes, and a transaction process, for example, the address of the A wallet transfers 100 digital coins to the B wallet address ( For example bitcoin).
  • a transaction process for example, the address of the A wallet transfers 100 digital coins to the B wallet address ( For example bitcoin).
  • the receiver decrypts the received ciphertext digest with the corresponding public key to obtain the digest a, performs a hash operation on the received transaction data to obtain the digest b, compares the digest a and the digest b, and when the digest a and the digest b are the same It is only safe to determine the currency trading information. It can be seen that the digital signature technology can ensure the integrity of the information transmission and at the same time verify the identity authentication of the sender, thereby preventing the occurrence of the repudiation in the transaction. However, how to ensure the security of the private key in the digital signature process and avoid the sender's private key from being obtained by a malicious third party is a problem that needs to be solved in the blockchain field.
  • the most common method of private key management is to host the private key on the server of the service provider.
  • the user logs in to the server using the account login method before using the private key to perform related operations.
  • drawbacks in this way if the server is hacked or other vulnerabilities are generated, it is easy to cause the private key to be leaked or lost; the user account may also be stolen; the browser vulnerability in the process of logging in to the server will also be safe for the account.
  • Sexuality has an impact; man-in-the-middle attacks in the process of network transmission and HTTPS certificate hijacking are also a common security risk.
  • Another way is to create and store the private key yourself at the blockchain node device.
  • the security design of most encrypted digital currency wallets is completely dependent on the security boundary of the operating system.
  • the storage and processing of the private key is still stored by using a fixed key or even directly in plaintext, completely relying on the security boundary of the operating system to avoid Illegal access, but whether it is Android (Android), iOS, Windows or Linux, a large number of system security vulnerabilities are exposed and fixed every year, and there are many local rights vulnerabilities in these vulnerabilities. It is easy to break the security design boundary of the operating system and gain the ability to access the private key.
  • the present application provides a private key management method, apparatus, and system, which can be applied to improve the security of a private key in an application scenario involved in a blockchain, thereby improving the security of information stored in a blockchain.
  • the present application provides a computer system on which a rich execution environment REE and a trusted execution environment TEE are deployed, the computer system also deploying a blockchain functional unit based on blockchain technology, such as a digital wallet software.
  • the private key management module and the transaction data processing module in the blockchain functional unit are deployed in the TEE.
  • the private key management module is configured to create a private key and store the private key in the TEE.
  • the transaction data processing module is configured to perform encryption on the digest data related to the blockchain functional unit by using the private key.
  • the generating of the digest data is in the TEE; in other implementations, the generating of the digest data is in the REE, and then the REE sends the digest data to the TEE .
  • the private key management module is specifically configured to perform encryption on the private key before storing the private key, where the stored private key is an encrypted private key.
  • the private key management module is specifically configured to perform encryption on the private key by using a password, where the password is updated or periodically updated when the condition is met, and the new password is used to re-execute the private key. Encrypted and stores the private key encrypted with the new password.
  • the updating condition of the password includes performing encryption of the summary data once.
  • the password is a random number generated by a hardware random number generator.
  • the random number can also be generated by a software random number generator.
  • the present application provides a method for managing a private key, which is applied to a blockchain scenario.
  • the method is applied to a computer system, such as a terminal device, deployed with a rich execution environment REE and a trusted execution environment TEE.
  • a blockchain functional unit such as digital wallet software, is also deployed on the computer system.
  • the method includes: creating a private key involved in the blockchain functional unit at a TEE, and storing the private key on a TEE side; using the private key to perform a digest on the blockchain functional unit on the TEE side
  • the data is encrypted.
  • the summary data is generated on the TEE side; in other implementations, the summary data is generated on the REE side, and the summary data is sent to the TEE for TEE The side performs encryption on the summary data.
  • the method prior to storing the private key, further comprises performing encryption on the private key. It is easy to understand that after encryption, the stored private key is not the original private key, and the encrypted private key needs to be decrypted before using the private key.
  • performing encryption on the private key and storing the encrypted private key includes performing encryption on the private key by using a password, and the password is updated or periodically updated when the condition is satisfied, and is used after being updated.
  • the new password re-encrypts the private key and stores the private key encrypted by the new password.
  • updating the password when the condition is satisfied includes updating the password after performing encryption of the summary data once with the private key.
  • the periodically updating the password comprises: updating the password at regular intervals, and re-encrypting and storing the private key.
  • the password is a random number generated by a hardware random number generator.
  • the random number can also be generated by a software random number generator.
  • the present application provides a computer system, characterized in that the computer system comprises a memory and a processor, the memory is for storing a computer program, the processor is for reading and executing the computer program to implement The method provided by any of the foregoing implementations.
  • the present application provides a blockchain system, characterized in that the blockchain system comprises a computer system provided by any aspect of the present application.
  • the computer system can be a terminal device or other type of computer system.
  • the private key management method, device and system create, store and use the private key involved in the blockchain scenario by using the private key involved in the blockchain scenario.
  • the trusted execution environment of the architecture provides the security of the private key, which solves the security risk of the private key in the untrusted environment to some extent, and improves the security of the blockchain system.
  • the private key is encrypted in the storage execution, further ensuring security.
  • the password of the encrypted private key is changed periodically or under the conditional trigger, so that the security of the password is higher, and the security of the private key is also higher.
  • FIG. 1a is a schematic diagram of a network architecture of a blockchain scenario
  • FIG. 1b is a schematic diagram of a system architecture of a terminal device
  • FIG. 2 is a schematic diagram of an interaction process between CA and TA
  • 3 is a schematic diagram of functional deployment of digital wallet software
  • FIG. 4 is a schematic diagram of a processing flow of a transaction data sender in a digital wallet software
  • FIG. 5 is a schematic diagram of a processing flow of a transaction data receiver in a digital wallet software
  • FIG. 6 is a schematic flowchart of a method for creating a private key
  • FIG. 7 is a schematic flow chart of a private key encryption method
  • FIG. 8 is a schematic structural view of a computer system.
  • TEE ensures the storage, processing and protection of sensitive data in a trusted environment and provides a secure execution environment for authorized trusted applications (TAs).
  • TAs trusted applications
  • the management and use of the private key by the mobile terminal in the blockchain scenario is based on REE. Since the REE has a large number of attacks, the security is not high, and after the private key management and use is moved to the TEE, it is required. Solve the problem of creating and using private keys in TEE and how the digital signature process interacts between REE and TEE.
  • FIG. 1 is a schematic diagram of a network architecture of a blockchain scenario applied by the secret key management method according to the embodiment.
  • the blockchain system consists of a plurality of terminal devices forming a peer-to-peer, decentralized network structure.
  • a terminal device can be seen as a node of a blockchain.
  • the car in the figure represents an in-vehicle terminal device.
  • FIG. 1b is a schematic diagram of a system architecture of any one of the terminal devices in FIG. 1a.
  • the terminal device includes REE and TEE, and REE and TEE respectively run Operating system and a TEE side operating system (such as the open source OP-TEE operating system).
  • the operating system and TEE OS are further divided into user state and kernel state.
  • the CA (Client Application) in the REE and the TA in the TEE form a client/server-like architecture.
  • the TA acts as the server, the CA acts as the client, and the CA initiates the access operation.
  • the two exchange data through the message channel of the hardware layer.
  • the development of the CA needs to call the TEE client API to communicate with the corresponding TA; the TA needs to call the TEE internal API to implement the related functions using the programming resources provided by the TEE.
  • S201 The CA first performs the necessary context initialization.
  • the specific command implemented is TEEC_InitializeContext.
  • S202 Specify a specific path (ta_path) where the TA file is located, and open the session.
  • the specific command implemented is TEEC_OpenSession(ta_path).
  • S204 The CA sends a command, and the bottom interface invokes a SMC (secure monitor call) instruction to trigger the processor to switch to the secure mode, and passes the command to the TA in the TEE for processing (through shared memory mode).
  • SMC secure monitor call
  • the specific command implemented is TEEC_InvokeCommand(cmd).
  • the processor still has a monitoring mode between the safe mode and the non-secure mode, and switches from the safe mode to the monitoring mode and then to the non-secure mode during the switching process, and vice versa.
  • a monitoring mode between the safe mode and the non-secure mode, and switches from the safe mode to the monitoring mode and then to the non-secure mode during the switching process, and vice versa.
  • a blockchain-based application is implemented on a mobile device, and the private key management module and the data processing module in the application are implemented in the REE.
  • the private key management module is configured to create and store a private key/public key
  • the data processing module is configured to perform hashing, digital signature, summary comparison, and the like on the data, thereby identifying whether the data is tampered with and verifying the sender identity information.
  • the digital wallet software mainly includes five major modules: a user management module 301, an asset management module 302, a secret key management module 305, a transaction data processing module 304, and a network management module 303.
  • the user management module 301 is configured to authenticate the correctness of the user name and password when the user logs in.
  • the asset management module 302 is used to view digital asset information, transfer funds to third parties, and the like.
  • the network management module 303 is configured to connect to the network and send/receive network data packets.
  • the key management module is used to create and store private and public keys.
  • the transaction data processing module 304 is configured to perform hash operation and digital signature processing on the transferred transaction data, and further needs to compare the transaction summary data, identify whether the transaction data has been tampered with, and verify the identity information of the sender.
  • the function of the digital signature in the transaction data processing module (equivalent to the transaction data processing module 304_B) and the key management module 305 are implemented on the TEE side, and other functions (equivalent to the transaction data processing module 304_A) ) and other modules are still placed on the REE side.
  • the digital wallet software is completed by being implemented only on the REE side and on the REE and TEE side.
  • the digital wallet software implements the functions of the foregoing key management module and transaction data processing module through one or more TAs on the TEE side, and the functions of other modules can be implemented on one or more CAs on the REE side.
  • modules on the REE side are implemented by one CA
  • two modules on the TEE side are implemented by one TA
  • different functional modules may also be configured by multiple CAs or TAs. achieve.
  • the division of modules is only an example, and the application is not limited thereto.
  • FIG. 4 is an example of processing the transaction data by taking the wallet A to pay 100 digital coins to the wallet B as an example.
  • the process of calling the TEE side module by the REE side module may refer to the process of calling the TA by the CA described above, and the specific calling process is not detailed.
  • Wallet A (also referred to as terminal device A) performs a hash operation on the REE side using the SHA256 algorithm to generate a 256-bit transaction digest.
  • the transaction data includes the address information of the wallet A, the address information of the wallet B, and the payment amount information.
  • Transaction data can be represented as a string.
  • the wallet A then sends the transaction digest to the TA on the TEE side through the data channel between the CA and the TA.
  • the specific implementation is as follows: The REE side CA calls the TEEC_InvokeCommand (cmd) function to send transaction summary data, where cmd is: SEND_DIGEST command.
  • steps S401 and S402 can be performed by the transaction data processing module 304_A.
  • S403 The TA on the TEE side encrypts the transaction digest using the private key of the wallet A and the Elliptic Curve Digital Signature Algorithm (ECDSA) to generate a digital signature (or called signature data) of less than 320 bits.
  • EDSA Elliptic Curve Digital Signature Algorithm
  • the TA on the TEE side returns the signature data and the public key of the wallet A to the REE side CA.
  • the public key and private key of the wallet A are created by the TA on the TEE side. They are created before use, but the specific time is not limited in this embodiment. For example, the public key can be created after the private key is created. It can be created before returning to the REE side.
  • the public key of the wallet A can be obtained according to the private key of the wallet A and the ECDSA algorithm.
  • steps S403 and S404 can be performed by the transaction data processing module 304_B.
  • the CA on the REE side packages the transaction data, the public key, and the signature data into a network data packet and sends the data packet to the network management module.
  • the network management module broadcasts the network data packet to other blockchain nodes of the entire network.
  • step S405 can be performed by the transaction data processing module 304_A.
  • FIG. 5 is a process subsequent to FIG. 4, after the wallet B (also referred to as the terminal device B) receives the network data packet.
  • the processing after the other nodes receive the network data packet is similar to the following, and will not be described in detail.
  • S501 The CA parses out three pieces of data: transaction data, public key, and signature data.
  • the CA invokes the SHA256 algorithm to hash the transaction data to obtain 256-bit summary data.
  • S503 The CA invokes the ECDSA verification signature algorithm to decrypt the signature data to obtain the original transaction summary data.
  • S504 Compare whether the summary data generated by S502 and S503 are equal. If they are equal, it indicates that the transaction data has not been tampered with, and accepts the transaction data; otherwise, the transaction data is discarded.
  • FIG. 6 is a schematic flowchart of a private key created by a TA provided by the present application, and can also be understood as a schematic flowchart of a private key management module for creating a private key.
  • the TA calls a random number generator to generate a 256-bit random number R1.
  • the random number generator is a hardware random number generator or a software random number generator.
  • the hardware random number generator has better randomness and higher security.
  • the implementation of the software random number generator and the hardware random number generator are all prior art in the prior art, wherein the software random number generator is a software functional unit, and the hardware random number generator is a hardware, and the specific implementation is prior art. This embodiment only needs to be called, and will not be described here.
  • S602 Perform a hash operation on the random number R1 by using a hash algorithm to obtain a 256-bit private key, and the hash algorithm may be a SHA (Secure Hash Algorithm) 256 algorithm.
  • SHA Secure Hash Algorithm
  • S603 Encrypt the private key obtained by S602 by using another random number R2 (which may also be understood as a random password, a password, or a key).
  • R2 which may also be understood as a random password, a password, or a key.
  • the specific encryption algorithm may be an AES (Advanced Encryption Standard) 256 algorithm or other encryption algorithm.
  • AES Advanced Encryption Standard
  • Another random number can be generated by calling the aforementioned random number generator or other random number generator.
  • S603 Store the value of R2 and the encrypted key.
  • the value of R2 in this embodiment can be updated. After R2 is updated, the corresponding decryption algorithm is executed on the encrypted key, and then the private key is re-encrypted with the new value.
  • FIG. 7 is a schematic diagram of the process of updating the random number R2.
  • S702 The TA encrypts the transaction digest using the decrypted secret key to obtain signature data.
  • the trigger random number generator generates a new random number as the value of R2.
  • the update of R2 in the implementation shown in Figure 7 is after performing a digital signature (S702).
  • the update of R2 may also be periodic, such as every 3 seconds, or periodically. Combined with the approach shown in Figure 7, or other update method determined as needed.
  • the method provided by the foregoing embodiment provides the security of the private key by using the trusted execution environment of the TrustZone architecture, and can solve the security risk problem caused by the creation, storage, and use of the private key in the untrusted environment to some extent, and improve the block.
  • FIG. 8 is a schematic structural diagram of a computer system according to an embodiment of the present disclosure.
  • the computer system can be a terminal device.
  • the computer system includes a communication module 510, a sensor 520, a user input module 530, an output module 540, a processor 550, an audio and video input module 560, a memory 570, and a power source 580.
  • Communication module 510 can include at least one module that enables communication between the computer system and a communication system or other computer system.
  • the communication module 510 can include one or more of a wired network interface, a broadcast receiving module, a mobile communication module, a wireless internet module, a local area communication module, and a location (or positioning) information module.
  • a wired network interface for example, a wireless network interface
  • a mobile communication module for example, a mobile communication module
  • a wireless internet module a wireless internet module
  • local area communication module a local area communication module
  • a location (or positioning) information module There are many implementations of these various modules in the prior art, and the present application does not describe them one by one.
  • Sensor 520 can sense the current state of the system, such as an open/closed state, position, contact with the user, direction, and acceleration/deceleration, and sensor 520 can generate a sensing signal for controlling the operation of the system.
  • the current state of the system such as an open/closed state, position, contact with the user, direction, and acceleration/deceleration
  • the user input module 530 is configured to receive input digital information, character information or contact touch/contactless gestures, and receive signal input related to user settings and function control of the system.
  • User input module 530 includes a touch panel and/or other input device.
  • the output module 540 includes a display panel for displaying information input by the user, information provided to the user, or various menu interfaces of the system, and the like.
  • the display panel can be configured in the form of a liquid crystal display (LCD) or an organic light-emitting diode (OLED).
  • the touch panel can cover the display panel to form a touch display.
  • the output module 540 may further include an audio output module, an alarm, a haptic module, and the like.
  • the audio and video input module 560 is configured to input an audio signal or a video signal.
  • the audio and video input module 560 can include a camera and a microphone.
  • the power supply 580 can receive external power and internal power under the control of the processor 550 and provide the power required for operation of the various components of the system.
  • Processor 550 can include one or more processors.
  • processor 150 can include one or more central processors, or can include a central processing unit and a graphics processor.
  • the processor 150 includes a plurality of processors, the plurality of processors may be integrated on the same chip, or may each be a separate chip.
  • a processor can include one or more physical cores, with the physical core being the smallest processing module.
  • the memory 570 stores a computer program including an operating system program 572, an application 571, and the like.
  • Typical operating systems such as Microsoft's Windows, Apple's MacOS, etc. for desktop or notebook systems, as developed by Google Inc.
  • Android A system such as a system for a mobile terminal.
  • the method provided by the foregoing embodiment may be implemented by means of software, and may be considered as a specific implementation of the application 571.
  • the memory 570 may be one or more of the following types: flash memory, hard disk type memory, micro multimedia card type memory, card memory (such as SD or XD memory), random access memory (random access memory) , RAM), static random access memory (SRAM), read only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable Read-only memory (PROM), magnetic memory, magnetic disk or optical disk.
  • the memory 570 can also be a network storage device on the Internet, and the system can perform operations such as updating or reading on the memory 570 on the Internet.
  • the processor 550 is configured to read a computer program in the memory 570 and then execute a computer program defined method, such as the processor 550 reading the operating system program 572 to run an operating system on the system and implementing various functions of the operating system, or reading One or more applications 571 are taken to run the application on the system.
  • the memory 570 also stores other data 573 than computer programs, such as blocks, private keys, transaction data, and random numbers, etc., as referred to in this application.
  • connection relationship of each module in FIG. 8 is only an example, and the method provided by any embodiment of the present application may also be applied to other connection mode terminal devices, for example, all modules are connected through a bus.
  • the method provided in this embodiment may also be applied to a non-terminal computer device, such as a cloud server.
  • the device embodiments described above are merely illustrative, wherein the modules described as separate components may or may not be physically separate, and the components displayed as modules may or may not be physical modules, ie may be located A place, or it can be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • the connection relationship between the modules indicates that there is a communication connection between them, and specifically, one or more communication buses or signal lines can be realized.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un système informatique. Un environnement d'exécution riche (REE) et un environnement d'exécution de confiance (TEE) sont déployés dans le système informatique; une unité fonctionnelle de chaîne de blocs basée sur une technologie de chaîne de blocs est en outre déployée dans le système informatique, et un module de gestion de clé privée et un module de traitement de données de transaction dans l'unité fonctionnelle de chaîne de blocs sont déployés dans le TEE, le module de gestion de clé privée étant destiné à créer une clé privée et à la stocker dans le TEE, et le module de traitement de données de transaction étant destiné à chiffrer des données de condensé impliquées dans l'unité fonctionnelle de chaîne de blocs à l'aide de la clé privée. Par placement de la clé privée impliquée dans le scénario de chaîne de blocs au niveau d'un côté TEE destiné à la création, au stockage et à l'utilisation, la sécurité de la clé privée est assurée au moyen du TEE d'une architecture TrustZone, et le problème de risque pour la sécurité provoqué par la clé privée dans un environnement non sécurisé est résolu dans une certaine mesure, ce qui permet d'améliorer la sécurité d'un système de chaîne de blocs.
PCT/CN2019/086111 2018-05-15 2019-05-09 Procédé et appareil de gestion de clé privée dans un scénario de chaîne de blocs, et système WO2019218919A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810458967.2 2018-05-15
CN201810458967.2A CN110492990B (zh) 2018-05-15 2018-05-15 区块链场景下的私钥管理方法、装置及系统

Publications (1)

Publication Number Publication Date
WO2019218919A1 true WO2019218919A1 (fr) 2019-11-21

Family

ID=68539534

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/086111 WO2019218919A1 (fr) 2018-05-15 2019-05-09 Procédé et appareil de gestion de clé privée dans un scénario de chaîne de blocs, et système

Country Status (2)

Country Link
CN (1) CN110492990B (fr)
WO (1) WO2019218919A1 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111178884A (zh) * 2019-12-16 2020-05-19 平安壹钱包电子商务有限公司 信息处理方法、装置、设备及可读存储介质
CN111192050A (zh) * 2019-12-31 2020-05-22 成都库珀区块链科技有限公司 一种数字资产私钥存储提取方法及装置
CN111400743A (zh) * 2020-04-07 2020-07-10 百度国际科技(深圳)有限公司 基于区块链网络的事务处理方法、装置、电子设备和介质
CN111538782A (zh) * 2020-04-14 2020-08-14 浙江浙燃能源有限公司 基于区块链的能源大数据管理系统
CN111565108A (zh) * 2020-07-15 2020-08-21 北京信安世纪科技股份有限公司 签名处理方法、装置及系统
CN113221141A (zh) * 2021-05-06 2021-08-06 杭州复杂美科技有限公司 钱包加密存储方法、签名方法、计算机设备和存储介质
CN114157431A (zh) * 2021-10-27 2022-03-08 上海朝夕网络技术有限公司 基于多变量签名方法的区块链交易处理方法及计算机设备
CN113395159B (zh) * 2021-01-08 2024-03-12 腾讯科技(深圳)有限公司 一种基于可信执行环境的数据处理方法以及相关装置

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110851851B (zh) * 2020-01-15 2020-11-06 蚂蚁区块链科技(上海)有限公司 一种块链式账本中的权限管理方法、装置及设备
CN111429254B (zh) * 2020-03-19 2021-09-10 腾讯科技(深圳)有限公司 一种业务数据处理方法、设备以及可读存储介质
CN111881474B (zh) * 2020-07-24 2023-09-15 杭州弦冰科技有限公司 基于可信计算环境的私钥管理方法和装置
CN112214780B (zh) * 2020-08-26 2021-06-25 腾讯科技(深圳)有限公司 一种数据处理方法、装置、智能设备及存储介质
CN113014539B (zh) * 2020-11-23 2022-05-17 杭州安芯物联网安全技术有限公司 一种物联网设备安全保护系统及方法
CN113656841A (zh) * 2021-07-28 2021-11-16 复旦大学 一种基于trustzone的区块链终端安全保障系统
CN114465761A (zh) * 2021-12-22 2022-05-10 航天信息股份有限公司 一种安全通讯与终端管理的系统及方法

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850200A (zh) * 2017-01-25 2017-06-13 中钞信用卡产业发展有限公司北京智能卡技术研究院 一种使用基于区块链的数字货币的方法、系统及终端
WO2018058441A1 (fr) * 2016-09-29 2018-04-05 Nokia Technologies Oy Procédé et appareil de calcul de confiance

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973341B2 (en) * 2015-01-23 2018-05-15 Daniel Robert Ferrin Method and apparatus for the limitation of the mining of blocks on a block chain
US10318746B2 (en) * 2015-09-25 2019-06-11 Mcafee, Llc Provable traceability
CN106991334B (zh) * 2016-11-24 2021-03-02 创新先进技术有限公司 一种数据存取的方法、系统及装置
CN106549749B (zh) * 2016-12-06 2019-12-24 杭州趣链科技有限公司 一种基于加法同态加密的区块链隐私保护方法
CN107920052B (zh) * 2017-08-02 2020-11-17 唐盛(北京)物联技术有限公司 一种加密方法及智能装置
CN107896150A (zh) * 2017-12-21 2018-04-10 善林(上海)金融信息服务有限公司 链接区块链网络和物联网的系统

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018058441A1 (fr) * 2016-09-29 2018-04-05 Nokia Technologies Oy Procédé et appareil de calcul de confiance
CN106850200A (zh) * 2017-01-25 2017-06-13 中钞信用卡产业发展有限公司北京智能卡技术研究院 一种使用基于区块链的数字货币的方法、系统及终端

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MIRAJE GENTILAL: "Trustzone-backed Bitcoin Wallet", CS 2 '17 PROCEEDINGS OF THE FOURTH WORKSHOP ON CRYPTOGRAPHY AND SECURITY IN COMPUTING SYSTEMS, 24 January 2017 (2017-01-24), pages 25 - 28, XP058317237 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111178884A (zh) * 2019-12-16 2020-05-19 平安壹钱包电子商务有限公司 信息处理方法、装置、设备及可读存储介质
CN111178884B (zh) * 2019-12-16 2024-04-12 平安壹钱包电子商务有限公司 信息处理方法、装置、设备及可读存储介质
CN111192050B (zh) * 2019-12-31 2023-08-11 成都库珀创新科技有限公司 一种数字资产私钥存储提取方法及装置
CN111192050A (zh) * 2019-12-31 2020-05-22 成都库珀区块链科技有限公司 一种数字资产私钥存储提取方法及装置
CN111400743A (zh) * 2020-04-07 2020-07-10 百度国际科技(深圳)有限公司 基于区块链网络的事务处理方法、装置、电子设备和介质
CN111400743B (zh) * 2020-04-07 2023-08-15 百度国际科技(深圳)有限公司 基于区块链网络的事务处理方法、装置、电子设备和介质
CN111538782A (zh) * 2020-04-14 2020-08-14 浙江浙燃能源有限公司 基于区块链的能源大数据管理系统
CN111538782B (zh) * 2020-04-14 2023-08-08 浙江浙燃能源有限公司 基于区块链的能源大数据管理系统
CN111565108A (zh) * 2020-07-15 2020-08-21 北京信安世纪科技股份有限公司 签名处理方法、装置及系统
CN113395159B (zh) * 2021-01-08 2024-03-12 腾讯科技(深圳)有限公司 一种基于可信执行环境的数据处理方法以及相关装置
CN113221141B (zh) * 2021-05-06 2022-07-19 杭州复杂美科技有限公司 钱包加密存储方法、签名方法、计算机设备和存储介质
CN113221141A (zh) * 2021-05-06 2021-08-06 杭州复杂美科技有限公司 钱包加密存储方法、签名方法、计算机设备和存储介质
CN114157431A (zh) * 2021-10-27 2022-03-08 上海朝夕网络技术有限公司 基于多变量签名方法的区块链交易处理方法及计算机设备

Also Published As

Publication number Publication date
CN110492990A (zh) 2019-11-22
CN110492990B (zh) 2021-10-15

Similar Documents

Publication Publication Date Title
WO2019218919A1 (fr) Procédé et appareil de gestion de clé privée dans un scénario de chaîne de blocs, et système
KR102074116B1 (ko) 블록체인 노드 통신 방법 및 장치
EP3704613B1 (fr) Fourniture d'environnement(s) d'exécution de confiance sur la base d'une chaîne de confiance comprenant une plate-forme
US10116645B1 (en) Controlling use of encryption keys
EP3387813B1 (fr) Dispositif mobile ayant un environnement d'exécution sécurisé
US9838205B2 (en) Network authentication method for secure electronic transactions
ES2687191T3 (es) Método de autentificación de red para transacciones electrónicas seguras
TWI601405B (zh) 用於雲端輔助式密碼術之方法及設備
JP6545136B2 (ja) ウェブページの暗号化送信のためのシステム及び方法
EP3437322B1 (fr) Fourniture d'un accès exceptionnel à faible risque
JP5852265B2 (ja) 計算装置、コンピュータプログラム及びアクセス許否判定方法
US9413754B2 (en) Authenticator device facilitating file security
US9621524B2 (en) Cloud-based key management
JP2020528224A (ja) 信頼できる実行環境におけるスマート契約動作のセキュアな実行
US20160294794A1 (en) Security System For Data Communications Including Key Management And Privacy
WO2015180691A1 (fr) Procédé et dispositif d'accord sur des clés pour informations de validation
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
US10003467B1 (en) Controlling digital certificate use
WO2022028289A1 (fr) Procédé et appareil de chiffrement de données, procédé et appareil de déchiffrement de données, terminal et support d'enregistrement
US10045212B2 (en) Method and apparatus for providing provably secure user input/output
JP6756056B2 (ja) 身元検証による暗号チップ
KR20150087205A (ko) 보안 통신 아키텍쳐
WO2018112482A1 (fr) Procédé et système de distribution de clé d'attestation et de certificat dans un environnement informatique de confiance
JP2022534677A (ja) ブロックチェーンを使用するオンラインアプリケーションおよびウェブページの保護
US10462113B1 (en) Systems and methods for securing push authentications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19802901

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19802901

Country of ref document: EP

Kind code of ref document: A1