CN107919954A - A kind of block chain user key guard method and device based on SGX - Google Patents

A kind of block chain user key guard method and device based on SGX Download PDF

Info

Publication number
CN107919954A
CN107919954A CN201710989478.5A CN201710989478A CN107919954A CN 107919954 A CN107919954 A CN 107919954A CN 201710989478 A CN201710989478 A CN 201710989478A CN 107919954 A CN107919954 A CN 107919954A
Authority
CN
China
Prior art keywords
key
block chain
user
sgx
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710989478.5A
Other languages
Chinese (zh)
Other versions
CN107919954B (en
Inventor
陈建海
刘丁豪
王津航
何钦铭
黄步添
林威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN201710989478.5A priority Critical patent/CN107919954B/en
Publication of CN107919954A publication Critical patent/CN107919954A/en
Application granted granted Critical
Publication of CN107919954B publication Critical patent/CN107919954B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of block chain user key protective device based on SGX, including:SGX encrypting modules, confidence space is generated based on software protecting extended instruction, and generates the access key for being used for verifying the confidence space access rights;The confidence space is used for the user key and cipher key operation function of memory block chain network;Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting modules, calls cipher key operation function therein, realizes the verification common recognition to transaction;Transaction constructing module, initiates transaction according to the user's intention, by the access cipher key access SGX encrypting modules, calls cipher key operation function therein, realizes the filling of Transaction Information with legalizing, and broadcast the transaction to block chain network.The invention also discloses block chain user key guard method.This method can effectively resist Malware to the sniff of user local key with cracking, and protect the block chain assets of user from infringement.

Description

A kind of block chain user key guard method and device based on SGX
Technical field
The present invention relates to block chain application field, more particularly to a kind of block chain user key guard method based on SGX And device.
Background technology
The development of the emerging technologies such as cloud computing, internet and big data so that conventional center system information data is total to It is increasingly urgent to enjoy demand.However, centralized system lacks a kind of safe and reliable mechanism, it is always the pain spot of reality.With than Deeply, bottom block chain technology is drawn in recent years to solve the problems, such as that real pain spot provides effective means for the rise and application of special coin Extensive concern is played.Block chain technology is born as bit coin Floor layer Technology with architecture, it is substantially one and goes The accounting system of the heart, a similar Distributed sharing account book.New block catenary system uses P2P network technologies, cryptography, is total to Know algorithm, the intelligent technology such as contract and distributed data base, there are data can not distort, system collective safeguards, information discloses The bright characteristic for waiting traditional account book system too far behind to catch up, this makes a kind of great potential, decentralization Assets Reorganization Taking science and engineering Tool and technology.
Publicly-owned block chain using bit coin as representative so that block chain has the key property of issue value assets.User Key is the significant data in block catenary system.The safety of key is the important leverage of user's right.In block catenary system, number The ownership of word assets (such as bit coin) is established by digital cipher and digital signature.Digital cipher is not deposited actually Block chain network is stored in, but keeping is responsible for by each user, is maintained secrecy to other people.The security of block chain is just to rely on key Decentralised control.Meanwhile the decentralization trust of block chain is also all based on modern password with characteristics such as control, ownership certifications What key mechanism was realized.According to Cryptography Principles, only effective key could generate effective digital signature, only have The digital signature of effect can just make the transaction on chain effective.This has fundamentally prevented the possibility that transaction is forged on block chain, ensures The interests of user.
As soon as however, possess the key or its copy of a user account if there is third party, then third party user's energy Account assets of the actual control corresponding to the key.Therefore, for a user, once lose or damage key, user Oneself corresponding total assets may be thoroughly lost, and means are given for change without any.For a healthy and strong block link network Network, careless omission of the unique user in key management can't influence the stabilization of whole network, but user will undertake whole Consequence.In addition, the modern general-purpose operating system is not fool proof, be also not suitable for storing key information with document form.Especially with The popularization of Internet technology, our computer is for a long time by internet exposed to outer, and during which Malware or program can be with It is concealed and easily steal local data;Or the carelessness due to operator, it is mixed into Malware and is installed on local, Jin Erwei Coerce all important local datas.
To protect key, mainly there are two kinds of common methods.The first is stored after key is encrypted.This is a kind of common Security means, but the effect of this method is influenced by specific Encryption Algorithm and means.Because by data simple encryption and it is stored in Operating system is local, and Malware still has an opportunity continuous access, and can attempt to decrypt and obtain key, complicated evil in period Meaning software even can directly extract confidential data from memory, threaten key safety;Excessively complicated encryption method is then use The maintenance at family brings very big burden, in some instances it may even be possible to " loss " key because of forgetting or lost part encryption details.It is another opposite Safer method is to use physical store, i.e., key or encrypted key information is recorded in the physics such as paper, plastics, metal Medium, and back up multiple be subject to respectively securely held (being such as locked into safety box).But this method can cause using key just Victory declines.(particularly part professional user, or block chain are handed over using itself because once the frequency of use of key rises Easily frequently), user just has to handle cumbersome write operation one by one.
For compromise between security and availability, anti-tamper " wallet " technology of professional hardware is come into being.Unlike be easy to by To the common soft and hardware of attack, hardware wallet only provides very limited amount of interface, or even the generation system and correlation of built-in key Proving program, externally only exports the signature of private key, so as to provide safe class almost safe against all possibilities for unprofessional user, at the same time Also there is suitable ease for operation.For the risk evaded damage with lost, hardware wallet is usually very firm, and provides to the user The approach of physical backup private key.But the framework of its highly-specialised generally requires tightly to dock with the application of specific block chain, So as to be allowed to be difficult to be designed to a common apparatus.Do not have general type block chain key storage hardware at present, only for specific The dedicated hardware wallet (such as Trezor) of block chain application (such as bit coin).
Intel SGX (Software Guard Extensions) is a set of cpu instruction, can be supported safe using creating Area (enclave):Shielded region in application address space, it may be ensured that the machine of the terminal operating system environmentally information content Close property and integrality.The memory content for attempting to access enclave from software respective is not allowed to, even enhanced privileges are soft Part (such as master operating system, monitor of virtual machine etc.) does not allow to access.The secure border of enclave only comprising CPU and it from Body.The enclave that SGX is created is it can be appreciated that a credible performing environment TEE.A CPU can be run more in SGX technologies A safe enclaves, support concurrently perform.
The content of the invention
The present invention provides a kind of block chain user key protective device based on SGX, in the visitor of block chain application system Family end node introduces SGX, and the block chain user key protective device and various block chain network are compatible, can be used as block chain The node administration component of network, key preservation and the service for checking credentials are provided for block chain network user.
A kind of block chain user key protective device based on SGX, including:
SGX encrypting modules, confidence space is generated based on software protecting extended instruction, and is generated and be used to verify the credible sky Between access rights access key;The confidence space is used for the user key and cipher key operation function of memory block chain network;
Transaction common recognition module, receives the transaction from block chain network, and mould is encrypted by the access cipher key access SGX Block, calls cipher key operation function therein, realizes the verification common recognition to transaction;
Transaction constructing module, initiates transaction according to the user's intention, and cipher key access SGX encrypting modules are accessed by described, Cipher key operation function therein is called, realizes the filling of Transaction Information with legalizing, and the transaction is broadcasted to block chain network.
Preferably, the SGX encrypting modules include:
User's space, including processing space and confidence space;The processing space is used to load user key and key behaviour Make the certificate information of function, the confidence space is used to store user key and cipher key operation function;
SGX drivers, are the user by being measured to the certificate information of user key and cipher key operation function Key and cipher key operation function distribution confidence space, it is hard to pass to SGX by the certificate information of user key and cipher key operation function Part processor;
SGX hardware processors, carry out user key and cipher key operation function certificate information and the integrality of confidence space Verification, gives birth to according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor characteristics of user key and cipher key operation function certificate Into the access key of confidence space, confidence space is encrypted by accessing key.
The SGX drivers belong to operating system;SGX hardware processors belong to hardware architecture.
The access key of confidence space is block chain network user key, cipher key operation function and the SGX hardware by user The physical hardware information of processor intersects generation, ensure that the security and validity of associated verification step.
Present invention also offers a kind of block chain user key guard method based on SGX, this method is by introducing Intel SGX hardware to block chain network user client node, using enclave (confidence space) mechanism of SGX, in local structure Safe user key memory space and corresponding accessing operation are built, realizes secure storage and the use of local user's key.
A kind of block chain user key guard method based on SGX, including:
(1) obtain user key and be stored in SGX encrypting modules;
(2) relevant cipher key operation is handled.
Step (1) includes:
(1-1) obtains the user key of block chain accreditation with secure way;
In the case of needing user to be autonomously generated user key, generate user key the step of should be in the equipment of safety (such as from the emergency PC of failed cluster) is by the complete seed of cryptography and algorithm according to regulation form generation.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety Close mode obtains;Or obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all It is recommended that user carries out safe backup in advance to the user key of acquisition.It is proposed with physical store or the storage of offline secure equipment User key is backed up etc. mode;And more parts are backed up, give secure storage respectively.
(1-3) generates public key from user key and is stored in local;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key Coin), oneself it is transacting targeted so that other people specify.So needs perform the step to generate and user before user key is stored The corresponding public key of key, is stored in local.
The address of public key generation can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network With the block catenary system (such as each user can inquire the address of each user to block chain network) of address, which can be by block chain Network is completed.
User key is stored in SGX encrypting modules by (1-4).
Step (1-4) includes:
(a) certificate of user key and cipher key operation function is generated, by user key and cipher key operation function and the card Book is uploaded in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX drivers, Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to In confidence space, data in delete processing space afterwards;
(c) SGX drivers obtain the certificate information of user key and cipher key operation function and pass to SGX hardware handles Device;SGX hardware processors generate confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processors itself of certificate information Access key, confidence space is encrypted by accessing key;
(d) repeat step (a)~(c), establishes multiple confidence spaces, and more parts of user keys of backup are stored in difference respectively Confidence space in.
In step (2), handling relevant cipher key operation includes processing key behaviour as caused by block chain network is passed to transaction Work and the cipher key operation as caused by user initiates transaction.
Processing cipher key operation as caused by block chain network is passed to transaction comprises the following steps:
(i) block chain client receives the Transaction Information that block chain network is passed to;
(ii) calling in the verification function pair transaction outside SGX places of safety is not required the part of user key to be verified, counts Calculate the priority of transaction and be ranked up;
The verification of the part is limited to the verification that user key is not required, for example, verify transaction whether version correct, transaction Whether amount of assets is legal etc..The framework depending on specific block chain selectively completes the behaviour such as priority calculating and the sequence of transaction at the same time Make.
(iii) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain credible The part of user key is needed to be verified in key authentication function pair transaction in space;
Need the verification of the part of user key to be limited to the verification for needing user key, for example, determine it is transacting targeted whether be Oneself etc..
(iv) check the call result to key authentication function, if call result is abnormal, call another credible sky Interior key authentication function, until call result is normal;Checking information is packed into verification result afterwards, completes testing for transaction Card;
(v) sent and fed back to block chain network according to verification result;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or it is illegal to block chain network feedback trading.
Processing cipher key operation as caused by user initiates transaction comprises the following steps:
(I) block chain client builds transaction outside SGX places of safety;
In the step, block chain client needs to merchandise according to the regular legal construction of respective block chain, is supplemented for transaction The necessary informations such as destination address, turnover;At the same time the signing messages of oneself need not be provided in the step, block chain client;
(II) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain credible sky Interior key signature function obtains user key signature;
(I II) checks the call result to key signature function, if call result is abnormal, calls another credible sky Interior key signature function, until call result is normal;Signing messages is packed into Transaction Information afterwards, completes the structure of transaction Build;
(IV) broadcast and merchandise to block chain network.
Compared with prior art, beneficial effects of the present invention are:
(1) the block chain user key protective device based on SGX of the invention has both security, availability and general at the same time Property, Malware can be effectively resisted to the sniff of user local key with cracking, and protect the block chain assets of user from infringement;
(2) operation of block chain client is divided into two independent sectors, and each part uses different key call functions, Improve the operational paradigm of block chain client.Operation of two parts to key at the same time is placed on Enclave (confidence space) Interior execution, external program can not learn key information and relevant operation.Key will not be come across with clear-text way it is any can not Believe memory, memory overflow attack can be resisted;
(3) a kind of more Enclave mechanism are given, further improve the security of key preservation.It is even if single Enclave is damaged, and client remains to normal operation, and user can receive the feedback of Enclave damages at the same time, is taken further Client is safeguarded in specific aim measure, protects key;
(4) a set of safe operating process is given for being not affected by the key pre-write of SGX protections, can effectively reduces use The security threat that family key is subject to before being protected by SGX.
Brief description of the drawings
Fig. 1 is the structure and workflow schematic diagram that the block chain user key based on SGX protects client;
Fig. 2 is acquisition user key and is stored in the flow diagram of SGX encrypting modules;
Fig. 3 is the flow diagram of processing cipher key operation as caused by block chain network is passed to transaction;
Fig. 4 is the flow diagram of processing cipher key operation as caused by user initiates transaction.
Embodiment
The present invention is described in further detail with reference to the accompanying drawings and examples.
The block chain user key protective device based on SGX of the present embodiment, including 3 software modules:Transaction common recognition mould Block, transaction constructing module and SGX encrypting modules, its Row control is as shown in Figure 1, specific as follows:
(1) preliminary treatment:The acquisition and write-in of progress block chain key in advance are needed before the operation of block chain client SGX, its flow are as shown in Figure 2.
(1-1) obtains the user key of block chain accreditation with secure way;
In the case of needing user to be autonomously generated user key, generate user key the step of should be in the equipment of safety (such as from the emergency PC of failed cluster) is by the complete seed of cryptography and algorithm according to regulation form generation.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety Close mode obtains;Or obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all It is recommended that user carries out safe backup in advance to the user key of acquisition.It is proposed with physical store or the storage of offline secure equipment User key is backed up etc. mode;And more parts are backed up, give secure storage respectively.
(1-3) is from user key generation public key and storage and locally;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key Coin), oneself it is transacting targeted so that other people specify.So needs perform the step to generate and user before user key is stored The corresponding public key of key, is stored in local.
The address of public key generation can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network With the block catenary system (such as each user can inquire the address of each user to block chain network) of address, which can be by block chain Network is completed.
User key is stored in SGX encrypting modules by (1-4).
Step (1-4) includes:
(a) generate the certificate of user key and cipher key operation function, by user key and and cipher key operation function with it is described Certificate is uploaded in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX drivers, Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to In confidence space, data in delete processing space afterwards;
(c) SGX drivers obtain the certificate information of user key and cipher key operation function and pass to SGX hardware handles Device;SGX hardware processors generate confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processors itself of certificate information Access key, confidence space is encrypted by accessing key.
(d) repeat step (a)~(c), establishes multiple confidence spaces, and more parts of user keys of backup are stored in difference respectively Confidence space in.
Key deposit SGX SGX encrypting modules are used into wherein, its effect is generated based on software protecting extended instruction Enclave stores the key information of user and cipher key operation function, and generates to verify the close of confidence space access rights Key, operates with for subsequent access.The process establishes multiple enclave (being 3 in this example, such as Fig. 1) at the same time, to ensure Block chain client remains to normal operation when extremely single enclave is damaged in special circumstances, and gives user feedback to repair The enclave of damage, avoids user's Lost Security Key in the case of unwitting.
(2) common recognition of merchandising processing:The part is common to complete transaction common recognition using transaction common recognition module and SGX encrypting modules Processing, its flow are as shown in Figure 3.The effect of transaction common recognition module is to receive the transaction flow from block chain network, and carries out lattice The authentication functions such as formula verification, number of deals verification, by calling SGX encrypting modules to complete to need user key in verification process Verification, final realize know together the verification merchandised in network.Once the verification function in place of safety returns to exception, just call another Identical verification function in a place of safety, until completing verification.The effect of SGX encrypting modules herein is provided for common recognition processing It is capable of the verification function of security invocation user blocks chain account key.
Comprise the following steps:
(i) block chain client receives the Transaction Information that block chain network is passed to;
(ii) calling in the verification function pair transaction outside SGX places of safety is not required the part of user key to be verified, counts Calculate the priority of transaction and be ranked up;
The verification of the part is limited to the verification that user key is not required, for example, verify transaction whether version correct, transaction Whether amount of assets is legal etc..The framework depending on specific block chain selectively completes the behaviour such as priority calculating and the sequence of transaction at the same time Make.
(iii) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain credible The part of user key is needed to be verified in key authentication function pair transaction in space;
Need the verification of the part of user key to be limited to the verification for needing user key, for example, determine it is transacting targeted whether be Oneself etc..
(iv) check the call result to key authentication function, if call result is abnormal, call another credible sky Interior key authentication function, until call result is normal;Checking information is packed into verification result afterwards, completes testing for transaction Card;
(v) sent and fed back to block chain network according to verification result;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or it is illegal to block chain network feedback trading.
(3) transaction Construction treatment:The part is common to complete transaction construction using transaction constructing module and SGX encrypting modules It is as shown in Figure 4 with initiation, its flow.Constructing module of merchandising initiates transaction according to the intention of user, by calling SGX encrypting modules The filling of Transaction Information is realized with legalizing, and the transaction is broadcasted to the whole network.Once the signature function in place of safety returns to exception, Just the same signature function in another place of safety is called, until completing transaction structure.The effect of SGX encrypting modules herein is The signature function for being capable of security invocation user blocks chain account key is provided for transaction construction.
Comprise the following steps:
(I) block chain client builds transaction outside SGX places of safety;
In the step, block chain client needs to merchandise according to the regular legal construction of respective block chain, is supplemented for transaction The necessary informations such as destination address, turnover;At the same time the signing messages of oneself need not be provided in the step, block chain client;
(II) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain credible sky Interior key signature function obtains user key signature;
The signature of the step is used to confirm that the assets that oneself is initiated in transaction are effective.
(I II) checks the call result to key signature function, if call result is abnormal, calls another credible sky Interior key signature function, until call result is normal;Signing messages is packed into Transaction Information afterwards, completes the structure of transaction Build;
If call result is abnormal, illustrates the user key damage in the confidence space, then call another confidence space Interior signature function reacquires signature.
(IV) broadcast and merchandise to block chain network.
Technical scheme and beneficial effect is described in detail in embodiment described above, it should be understood that The foregoing is merely the specific embodiment of the present invention, it is not intended to limit the invention, it is all to be done in the spirit of the present invention Any modification, supplementary, and equivalent replacement etc., should all be included in the protection scope of the present invention.

Claims (7)

  1. A kind of 1. block chain user key protective device based on SGX, it is characterised in that including:
    SGX encrypting modules, confidence space is generated based on software protecting extended instruction, and is generated and be used to verify that the confidence space is visited Ask the access key of authority;The confidence space is used for the user key and cipher key operation function of memory block chain network;
    Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting modules, adjusts With cipher key operation function therein, the verification common recognition to transaction is realized;
    Transaction constructing module, initiates transaction according to the user's intention, passes through the access cipher key access SGX encrypting modules, calls Cipher key operation function therein, realizes the filling of Transaction Information with legalizing, and broadcast the transaction to block chain network.
  2. 2. block chain user key protective device according to claim 1, it is characterised in that the SGX encrypting modules Including:
    User's space, including processing space and confidence space;The processing space is used to load user key and cipher key operation letter Several certificate informations, the confidence space are used to store user key and cipher key operation function;
    SGX drivers, are the user key by being measured to the certificate information of user key and cipher key operation function Confidence space is distributed with cipher key operation function, the certificate information of user key and cipher key operation function is passed at SGX hardware Manage device;
    SGX hardware processors, verify user key and cipher key operation function certificate information and the integrality of confidence space, Generated according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor characteristics of user key and cipher key operation function certificate credible The access key in space, is encrypted confidence space by accessing key.
  3. A kind of 3. block chain user key guard method based on SGX, it is characterised in that including:
    (1) obtain user key and be stored in SGX encrypting modules;
    (2) relevant cipher key operation is handled, including processing cipher key operation as caused by block chain network is passed to transaction and by user Initiate cipher key operation caused by transaction.
  4. 4. block chain user key guard method according to claim 3, it is characterised in that step (1) includes:
    (1-1) obtains the user key of block chain accreditation with secure way;
    (1-2) backs up user key;
    (1-3) generates public key from user key and is stored in local;
    User key is stored in SGX encrypting modules by (1-4).
  5. 5. block chain user key guard method according to claim 4, it is characterised in that step (1-4) includes:
    (a) certificate of user key and cipher key operation function is generated, by user key and cipher key operation function and the certificate one Rise and upload in processing space;
    The cipher key operation function includes key authentication function and key signature function;
    (b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX drivers, being can Believe space distribution address space and page, create confidence space, and user key and cipher key operation function copied to credible In space, data in delete processing space afterwards;
    (c) SGX drivers obtain the certificate information of user key and cipher key operation function and pass to SGX hardware processors;SGX Hardware processor generates the access of confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processors itself of certificate information Key, is encrypted confidence space by accessing key;
    (d) repeat step (a)~(c), establishes multiple confidence spaces, by more parts of user keys of backup be stored in respectively it is different can Believe in space.
  6. 6. block chain user key guard method according to claim 3, it is characterised in that in step (2), handle by area Block chain network be passed to transaction caused by cipher key operation comprise the following steps:
    (i) block chain client receives the Transaction Information that block chain network is passed to;
    (ii) calling in the verification function pair transaction outside SGX places of safety is not required the part of user key to be verified, calculates and hands over Easy priority is simultaneously ranked up;
    (iii) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain confidence space The part of user key is needed to be verified in interior key authentication function pair transaction;
    (iv) check the call result to key authentication function, if call result is abnormal, call in another confidence space Key authentication function, until call result is normal;Checking information is packed into verification result afterwards, completes the verification of transaction;
    (v) sent and fed back to block chain network according to verification result;
    If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
    If authentication failed, stop propagating the transaction, or it is illegal to block chain network feedback trading.
  7. 7. block chain user key guard method according to claim 3, it is characterised in that in step (2), handle by with Cipher key operation caused by the initiation transaction of family comprises the following steps:
    (I) block chain client builds transaction outside SGX places of safety;
    (II) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls in a certain confidence space Key signature function obtain user key signature;
    (III) check the call result to key signature function, if call result is abnormal, call in another confidence space Key signature function, until call result is normal;Signing messages is packed into Transaction Information afterwards, completes the structure of transaction;
    (IV) broadcast and merchandise to block chain network.
CN201710989478.5A 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction Active CN107919954B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710989478.5A CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710989478.5A CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Publications (2)

Publication Number Publication Date
CN107919954A true CN107919954A (en) 2018-04-17
CN107919954B CN107919954B (en) 2019-05-14

Family

ID=61894889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710989478.5A Active CN107919954B (en) 2017-10-20 2017-10-20 A kind of block chain user key guard method and device based on SGX software protecting extended instruction

Country Status (1)

Country Link
CN (1) CN107919954B (en)

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108921557A (en) * 2018-07-06 2018-11-30 佛山伊苏巨森科技有限公司 A method of it is traded by the system and protection of block chain network protection transaction
CN109101822A (en) * 2018-07-10 2018-12-28 西安交通大学 A method of solving data-privacy leakage problem in multi-party calculate
CN109150517A (en) * 2018-09-04 2019-01-04 大唐高鸿信安(浙江)信息科技有限公司 Key security management system and method based on SGX
CN109766712A (en) * 2018-12-14 2019-05-17 华东师范大学 A kind of reference report circulation method based on block chain and Intel SGX
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN109934579A (en) * 2018-11-30 2019-06-25 上海点融信息科技有限责任公司 For the key generation method of block chain network, endorsement method, storage medium, calculate equipment
CN110011801A (en) * 2018-11-16 2019-07-12 阿里巴巴集团控股有限公司 Remote certification method and device, the electronic equipment of trusted application
CN110020855A (en) * 2019-01-31 2019-07-16 阿里巴巴集团控股有限公司 Method, the node, storage medium of secret protection are realized in block chain
CN110022316A (en) * 2019-03-29 2019-07-16 阿里巴巴集团控股有限公司 The method and apparatus for creating block chain account and resetting account key
CN110032876A (en) * 2019-02-19 2019-07-19 阿里巴巴集团控股有限公司 Method, node and the storage medium of secret protection are realized in block chain
CN110223172A (en) * 2019-05-20 2019-09-10 阿里巴巴集团控股有限公司 The receipt storage method and node of conditional combination code mark and type dimension
CN110222485A (en) * 2019-05-14 2019-09-10 浙江大学 Industry control white list management system and method based on SGX software protecting extended instruction
CN110266659A (en) * 2019-05-31 2019-09-20 联想(北京)有限公司 A kind of data processing method and equipment
CN110264196A (en) * 2019-05-20 2019-09-20 阿里巴巴集团控股有限公司 In conjunction with the conditional receipt storage method and node of code mark and user type
CN110443710A (en) * 2019-08-02 2019-11-12 中国工商银行股份有限公司 A kind of the block catenary system and method for batch signature
CN110675253A (en) * 2019-08-15 2020-01-10 山大地纬软件股份有限公司 Block chain-based exclusive digital asset trusted keeping and transferring device and method
CN110781492A (en) * 2018-07-31 2020-02-11 阿里巴巴集团控股有限公司 Data processing method, device, equipment and storage medium
CN110892696A (en) * 2019-04-19 2020-03-17 阿里巴巴集团控股有限公司 Method and apparatus for establishing communication between blockchain networks
CN110889696A (en) * 2019-11-27 2020-03-17 杭州趣链科技有限公司 Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology
CN111095899A (en) * 2019-04-26 2020-05-01 阿里巴巴集团控股有限公司 Distributed key management for trusted execution environments
CN111159018A (en) * 2019-12-17 2020-05-15 浙江大学 Software protection extended instruction SGX-based online fuzzy test system and method
CN111160905A (en) * 2019-12-17 2020-05-15 浙江大学 Block chain node user request processing protection method and device
CN111325545A (en) * 2018-12-13 2020-06-23 北京沃东天骏信息技术有限公司 Key management method, device and equipment based on block chain
CN111404896A (en) * 2020-03-06 2020-07-10 杭州云象网络技术有限公司 Non-central identity authentication method based on SGX
CN111475782A (en) * 2020-04-08 2020-07-31 浙江大学 API (application program interface) key protection method and system based on SGX (secure gateway) software extension instruction
CN111709745A (en) * 2020-06-09 2020-09-25 浙江大学 SGX-based block chain transaction security protection system and method thereof
CN111767555A (en) * 2019-01-31 2020-10-13 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN111767556A (en) * 2019-01-31 2020-10-13 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN111898156A (en) * 2019-01-31 2020-11-06 创新先进技术有限公司 Method, node and storage medium for realizing contract calling in block chain
CN112119610A (en) * 2018-05-14 2020-12-22 区块链控股有限公司 Improved system and method for storage, generation and verification of tokens for controlling access to resources
CN112235301A (en) * 2020-10-14 2021-01-15 北京金山云网络技术有限公司 Method and device for verifying access authority and electronic equipment
CN112765595A (en) * 2018-11-16 2021-05-07 创新先进技术有限公司 Cross-block-chain data processing method and device, client and block chain system
CN112970227A (en) * 2018-10-17 2021-06-15 区块链控股有限公司 Computer-implemented system and method including public key combination verification
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113055376A (en) * 2021-03-10 2021-06-29 电子科技大学 Block chain data protection system
CN114301928A (en) * 2021-11-29 2022-04-08 之江实验室 SGX-based chain uplink and downlink mixed consensus method and system
CN114629684A (en) * 2022-02-16 2022-06-14 深圳番多拉信息科技有限公司 Permission token processing method, system, device and storage medium based on block chain
CN116260595A (en) * 2023-05-15 2023-06-13 豪符密码检测技术(成都)有限责任公司 Cloud password detection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160379212A1 (en) * 2015-06-26 2016-12-29 Intel Corporation System, apparatus and method for performing cryptographic operations in a trusted execution environment
CN106533694A (en) * 2016-11-03 2017-03-22 浙江大学 Method and system for implementation of Openstack token access protection mechanism
US20170091467A1 (en) * 2015-09-25 2017-03-30 Mcafee, Inc. Provable traceability
CN107113284A (en) * 2014-11-26 2017-08-29 英特尔公司 For the trusted computing base evidence binding of transportable virtual machine
CN107209722A (en) * 2015-02-23 2017-09-26 英特尔公司 For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave
US20170285633A1 (en) * 2016-04-01 2017-10-05 Lntel Corporation Drone control registration

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107113284A (en) * 2014-11-26 2017-08-29 英特尔公司 For the trusted computing base evidence binding of transportable virtual machine
CN107209722A (en) * 2015-02-23 2017-09-26 英特尔公司 For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave
US20160379212A1 (en) * 2015-06-26 2016-12-29 Intel Corporation System, apparatus and method for performing cryptographic operations in a trusted execution environment
US20170091467A1 (en) * 2015-09-25 2017-03-30 Mcafee, Inc. Provable traceability
US20170285633A1 (en) * 2016-04-01 2017-10-05 Lntel Corporation Drone control registration
CN106533694A (en) * 2016-11-03 2017-03-22 浙江大学 Method and system for implementation of Openstack token access protection mechanism

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112119610A (en) * 2018-05-14 2020-12-22 区块链控股有限公司 Improved system and method for storage, generation and verification of tokens for controlling access to resources
CN112166578A (en) * 2018-05-14 2021-01-01 区块链控股有限公司 Improved system and method for storage, generation and verification of tokens for controlling access to resources
CN108921557A (en) * 2018-07-06 2018-11-30 佛山伊苏巨森科技有限公司 A method of it is traded by the system and protection of block chain network protection transaction
CN109101822A (en) * 2018-07-10 2018-12-28 西安交通大学 A method of solving data-privacy leakage problem in multi-party calculate
CN110781492B (en) * 2018-07-31 2023-09-26 阿里巴巴集团控股有限公司 Data processing method, device, equipment and storage medium
CN110781492A (en) * 2018-07-31 2020-02-11 阿里巴巴集团控股有限公司 Data processing method, device, equipment and storage medium
CN109150517A (en) * 2018-09-04 2019-01-04 大唐高鸿信安(浙江)信息科技有限公司 Key security management system and method based on SGX
CN112970227A (en) * 2018-10-17 2021-06-15 区块链控股有限公司 Computer-implemented system and method including public key combination verification
CN110011801B (en) * 2018-11-16 2020-10-20 创新先进技术有限公司 Remote certification method and device for trusted application program and electronic equipment
CN112765595B (en) * 2018-11-16 2024-05-10 创新先进技术有限公司 Cross-blockchain data processing method, device, client and blockchain system
CN110011801A (en) * 2018-11-16 2019-07-12 阿里巴巴集团控股有限公司 Remote certification method and device, the electronic equipment of trusted application
CN112765595A (en) * 2018-11-16 2021-05-07 创新先进技术有限公司 Cross-block-chain data processing method and device, client and block chain system
CN109934579A (en) * 2018-11-30 2019-06-25 上海点融信息科技有限责任公司 For the key generation method of block chain network, endorsement method, storage medium, calculate equipment
CN111325545A (en) * 2018-12-13 2020-06-23 北京沃东天骏信息技术有限公司 Key management method, device and equipment based on block chain
CN111325545B (en) * 2018-12-13 2023-05-02 北京沃东天骏信息技术有限公司 Key management method, device and equipment based on blockchain
CN109766712A (en) * 2018-12-14 2019-05-17 华东师范大学 A kind of reference report circulation method based on block chain and Intel SGX
CN110020855A (en) * 2019-01-31 2019-07-16 阿里巴巴集团控股有限公司 Method, the node, storage medium of secret protection are realized in block chain
CN111767555A (en) * 2019-01-31 2020-10-13 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN111898156B (en) * 2019-01-31 2024-04-16 创新先进技术有限公司 Method, node and storage medium for realizing contract call in block chain
CN111898156A (en) * 2019-01-31 2020-11-06 创新先进技术有限公司 Method, node and storage medium for realizing contract calling in block chain
CN111767556A (en) * 2019-01-31 2020-10-13 阿里巴巴集团控股有限公司 Method for realizing privacy protection in block chain, node and storage medium
CN110032876A (en) * 2019-02-19 2019-07-19 阿里巴巴集团控股有限公司 Method, node and the storage medium of secret protection are realized in block chain
CN110022316A (en) * 2019-03-29 2019-07-16 阿里巴巴集团控股有限公司 The method and apparatus for creating block chain account and resetting account key
CN110892696A (en) * 2019-04-19 2020-03-17 阿里巴巴集团控股有限公司 Method and apparatus for establishing communication between blockchain networks
CN110892696B (en) * 2019-04-19 2021-08-27 创新先进技术有限公司 Method and apparatus for establishing communication between blockchain networks
CN111095899B (en) * 2019-04-26 2021-12-24 创新先进技术有限公司 Distributed key management for trusted execution environments
US11356285B2 (en) 2019-04-26 2022-06-07 Advanced New Technologies Co., Ltd. Distributed key management for trusted execution environments
CN111095899A (en) * 2019-04-26 2020-05-01 阿里巴巴集团控股有限公司 Distributed key management for trusted execution environments
CN110222485B (en) * 2019-05-14 2021-01-12 浙江大学 Industrial control white list management system and method based on SGX software protection extended instruction
CN110222485A (en) * 2019-05-14 2019-09-10 浙江大学 Industry control white list management system and method based on SGX software protecting extended instruction
CN110223172A (en) * 2019-05-20 2019-09-10 阿里巴巴集团控股有限公司 The receipt storage method and node of conditional combination code mark and type dimension
CN110264196B (en) * 2019-05-20 2021-04-23 创新先进技术有限公司 Conditional receipt storage method and node combining code labeling and user type
CN110264196A (en) * 2019-05-20 2019-09-20 阿里巴巴集团控股有限公司 In conjunction with the conditional receipt storage method and node of code mark and user type
CN110266659A (en) * 2019-05-31 2019-09-20 联想(北京)有限公司 A kind of data processing method and equipment
CN110443710A (en) * 2019-08-02 2019-11-12 中国工商银行股份有限公司 A kind of the block catenary system and method for batch signature
CN110443710B (en) * 2019-08-02 2022-06-07 中国工商银行股份有限公司 Block chain system and method for batch signature
CN110675253A (en) * 2019-08-15 2020-01-10 山大地纬软件股份有限公司 Block chain-based exclusive digital asset trusted keeping and transferring device and method
CN110889696A (en) * 2019-11-27 2020-03-17 杭州趣链科技有限公司 Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology
CN111160905B (en) * 2019-12-17 2023-07-18 浙江大学 Block chain link point user request processing protection method and device
CN111160905A (en) * 2019-12-17 2020-05-15 浙江大学 Block chain node user request processing protection method and device
CN111159018A (en) * 2019-12-17 2020-05-15 浙江大学 Software protection extended instruction SGX-based online fuzzy test system and method
CN111404896A (en) * 2020-03-06 2020-07-10 杭州云象网络技术有限公司 Non-central identity authentication method based on SGX
CN111404896B (en) * 2020-03-06 2022-03-04 杭州云象网络技术有限公司 Non-central identity authentication method based on SGX
CN111475782A (en) * 2020-04-08 2020-07-31 浙江大学 API (application program interface) key protection method and system based on SGX (secure gateway) software extension instruction
CN111475782B (en) * 2020-04-08 2022-11-08 浙江大学 API (application program interface) key protection method and system based on SGX (generalized Standard X) software extension instruction
CN111709745A (en) * 2020-06-09 2020-09-25 浙江大学 SGX-based block chain transaction security protection system and method thereof
CN112235301A (en) * 2020-10-14 2021-01-15 北京金山云网络技术有限公司 Method and device for verifying access authority and electronic equipment
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113055376A (en) * 2021-03-10 2021-06-29 电子科技大学 Block chain data protection system
CN114301928A (en) * 2021-11-29 2022-04-08 之江实验室 SGX-based chain uplink and downlink mixed consensus method and system
CN114629684A (en) * 2022-02-16 2022-06-14 深圳番多拉信息科技有限公司 Permission token processing method, system, device and storage medium based on block chain
CN116260595A (en) * 2023-05-15 2023-06-13 豪符密码检测技术(成都)有限责任公司 Cloud password detection method and system

Also Published As

Publication number Publication date
CN107919954B (en) 2019-05-14

Similar Documents

Publication Publication Date Title
CN107919954B (en) A kind of block chain user key guard method and device based on SGX software protecting extended instruction
CN108418680B (en) Block chain key recovery method and medium based on secure multi-party computing technology
CN109697365B (en) Information processing method, block chain node and electronic equipment
CN109274652B (en) Identity information verification system, method and device and computer storage medium
CN109361668A (en) A kind of data trusted transmission method
CN110990827A (en) Identity information verification method, server and storage medium
CN110519049A (en) A kind of cloud data protection system based on credible performing environment
CN111914293B (en) Data access right verification method and device, computer equipment and storage medium
CN101977183B (en) High reliable digital content service method applicable to multiclass terminal equipment
US11405198B2 (en) System and method for storing and managing keys for signing transactions using key of cluster managed in trusted execution environment
CN105740725A (en) File protection method and system
CN111859446A (en) Agricultural product traceability information sharing-privacy protection method and system
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN104333545A (en) Method for encrypting cloud storage file data
CN112364305A (en) Digital content copyright protection method and device based on block chain platform
Mashima et al. Enabling Robust Information Accountability in E-healthcare Systems.
CN109309645A (en) A kind of software distribution security guard method
CN103268435A (en) Intranet license generation method and system, and intranet license protection method and system
CN110290125B (en) Data security system based on block chain and data security processing method
US11842395B2 (en) Secure and trustworthy computing environments for exchanges
CN113592497A (en) Financial transaction service security authentication method and device based on block chain
US8756433B2 (en) Associating policy with unencrypted digital content
CN201805447U (en) Electronic information management platform system of Intranet
CN113901507B (en) Multi-party resource processing method and privacy computing system
CN107273725A (en) A kind of data back up method and system for classified information

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant