CN107919954A - A kind of block chain user key guard method and device based on SGX - Google Patents
- Publication number: CN107919954A (application CN201710989478.5A)
- Authority: CN (China)
- Prior art keywords: key, blockchain, user, SGX, transaction
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
  - H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
      - H04L9/0897: Escrow, recovery or storing of secret information involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- G06Q20/00: Payment architectures, schemes or protocols
  - G06Q20/38: Payment protocols; details thereof
    - G06Q20/382: Payment protocols insuring higher security of transaction
      - G06Q20/3825: Payment protocols insuring higher security of transaction, use of electronic signatures
      - G06Q20/3829: Payment protocols insuring higher security of transaction, involving key management
Landscapes: Engineering & Computer Science; Business, Economics & Management; Accounting & Taxation; Computer Security & Cryptography; Physics & Mathematics; Strategic Management; Finance; General Business, Economics & Management; General Physics & Mathematics; Theoretical Computer Science; Computer Networks & Wireless Communication; Signal Processing; Storage Device Security
Abstract
The invention discloses an SGX-based blockchain user key protection device, comprising: an SGX encryption module, which generates a trusted space (enclave) using the Software Guard Extensions instructions and generates an access key used to verify access rights to that trusted space, the trusted space storing the user key for the blockchain network together with the key-operation functions; a transaction consensus module, which receives transactions from the blockchain network, accesses the SGX encryption module with the access key, calls the key-operation functions inside it, and performs the verification of the transaction required for consensus; and a transaction construction module, which initiates transactions according to the user's intent, accesses the SGX encryption module with the access key, calls the key-operation functions inside it to fill in and legitimise the transaction information, and broadcasts the transaction to the blockchain network. The invention also discloses an SGX-based blockchain user key protection method. The method can effectively resist sniffing and cracking of the user's local key by malware and protects the user's blockchain assets from loss.
Description
Technical field
The present invention relates to the field of blockchain applications, and in particular to an SGX-based blockchain user key protection method and device.
Background technology
The development of emerging technologies such as cloud computing, the Internet and big data has made the demand for sharing the information held in conventional centralised systems increasingly urgent. Centralised systems, however, lack a safe and reliable sharing mechanism, which has long been a practical pain point. With the rise and adoption of Bitcoin, the underlying blockchain technology has attracted wide attention in recent years as an effective means of solving this problem. Blockchain technology was born as the underlying technology and architecture of Bitcoin; it is essentially a decentralised accounting system, similar to a distributed shared ledger. A new-style blockchain system combines P2P networking, cryptography, consensus algorithms, smart contracts and distributed databases, and has properties that a traditional ledger system cannot match: the data cannot be tampered with, the system is maintained collectively, and information is public and transparent. This makes it a decentralised asset-management tool and technology with great potential.
Public blockchains, of which Bitcoin is the representative, give the blockchain the key property of issuing value-bearing assets. The user key is the critical piece of data in a blockchain system, and the safety of the key is the essential guarantee of the user's rights. In a blockchain system, ownership of a digital asset (such as bitcoin) is established by digital keys and digital signatures. The digital keys are not actually stored in the blockchain network; each user is responsible for keeping them and keeps them secret from others. The security of the blockchain therefore rests on decentralised control of keys. At the same time, the decentralised trust of the blockchain, and properties such as control and proof of ownership, are all realised through modern cryptographic key mechanisms. By the principles of cryptography, only a valid key can produce a valid digital signature, and only a valid digital signature can make a transaction on the chain valid. This fundamentally eliminates the possibility of forging transactions on the blockchain and safeguards the interests of users.
However, if a third party holds the key of a user account, or a copy of it, that third party can actually control the account assets corresponding to that key. Hence, once a user loses or damages the key, the user may permanently lose all of the corresponding assets, with no means of recovery. For a robust blockchain network, a single user's carelessness in key management does not affect the stability of the whole network, but the user bears all of the consequences. In addition, modern general-purpose operating systems are not foolproof and are not suited to storing key material in the form of files. In particular, with the spread of Internet technology, our computers are exposed to the Internet for long periods, during which malware or malicious programs can covertly and easily steal local data; or, through an operator's carelessness, malware is installed locally and then threatens all of the important local data.
There are two common methods of protecting a key. The first is to encrypt the key before storing it. This is a common security measure, but its effectiveness depends on the specific encryption algorithm and means used. Because the simply encrypted data is stored locally on the operating system, malware still has the opportunity to access it continuously and can attempt to decrypt it and obtain the key; sophisticated malware may even extract the secret data directly from memory, threatening the safety of the key. An overly complex encryption scheme, on the other hand, places a heavy maintenance burden on the user, who may even "lose" the key by forgetting or losing part of the encryption details. The second, relatively safer method is physical storage: the key, or encrypted key information, is recorded on a physical medium such as paper, plastic or metal, and several backups are kept securely in separate places (for example locked in a safe). This method, however, reduces the convenience of using the key: once the key is used frequently (particularly by professional users, or when blockchain transactions themselves are frequent), the user has to deal with tedious writing operations one by one.
As a compromise between security and usability, tamper-resistant "hardware wallets" have emerged. Unlike ordinary software and hardware, which are easily attacked, a hardware wallet exposes only a very limited set of interfaces; it may even contain the key-generation system and the related verification programs internally and output only signatures made with the private key, thereby giving non-professional users a nearly foolproof level of security together with reasonable ease of use. To mitigate the risk of damage or loss, hardware wallets are usually very sturdy and give the user a way to back up the private key physically. Their highly specialised architecture, however, generally has to be tightly integrated with a specific blockchain application, which makes it difficult to design them as general-purpose devices. At present there is no general-purpose blockchain key-storage hardware, only dedicated hardware wallets (such as Trezor) for specific blockchain applications (such as Bitcoin).
Intel SGX (Software Guard Extensions) is a set of CPU instructions that allow an application to create a secure area, the enclave: a protected region within the application's address space that guarantees the confidentiality and integrity of the information it contains even in a hostile terminal operating-system environment. Attempts to access the memory contents of an enclave from other software are not permitted, even by software with elevated privileges (such as the host operating system or a virtual machine monitor). The security boundary of an enclave contains only the CPU and the enclave itself. An enclave created by SGX can also be regarded as a trusted execution environment (TEE). With SGX, one CPU can run multiple secure enclaves that execute concurrently.
The content of the invention
The present invention provides an SGX-based blockchain user key protection device that introduces SGX at the client node of a blockchain application system. The device is compatible with a variety of blockchain networks and can serve as a node-management component of the blockchain network, providing key-storage and verification services to blockchain network users.
An SGX-based blockchain user key protection device comprises:
an SGX encryption module, which generates a trusted space (enclave) using the Software Guard Extensions instructions and generates an access key used to verify access rights to that trusted space; the trusted space stores the user key for the blockchain network and the key-operation functions;
a transaction consensus module, which receives transactions from the blockchain network, accesses the SGX encryption module with the access key, calls the key-operation functions inside it, and performs the verification of the transaction required for consensus;
a transaction construction module, which initiates transactions according to the user's intent, accesses the SGX encryption module with the access key, calls the key-operation functions inside it to fill in and legitimise the transaction information, and broadcasts the transaction to the blockchain network.
Preferably, the SGX encryption module comprises:
a user space, consisting of a processing space and a trusted space; the processing space is used to load the user key and the certificate information of the key-operation functions, and the trusted space is used to store the user key and the key-operation functions;
an SGX driver, which measures the certificate information of the user key and key-operation functions, allocates the trusted space for the user key and key-operation functions, and passes their certificate information to the SGX hardware processor;
an SGX hardware processor, which verifies the certificate information of the user key and key-operation functions and the integrity of the trusted space, generates the access key of the trusted space from the hash of the user-key and key-operation-function certificate together with a hash of the SGX hardware processor's own characteristics, and encrypts the trusted space with the access key.
The SGX driver belongs to the operating system; the SGX hardware processor belongs to the hardware architecture.
The access key of the trusted space is thus generated jointly from the user's blockchain network user key, the key-operation functions and the physical hardware information of the SGX hardware processor, which guarantees the security and validity of the associated verification steps.
The present invention also provides an SGX-based blockchain user key protection method. The method introduces Intel SGX hardware at the user's client node of the blockchain network and uses the enclave (trusted space) mechanism of SGX to build, locally, a secure storage space for the user key together with the corresponding access operations, thereby realising secure storage and use of the local user key.
An SGX-based blockchain user key protection method comprises:
(1) obtaining the user key and storing it in the SGX encryption module;
(2) handling the related key operations.
Step (1) comprises:
(1-1) obtaining a user key recognised by the blockchain in a secure manner;
Where the user must generate the user key autonomously, the key should be generated on a secure device (for example an emergency PC detached from a faulty cluster) from a cryptographically sound seed and algorithm, in the format required.
Where the user key is issued by the blockchain network, it is obtained through a strictly protected communication channel in a securely encrypted manner, or through a secure offline channel.
(1-2) backing up the user key;
To avoid the risk of the key being lost in future for whatever reason, regardless of which key-custody method is chosen, the user is advised to make a secure backup of the obtained user key in advance. It is recommended to back up the user key by physical storage, on an offline secure storage device or by similar means, to make several backup copies and to store each of them securely.
(1-3) generating the public key from the user key and storing it locally;
Normally the user needs to derive a public key from the user key and use the public key to generate his or her own blockchain address (for example a bitcoin address), so that others can specify it as a transaction target. This step is therefore performed before the user key is stored, generating the public key corresponding to the user key and storing it locally.
The address generated from the public key can be disclosed to the whole network without encryption. For blockchain systems in which the blockchain network is responsible for handling user public keys and addresses (for example systems where every user can query the address of any user from the blockchain network), this step can be completed by the blockchain network.
(1-4) storing the user key in the SGX encryption module.
Step (1-4) comprises:
(a) generating a certificate for the user key and the key-operation functions, and uploading the user key and key-operation functions together with the certificate into the processing space;
the key-operation functions comprise a key-verification function and a key-signature function;
(b) the SGX driver measures the parameters of the uploaded user key, key-operation functions and their certificate, allocates address space and pages for the trusted space, creates the trusted space, copies the user key and key-operation functions into the trusted space, and then deletes the data in the processing space;
(c) the SGX driver obtains the certificate information of the user key and key-operation functions and passes it to the SGX hardware processor; the SGX hardware processor generates the access key of the trusted space from the hash of the certificate information together with the hash of the SGX hardware processor itself, and encrypts the trusted space with the access key;
(d) steps (a) to (c) are repeated to establish multiple trusted spaces, and the several backup copies of the user key are stored in different trusted spaces.
In step (2), handling the related key operations comprises handling the key operations arising from transactions received from the blockchain network and the key operations arising from transactions initiated by the user.
Handling the key operations arising from transactions received from the blockchain network comprises the following steps:
(i) the blockchain client receives the transaction information passed in from the blockchain network;
(ii) a verification function outside the SGX secure area is called to verify the parts of the transaction that do not require the user key, and the priority of the transaction is calculated and the transactions are sorted;
The verification in this part is limited to checks that do not require the user key, for example whether the transaction version is correct and whether the asset amount of the transaction is legal. Depending on the architecture of the specific blockchain, operations such as priority calculation and transaction sorting are also completed selectively here.
(iii) the blockchain client sends a request to the SGX driver and, after the access key has been verified, calls the key-verification function in one of the trusted spaces to verify the parts of the transaction that require the user key;
The verification in this part is limited to checks that require the user key, for example determining whether the transaction target is oneself.
(iv) the result of the call to the key-verification function is checked; if the result is abnormal, the key-verification function in another trusted space is called, until a normal result is obtained; the verification information is then packed into the verification result, completing the verification of the transaction;
(v) feedback is sent to the blockchain network according to the verification result;
if verification succeeds, the transaction information is broadcast to the blockchain network so that the remaining user nodes can continue verifying it; if verification fails, propagation of the transaction is stopped, or the transaction is reported to the blockchain network as illegal.
Handling the key operations arising from transactions initiated by the user comprises the following steps:
(I) the blockchain client builds the transaction outside the SGX secure area;
in this step the blockchain client must construct the transaction legally according to the rules of the respective blockchain, supplying the necessary information such as the destination address and the amount; the blockchain client does not need to provide its own signature information in this step;
(II) the blockchain client sends a request to the SGX driver and, after the access key has been verified, calls the key-signature function in one of the trusted spaces to obtain the user-key signature;
(III) the result of the call to the key-signature function is checked; if the result is abnormal, the key-signature function in another trusted space is called, until a normal result is obtained; the signature information is then packed into the transaction information, completing the construction of the transaction;
(IV) the transaction is broadcast to the blockchain network.
Compared with the prior art, the beneficial effects of the present invention are:
(1) the SGX-based blockchain user key protection device of the invention combines security, usability and generality; it can effectively resist sniffing and cracking of the user's local key by malware and protects the user's blockchain assets from loss;
(2) the operation of the blockchain client is divided into two independent parts, each using a different key-calling function, which improves the operating efficiency of the blockchain client. At the same time, the key operations of both parts are executed inside an enclave (trusted space), so external programs cannot learn the key information or the related operations. The key never appears in plaintext in any untrusted memory, so memory-overflow attacks can be resisted;
(3) a multi-enclave mechanism is provided, which further improves the security of key custody. Even if a single enclave is damaged, the client continues to operate normally, and the user receives feedback about the enclave damage and can take targeted measures to maintain the client and protect the key;
(4) a safe operating procedure is provided for the key before it is written into SGX, which effectively reduces the security threats the user key is exposed to before it comes under SGX protection.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure and workflow of the SGX-based blockchain user key protection client;
Fig. 2 is a flow diagram of obtaining the user key and storing it in the SGX encryption module;
Fig. 3 is a flow diagram of handling the key operations arising from transactions received from the blockchain network;
Fig. 4 is a flow diagram of handling the key operations arising from transactions initiated by the user.
Embodiments
The present invention is described in further detail below with reference to the drawings and an embodiment.
The SGX-based blockchain user key protection device of this embodiment comprises three software modules: a transaction consensus module, a transaction construction module and an SGX encryption module. Its control flow is shown in Fig. 1 and is as follows:
(1) Preliminary processing: before the blockchain client operates, the blockchain key must be obtained in advance and written into SGX; the flow is shown in Fig. 2.
(1-1) obtaining a user key recognised by the blockchain in a secure manner;
Where the user must generate the user key autonomously, the key should be generated on a secure device (for example an emergency PC detached from a faulty cluster) from a cryptographically sound seed and algorithm, in the format required.
Where the user key is issued by the blockchain network, it is obtained through a strictly protected communication channel in a securely encrypted manner, or through a secure offline channel.
(1-2) backing up the user key;
To avoid the risk of the key being lost in future for whatever reason, regardless of which key-custody method is chosen, the user is advised to make a secure backup of the obtained user key in advance. It is recommended to back up the user key by physical storage, on an offline secure storage device or by similar means, to make several backup copies and to store each of them securely.
(1-3) generating the public key from the user key and storing it locally;
Normally the user needs to derive a public key from the user key and use the public key to generate his or her own blockchain address (for example a bitcoin address), so that others can specify it as a transaction target. This step is therefore performed before the user key is stored, generating the public key corresponding to the user key and storing it locally.
The address generated from the public key can be disclosed to the whole network without encryption. For blockchain systems in which the blockchain network is responsible for handling user public keys and addresses (for example systems where every user can query the address of any user from the blockchain network), this step can be completed by the blockchain network.
(1-4) storing the user key in the SGX encryption module.
Step (1-4) comprises:
(a) generating a certificate for the user key and the key-operation functions, and uploading the user key and key-operation functions together with the certificate into the processing space;
the key-operation functions comprise a key-verification function and a key-signature function;
(b) the SGX driver measures the parameters of the uploaded user key, key-operation functions and their certificate, allocates address space and pages for the trusted space, creates the trusted space, copies the user key and key-operation functions into the trusted space, and then deletes the data in the processing space;
(c) the SGX driver obtains the certificate information of the user key and key-operation functions and passes it to the SGX hardware processor; the SGX hardware processor generates the access key of the trusted space from the hash of the certificate information together with the hash of the SGX hardware processor itself, and encrypts the trusted space with the access key;
(d) steps (a) to (c) are repeated to establish multiple trusted spaces, and the several backup copies of the user key are stored in different trusted spaces.
The SGX encryption module is used to store the key in SGX. Its function is to generate, based on the Software Guard Extensions instructions, enclaves that store the user's key information and key-operation functions, and to generate the key used to verify access rights to the trusted space, for use in subsequent access operations. The process establishes multiple enclaves (three in this example, see Fig. 1), so that the blockchain client continues to operate normally even if a single enclave is damaged under special circumstances, and the user is given feedback so that the damaged enclave can be repaired, avoiding loss of the key without the user's knowledge.
(2) Transaction consensus processing: this part uses the transaction consensus module together with the SGX encryption module to complete the transaction consensus processing; the flow is shown in Fig. 3. The transaction consensus module receives the transaction stream from the blockchain network and performs verification functions such as format verification and transaction-amount verification; it completes the parts of the verification that require the user key by calling the SGX encryption module, and finally achieves consensus on the verification of the transaction in the network. Whenever the verification function in one secure area returns an abnormal result, the identical verification function in another secure area is called, until the verification is complete. The role of the SGX encryption module here is to provide the consensus processing with a verification function that can securely invoke the user's blockchain account key.
The steps are as follows:
(i) the blockchain client receives the transaction information passed in from the blockchain network;
(ii) a verification function outside the SGX secure area is called to verify the parts of the transaction that do not require the user key, and the priority of the transaction is calculated and the transactions are sorted;
The verification in this part is limited to checks that do not require the user key, for example whether the transaction version is correct and whether the asset amount of the transaction is legal. Depending on the architecture of the specific blockchain, operations such as priority calculation and transaction sorting are also completed selectively here.
(iii) the blockchain client sends a request to the SGX driver and, after the access key has been verified, calls the key-verification function in one of the trusted spaces to verify the parts of the transaction that require the user key;
The verification in this part is limited to checks that require the user key, for example determining whether the transaction target is oneself.
(iv) the result of the call to the key-verification function is checked; if the result is abnormal, the key-verification function in another trusted space is called, until a normal result is obtained; the verification information is then packed into the verification result, completing the verification of the transaction;
(v) feedback is sent to the blockchain network according to the verification result;
if verification succeeds, the transaction information is broadcast to the blockchain network so that the remaining user nodes can continue verifying it; if verification fails, propagation of the transaction is stopped, or the transaction is reported to the blockchain network as illegal.
(3) Transaction construction processing: this part uses the transaction construction module together with the SGX encryption module to complete the construction and initiation of a transaction; the flow is shown in Fig. 4. The transaction construction module initiates a transaction according to the user's intent, fills in and legitimises the transaction information by calling the SGX encryption module, and broadcasts the transaction to the whole network. Whenever the signature function in one secure area returns an abnormal result, the same signature function in another secure area is called, until the transaction construction is complete. The role of the SGX encryption module here is to provide the transaction construction with a signature function that can securely invoke the user's blockchain account key.
The steps are as follows:
(I) block chain client builds transaction outside SGX places of safety;
In the step, block chain client needs to merchandise according to the regular legal construction of respective block chain, is supplemented for transaction
The necessary informations such as destination address, turnover;At the same time the signing messages of oneself need not be provided in the step, block chain client;
(II) block chain client is initiated to ask to SGX drivers, after accessing key authentication, calls a certain credible sky
Interior key signature function obtains user key signature;
The signature of the step is used to confirm that the assets that oneself is initiated in transaction are effective.
(I II) checks the call result to key signature function, if call result is abnormal, calls another credible sky
Interior key signature function, until call result is normal;Signing messages is packed into Transaction Information afterwards, completes the structure of transaction
Build;
If call result is abnormal, illustrates the user key damage in the confidence space, then call another confidence space
Interior signature function reacquires signature.
(IV) broadcast and merchandise to block chain network.
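The signing flow of steps (I) to (IV), the verification flow of steps (i) to (v) above it, and the access-key check that precedes every call, as an added example that is not code from the patent or from any SGX SDK: a plain C simulation in which each confidence space is a struct holding one backup copy of the user key together with an access key derived, as claims 2 and 5 describe, from the certificate hash and the processor's characteristic hash. The enclave boundary, SGX sealing and the chain's real signature algorithm are not reproduced; the signature is a stand-in keyed FNV-1a digest, and every name (`space_t`, `key_op_with_failover`, the `ECALL_*` return codes) and sample value (key bytes, hashes, the transaction string) is constructed for this example.

```c
/* Added example (not code from the patent): plain C simulation of the
 * multi-confidence-space key operations of procedures (2) and (3). No SGX SDK
 * is used; the signature primitive is a stand-in keyed digest (FNV-1a over
 * key || message). All names and sample values are hypothetical/constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPACE_COUNT 3   /* confidence spaces, each holding one key backup */
#define KEY_LEN 32
#define FNV_INIT 0xcbf29ce484222325ULL

/* BAD_SIGNATURE is a definitive verdict; the other non-zero codes are abnormal
 * call results that make the client fail over to the next space. */
enum { ECALL_OK = 0, ECALL_ACCESS_DENIED, ECALL_KEY_DAMAGED, ECALL_BAD_SIGNATURE };
enum { OP_SIGN, OP_VERIFY };

/* 64-bit FNV-1a, used as the hash and as the stand-in signature. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Access key = H(cert_hash || hw_hash), the derivation of claims 2 and 5(c). */
static uint64_t derive_access_key(uint64_t cert_hash, uint64_t hw_hash) {
    uint64_t buf[2] = { cert_hash, hw_hash };
    return fnv1a(FNV_INIT, (const uint8_t *)buf, sizeof buf);
}

typedef struct {
    uint64_t access_key;    /* must be presented by the caller on every request */
    uint8_t  key[KEY_LEN];  /* this space's backup copy of the user key */
    uint64_t key_digest;    /* integrity tag recorded when the space was created */
} space_t;
/* Claim 5(a)-(c): provision one confidence space with a copy of the key. */
static void space_create(space_t *s, const uint8_t *user_key,
                         uint64_t cert_hash, uint64_t hw_hash) {
    s->access_key = derive_access_key(cert_hash, hw_hash);
    memcpy(s->key, user_key, KEY_LEN);
    s->key_digest = fnv1a(FNV_INIT, s->key, KEY_LEN);
}

/* Key operation inside one space: authenticate caller, check key copy, sign/verify. */
static int space_key_op(const space_t *s, uint64_t presented_key, int op,
                        const uint8_t *msg, size_t len, uint64_t *sig) {
    if (presented_key != s->access_key) return ECALL_ACCESS_DENIED;
    uint64_t kd = fnv1a(FNV_INIT, s->key, KEY_LEN);
    if (kd != s->key_digest) return ECALL_KEY_DAMAGED;
    uint64_t tag = fnv1a(kd, msg, len);             /* absorb key, then message */
    if (op == OP_SIGN) { *sig = tag; return ECALL_OK; }
    return (*sig == tag) ? ECALL_OK : ECALL_BAD_SIGNATURE;
}

/* Client side of steps (II)-(III) and (iii)-(iv): try each space in turn, moving on
 * when the result is abnormal. Returns the index that gave a verdict (in *rc) or -1. */
static int key_op_with_failover(const space_t *spaces, int n, uint64_t presented_key,
                                int op, const uint8_t *msg, size_t len,
                                uint64_t *sig, int *rc) {
    for (int i = 0; i < n; i++) {
        *rc = space_key_op(&spaces[i], presented_key, op, msg, len, sig);
        if (*rc == ECALL_OK || *rc == ECALL_BAD_SIGNATURE) return i;
        fprintf(stderr, "space %d: abnormal result %d, trying next space\n", i, *rc);
    }
    return -1;
}

typedef struct {
    int signer;          /* space that signed after space 0's key copy was damaged */
    int verifier;        /* space that verified the packed signature */
    int verify_rc;       /* verdict on the untouched transaction */
    int tamper_rc;       /* verdict after the amount field is altered in transit */
    int bad_key_signer;  /* result for a caller presenting a wrong access key */
} demo_result_t;

/* End-to-end run on constructed sample values (no real chain, no real key). */
demo_result_t run_demo(void) {
    const uint8_t user_key[KEY_LEN] = { 0x11, 0x22, 0x33 };     /* rest zero */
    const uint64_t cert_hash = 0x1234567890abcdefULL, hw_hash = 0x0fedcba987654321ULL;
    char tx[] = "{\"to\":\"addr-placeholder\",\"amount\":42}";  /* step (I): built outside */
    size_t len = strlen(tx);
    space_t spaces[SPACE_COUNT];
    for (int i = 0; i < SPACE_COUNT; i++) space_create(&spaces[i], user_key, cert_hash, hw_hash);
    spaces[0].key[5] ^= 0xff;   /* simulate a damaged key copy in space 0 */
    uint64_t ak = derive_access_key(cert_hash, hw_hash), sig = 0;
    demo_result_t r; int rc;
    r.signer = key_op_with_failover(spaces, SPACE_COUNT, ak, OP_SIGN,
                                    (const uint8_t *)tx, len, &sig, &rc);
    r.verifier = key_op_with_failover(spaces, SPACE_COUNT, ak, OP_VERIFY,
                                      (const uint8_t *)tx, len, &sig, &r.verify_rc);
    tx[len - 2] = '3';          /* relayed copy with the amount changed to 43 */
    key_op_with_failover(spaces, SPACE_COUNT, ak, OP_VERIFY,
                         (const uint8_t *)tx, len, &sig, &r.tamper_rc);
    r.bad_key_signer = key_op_with_failover(spaces, SPACE_COUNT, ak ^ 1, OP_SIGN,
                                            (const uint8_t *)tx, len, &sig, &rc);
    return r;
}

int main(void) {
    demo_result_t r = run_demo();
    printf("signed by space %d; verified by space %d (rc %d); tampered rc %d; wrong key -> %d\n",
           r.signer, r.verifier, r.verify_rc, r.tamper_rc, r.bad_key_signer);
    return 0;
}
```

Compiled with any C99 compiler and run, the program reports that space 1 both signed and verified, because space 0's key copy fails its integrity check and is skipped. The design point the patent text leaves implicit is which results count as "abnormal": fail-over is triggered only by an access-denied or damaged-key result, never by a negative verification verdict. A transaction whose signature does not verify has to be rejected in step (v), not retried against the next backup copy, since every confidence space holds the same key and would return the same verdict.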
The embodiments described above explain the technical solution and beneficial effects of the invention in detail. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit it; any modification, supplement, equivalent replacement or the like made within the spirit of the present invention shall fall within its protection scope.
Claims (7)
- 1. A blockchain user key protection device based on SGX, characterized in that it comprises:
  an SGX encrypting module, which generates a confidence space based on the software protection extension instructions (SGX) and generates an access key used to verify the authority to access that confidence space; the confidence space stores the user key and the key operation functions for the blockchain network;
  a transaction consensus module, which receives transactions from the blockchain network, accesses the SGX encrypting module with the access key, and calls the key operation functions therein to verify the transaction and reach consensus on it;
  a transaction constructing module, which initiates a transaction according to the user's intention, accesses the SGX encrypting module with the access key, calls the key operation functions therein to fill in and legalize the transaction information, and broadcasts the transaction to the blockchain network.
- 2. The blockchain user key protection device according to claim 1, characterized in that the SGX encrypting module comprises:
  a user space, comprising a processing space and a confidence space; the processing space is used to load the user key, the key operation functions and their certificate information, and the confidence space is used to store the user key and the key operation functions;
  an SGX driver, which measures the certificate information of the user key and key operation functions, allocates a confidence space for the user key and key operation functions, and passes the certificate information of the user key and key operation functions to the SGX hardware processor;
  an SGX hardware processor, which verifies the certificate information of the user key and key operation functions and the integrity of the confidence space, generates the access key of the confidence space from the hash value of the certificate of the user key and key operation functions together with the hash value of the SGX hardware processor's characteristics, and encrypts the confidence space with the access key.
- 3. A blockchain user key protection method based on SGX, characterized in that it comprises:
  (1) obtaining the user key and storing it in the SGX encrypting module;
  (2) handling the related key operations, including the key operations caused by transactions passed in from the blockchain network and the key operations caused by transactions initiated by the user.
- 4. The blockchain user key protection method according to claim 3, characterized in that step (1) comprises:
  (1-1) obtaining, in a secure way, the user key recognized by the blockchain;
  (1-2) backing up the user key;
  (1-3) generating a public key from the user key and storing it locally;
  (1-4) storing the user key in the SGX encrypting module.
- 5. The blockchain user key protection method according to claim 4, characterized in that step (1-4) comprises:
  (a) generating a certificate for the user key and the key operation functions, and uploading the user key and the key operation functions together with the certificate into the processing space; the key operation functions include a key verification function and a key signature function;
  (b) performing, by the SGX driver, parameter measurement on the uploaded user key, key operation functions and their certificate; allocating address space and pages for the confidence space; creating the confidence space; copying the user key and the key operation functions into the confidence space; and then deleting the data in the processing space;
  (c) the SGX driver obtaining the certificate information of the user key and key operation functions and passing it to the SGX hardware processor; the SGX hardware processor generating the access key of the confidence space from the hash value of the certificate information together with the hash value of the SGX hardware processor itself, and encrypting the confidence space with the access key;
  (d) repeating steps (a) to (c) to establish multiple confidence spaces, and storing the multiple backup copies of the user key in different confidence spaces respectively.
- 6. The blockchain user key protection method according to claim 3, characterized in that, in step (2), handling the key operations caused by transactions passed in from the blockchain network comprises the following steps:
  (i) the blockchain client receives the transaction information passed in from the blockchain network;
  (ii) the verification function outside the SGX secure area is called to verify the part of the transaction that does not require the user key, and the transaction priority is calculated and the transactions are sorted;
  (iii) the blockchain client sends a request to the SGX driver and, after access key authentication, calls the key verification function inside one of the confidence spaces to verify the part of the transaction that requires the user key;
  (iv) the result of the call to the key verification function is checked; if the call result is abnormal, the key verification function inside another confidence space is called, until the call result is normal; the verification information is then packed into the verification result, completing the verification of the transaction;
  (v) feedback is sent to the blockchain network according to the verification result: if verification succeeds, the transaction information is broadcast to the blockchain network so that the remaining user nodes continue verifying it; if verification fails, propagation of the transaction is stopped, or the transaction is reported to the blockchain network as illegal.
- 7. The blockchain user key protection method according to claim 3, characterized in that, in step (2), handling the key operations caused by transactions initiated by the user comprises the following steps:
  (I) the blockchain client builds the transaction outside the SGX secure area;
  (II) the blockchain client sends a request to the SGX driver and, after access key authentication, calls the key signature function inside one of the confidence spaces to obtain the user key signature;
  (III) the result of the call to the key signature function is checked; if the call result is abnormal, the key signature function inside another confidence space is called, until the call result is normal; the signature information is then packed into the transaction information, completing the construction of the transaction;
  (IV) the transaction is broadcast to the blockchain network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710989478.5A CN107919954B (en) | 2017-10-20 | 2017-10-20 | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107919954A true CN107919954A (en) | 2018-04-17 |
CN107919954B CN107919954B (en) | 2019-05-14 |
Family
ID=61894889
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710989478.5A Active CN107919954B (en) | 2017-10-20 | 2017-10-20 | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107919954B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160379212A1 (en) * | 2015-06-26 | 2016-12-29 | Intel Corporation | System, apparatus and method for performing cryptographic operations in a trusted execution environment |
CN106533694A (en) * | 2016-11-03 | 2017-03-22 | 浙江大学 | Method and system for implementation of Openstack token access protection mechanism |
US20170091467A1 (en) * | 2015-09-25 | 2017-03-30 | Mcafee, Inc. | Provable traceability |
CN107113284A (en) * | 2014-11-26 | 2017-08-29 | 英特尔公司 | For the trusted computing base evidence binding of transportable virtual machine |
CN107209722A (en) * | 2015-02-23 | 2017-09-26 | 英特尔公司 | For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave |
US20170285633A1 (en) * | 2016-04-01 | 2017-10-05 | Lntel Corporation | Drone control registration |
- 2017-10-20 CN CN201710989478.5A patent/CN107919954B/en active Active
Cited By (52)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112119610A (en) * | 2018-05-14 | 2020-12-22 | 区块链控股有限公司 | Improved system and method for storage, generation and verification of tokens for controlling access to resources |
CN112166578A (en) * | 2018-05-14 | 2021-01-01 | 区块链控股有限公司 | Improved system and method for storage, generation and verification of tokens for controlling access to resources |
CN108921557A (en) * | 2018-07-06 | 2018-11-30 | 佛山伊苏巨森科技有限公司 | A method of it is traded by the system and protection of block chain network protection transaction |
CN109101822A (en) * | 2018-07-10 | 2018-12-28 | 西安交通大学 | A method of solving data-privacy leakage problem in multi-party calculate |
CN110781492B (en) * | 2018-07-31 | 2023-09-26 | 阿里巴巴集团控股有限公司 | Data processing method, device, equipment and storage medium |
CN110781492A (en) * | 2018-07-31 | 2020-02-11 | 阿里巴巴集团控股有限公司 | Data processing method, device, equipment and storage medium |
CN109150517A (en) * | 2018-09-04 | 2019-01-04 | 大唐高鸿信安(浙江)信息科技有限公司 | Key security management system and method based on SGX |
CN110011801A (en) * | 2018-11-16 | 2019-07-12 | 阿里巴巴集团控股有限公司 | Remote certification method and device, the electronic equipment of trusted application |
CN110011801B (en) * | 2018-11-16 | 2020-10-20 | 创新先进技术有限公司 | Remote certification method and device for trusted application program and electronic equipment |
CN112765595B (en) * | 2018-11-16 | 2024-05-10 | 创新先进技术有限公司 | Cross-blockchain data processing method, device, client and blockchain system |
CN112765595A (en) * | 2018-11-16 | 2021-05-07 | 创新先进技术有限公司 | Cross-block-chain data processing method and device, client and block chain system |
CN109934579A (en) * | 2018-11-30 | 2019-06-25 | 上海点融信息科技有限责任公司 | For the key generation method of block chain network, endorsement method, storage medium, calculate equipment |
CN111325545A (en) * | 2018-12-13 | 2020-06-23 | 北京沃东天骏信息技术有限公司 | Key management method, device and equipment based on block chain |
CN111325545B (en) * | 2018-12-13 | 2023-05-02 | 北京沃东天骏信息技术有限公司 | Key management method, device and equipment based on blockchain |
CN109766712A (en) * | 2018-12-14 | 2019-05-17 | 华东师范大学 | A kind of reference report circulation method based on block chain and Intel SGX |
CN111767556A (en) * | 2019-01-31 | 2020-10-13 | 阿里巴巴集团控股有限公司 | Method for realizing privacy protection in block chain, node and storage medium |
CN109831298A (en) * | 2019-01-31 | 2019-05-31 | 阿里巴巴集团控股有限公司 | The method of security update key and node, storage medium in block chain |
CN110020855A (en) * | 2019-01-31 | 2019-07-16 | 阿里巴巴集团控股有限公司 | Method, the node, storage medium of secret protection are realized in block chain |
CN111898156A (en) * | 2019-01-31 | 2020-11-06 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract calling in block chain |
CN111898156B (en) * | 2019-01-31 | 2024-04-16 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract call in block chain |
CN111767555A (en) * | 2019-01-31 | 2020-10-13 | 阿里巴巴集团控股有限公司 | Method for realizing privacy protection in block chain, node and storage medium |
CN110032876A (en) * | 2019-02-19 | 2019-07-19 | 阿里巴巴集团控股有限公司 | Method, node and the storage medium of secret protection are realized in block chain |
CN110022316A (en) * | 2019-03-29 | 2019-07-16 | 阿里巴巴集团控股有限公司 | The method and apparatus for creating block chain account and resetting account key |
CN110892696B (en) * | 2019-04-19 | 2021-08-27 | 创新先进技术有限公司 | Method and apparatus for establishing communication between blockchain networks |
CN110892696A (en) * | 2019-04-19 | 2020-03-17 | 阿里巴巴集团控股有限公司 | Method and apparatus for establishing communication between blockchain networks |
CN111095899B (en) * | 2019-04-26 | 2021-12-24 | 创新先进技术有限公司 | Distributed key management for trusted execution environments |
CN111095899A (en) * | 2019-04-26 | 2020-05-01 | 阿里巴巴集团控股有限公司 | Distributed key management for trusted execution environments |
US11356285B2 (en) | 2019-04-26 | 2022-06-07 | Advanced New Technologies Co., Ltd. | Distributed key management for trusted execution environments |
CN110222485A (en) * | 2019-05-14 | 2019-09-10 | 浙江大学 | Industry control white list management system and method based on SGX software protecting extended instruction |
CN110222485B (en) * | 2019-05-14 | 2021-01-12 | 浙江大学 | Industrial control white list management system and method based on SGX software protection extended instruction |
CN110223172A (en) * | 2019-05-20 | 2019-09-10 | 阿里巴巴集团控股有限公司 | The receipt storage method and node of conditional combination code mark and type dimension |
CN110264196A (en) * | 2019-05-20 | 2019-09-20 | 阿里巴巴集团控股有限公司 | In conjunction with the conditional receipt storage method and node of code mark and user type |
CN110264196B (en) * | 2019-05-20 | 2021-04-23 | 创新先进技术有限公司 | Conditional receipt storage method and node combining code labeling and user type |
CN110266659A (en) * | 2019-05-31 | 2019-09-20 | 联想(北京)有限公司 | A kind of data processing method and equipment |
CN110443710A (en) * | 2019-08-02 | 2019-11-12 | 中国工商银行股份有限公司 | A kind of the block catenary system and method for batch signature |
CN110443710B (en) * | 2019-08-02 | 2022-06-07 | 中国工商银行股份有限公司 | Block chain system and method for batch signature |
CN110675253A (en) * | 2019-08-15 | 2020-01-10 | 山大地纬软件股份有限公司 | Block chain-based exclusive digital asset trusted keeping and transferring device and method |
CN110889696A (en) * | 2019-11-27 | 2020-03-17 | 杭州趣链科技有限公司 | Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology |
CN111159018A (en) * | 2019-12-17 | 2020-05-15 | 浙江大学 | Software protection extended instruction SGX-based online fuzzy test system and method |
CN111160905B (en) * | 2019-12-17 | 2023-07-18 | 浙江大学 | Block chain link point user request processing protection method and device |
CN111160905A (en) * | 2019-12-17 | 2020-05-15 | 浙江大学 | Block chain node user request processing protection method and device |
CN111404896B (en) * | 2020-03-06 | 2022-03-04 | 杭州云象网络技术有限公司 | Non-central identity authentication method based on SGX |
CN111404896A (en) * | 2020-03-06 | 2020-07-10 | 杭州云象网络技术有限公司 | Non-central identity authentication method based on SGX |
CN111475782B (en) * | 2020-04-08 | 2022-11-08 | 浙江大学 | API (application program interface) key protection method and system based on SGX (generalized Standard X) software extension instruction |
CN111475782A (en) * | 2020-04-08 | 2020-07-31 | 浙江大学 | API (application program interface) key protection method and system based on SGX (secure gateway) software extension instruction |
CN111709745A (en) * | 2020-06-09 | 2020-09-25 | 浙江大学 | SGX-based block chain transaction security protection system and method thereof |
CN112235301A (en) * | 2020-10-14 | 2021-01-15 | 北京金山云网络技术有限公司 | Method and device for verifying access authority and electronic equipment |
CN113037477A (en) * | 2021-03-08 | 2021-06-25 | 北京工业大学 | Kerberos security enhancement method based on Intel SGX |
CN113055376A (en) * | 2021-03-10 | 2021-06-29 | 电子科技大学 | Block chain data protection system |
CN114301928A (en) * | 2021-11-29 | 2022-04-08 | 之江实验室 | SGX-based chain uplink and downlink mixed consensus method and system |
CN114629684A (en) * | 2022-02-16 | 2022-06-14 | 深圳番多拉信息科技有限公司 | Permission token processing method, system, device and storage medium based on block chain |
CN116260595A (en) * | 2023-05-15 | 2023-06-13 | 豪符密码检测技术(成都)有限责任公司 | Cloud password detection method and system |
Also Published As
Publication number | Publication date |
---|---|
CN107919954B (en) | 2019-05-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107919954B (en) | | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
CN108418680B (en) | | Block chain key recovery method and medium based on secure multi-party computing technology |
CN109697365B (en) | | Information processing method, block chain node and electronic equipment |
CN109274652B (en) | | Identity information verification system, method and device and computer storage medium |
CN110990827A (en) | | Identity information verification method, server and storage medium |
CN110519049A (en) | | A kind of cloud data protection system based on credible performing environment |
CN107959567A (en) | | Date storage method, data capture method, apparatus and system |
CN111914293B (en) | | Data access right verification method and device, computer equipment and storage medium |
CN101977183B (en) | | High reliable digital content service method applicable to multiclass terminal equipment |
US11405198B2 (en) | | System and method for storing and managing keys for signing transactions using key of cluster managed in trusted execution environment |
CN105740725A (en) | | File protection method and system |
CN111859446A (en) | | Agricultural product traceability information sharing-privacy protection method and system |
CN106936588A (en) | | A kind of trustship method, the apparatus and system of hardware controls lock |
Mashima et al. | | Enabling Robust Information Accountability in E-healthcare Systems. |
CN109309645A (en) | | A kind of software distribution security guard method |
CN103268435A (en) | | Intranet license generation method and system, and intranet license protection method and system |
US20240062301A1 (en) | | Secure and trustworthy computing environments for exchanges |
CN112364305A (en) | | Digital content copyright protection method and device based on block chain platform |
CN113592497A (en) | | Financial transaction service security authentication method and device based on block chain |
CN110290125B (en) | | Data security system based on block chain and data security processing method |
US8756433B2 (en) | | Associating policy with unencrypted digital content |
CN113901507B (en) | | Multi-party resource processing method and privacy computing system |
CN107273725A (en) | | A kind of data back up method and system for classified information |
Reedy et al. | | A Secure Framework for Ensuring EHR's Integrity Using Fine-Grained Auditing and CP-ABE |
KR102055888B1 (en) | | Encryption and decryption method for protecting information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||