CN109995776A - Internet data verification method and system

Info

Publication number: CN109995776A
Authority: CN (China)
Application number: CN201910231536.7A
Other languages: Chinese (zh)
Other versions: CN109995776B (en)
Inventors: 王虎, 杨文韬, 李卫, 李绪成, 易晓春, 陈昌, 王昊
Current assignee: Xi'an Paper Internet Technology Co Ltd
Original assignee: Xi'an Paper Internet Technology Co Ltd
Legal status: Granted (active)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

Embodiments of the present invention provide an internet data verification method and system. The method includes: receiving a data acquisition request sent by a user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread; the TLS client requests server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; the server-side data is sent to an attestation server for attestation, a proof file attested by the attestation server is generated, and the proof file is sent to the user terminal; wherein the TLS client runs inside an enclave. With the method provided by the embodiments, the TLS client runs inside a trusted secure computing environment, the enclave, which guarantees that neither the TLS client's code nor the symmetric keys negotiated for the TLS connection can be tampered with. This in turn guarantees the authenticity of the data the TLS client obtains from the server, so that any third party can verify the reliability of the proof file.

Description

Internet data verification method and system
Technical field
Embodiments of the present invention relate to the field of information security technology, and in particular to an internet data verification method and system.
Background technique
Most internet services have moved from serving content over the HTTP protocol to serving it over HTTPS, which gives that content better confidentiality and integrity protection. However, this protection only covers the two parties, server and client. There is still no efficient and secure method for proving to a third party that communicated content was not tampered with, using a proof that is standardised and non-repudiable. Such non-repudiation would let a user prove to a third party that content obtained from a particular source was really provided by that service provider, is genuine, and was not altered in transit.
At present, one common way for users to record and share content they have seen on the internet is the screenshot, which is easy to alter and forge. In the prior art, the service offered by TLSnotary lets a third-party auditor attest to a Transport Layer Security (TLS) connection between a server and a client. If the client and the third-party auditor follow a specific protocol when opening the connection to the server, the auditor can attest that the data presented by the client came from the server. TLSnotary exploits particular properties of TLS 1.0 and TLS 1.1 to modify the client's TLS handshake. Specifically, the client cannot generate the server MAC key; only the third-party auditor can, which effectively prevents the client from forging data that appears to come from the server. After the client provides a hash of the data, the auditor releases the TLS server MAC key, and the client can then complete the session with the server.
Although TLSnotary thus provides a scheme for proving secure and trusted data transfer between client and server, it also has several limitations and security problems.
First, TLSnotary only supports TLS 1.0 and TLS 1.1; it does not support transport based on TLS 1.2 or 1.3, and TLS 1.1 and earlier versions are considered less secure than TLS 1.2 and later. Second, TLSnotary can only use the hash functions MD5 and SHA-1, both of which are no longer recommended for security reasons. Third, TLSnotary only supports RSA key exchange, which provides no forward secrecy. Finally, in most use cases TLSnotary depends on a trusted third party to provide the audit service, and existing TLSnotary implementations give no technical guarantee that the audit service is secure and effective.
Summary of the invention
In view of the problems of the prior art, embodiments of the present invention provide an internet data verification method and system.
In a first aspect, an embodiment of the present invention provides an internet data verification method, comprising:
receiving a data acquisition request sent by a user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread;
the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs inside an enclave.
Before the step of sending the server-side data to the attestation server for attestation, the method further includes: generating an enclave report from the server-side data, and having a quoting enclave sign the enclave report to produce a quote.
The step of sending the server-side data to the attestation server for attestation and generating the proof file attested by the attestation server specifically includes: sending the quote to the attestation server for attestation and receiving the attestation report returned by the attestation server; and writing the attestation report into the proof file to produce the proof file attested by the attestation server.
The step of generating the enclave report from the server-side data specifically includes: computing a hash over the request sent to the web server and the response content, and calling the Intel service to generate the enclave report.
Before the step of creating the TLS client inside the oracle thread, the method further includes obtaining a revocation list; correspondingly, after the step of creating the TLS client inside the oracle thread, it further includes sending the revocation list to the TLS client.
In a second aspect, an embodiment of the present invention provides an internet data verification system, comprising:
an oracle thread generation module for receiving the data acquisition request sent by the user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread;
a data request module by which the TLS client requests server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
a proof file generation module for sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs inside an enclave.
The system further includes a quote generation module for generating an enclave report from the server-side data and having a quoting enclave sign the enclave report to produce a quote.
The proof file generation module is specifically configured to: send the quote to the attestation server for attestation and receive the attestation report returned by the attestation server; and write the attestation report into the proof file to produce the proof file attested by the attestation server.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the internet data verification method provided by the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the internet data verification method provided by the first aspect.
The internet data verification method and system of the embodiments provide a web service. The user submits the URL of the HTTPS data source they want to fetch securely; the service obtains the data securely over the TLS protocol and generates a complete, independently verifiable proof file. Using Intel SGX technology, the TLS client runs inside the trusted secure computing environment, the enclave, ensuring that nobody can tamper with the TLS client's code or obtain the symmetric keys of the TLS connection, so nobody can tamper with the data the TLS client obtains from the server. A verification program for the proof file lets any third party check the proof file's reliability.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the internet data verification method provided by one embodiment of the invention;
Fig. 2 is a structural diagram of the internet data verification system provided by one embodiment of the invention;
Fig. 3 is a structural diagram of the electronic device provided by one embodiment of the invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
With reference to Fig. 1, which is a flow diagram of the internet data verification method provided by one embodiment of the invention, the method includes:
S1: receive the data acquisition request sent by the user terminal, spawn an oracle thread, and create a TLS client inside the oracle thread.
S2: the TLS client requests server-side data from the web server corresponding to the uniform resource locator in the data acquisition request.
S3: send the server-side data to the attestation server for attestation, generate a proof file attested by the attestation server, and send the proof file to the user terminal.
The TLS client runs inside an enclave.
Specifically, this embodiment provides a verification service built on Intel SGX technology. After a client running in the secure computing environment has obtained trusted data, the verification service can confirm the integrity of the code and the reliability of the code's execution.
SGX, whose full name is Intel Software Guard Extensions, is, as the name suggests, an extension to the Intel Architecture (IA) for enhancing software security. Its approach is not to identify and isolate all malware on the platform, but to encapsulate the secure operations of legitimate software inside an enclave, protecting them from malware; neither privileged nor unprivileged software can access the enclave. That is, once software and data reside in an enclave, even the operating system and the VMM (hypervisor) cannot affect the code and data inside it. The security boundary of the enclave includes only the CPU and the enclave itself. An enclave created by SGX can also be understood as a Trusted Execution Environment (TEE).
In this embodiment, when a user sends a data acquisition request to the oracle server through the user terminal, the server first parses the uniform resource locator (URL) of the data source the user wants, then spawns an independent thread, the oracle thread, and creates a TLS client inside it. This TLS client and its TLS connection are both placed inside an enclave, and the oracle thread controls the TLS client's whole life cycle: creation, destruction, connection establishment and data reading. Further, because code inside an enclave cannot perform I/O (input/output) operations, this embodiment uses ecalls and ocalls to exchange data with the TLS client inside the enclave.
The TLS client in the enclave generates and stores the various keys needed to establish the TLS secure channel. This information can only be used by code inside the enclave; programs outside the enclave cannot read it. Therefore the data obtained inside the enclave is secure and reliable and cannot be tampered with or forged by any man-in-the-middle or by code outside the enclave. Since code inside the enclave cannot perform I/O, ecalls and ocalls are used to hand the enclave's I/O reads and writes out to the oracle thread outside the enclave, which performs the I/O on the enclave's behalf.
The TLS client parses the URL in the data acquisition request and requests server-side data from the corresponding web server. After the server-side data has been obtained, the oracle thread attests it. The attestation process specifically includes: sending the server-side data to the attestation server (Intel Attestation Service), obtaining Intel's endorsement through the Intel remote attestation service, generating a proof file endorsed by Intel, and finally returning the proof file to the user terminal, which completes the whole data verification process.
This method provides a web service. The user submits the URL of the HTTPS data source they want to fetch securely; the service obtains the data securely over the TLS protocol and generates a complete, independently verifiable proof file. Using Intel SGX technology, the TLS client runs inside the trusted secure computing environment, the enclave, ensuring that nobody can tamper with the TLS client's code or obtain the symmetric keys of the TLS connection, so nobody can tamper with the data the TLS client obtains from the server. A verification program for the proof file lets any third party check the proof file's reliability.
The internet data verification method of this embodiment can be applied in many scenarios, such as copyright protection, supply chain finance and insurance claims settlement. Taking copyright protection as an example, an oracle data-capture method based on a secure computing environment helps solve the evidence-preservation problem in copyright protection. After a copyright owner publishes self-created digital content on the internet, other people or organisations may pirate the content without authorisation. The owner wants to preserve evidence of these infringements to defend their legal rights, but lacks an effective evidence-preservation scheme: the existing HTTPS internet transport protocol does not support non-repudiable data transfer, so the person preserving evidence cannot prove to a third party that they saw the content on a certain web page at a certain time and that the infringement really existed (the website operator may replace the content, and the person preserving evidence may also lie). With oracle technology based on a secure computing environment, the infringing content shown on the website at the moment of evidence collection can be preserved securely and reliably and handed to a third party for audit afterwards, so that the validity of the infringement evidence is confirmed by technical means. In addition, an oracle based on a secure computing environment can obtain secure, trusted and auditable external data from reliable sources for blockchain smart contracts. This connects real-world events seamlessly to the blockchain and helps smart contracts open up new application scenarios.
On the basis of the above embodiments, before the step of sending the server-side data to the attestation server for attestation, the method further includes: generating an enclave report from the server-side data, and having the quoting enclave sign the enclave report to produce a quote.
The step of sending the server-side data to the attestation server for attestation and generating the proof file attested by the attestation server specifically includes: sending the quote to the attestation server for attestation and receiving the attestation report returned by the attestation server; and writing the attestation report into the proof file to produce the proof file attested by the attestation server.
The step of generating the enclave report from the server-side data specifically includes: computing a hash over the request sent to the web server and the response content, and calling the Intel service to generate the enclave report.
Specifically, after the TLS client in each enclave fetches the server-side data, it can compute a hash over the request and the response content and call the Intel service to generate an enclave report. The oracle thread forwards the enclave report to the quoting enclave (quote enclave), which signs the report to produce a quote. Finally, the oracle thread submits the quote to Intel for verification and writes the final report returned by Intel into the proof file.
In a specific implementation, the oracle program running inside the enclave calls the relevant library functions of the Intel SGX secure computing platform to generate an enclave report (Report); the server program outside the enclave hands the enclave report to the local quoting enclave provided by the Intel SGX secure computing platform, which generates an enclave quote (Quote); the server program submits the enclave quote to the Intel remote attestation service over a mutually authenticated internet HTTPS connection; and the Intel remote attestation service verifies whether the user's enclave quote is valid. The verification result covers the following items: whether the platform that generated the enclave quote is a genuine Intel SGX secure computing platform; whether the key used by that platform is on the revocation list; the hash value of the code running on that platform; and the hash value of the data fetched by the oracle thread. With such a report from Intel, any third-party user can verify and trust the above process, and can therefore believe that the oracle service fetched the data on the remote data source exactly as claimed.
By this method, online infringing content can be securely and reliably preserved as evidence, and a proof file is provided to third parties by technical means so that the validity of the whole evidence-collection process can be verified.
On the basis of the above embodiments, before the step of creating the TLS client inside the oracle thread, the method further includes obtaining a revocation list; correspondingly, after the step of creating the TLS client inside the oracle thread, it further includes sending the revocation list to the TLS client.
Specifically, each CPU chip supporting Intel SGX technology carries two hardware keys, the Root Key and the Seal Key, which are made uncopiable by physically unclonable function (PUF) technology. The public key corresponding to the Root Key is known to Intel, while the private key is burned into the CPU chip and cannot be read by anyone. With a revocation list mechanism, Intel can respond better to key leakage or hardware and software defects: if an Intel SGX platform is compromised, or its key leaks through improper use, Intel can add that platform's public key to the revocation list, and computations performed on that platform thereafter are marked by Intel as insecure.
The oracle service first obtains the revocation list, then calls the relevant Intel SGX SDK library function, passing the revocation list and the fetched data together as parameters to generate an enclave report. The Intel SGX SDK function uses cryptographic techniques to prove that the public key corresponding to the current secure computing platform's Root Key is not on the revocation list, and this cryptographic evidence is included in the corresponding enclave report.
In summary, the internet data verification method of the embodiments runs the TLS client inside the trusted secure computing environment, the enclave, ensuring that nobody can tamper with the TLS client's code or obtain the symmetric keys of the TLS connection, so nobody can tamper with the data the TLS client obtains from the server. After the TLS client running in the enclave has obtained trusted data, the remote attestation service then checks the reliability of the code's execution. This attestation process ensures that the executed code (the TLS client) has not been tampered with, that the code ran in a correctly deployed trusted computing environment, and that the data acquisition process was secure and reliable. The method can provide secure and reliable external trigger conditions for smart contracts or trusted external data for blockchains, and can also provide a technical implementation for copyright evidence preservation, rights confirmation and similar businesses; its range of application is broad.
With reference to Fig. 2, which is a structural diagram of the internet data verification system provided by one embodiment of the invention, the system includes: an oracle thread generation module 21, a data request module 22 and a proof file generation module 23.
The oracle thread generation module 21 receives the data acquisition request sent by the user terminal, spawns an oracle thread, and creates a TLS client inside the oracle thread.
The data request module 22 has the TLS client request server-side data from the web server corresponding to the uniform resource locator in the data acquisition request.
The proof file generation module 23 sends the server-side data to the attestation server for attestation, generates a proof file attested by the attestation server, and sends the proof file to the user terminal.
The TLS client runs inside an enclave.
The internet data verification system of the embodiments specifically executes the flows of the internet data verification method embodiments above; for details, refer to those embodiments, which are not repeated here.
On the basis of the above embodiments, the system further includes a quote generation module, which generates an enclave report from the server-side data and has the quoting enclave sign the enclave report to produce a quote.
The proof file generation module is specifically configured to: send the quote to the attestation server for attestation and receive the attestation report returned by the attestation server; and write the attestation report into the proof file to produce the proof file attested by the attestation server.
Specifically, the oracle thread first accesses the Intel remote attestation service from outside the enclave to obtain the revocation list and passes it into the enclave environment. The oracle thread creates the TLS client inside the enclave and fetches the remote data; using the revocation list and the fetched remote data, the oracle program running in the enclave calls the relevant library functions of the Intel SGX secure computing platform to generate an enclave report (Report); the server program outside the enclave hands the enclave report to the local quoting enclave provided by the Intel SGX secure computing platform, which generates an enclave quote (Quote); the server program submits the enclave quote to the Intel remote attestation service over a mutually authenticated internet HTTPS connection; and the Intel remote attestation service verifies whether the user's enclave quote is valid. The verification result covers the following items: whether the platform that generated the enclave quote is a genuine Intel SGX secure computing platform; whether the key used by that platform is on the revocation list; the hash value of the code running on that platform; and the hash value of the data fetched by the oracle thread. With such a report from Intel, any third-party user can verify and trust the above process, and can therefore believe that the oracle service fetched the data on the remote data source exactly as claimed.
Fig. 3 illustrates the structure of an electronic device. As shown in Fig. 3, the server may include a processor 310, a communication interface 320, a memory 330 and a bus 340, where the processor 310, communication interface 320 and memory 330 communicate with one another through the bus 340. The communication interface 340 can be used for information transfer between the server and a smart television. The processor 310 can call logic instructions in the memory 330 to execute the following method: receiving the data acquisition request sent by the user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to the attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs inside an enclave.
This embodiment also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, enable the computer to perform the method provided by the method embodiments above, for example: receiving the data acquisition request sent by the user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to the attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs inside an enclave.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to perform the method provided by the method embodiments above, for example: receiving the data acquisition request sent by the user terminal, spawning an oracle thread, and creating a TLS client inside the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to the attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs inside an enclave.
The apparatus embodiments described above are merely exemplary, wherein described, unit can as illustrated by the separation member It is physically separated with being or may not be, component shown as a unit may or may not be physics list Member, it can it is in one place, or may be distributed over multiple network units.It can be selected according to the actual needs In some or all of the modules achieve the purpose of the solution of this embodiment.Those of ordinary skill in the art are not paying creativeness Labour in the case where, it can understand and implement.
Through the above description of the embodiments, those skilled in the art can be understood that each embodiment can It realizes by means of software and necessary general hardware platform, naturally it is also possible to pass through hardware.Based on this understanding, on Stating technical solution, substantially the part that contributes to existing technology can be embodied in the form of software products in other words, should Computer software product may be stored in a computer readable storage medium, such as ROM/RAM, magnetic disk, CD, including several fingers It enables and using so that a computer equipment (can be personal computer, server or the network equipment etc.) executes each implementation Method described in certain parts of example or embodiment.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, rather than its limitations;Although Present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that: it still may be used To modify the technical solutions described in the foregoing embodiments or equivalent replacement of some of the technical features; And these are modified or replaceed, technical solution of various embodiments of the present invention that it does not separate the essence of the corresponding technical solution spirit and Range.

Claims (10)

1. An internet data verification method, characterized by comprising:
receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread;
the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
sending the server-side data to an attestation server for attestation, generating a proof file once the attestation by the attestation server succeeds, and sending the proof file to the user terminal;
wherein the TLS client runs in an enclave.
2. The method according to claim 1, characterized in that, before the step of sending the server-side data to the attestation server for attestation, the method further comprises:
generating an enclave report from the server-side data, and signing the enclave report in a quoting enclave to generate a quote.
3. The method according to claim 2, characterized in that the step of sending the server-side data to the attestation server for attestation and generating the proof file once the attestation by the attestation server succeeds specifically comprises:
sending the quote to the attestation server for attestation, and receiving the attestation report returned by the attestation server;
writing the attestation report into the proof file, thereby generating the proof file attested by the attestation server.
4. The method according to claim 2, characterized in that the step of generating the enclave report from the server-side data specifically comprises:
computing the hash values of the request to the web server and of the response contents, and calling the Intel service to generate the enclave report.
5. The method according to claim 1, characterized in that, before the step of creating the TLS client in the oracle thread, the method further comprises: acquiring a recall list;
correspondingly, after the step of creating the TLS client in the oracle thread, the method further comprises: sending the recall list to the TLS client.
6. An internet data verification system, characterized by comprising:
an oracle thread generation module, for receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread;
a data request module, for the TLS client to request server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
a proof file generation module, for sending the server-side data to an attestation server for attestation, generating a proof file once the attestation by the attestation server succeeds, and sending the proof file to the user terminal;
wherein the TLS client runs in an enclave.
7. The system according to claim 6, characterized in that the system further comprises a quote generation module, for generating an enclave report from the server-side data, signing the enclave report in a quoting enclave, and generating a quote.
8. The system according to claim 6, characterized in that the proof file generation module is specifically used for: sending the quote to the attestation server for attestation, and receiving the attestation report returned by the attestation server;
writing the attestation report into the proof file, thereby generating the proof file attested by the attestation server.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the internet data verification method according to any one of claims 1 to 5.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the internet data verification method according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910231536.7A CN109995776B (en) 2019-03-26 2019-03-26 Internet data verification method and system

Publications (2)

Publication Number Publication Date
CN109995776A true CN109995776A (en) 2019-07-09
CN109995776B CN109995776B (en) 2021-10-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Yang Wentao; Wang Hu; Li Wei; Li Xucheng; Yi Xiaochun; Chen Chang; Wang Hao
Inventor before: Wang Hu; Yang Wentao; Li Wei; Li Xucheng; Yi Xiaochun; Chen Chang; Wang Hao
GR01 Patent grant