Summary of the invention
In view of the problems of the existing technology, embodiments of the present invention provide an internet data verification method and system.
In a first aspect, an embodiment of the present invention provides an internet data verification method, comprising:
receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread;
the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs in an enclave.
Wherein, before the step of sending the server-side data to the attestation server for attestation, the method further includes: generating an enclave report according to the server-side data, and signing the enclave report in a quoting enclave to generate a quote.
Wherein, the step of sending the server-side data to the attestation server for attestation and generating the proof file attested by the attestation server specifically includes: sending the quote to the attestation server for attestation, and receiving the attestation report returned by the attestation server; writing the attestation report into the proof file to generate the proof file attested by the attestation server.
Wherein, the step of generating the enclave report according to the server-side data specifically includes: computing the hash value of the request to and the response content from the web server, and calling the Intel SGX service to generate the enclave report.
Wherein, before the step of creating the TLS client in the oracle thread, the method further includes: obtaining a revocation list; correspondingly, after the step of creating the TLS client in the oracle thread, the method further includes: sending the revocation list to the TLS client.
In a second aspect, an embodiment of the present invention provides an internet data verification system, comprising:
an oracle thread generation module, configured to receive a data acquisition request sent by a user terminal, generate an oracle thread, and create a TLS client in the oracle thread;
a data request module, configured for the TLS client to request server-side data from the web server corresponding to the uniform resource locator in the data acquisition request;
a proof file generation module, configured to send the server-side data to an attestation server for attestation, generate a proof file attested by the attestation server, and send the proof file to the user terminal; wherein the TLS client runs in an enclave.
Wherein, the system further includes a quote generation module, configured to generate an enclave report according to the server-side data, and sign the enclave report in a quoting enclave to generate a quote.
Wherein, the proof file generation module is specifically configured to: send the quote to the attestation server for attestation, and receive the attestation report returned by the attestation server; write the attestation report into the proof file to generate the proof file attested by the attestation server.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the internet data verification method provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the steps of the internet data verification method provided in the first aspect.
The internet data verification method and system provided by embodiments of the present invention provide a web service. A user submits the address of the HTTPS data source they want fetched securely; the service obtains the data over the TLS protocol in a secure and reliable manner and generates an independent, complete and verifiable proof file. Using Intel SGX technology, the TLS client runs in a trusted and secure computing environment, the enclave, which ensures that nobody can tamper with the TLS client's code or obtain the symmetric keys of the TLS connection, and therefore nobody can tamper with the data the TLS client obtains from the server. A verification procedure for the proof file is implemented so that any third party can check the reliability of the proof file.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are a part rather than all of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
With reference to Fig. 1, which is a flow diagram of the internet data verification method provided by an embodiment of the invention, the provided method includes:
S1: receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread.
S2: the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request.
S3: sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal.
Wherein, the TLS client runs in an enclave.
Specifically, the present embodiment provides a verification service built on Intel SGX technology. After the client running in the secure computing environment obtains trusted data, the verification service can ensure the integrity of the code and the reliability of the process by which the code was executed.
SGX, whose full name is Intel Software Guard Extensions, is, as its name suggests, an extension of the Intel architecture (IA) for enhancing software security. Its approach is not to identify and isolate all malware on the platform, but to encapsulate the security-sensitive operations of legitimate software in an enclave, protecting it from attack by malware. Neither privileged nor unprivileged software can access the enclave; that is, once software and data are located in the enclave, even the operating system and the VMM (hypervisor) cannot affect the code and data inside the enclave. The security boundary of the enclave includes only the CPU and the enclave itself. An enclave created by SGX can also be regarded as a trusted execution environment (TEE).
In the present embodiment, when a user issues a data acquisition request to the oracle server through the user terminal, the server first parses the uniform resource locator (URL) of the data source the user wants, then spawns an independent thread, the oracle thread, and creates a TLS client in the newly established oracle thread. This TLS client and its TLS connection are both placed in the enclave, and the oracle thread controls the life-cycle operations of the TLS client: creation, destruction, establishing the connection, reading data and so on. Further, since code in the enclave cannot perform I/O (input/output) operations, the present embodiment uses ecalls and ocalls to exchange data with the TLS client in the enclave.
The TLS client in the enclave generates and stores the keys required to establish the TLS secure channel. This information can only be used by code in the enclave; programs outside the enclave cannot read it. Therefore, the data obtained in the enclave is secure and reliable and cannot be tampered with or forged by any man-in-the-middle or by code outside the enclave. Since code in the enclave cannot perform I/O operations, ecalls and ocalls are used to hand the I/O read and write portion from inside the enclave to the outside, where the oracle thread carries out the I/O operations on its behalf.
The TLS client parses the URL in the data acquisition request and requests server-side data from the web server corresponding to the URL. After the server-side data is obtained, the oracle thread attests it. The specific attestation process includes: sending the server-side data to the attestation server (Intel Attestation Service), obtaining Intel's endorsement through the Intel remote attestation service, generating a proof file endorsed by Intel, and finally returning the proof file to the user terminal, completing the whole data verification process.
Through this method, a web service is provided. A user submits the address of the HTTPS data source they want fetched securely; the service obtains the data over the TLS protocol in a secure and reliable manner and generates an independent, complete and verifiable proof file. Using Intel SGX technology, the TLS client runs in the trusted and secure computing environment, the enclave, ensuring that nobody can tamper with the TLS client's code or obtain the symmetric keys of the TLS connection; therefore nobody can tamper with the data the TLS client obtains from the server. A verification procedure for the proof file is implemented so that any third party can check the reliability of the proof file.
The internet data verification method provided in this embodiment can be applied to multiple scenarios, such as copyright protection, supply chain finance and insurance claims settlement. Taking copyright protection as an example, the oracle data capture method based on a secure computing environment helps solve the evidence preservation problem in copyright protection. After an author publishes self-created digital content on the internet, other people or organizations may pirate the content without authorization. The author wants to preserve evidence of these infringements to safeguard their lawful rights, but lacks an effective evidence preservation solution. Because the existing HTTPS-based internet transport protocol does not support non-repudiable data transmission, the party preserving evidence has no way to prove to a third party that they saw certain content on some web page at some moment and that an infringement actually existed (the website operator may replace the content, and the party preserving evidence may themselves lie). Using oracle technology based on a secure computing environment, the infringing content displayed on the website at the moment of evidence collection can be preserved securely and reliably, and after evidence collection a third party can audit the evidence, confirming the validity of the infringement evidence by technical means. In addition, oracle technology based on a secure computing environment can obtain secure, trusted and auditable external data from reliable sources for blockchain smart contracts. This allows real-world events and blockchains to be connected seamlessly, facilitating smart contracts and opening up new application scenarios.
On the basis of the above embodiments, before the step of sending the server-side data to the attestation server for attestation, the method further includes: generating an enclave report according to the server-side data, and signing the enclave report in a quoting enclave to generate a quote.
The step of sending the server-side data to the attestation server for attestation and generating the proof file attested by the attestation server specifically includes: sending the quote to the attestation server for attestation, and receiving the attestation report returned by the attestation server; writing the attestation report into the proof file to generate the proof file attested by the attestation server.
The step of generating the enclave report according to the server-side data specifically includes: computing the hash value of the request to and the response content from the web server, and calling the Intel SGX service to generate the enclave report.
Specifically, each time the TLS client in the enclave fetches server-side data, it computes a hash value over the request and response content exchanged with the server and calls the Intel SGX service to generate an enclave report. The oracle thread forwards the enclave report to the quoting enclave (quote enclave), which signs the report to generate a quote. Finally, the oracle thread sends the quote to Intel for verification and writes the final report returned by Intel into the proof file.
In a specific implementation, the oracle program running in the enclave calls the relevant library functions of the Intel SGX secure computing platform to generate an enclave report (Report); the server program outside the enclave hands the enclave report to the local quoting enclave provided by the Intel SGX secure computing platform to generate an enclave quote (Quote); the server program submits the enclave quote to the Intel remote attestation service over a mutually authenticated (bidirectional) HTTPS connection; the Intel remote attestation service verifies whether the user's enclave quote is valid, and the verification result covers the following items: whether the platform that generated the enclave quote is an Intel SGX secure computing platform; whether the key used by the secure computing platform is in the revocation list; the hash value of the code running on the secure computing platform; and the hash value of the data fetched by the oracle thread. With such a report from Intel, any third-party user can verify and trust the above process and can therefore believe that the oracle service accurately fetched the data on the remote data source.
Through this method, online infringing content is preserved as evidence securely and reliably, and a proof file is provided to a third party by technical means to verify the validity of the entire evidence collection process.
On the basis of the above embodiments, before the step of creating the TLS client in the oracle thread, the method further includes: obtaining a revocation list; correspondingly, after the step of creating the TLS client in the oracle thread, the method further includes: sending the revocation list to the TLS client.
Specifically, each CPU chip supporting Intel SGX technology carries two hardware keys, the Root Key and the Seal Key, manufactured using physically unclonable function (PUF) technology. The public key corresponding to the Root Key is known to Intel, while the private key is engraved in the CPU chip and cannot be read by anyone. Using a revocation list mechanism, Intel can better respond to key leakage or hardware and software defects. If an Intel SGX platform is compromised or its key leaks due to improper use, Intel can add the platform's public key to the revocation list, and computation performed on that platform thereafter is marked as unsafe by Intel.
The oracle service first obtains the revocation list, then calls the relevant library functions of the Intel SGX SDK, passing the revocation list and the fetched data in together as parameters to generate an enclave report. The relevant Intel SGX SDK functions use cryptographic techniques to prove that the public key corresponding to the current secure computing platform's Root Key is not in the revocation list, and this cryptographic evidence is included in the corresponding enclave report.
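The report, quote, attestation report and proof file chain described above, together with the third-party checks it enables (genuine platform, key not revoked, code hash, fetched-data hash) and the revocation-list handling of the preceding paragraphs, as an added Python simulation that is not the patent's code: the enclave report, quoting enclave and attestation service are stand-ins built from hashlib/hmac so the flow runs offline, and every name, key, field and sample value below is an assumption constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not real SGX keys or measurements).
MRENCLAVE = hashlib.sha256(b"tls-client-enclave-build").hexdigest()   # stand-in code hash
PLATFORM_KEY_ID = "platform-key-0001"                                  # stand-in Root Key id
REVOCATION_LIST = {"platform-key-9999"}                                # constructed revoked ids
IAS_SIGNING_KEY = b"constructed-attestation-service-key"               # stand-in for IAS key

def _sign(key: bytes, obj) -> str:
    """Stand-in signature: HMAC-SHA256 over canonical JSON (real SGX/IAS use asymmetric signatures)."""
    body = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def data_hash(request: bytes, response: bytes) -> str:
    """Hash of request and response content, bound into the enclave report's data field."""
    return hashlib.sha256(request + response).hexdigest()

def enclave_report(request: bytes, response: bytes) -> dict:
    """Inside the enclave: report carrying the code hash and the fetched-data hash."""
    return {"mrenclave": MRENCLAVE, "report_data": data_hash(request, response)}

def quoting_enclave(report: dict, platform_key_id: str) -> dict:
    """Quoting enclave: signs the report with the platform key, producing a quote."""
    return {"report": report, "platform_key_id": platform_key_id,
            "signature": _sign(platform_key_id.encode(), report)}

def attestation_service(quote: dict, revocation_list: set) -> dict:
    """Stand-in remote attestation service: checks quote signature and revocation, signs its verdict."""
    valid_sig = hmac.compare_digest(_sign(quote["platform_key_id"].encode(), quote["report"]),
                                    quote["signature"])
    revoked = quote["platform_key_id"] in revocation_list
    report = {"status": "OK" if valid_sig and not revoked else "INVALID", "quote": quote}
    return {"report": report, "signature": _sign(IAS_SIGNING_KEY, report)}

def build_proof_file(url: str, request: bytes, response: bytes,
                     revocation_list=REVOCATION_LIST, platform_key_id=PLATFORM_KEY_ID) -> dict:
    """Oracle thread: report -> quote -> attestation report, all written into the proof file."""
    quote = quoting_enclave(enclave_report(request, response), platform_key_id)
    return {"url": url, "request": request.decode(), "response": response.decode(),
            "attestation": attestation_service(quote, revocation_list)}

def verify_proof_file(proof: dict, expected_mrenclave: str, revocation_list: set,
                      ias_key: bytes = IAS_SIGNING_KEY) -> str:
    """Third-party verifier: checks the attestation report items and the data binding."""
    att = proof["attestation"]
    if not hmac.compare_digest(_sign(ias_key, att["report"]), att["signature"]):
        return "attestation report signature invalid"      # platform genuineness unproven
    if att["report"]["status"] != "OK":
        return "attestation status not OK"
    quote = att["report"]["quote"]
    if quote["platform_key_id"] in revocation_list:
        return "platform key revoked"                        # verifier's own, possibly newer, list
    if quote["report"]["mrenclave"] != expected_mrenclave:
        return "unexpected TLS client code hash"
    if quote["report"]["report_data"] != data_hash(proof["request"].encode(),
                                                   proof["response"].encode()):
        return "fetched data does not match report"
    return "valid"
```

Because the data hash is bound into the report before the quoting enclave signs it, altering the captured response after the fact invalidates the proof file even though the attestation report itself is untouched.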
In conclusion internet data verification method provided in an embodiment of the present invention, operates in credible peace for TLS client
It is complete to calculate in environment enclave, it is ensured that nobody can distort TLS client code and acquisition TLS connect in it is symmetrical close
Key, therefore nobody can distort the data that TLS client is obtained from server-side, when the TLS client operated in enclave obtains
After obtaining believable data, then by remote validation service, examine the reliability of code implementation.It can by this verification process
To ensure: performed code (TLS client) is not tampered with;Code operates in the trusted computation environment correctly disposed, number
It is safe and reliable according to acquisition process.Safe and reliable external trigger conditions can be provided for intelligent contract, or block
Chain provides believable external data, and card, data can also be deposited for copyright and the business such as really weigh, provide technology realization, application surface is extensive.
With reference to Fig. 2, which is a structural schematic diagram of the internet data verification system provided by an embodiment of the invention, the provided system includes: an oracle thread generation module 21, a data request module 22 and a proof file generation module 23.
Wherein, the oracle thread generation module 21 is configured to receive a data acquisition request sent by a user terminal, generate an oracle thread, and create a TLS client in the oracle thread.
The data request module 22 is configured for the TLS client to request server-side data from the web server corresponding to the uniform resource locator in the data acquisition request.
The proof file generation module 23 is configured to send the server-side data to an attestation server for attestation, generate a proof file attested by the attestation server, and send the proof file to the user terminal.
Wherein, the TLS client runs in an enclave.
The internet data verification system provided by the embodiment of the present invention specifically executes the processes of the above internet data verification method embodiments; for details, refer to the content of the above method embodiments, which is not repeated here.
On the basis of the above embodiments, the system further includes a quote generation module, configured to generate an enclave report according to the server-side data, and sign the enclave report in a quoting enclave to generate a quote.
The proof file generation module is specifically configured to: send the quote to the attestation server for attestation, and receive the attestation report returned by the attestation server; write the attestation report into the proof file to generate the proof file attested by the attestation server.
Specifically, the oracle thread first accesses the Intel remote attestation service outside the enclave to obtain the revocation list and hands it into the enclave environment. The oracle thread establishes the TLS client in the enclave and fetches the remote data; using the revocation list and the fetched remote data, the oracle program running in the enclave calls the relevant library functions of the Intel SGX secure computing platform to generate an enclave report (Report); the server program outside the enclave hands the enclave report to the local quoting enclave provided by the Intel SGX secure computing platform to generate an enclave quote (Quote); the server program submits the enclave quote to the Intel remote attestation service over a mutually authenticated (bidirectional) HTTPS connection; the Intel remote attestation service verifies whether the user's enclave quote is valid, and the verification result covers the following items: whether the platform that generated the enclave quote is an Intel SGX secure computing platform; whether the key used by the secure computing platform is in the revocation list; the hash value of the code running on the secure computing platform; and the hash value of the data fetched by the oracle thread. With such a report from Intel, any third-party user can verify and trust the above process and can therefore believe that the oracle service accurately fetched the data on the remote data source.
Fig. 3 illustrates a structural schematic diagram of an electronic device. As shown in Fig. 3, the server may include: a processor 310, a communication interface (Communications Interface) 320, a memory 330 and a bus 340, where the processor 310, the communication interface 320 and the memory 330 communicate with each other through the bus 340. The communication interface 340 can be used for information transmission between the server and a smart television. The processor 310 can call logic instructions in the memory 330 to execute the following method: receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs in an enclave.
The present embodiment also provides a computer program product, the computer program product including a computer program stored in a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the method provided by the above method embodiments, for example: receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs in an enclave.
The present embodiment provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to perform the method provided by the above method embodiments, for example including: receiving a data acquisition request sent by a user terminal, generating an oracle thread, and creating a TLS client in the oracle thread; the TLS client requesting server-side data from the web server corresponding to the uniform resource locator in the data acquisition request; sending the server-side data to an attestation server for attestation, generating a proof file attested by the attestation server, and sending the proof file to the user terminal; wherein the TLS client runs in an enclave.
The device embodiments described above are merely exemplary, where the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the existing technology, can be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk or CD, and includes several instructions for causing a computer device (which may be a personal computer, server or network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention rather than limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.