Summary of the invention
This specification proposes a remote attestation method for a trusted application, wherein the protected code in the trusted application is isolated and loaded in a target container serving as a trusted execution environment; the protected code includes code to be executed, and a target function for generating a private key and a public key. The method includes:
calling the target function to generate the private key and the public key in the target container, encrypting the generated private key, and persistently storing the encrypted private key; wherein the encrypted private key is provided with a decryption policy under which it can be decrypted only by the target container;
initiating, through a third-party remote attestation service, remote attestation of the public key to a remote receiving party, and, when the public key passes remote attestation, sending the public key to the remote receiving party for persistent storage;
obtaining an execution result of the code to be executed; wherein the execution result has been signed by the target container with the decrypted private key;
sending the execution result to the remote receiving party, so that the remote receiving party verifies the signature on the execution result with the stored public key in order to confirm whether the execution result is trusted data.
Optionally, calling the target function to generate the private key and the public key in the target container includes:
in response to an instruction to execute the code to be executed, calling the target function to generate the private key and the public key in the target container; or,
periodically calling the target function, based on a preset calling period, to generate the private key and the public key in the target container.
Optionally, initiating, through the third-party remote attestation service, remote attestation of the public key to the remote receiving party, and, when the public key passes remote attestation, sending the public key to the remote receiving party for persistent storage, includes:
creating a remote attestation credential based on the generated public key;
sending the remote attestation credential to the third-party remote attestation service, so that the remote attestation service verifies the credential;
obtaining the verification result returned by the remote attestation service; wherein the verification result has been signed by the remote attestation service with the private key it holds;
sending the verification result and the generated public key to the remote receiving party, so that the remote receiving party verifies the signature on the verification result at least with the public key of the third-party remote attestation service and, after the signature verification passes, persistently stores the generated public key locally at the remote receiving party.
Optionally, the trusted execution environment is a trusted execution environment built on SGX technology; the target container is an Enclave program in SGX technology; and the decryption policy of the encrypted private key is set to the keypolicy-MRENCLAVE policy.
Optionally, the remote receiving party is a smart contract deployed on a blockchain.
This specification also proposes a remote attestation apparatus for a trusted application, wherein the protected code in the trusted application is isolated and loaded in a target container serving as a trusted execution environment; the protected code includes code to be executed, and a target function for generating a private key and a public key. The apparatus includes:
a generation module, which calls the target function to generate the private key and the public key in the target container, encrypts the generated private key, and persistently stores the encrypted private key; wherein the encrypted private key is provided with a decryption policy under which it can be decrypted only by the target container;
an attestation module, which initiates, through a third-party remote attestation service, remote attestation of the public key to a remote receiving party, and, when the public key passes remote attestation, sends the public key to the remote receiving party for persistent storage;
an obtaining module, which obtains an execution result of the code to be executed; wherein the execution result has been signed by the target container with the decrypted private key;
a verification module, which sends the execution result to the remote receiving party, so that the remote receiving party verifies the signature on the execution result with the stored public key in order to confirm whether the execution result is trusted data.
Optionally, the generation module:
in response to an instruction to execute the code to be executed, calls the target function to generate the private key and the public key in the target container; or,
periodically calls the target function, based on a preset calling period, to generate the private key and the public key in the target container.
Optionally, the attestation module:
creates a remote attestation credential based on the generated public key;
sends the remote attestation credential to the third-party remote attestation service, so that the remote attestation service verifies the credential;
obtains the verification result returned by the remote attestation service; wherein the verification result has been signed by the remote attestation service with the private key it holds;
sends the verification result and the generated public key to the remote receiving party, so that the remote receiving party verifies the signature on the verification result at least with the public key of the third-party remote attestation service and, after the signature verification passes, persistently stores the generated public key locally at the remote receiving party.
Optionally, the trusted execution environment is a trusted execution environment built on SGX technology; the target container is an Enclave program in SGX technology; and the decryption policy of the encrypted private key is set to the keypolicy-MRENCLAVE policy.
Optionally, the remote receiving party is a smart contract deployed on a blockchain.
This specification also proposes an electronic device, including:
a processor;
a memory for storing machine-executable instructions;
wherein, by reading and executing the machine-executable instructions stored in the memory that correspond to the remote attestation control logic of the blockchain-based trusted application, the protected code in the trusted application being isolated and loaded in a target container serving as a trusted execution environment, and the protected code including code to be executed and a target function for generating a private key and a public key, the processor is caused to:
call the target function to generate the private key and the public key in the target container, encrypt the generated private key, and persistently store the encrypted private key; wherein the encrypted private key is provided with a decryption policy under which it can be decrypted only by the target container;
initiate, through a third-party remote attestation service, remote attestation of the public key to a remote receiving party, and, when the public key passes remote attestation, send the public key to the remote receiving party for persistent storage;
obtain an execution result of the code to be executed; wherein the execution result has been signed by the target container with the decrypted private key;
send the execution result to the remote receiving party, so that the remote receiving party verifies the signature on the execution result with the stored public key in order to confirm whether the execution result is trusted data.
In the above technical solution, on the one hand, the public/private key pair used for remote attestation is autonomously generated in the target container serving as the trusted execution environment rather than by the software vendor, and the persistently stored encrypted private key carries a decryption policy under which only the target container can decrypt it. Even the software developer therefore cannot obtain the generated private key, which significantly raises the security level of the private key.
On the other hand, the trusted application needs to initiate remote attestation through the third-party remote attestation service only once, for the autonomously generated public key. After the public key has passed remote attestation, the execution results of the code to be executed in the protected code are simply signed with the generated private key, and the signed execution results are sent to the remote receiving party, which completes the remote attestation of those execution results; the third-party remote attestation service no longer has to initiate remote attestation of each execution result to the remote receiving party. Frequent interaction with the third-party remote attestation service is thus avoided, and the autonomously generated key pair alone is enough to conveniently prove to the remote receiving party that an execution result is trusted data.
Specific embodiments
In practice, the protected code in a trusted application is usually secured by building a TEE (Trusted Execution Environment) and isolating that code inside the TEE.
When building a TEE, the processor of the underlying device is usually used as hardware support to build a container that can be accessed only by the processor, and this container serves as the trusted execution environment; the protected code in the trusted application is isolated and loaded in the container so that the container shields it.
For example, when a TEE is built with Intel's SGX (Software Guard Extensions) technology, the CPU of the device is usually used as the hardware support to create a program called an Enclave as the protection container, and the code that needs protection is isolated and loaded in the Enclave program so that it cannot be attacked.
In some scenarios, the execution results of the protected code in the trusted application must take part in remote trusted computation. Besides sending those execution results to a remote receiving party, the trusted application then usually also has to rely on remote attestation technology to prove to the remote receiving party, without disclosing the protected code, that the execution results are trusted data.
For example, in one scenario a smart contract deployed on a blockchain needs to use the execution results of the protected code in the trusted application as input data for trusted computation on the blockchain. Because the trusted application is not a node on the chain, it is an untrusted party from the smart contract's point of view; when it sends the execution results of the protected code to the smart contract deployed on the blockchain, it must therefore rely on remote attestation technology to prove to the smart contract, without disclosing the protected code, that those execution results are trusted data (that is, to prove this on chain).
With current remote attestation technology, when a trusted application initiates remote attestation of specific data to a remote receiving party, it usually has to rely on a third-party remote attestation service.
Taking the remote attestation mechanism of Intel's SGX technology as an example, Intel provides a third-party IAS (Intel Attestation Service) server for SGX remote attestation. If the execution result of protected code isolated and loaded in an Enclave needs to take part in trusted computation, the trusted application interacts with the IAS server, and remote attestation of that execution result is initiated to the remote receiving party through the IAS server, proving to the remote receiving party that the execution result of the protected code is trusted data.
Because remote attestation relies on the third-party remote attestation service, frequent interaction with that service is required, and a more convenient remote attestation mechanism is therefore desirable.
On this basis, this specification proposes a remote attestation scheme in which a public/private key pair autonomously generated in the container serving as the trusted execution environment is used to conveniently initiate remote attestation of the execution results of protected code to a remote receiving party.
In implementation, the software developer of the trusted application can develop a target container serving as a TEE based on a specific TEE construction technology (for example, Intel's SGX technology, in which case the target container is an Enclave program), and isolate and load the protected code of the trusted application in that target container.
In this solution, the protected code isolated and loaded in the target container may include code to be executed, whose execution results need to be remotely attested to a remote recipient, and a target function for generating a private key and a public key (in essence, special code for generating a private/public key pair).
Further, the trusted application can call the target function in the protected code isolated and loaded in the target container to generate a pair of a public key and a private key inside the target container.
On the one hand, the generated private key can also be encrypted inside the target container; when it is encrypted, a decryption policy can be set for the encrypted private key under which only the target container can decrypt it (that is, only the target container has decryption rights). The encrypted private key is then persistently stored by the processor.
On the other hand, for the generated public key, remote attestation of the public key can be initiated to the remote receiving party through the third-party remote attestation service, and when the public key passes remote attestation, the generated public key is sent to the remote receiving party and persistently stored by it.
Subsequently, when the code to be executed finishes executing, the target container can decrypt the encrypted private key and sign the execution result of that code with the private key. The trusted application can then obtain the execution result signed by the target container and send it to the remote receiving party, thereby initiating remote attestation of that execution result.
After receiving the execution result sent by the trusted application, the remote receiving party can verify the signature on the execution result with the stored public key to determine whether the execution result is trusted data.
In the above technical solution, on the one hand, the public/private key pair used for remote attestation is autonomously generated in the target container serving as the trusted execution environment rather than by the software vendor, and the persistently stored encrypted private key carries a decryption policy under which only the target container can decrypt it. Even the software developer therefore cannot obtain the generated private key, which significantly raises the security level of the private key.
On the other hand, the trusted application needs to initiate remote attestation through the third-party remote attestation service only once, for the autonomously generated public key. After the public key has passed remote attestation, the execution results of the code to be executed in the protected code are simply signed with the generated private key, and the signed execution results are sent to the remote receiving party, which completes the remote attestation of those execution results; the third-party remote attestation service no longer has to initiate remote attestation of each execution result to the remote receiving party. Frequent interaction with the third-party remote attestation service is thus avoided, and the autonomously generated key pair alone is enough to conveniently prove to the remote receiving party that an execution result is trusted data.
This specification is described below through specific embodiments and in combination with specific application scenarios.
Referring to Fig. 1, Fig. 1 shows a remote attestation method for a trusted application provided by an embodiment of this specification, applied to the trusted application; the protected code in the trusted application is isolated and loaded in a target container serving as a trusted execution environment; the protected code includes code to be executed, and a target function for generating a private key and a public key. The method performs the following steps:
Step 102: calling the target function to generate the private key and the public key in the target container, encrypting the generated private key, and persistently storing the encrypted private key; wherein the encrypted private key is provided with a decryption policy under which it can be decrypted only by the target container;
Step 104: initiating, through a third-party remote attestation service, remote attestation of the public key to a remote receiving party, and, when the public key passes remote attestation, sending the public key to the remote receiving party for persistent storage;
Step 106: obtaining an execution result of the code to be executed; wherein the execution result has been signed by the target container with the decrypted private key;
Step 108: sending the execution result to the remote receiving party, so that the remote receiving party verifies the signature on the execution result with the stored public key in order to confirm whether the execution result is trusted data.
The trusted application may include any application developed by a software developer that provides trusted services to third parties; the program code of a trusted application generally includes a protected part and an unprotected part.
In this specification, the target container refers to an isolated secure operating environment, built on a specific TEE construction technology, that provides security protection for the protected code in the trusted application.
In practice, the target container may be an isolated software environment supported by the processor as the underlying hardware and accessible only by the processor. For example, when a TEE is built with Intel's SGX technology, the target container may specifically be an Enclave program in SGX technology, and the protected code in the trusted application is usually isolated and loaded into the Enclave program so as to protect it.
Of course, in practice it is not excluded that the target container is a physically isolated hardware environment; for example, the target container may be a physically isolated chip, and the protected code in the trusted application is isolated and loaded in that chip so as to protect it.
It should be emphasized that the TEE construction technology used to build the TEE is not specifically limited in this specification; those skilled in the art can choose it flexibly according to actual development needs. It will be understood that the specific form of the target container also generally depends on the TEE construction technology chosen; that is, whether the target container is ultimately an isolated software environment or an isolated hardware environment depends on that technology. For example, if the TEE is built with Intel's SGX technology, the target container is an isolated software environment (namely an Enclave program) supported by the CPU as the underlying hardware and accessible only by the CPU.
The remote receiving party specifically refers to the remote data consumer of the execution results of the protected code in the trusted application; in practice it may be an independent trusted host or trusted system, or a smart contract deployed on a blockchain.
In the following examples, building the TEE on Intel's SGX technology is used for illustration. It should be emphasized that this is merely exemplary; in practice other TEE construction technologies, such as ARM's TrustZone technology, may obviously also be used to build the TEE, and they are not enumerated in this specification.
In this specification, the software developer of the trusted application can create an Enclave program serving as the TEE based on Intel's SGX technology, and isolate and load the protected code of the trusted application in that target container.
It should be noted that the specific process of creating an Enclave program based on SGX technology and isolating and loading protected code in it is not described in detail in this specification; those skilled in the art can refer to the records of the related art when putting the technical solution of this specification into practice.
The protected code isolated and loaded in the Enclave program is usually called the trusted part (Trusted Part) of the trusted application, and the other code, which is not isolated and loaded in the Enclave program, is called the untrusted part (Untrusted Part) of the trusted application.
The protected code isolated and loaded in the Enclave program may include at least two parts: the code to be executed and the target function.
The code to be executed is protected code whose execution results need to be sent to the remote receiving party for trusted computation; that is, the trusted application needs to prove to the remote receiving party, through trusted attestation technology, that the execution results of the code to be executed are trusted data. The target function is specifically used to generate the public key and the private key for the target container.
In SGX technology, a trusted application usually initiates remote attestation of the execution results of protected code to a remote receiving party by interacting with a deployed IAS server.
In this specification, however, the existing remote attestation mechanism of SGX technology is no longer reused to initiate remote attestation of the execution results of the protected code to the remote receiving party by interacting with the IAS server. Instead, the existing SGX remote attestation mechanism is used only once, to initiate remote attestation to the remote receiving party of the public/private key pair autonomously generated inside the Enclave program. Once that key pair has passed remote attestation, remote attestation of the execution results of the protected code can be initiated conveniently to the remote receiving party on the basis of the key pair, with no further interaction with the IAS.
In the initial state, the untrusted part of the trusted application can call, by way of an ECALL, the target function in the protected code isolated and loaded in the Enclave program, to generate a pair of a public key and a private key inside the Enclave program.
It should be noted that the untrusted part may call the target function through the ECALL in real time when the code to be executed in the protected code is executed, or may call it periodically according to a certain calling period.
For example, in one implementation, when the untrusted part receives an instruction to execute the code to be executed in the protected code, it can respond to the instruction in real time and immediately call, through the ECALL, the target function in the protected code isolated and loaded in the Enclave program, to generate a pair of a public key and a private key inside the Enclave.
In another implementation, the untrusted part can preset a calling period and, based on it, periodically call the target function in the protected code isolated and loaded in the Enclave program to generate a pair of a public key and a private key inside the Enclave program. In this way the public key and the private key of the Enclave program can be updated at regular intervals.
On the one hand, the generated private key can be encrypted inside the Enclave program by the processor (the encryption key is held by the processor), the processor sets a decryption policy for the encrypted private key, and the encrypted private key is then persistently stored.
The decryption policies for information encrypted on the basis of SGX technology generally include two kinds: keypolicy-MRENCLAVE (hereinafter the MRENCLAVE policy) and keypolicy-MRSIGNER (hereinafter the MRSIGNER policy).
The MRENCLAVE policy means that the data can be decrypted only by the current Enclave; the MRSIGNER policy means that the data can be decrypted by any Enclave developed and signed by the same developer.
Because the MRSIGNER policy requires trusting the developer, an attacker who obtains the developer's signing private key can develop a malicious Enclave, sign it with that key, and then decrypt the encrypted private key inside the malicious Enclave, leaking the plaintext of the encrypted private key.
On this basis, in this specification, when the processor sets the decryption policy for the encrypted private key, it can set it to the MRENCLAVE policy; that is, only the current Enclave has the right to decrypt the persistently stored encrypted private key.
In this way, even the software developer cannot obtain the private key autonomously generated by the Enclave, which significantly raises the security level of the private key.
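The difference between the two sealing policies can be made concrete with a small model. The following Go program is an added example, not code from this specification or from Intel's SGX SDK: it models the policy part of EGETKEY-style key derivation as an HMAC over a constructed hardware root secret and the identity the policy selects, and seals with AES-GCM. A genuine enclave and a rogue enclave that shares its MRSIGNER but has a different MRENCLAVE (the situation in which an attacker holds the developer's signing key) both try to unseal the private key. All identities, secrets and the private key material are constructed; real SGX sealing additionally mixes in the ISV SVN, CPU SVN and a key ID, which are omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPolicy selects the enclave identity the sealing key is bound to.
type KeyPolicy byte

const (
	PolicyMRENCLAVE KeyPolicy = iota // bound to the enclave measurement (keypolicy-MRENCLAVE)
	PolicyMRSIGNER                   // bound to the enclave signer (keypolicy-MRSIGNER)
)

// Enclave is the identity the CPU reports for a loaded enclave. Values are constructed.
type Enclave struct {
	MRENCLAVE [32]byte // measurement of the enclave's code and initial data
	MRSIGNER  [32]byte // hash of the public key that signed the enclave
}

// deriveSealingKey models the policy part of EGETKEY: a hardware root secret that never
// leaves the CPU is mixed with the identity the policy selects, so two enclaves derive
// the same key only if that identity matches. (Real SGX also mixes in SVNs and a key ID.)
func deriveSealingKey(rootSecret []byte, policy KeyPolicy, e Enclave) []byte {
	mac := hmac.New(sha256.New, rootSecret)
	if policy == PolicyMRENCLAVE {
		mac.Write([]byte("MRENCLAVE"))
		mac.Write(e.MRENCLAVE[:])
	} else {
		mac.Write([]byte("MRSIGNER"))
		mac.Write(e.MRSIGNER[:])
	}
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under the policy-derived key. Blob layout:
// policy byte || nonce || ciphertext+tag; the policy byte is authenticated as AAD so the
// unsealing enclave derives its key under the policy the sealer chose.
func seal(rootSecret []byte, policy KeyPolicy, e Enclave, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(deriveSealingKey(rootSecret, policy, e))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{byte(policy)}, nonce...)
	return append(blob, gcm.Seal(nil, nonce, plaintext, blob[:1])...), nil
}

// unseal is executed by enclave e; it succeeds only if e derives the sealer's key.
func unseal(rootSecret []byte, e Enclave, blob []byte) ([]byte, error) {
	if len(blob) < 1+12 {
		return nil, errors.New("sealed blob too short")
	}
	gcm, err := newGCM(deriveSealingKey(rootSecret, KeyPolicy(blob[0]), e))
	if err != nil {
		return nil, err
	}
	n := 1 + gcm.NonceSize()
	return gcm.Open(nil, blob[1:n], blob[n:], blob[:1])
}

// PolicyDemo seals a private key in the genuine enclave under each policy and reports who
// can recover it: the genuine enclave (MRENCLAVE-sealed blob), a rogue enclave signed with
// the same developer key (MRSIGNER-sealed blob), and that rogue enclave against the
// MRENCLAVE-sealed blob.
func PolicyDemo() (genuineOK, rogueWithMRSIGNER, rogueWithMRENCLAVE bool) {
	root := sha256.Sum256([]byte("constructed CPU root secret"))
	signer := sha256.Sum256([]byte("constructed developer signing key"))
	genuine := Enclave{MRENCLAVE: sha256.Sum256([]byte("genuine enclave code")), MRSIGNER: signer}
	rogue := Enclave{MRENCLAVE: sha256.Sum256([]byte("attacker enclave code")), MRSIGNER: signer}
	privKey := []byte("constructed enclave private key material")

	must := func(b []byte, err error) []byte {
		if err != nil {
			panic(err)
		}
		return b
	}
	byEnclave := must(seal(root[:], PolicyMRENCLAVE, genuine, privKey))
	bySigner := must(seal(root[:], PolicyMRSIGNER, genuine, privKey))

	pt, err := unseal(root[:], genuine, byEnclave)
	genuineOK = err == nil && string(pt) == string(privKey)
	_, err = unseal(root[:], rogue, bySigner)
	rogueWithMRSIGNER = err == nil // a stolen signing key is enough under MRSIGNER
	_, err = unseal(root[:], rogue, byEnclave)
	rogueWithMRENCLAVE = err == nil // different measurement, different key: the GCM tag check fails
	return
}

func main() {
	g, s, e := PolicyDemo()
	fmt.Printf("genuine enclave, MRENCLAVE policy: %v\n", g)
	fmt.Printf("rogue enclave, MRSIGNER policy: %v\n", s)
	fmt.Printf("rogue enclave, MRENCLAVE policy: %v\n", e)
}
```

The rogue enclave recovers the MRSIGNER-sealed key and fails on the MRENCLAVE-sealed one, which is exactly why the specification selects the MRENCLAVE policy for the autonomously generated private key. The price of that choice is worth noting: any enclave update changes MRENCLAVE, so data sealed by the old build cannot be unsealed by the new one and a key rotation (for instance the periodic regeneration described above) is needed across upgrades.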
On the other hand, for the generated public key, the trusted part of the trusted application can initiate remote attestation of the public key to the remote receiving party through the IAS server, and when the public key passes remote attestation, the generated public key is sent to the remote receiving party and persistently stored by it.
Based on SGX technology, when the trusted part of the trusted application initiates remote attestation of the public key to the remote receiving party, it can first create a Quote as the remote attestation credential, based on the generated public key or the hash value of the public key.
For example, based on SGX technology, the Quote is usually created by a dedicated Quoting Enclave through internal interaction between the Enclave and the Quoting Enclave. The specific process by which the Quoting Enclave creates the Quote used for the Enclave's remote attestation is not described in detail in this specification; those skilled in the art can refer to the related art when putting the technical solution of this specification into practice.
In this specification, the finally created Quote may include information such as the EPID signature, the generated public key or its hash value (the userdata that needs to be remotely attested), the MRENCLAVE identifier, and the EPID identifier of the processor. That is, the finally created Quote is the information obtained by applying an EPID signature as a whole over the generated public key or its hash value (the userdata to be remotely attested), the MRENCLAVE identifier, the EPID identifier of the processor, and so on.
The MRENCLAVE identifier is usually the hash (measurement) of the Enclave's code and is used to uniquely identify an Enclave. The EPID identifier, also called the basename, is used to anonymously identify a processor. The EPID signature is a kind of group signature used in Intel's SGX technology that preserves anonymity; the signing process and the signature verification process for EPID signatures are not described in detail in this specification, and those skilled in the art can refer to the related art.
In this specification, after generating the Quote as the remote attestation credential, the trusted part of the trusted application can send the Quote to the IAS server for remote verification. After receiving the Quote, the IAS server can verify the EPID signature on the Quote and then, with the private key it holds, sign the Quote together with the verification result for the Quote as a whole, generating the corresponding AVR (Attestation Verification Report).
That is, in this specification, the AVR usually may include information such as the Quote, the verification result for the Quote, and the IAS signature.
In this specification, the IAS server can return the generated AVR to the trusted part of the trusted application, and after receiving the AVR returned by the IAS server, the trusted part can further send the AVR together with the public key generated by calling the target function to the remote receiving party.
Alternatively, the trusted part of the trusted application can pass the AVR and the public key generated by calling the target function to the untrusted part of the trusted application, and the untrusted part then sends the AVR and the public key on to the remote receiving party.
After the remote receiving object receives the AVR sent by the trusted area of the trusted application, it can first verify the state of the AVR; for example, it verifies whether the value of the status field in the AVR is the particular value that indicates a normal AVR state. After the state verification of the AVR passes, the IAS signature of the AVR can be verified based on the public key corresponding to the private key held by the IAS server. If the signature verification passes, the information carried in the Quote within the AVR, namely the public key or the hash value of the public key, the MRENCLAVE identifier and the EPID identifier of the processor, can then be further verified.
Here, the verification of the public key or the hash value of the public key in the Quote is the process of verifying whether the public key or the hash value of the public key in the Quote matches the public key sent by the trusted area of the trusted application. For example, if what is carried in the Quote is the hash value of the public key, the hash value of the public key sent by the trusted area of the trusted application can be further calculated, and the calculated hash value is then matched against the hash value of the public key carried in the Quote; if the two match, the verification can be confirmed as passed.
The verification of the MRENCLAVE identifier and the EPID identifier of the processor in the Quote is the process of verifying whether the Enclave corresponding to the MRENCLAVE identifier, and the processor corresponding to the EPID identifier of the processor, are trusted.
In implementation, the developer of the Enclave can prove, by open-sourcing the Enclave code, that the Enclave code contains no malicious code, and the administrator of the remote receiving object can perform a security audit of the open-sourced Enclave code and set an MRENCLAVE white list for the remote receiving object. Likewise, an EPID identifier white list can be set for the remote receiving object according to actual demand. Thus, when the remote receiving object verifies the MRENCLAVE identifier and the EPID identifier of the processor in the Quote, it can match the MRENCLAVE identifier in the Quote against the MRENCLAVE white list and match the EPID identifier of the processor in the Quote against the EPID identifier white list, so as to confirm whether the Enclave corresponding to the MRENCLAVE identifier and the processor corresponding to the EPID identifier of the processor are trusted.
Continuing with reference to Fig. 2, after the IAS signature of the AVR, and the public key or the hash value of the public key, the MRENCLAVE identifier and the EPID identifier of the processor carried in the Quote within the AVR, have all passed verification, the remote receiving object can persistently store locally the public key generated by calling the above objective function and sent by the trusted area of the trusted application, together with the corresponding MRENCLAVE and EPID. That is, the MRENCLAVE corresponding to the public key generated by calling the above objective function is persistently stored together with the public key as the trusted program identifier, and the EPID corresponding to the public key is persistently stored together with the public key as the trusted hardware identifier.
In the present specification, after the remote receiving object has persistently stored locally the public key generated by calling the above objective function, the trusted application subsequently no longer needs to interact with the IAS server in order to initiate remote attestation of the execution result of the pending code; instead, it can conveniently initiate remote attestation of the execution result of the protected code to the remote receiving object directly with the public/private key pair created by calling the above objective function.
Specifically, after the pending code isolated and loaded in the above Enclave finishes executing, the Enclave can decrypt the persistently stored encrypted private key (only this Enclave has the decryption right) and apply a signature to the execution result based on the decrypted private key.
It should be noted that, in practical application, in addition to the output result of the pending code after it finishes executing, the above execution result may also incorporate other information; according to actual business demand, other information besides the output result of the pending code can also be signed as part of the execution result before remote attestation is initiated. For example, in one example, the input data of the pending code when it is executed (such as the execution parameters input when the pending code is executed) can also be signed as part of the above execution result.
The untrusted area of the trusted application can then obtain the execution result signed by the above Enclave and transmit the execution result directly to the remote receiving object, initiating remote attestation for the execution result. Of course, in practical applications, the trusted area of the trusted application can also send the signed execution result directly to the remote receiving object, initiating remote attestation for the execution result.
After the remote receiving object receives the execution result, it can verify the signature of the execution result based on the above public key persistently stored locally (the public key generated by calling the above objective function). If the signature verification passes, it can directly assert that the execution result is trusted data generated by a trusted Enclave created on a trusted processor; at this point, remote attestation of the execution result of the above pending code is completed.
In this way, when remotely attesting the execution result of the above pending code to the remote receiving object, there is no longer any need to interact with the IAS server, so that remote attestation can be completed more conveniently.
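The two verification stages described above, the one-time AVR check performed by the remote receiving object and the later IAS-free check of a signed execution result, worked through as an added example that is not part of the specification: Ed25519 stands in for both the IAS report signature and the enclave key pair, the AVR layout, the white lists and the MRENCLAVE and EPID values are constructed, and the objective function is represented by an ordinary key generation call.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AVR flattens what the specification describes: the Quote fields (hash of the enclave
// public key as userdata, MRENCLAVE, processor EPID basename), the IAS verification status,
// and the IAS signature over all of them (Ed25519 stands in for it; an assumption here).
type AVR struct {
	PubKeyHash [32]byte
	MRENCLAVE  string
	EPID       string
	Status     string
	IASSig     []byte
}

// signed is the byte string IAS signs: the status plus every Quote field.
func (a AVR) signed() []byte {
	return append([]byte(a.Status+"|"+a.MRENCLAVE+"|"+a.EPID+"|"), a.PubKeyHash[:]...)
}

// Receiver models the remote receiving object: IAS public key, white lists, stored enclave key.
type Receiver struct {
	IASPub, EnclavePub ed25519.PublicKey
	MROK, EPIDOK       map[string]bool
}

// Enroll is the one-time IAS-backed check, in the order the specification gives.
func (r *Receiver) Enroll(a AVR, pub ed25519.PublicKey) error {
	if a.Status != "OK" || !ed25519.Verify(r.IASPub, a.signed(), a.IASSig) {
		return errors.New("AVR status not normal or IAS signature invalid")
	}
	if sha256.Sum256(pub) != a.PubKeyHash {
		return errors.New("public key does not match the hash carried in the Quote")
	}
	if !r.MROK[a.MRENCLAVE] || !r.EPIDOK[a.EPID] {
		return errors.New("MRENCLAVE or EPID not white-listed")
	}
	r.EnclavePub = pub // persisted together with MRENCLAVE and EPID
	return nil
}

// VerifyResult is the later, IAS-free check: only the stored enclave public key is used.
func (r *Receiver) VerifyResult(result, sig []byte) bool {
	return r.EnclavePub != nil && ed25519.Verify(r.EnclavePub, result, sig)
}

// Scenario runs both phases with fresh keys; returns (genuine accepted, tampered accepted, enrol error).
func Scenario() (bool, bool, error) {
	iasPub, iasPriv, _ := ed25519.GenerateKey(nil)
	encPub, encPriv, _ := ed25519.GenerateKey(nil) // the objective function, run inside the enclave
	a := AVR{PubKeyHash: sha256.Sum256(encPub), MRENCLAVE: "mr-constructed", EPID: "epid-constructed", Status: "OK"}
	a.IASSig = ed25519.Sign(iasPriv, a.signed())
	r := &Receiver{IASPub: iasPub, MROK: map[string]bool{"mr-constructed": true}, EPIDOK: map[string]bool{"epid-constructed": true}}
	err := r.Enroll(a, encPub)
	res := []byte("input=42;output=1764") // the execution input is signed together with the output
	sig := ed25519.Sign(encPriv, res)
	return r.VerifyResult(res, sig), r.VerifyResult([]byte("input=42;output=0"), sig), err
}

func main() { fmt.Println(Scenario()) }
```

Running it prints "true false <nil>": the genuine result verifies with the stored key alone, and a result whose output was altered after signing is rejected.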
In the above technical solution, on the one hand, since the public/private key pair used for remote attestation is autonomously generated in the target container serving as the trusted execution environment and is no longer generated by the software supplier, and since the persistently stored encrypted private key is provided with a decryption policy under which it can only be decrypted by the target container, even the software developer cannot obtain the generated private key, so that the security level of the private key can be significantly improved.
On the other hand, the trusted application only needs to initiate, once, through the third-party remote attestation server, remote attestation of the autonomously generated public key to the remote receiving object; after the public key passes remote attestation, the execution result of the pending code in the protected code is subsequently signed directly with the generated private key, and the signed execution result is sent to the remote receiving object to complete remote attestation of the execution result, without any need to initiate remote attestation of the execution result to the remote receiving object through the third-party remote attestation server. Therefore, frequent interaction with the third-party remote attestation server is no longer needed, and it can be conveniently proven to the remote receiving object, based on the autonomously generated public/private key pair, that the execution result is trusted data.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a remote attestation apparatus for a trusted application. The embodiment of the remote attestation apparatus for a trusted application of the present specification can be applied to an electronic device. The apparatus embodiment can be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the apparatus in a logical sense is formed by the processor of the electronic device in which it is located reading the corresponding computer program instructions from the non-volatile memory into memory and running them. From the hardware perspective, Fig. 2 shows a hardware structure diagram of the electronic device in which the remote attestation apparatus for a trusted application of the present specification is located; in addition to the processor, memory, network interface and non-volatile memory shown in Fig. 2, the electronic device in which the apparatus of the embodiment is located may generally also include other hardware according to the actual function of the electronic device, which is not described further here.
Fig. 3 is a block diagram of a remote attestation apparatus for a trusted application according to an exemplary embodiment of the present specification.
Referring to Fig. 3, the remote attestation apparatus 30 for a trusted application can be applied to the electronic device shown in Fig. 2; here, the protected code in the trusted application is isolated and loaded in the target container serving as the trusted execution environment, and the protected code includes pending code and an objective function for generating a private key and a public key. The apparatus 30 includes:
a generation module 301, which calls the objective function in the target container to generate a private key and a public key, encrypts the generated private key, and persistently stores the encrypted private key, wherein the encrypted private key is provided with a decryption policy under which it can only be decrypted by the target container;
an attestation module 302, which initiates remote attestation of the public key to the remote receiving object through the third-party remote attestation server and, when the public key passes remote attestation, sends the public key to the remote receiving object for persistent storage;
an obtaining module 303, which obtains the execution result of the pending code, wherein the execution result has been signed by the target container based on the decrypted private key; and
a verification module 304, which sends the execution result to the remote receiving object, so that the remote receiving object verifies the signature of the execution result based on the stored public key in order to confirm whether the execution result is trusted data.
In this embodiment, the generation module 301:
calls the objective function in the target container to generate a private key and a public key in response to an execution instruction for the pending code; or,
periodically calls the objective function in the target container to generate a private key and a public key based on a preset calling period.
In this embodiment, the attestation module 302:
creates a remote attestation credential based on the generated public key;
sends the remote attestation credential to the third-party remote attestation server, so that the remote attestation server verifies the remote attestation credential;
obtains the verification result returned by the remote attestation server, wherein the verification result has been signed by the remote attestation server based on the private key it holds; and
sends the verification result and the generated public key to the remote receiving object, so that the remote receiving object verifies the signature of the verification result based at least on the public key of the third-party remote attestation server and, after the signature verification passes, persistently stores the generated public key locally at the remote receiving object.
In this embodiment, the trusted execution environment is a trusted execution environment built based on SGX technology, and the target container is an Enclave program in SGX technology, wherein the decryption policy of the encrypted private key is set to the Keypolicy-MRENCLAVE policy.
In this embodiment, the remote receiving object is a smart contract deployed on a blockchain.
The implementation process of the functions and effects of the modules in the above apparatus is described in detail in the implementation process of the corresponding steps in the above method and is not repeated here.
As for the apparatus embodiment, since it essentially corresponds to the method embodiment, the relevant parts may refer to the partial description of the method embodiment. The apparatus embodiments described above are merely illustrative; the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present specification, which those of ordinary skill in the art can understand and implement without creative effort.
The system, apparatus, module or unit illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. A typical implementation device is a computer, and the specific form of the computer may be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an e-mail transceiver device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Corresponding to the above method embodiment, the present specification further provides an embodiment of an electronic device. The electronic device includes a processor and a memory for storing machine-executable instructions, wherein the processor and the memory are usually interconnected through an internal bus. In other possible implementations, the device may also include an external interface so as to communicate with other devices or components.
In this embodiment, the protected code in the trusted application is isolated and loaded in the target container serving as the trusted execution environment, wherein the protected code includes pending code and an objective function for generating a private key and a public key.
By reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of remote attestation of the trusted application, the processor is caused to:
call the objective function in the target container to generate a private key and a public key, encrypt the generated private key, and persistently store the encrypted private key, wherein the encrypted private key is provided with a decryption policy under which it can only be decrypted by the target container;
initiate remote attestation of the public key to the remote receiving object through the third-party remote attestation server and, when the public key passes remote attestation, send the public key to the remote receiving object for persistent storage;
obtain the execution result of the pending code, wherein the execution result has been signed by the target container based on the decrypted private key; and
send the execution result to the remote receiving object, so that the remote receiving object verifies the signature of the execution result based on the stored public key in order to confirm whether the execution result is trusted data.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of remote attestation of the trusted application, the processor is caused to:
call the objective function in the target container to generate a private key and a public key in response to an execution instruction for the pending code; or,
periodically call the objective function in the target container to generate a private key and a public key based on a preset calling period.
In this embodiment, by reading and executing the machine-executable instructions stored in the memory that correspond to the control logic of remote attestation of the trusted application, the processor is caused to:
create a remote attestation credential based on the generated public key;
send the remote attestation credential to the third-party remote attestation server, so that the remote attestation server verifies the remote attestation credential;
obtain the verification result returned by the remote attestation server, wherein the verification result has been signed by the remote attestation server based on the private key it holds; and
send the verification result and the generated public key to the remote receiving object, so that the remote receiving object verifies the signature of the verification result based at least on the public key of the third-party remote attestation server and, after the signature verification passes, persistently stores the generated public key locally at the remote receiving object.
Those skilled in the art will readily conceive of other embodiments of the present specification after considering the specification and practising the invention disclosed herein. The present specification is intended to cover any variations, uses or adaptations of the present specification that follow its general principles and include common knowledge or conventional technical means in the art not disclosed in the present specification. The description and examples are to be considered illustrative only, and the true scope and spirit of the present specification are indicated by the following claims.
It should be understood that the present specification is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present specification is limited only by the appended claims.
The foregoing is merely the preferred embodiments of the present specification and is not intended to limit the present specification; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present specification shall be included within the scope of protection of the present specification.