CN110492990A - Private key management method, apparatus and system under block chain scene
- Publication number: CN110492990A (CN201810458967.2A)
- Authority: CN (China)
- Prior art keywords: private key, block chain, tee, computer system, password
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion.)
Classifications
- H04L9/40—Network security protocols
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
The application provides a private key management method, apparatus and system for blockchain scenarios. A computer system is provided in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed, together with a blockchain functional unit based on blockchain technology. The private key management module and the transaction data processing module of the blockchain functional unit are deployed in the TEE, where the private key management module creates a private key and stores it in the TEE, and the transaction data processing module uses the private key to encrypt the digest data involved in the blockchain functional unit. By placing the private key involved in the blockchain scenario on the TEE side for creation, storage and use, the security of the private key is provided by the trusted execution environment of the TrustZone architecture, which to some extent solves the security risks the private key faces in an untrusted environment and improves the security of the blockchain system.
Description
Technical field
This application relates to blockchain technology, and in particular to a method, apparatus and system for managing private keys in a blockchain.
Background
Blockchain data is generated and stored in units of blocks, which are linked in chronological order into a chain data structure. All nodes jointly participate in the data verification, storage and maintenance of the blockchain system. The creation of a new block requires consensus confirmation and is broadcast to every node so that the whole network is synchronized, after which it cannot be changed or deleted. Blockchain is a combined innovation of several existing technologies and mainly addresses multi-party trust and efficient collaboration. The technologies that make up a blockchain mainly include hash operations (SHA256), digital signatures, P2P (peer-to-peer) networks and consensus algorithms. Typical application scenarios of blockchain technology include cryptocurrency, finance, supply chain and the Internet of Things.
Digital signature technology is used to guarantee, to a certain extent, the security of data transmission. Take the cryptocurrency scenario as an example: the blocks on each node store currency transaction information, which includes one or more transactions. One transaction is, for example, wallet address A transferring 100 units of digital currency (such as bitcoin) to wallet address B. Before transaction information is transmitted between nodes, a hash operation is performed on the transaction to obtain its digest, the digest is encrypted with the sender's private key, and the encrypted digest and the transaction data (or encrypted transaction data) are sent to the recipient. The recipient decrypts the received ciphertext digest with the corresponding public key to obtain digest a, performs a hash operation on the received transaction data to obtain digest b, and compares the two; the transaction information is considered safe only when digest a and digest b are identical. Digital signatures therefore guarantee the integrity of the transmitted information while authenticating the sender's identity, which prevents repudiation of the transaction. How to keep the private key safe during the digital signature process, so that the sender's private key is not obtained by a malicious third party, is a problem that urgently needs solving in the blockchain field.
The most common private key management mode today is to escrow the private key on a service provider's server; before using the private key, the user logs in to the server with an account and carries out the relevant operations there. This mode has several defects. If the server is attacked or has other vulnerabilities, the private key is easily leaked or lost. The user account may also be stolen. Browser vulnerabilities can affect the security of the account while the user accesses the server. Man-in-the-middle attacks and HTTPS certificate hijacking during network transmission are also common security risks. The other mode is for the blockchain node device to create and store the private key itself. At present, the security design of most cryptocurrency wallets relies entirely on the security boundary of the operating system: the storage and handling of the private key still stops at encryption with a fixed key, or even direct storage in plaintext, and depends on the operating system's security boundary to prevent unauthorized access. But whether it is Android, iOS, Windows or Linux, a large number of system security vulnerabilities are disclosed and fixed every year, and many of them are local privilege-escalation vulnerabilities. With these privilege-escalation vulnerabilities the security design boundary of the operating system can easily be broken and the ability to access the private key obtained.
Summary of the invention
This application provides a private key management method, apparatus and system that can be applied in blockchain-related application scenarios to improve the security of the private key, and thereby the security of the information stored in the blockchain.
Several aspects of the application are described below. Identical or similar parts of the implementations of these aspects may be cross-referenced.
In a first aspect, the application provides a computer system in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed. The computer system is also deployed with a blockchain functional unit based on blockchain technology, such as digital wallet software. The private key management module and the transaction data processing module of the blockchain functional unit are deployed in the TEE. The private key management module creates a private key and stores it in the TEE. The transaction data processing module uses the private key to encrypt the digest data involved in the blockchain functional unit.
In some implementations, the digest data is generated in the TEE; in other implementations, the digest data is generated in the REE, and the REE then sends the digest data to the TEE.
In some implementations, the private key management module encrypts the private key before storing it, so that the stored private key is the encrypted private key.
In some implementations, the private key management module encrypts the private key with a password. The password is updated when a condition is met or is updated periodically; after an update, the private key is encrypted again with the new password, and the private key encrypted with the new password is stored.
In some implementations, the update condition of the password includes one encryption of the digest data having been performed.
In some implementations, the password is a random number generated by a hardware random number generator. In other implementations, the password may also be generated by a software random number generator.
In a second aspect, the application provides a private key management method for blockchain scenarios. The method is applied to a computer system, such as a terminal device, in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed. A blockchain functional unit, such as digital wallet software, is also deployed in the computer system. The method comprises: creating, in the TEE, the private key involved in the blockchain functional unit and storing the private key on the TEE side; and encrypting, on the TEE side, the digest data involved in the blockchain functional unit using the private key.
In some implementations, the digest data is generated on the TEE side; in other implementations, the digest data is generated on the REE side and sent to the TEE, so that the digest data is encrypted on the TEE side.
In some implementations, before the private key is stored the method further comprises: encrypting the private key. It is easy to see that after encryption what is stored is no longer the original private key but the encrypted private key, which must be decrypted before its next use.
In some implementations, encrypting the private key and storing the encrypted private key comprises: encrypting the private key with a password, where the password is updated when a condition is met or is updated periodically; after an update, the private key is encrypted again with the new password, and the private key encrypted with the new password is stored.
In some implementations, updating the password when a condition is met comprises: updating the password after the private key has been used to perform one encryption of the digest data.
In some implementations, updating the password periodically comprises: updating the password at fixed intervals, and re-encrypting and storing the private key.
In some implementations, the password is a random number generated by a hardware random number generator. In other implementations, the password may also be generated by a software random number generator.
In a third aspect, the application provides a computer system comprising a memory and a processor, where the memory stores a computer program and the processor reads and executes the computer program to implement the method provided by any of the foregoing implementations.
In a fourth aspect, the application provides a blockchain system that includes the computer system provided by any aspect of this application. The computer system may be a terminal device or another type of computer system.
It can be seen that the private key management method, apparatus and system provided by this application place the private key involved in the blockchain scenario on the TEE side for creation, storage and use. The security of the private key is provided by the trusted execution environment of the TrustZone architecture, which to some extent solves the security risks the private key faces in an untrusted environment and improves the security of the blockchain system. Further, the private key is encrypted when it is stored, which further ensures security. Moreover, the password that encrypts the private key changes periodically or when triggered by a condition, which makes the password more secure and therefore the private key more secure.
Brief description of the drawings
To describe the technical solution provided by this application more clearly, the drawings are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application.
Fig. 1a is a schematic diagram of the network architecture of a blockchain scenario;
Fig. 1b is a schematic diagram of the system architecture of a terminal device;
Fig. 2 is a schematic diagram of the interaction flow between a CA and a TA;
Fig. 3 is a schematic diagram of the function deployment of digital wallet software;
Fig. 4 is a schematic diagram of the processing flow of the transaction data sender in digital wallet software;
Fig. 5 is a schematic diagram of the processing flow of the transaction data recipient in digital wallet software;
Fig. 6 is a flow diagram of the private key creation method;
Fig. 7 is a flow diagram of the private key encryption method;
Fig. 8 is a structural diagram of a computer system.
Detailed description
Terminal devices are increasingly required to handle critical services. From paying for, downloading and watching the latest Hollywood blockbuster during a specific period, to paying bills and managing bank accounts remotely from a mobile phone, these trends have made terminal devices a key target for malicious software such as malware, Trojans and rootkits. To ensure the security of terminal devices, terminal device security frameworks represented by TrustZone have emerged. Under the existing TrustZone framework, system-level security is obtained by dividing the software and hardware resources of the system on chip (SoC) into two worlds, the normal world and the secure world (also called the secure domain and the non-secure domain), which correspond respectively to the rich execution environment (REE) and the trusted execution environment (TEE). The TEE and the REE run on the same device. The TEE ensures that sensitive data is stored, processed and protected in a trusted environment, and provides a secure execution environment for authorized trusted applications (TAs). However, on mobile terminals in blockchain scenarios the management and use of the private key are based on the REE, and because the REE has a large attack surface, security is not high. Once private key management and use are moved into the TEE, it becomes necessary to solve how the creation and use of the private key and the digital signature process in the TEE interact between the REE and the TEE.
Fig. 1a is a schematic diagram of the network architecture of the blockchain scenario in which the private key management method provided in this embodiment is applied. In the blockchain system, multiple terminal devices form a peer-to-peer, decentralized network structure. Each terminal device can be regarded as a node of the blockchain. The automobile in the figure represents a vehicle-mounted terminal device.
Fig. 1b is a schematic diagram of the system architecture of any one of the terminal devices in Fig. 1a. The terminal device includes an REE and a TEE, which run, respectively, an operating system and a TEE-side operating system (for example, the open-source OP-TEE operating system). The operating system and the TEE OS are each further divided into a user mode and a kernel mode. The CA (client application) in the REE and the TA in the TEE form a client/server-like architecture, with the TA as the server and the CA as the client. Access is initiated by the CA, and the two exchange data through a message channel at the hardware layer; after initiating a request, the CA side is suspended and waits for the TA to return the result. A CA is developed by calling the TEE client API (application program interface) to communicate with the corresponding TA; a TA calls the TEE internal API to use the programming resources the TEE provides to implement its functions.
The interaction flow between a typical CA and TA is shown in Fig. 2:
S201: The CA first performs the necessary context initialization. The specific call is TEEC_InitializeContext.
S202: A session is opened by specifying the path (ta_path) where the TA file is located. The specific call is TEEC_OpenSession(ta_path).
S203: After the session is established successfully, a session handle is returned (Return SessionHandle). At this point the TA is running in the TEE and waits to receive commands from the CA.
S204: The CA sends a command. The underlying interface invokes the SMC (secure monitor call) instruction to switch the processor to secure mode and passes the command to the TA in the TEE for processing (by means of shared memory). The specific call is TEEC_InvokeCommand(cmd).
S205: After processing the command, the TA returns the result (Return result) to the CA, and the processor switches back to non-secure mode.
It should be noted that the processor also has a monitor mode between secure mode and non-secure mode. During a switch, the processor first switches from secure mode to monitor mode and then to non-secure mode, and vice versa. The more specific switching process can be found in the prior art and is not repeated here.
In the prior art, when a blockchain-based application is implemented on a mobile device, both the private key management module and the data processing module of the application are implemented in the REE. The private key management module creates and stores the private/public keys; the data processing module performs hash operations, digital signatures, digest comparison and similar processing on data, in order to identify whether the data has been tampered with and to verify the sender's identity information.
Taking digital wallet software as an example and referring to Fig. 3, the software mainly includes 5 modules: user management module 301, asset management module 302, key management module 305, transaction data processing module 304 and network management module 303. The user management module 301 authenticates the user name and password when a user logs in. The asset management module 302 is used to view digital asset information and to make transfers to third parties. The network management module 303 connects to the network and sends and receives network data packets. The key management module creates and stores the private key and the public key. The transaction data processing module 304 performs the hash operation and digital signature processing on outgoing transaction data, and for incoming transaction data also compares the transaction digest data, to identify whether the transaction data has been tampered with and to verify the sender's identity information. As shown in Fig. 3, this embodiment places the digital signature function of the transaction data processing module (corresponding to transaction data processing module 304_B) and the key management module 305 on the TEE side, while the other functions (corresponding to transaction data processing module 304_A) and the other modules remain on the REE side.
In this embodiment, digital wallet software that was originally implemented only on the REE side is instead implemented jointly by the REE side and the TEE side. The functions of the key management module and the transaction data processing module described above are implemented on the TEE side by one or more TAs, and the functions of the other modules can be implemented on the REE side by one or more CAs.
It should be noted that in this embodiment the 4 modules on the REE side are implemented by one CA and the 2 modules on the TEE side by one TA; in other embodiments, the functional modules may be implemented by multiple CAs or TAs. The division into modules is also only an example, and the application is not limited to it.
Fig. 4 describes the processing flow of transaction data, taking as an example wallet A paying 100 units of digital currency to wallet B. Where this embodiment involves an REE-side module calling a TEE-side module, refer to the process of a CA calling a TA described above; the specific calling process is not described again.
S401: Wallet A (which can also be understood as terminal device A) performs a hash operation on the transaction data on the REE side using the SHA256 algorithm, generating a 256-bit transaction digest. The transaction data includes the address information of wallet A, the address information of wallet B and the payment amount information. The transaction data may take the form of a character string.
S402: Wallet A then sends the transaction digest to the TA on the TEE side through the data channel between the CA and the TA. Specifically, the REE-side CA calls the TEEC_InvokeCommand(cmd) function to send the transaction digest data, where cmd is the SEND_DIGEST command.
Taking Fig. 3 as an example, steps S401 and S402 can be executed by transaction data processing module 304_A.
S403: The TA on the TEE side encrypts the transaction digest using wallet A's private key and the elliptic curve digital signature algorithm (Elliptic Curve Digital Signature Algorithm, ECDSA), generating a digital signature of less than 320 bits (also called signature data).
S404: The TA on the TEE side returns the signature data and wallet A's public key to the REE-side CA. Wallet A's public key and private key are created on the TEE side by the TA before they are used, but this embodiment does not limit exactly when; for example, the public key may be created immediately after the private key, or only just before it is returned to the REE side. Wallet A's public key can be derived from wallet A's private key and the ECDSA algorithm.
Taking Fig. 3 as an example, steps S403 and S404 can be executed by transaction data processing module 304_B.
S405: After the REE-side CA obtains the public key and the signature data, it packs the transaction data, the public key and the signature data together into one network data packet and sends it to the network management module. The network management module broadcasts the network data packet to the other blockchain nodes across the network.
Taking Fig. 3 as an example, step S405 can be executed by transaction data processing module 304_A.
Continuing from Fig. 4, Fig. 5 shows the processing flow of wallet B (which can also be understood as terminal device B) after it receives the network data packet. Other nodes process the network data packet in a similar way, which is not described in detail.
S501: The CA parses out three parts of data: the transaction data, the public key and the signature data.
S502: The CA calls the SHA256 algorithm to perform a hash operation on the transaction data and obtain 256-bit digest data.
S503: The CA calls the ECDSA signature verification algorithm to decrypt the signature data and obtain the original transaction digest data.
S504: The digest data generated in S502 and S503 are compared. If they are equal, the transaction data has not been tampered with and is accepted; otherwise the transaction data is discarded.
The creation and storage of the private key are a critical link in the transaction data processing flow above: if the private key is leaked, the security of the transaction data cannot be guaranteed. Fig. 6 is a flow diagram of the TA creating a private key as provided by this application, which can also be understood as a flow diagram of the private key management module creating a private key.
S601: The TA calls a random number generator to generate a 256-bit random number R1. Specifically, the random number generator is a hardware random number generator or a software random number generator; a hardware random number generator usually has better randomness and so provides higher security. The implementation of software and hardware random number generators is known in the art: a software random number generator is a software functional unit and a hardware random number generator is a piece of hardware. This embodiment only needs to call one, so the details are not repeated here.
S602: A hash operation is performed on the random number R1 using a hash algorithm to obtain a 256-bit private key. The hash algorithm may be the SHA (Secure Hash Algorithm) 256 algorithm.
S603: The private key obtained in S602 is encrypted using another random number R2 (which can also be understood as a random password, password or key). The encryption algorithm may be the AES (Advanced Encryption Standard) 256 algorithm or another encryption algorithm; this embodiment does not limit it. The other random number can be generated by calling the aforementioned random number generator or another random number generator.
S603: The value of R2 and the encrypted key are stored.
To further improve security, the value of R2 in this embodiment can be updated. When R2 is updated, the encrypted key is first decrypted with the corresponding decryption algorithm, and the private key is then re-encrypted with the new value.
Fig. 7 is a flow diagram of updating the random number R2.
S701: With reference to Fig. 4, after receiving the transaction digest the TA decrypts the currently stored key using the currently stored value of R2.
S702: The TA encrypts the transaction digest using the decrypted private key to obtain the signature data.
S703: The random number generator is triggered to generate a new random number, which becomes the value of R2.
S704: The private key is re-encrypted using the updated R2.
S705: The re-encrypted private key and the new R2 are stored.
In the implementation shown in Fig. 7, R2 is updated after one digital signature has been executed (S702). In other embodiments, the update of R2 may also be periodic, for example once every 3 seconds, or may combine the periodic approach with the approach shown in Fig. 7, or use another update method determined according to need.
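The key creation (S601 to S603), sign-then-rewrap (S701 to S705) and sender/receiver flows (S401 to S405, S501 to S504) above, as an added Python simulation that is not code from the patent: `WalletTA` stands in for the TEE-side TA, secp256k1 is an assumed curve, and because the standard library has no AES the wrap step uses an HMAC-SHA256 keystream in its place. ECDSA verification checks the signature against the recomputed digest; it does not recover the digest from the signature.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters. The curve is an assumption: the page only says "ECDSA".
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def wrap(r2, key32):
    """Stand-in for the AES-256 step: XOR with an HMAC-SHA256 keystream, plus a tag."""
    stream = hmac.new(r2, b"wrap", hashlib.sha256).digest()
    ct = bytes(x ^ y for x, y in zip(key32, stream))
    return ct + hmac.new(r2, b"tag" + ct, hashlib.sha256).digest()

def unwrap(r2, blob):
    """Reverse wrap(); raises ValueError if blob was not wrapped under r2."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(r2, b"tag" + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key does not match R2")
    stream = hmac.new(r2, b"wrap", hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(ct, stream))

class WalletTA:
    """Simulated TEE-side TA (hypothetical name); the REE only calls public_key() and sign()."""
    def __init__(self):
        r1 = secrets.token_bytes(32)                                 # S601: 256-bit R1
        d = int.from_bytes(hashlib.sha256(r1).digest(), "big")       # S602: key = SHA256(R1)
        d = d % (N - 1) + 1      # added here: keep the scalar in [1, N-1]
        self._pub = point_mul(d, G)
        self._r2 = secrets.token_bytes(32)                           # S603: random password R2
        self._blob = wrap(self._r2, d.to_bytes(32, "big"))           # store R2 + encrypted key

    def public_key(self):
        return self._pub

    def sign(self, digest):
        d = int.from_bytes(unwrap(self._r2, self._blob), "big")      # S701: decrypt with R2
        z = int.from_bytes(digest, "big")
        while True:                                                  # S702: ECDSA signature
            k = secrets.randbelow(N - 1) + 1
            r = point_mul(k, G)[0] % N
            s = pow(k, -1, N) * (z + r * d) % N
            if r and s:
                break
        self._r2 = secrets.token_bytes(32)                           # S703: new R2
        self._blob = wrap(self._r2, d.to_bytes(32, "big"))           # S704/S705: rewrap, store
        return (r, s)

def verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def ree_send(ta, tx):
    """S401-S405: the CA hashes the transaction, the TA signs, the CA builds the packet."""
    digest = hashlib.sha256(tx).digest()
    return {"tx": tx, "pub": ta.public_key(), "sig": ta.sign(digest)}

def receive(packet):
    """S501-S504: recompute the digest and check the signature; False means discard."""
    digest = hashlib.sha256(packet["tx"]).digest()
    return verify(packet["pub"], digest, packet["sig"])

if __name__ == "__main__":
    ta = WalletTA()
    pkt = ree_send(ta, b"from=A;to=B;amount=100")   # constructed sample transaction
    print("accepted:", receive(pkt))
```

Because the scheme stores R2 next to the wrapped key, rotation only limits how long one captured (R2, blob) pair stays useful; confidentiality of both still rests on the TEE's storage.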
The method provided by the above embodiments uses the trusted execution environment of the TrustZone architecture to protect the private key. To a certain extent, this addresses the security risks of creating, storing and using a private key in an untrusted environment, and improves the security of transaction data and other kinds of data in blockchain application scenarios.
Refer to FIG. 8, which is a structural schematic diagram of a computer system provided in this embodiment. The computer system can be a terminal device. As shown, the computer system includes a communication module 510, a sensor 520, a user input module 530, an output module 540, a processor 550, an audio/video input module 560, a memory 570 and a power supply 580.
Communication module 510 may include at least one module that enables communication between the computer system and a communication system or other computer systems. For example, communication module 510 may include one or more of a wired network interface, a broadcast receiving module, a mobile communication module, a wireless Internet module, a local area communication module and a position (or positioning) information module. These modules have many implementations in the prior art, which this application does not describe one by one.
Sensor 520 can sense the current state of the system, such as its open/closed state, its position, whether it is in contact with the user, its direction, and its acceleration/deceleration, and sensor 520 can generate sensing signals for controlling the operation of the system.
User input module 530 is used to receive input digital information, character information, or contact touch operations/contactless gestures, and to receive signal input related to the user settings and function control of the system. User input module 530 includes a touch panel and/or other input devices.
Output module 540 includes a display panel for displaying information input by the user, information provided to the user, the various menu interfaces of the system, and so on. Optionally, the display panel can be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) or the like. In some other embodiments, a touch panel can cover the display panel to form a touch display screen. In addition, output module 540 can also include an audio output module, an alarm, a haptic module and so on.
Audio/video input module 560 is used to input audio signals or video signals. Audio/video input module 560 may include a camera and a microphone.
Power supply 580 can receive external power and internal power under the control of processor 550, and provide the power needed for the operation of each component of the system.
Processor 550 may include one or more processors. For example, processor 150 may include one or more central processing units, or a central processing unit and a graphics processor. When processor 150 includes multiple processors, these processors can be integrated on the same chip or can each be an independent chip. One processor may include one or more physical cores, where a physical core is the smallest processing module.
Memory 570 stores computer programs, which include an operating system program 572, an application program 571 and so on. Typical operating systems include those used for desktop or notebook computers, such as Windows from Microsoft and MacOS from Apple Inc., and those used for mobile terminals, such as the Android-based system developed by Google. The method provided by the foregoing embodiments can be implemented in software and can be regarded as a specific implementation of application program 571.
Memory 570 can be one or more of the following types: flash memory, hard disk type memory, micro multimedia card type memory, card type memory (such as SD or XD memory), random access memory (RAM), static random access memory (static RAM, SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (programmable ROM, PROM), magnetic memory, magnetic disk or optical disc. In some other embodiments, memory 570 can also be a network storage device on the Internet, and the system can perform operations such as updating or reading on memory 570 over the Internet.
Processor 550 is used to read the computer programs in memory 570 and then execute the methods that the computer programs define. For example, processor 550 reads operating system program 572 to run the operating system on the system and implement its various functions, or reads one or more application programs 571 to run applications on the system.
In addition to computer programs, memory 570 also stores other data 573, such as the blocks, private keys, transaction data and random numbers involved in this application.
The connection relationship of the modules in FIG. 8 is only an example. The method provided by any embodiment of this application can also be applied in terminal devices with other connection types, for example with all modules connected by a bus.
It should be noted that the method provided in this embodiment can also be applied to computer devices that are not terminals, such as cloud servers.
It should be noted that the division into modules or units proposed in the foregoing embodiments is shown only as an example, and the functions of the described modules are merely illustrative; this application is not limited to them. Those of ordinary skill in the art can merge the functions of two or more modules as needed, or split the function of one module to obtain more, finer-grained modules, along with other variations.
The same or similar parts of the embodiments described above can be referred to one another. Unless otherwise specified, "multiple" in this application means two or more, or "at least two".
The apparatus embodiments described above are merely exemplary. The modules described as separate parts may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they can be located in one place or distributed across multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided by the invention, the connection relationship between modules indicates that they have a communication connection, which can be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only some specific embodiments of this application, but the protection scope of this application is not limited to them.
Claims (11)
1. A computer system, characterized in that a rich execution environment (REE) and a trusted execution environment (TEE) are deployed in the computer system, the computer system is further deployed with a blockchain functional unit based on blockchain technology, and the private key management module and the transaction data processing module of the blockchain functional unit are deployed in the TEE, wherein:
the private key management module is configured to create a private key and store the private key in the TEE;
the transaction data processing module is configured to encrypt, using the private key, the digest data involved in the blockchain functional unit.
2. The computer system according to claim 1, characterized in that the private key management module is specifically configured to encrypt the private key before storing it, so that the stored private key is the encrypted private key.
3. The computer system according to claim 2, characterized in that the private key management module is specifically configured to: encrypt the private key with a password, the password being updated when a condition is met or updated periodically; after the update, encrypt the private key again with the new password; and store the private key encrypted with the new password.
4. The computer system according to claim 3, characterized in that the private key management module is specifically configured to update the password after the encryption of the digest data with the private key has been performed once.
5. The computer system according to claim 3 or 4, characterized in that the password is a random number generated by a hardware random number generator.
6. A method for managing a private key in blockchain technology, characterized in that the method is applied to a computer system in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed, a blockchain functional unit is further deployed in the computer system, and the method comprises: creating, in the TEE, the private key involved in the blockchain functional unit, and storing the private key on the TEE side;
encrypting, on the TEE side and using the private key, the digest data involved in the blockchain functional unit.
7. The method according to claim 6, characterized in that, before storing the private key, the method further comprises: encrypting the private key, so that the stored private key is the encrypted private key.
8. The method according to claim 7, characterized in that encrypting the private key and storing the encrypted private key comprises:
encrypting the private key with a password, the password being updated when a condition is met or updated periodically; after the update, encrypting the private key again with the new password; and storing the private key encrypted with the new password.
9. The method according to claim 8, characterized in that updating the password when a condition is met comprises: updating the password after the encryption of the digest data with the private key has been performed once.
10. A computer system, characterized in that the computer system comprises a memory and a processor, the memory being used to store a computer program and the processor being used to read and execute the computer program to implement the method according to any one of claims 6-9.
11. A blockchain system, characterized in that the blockchain system comprises the computer system according to claim 10.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810458967.2A CN110492990B (en) | 2018-05-15 | 2018-05-15 | Private key management method, device and system under block chain scene |
PCT/CN2019/086111 WO2019218919A1 (en) | 2018-05-15 | 2019-05-09 | Private key management method and apparatus in blockchain scenario, and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810458967.2A CN110492990B (en) | 2018-05-15 | 2018-05-15 | Private key management method, device and system under block chain scene |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110492990A (en) | 2019-11-22 |
CN110492990B (en) | 2021-10-15 |
Family
ID=68539534
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810458967.2A Active CN110492990B (en) | 2018-05-15 | 2018-05-15 | Private key management method, device and system under block chain scene |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110492990B (en) |
WO (1) | WO2019218919A1 (en) |
Also Published As
Publication number | Publication date |
---|---|
WO2019218919A1 (en) | 2019-11-21 |
CN110492990B (en) | 2021-10-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||