CN110492990A - Private key management method, apparatus and system under block chain scene - Google Patents

Info

Publication number: CN110492990A
Authority: CN (China)
Prior art keywords: private key, block chain, tee, computer system, password
Legal status: Granted
Application number: CN201810458967.2A
Other languages: Chinese (zh)
Other versions: CN110492990B (en
Inventor: 文白林
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201810458967.2A (CN110492990B)
Priority to PCT/CN2019/086111 (WO2019218919A1)
Publication of CN110492990A
Application granted
Publication of CN110492990B
Legal status: Active

Classifications

    • H04L9/40 Network security protocols
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The application relates to a private key management method, apparatus and system in blockchain scenarios, and provides a computer system in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed. The computer system also hosts a blockchain functional unit based on blockchain technology, and the private key management module and the transaction data processing module of the blockchain functional unit are deployed in the TEE. The private key management module creates a private key and stores it in the TEE; the transaction data processing module uses the private key to encrypt the digest data involved in the blockchain functional unit. By creating, storing and using the private key of the blockchain scenario on the TEE side, the security of the private key is provided by the trusted execution environment of the TrustZone architecture, which to a certain extent solves the security risks a private key faces in an untrusted environment and improves the security of the blockchain system.

Description

Private key management method, apparatus and system under block chain scene
Technical field
This application relates to blockchain technology, and in particular to a method, apparatus and system for managing private keys in a blockchain.
Background art
A blockchain is a chained data structure in which data is generated and stored in units of blocks, and the blocks are linked into a chain in chronological order. All nodes jointly take part in the data verification, storage and maintenance of the blockchain system. Creating a new block requires consensus confirmation, and the new block is broadcast to every node so that the whole network is synchronized; after that it cannot be changed or deleted. Blockchain is a combined innovation of several existing technologies and mainly addresses multi-party trust and efficient collaboration. The technologies that make up a blockchain mainly include hash operations (SHA256), digital signatures, P2P (peer-to-peer) networks and consensus algorithms. Typical application scenarios of blockchain technology include cryptocurrency, finance, supply chain, the Internet of Things, and so on.
Digital signature technology is used to guarantee the security of data transmission to a certain extent. Take the cryptocurrency scenario as an example: the block of each node stores currency transaction information, which includes one or more transactions; one transaction is, for example, the address of wallet A transferring 100 digital coins (such as bitcoin) to the address of wallet B. Before transaction information is transmitted between nodes, a hash operation is performed on the transaction to obtain its digest, the digest is encrypted with the sender's private key, and the encrypted digest and the transaction data (or encrypted transaction data) are sent to the recipient. The recipient decrypts the received digest ciphertext with the corresponding public key to obtain digest a, performs a hash operation on the received transaction data to obtain digest b, and compares digest a with digest b; the currency transaction information is determined to be safe only when digest a and digest b are identical. Digital signature technology can thus guarantee the integrity of transmitted information while authenticating the sender's identity, which prevents repudiation of transactions. However, how to keep the private key secure during the digital signature process, so that the sender's private key is not obtained by a malicious third party, is a problem that urgently needs solving in the blockchain field.
The most common private key management approach at present is to escrow the private key on a service provider's server; before using the private key, the user logs in to the server with an account and performs the relevant operations there. This approach has several defects: if the server is attacked by hackers or has other vulnerabilities, the private key is easily leaked or lost; the user account may also be stolen; browser vulnerabilities can affect the security of the account while the user accesses the server; and man-in-the-middle attacks and HTTPS certificate hijacking during network transmission are also common security risks. Another approach is for the blockchain node device to create and store the private key itself. The security design of most cryptocurrency wallets today relies entirely on the security boundary of the operating system: private keys are still stored and processed encrypted with a fixed key, or even saved directly in plaintext, relying entirely on the operating system's security boundary to prevent unauthorized access. But Android, iOS, Windows and Linux all have a large number of system security vulnerabilities disclosed and fixed every year, and many of these are local privilege escalation vulnerabilities. Exploiting these privilege escalation vulnerabilities can easily break the security boundary of the operating system and yield the ability to access the private key.
Summary of the invention
This application provides a private key management method, apparatus and system that can be applied in blockchain-related application scenarios to improve the security of the private key and thereby the security of the information stored in the blockchain.
Several aspects of this application are described below. Identical or similar parts in the implementations of these aspects may be cross-referenced.
In a first aspect, this application provides a computer system in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed. The computer system also hosts a blockchain functional unit based on blockchain technology, such as digital wallet software. The private key management module and the transaction data processing module of the blockchain functional unit are deployed in the TEE. The private key management module is used to create a private key and store the private key in the TEE. The transaction data processing module is used to encrypt, with the private key, the digest data involved in the blockchain functional unit.
In some implementations the digest data is generated in the TEE; in other implementations the digest data is generated in the REE, and the REE then sends the digest data to the TEE.
In some implementations, the private key management module is specifically used to encrypt the private key before storing it, so that the stored private key is an encrypted private key.
In some implementations, the private key management module is specifically used to encrypt the private key with a password. The password is updated when a condition is met or updated periodically; after the update, the private key is encrypted again with the new password, and the private key encrypted with the new password is stored.
In some implementations, the update condition of the password includes one encryption of the digest data having been performed.
In some implementations, the password is a random number generated by a hardware random number generator. In other implementations, the random number may also be generated by a software random number generator.
In a second aspect, this application provides a private key management method applied in blockchain scenarios. The method is applied to a computer system, such as a terminal device, in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed. A blockchain functional unit, such as digital wallet software, is also deployed in the computer system. The method includes: creating, in the TEE, the private key involved in the blockchain functional unit, and storing the private key on the TEE side; and encrypting, on the TEE side and with the private key, the digest data involved in the blockchain functional unit.
In some implementations the digest data is generated on the TEE side; in other implementations the digest data is generated on the REE side and sent to the TEE so that it can be encrypted on the TEE side.
In some implementations, before the private key is stored the method further includes encrypting the private key. It is easy to understand that after encryption what is stored is not the original private key but the encrypted private key, which must first be decrypted before its next use.
In some implementations, encrypting the private key and storing the encrypted private key includes: encrypting the private key with a password, where the password is updated when a condition is met or updated periodically; after the update, encrypting the private key again with the new password; and storing the private key encrypted with the new password.
In some implementations, updating the password when a condition is met includes: updating the password after the private key has been used to perform one encryption of the digest data.
In some implementations, periodically updating the password includes: updating the password at fixed intervals, and re-encrypting and storing the private key.
In some implementations, the password is a random number generated by a hardware random number generator. In other implementations, the random number may also be generated by a software random number generator.
In a third aspect, this application provides a computer system comprising a memory and a processor, where the memory is used to store a computer program and the processor is used to read and execute the computer program to implement the method provided by any of the foregoing implementations.
In a fourth aspect, this application provides a blockchain system that includes the computer system provided by any aspect of this application. The computer system may be a terminal device or another type of computer system.
It can be seen that the private key management method, apparatus and system provided by this application create, store and use the private key involved in blockchain scenarios on the TEE side, with the trusted execution environment of the TrustZone architecture providing the security of the private key. This solves, to a certain extent, the security risks a private key faces in an untrusted environment and improves the security of the blockchain system. Furthermore, the private key is encrypted when it is stored, which further ensures security. Moreover, the password that encrypts the private key changes periodically or when triggered by a condition, so the password is more secure and the private key is in turn more secure.
Brief description of the drawings
To describe the technical solutions provided by this application more clearly, the drawings are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application.
Fig. 1a is a schematic diagram of the network architecture of a blockchain scenario;
Fig. 1b is a schematic diagram of the system architecture of a terminal device;
Fig. 2 is a schematic diagram of the interaction flow between a CA and a TA;
Fig. 3 is a schematic diagram of the function deployment of digital wallet software;
Fig. 4 is a schematic diagram of the processing flow of the transaction data sender in digital wallet software;
Fig. 5 is a schematic diagram of the processing flow of the transaction data recipient in digital wallet software;
Fig. 6 is a schematic flowchart of the private key creation method;
Fig. 7 is a schematic flowchart of the private key encryption method;
Fig. 8 is a schematic structural diagram of a computer system.
Detailed description of the embodiments
Demand for terminal devices to handle critical services keeps growing. From paying for, downloading and watching the latest Hollywood blockbuster within a particular window, to paying bills and managing bank accounts remotely from a mobile phone, these trends have made terminal devices a prime target for attacks by malware, Trojans, rootkits and similar threats. To guarantee the security of terminal devices, terminal device security frameworks represented by TrustZone have emerged. Under the existing TrustZone framework, system-level security is obtained by dividing the software and hardware resources of the system on chip (SoC) into two worlds, the normal world and the secure world (which may also be called the secure domain and the non-secure domain); the two worlds correspond to the rich execution environment (REE) and the trusted execution environment (TEE) respectively. The TEE and the REE run on the same device. The TEE guarantees that sensitive data is stored, processed and protected in a trusted environment, and provides a secure execution environment for authorized trusted applications (TAs). However, the management and use of private keys on mobile terminals in blockchain scenarios is based on the REE, and because the REE has a large attack surface its security is not high. Once private key management and use are moved into the TEE, the question of how private key creation and use and the digital signature process in the TEE interact between the REE and the TEE has to be solved.
Fig. 1a is a schematic diagram of the network architecture of a blockchain scenario to which the key management method provided by this embodiment applies. The blockchain system is a peer-to-peer, decentralized network structure formed by multiple terminal devices. Each terminal device can be regarded as a node of the blockchain. The car in the figure represents a vehicle-mounted terminal device.
Fig. 1b is a schematic diagram of the system architecture of any one terminal device in Fig. 1a. The terminal device includes an REE and a TEE, which respectively run an REE-side operating system and a TEE-side operating system (such as the open-source OP-TEE operating system). The REE-side operating system and the TEE OS are each further divided into user mode and kernel mode. A CA (client application) in the REE and a TA in the TEE form a client/server-like architecture, with the TA as the server and the CA as the client. Access is initiated by the CA, and the two exchange data through a message channel at the hardware layer; after issuing a request, the CA suspends and waits for the TA to return a result. Developing a CA requires calling the TEE client API (application program interface) to communicate with the corresponding TA; a TA needs to call the TEE internal API to use the programming resources provided by the TEE to implement its functions.
A typical CA and TA interaction flow is shown in Fig. 2:
S201: The CA first performs the necessary context initialization. The specific command is TEEC_InitializeContext.
S202: A session is opened by specifying the path (ta_path) where the TA file is located. The specific command is TEEC_OpenSession(ta_path).
S203: After the session is established successfully, a session handle is returned (Return SessionHandle). At this point the TA is running in the TEE, waiting to receive commands from the CA.
S204: The CA sends a command. The underlying interface invokes the SMC (secure monitor call) instruction, which triggers the processor to switch to secure mode and passes the command to the TA in the TEE for processing (via shared memory). The specific command is TEEC_InvokeCommand(cmd).
S205: After processing the command, the TA returns the result (Return result) to the CA, and the processor switches back to non-secure mode.
It should be noted that the processor also has a monitor mode between secure mode and non-secure mode. During a switch, the processor first switches from secure mode to monitor mode and then to non-secure mode, and vice versa. For the more detailed switching procedure, refer to the prior art; it is not described here.
In the prior art, when a blockchain-based application is implemented on a mobile device, both the private key management module and the data processing module of the application are implemented in the REE. The private key management module is used to create and store private/public keys; the data processing module is used to perform hash operations, digital signatures, digest comparison and similar processing on data, in order to identify whether data has been tampered with and to verify the sender's identity information.
Taking digital wallet software as an example and referring to Fig. 3, it mainly includes 5 modules: user management module 301, asset management module 302, key management module 305, transaction data processing module 304 and network management module 303. The user management module 301 authenticates the username and password when a user logs in. The asset management module 302 is used to view digital asset information and make transfers to third parties. The network management module 303 is used to connect to the network and to send and receive network data packets. The key management module is used to create and store private and public keys. The transaction data processing module 304 performs hash operations and digital signature processing on outgoing transaction data; for incoming transaction data it also compares the transaction digest data, to identify whether the transaction data has been tampered with and to verify the sender's identity information, and so on. As shown in Fig. 3, this embodiment places the digital signature function of the transaction data processing module (corresponding to transaction data processing module 304_B) and the key management module 305 on the TEE side, while the other functions (corresponding to transaction data processing module 304_A) and the other modules remain on the REE side.
In this embodiment, digital wallet software that was originally implemented only on the REE side is instead implemented jointly by the REE side and the TEE side. The digital wallet software implements the functions of the aforementioned key management module and transaction data processing module on the TEE side through one or more TAs; the functions of the other modules can be implemented on the REE side through one or more CAs.
It should be noted that in this embodiment the 4 modules on the REE side are implemented by one CA and the 2 modules on the TEE side are implemented by one TA; in other embodiments, different functional modules may also be implemented by multiple CAs or TAs. In addition, the module division is only an example, and this application is not limited to it.
Fig. 4 describes the processing flow of transaction data, taking wallet A paying 100 digital coins to wallet B as an example. This embodiment involves REE-side modules calling TEE-side modules; for that process, refer to the CA-calls-TA process described above. The specific call procedure is not described again.
S401: Wallet A (which can also be understood as terminal device A) performs a hash operation on the transaction data on the REE side using the SHA256 algorithm, generating a 256-bit transaction digest. The transaction data includes the address information of wallet A, the address information of wallet B and the payment amount information. The transaction data may take the form of a character string.
S402: Wallet A then sends the transaction digest to the TA on the TEE side through the data channel between the CA and the TA. Specifically, the REE-side CA calls the TEEC_InvokeCommand(cmd) function to send the transaction digest data, where cmd is the SEND_DIGEST command.
Taking Fig. 3 as an example, steps S401 and S402 can be performed by transaction data processing module 304_A.
S403: The TEE-side TA encrypts the transaction digest using wallet A's private key and the elliptic curve digital signature algorithm (Elliptic Curve Digital Signature Algorithm, ECDSA), generating a digital signature (also called signature data) of less than 320 bits.
S404: The TEE-side TA returns the signature data and wallet A's public key to the REE-side CA. Wallet A's public key and private key are both created by the TA on the TEE side. They are created before use, but this embodiment does not limit exactly when: for example, the public key may be created immediately after the private key is created, or only just before it is returned to the REE side. Wallet A's public key can be derived from wallet A's private key and the ECDSA algorithm.
Taking Fig. 3 as an example, steps S403 and S404 can be performed by transaction data processing module 304_B.
S405: After the REE-side CA obtains the public key and the signature data, it packs the transaction data, the public key and the signature data together into one network data packet and sends it to the network management module. The network management module broadcasts the packet to the other blockchain nodes across the network.
Taking Fig. 3 as an example, step S405 can be performed by transaction data processing module 304_A.
Continuing from Fig. 4, Fig. 5 shows the processing flow after wallet B (which can also be understood as terminal device B) receives the network data packet. Other nodes process the packet in a similar way after receiving it, which is not described again.
S501: The CA parses out three pieces of data: the transaction data, the public key and the signature data.
S502: The CA calls the SHA256 algorithm to perform a hash operation on the transaction data, obtaining 256-bit digest data.
S503: The CA calls the ECDSA signature verification algorithm to decrypt the signature data, obtaining the original transaction digest data.
S504: Compare whether the digest data produced in S502 and S503 are equal. If they are equal, the transaction data has not been tampered with and this transaction data is accepted; otherwise the transaction data is discarded.
The creation and storage of the private key is a critical link in the transaction data processing flow above: if the private key is leaked, the security of the transaction data cannot be guaranteed. Fig. 6 is a schematic flowchart of the TA creating a private key as provided by this application; it can also be understood as the flowchart of the private key management module creating a private key.
S601: The TA calls a random number generator to generate a 256-bit random number R1. Specifically, the random number generator is a hardware random number generator or a software random number generator; the randomness of a hardware random number generator is usually better, and the resulting security is higher. Both kinds of generator are existing technology: a software random number generator is a software functional unit and a hardware random number generator is a piece of hardware. Their implementations are prior art that this embodiment simply calls, so they are not described here.
S602: A hash operation is performed on the random number R1 using a hash algorithm to obtain a 256-bit private key. The hash algorithm may be the SHA (Secure Hash Algorithm) 256 algorithm.
S603: The private key obtained in S602 is encrypted using another random number R2 (which can also be understood as a random password, password or key). The encryption algorithm may be the AES (Advanced Encryption Standard) 256 algorithm or another encryption algorithm; this embodiment does not limit it. The other random number can be generated by calling the aforementioned random number generator or another random number generator.
S603: The value of R2 and the encrypted key are stored.
In order to improve further security, the value of the R2 in the present embodiment can be updated.After R2 updates, first to adding Code key after close executes corresponding decipherment algorithm, then with new value re-encrypted private key.
Refer to FIG. 7, which is a flow diagram of updating the random number R2.
S701: With reference to Fig. 4, after receiving the transaction summary, the TA uses the currently stored value of R2 to decrypt the currently stored key.
S702: The TA encrypts the transaction summary using the decrypted key to obtain the signed data.
S703: The random number generator is triggered to generate a new random number, which becomes the value of R2.
S704: The private key is re-encrypted using the updated R2.
S705: The re-encrypted private key and the new R2 are stored.
In the implementation illustrated in Fig. 7, R2 is updated after a digital signature has been executed (S702). In other embodiments, R2 may also be updated periodically, for example once every 3 seconds, or by combining periodic updates with the approach shown in Fig. 7, or by another update method determined according to demand.
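The key creation flow (S601 to S603) and the sign-then-rotate flow (S701 to S705) can be exercised end to end with the following added example, which is not code from the patent. It runs in plain Node.js rather than inside a TEE; the `teeStore` object, the function names, the choice of AES-256-GCM as the AES-256 mode and the P-256 curve for ECDSA are all assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for TEE secure storage (holds R2 and the encrypted key).
const teeStore = { r2: null, blob: null };

// Encrypt the private key under R2. AES-256-GCM is this example's choice of mode.
function wrap(priv, r2) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', r2, iv);
  const ct = Buffer.concat([c.update(priv), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypt; throws if R2 is wrong or the stored blob was modified.
function unwrap(blob, r2) {
  const d = crypto.createDecipheriv('aes-256-gcm', r2, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]);
}

// Build an ECDSA signing key from the 32-byte scalar (P-256 is an assumption).
function toPrivateKey(priv) {
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.setPrivateKey(priv);            // throws if the scalar is not valid for the curve
  const pub = ecdh.getPublicKey();     // uncompressed point: 0x04 || X || Y
  const b64 = (b) => b.toString('base64url');
  const jwk = { kty: 'EC', crv: 'P-256', d: b64(priv),
                x: b64(pub.subarray(1, 33)), y: b64(pub.subarray(33, 65)) };
  return crypto.createPrivateKey({ key: jwk, format: 'jwk' });
}

// S601-S603: R1 -> SHA-256 -> private key, encrypted under R2, both stored.
function createKey() {
  const r1 = crypto.randomBytes(32);                             // S601: 256-bit R1
  const priv = crypto.createHash('sha256').update(r1).digest();  // S602
  const publicKey = crypto.createPublicKey(toPrivateKey(priv));
  teeStore.r2 = crypto.randomBytes(32);                          // S603: R2
  teeStore.blob = wrap(priv, teeStore.r2);                       // store R2 + ciphertext
  r1.fill(0); priv.fill(0);                                      // best-effort wipe
  return publicKey;                                              // only this leaves the "TEE"
}

// S701-S705: decrypt with current R2, sign, draw a new R2, re-encrypt, store.
function signAndRotate(tx) {
  const priv = unwrap(teeStore.blob, teeStore.r2);               // S701
  // crypto.sign hashes tx with SHA-256 (the transaction summary) and signs it.
  const sig = crypto.sign('sha256', tx, toPrivateKey(priv));     // S702
  const newR2 = crypto.randomBytes(32);                          // S703
  const newBlob = wrap(priv, newR2);                             // S704
  priv.fill(0); teeStore.r2.fill(0);                             // best-effort wipe
  teeStore.r2 = newR2; teeStore.blob = newBlob;                  // S705
  return sig;
}

// Verifier side (S503/S504): recompute the summary and check the signature.
function verifyTx(tx, sig, publicKey) {
  return crypto.verify('sha256', tx, publicKey, sig);
}
```

Because R2 and the ciphertext are stored together, the confidentiality of the private key still rests on the TEE storage itself; the rotation limits how long any single captured value of R2 stays useful.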
The method provided by the above embodiments uses the trusted execution environment of the TrustZone architecture to provide security for the private key. To a certain extent, it can solve the security risks brought by creating, storing and using the private key in an untrusted environment, and it improves the security of transaction data or other types of data in block chain application scenarios.
Refer to FIG. 8, which is a structural schematic diagram of a computer system provided in this embodiment. The computer system may be a terminal device. As shown, the computer system includes a communication module 510, a sensor 520, a user input module 530, an output module 540, a processor 550, an audio-video input module 560, a memory 570 and a power supply 580.
Communication module 510 may include at least one module that enables communication between the computer system and a communication system or other computer systems. For example, communication module 510 may include one or more of a wired network interface, a broadcast reception module, a mobile communication module, a wireless Internet module, a local area communication module, and a position (or positioning) information module. There are many implementations of these modules in the prior art, and the application does not describe them one by one.
Sensor 520 can sense the current state of the system, such as its open/closed state, position, whether it is in contact with the user, direction, and acceleration/deceleration, and sensor 520 can generate a sensing signal for controlling the operation of the system.
User input module 530 is used to receive input digital information, character information, or contact touch operations/contactless gestures, and to receive signal input related to the user settings and function control of the system. User input module 530 includes a touch panel and/or other input devices.
Output module 540 includes a display panel for displaying information input by the user, information provided to the user, or the various menu interfaces of the system. Optionally, the display panel may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), or the like. In some other embodiments, the touch panel may cover the display panel to form a touch display screen. In addition, output module 540 may also include an audio output module, an alarm device, a tactile module, and the like.
Audio-video input module 560 is used to input audio signals or video signals. Audio-video input module 560 may include a camera and a microphone.
Power supply 580 can receive external power and internal power under the control of processor 550 and provide the power needed for the operation of each component of the system.
Processor 550 may include one or more processors; for example, processor 150 may include one or more central processing units, or a central processing unit and a graphics processor. When processor 150 includes multiple processors, these processors may be integrated on the same chip or may each be an independent chip. A processor may include one or more physical cores, where a physical core is the smallest processing module.
Memory 570 stores computer programs, which include an operating system program 572, application programs 571, and so on. Typical operating systems include Windows from Microsoft and MacOS from Apple, which are used for desktop or notebook computers, and systems used for mobile terminals, such as the Android-based system developed by Google. The method provided by the foregoing embodiments can be implemented in software and can be regarded as a specific implementation of application program 571.
Memory 570 can be one or more of the following types: flash memory, hard disk type memory, multimedia micro card type memory, card type memory (such as SD or XD memory), random access memory (RAM), static random access memory (static RAM, SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (programmable ROM, PROM), magnetic memory, magnetic disk or optical disk. In some other embodiments, memory 570 may also be a network storage device on the Internet, and the system can perform operations such as updating or reading on the memory 570 on the Internet.
Processor 550 is used to read the computer program in memory 570 and then execute the method defined by the computer program. For example, processor 550 reads operating system program 572 to run the operating system on the system and implement the various functions of the operating system, or reads one or more application programs 571 to run applications on the system.
In addition to computer programs, memory 570 also stores other data 573, such as the blocks, private keys, transaction data and random numbers involved in the application.
The connection relationship of the modules in Fig. 8 is only an example. The method provided by any embodiment of the application can also be applied in terminal devices with other connection types, for example with all modules connected by a bus.
It should be noted that the method provided in this embodiment can also be applied to non-terminal computer equipment, such as a cloud server.
It should be noted that the division of modules or units proposed in the foregoing embodiments is shown only as an example, and the functions of the described modules are merely illustrative; the application is not limited thereto. Those of ordinary skill in the art may merge the functions of two or more modules as required, or split the function of one module to obtain more, finer-grained modules, as well as other variations.
The same or similar parts of the embodiments described above may be referred to each other. Unless otherwise specified, "multiple" in this application means two or more, or "at least two".
The apparatus embodiments described above are merely exemplary. The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided by the invention, a connection relationship between modules indicates that there is a communication connection between them, which may be specifically implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only some specific embodiments of the application, but the protection scope of the application is not limited thereto.

Claims (11)

1. A computer system, characterized in that a rich execution environment (REE) and a trusted execution environment (TEE) are deployed in the computer system, the computer system is also deployed with a block chain functional unit based on block chain technology, and the private key management module and the transaction data processing module of the block chain functional unit are deployed in the TEE, wherein
the private key management module is used to: create a private key, and store the private key in the TEE;
the transaction data processing module is used to: execute encryption, using the private key, on the summary data involved in the block chain functional unit.
2. The computer system according to claim 1, characterized in that the private key management module is specifically used to: execute encryption on the private key before storing the private key, wherein the stored private key is the encrypted private key.
3. The computer system according to claim 2, characterized in that the private key management module is specifically used to: execute encryption on the private key using a password, the password being updated when a condition is met or updated periodically; after the update, execute encryption on the private key again using the new password, and store the private key encrypted with the new password.
4. The computer system according to claim 3, characterized in that the private key management module is specifically used to: update the password after encryption of the summary data has been executed once using the private key.
5. The computer system according to claim 3 or 4, characterized in that the password is a random number generated by a hardware random number generator.
6. A method for managing a private key in block chain technology, characterized in that the method is applied to a computer system in which a rich execution environment (REE) and a trusted execution environment (TEE) are deployed, a block chain functional unit also being deployed in the computer system, the method comprising: creating, in the TEE, the private key involved in the block chain functional unit, and storing the private key on the TEE side; and executing, on the TEE side, encryption on the summary data involved in the block chain functional unit using the private key.
7. The method according to claim 6, characterized in that, before storing the private key, the method further comprises: executing encryption on the private key, the stored private key then being the encrypted private key.
8. The method according to claim 7, characterized in that executing encryption on the private key and storing the encrypted private key comprises:
executing encryption on the private key using a password, the password being updated when a condition is met or updated periodically; after the update, executing encryption on the private key again using the new password, and storing the private key encrypted with the new password.
9. The method according to claim 8, characterized in that updating the password when a condition is met comprises: updating the password after encryption of the summary data has been executed once using the private key.
10. A computer system, characterized in that the computer system includes a memory and a processor, the memory being used to store a computer program, and the processor being used to read and execute the computer program to implement the method according to any one of claims 6-9.
11. A block chain system, characterized in that the block chain system includes the computer system according to claim 10.
CN201810458967.2A 2018-05-15 2018-05-15 Private key management method, device and system under block chain scene Active CN110492990B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810458967.2A CN110492990B (en) 2018-05-15 2018-05-15 Private key management method, device and system under block chain scene
PCT/CN2019/086111 WO2019218919A1 (en) 2018-05-15 2019-05-09 Private key management method and apparatus in blockchain scenario, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810458967.2A CN110492990B (en) 2018-05-15 2018-05-15 Private key management method, device and system under block chain scene

Publications (2)

Publication Number Publication Date
CN110492990A true CN110492990A (en) 2019-11-22
CN110492990B CN110492990B (en) 2021-10-15

Family

ID=68539534

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810458967.2A Active CN110492990B (en) 2018-05-15 2018-05-15 Private key management method, device and system under block chain scene

Country Status (2)

Country Link
CN (1) CN110492990B (en)
WO (1) WO2019218919A1 (en)

Also Published As

Publication number Publication date
WO2019218919A1 (en) 2019-11-21
CN110492990B (en) 2021-10-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant