CN110858246A

CN110858246A - Authentication method and system of security code space, and registration method thereof

Info

Publication number: CN110858246A
Application number: CN201810972864.8A
Authority: CN
Inventors: 肖鹏; 付颖芳
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2018-08-24
Filing date: 2018-08-24
Publication date: 2020-03-03
Anticipated expiration: 2038-08-24
Also published as: CN110858246B

Abstract

The invention discloses an authentication method and system of a security code space and a registration method thereof. Wherein, the method comprises the following steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space. The invention solves the technical problem of insufficient security of Enclave in the prior art.

Description

Authentication method and system of security code space, and registration method thereof

Technical Field

The invention relates to the field of computers, in particular to an authentication method and system of a security code space and a registration method thereof.

Background

The Intel SGX is an extension of the Intel instruction architecture (ISA), and primarily provides instructions for creating an Enclave of a trusted execution environment. The user mode application can be executed safely in Enclave without being attacked by malicious OS, hypervisor (VM). SGX uses processor-provided instructions to partition a portion of memory (i.e., EPC) and map Enclave in the application address space to this portion of memory. The memory area is encrypted, and encryption and address conversion are carried out through a Memory Control Unit (MCU) in the CPU.

When the processor accesses the data in the Enclave, the CPU will automatically switch to a new CPU mode, namely the Enclave mode, which will force additional hardware checks for each memory access. Because the data is placed in the EPC, in order to prevent known memory attacks (such as memory sniffing), the memory contents in the EPC are encrypted by a Memory Encryption Engine (MEE), so that the memory contents in the EPC are decrypted only when entering the CPU; and the encrypted message is returned to the EPC memory.

Enclave is a security code space used in the SGX to protect legitimate programs, and when programs corresponding to two or more different enclaves of the Local computer need to access contents in other enclaves, trusted program authentication needs to be performed on the programs, so as to ensure the security of the entire trusted execution environment TEE (also called Local security). In addition, when a program needs to use SGX, it can provide its own Enclave certificate to the authentication server, and after the authentication is passed, the SGX service is allowed to be used (i.e. Remote Attestation). This process is known as trusted program authentication (enclavetatstation).

However, in the existing local authentication scheme for trusted programs in the SGX, a program corresponding to an Enclave can access content in any other Enclave of the platform, so that the content in the sensitive Enclave is at risk of being accessed by an unauthorized program corresponding to the Enclave, and the security of the Enclave is insufficient.

Aiming at the problem of insufficient security of Enclave in the prior art, no effective solution is provided at present.

Disclosure of Invention

The embodiment of the invention provides an authentication method and system of a security code space and a registration method thereof, which at least solve the technical problem of insufficient security of Enclave in the prior art.

According to an aspect of an embodiment of the present invention, there is provided an authentication method of a secure code space, including: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

According to an aspect of an embodiment of the present invention, there is provided an authentication method of a secure code space, including: the second program acquires a second report key; the second program uses the second report key to calculate the first integral measurement value of the first security code space, and generates a second message authentication code; the second program obtains a verification result based on a second message authentication code and a first message authentication code, wherein the first message authentication code is obtained by the first program through operation on a first overall metric value of a first security code space by using a first report key; the second program returns the verification result to the first program.

According to another aspect of the embodiments of the present invention, there is also provided a method for registering a secure code space, including: determining the identity of the security code space in the process of creating the security code space; storing an authorization key of a program corresponding to the security code space into the security code space, wherein the authorization key is used for protecting an asymmetric key of the security code space created by the security chip; acquiring an integral measurement value of a security code space; encrypting the integral metric value by calling the authorization key and using the asymmetric key to obtain integral metric value information; and storing the identity identification and the integral metric value information of the security code space.

According to another aspect of the embodiments of the present invention, there is also provided a storage medium including a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to perform the following steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes the following steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

According to another aspect of the embodiments of the present invention, there is also provided an authentication system of a secure code space, including: a processor; and a memory coupled to the processor for providing instructions to the processor for processing the following processing steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

In the embodiments of the present application, the first report key corresponding to the program in the security code space is obtained, and the message authentication code is generated through the report key, so that the authentication of the security code space based on the message authentication code is realized. In the authentication method provided by the application, it can be determined that the second secure code space passes the authentication of the first secure code space only if the second program of the second secure code space passes the verification of the first message authentication code of the first secure code space.

Therefore, even if the first security code space and the second security code space belong to the same platform, if the first security code space and the second security code space are not authenticated, the content in the second security code space cannot be accessed, so that the situation that a program corresponding to unauthorized Enclave in the same platform can access the content in sensitive Enclave is avoided, and the technical problem that the security of Enclave in the prior art is insufficient is solved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:

fig. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing an authentication method of a secure code space;

FIG. 2a is a schematic diagram of a trusted program authentication scheme according to SGX;

FIG. 2b is a schematic diagram of a method for generating a Message Authentication Code (MAC);

FIG. 2c is a schematic diagram of an authentication process according to a trusted program;

FIG. 2d is a schematic diagram of a calculation of measures & Attributes;

fig. 3 is a flowchart of an authentication method of a secure code space according to embodiment 1 of the present invention;

fig. 4 is a schematic diagram of generating a first message authentication code according to embodiment 1 of the present application;

fig. 5 is a schematic diagram of program authentication according to embodiment 1 of the present application;

fig. 6 is a flowchart of a method for registering a secure code space according to embodiment 2 of the present application;

FIG. 7 is a schematic diagram of registering a secure code space according to embodiment 2 of the present application;

fig. 8 is a schematic diagram of an authentication apparatus of a secure code space according to embodiment 3 of the present application;

fig. 9 is a schematic diagram of a device for registering a secure code space according to embodiment 4 of the present application;

FIG. 10 is a flowchart of a method for authenticating a secure code space according to embodiment 5 of the present application;

fig. 11 is a schematic diagram of an authentication apparatus of a secure code space according to embodiment 6 of the present application; and

fig. 12 is a block diagram of a computer terminal according to embodiment 7 of the present invention.

Detailed Description

In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:

trusted Computing (Trusted Computing): the technology developed and popularized by the international Trusted computing group TCG uses a Trusted computing platform supported by a hardware-based security module in a computing and communication system to improve the overall security of the system.

Trusted Platform Module (TPM), Trusted Platform Model: TPM is an international standard for a secure cryptoprocessor, written by TCG, to protect hardware by integrating encryption keys into the device through a specialized microcontroller. The TPM security chip is a security chip conforming to TPM standards, and is generally bound to a computing platform by a physical mode, so that a PC can be effectively protected, and illegal users can be prevented from accessing the security chip.

Sgx (tntel Software Guard extensions): and the extension of the Intel system is used for enhancing the safety of the program. This approach does not identify and isolate all malicious programs on the platform, but encapsulates the security operations of the legitimate programs in an Enclave, protecting them from the attack of malicious programs, and the privileged or non-privileged programs cannot access the contents of the Enclave, i.e., once the programs and data are in the Enclave, even the operating system or vmm (hypervisor) cannot affect the code and data in the Enclave. The security boundary for Enclave contains only the CPU and itself. The envelope created by SGX may also be understood as a trusted execution environment tee (trusted execution environment).

Enclave: the SGX is used for protecting the security code space of a legal program and encrypting and storing the security code space, and data and codes in the Enclave cannot be acquired by a non-local Enclave program.

Measurement & Attributes: the overall metric value of Enclave includes code, data, stack, memory page, security identifier, etc., and fig. 2d is a schematic diagram for calculating measures & Attributes, where the metric for Enclave includes data and memory page. The calculation of the overall metric value can be performed according to the illustration of fig. 2d, where ECREATE \ EADD \ EEXTEND \ EINT refers to the x86cpu instruction newly added by Intel for the SGX to call; MRENCLAVE is a register space used for storing an Enclave metric value; the data chunk and chunk metadata refer to data in Enclave, and are calculated in blocks when a hash value is calculated; the page metadata refers to a page layout element of Enclave in the memory, wherein MRENCLAVE is used to store the final metric value.

Shared Authentication Key: and an authorization key, which is proposed by the application and is prestored in the Enclose, and cannot be accessed by any other program (including the OS). The contents in multiple enclaves with the same authorization key can only access each other, that is, the enclaves of both parties of the locally certified trusted program need to include the same authorization key (which is guaranteed by codes during program development). Meanwhile, the authorization key is used as an authorization key for the RSA key in the TPM, that is, the RSA key in the TPM can be used only when the authorization key is provided. Taking TPM2.0(TPM2-tools) as an example, in TPM2.0(TPM2-tools) operation:

tpm2_creat-H handle–Kauth-key–g sha256–G rsa–u pub–r priv，

wherein, Kauth-Key is an authorization Key when RSA Key is created, that is, sharedauthentiation Key herein, and when it is necessary to use the RSA Key in TPM to encrypt and decrypt, the authorization Key is provided.

TARGETINFO: the data structure of Measurement & Attributes is stored.

Enclave _ ID: each Enclave, when created, will generate a unique corresponding ID number.

TPM2_ rsaencypt/TPM2_ rsadderypt: the encryption and decryption operation is carried out by using the RSA public Key corresponding to the Shared Authentication Key in the TPM, the operation can be carried out in the TPM security chip, and the RSA Key cannot appear outside the TPM security chip, so that the security of the Key is ensured.

Owner's Epoch: when the SGX server is started, the 128-bit value loaded into two MSRs (Model Specific Registers, which are a set of 64-bit Registers of the CPU) of sgxownrepoch 0 and sgxownrepoch 1 may be defined by the user, and when the SGX server is started, the value is maintained and the full platform is shared.

Platform Specific Info: platform-related information, for example, SVM (Security Version Number), CPUSVN (Central Processing Unit SVN, CPU Security Version Number), ISVSVN (Independent Software vendor Security Version Number), and the like.

Processor's Fused Seal Key: the CPU is internally provided with a secret key, and the secret key is burnt by Intel when the CPU chip is produced.

AES-CMAC Key derivation: the Key generation algorithm has the input of Owner's Epoch, platformSpecific Info, Processor's Fused Seal Key and Enclave's measures & Attributes and the output of 128-bit symmetric Key.

128-bitSymmetric Key: the result of the Key generation algorithm is used directly as a Report Key in the original SGX prior art authentication method.

Report Key: the Report Key in the application is not a 128-bit Symmetric Key, but a result obtained by encrypting the 128-bit Symmetric Key in the previous step by using RSA is used as the Report Key of Enclave, and the Report Key has the following two effects that a, the Symmetric Key is encrypted and protected; b. the Report Key can be updated, the forward/backward safety of the Key is ensured, and even one-time pad can be realized.

AES-CMAC: AES Cipher-based Message Authentication Code algorithm, Message Authentication signature algorithm based on AES encryption algorithm.

MAC: message Authentication Code, using AES-CMAC algorithm.

Example 1

There is also provided, in accordance with an embodiment of the present invention, an embodiment of a method for authentication of a secure code space, it being noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.

The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing an authentication method of a secure code space. As shown in fig. 1, computer terminal 20 (or mobile device 20) may include one or more (shown as 202a, 202b, … …, 202 n) processors 202 (processor 202 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), memory 104 for storing data, and a transmission module 206 for communication functions. Besides, the method can also comprise the following steps: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 20 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.

It should be noted that the one or more processors 202 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 20 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).

The memory 204 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the authentication method of the secure code space in the embodiment of the present invention, and the processor 202 executes various functional applications and data processing by running the software programs and modules stored in the memory 204, that is, implements the authentication method of the secure code space described above. Memory 204 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 204 may further include memory located remotely from the processor 202, which may be connected to the computer terminal 20 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The transmission means 206 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 20. In one example, the transmission device 206 includes a network adapter (NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 206 can be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.

The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 20 (or mobile device).

It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in fig. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 2 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.

Fig. 2a is a schematic diagram of a trusted program authentication scheme according to SGX, which is described in conjunction with fig. 2 for a prior art SGX;

(1) and the source Enclave acquires the TARGETINFO structure of the target Enclave according to the identity information of the target Enclave.

(2) The source Enclave calls the instruction ereprt (one of SGX instructions) to obtain a REPORT structure (one of SGX structures) of the source Enclave. The EREPORT instruction comprises the following steps: a. using the identity information of the source Enclave to derive a REPORT structure of the source Enclave; b. calculating a Report Key (symmetric Key) of the target Enclave by using a TARGETINFO structure body of the target Enclave; c. and (3) performing Message authentication signature (AES-CMAC, AES Cipher-based Message Au) on the Report structure of the source Enclave by using the Report Key of the target Enclave.

(3) And transmitting the REPORT of the source Enclave to the target Enclave through an untrusted channel.

(4) The target Enclave calls instruction EGETKEY (one of SGX instructions) to obtain ReportKey of the target Enclave.

(5) The target Enclave uses the Report Key to verify the message authentication signature of the Report structure of the source Enclave, so as to confirm whether the identity of the source Enclave is legal.

(6) The source Enclave and the target Enclave interact identity, and the source Enclave uses the same steps to authenticate the identity of the target Enclave.

Fig. 2b is a schematic diagram of generating a Message Authentication Code (MAC) according to the prior art, fig. 2c is a schematic diagram of an authentication process according to a trusted program in the prior art, and generation of a Report Key includes that for an Owner's Epoch, platform related Info (platform related information), and a Processor's Fused Seal Key (CPU built-in Key), it is ensured that an envelope of both authentication parties uses the same platform, and any one of the three will generate different Report keys. Report Key is the 128-bit Symmetric Key (Symmetric Key) in fig. 2b and fig. 2c, TAGETINFO is the overall metric value of the Target security code space (Target Enclave's measures & Attributes) in fig. 2b, and the overall metric value of the source security code space (Caller Enclave's measures & Attributes) in fig. 2 c; REPORT is the overall metric value of the source security code space in fig. 2b (Caller Enclave's measures & Attributes) and fig. 2c (Sender Enclave's measures & Attributes).

Therefore, the above solution has the following disadvantages:

(1) in the step (1) of the above scheme, the entire TARGETINFO information of Enclave can be obtained only through the identity ID information of Enclave, so that any Enclave of the platform can obtain the TARGETINFO information of any target Enclave, and at the same time, the Report Key of the target Enclave can be calculated. Therefore, there is a risk that the Report keys of all enclaves are obtained by means of traversal and the like, and then a legal Report signature MAC is forged.

(2) Through SGX local authentication, only Enclave is proved to belong to the platform (the platform information is the same), but the credibility of the Enclave cannot be proved, and the enclaves of any same platform can pass through mutual authentication so as to be accessed or invoked mutually. There is therefore a security risk that unauthorized enclaves may gain access to sensitive enclaves.

(3) When Enclave is generated, its related keys (Report keys, etc.) are also generated and are only fixed and unchanged. The existing security risk is that the forward security and the backward security of the secret key cannot be guaranteed, if the secret key is cracked, all the previously stored sensitive information can be leaked, and the security of the later information cannot be guaranteed.

In order to solve the above-mentioned defects existing in the trusted program authentication, under the above-mentioned operating environment, the present application provides an authentication method of a secure code space as shown in fig. 3. The security code space in this embodiment is Enclave, that is, the security code space used in SGX to protect a legitimate program, fig. 3 is a flowchart of an authentication method for a security code space according to embodiment 1 of the present invention, and as shown in fig. 3, the method includes the following steps:

in step S31, the first program acquires a first report key.

Specifically, the first program is a program running on a first secure code space, and the first secure code space is a first Enclave.

In an alternative embodiment, the first encraves all have corresponding first authorization keys, and the first authorization keys may be keys written during program development, and are stored in the encraves, and are unique and fixed and do not change. The first program can call the first asymmetric key from the security chip through the first authorization key, and then encrypt the pre-acquired symmetric key through the first asymmetric key, so as to obtain a first report key.

In step S37, the first program uses the first report key to calculate a first overall metric value of the first secure code space, and generates a first message authentication code.

In an optional embodiment, the CPU obtains a first overall metric value of the first Enclave, a symmetric Key obtained in advance of the CPU, and a first authorization Key of the first Enclave, and the CPU calls the TPM secure chip through the first authorization Key to use the first asymmetric Key to encrypt the symmetric Key obtained in advance of the CPU to obtain a first Report Key, and then performs message authentication signature operation on the first overall metric value of the first Enclave through the first Report Key, so as to obtain the first message authentication code.

The operation of generating the first message authentication code may be an AES-CMAC operation for performing an AES-based message authentication signature algorithm on the first overall metric value. Optionally, the operation may also be an algorithm such as DSA or ECDSA, which is not limited herein.

In step S39, the first program sends the first message authentication code to the second program.

Specifically, the second program is a program running on a second secure code space, the second secure code space is a second Enclave, and since the first program needs to access the content in the second Enclave, the first program sends the first message authentication code to the second program, which is used for the second secure code space to authenticate the first secure code space.

In step S311, the first program receives a verification result returned by the second program, where the verification result is used to characterize whether the second security code space of the second program successfully authenticates the first security code space.

Specifically, after receiving the first message authentication code, the second program performs verification based on the first message authentication code, and returns a verification result to the first program.

In an optional embodiment, the second program may verify the first message authentication code in a manner that the first message authentication code is compared with a second message authentication code acquired in advance, so that the verification is determined to be passed under the condition that the first message authentication code is the same as the second message authentication code.

According to the embodiment of the application, the report key is generated through the authorization key, and the message authentication code is generated through the report key, so that the authentication of the security code space based on the message authentication code is realized. In the authentication method provided by the application, it can be determined that the second secure code space passes the authentication of the first secure code space only if the second program of the second secure code space passes the verification of the first message authentication code of the first secure code space.

As an alternative embodiment, the first program obtains the first report key, including:

in step S311, the first program obtains a first authorization key of the first secure code space.

Specifically, the first program is a program running on a first secure code space, the first secure code space is a first Enclave, the first enclaves all have corresponding first authorization keys, and the first authorization keys may be keys written during program development, and are stored in the Enclave, and are unique and fixed to the Enclave, and do not change.

In step S313, the first program retrieves the first asymmetric key from the security chip based on the first authorization key of the first security code space.

Specifically, the first asymmetric key and the first authorization key have a corresponding relationship and are protected by the first authorization key, and only if the first authorization key corresponding to the first asymmetric key is provided, the first asymmetric key can be obtained and encrypted and decrypted by using the first asymmetric key. In an alternative embodiment, the first asymmetric key may be generated by a TPM security chip (i.e., the security chip described above), and in use, the CPU retrieves the first asymmetric key from the TPM security chip for encryption and decryption through the first authorization key. In the above step, the first asymmetric key is an asymmetric key corresponding to the first authorization key of the first Enclave.

In step S315, the first program encrypts the obtained symmetric key using the first asymmetric key to generate a first report key.

Specifically, the Report Key is a Report Key, and the first Report Key is a Report Key of the first envelope, and is used to perform message authentication signature operation on the first overall metric value to obtain a first message authentication code.

The pre-obtained symmetric Key may be a preset symmetric Key or a pre-calculated symmetric Key, for example, the pre-obtained symmetric Key may be a 128-bit symmetric Key, and the Enclave in the same Platform has the same symmetric Key according to the Owner's epoch, Platform Specific Info (Platform related information) of the CPU and the Processor's Fused Seal Key.

It should be noted that in the SGX authentication in the prior art, as long as the first Enclave and the second Enclave are proved to belong to the same platform, the authentication can be passed, so that a program corresponding to an unauthorized Enclave may access the content in the sensitive Enclave. In the embodiment of the application, the report key is generated through the authorization key, and the message authentication code is generated through the report key, so that the authentication of the security code space based on the message authentication code is realized. In the authentication method provided by the application, it can be determined that the second secure code space passes the authentication of the first secure code space only if the second program of the second secure code space passes the verification of the first message authentication code of the first secure code space.

As an alternative embodiment, in the case where it is determined that the first secure code space is successfully authenticated, it is determined whether the first secure code space is successfully authenticated to the second secure code space by performing the reverse process.

Specifically, executing the reverse process may refer to exchanging identities of the first security code space and the second security code space after the second security code space passes authentication of the first security code space, and using the same manner to authenticate the first security code space as a target security code space and the second security code space as a source security code space.

As an alternative embodiment, when it is determined that the first secure code space and the second secure code space are successfully authenticated with each other, the first program and the second program are mutually trusted programs, and when the first program and the second program are mutually trusted programs, the first authorization key and the second authorization key of the second secure code space are the same authorization key.

In the above scheme, after the first secure code space and the second secure code space are authenticated by each other by executing the inverse process, it is determined that the first program in the first secure code space and the second program in the second secure code space are trusted programs, that is, the first program may access the content in the second secure code space, and meanwhile, the second program may also access the content in the first secure code space.

In an alternative case, if the first program and the second program are trusted programs, the first message authentication code and the second message authentication code are equal, that is, the first reporting key and the second reporting key are equal. Since the first report key is obtained by encrypting the symmetric key obtained in advance with the first asymmetric key corresponding to the first authorization key, and the second report key is obtained by encrypting the symmetric key obtained in advance with the second asymmetric key corresponding to the second authorization key, the first authorization key and the second authorization key can be obtained to be the same under the condition that the first program is equal to the second program.

As an alternative embodiment, the first program encrypts the obtained symmetric key by using a first asymmetric key to generate a first report key, including:

in step S351, the first program generates a symmetric key.

Specifically, the symmetric Key may be a 128-bit symmetric Key, and may be obtained according to the Owner's epoch, Platform Specific Info (Platform related information) and Processor's Fused Seal Key of the CPU, where enclaves in the same Platform have the same symmetric Key.

In step S353, the first program encrypts the symmetric key by using the first asymmetric key to obtain a first report key.

Specifically, the first asymmetric key may be generated by the TPM security chip and protected by the first authorization key, so that the CPU needs to call the first asymmetric key in the TPM security chip through the first authorization key to encrypt the pre-obtained symmetric key.

In an alternative embodiment, still referring to fig. 4, a corresponding first asymmetric Key (RSA) is obtained by using a first authorized Key (Shared Authentication Key), and then the symmetric Key (128-bitSymmetric Key) is encrypted (TPM2_ rsatyp) by using a public Key in the first asymmetric Key (public Key), so as to obtain a first reporting Key (Report Key).

As an alternative embodiment, the first program operating on the first overall metric value of the first secure code space using the first reporting key to generate the first message authentication code includes:

in step S371, the first program obtains a first overall metric value of the first security code space.

The first overall metric value is obtained by performing metric operation on the contents of codes, data, stacks, memory pages, security identifiers and the like in the first Enclave.

The first report key is obtained by encrypting a pre-acquired symmetric key through a first asymmetric key corresponding to the first authorization key, so that the first report key can be obtained by acquiring the pre-acquired symmetric key and the first asymmetric key.

In step S373, the first program determines a message authentication code corresponding to the first overall metric value through a message authentication signature algorithm based on the first report key.

In step S375, the first program determines the message authentication code determined based on the first report key as the first message authentication code.

In the above step, the message authentication code obtained by performing message authentication signature operation on the first overall metric value by the second report key is used as the second message authentication code. Fig. 4 is a schematic diagram of generating a first message authentication code according to embodiment 1 of the present application, and AES-CMAC operation is performed on a first overall metric value (sourceenclaves' measures & Attributes) of a first Enclave through a first Report Key (Report Key) to obtain the first Message Authentication Code (MAC).

As an alternative embodiment, the first program generates a symmetric key, comprising:

step S3511, the first program obtains a first encryption parameter and a second encryption parameter, where the first encryption parameter is a root key preset when the SGX is started, and the second encryption parameter is platform information.

Specifically, the first encryption parameter is Owner's Epoch, which is a preset value when the SGX is started, and is not changed after the SGX is started, and the first encryption parameter mainly acts on the BIOS layer, so that oem/odm/user defines a root key, and once the key is set, an ordinary user is difficult to change and can only change in the BIOS layer. The second encryption parameter is Platform Specific Info, i.e. Platform related information, such as SVM (Security Version Number), CPUSVN, ISVSVN, etc.

Step S3513, the first program obtains the overall measurement information of the second security code space according to the identity of the second security code space, wherein the overall measurement information is obtained by encrypting the second overall measurement value of the second security code space through the second asymmetric key of the second security code space.

Specifically, the identity of the second security code is an Enclave _ ID of the second Enclave, and the security code space and the identity have a one-to-one correspondence relationship. This Enclave _ ID is generated for Enclave at the time each Enclave is created. The first Enclave can find the overall metric information of the second Enclave _ ID according to the Enclave _ ID of the second Enclave.

The above-mentioned overall metric information refers to TARGETINFO for cryptographically storing the second overall metric value of the second Enclave.

In an optional embodiment, when creating Enclave, the overall metric value of Enclave is acquired, the overall metric value of Enclave is encrypted by using an asymmetric key of the Enclave and then stored in TARGETINFO, and Enclave _ ID and TARGETINFO of Enclave are correspondingly stored, so that the second overall metric value of the second Enclave can be acquired according to the identity of the second Enclave.

Step S3515, the first program decrypts the overall metric information by the first asymmetric key, and obtains a second overall metric value if decryption is successful.

After the above step S3115 is executed, there may be two cases:

(1) the first asymmetric key is the same as the second asymmetric key, in which case the decryption of the global metric information is successful to obtain a second global metric value, and the process continues to step S33117.

(2) The first asymmetric key is different from the second asymmetric key, in which case decryption of the overall metric information fails and the second overall metric value cannot be obtained. Therefore, the authentication fails, and the program corresponding to the first Enclave cannot access the content in the second Enclave.

In an alternative embodiment, still referring to fig. 4, the first key parameter and the second key parameter can be directly obtained, and then the TPM is invoked by the first authorization key to decrypt (TPM2_ rsadcrypt) the integral metric information (Encrypted Target encryption Target info) of the second secure code space by using the first asymmetric key, so as to obtain the integral metric value of the second secure code space.

And then, calculating the first key parameter, the second key parameter and the integral measurement value of the second security code space by using a CPU built-in key report key generation algorithm, thereby obtaining a symmetric key.

It should be noted that, in step S33113, the overall metric information obtained is obtained by encrypting the second overall metric value of the second secure code space through the second asymmetric key of the second secure code space, so in step S33115, when decrypting the overall metric information, if the first authorization key needs to be different from the second authorization key, the first asymmetric key and the second asymmetric key obtained by the called TPM secure chip are also different, and therefore the overall metric information cannot be decrypted to obtain the second overall metric value; only under the condition that the first authorization key is the same as the second authorization key, the first asymmetric key can be the same as the second asymmetric key, so that the integral measurement information can be decrypted to obtain a second integral measurement value.

In the prior art, only the Enclave _ ID of the second Enclave is possessed, the overall metric value of any Enclave on the platform can be obtained, so that the report key of any Enclave on the platform can be calculated, and the message authentication code can be forged. Therefore, the above embodiment further ensures the security of authentication, and avoids the risk of forging the message authentication code.

And S3517, the first program performs a key generation algorithm on the first encryption parameter, the second encryption parameter and the second overall metric value through a built-in key of the central processing unit to obtain a symmetric key.

Specifically, the internal Key of the CPU is a Processor's Fused serial Key, which is burned by an Intel during the production of a CPU chip, and is fixed and unchangeable, the Key generation algorithm is AES-CMAC Key derivation, and the symmetric Key obtained through operation is a 128-bitSymmetric Key.

As an alternative embodiment, before the first program obtains the first authorization key of the first secure code space, the method further includes:

in step S323, the central processor creates a plurality of secure code spaces.

In step S325, the central processor determines a first security code space and a second security code space.

In an alternative embodiment, it is determined that the security code space corresponding to the program that needs to access the content in the other security code spaces is the first security code space, and the security code space in which the content is accessed by the programs corresponding to the other security code spaces is the second security code space.

It should be noted that, when the programs corresponding to the two secure code spaces need to access the contents of the secure code spaces mutually, one of the two secure code spaces is used as the first secure code space, and the other secure code space is used as the second secure code space for authentication, after the authentication is successful, the identities of the two secure code spaces are exchanged, the authentication process is executed again, and after the two authentications are successful, the programs corresponding to the two secure code spaces can access the contents of the other side mutually.

As an alternative embodiment, after creating a plurality of secure code spaces, the method may further include: registering an authorization key for the secure code space, the step of registering an authorization key for the secure code space comprising:

step S327, the central processing unit determines the identity of the secure code space during the process of creating the secure code space.

Specifically, when creating the security code space, an independent unique identity, namely, an Enclave _ ID, of the security code space is obtained.

Step S329, the central processing unit stores the authorization key of the program corresponding to the security code space in the security code space, where the authorization key is used to protect the asymmetric key corresponding to the authorization key.

In particular, the authorization key may be pre-written and stored in the secure code space as sensitive data after the secure code space is created. The authorization key is used to protect the asymmetric key corresponding to the authorization key, which means that the corresponding authorization key must be provided before the asymmetric key is used later to allow encryption and decryption using the asymmetric key.

In an alternative embodiment, after storing the authorization key corresponding to the secure code space in the secure code space, an asymmetric key protected by the authorization key is created.

Step S3211, the central processing unit obtains an overall metric value of the security code space.

The overall metric of the secure code space is used to determine whether the secure code space has been tampered with, and is directly available for use after the secure code space is created or, thus, when the program is authenticated.

Step S3213, the central processing unit calls the security chip to encrypt the overall metric value by using the asymmetric key through the authorization key to obtain overall metric information.

Through the steps, the security code space can not randomly obtain the integral measurement value of any other security code space of the same platform, but only obtain the integral measurement value of the security code space with the same authorization key.

Step S3215, the central processing unit registers the identity and the overall measurement information of the security code space.

The identity and the overall metric information of the security code space may be registered in the Memory of the CPU, i.e., < envelope _ ID, Encrypted _ target info >.

As an alternative embodiment, the central processor updates the asymmetric key of the secure code space according to a predetermined cycle.

Specifically, the authorization key corresponding to the secure code space is fixed and unique, but the asymmetric key thereof may be generated according to a predetermined rule, for example, according to a predetermined rule, and for example, the corresponding asymmetric key may be generated once, that is, each time for the secure code space requiring authentication. It should be noted that each time the asymmetric key is generated, it is protected by the authorization key of the secure code space.

In the prior art, the Report Key of the security code space is unique and fixed, and the forward/backward security of the Key cannot be guaranteed, in the scheme of the application, the asymmetric Key used for generating the Report Key is not unique, and the TPM security chip can generate a new asymmetric Key, so that the technical problem that the forward/backward security is difficult to guarantee in the prior art is solved, and even if one Key is cracked, the security of forward or backward data cannot be influenced.

It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.

Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.

Example 2

According to an embodiment of the present invention, an embodiment of a method for registering a secure code space is further provided, and fig. 6 is a flowchart of a method for registering a secure code space according to embodiment 2 of the present application, which is shown in fig. 6, and includes the following steps:

step S61, the identity of the secure code space is determined during the process of creating the secure code space.

And step S63, storing the authorization key of the program corresponding to the secure code space into the secure code space, wherein the authorization key is used for protecting the asymmetric key of the secure code space created by the secure chip.

Step S65, an overall metric value of the security code space is obtained.

And step S67, the integral metric value is encrypted by using the asymmetric key through calling the authorization key, and integral metric value information is obtained.

And step S69, storing the identity identification and the integral metric value information of the security code space.

Fig. 7 is a schematic diagram of registering a secure code space according to embodiment 2 of the present application, and with reference to fig. 7, after a secure code space is created, an authorization key corresponding to the secure code space is obtained and stored in the secure code space, so as to protect an asymmetric key of the secure code space created by a TPM secure chip; an overall metric value for the secure code space is then calculated.

After the integral Measurement value of the security code space is obtained, a TPM security chip is called to encrypt the integral Measurement value (measures & Attributes) by using a public Key of a corresponding asymmetric Key (RSA) through a stored authorization Key (SharedAuthentication Key) (TPM2_ rsatypt) to obtain integral Measurement information (Encrypted TARGETINFO), and finally the identity information and the integral Measurement information of the security code space are registered in the Memory in a mode of < Encrypted _ ID, Encrypted _ TARGETINFO >.

After the security code space is created, the authorization key corresponding to the security code space is also obtained, the asymmetric key corresponding to the authorization key corresponding to the security code space is created, the overall measurement value of the security code space is encrypted by using the symmetric key to obtain overall measurement information, and finally the identity identifier and the overall measurement information of the security code space are registered in the memory. According to the scheme, in the process of creating the security code space, the authorization key is introduced, and the whole metric value is encrypted through the asymmetric key corresponding to the authorization key and then stored, so that the security code space with different authorization keys cannot decrypt the whole metric information of other security code spaces, further the whole metric value of other security code spaces cannot be obtained, and only the whole metric value of the security code space which is the same as the authorization key of the security code space can be obtained.

Therefore, the above embodiment further ensures the security of authentication, and avoids the risk of forging the message authentication code. The technical problem of insufficient security of Enclave in the prior art is solved.

As an alternative embodiment, the asymmetric key of the secure code space is updated according to a predetermined period.

In the prior art, the Report Key of the security code space is unique and fixed, and the forward/backward security of the Key cannot be ensured, but in the above scheme of the application, the asymmetric Key used for generating the Report Key is not unique, and the TPM security chip can generate a new asymmetric Key, thereby solving the technical problem that the forward/backward security is difficult to ensure in the prior art.

Example 3

According to an embodiment of the present invention, there is also provided an authentication apparatus for a secure code space, which is used for implementing the authentication method for a secure code space, and fig. 8 is a schematic diagram of an authentication apparatus for a secure code space according to embodiment 3 of the present application, and as shown in fig. 8, the apparatus 800 includes:

an obtaining module 802, configured to obtain, by a first program, a first reporting key.

A first operation module 804, configured to perform an operation on the first overall metric value of the first security code space by using the first report key by the first program, so as to generate a first message authentication code.

A sending module 806, configured to send, by the first program, the first message authentication code to the second program.

A receiving module 808, configured to receive, by the first program, a verification result returned by the second program, where the verification result is used to characterize whether the second security code space of the second program successfully authenticates the first security code space.

It should be noted that the obtaining module 802, the first operation module 804, the sending module 806 and the receiving module 808 correspond to steps S31 to S37 in embodiment 1, and the two modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.

As an alternative embodiment, the obtaining module includes: the obtaining submodule is used for obtaining a first authorization key of a first security code space by a first program; the calling submodule is used for calling a first asymmetric key from the security chip by a first program based on a first authorization key of a first security code space; and the generation submodule is used for encrypting the first authorization key by using the first asymmetric key by the first program to generate a first report key.

As an optional embodiment, when it is determined that the mutual authentication between the first secure code space and the second secure code space is successful, the first program corresponding to the first secure code space and the second program corresponding to the second secure code space are mutually trusted programs, and when the first program and the second program are mutually trusted programs, the first authorization key and the second authorization key of the second secure code space are the same authorization key.

As an alternative embodiment, the first encryption module comprises: a first generation unit for generating a symmetric key by a first program; and the first calling unit is used for calling the first asymmetric key by the first program through the first authorization key, and encrypting the symmetric key to obtain a first report key.

As an alternative embodiment, the first operation module includes: the first obtaining submodule is used for obtaining a first overall metric value of a first security code space by a first program; the first determining module is used for determining a message authentication code corresponding to the first integral metric value through a message authentication signature algorithm by the first program based on the first report key; and a second determination module for the first program to determine the message authentication code determined based on the first reporting key as the first message authentication code.

As an alternative embodiment, the first generating unit includes: the first acquiring subunit is used for acquiring a first encryption parameter and a second encryption parameter by a first program, wherein the first encryption parameter is a root key preset when the SGX is started, and the second encryption parameter is platform information; the second obtaining subunit is configured to obtain, by the first program, integral metric information of the second secure code space according to the identity identifier of the second secure code space, where the integral metric information is obtained by encrypting a second integral metric value of the second secure code space by using a second asymmetric key of the second secure code space; the calling subunit is used for the first program to decrypt the overall metric information through the first asymmetric key and obtain a second overall metric value under the condition of successful decryption; and the first operation subunit is used for the first program to perform a key generation algorithm on the first encryption parameter, the second encryption parameter and the second overall metric value through the built-in key of the central processing unit to obtain a symmetric key.

As an alternative embodiment, the apparatus further comprises: the system comprises a creating module, a processing module and a processing module, wherein the creating module is used for creating a plurality of security code spaces by a central processing unit before a first program acquires a first authorization key of a first security code space; and the first determining module is used for determining the first safety code space and the second safety code space by the central processing unit.

As an alternative embodiment, the apparatus further comprises: the second determining module is used for determining the identity of the security code space by the central processing unit in the process of creating the security code space; the storage module is used for storing an authorization key of a program corresponding to the security code space into the security code space by the central processing unit, wherein the authorization key is used for protecting an asymmetric key corresponding to the authorization key; the integral measurement value acquisition module is used for acquiring the integral measurement value of the security code space by the central processing unit; the calling module is used for calling the security chip to encrypt the whole metric value by using the asymmetric key through the authorization key by the central processing unit to obtain whole metric information; and the registration module is used for registering the identity identification and the integral measurement information of the security code space by the central processing unit.

Example 4

According to an embodiment of the present invention, there is further provided a secure code space registration apparatus for implementing the above-mentioned secure code space registration method, and fig. 9 is a schematic diagram of a secure code space registration apparatus according to embodiment 4 of the present application, as shown in fig. 9, the apparatus 900 includes:

a determining module 902 for determining an identity of a secure code space in a process of creating the secure code space.

The first storage module 904 is configured to store an authorization key of a program corresponding to the secure code space into the secure code space, where the authorization key is used to protect an asymmetric key of the secure code space created by the secure chip.

An obtaining module 906, configured to obtain an overall metric value of the security code space.

And an encryption module 908, configured to encrypt the overall metric value using the asymmetric key by calling the authorization key, so as to obtain the overall metric value information.

And the second storage module 9010 is configured to store the identity and the overall metric information of the security code space.

As an alternative embodiment. The asymmetric key of the secure code space is updated according to a predetermined period.

It should be noted here that the determining module 902, the first storing module 904, the obtaining module 906, the encrypting module 908, and the second storing module 9010 correspond to steps S61 to S69 in embodiment 2, and the two modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.

Example 5

According to an embodiment of the present invention, an embodiment of a method for registering a secure code space is further provided, and fig. 10 is a flowchart of a method for authenticating a secure code space according to embodiment 5 of the present application, which is shown in fig. 10, and includes the following steps:

in step S101, the second program acquires a second report key.

Specifically, the second program is a program running on a second secure code space, and the second secure code space is a second Enclave.

In an alternative embodiment, the second encraves all have corresponding second authorization keys, and the second authorization keys may be keys written during program development, and are stored in the encraves, and are unique and fixed and do not change. The second program can call a second asymmetric key from the security chip through the second authorization key, and then encrypt the pre-obtained symmetric key through the second asymmetric key, so as to obtain a second report key.

Step S103, the second program uses the second report key to calculate the first overall metric value of the first security code space, and generates a second message authentication code.

In an optional embodiment, the CPU obtains a first overall metric value of the first Enclave, a symmetric Key obtained in advance by the CPU, and a second authorization Key of the second Enclave, and the CPU calls the TPM secure chip through the second authorization Key to use the second asymmetric Key to encrypt the symmetric Key obtained in advance, so as to obtain a second Report Key, and then performs message authentication signature operation on the first overall metric value of the first Enclave through the second Report Key, so as to obtain the second message authentication code.

It should be noted that the security chip for the CPU to obtain the second asymmetric key call may be the same security chip as the security chip for the CPU to obtain the first asymmetric key call in embodiment 1, or may be different security chips.

The operation of generating the second message authentication code may still be an AES-CMAC operation, which is used to perform a message authentication signature algorithm based on an AES encryption algorithm on the first overall metric value. The algorithm may also be DSA or ECDSA, and is not limited herein.

Step S105, the second program obtains a verification result based on the second message authentication code and the first message authentication code, wherein the first message authentication code is obtained by the first program by using the first report key to calculate the first overall metric value of the first security code space.

Specifically, the obtaining of the first message authentication code may be as shown in embodiment 1, and is not described herein again.

In step S107, the second program returns the verification result to the first program.

In an optional embodiment, when the second message authentication code is the same as the second message authentication code, the second security code space successfully authenticates the first security code space, that is, the program corresponding to the first Enclave may access the data and the program in the second Enclave.

As an alternative embodiment, the second program acquires the second report key, including:

in step S101, the second program obtains a second authorization key of the second secure code space.

Specifically, the second security code space is a second Enclave. In step S313, the authorization key may be a key written during program development, and is stored in Enclave, and is unique and fixed and does not change.

It should be noted that after the two secure code spaces pass the mutual authentication, the programs corresponding to the two secure code spaces allow access to the contents in the secure code space of the other side. In this embodiment, the first security code space is authenticated by using the second security code space as an example, that is, in this embodiment, the first security code space is a source security code space that requests authentication, and the second security code space is a target security code space that authenticates the source security code space.

It should be further noted here that, when writing the authorization key into the Enclave, the enclaves of the mutually trusted programs have the same authorization key, that is, the authorization keys of the enclaves of the mutually trusted programs are the same, and the Enclave program authentication is performed based on the same authorization key.

In step S1013, the second program retrieves the second asymmetric key from the secure chip based on the second authorization key of the second secure code space.

The second asymmetric key and the second authorization key have a corresponding relationship and are protected by the second authorization key, and only if the second authorization key corresponding to the second asymmetric key is provided, the second asymmetric key can be used for encryption and decryption. In an alternative embodiment, the asymmetric key may be generated by a TPM security chip (i.e., the security chip and the security chip may be the same security chip), and in use, the CPU invokes a second asymmetric key from the TPM through a second authorization key for encryption and decryption. In the above step, the second asymmetric key is an asymmetric key corresponding to the second authorization key of the second Enclave.

In step S1015, the second program encrypts the obtained symmetric key using the second asymmetric key to generate a second report key.

The second Report Key is a Report Key of the second encrypt, and is still used for performing message authentication signature operation on the first overall metric value to obtain a second message authentication code.

Therefore, when the first authorization key of the first Enclave is the same as the second authorization key of the second Enclave, the second message authentication code may be the same as the first message authentication, and therefore, even if the first security code space and the second security code space belong to the same platform, if the authorization keys are different, the authentication cannot pass, so that the situation that a program corresponding to an unauthorized Enclave in the same platform can access the content in the sensitive Enclave is avoided, and the technical problem that the security of the Enclave in the prior art is insufficient is solved.

In an optional embodiment, the obtaining, by the second program, the verification result based on the second message authentication code and the first message authentication code includes: if the second message authentication code is the same as the first message authentication code or reaches a preset matching condition, determining that the second security code space successfully authenticates the first security code space; and if the second message authentication code is different from the first message authentication code or does not reach the preset matching condition, determining that the authentication of the second security code space to the first security code space fails.

In the above scheme, if the second message authentication code is the same as the first message authentication code or meets the preset matching condition, the second authorization key in the second Enclave and the first authorization key of the first Enclave are necessarily the same, and since the security code spaces of the trusted programs each other have the same authorization key, the second security code space successfully verifies the first security code space, that is, the program corresponding to the first security code space can access the data and the program in the second security code space.

If the second message authentication code is different from the first message authentication code or does not reach the preset matching condition, the second authorization key in the second envelope is certainly different from the first authorization key of the first envelope, so that the first security code space and the second security code space are not mutually credible security code spaces, and the authentication failure is determined.

In an alternative embodiment, there may be a preset correspondence between the message authentication codes, and the meeting of the preset matching condition may be that the first message authentication code and the second message authentication code are in one-to-one correspondence in the preset correspondence.

As an alternative embodiment, the second program encrypts the obtained symmetric key by using a second asymmetric key to generate a second report key, including:

in step S10151, the second program generates a symmetric key.

Step S10153, the second program calls the second asymmetric key through the second authorization key of the central processing unit, and encrypts the symmetric key to obtain the second report key.

Specifically, the second asymmetric key is generated by the TPM security chip and protected by the second authorization key, so the CPU needs to call the second asymmetric key in the TPM security chip through the second authorization key to encrypt the symmetric key.

In an alternative embodiment, still referring to fig. 5, a corresponding second asymmetric Key (RSA) is obtained through a second authorization Key (Shared Authentication Key), and then the symmetric Key (128-bitSymmetric Key) is encrypted (TPM2_ rsatypt) by using a public Key in the second asymmetric Key (TPM2_ rsaelypt), so as to obtain a second reporting Key (Report Key).

As an alternative embodiment, the second program uses the second report key to operate on the second overall metric value of the second security code space to generate the second message authentication code, and includes:

in step S3191, the second program obtains a first overall metric value for the first security code space.

The second report key is obtained by encrypting the symmetric key through the first asymmetric key corresponding to the second authorization key, so that the second report key can be obtained by obtaining the symmetric key and the second asymmetric key.

Step S3193, the second program determines a message authentication code corresponding to the first overall metric value through a message authentication signature algorithm based on the second report key.

In step S3195, the second program determines the message authentication code confirmed based on the second report key as the second message authentication code.

In the above step, the message authentication code obtained by performing message authentication signature operation on the first overall metric value by the second report key is used as the first message authentication code. Fig. 5 is a schematic diagram of program authentication according to embodiment 1 of the present application, and as shown in fig. 5, AES-CMAC operation is performed on a first overall metric value (source entity's measures & Attributes) of a first encapsulated through a second Report Key (Report Key), so as to obtain a second Message Authentication Code (MAC).

As an alternative embodiment, the second program generates a symmetric key, comprising:

in step S101511, the second program obtains a first encryption parameter, a second encryption parameter, and a third encryption parameter, where the first encryption parameter is a root key preset when the SGX is started, the second encryption parameter is platform information, and the third encryption parameter is a second overall metric value of the second security code space.

Specifically, the first encryption parameter is an Owner's Epoch, which is a value preset when the SGX is started and is not changed after the SGX is started. The second encryption parameter is Platform Specific Info, i.e. Platform related information, such as SVM (Security Version Number), CPUSVN, ISVSVN, etc.

In step S101513, the second program performs a key generation algorithm on the first encryption parameter, the second encryption parameter, and the third encryption parameter through the key built in the central processing unit, to obtain a symmetric key.

In an alternative embodiment, still referring to fig. 5, the first key parameter, the second key parameter, and the third key parameter are directly obtained, and the first key parameter, the second key parameter, and the third key parameter are operated by a key report key generation algorithm built in the CPU, so that the symmetric key is obtained.

Example 6

According to an embodiment of the present invention, there is also provided an authentication apparatus for a secure code space, which is used for implementing the authentication method for a secure code space, and fig. 11 is a schematic diagram of an authentication apparatus for a secure code space according to embodiment 6 of the present application, and as shown in fig. 11, the apparatus 1100 includes:

a first obtaining module 1102, configured to obtain, by the second program, a second reporting key.

A production module 1104, configured to perform an operation on the first overall metric value of the first security code space by using the second report key by the second program, so as to generate a second message authentication code.

A second obtaining module 1106, configured to, based on the second message authentication code and the first message authentication code, obtain the verification result by the second program.

A returning module 1108 for the second program to return the verification result to the first program.

It should be noted here that the first obtaining module 1102, the producing module 1104, the second obtaining module 1106 and the returning module 1108 correspond to steps S101 to S107 in embodiment 5, and the two modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.

As an alternative embodiment, the first obtaining module includes: the first obtaining submodule is used for obtaining a second authorization key of a second security code space by a second program; the calling submodule is used for calling a second asymmetric key from the security chip by the second program based on a second authorization key of a second security code space; and the generation submodule is used for encrypting the acquired symmetric key by using a second asymmetric key by the second program to generate a second report key.

As an alternative embodiment, the second obtaining module includes: the first determining submodule is used for determining that the second security code space successfully authenticates the first security code space if the second message authentication code is the same as the first message authentication code or reaches a preset matching condition; and the second determining submodule is used for determining that the second security code space fails to authenticate the first security code space if the second message authentication code is different from the first message authentication code or does not reach the preset matching condition.

As an alternative embodiment, the generating sub-module comprises: a generating unit configured to generate a symmetric key by the second program; and the encryption unit is used for encrypting the symmetric key by the second program through the second asymmetric key to obtain a second report key.

As an alternative embodiment, the production module comprises: the second acquisition submodule is used for acquiring a first overall metric value of the first security code space by a second program; the third determining submodule is used for determining a message authentication code corresponding to the first integral metric value through a message authentication signature algorithm based on the second report secret key by the second program; and the confirmation submodule is used for the second program to determine the message authentication code confirmed based on the second report key as the second message authentication code.

As an alternative embodiment, the generating unit includes: the obtaining subunit is configured to obtain, by the second program, a first encryption parameter, a second encryption parameter, and a third encryption parameter, where the first encryption parameter is a root key preset when the SGX is started, the second encryption parameter is platform information, and the third encryption parameter is a second overall metric value of a second security code space; and the encryption subunit is used for the second program to perform a key generation algorithm on the first encryption parameter, the second encryption parameter and the third encryption parameter through the built-in key of the central processing unit to obtain a symmetric key.

Example 7

The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.

Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.

In this embodiment, the computer terminal may execute the program code of the following steps in the authentication method of the secure code space: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

Alternatively, fig. 12 is a block diagram of a computer terminal according to embodiment 7 of the present invention. As shown in fig. 12, the computer terminal a may include: one or more processors 1202 (only one of which is shown), a memory 1204, and a peripheral interface 1206.

The memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for authenticating a secure code space in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implements the above-described method for authenticating a secure code space. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, and these remote memories may be connected to terminal a through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

Optionally, the processor may further execute the program code of the following steps: a first program acquires a first authorization key of a first security code space; the first program calls a first asymmetric key from the security chip based on a first authorization key of a first security code space; the first program encrypts a first authorization key using a first asymmetric key, generating a first reporting key.

Optionally, the processor may further execute the program code of the following steps: in a case where it is determined that the first secure code space is successfully authenticated, it is determined whether the first secure code space is successfully authenticated to the second secure code space by performing an inverse process.

Optionally, the processor may further execute the program code of the following steps: and under the condition that the mutual authentication of the first security code space and the second security code space is determined to be successful, the first program and the second program are mutually trusted programs, wherein under the condition that the first program and the second program are mutually trusted programs, the first authorization key and the second authorization key of the second security code space are the same authorization key.

Optionally, the processor may further execute the program code of the following steps: if the second message authentication code is the same as the first message authentication code, determining that the second security code space successfully authenticates the first security code space; and if the second message authentication code is different from the first message authentication code, determining that the second security code space fails to authenticate the first security code space.

Optionally, the processor may further execute the program code of the following steps: the first program generates a symmetric key; the first program encrypts the symmetric key through the first asymmetric key to obtain a first report key.

Optionally, the processor may further execute the program code of the following steps: a first program acquires a first overall metric value of a first security code space; the first program determines a message authentication code corresponding to the first overall metric value through a message authentication signature algorithm based on the first report key; the first program determines a message authentication code determined based on the first reporting key as a first message authentication code.

Optionally, the processor may further execute the program code of the following steps: a first program acquires a first encryption parameter and a second encryption parameter, wherein the first encryption parameter is a root key preset when an SGX is started, and the second encryption parameter is platform information; the first program acquires integral measurement information of the second security code space according to the identity of the second security code space, wherein the integral measurement information is obtained by encrypting a second integral measurement value of the second security code space through a second asymmetric key of the second security code space; the first program decrypts the integral measurement information through the first asymmetric key and obtains a second integral measurement value under the condition of successful decryption; and the first program carries out a key generation algorithm on the first encryption parameter, the second encryption parameter and the second integral metric value through a built-in key of the central processing unit to obtain a symmetric key.

Optionally, the processor may further execute the program code of the following steps: the central processor creates a plurality of secure code spaces; the central processor determines a first security code space and a second security code space.

Optionally, the processor may further execute the program code of the following steps: the central processing unit determines the identity of the security code space in the process of creating the security code space; the central processing unit stores an authorization key of a program corresponding to the security code space, wherein the authorization key is used for protecting an asymmetric key corresponding to the authorization key; the central processing unit obtains an integral measurement value of the security code space; the central processing unit calls the security chip to encrypt the overall metric value by using the asymmetric key through the authorization key to obtain overall metric information; the central processor registers the identity and the overall metric information of the security code space.

Optionally, the processor may further execute the program code of the following steps: and the central processor updates the asymmetric key of the security code space according to a preset period.

It can be understood by those skilled in the art that the structure shown in fig. 12 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 12 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 12, or have a different configuration than shown in fig. 10.

Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.

Example 8

The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the authentication method of the secure code space provided in the first embodiment.

Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: a first program acquires a first report key; the first program uses the first report key to calculate the first integral measurement value of the first security code space, and generates a first message authentication code; the first program sends a first message authentication code to the second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.

In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.

In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.

The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims

1. A method of authenticating a secure code space, comprising:

a first program acquires a first report key;

the first program uses the first report key to calculate a first integral metric value of a first security code space, and generates a first message authentication code;

the first program sends the first message authentication code to a second program;

and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

2. The method of claim 1, wherein the first program obtaining the first reporting key comprises:

a first program acquires a first authorization key of a first security code space;

the first program retrieves a first asymmetric key from a security chip based on a first authorization key of the first security code space;

the first program encrypts the first authorization key using the first asymmetric key to generate a first reporting key.

3. The method of claim 2, wherein upon determining that the first secure code space authentication is successful, determining whether the first secure code space successfully authenticates the second secure code space by performing a reverse process.

4. The method of claim 3, wherein the first program and the second program are each other trusted programs if it is determined that the first secure code space and the second secure code space successfully authenticate each other, and wherein the first authorization key and the second authorization key of the second secure code space are the same authorization key if the first program and the second program are each other trusted programs.

5. The method according to any one of claims 2 to 4, wherein the first program encrypts the acquired symmetric key using the first asymmetric key to generate a first report key, and comprises:

the first program generating the symmetric key;

and the first program encrypts the symmetric key through the first asymmetric key to obtain the first report key.

6. The method of claim 1, wherein the first program operates on a first overall metric value of the first secure code space using the first reporting key to generate a first message authentication code, comprising:

the first program obtains a first overall metric value of the first security code space;

the first program determines a message authentication code corresponding to the first overall metric value through a message authentication signature algorithm based on the first report key;

the first program determines a message authentication code determined based on the first reporting key as the first message authentication code.

7. The method of claim 5, wherein the first program generates the symmetric key, comprising:

the first program acquires a first encryption parameter and a second encryption parameter, wherein the first encryption parameter is a root key preset when the SGX is started, and the second encryption parameter is platform information;

the first program acquires integral measurement information of the second security code space according to the identity of the second security code space, wherein the integral measurement information is obtained by encrypting a second integral measurement value of the second security code space through a second asymmetric key of the second security code space;

the first program decrypts the overall metric information through the first asymmetric key, and obtains the second overall metric value under the condition of successful decryption;

and the first program carries out a key generation algorithm on the first encryption parameter, the second encryption parameter and the second integral metric value through a built-in key of a central processing unit to obtain the symmetric key.

8. The method of claim 1, wherein prior to the first program obtaining the first authorization key for the first secure code space, the method further comprises:

the central processor creates a plurality of secure code spaces;

the central processor determines the first secure code space and the second secure code space.

9. The method of claim 8, wherein after creating the plurality of secure code spaces, the method further comprises:

the central processor determines the identity of the secure code space in the process of creating the secure code space;

the central processing unit stores an authorization key of a program corresponding to the secure code space, wherein the authorization key is used for protecting an asymmetric key corresponding to the authorization key;

the central processing unit acquires an integral measurement value of the security code space;

the central processing unit calls a security chip to encrypt the integral measurement value by using the asymmetric key through the authorization key to obtain integral measurement information;

the central processor registers the identity and the overall metric information of the security code space.

10. The method of claim 9, wherein the central processor updates the asymmetric key of the secure code space at a predetermined period.

11. The method of claim 1, wherein after the first program receives the verification result returned by the second program, the method further comprises:

and if the verification result shows that the second secure code space successfully authenticates the first secure code space, the second program calls the data of the first program.

12. A method of authenticating a secure code space, comprising:

the second program acquires a second report key;

the second program uses the second report key to calculate a first overall metric value of a first security code space, and generates a second message authentication code;

the second program obtains a verification result based on the second message authentication code and the first message authentication code, wherein the first message authentication code is obtained by the first program through operation on a first overall metric value of a first security code space by using a first report key;

the second program returns the verification result to the first program.

13. The method of claim 12, wherein the second program obtains a second reporting key comprising:

the second program acquires a second authorization key of a second security code space;

the second program retrieves a second asymmetric key from the security chip based on a second authorization key of the second security code space;

and the second program encrypts the acquired symmetric key by using the second asymmetric key to generate a second report key.

14. The method according to claim 12, wherein the second program obtains the verification result based on the second message authentication code and the first message authentication code, and comprises:

if the second message authentication code is the same as the first message authentication code or a preset matching condition is met, determining that the second security code space successfully authenticates the first security code space;

and if the second message authentication code is different from the first message authentication code or does not reach a preset matching condition, determining that the second security code space fails to authenticate the first security code space.

15. The method of claim 13, wherein the second program encrypts the obtained symmetric key using the second asymmetric key to generate a second report key, and wherein the second report key comprises:

the second program generating the symmetric key;

and the second program encrypts the symmetric key through the second asymmetric key to obtain the second report key.

16. The method of claim 15, wherein the second program uses the second reporting key to operate on a second overall metric value of the second secure code space to generate a second message authentication code, comprising:

the second program obtains a first overall metric value of the first security code space;

the second program determines a message authentication code corresponding to the first overall metric value through a message authentication signature algorithm based on the second report key;

the second program determines a message authentication code based on the second reporting key confirmation as the second message authentication code.

17. The method of claim 15, wherein the second program generates the symmetric key, comprising:

the second program obtains a first encryption parameter, a second encryption parameter and a third encryption parameter, wherein the first encryption parameter is a root key preset when the SGX is started, the second encryption parameter is platform information, and the third encryption parameter is a second overall metric value of the second security code space;

and the second program carries out a key generation algorithm on the first encryption parameter, the second encryption parameter and the third encryption parameter through a built-in key of a central processing unit to obtain the symmetric key.

18. A method for registering a secure code space,

determining an identity of the secure code space during creation of the secure code space;

storing an authorization key of a program corresponding to the secure code space into the secure code space, wherein the authorization key is used for protecting an asymmetric key of the secure code space created by a secure chip;

acquiring an integral measurement value of the security code space;

encrypting the integral metric value by using the asymmetric key by calling the authorization key to obtain integral metric value information;

and storing the identity identification and the integral metric value information of the security code space.

19. The method of claim 18, wherein the asymmetric key of the secure code space is updated at a predetermined period.

20. A storage medium, characterized in that the storage medium includes a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to execute the following steps: a first program acquires a first report key; the first program uses the first report key to calculate a first integral metric value of a first security code space, and generates a first message authentication code; the first program sends the first message authentication code to a second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

21. A processor, wherein the processor is configured to execute a program, wherein the program executes to perform the following steps: a first program acquires a first report key; the first program uses the first report key to calculate a first integral metric value of a first security code space, and generates a first message authentication code; the first program sends the first message authentication code to a second program; and the first program receives a verification result returned by the second program, wherein the verification result is used for representing whether the second security code space of the second program successfully authenticates the first security code space.

22. An authentication system of a program, comprising:

a processor; and

a memory coupled to the processor for providing instructions to the processor for processing the following processing steps:

a first program acquires a first report key;