CN111339536A - Data verification method and device based on secure execution environment - Google Patents

Data verification method and device based on secure execution environment

Info

Publication number: CN111339536A
Application number: CN202010412501.6A
Authority: CN (China)
Legal status: Granted; currently active
Prior art keywords: data, decrypted, user, execution environment, secure execution
Other languages: Chinese (zh)
Other versions: CN111339536B (en)
Inventors: 韩喆, 张鸿
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd

Events:
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010412501.6A
Publication of CN111339536A
Application granted
Publication of CN111339536B
Priority to PCT/CN2021/093851

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

A data verification method and device based on a secure execution environment are disclosed. The decryption key of the intermediate service party may be written into the secure execution environment in advance. When a user requests the trusted computing device to prove that the user has ownership of the plaintext data, the trusted computing device obtains first encrypted data specified by the user from the blockchain; the first encrypted data was submitted to the blockchain by the intermediate service party after it encrypted the plaintext data with its own encryption key. The trusted computing device may execute, within the secure execution environment, decryption of the first encrypted data with the decryption key of the intermediate service party to obtain first decrypted data. If the trusted computing device determines that the plaintext data and the first decrypted data are consistent, it can prove that the user has ownership of the plaintext data. With this scheme, the user can be proved to have ownership of the plaintext data while the key privacy of the intermediate service party is better protected.

Description

Data verification method and device based on secure execution environment
Technical Field
The embodiment of the specification relates to the technical field of information, in particular to a data verification method and device based on a secure execution environment.
Background
At present, many users need to store their own data on a blockchain without disclosing that data.
Generally, a user does not access a blockchain node directly to upload data, but uploads it through an intermediate service party that is able to interface with a blockchain node. Specifically, the user designates to the intermediate service party the plaintext data to be stored as evidence; the intermediate service party encrypts the acquired plaintext data with its own encryption key and uploads the encrypted data to the blockchain node it interfaces with, so that the encrypted data is stored as evidence on the blockchain.
However, this method can only prove that the user is the owner of the encrypted data; it is difficult to prove that the user is the owner of the plaintext data.
Disclosure of Invention
In order to solve the problem that existing blockchain-based data verification methods can hardly prove that a user is the owner of plaintext data, embodiments of the present specification provide a data verification method and apparatus based on a secure execution environment. The technical scheme is as follows:
according to the first aspect of the embodiments of the present specification, there is provided a data verification method based on a secure execution environment, applied to a trusted computing device in which a secure execution environment is created and the decryption key of an intermediate server is stored in the secure execution environment, the method including:
acquiring plaintext data uploaded by a user, and acquiring first encrypted data specified by the user from a block chain; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
executing, by the secure execution environment: decrypting the first encrypted data by using the decryption key of the intermediate server to obtain first decrypted data;
and comparing the first decrypted data with the plaintext data, and if the first decrypted data is consistent with the plaintext data, outputting a proving result for proving that the user has ownership of the plaintext data.
According to the second aspect of the embodiments of the present specification, there is provided another secure execution environment-based data verification method applied to a trusted computing device in which a secure execution environment is created and the decryption key of an intermediate server and the decryption key of a user are stored in the secure execution environment, the method including:
acquiring second encrypted data uploaded by the user, and acquiring first encrypted data specified by the user from a block chain; the second encrypted data is obtained by encrypting the plaintext data by the user by using an own encryption key; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
performing, by the secure execution environment, the steps of:
decrypting the first encrypted data by using the decryption key of the intermediate server to obtain first decrypted data, and decrypting the second encrypted data by using the decryption key of the user to obtain second decrypted data;
and comparing the first decrypted data with the second decrypted data, and if the first decrypted data is consistent with the second decrypted data, outputting a certification result for certifying that the user has ownership of the plaintext data.
According to the third aspect of the embodiments of the present specification, there is provided a secure execution environment-based data verification apparatus applied to a trusted computing device, the apparatus creating a secure execution environment in which the decryption key of an intermediate server is stored, the apparatus including:
the acquisition module acquires plaintext data uploaded by a user and acquires first encrypted data specified by the user from a block chain; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
a decryption module that executes, by the secure execution environment: decrypting the first encrypted data by using the decryption key of the intermediate server to obtain first decrypted data;
and the comparison module is used for comparing the first decrypted data with the plaintext data, and if the first decrypted data is consistent with the plaintext data, outputting a certification result for certifying that the user has ownership of the plaintext data.
According to the fourth aspect of the embodiments of the present specification, there is provided another secure execution environment-based data verification apparatus applied to a trusted computing device, the apparatus creating a secure execution environment in which the decryption key of an intermediate server and the decryption key of a user are stored, the apparatus including:
the acquisition module is used for acquiring second encrypted data uploaded by the user and acquiring first encrypted data appointed by the user from a block chain; the second encrypted data is obtained by encrypting the plaintext data by the user by using an own encryption key; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
the decryption module decrypts the first encrypted data by using the decryption key of the intermediate service party through the secure execution environment to obtain first decrypted data, and decrypts the second encrypted data by using the decryption key of the user to obtain second decrypted data;
and the comparison module compares the first decrypted data with the second decrypted data through the secure execution environment, and if the first decrypted data is consistent with the second decrypted data, a certification result is output and used for certifying that the user has ownership of the plaintext data.
According to the technical scheme provided by the embodiments of the specification, the trusted computing device performs the data verification that proves the user has ownership of the plaintext data. In particular, a secure execution environment has to be created in the trusted computing device: information stored in the secure execution environment and the computing processes executed in it are not leaked outside the secure execution environment, and nobody (not even the controller of the trusted computing device) can access the secure execution environment to obtain that information. The decryption key of the intermediate service party may be written into the secure execution environment in advance. When a user requests the trusted computing device to prove that the user has ownership of the plaintext data, the trusted computing device obtains first encrypted data specified by the user from the blockchain; the first encrypted data was submitted to the blockchain by the intermediate service party after it encrypted the plaintext data with its own encryption key. The trusted computing device may execute, within the secure execution environment, decryption of the first encrypted data with the decryption key of the intermediate service party to obtain first decrypted data, so that neither the decryption key of the intermediate service party nor the decryption process (from which the encryption algorithm might otherwise be inferred) is leaked. If the trusted computing device determines that the plaintext data and the first decrypted data are consistent, it can prove that the user has ownership of the plaintext data.
Through the embodiments of the specification, the user can be proved to have ownership of the plaintext data without revealing the decryption key of the intermediate service party.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of embodiments of the invention.
In addition, any one of the embodiments in the present specification is not required to achieve all of the effects described above.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present specification, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a flow diagram of a method for data validation based on a secure execution environment;
FIG. 2 is a flow chart illustrating another method for data verification based on a secure execution environment according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a data verification apparatus based on a secure execution environment according to an embodiment of the present specification;
FIG. 4 is a schematic structural diagram of another data verification apparatus based on a secure execution environment according to an embodiment of the present specification;
fig. 5 is a schematic structural diagram of an apparatus for configuring a method according to an embodiment of the present disclosure.
Detailed Description
In a forensics scenario, a user often lacks the capability to collect evidence, so evidence is collected by means of the forensics capability of an intermediate service party, and the collected evidence is then stored on a blockchain by means of the intermediate service party's ability to interface with the blockchain.
Therefore, in a forensics scenario, the data owned by a user is not data the user produced directly, but data the user asked the intermediate service party to acquire on the user's behalf. For example, a user who wrote a song finds pirated copies of it on a certain music website, requests the intermediate service party to take a webpage screenshot of that website, and has the screenshot submitted to the blockchain as evidence. After the intermediate service party has performed the evidence collection and storage operations, it sends the screenshot obtained as evidence to the user for safekeeping.
In this mode of storing data on a blockchain, a user who does not want to disclose the data to be stored can request the intermediate service party to encrypt the plaintext data after acquiring it and before performing the storage operation. The intermediate service party then submits the encrypted data to the blockchain as evidence.
However, existing data verification approaches are typically performed by the blockchain network. The blockchain network can only prove that the user is the owner of the encrypted data; because the encrypted data was encrypted with the encryption key of the intermediate service party rather than with the user's own encryption key, the user can hardly prove to a third party that the encrypted data stored on the blockchain is really the ciphertext of the plaintext data the user holds.
In the embodiments of the present specification, the key privacy of the intermediate service party is protected while it can be verified that the encrypted data stored on the blockchain is really the ciphertext of the plaintext data held by the user.
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of protection.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of a data verification method based on a secure execution environment, which includes the following steps:
S100: plaintext data uploaded by a user is obtained, and first encrypted data specified by the user is obtained from a blockchain.
The subject that executes the method shown in fig. 1 is a trusted computing device. A secure execution environment is created in the trusted computing device, and the decryption key of an intermediate service party is stored in the secure execution environment.
The secure execution environment has the property that the trusted computing device itself has no right to obtain the information stored in the secure execution environment or the computing processes executed in it.
It should be noted that the secure execution environment described here may specifically be a hardware-level secure element (SE) chip built into the trusted computing device.
Alternatively, the secure execution environment may be a software-level Trusted Execution Environment (TEE). The TEE is a program execution environment that coexists with the operating system of the trusted computing device.
When a user needs the trusted computing device to verify data, the user on the one hand uploads the plaintext data to be verified to the trusted computing device, and on the other hand specifies to the trusted computing device the blockchain data to be compared against, namely the encrypted data that the intermediate service party obtained by encrypting the plaintext data with its own encryption key and submitted to the blockchain beforehand.
S102: executing, by the secure execution environment: and decrypting the first encrypted data by using the decryption key of the intermediate service party to obtain first decrypted data.
Since neither the decryption key of the intermediate service party nor the computation that decrypts the first encrypted data with that key may be leaked, the decryption with the intermediate service party's key has to be performed inside the secure execution environment.
S104: and comparing the first decrypted data with the plaintext data, and if the first decrypted data is consistent with the plaintext data, outputting a proving result for proving that the user has ownership of the plaintext data.
Furthermore, the data format (e.g. arrangement rule, encoding rule) of the data that the intermediate service party sends to the user during the evidence collection and storage phases is sometimes not identical to the data format of the data used to generate the first decrypted data, even though the two differently formatted pieces of data are actually the same evidence.
For this reason, before comparing the first decrypted data with the plaintext data, the trusted computing device checks whether the data formats of the first decrypted data and the plaintext data differ and, if so, processes the two so that they have the same data format. This manner of processing data in different data formats into data with the same data format is generally referred to as heterogeneous data interfacing.
In addition, in this embodiment of the present specification, if the first decrypted data does not match the plaintext data, the trusted computing device may refuse to output the proof result, and may further output a negative result to indicate that the user is not the owner of the plaintext data.
Further, users sometimes worry that the plaintext data may be intercepted by others while it is being uploaded to the trusted computing device. To this end, the embodiments of the present specification provide another data verification method based on a secure execution environment.
Fig. 2 is a flowchart of another data verification method based on a secure execution environment according to an embodiment of the present specification, including the following steps:
S200: second encrypted data uploaded by the user is obtained, and first encrypted data specified by the user is obtained from a blockchain.
S202: and decrypting the first encrypted data by using the decryption key of the intermediate service party through the secure execution environment to obtain first decrypted data, and decrypting the second encrypted data by using the decryption key of the user to obtain second decrypted data.
S204: and comparing the first decrypted data with the second decrypted data through the secure execution environment, and if the first decrypted data is consistent with the second decrypted data, outputting a certification result for certifying that the user has ownership of the plaintext data.
The method shown in fig. 2 is a modification of the method shown in fig. 1. Only the differences between the method shown in fig. 2 and the method shown in fig. 1 are described here.
In the method shown in fig. 2, the secure execution environment stores not only the decryption key of the intermediate server but also the decryption key of the user. In this manner, the user may upload the second encrypted data to the trusted computing device. The second encrypted data is obtained by encrypting the plaintext data by the user using the own encryption key.
Accordingly, the trusted computing device needs to decrypt the second encrypted data in the secure execution environment, so as to ensure that the decryption key of the user is not leaked from the decryption process of the second encrypted data.
In addition, the trusted computing device needs to compare the first decrypted data with the second decrypted data in the secure execution environment to ensure that the first decrypted data and the second decrypted data are not leaked.
In the method shown in fig. 2, before comparing the first decrypted data with the second decrypted data, if it is determined that the data formats of the first decrypted data and the second decrypted data are different, the first decrypted data and the second decrypted data may be processed to have the same data format through the secure execution environment.
In addition, if the first decrypted data is inconsistent with the second decrypted data, the trusted computing device refuses to output the proof result and may further output a failure result indicating that the user is not the owner of the plaintext data.
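The two flows above, S100 to S104 in fig. 1 (plaintext uploaded) and S200 to S204 in fig. 2 (user-encrypted data uploaded), modelled as an added example; this is constructed code, not the patent's implementation. It assumes a Python object standing in for the SE/TEE, an HMAC-SHA256 keystream as a stand-in for whatever cipher the parties really use, and a constructed `canonical_form` rule (BOM, line endings, trailing whitespace) as one instance of the format processing the text calls heterogeneous data interfacing.

```python
"""Toy model of the fig. 1 and fig. 2 verification flows (constructed example).

The SecureExecutionEnvironment class stands in for a hardware SE / TEE: it
holds the decryption keys and only ever returns a ProofResult, never the
decrypted data. The cipher is a keystream built from HMAC-SHA256 in counter
mode, a stdlib stand-in for the real cipher of the intermediate service party.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for block, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[pos:pos + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prepend a fresh 16-byte nonce so the same plaintext never repeats a keystream."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key, ciphertext[:16], ciphertext[16:])


def canonical_form(data: bytes) -> bytes:
    """Heterogeneous data interfacing (assumed rule): bring both copies of the
    evidence to one format before comparing. Here: strip a UTF-8 BOM, normalise
    CRLF to LF and drop trailing whitespace. A real deployment would apply the
    actual arrangement and encoding rules of its evidence format instead."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.replace(b"\r\n", b"\n").rstrip()


@dataclass(frozen=True)
class ProofResult:
    owner: bool   # True: certification result; False: negative/failure result
    reason: str


class SecureExecutionEnvironment:
    """Everything below runs 'inside' the enclave; only ProofResult leaves it."""

    def __init__(self, intermediary_key: bytes, user_key: Optional[bytes] = None):
        self._intermediary_key = intermediary_key   # provisioned in advance
        self._user_key = user_key                   # only needed for the fig. 2 flow

    def _compare(self, first: bytes, second: bytes) -> ProofResult:
        a, b = canonical_form(first), canonical_form(second)
        # constant-time comparison so timing does not reveal where the data diverges
        if hmac.compare_digest(a, b):
            return ProofResult(True, "decrypted on-chain data matches")
        return ProofResult(False, "decrypted on-chain data does not match")

    def prove_with_plaintext(self, plaintext: bytes, first_encrypted: bytes) -> ProofResult:
        """Fig. 1: S102 decrypt the on-chain ciphertext, S104 compare with the plaintext."""
        first_decrypted = decrypt(self._intermediary_key, first_encrypted)
        return self._compare(first_decrypted, plaintext)

    def prove_with_ciphertext(self, second_encrypted: bytes, first_encrypted: bytes) -> ProofResult:
        """Fig. 2: S202 decrypt both ciphertexts in the enclave, S204 compare them."""
        if self._user_key is None:
            return ProofResult(False, "no user decryption key provisioned")
        first_decrypted = decrypt(self._intermediary_key, first_encrypted)
        second_decrypted = decrypt(self._user_key, second_encrypted)
        return self._compare(first_decrypted, second_decrypted)


if __name__ == "__main__":
    # constructed sample: the intermediary stores LF-terminated bytes on chain,
    # the copy it handed to the user carries a BOM and CRLF line endings
    key_i, key_u = os.urandom(32), os.urandom(32)
    on_chain = encrypt(key_i, b"screenshot bytes\nline two")
    user_copy = b"\xef\xbb\xbfscreenshot bytes\r\nline two\r\n"
    env = SecureExecutionEnvironment(key_i, key_u)
    print(env.prove_with_plaintext(user_copy, on_chain))
    print(env.prove_with_ciphertext(encrypt(key_u, user_copy), on_chain))
```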
Fig. 3 is a schematic structural diagram of a data verification apparatus based on a secure execution environment according to an embodiment of the present specification, which is applied to a trusted computing device, and in which a secure execution environment is created, and a decryption key of an intermediate server is stored in the secure execution environment, and the apparatus includes:
an obtaining module 301, configured to obtain plaintext data uploaded by a user, and obtain first encrypted data specified by the user from a blockchain; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
a decryption module 302, executing, by the secure execution environment: decrypting the first encrypted data by using the decryption key of the intermediate server to obtain first decrypted data;
a comparison module 303, configured to compare the first decrypted data with the plaintext data, and if the first decrypted data is consistent with the plaintext data, output a certification result for certifying that the user has ownership of the plaintext data.
The device further comprises:
the format processing module 304, before comparing the first decrypted data with the plaintext data, processes the first decrypted data and the plaintext data to have the same data format if it is determined that the data formats of the first decrypted data and the plaintext data are different.
Fig. 4 is a schematic structural diagram of another data verification apparatus based on a secure execution environment according to an embodiment of the present specification, which is applied to a trusted computing device, and in which a secure execution environment is created, and a decryption key of an intermediate server and a decryption key of a user are stored in the secure execution environment, where the apparatus includes:
an obtaining module 401, configured to obtain the second encrypted data uploaded by the user, and obtain the first encrypted data specified by the user from the blockchain; the second encrypted data is obtained by encrypting the plaintext data by the user by using an own encryption key; the first encrypted data is submitted to a block chain after the intermediate server side encrypts the plaintext data by using an own encryption key;
a decryption module 402, configured to decrypt, through the secure execution environment, the first encrypted data using the decryption key of the intermediate server to obtain first decrypted data, and decrypt, using the decryption key of the user, the second encrypted data to obtain second decrypted data;
a comparing module 403, comparing the first decrypted data with the second decrypted data through the secure execution environment, and if the first decrypted data is consistent with the second decrypted data, outputting a proving result for proving that the user has ownership of the plaintext data.
The device further comprises:
a format processing module 404, configured to, by the secure execution environment, before comparing the first decrypted data with the second decrypted data, process the first decrypted data and the second decrypted data to have the same data format if it is determined that the data formats of the first decrypted data and the second decrypted data are different.
Embodiments of the present specification further provide a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the program to implement the method performed by the client device or the server device in the present specification.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure, where the computing device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The embodiments of the present specification also provide a computer-readable storage medium, on which a computer program is stored, and the program, when executed by a processor, implements the method performed by the client device or the server device in the present specification.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal or a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a service device, or a network device) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, methods, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner; identical and similar parts among the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus embodiment is substantially similar to the method embodiment and is therefore described relatively briefly; for relevant points, reference may be made to the description of the method embodiment. The apparatus embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and when the embodiments of the present disclosure are implemented, the functions of the modules may be implemented in one or more pieces of software and/or hardware. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
The foregoing is only a specific embodiment of the present disclosure. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principles of the embodiments of the present disclosure, and these modifications and refinements should also be regarded as falling within the protection scope of the embodiments of the present disclosure.

Claims (11)

1. A secure execution environment-based data verification method applied to a trusted computing device, the trusted computing device creating a secure execution environment in which a decryption key of an intermediate server is stored, the method comprising:
acquiring plaintext data uploaded by a user, and acquiring first encrypted data specified by the user from a blockchain, the first encrypted data having been submitted to the blockchain by the intermediate server after encrypting the plaintext data with its own encryption key;
executing, by the secure execution environment: decrypting the first encrypted data with the decryption key of the intermediate server to obtain first decrypted data; and
comparing the first decrypted data with the plaintext data, and if the first decrypted data is consistent with the plaintext data, outputting a proving result proving that the user has ownership of the plaintext data.
2. The method of claim 1, further comprising, before comparing the first decrypted data with the plaintext data:
if the data formats of the first decrypted data and the plaintext data are different, processing the first decrypted data and the plaintext data so that they have the same data format.
3. The method of claim 1, further comprising:
if the first decrypted data is inconsistent with the plaintext data, refusing to output the proving result.
4. A secure execution environment-based data verification method applied to a trusted computing device, wherein a secure execution environment is created in the trusted computing device, and a decryption key of an intermediate server and a decryption key of a user are stored in the secure execution environment, the method comprising:
acquiring second encrypted data uploaded by the user, and acquiring first encrypted data specified by the user from a blockchain; the second encrypted data is obtained by the user encrypting the plaintext data with the user's own encryption key, and the first encrypted data is submitted to the blockchain by the intermediate server after encrypting the plaintext data with its own encryption key;
performing, by the secure execution environment, the steps of:
decrypting the first encrypted data with the decryption key of the intermediate server to obtain first decrypted data, and decrypting the second encrypted data with the decryption key of the user to obtain second decrypted data; and
comparing the first decrypted data with the second decrypted data, and if the first decrypted data is consistent with the second decrypted data, outputting a proving result proving that the user has ownership of the plaintext data.
5. The method of claim 4, further performing, by the secure execution environment, the step of:
before comparing the first decrypted data with the second decrypted data, if it is determined that the data formats of the first decrypted data and the second decrypted data are different, processing the first decrypted data and the second decrypted data so that they have the same data format.
6. The method of claim 4, further comprising:
if the first decrypted data is inconsistent with the second decrypted data, refusing to output the proving result.
7. A secure execution environment-based data verification apparatus for a trusted computing device, the apparatus having a secure execution environment created therein in which a decryption key of an intermediate server is stored, the apparatus comprising:
an acquisition module, which acquires plaintext data uploaded by a user and acquires first encrypted data specified by the user from a blockchain, the first encrypted data having been submitted to the blockchain by the intermediate server after encrypting the plaintext data with its own encryption key;
a decryption module, which executes, by the secure execution environment: decrypting the first encrypted data with the decryption key of the intermediate server to obtain first decrypted data; and
a comparison module, which compares the first decrypted data with the plaintext data and, if the first decrypted data is consistent with the plaintext data, outputs a proving result proving that the user has ownership of the plaintext data.
8. The apparatus of claim 7, further comprising:
a format processing module, which, before the first decrypted data is compared with the plaintext data, processes the first decrypted data and the plaintext data into the same data format if the data format of the first decrypted data differs from that of the plaintext data.
9. A secure execution environment-based data verification apparatus for a trusted computing device, the apparatus creating a secure execution environment in which a decryption key of an intermediate server and a decryption key of a user are stored, the apparatus comprising:
an acquisition module, which acquires second encrypted data uploaded by the user and acquires first encrypted data specified by the user from a blockchain; the second encrypted data is obtained by the user encrypting the plaintext data with the user's own encryption key, and the first encrypted data is submitted to the blockchain by the intermediate server after encrypting the plaintext data with its own encryption key;
a decryption module, which, through the secure execution environment, decrypts the first encrypted data with the decryption key of the intermediate server to obtain first decrypted data, and decrypts the second encrypted data with the decryption key of the user to obtain second decrypted data; and
a comparison module, which, through the secure execution environment, compares the first decrypted data with the second decrypted data and, if the first decrypted data is consistent with the second decrypted data, outputs a proving result proving that the user has ownership of the plaintext data.
10. The apparatus of claim 9, further comprising:
a format processing module, which, through the secure execution environment and before the first decrypted data is compared with the second decrypted data, processes the first decrypted data and the second decrypted data into the same data format if the data format of the first decrypted data differs from that of the second decrypted data.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 6 when executing the program.
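As an added illustration (not code from the patent or its applicant), the following Python models claims 1 to 6: an environment standing in for the secure execution environment holds the intermediate server's and the user's decryption keys, decrypts the on-chain record inside it, brings both sides to one data format, and outputs a proving result only when they match, refusing otherwise. The cipher (a SHA-256 keystream with an HMAC tag) and the JSON canonicalisation are stand-ins chosen so the example runs with the standard library; the claims specify neither.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream: stdlib stand-in for the unspecified cipher."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first, so a tampered record yields no plaintext at all."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def canonical(data: bytes) -> bytes:
    """Claims 2/5: one data format for both sides. Assumed format: JSON (key order, whitespace)."""
    return json.dumps(json.loads(data), sort_keys=True, separators=(",", ":")).encode()


class SecureExecutionEnvironment:
    """Models the TEE of the claims: keys and the decrypt-and-compare step stay inside it."""

    def __init__(self, server_key: bytes, user_key: bytes = None):
        self._server_key = server_key  # intermediate server's decryption key
        self._user_key = user_key      # user's decryption key (claims 4-6 only)

    def _compare(self, first_decrypted: bytes, other: bytes):
        # Constant-time comparison is the practitioner's choice, not in the claims.
        if hmac.compare_digest(canonical(first_decrypted), canonical(other)):
            return {"ownership_proven": True}  # the "proving result" of the claims
        return None  # claims 3/6: refuse to output a proving result

    def verify_plaintext(self, plaintext: bytes, first_encrypted: bytes):
        """Claim 1: the user uploads plaintext; the on-chain record is decrypted here."""
        try:
            return self._compare(decrypt(self._server_key, first_encrypted), plaintext)
        except ValueError:  # tampered record or malformed data: no proof
            return None

    def verify_ciphertext(self, second_encrypted: bytes, first_encrypted: bytes):
        """Claim 4: the user uploads data encrypted under the user's own key."""
        try:
            return self._compare(decrypt(self._server_key, first_encrypted),
                                 decrypt(self._user_key, second_encrypted))
        except ValueError:
            return None
```

The code models only the in-environment logic; how the proving result is bound to the environment that produced it (for instance by attestation) is outside what the claims describe.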
CN202010412501.6A 2020-05-15 2020-05-15 Data verification method and device based on secure execution environment Active CN111339536B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010412501.6A CN111339536B (en) 2020-05-15 2020-05-15 Data verification method and device based on secure execution environment
PCT/CN2021/093851 WO2021228230A1 (en) 2020-05-15 2021-05-14 Data verification method and apparatus based on secure execution environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010412501.6A CN111339536B (en) 2020-05-15 2020-05-15 Data verification method and device based on secure execution environment

Publications (2)

Publication Number Publication Date
CN111339536A true CN111339536A (en) 2020-06-26
CN111339536B CN111339536B (en) 2020-11-24

Family

ID=71186461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010412501.6A Active CN111339536B (en) 2020-05-15 2020-05-15 Data verification method and device based on secure execution environment

Country Status (2)

Country Link
CN (1) CN111339536B (en)
WO (1) WO2021228230A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111680305A (en) * 2020-07-31 2020-09-18 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment based on block chain
CN112287376A (en) * 2020-11-20 2021-01-29 支付宝(杭州)信息技术有限公司 Method and device for processing private data
WO2021228230A1 (en) * 2020-05-15 2021-11-18 支付宝(杭州)信息技术有限公司 Data verification method and apparatus based on secure execution environment
EP3945695A1 (en) * 2020-07-31 2022-02-02 Alipay (Hangzhou) Information Technology Co., Ltd. Method, apparatus, and device for processing blockchain data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109472166A (en) * 2018-11-01 2019-03-15 恒生电子股份有限公司 A kind of electronic signature method, device, equipment and medium
CN109768865A (en) * 2019-01-18 2019-05-17 深圳市威赫科技有限公司 Block chain upper body part under credible performing environment digitizes realization method and system
CN109960903A (en) * 2017-12-26 2019-07-02 中移(杭州)信息技术有限公司 A kind of method, apparatus, electronic equipment and storage medium that application is reinforced
CN110851870A (en) * 2019-11-14 2020-02-28 中国人民解放军国防科技大学 Block chain privacy protection method, system and medium based on trusted execution environment
CN111079157A (en) * 2019-11-21 2020-04-28 山东爱城市网信息技术有限公司 Secret fragmentation trusteeship platform based on block chain, equipment and medium
CN111095865A (en) * 2019-07-02 2020-05-01 阿里巴巴集团控股有限公司 System and method for issuing verifiable claims

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107295002B (en) * 2017-07-12 2020-06-19 联动优势科技有限公司 Cloud data storage method and server
CN109308418B (en) * 2017-07-28 2021-09-24 创新先进技术有限公司 Model training method and device based on shared data
CN109740317A (en) * 2018-12-29 2019-05-10 北京奇虎科技有限公司 A kind of digital finger-print based on block chain deposits card method and device
CN111339536B (en) * 2020-05-15 2020-11-24 支付宝(杭州)信息技术有限公司 Data verification method and device based on secure execution environment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109960903A (en) * 2017-12-26 2019-07-02 中移(杭州)信息技术有限公司 A kind of method, apparatus, electronic equipment and storage medium that application is reinforced
CN109472166A (en) * 2018-11-01 2019-03-15 恒生电子股份有限公司 A kind of electronic signature method, device, equipment and medium
CN109768865A (en) * 2019-01-18 2019-05-17 深圳市威赫科技有限公司 Block chain upper body part under credible performing environment digitizes realization method and system
CN111095865A (en) * 2019-07-02 2020-05-01 阿里巴巴集团控股有限公司 System and method for issuing verifiable claims
CN110851870A (en) * 2019-11-14 2020-02-28 中国人民解放军国防科技大学 Block chain privacy protection method, system and medium based on trusted execution environment
CN111079157A (en) * 2019-11-21 2020-04-28 山东爱城市网信息技术有限公司 Secret fragmentation trusteeship platform based on block chain, equipment and medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021228230A1 (en) * 2020-05-15 2021-11-18 支付宝(杭州)信息技术有限公司 Data verification method and apparatus based on secure execution environment
CN111680305A (en) * 2020-07-31 2020-09-18 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment based on block chain
EP3945695A1 (en) * 2020-07-31 2022-02-02 Alipay (Hangzhou) Information Technology Co., Ltd. Method, apparatus, and device for processing blockchain data
US11265174B2 (en) 2020-07-31 2022-03-01 Alipay (Hangzhou) Information Technology Co., Ltd. Method, apparatus, and device for processing blockchain data
CN112287376A (en) * 2020-11-20 2021-01-29 支付宝(杭州)信息技术有限公司 Method and device for processing private data
CN112287376B (en) * 2020-11-20 2024-05-28 支付宝(杭州)信息技术有限公司 Method and device for processing privacy data

Also Published As

Publication number Publication date
WO2021228230A1 (en) 2021-11-18
CN111339536B (en) 2020-11-24

Similar Documents

Publication Publication Date Title
KR102451109B1 (en) Generate key proofs that provide device anonymity
CN111339536B (en) Data verification method and device based on secure execution environment
WO2021013245A1 (en) Data key protection method and system, electronic device and storage medium
CN112291190B (en) Identity authentication method, terminal and server
CN110457898B (en) Operation record storage method, device and equipment based on trusted execution environment
CN110245518B (en) Data storage method, device and equipment
CN111461883A (en) Transaction processing method and device based on block chain and electronic equipment
TW202031010A (en) Data storage method and device, and apparatus
CN114629639A (en) Key management method and device based on trusted execution environment and electronic equipment
CN114553590A (en) Data transmission method and related equipment
CN113282951B (en) Application program security verification method, device and equipment
CN116502189A (en) Software authorization method, system, device and storage medium
TWI546698B (en) Login system based on servers, login authentication server, and authentication method thereof
CN107463808B (en) Method for calling functional module integrated in operating system
CN115525930A (en) Information transfer method, device and related equipment
CN115277225A (en) Data encryption method, data decryption method and related equipment
CN111935138B (en) Protection method and device for secure login and electronic equipment
KR102512871B1 (en) Centralized private key management method for multiple user devices related to a single public key
CN110912697B (en) Scheme request verification method, device and equipment
CN115952518B (en) Data request method, device, electronic equipment and storage medium
CN117040746B (en) CDN client encryption anti-theft chain implementation method and electronic equipment
CN115617323A (en) Low-code development framework-based security component generation method and related equipment
CN118316615A (en) Data transmission method, apparatus, medium, device and computer program product
CN117436875A (en) Service execution method and device, storage medium and electronic equipment
CN115438352A (en) Data processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40030183
Country of ref document: HK