CN111769935A - User private key protection system based on SGX and ORAM technology - Google Patents
User private key protection system based on SGX and ORAM technology
Publication number: CN111769935A (application CN202010488464.7A)
Authority: CN (China)
Prior art keywords: data, enclave, oram, control node, node
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
- H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
- H04L9/0841: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/3242: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention relates to a user private key protection system based on SGX and ORAM technology, comprising a user terminal and a server in communication connection. The user terminal is provided with a user node Enclave, which comprises a private key storage and encryption area; a control node Enclave and a data node Enclave are arranged on the server. The control node Enclave comprises a code execution area, an ORAM controller and a data storage area: the code execution area executes code; the ORAM controller comprises an ORAM data mapping table and a cache area and fetches data from the data node Enclave after receiving a data request from the code execution area; the data storage area temporarily stores the data required by the code, retrieved from the cache area. The data node Enclave stores user data and comprises an ORAM tree and a data reader. The data node Enclave and the control node Enclave establish encryption through mutual key agreement and perform mutual security authentication. The technical scheme provided by the invention can improve the security of user private key storage.
Description
Technical Field
The invention belongs to the technical field of user private key protection, and particularly relates to a user private key protection system based on SGX and ORAM technologies.
Background
With the rapid development of cloud computing, cloud services with high reliability and expandability bring convenience to people, and general users encrypt data contents before uploading private data to a cloud server, so that even if an unauthorized person steals the encrypted data, real information of the data cannot be obtained.
In a cloud outsourcing computing environment, the local computing capacity of participants is very limited, a cloud computing service provider provides computing resources at a low price, the cloud computing service provider provides encryption service and key management service, and a user only needs to store a private key for verifying the identity of the user. In this scenario, if a user needs to view data at the cloud virtual user terminal, the user must send its private key to the cloud virtual machine, and the private key needs to be mapped to the memory when verifying the identity and decrypting the key.
SGX, as a trusted computing technology, can protect the confidentiality and integrity of user data together with technologies such as TPM, can realize strict access control, and protects the security of a user application program at run time. SGX reduces each Enclave's Trusted Computing Base (TCB) to the CPU and the Enclave itself; no unauthorized visitor, including the operating system, privileged users or even the kernel, can access this region.
While SGX provides confidentiality and integrity guarantees for code and data against memory attacks, the code and critical data that the user runs in the Enclave can still be inferred indirectly through certain code injection attacks or side-channel attacks. The following protection methods are currently available for dealing with these attacks:
The scheme proposed by Jaebaek is SGX-Shield, which enhances security: a single structure strictly grants the read, write and execute permissions of each memory interface while a fine-grained randomization method addresses the limited memory space, coarse-grained software fault isolation protects some non-relocatable data structures, and ASLR is realized inside SGX. When a program runs in SGX-Shield, structures such as its heap and stack are relocated on every run and the positions of key code and data are hidden, so that code injection attacks and some SGX side-channel attacks can be resisted. However, by studying the program's access pattern while it runs, an attacker can still deduce the location of the key data.
Ahmad et al. proposed the OBFUSCURO system, which pioneered a combined software and hardware solution to access pattern leakage using SGX together with ORAM. Before the Enclave runs, code and data are compiled into fine-grained code blocks and data blocks by an LLVM compiler, and the number of data accesses of one code block is strictly limited to one. OBFUSCURO initializes the following structure when the Enclave is built: two ORAM trees, C-Tree and D-Tree, with two corresponding ORAM controllers, together with a D-PAD that caches the data to be used by the code and a C-PAD that serves as the code execution space.
The reading of code is controlled by the controller of the C-Tree, the execution time of each code block is fixed, and the data accessed by a code block is read into the D-PAD by the controller of the D-Tree so that data is always read at a fixed position. To completely hide the access pattern of code and data, the scheme adds dummy data accesses and dummy code executions to ensure that every program run takes the same time. However, as mentioned in the paper, a program running in the system consumes on average 51 times more time than the original program; secondly, the system must prepare and process all the code and data required by the application before creating the Enclave, which may expose the user private key in storage in clear text and thus reduce the security of the system.
Disclosure of Invention
The invention aims to provide a user private key protection system based on SGX and ORAM technologies, so as to solve the problem that the security of a user private key in the prior art is poor.
In order to achieve the purpose, the invention adopts the following technical scheme:
A user private key protection system based on SGX and ORAM technology comprises a user terminal and a server in communication connection; the user terminal is provided with a user node Enclave, and the user node Enclave comprises a private key storage and encryption area; the server is provided with a control node Enclave and a data node Enclave; the control node Enclave comprises a code execution area, an ORAM controller and a data storage area, wherein the code execution area executes code, the ORAM controller comprises an ORAM data mapping table and a cache area and fetches data from the data node Enclave after receiving a data request from the code execution area, and the data storage area temporarily stores the data required by the code, retrieved from the cache area; the data node Enclave stores user data and comprises an ORAM tree and a data reader; and the data node Enclave and the control node Enclave establish encryption and perform mutual security authentication through mutual key agreement between them.
Further, the ORAM tree is a binary tree; each node contains one data bucket, each data bucket contains a set number of data blocks, each data block corresponds to one node, and a block's position is determined by its data bucket and its offset within that bucket.
Further, symmetric encryption between the control node Enclave and the data node Enclave in the server is established through key agreement, and the encryption method includes the following steps:
(1) The control node Enclave uses the RDRAND instruction to generate a random prime number p and a primitive root q of the prime number p, then generates a private value $X_A$ and calculates $Y_A$ by the formula
$Y_A = q^{X_A} \bmod p$
where mod p is the modulo-p operation, and ^ is a 32-bit AND operation;
(2) The control node Enclave uses the EREPORT instruction to generate a control node report, which contains the key agreement parameters p, q and the $Y_A$ value;
(3) The control node Enclave sends the generated control node report to the data node Enclave;
(4) After receiving the control node report, the data node Enclave verifies the message authentication code using the EGETKEY instruction; if the verification passes, the data node Enclave generates a private parameter $X_B$ using the RDRAND instruction and calculates $Y_B$ by the formula
$Y_B = q^{X_B} \bmod p$
(5) The data node Enclave calls the EREPORT instruction to generate a data node report, which contains the $Y_B$ value and the MRENCLAVE value of the data node;
(6) The final encryption key K is calculated by the formula
$K = Y_A^{X_B} \bmod p$.
Further, mutual security authentication between the control node Enclave and the data node Enclave is realized, and the authentication process comprises authentication of the control node Enclave and authentication of the data node Enclave;
Authentication of the control node Enclave: the control node Enclave generates an authentication report containing MRENCLAVE and sends it to the data node Enclave; the data node Enclave obtains the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the report; if the verification passes, it judges that the control node Enclave is on the same platform, obtains the security of the TCB hardware component through the check report of the control node Enclave's TCB hardware trustworthiness, and checks the security of the TCB software component through the identifiers MRENCLAVE and MRSIGNED; if both the hardware security and the software security of the control node Enclave pass the corresponding security tests, the control node Enclave is judged to conform to the SGX security model;
Authentication of the data node Enclave: the data node Enclave generates an authentication report containing MRENCLAVE and sends it to the control node Enclave; the control node Enclave obtains the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the report; if the verification passes, it judges that the data node Enclave is on the same platform, obtains the security of the TCB hardware component through the check report of the data node Enclave's TCB hardware trustworthiness, and checks the security of the TCB software component through the identifiers MRENCLAVE and MRSIGNED; if both the hardware security and the software security of the data node Enclave pass the corresponding security tests, the data node Enclave is judged to conform to the SGX security model.
Further, after the server receives the private key generated by the user, the control node Enclave performs private key processing:
in the control node Enclave, the private key is decrypted and divided into data blocks of a set size, and the data blocks are stored in the cache area;
each data block is recorded in the data storage location table of the ORAM controller;
in the warm-up step of ORAM tree initialization, whenever any data is read and data blocks are refreshed and evicted, the data is written back to the data node to hide the access pattern.
Further, the step of digital signing comprises:
(1) The SM3 hash algorithm is used to obtain the user's hash value $Z_C$: the values a, b, $x_G$, $y_G$, $x_C$, $y_C$, $ID_C$ and $ENTL_C$ are all converted into bit strings, and the user's hash value is obtained through padding, iterative compression and hash value generation:
$Z_C = SM3(ENTL_C \,\|\, ID_C \,\|\, a \,\|\, b \,\|\, x_G \,\|\, y_G \,\|\, x_C \,\|\, y_C)$
where a is the linear-term parameter of the elliptic curve, b is the constant-term parameter of the elliptic curve, M is the message to be signed, and $E(F_q)$ is the set of all rational points of the elliptic curve E over $F_q$, the finite field of q elements; $d_C$ is the user private key and $(x_C, y_C)$ is the public key $P_C = [d_C]G = (x_C, y_C)$; $(x_G, y_G)$ are the coordinates of the base point G on the elliptic curve $E(F_q)$; $ID_C$ is the identity of the user; $ENTL_C$ is the integer $entlen_C$ converted into two bytes, where $entlen_C$ is the bit length of the user ID; SM3 is the SM3 hash function;
(2) A random number generator is used to generate a random number k in $[1, n-1]$; the elliptic curve parameters are taken out of the ORAM tree, the point $(x_1, y_1) = [k]G$ on the elliptic curve is calculated, and the data type of $x_1$ is converted into an integer;
(3) The value of r is calculated:
$r = (e + x_1) \bmod n$
$e = H_v(Z_C \,\|\, M)$
where M is the message to be signed and $H_v()$ is a cryptographic hash algorithm whose message digest has length v;
if r is 0 or r + k is n, return to step (2); otherwise execute step (5);
(5) All intermediate values are stored in the ORAM tree;
if s is not 0, calculate
$s = ((1 + d_C)^{-1} \cdot (k - r \cdot d_C)) \bmod n$;
if s is 0, re-execute step (5);
otherwise, r and s are converted into byte strings, and the user's final signature is (r, s).
Further, decrypting the digital envelope comprises the following steps:
(1) The ciphertext bit string C is set as $C = C1 \,\|\, C3 \,\|\, C2$, i.e. C is divided into the three segments C1, C3 and C2; C1 is taken out and converted into a point on the elliptic curve, and C is stored back into the ORAM tree;
(2) C1 is verified:
the elliptic curve point S is calculated as
$S = [h]C1$
where h is the cofactor of the curve parameters; if S is the point at infinity, the verification is judged to fail;
(3) Compute
$(x_2, y_2) = [d_B]C1$
and delete C1;
where $d_B$ is the private key of user B;
(4) Compute
$t = KDF(x_2 \,\|\, y_2, klen)$,
where KDF is a key derivation function and klen is the key length obtained from the key derivation function;
if t is an all-0 bit string, an error is judged to have occurred;
if t is not an all-0 bit string, the value of t is stored in the ORAM tree;
(5) $C = C1 \,\|\, C3 \,\|\, C2$ and the value of t are taken out of the ORAM tree, C2 is extracted, C is stored back into the ORAM tree, and $M' = C2 \oplus t$ is calculated, where $\oplus$ is a 32-bit exclusive-or operation;
(6) Compute
$u = Hash(x_2 \,\|\, M' \,\|\, y_2)$
where Hash() is a cryptographic hash algorithm;
C3 is taken from the value C in the ORAM tree, and u is compared with C3;
if they are not equal, an error is judged;
if they are equal, M' is the desired plaintext.
The invention has the beneficial effects that: according to the technical scheme provided by the invention, the Enclave is constructed through the SGX technology to protect user data, a secure communication path between the Enclaves is constructed by using the remote authentication of the SGX and the authentication in the platform, and the security of a user private key in the transmission process is improved; the security of the user private key in the storage process is improved by using the memory encryption technology of the SGX, and the security of the operation of the user private key is improved by using the ORAM obfuscation technology. The technical scheme provided by the invention can improve the security of the user private key storage.
Drawings
Fig. 1 is a schematic structural diagram of a user private key protection system based on SGX and ORAM technologies in an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a user node Enclave in the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a control node Enclave in the embodiment of the present invention;
fig. 4 is a schematic structural diagram of a data node Enclave in the embodiment of the present invention.
Detailed Description
The embodiment provides a user private key protection system based on an SGX and ORAM technology, which is characterized in that an Enclave is constructed by the SGX technology to protect user data, a secure communication path between the enclaves is constructed by using remote authentication of the SGX and in-platform authentication, and the security of a user private key in a transmission process is improved; the security of the user private key in the storage process is improved by using the memory encryption technology of the SGX, and the security of the operation of the user private key is improved by using the ORAM obfuscation technology.
The hardware structure of the user private key protection system based on the SGX and ORAM technologies, which is provided by this embodiment is shown in fig. 1, includes a user terminal and a server, which are in communication connection with each other, where the user terminal is provided with a user node Enclave, and the server is provided with a control node Enclave and a data node Enclave.
The structure of the user node Enclave is shown in fig. 2, and comprises a private key storage and encryption area, wherein the private key of the user is stored in the private key storage and encryption area; in this embodiment, the process of transferring the user private key from the U-key to the Enclave is required to be secure.
The control node Enclave is shown in fig. 3; its structure includes a code execution area, an ORAM controller and a data storage area. The code execution area executes the code; the ORAM controller comprises two parts, a data storage location table and a data cache area, and fetches data from the data node Enclave after receiving a data request from the code execution area; the data storage area temporarily stores the data required by the code, retrieved from the data cache area.
The data node Enclave is a main structure for storing user data, is equivalent to a server side in an ORAM model, and safely stores all data in a tree model structure. The internal structure of the data node Enclave is shown in fig. 4, and the structure includes an ORAM tree and a data reader, where the ORAM tree is a binary tree structure, and each data block corresponds to one ORAM tree root node. Each node in the ORAM tree contains a bucket, each bucket holding M data blocks, the location of each data block being determined according to the bucket and the offset in the bucket, and each data block being 4KB in size.
The process of initializing the data node Enclave comprises the following steps:
creating an ORAM tree in a data node Enclave;
mapping the data in the ORAM data mapping table to corresponding positions according to the ORAM tree nodes and the offset:
Let the total number of data blocks be N and the maximum number of real data blocks in each data bucket be 2; the number of layers of the ORAM tree follows from these values. A hash function is constructed by direct addressing:
$H(data) = (a \cdot data + b) \bmod (N/2)$
where data is the value obtained by converting a data block into an integer; linear probing and rehashing are chosen as the hash collision resolution method, each data block is hashed into the ORAM tree, and the data is recorded in the data mapping table.
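A model of the data node initialization just described (the N/2 buckets with at most two real blocks each, the direct-addressing hash with linear probing, the data mapping table, and a read that touches the whole root-to-bucket path), as an added example that is not the patent's code. The layout of the buckets as an array-backed complete binary tree, the coefficients a and b, N and the block contents are all constructed assumptions; re-encryption on write-back and the rehashing variant of collision resolution are not modelled.

```python
from typing import Dict, List, Optional, Tuple

BUCKET_CAPACITY = 2  # at most two real data blocks per bucket, as in the text


class OramTree:
    """N/2 buckets laid out as a complete binary tree in an array:
    bucket i has children 2i+1 and 2i+2, so the root is bucket 0."""

    def __init__(self, n_blocks: int, a: int, b: int) -> None:
        if n_blocks % 2:
            raise ValueError("N must be even so that N/2 buckets can hold N blocks")
        self.n_buckets = n_blocks // 2
        self.a, self.b = a, b  # constructed hash coefficients
        self.buckets: List[List[Optional[int]]] = [
            [None] * BUCKET_CAPACITY for _ in range(self.n_buckets)]  # None = dummy slot
        self.blocks: Dict[int, bytes] = {}  # block id -> contents (stand-in for the 4 KB block)
        self.mapping: Dict[int, Tuple[int, int]] = {}  # data mapping table: id -> (bucket, offset)

    def hash(self, data: int) -> int:
        """H(data) = a*data + b mod (N/2): direct addressing into the bucket array."""
        return (self.a * data + self.b) % self.n_buckets

    def insert(self, block_id: int, contents: bytes) -> Tuple[int, int]:
        """Place a real block at its hashed bucket, probing linearly on collision."""
        home = self.hash(block_id)
        for step in range(self.n_buckets):
            bucket = (home + step) % self.n_buckets
            for offset in range(BUCKET_CAPACITY):
                if self.buckets[bucket][offset] is None:
                    self.buckets[bucket][offset] = block_id
                    self.blocks[block_id] = contents
                    self.mapping[block_id] = (bucket, offset)
                    return bucket, offset
        raise MemoryError("no free slot: the tree holds at most N real blocks")

    def path(self, bucket: int) -> List[int]:
        """Root-to-bucket path; every bucket on it is touched by a read."""
        nodes = [bucket]
        while bucket:
            bucket = (bucket - 1) // 2
            nodes.append(bucket)
        return nodes[::-1]

    def read(self, block_id: int) -> Tuple[bytes, List[int]]:
        """Read a block via the mapping table: fetch the whole path, then write it back."""
        bucket, offset = self.mapping[block_id]
        touched = self.path(bucket)
        contents = b""
        for node in touched:
            for slot, stored in enumerate(self.buckets[node]):
                if node == bucket and slot == offset:
                    contents = self.blocks[stored]
            self.buckets[node] = list(self.buckets[node])  # write-back (re-encryption not modelled)
        return contents, touched


if __name__ == "__main__":
    tree = OramTree(8, 3, 1)  # constructed: N = 8 blocks, H(data) = 3*data + 1 mod 4
    for block in range(8):
        tree.insert(block, bytes([block]))
    print(tree.mapping, tree.read(5))
```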
In this embodiment, the secure communication path between the authentication control node Enclave and the data node Enclave in the server includes two parts, namely key agreement and mutual authentication.
The key agreement is the process by which the control node Enclave and the data node Enclave agree on a symmetric encryption key; the key agreement in this embodiment adopts the Diffie-Hellman key exchange mechanism, which comprises the following steps:
(1) The control node Enclave uses the RDRAND instruction to generate a random prime number p and a primitive root q of p, where q is an integer, then generates a private value $X_A$ not greater than p and calculates $Y_A$ by the formula
$Y_A = q^{X_A} \bmod p$
where mod p is the modulo-p operation, and ^ is a 32-bit AND operation;
(2) The control node Enclave uses the EREPORT instruction to generate a control node report, which contains the public parameters p and q used for key agreement and the generated $Y_A$ value used for calculating the symmetric key;
(3) The control node Enclave sends the generated control node report to the data node Enclave;
(4) After receiving the control node report, the data node Enclave verifies the message authentication code using the EGETKEY instruction; if the verification passes, it uses the RDRAND instruction to generate the private parameter $X_B$ and calculates $Y_B$ by the formula
$Y_B = q^{X_B} \bmod p$
(5) The data node Enclave calls the EREPORT instruction to generate a data node report, which contains $Y_B$ and the MRENCLAVE value of the data node; finally the encryption key K is calculated by the formula:
$K = Y_A^{X_B} \bmod p$.
after the key agreement, the control node Enclave and the data node Enclave are subjected to identity authentication to judge whether the control node Enclave and the data node Enclave conform to the SGX security model. The control node Enclave and the data node Enclave adopt a mutual authentication mode for authentication, and the mutual authentication comprises the following steps:
Authentication of the security of the control node Enclave: the control node Enclave generates an authentication report containing MRENCLAVE and sends it to the data node Enclave; the data node Enclave obtains the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the report; if the message authentication code passes verification, it determines that the control node Enclave is on the same platform; once the control node Enclave is on the same platform, the security of the TCB hardware component is obtained through the check report of the TCB hardware trustworthiness, and the security of the TCB software component is checked through the identifiers MRENCLAVE and MRSIGNED; if both the hardware security and the software security of the control node Enclave pass the corresponding security tests, the control node Enclave is determined to conform to the SGX security model;
Authentication of the security of the data node Enclave: the data node Enclave generates an authentication report containing MRENCLAVE and sends it to the control node Enclave; the control node Enclave obtains the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the report; if the verification passes, the control node Enclave judges that the data node Enclave is on the same platform; once the data node Enclave is on the same platform, the security of the TCB hardware component is obtained through the check report of the TCB hardware trustworthiness, and the security of the TCB software component is checked through the identifiers MRENCLAVE and MRSIGNED; if both the hardware security and the software security of the data node Enclave pass the corresponding security tests, the data node Enclave can be determined to conform to the SGX security model.
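The key agreement of steps (1) to (5) together with the report checks just described, as an added example that is not the patent's code: EREPORT and EGETKEY are modelled as a MAC under a constructed platform report key, the MRENCLAVE labels and the Diffie-Hellman parameters (p = 23, q = 5 in the demo) are constructed toy values, and only the report MAC and the MRENCLAVE identity are checked, not the TCB hardware report.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the per-platform report key that EGETKEY returns.
PLATFORM_REPORT_KEY = b"constructed-platform-report-key"


@dataclass(frozen=True)
class Report:
    """Model of an SGX local-attestation report."""
    mrenclave: bytes  # identity of the enclave that issued the report
    body: bytes       # report data: the key-agreement values
    mac: bytes        # message authentication code over mrenclave || body


def ereport(mrenclave: bytes, body: bytes) -> Report:
    """Model of EREPORT: bind the report data to the enclave identity with a MAC."""
    mac = hmac.new(PLATFORM_REPORT_KEY, mrenclave + body, hashlib.sha256).digest()
    return Report(mrenclave, body, mac)


def verify_report(report: Report, expected_mrenclave: bytes) -> bool:
    """Model of the EGETKEY check: recompute the MAC under the platform report key
    (only an enclave on the same platform can do this) and compare the identity."""
    expected = hmac.new(PLATFORM_REPORT_KEY, report.mrenclave + report.body,
                        hashlib.sha256).digest()
    return (hmac.compare_digest(expected, report.mac)
            and hmac.compare_digest(report.mrenclave, expected_mrenclave))


def encode(*values: int) -> bytes:
    return b"".join(v.to_bytes(32, "big") for v in values)


def decode(data: bytes) -> Tuple[int, ...]:
    return tuple(int.from_bytes(data[i:i + 32], "big") for i in range(0, len(data), 32))


def key_agreement(control_mr: bytes, data_mr: bytes, p: int, q: int,
                  expected_control_mr: bytes, expected_data_mr: bytes
                  ) -> Optional[Tuple[int, int]]:
    """Run the five steps and return (K at the control node, K at the data node),
    or None if either side rejects the other's report."""
    # Step (1): the control node picks private X_A and computes Y_A = q^X_A mod p.
    x_a = secrets.randbelow(p - 2) + 1
    y_a = pow(q, x_a, p)
    # Steps (2)-(3): the control node report carries p, q and Y_A to the data node.
    control_report = ereport(control_mr, encode(p, q, y_a))

    # Step (4): the data node verifies MAC and identity before using any value.
    if not verify_report(control_report, expected_control_mr):
        return None
    p_r, q_r, y_a_r = decode(control_report.body)
    x_b = secrets.randbelow(p_r - 2) + 1
    y_b = pow(q_r, x_b, p_r)
    k_data = pow(y_a_r, x_b, p_r)  # K = Y_A^X_B mod p
    # Step (5): the data node report carries Y_B and the data node's MRENCLAVE.
    data_report = ereport(data_mr, encode(y_b))

    # The control node verifies the data node report before deriving its copy of K.
    if not verify_report(data_report, expected_data_mr):
        return None
    (y_b_r,) = decode(data_report.body)
    k_control = pow(y_b_r, x_a, p)  # K = Y_B^X_A mod p
    return k_control, k_data


if __name__ == "__main__":
    # Constructed toy parameters: p = 23 with primitive root q = 5.
    print(key_agreement(b"ctrl-mr", b"data-mr", 23, 5, b"ctrl-mr", b"data-mr"))
    print(key_agreement(b"ctrl-mr", b"data-mr", 23, 5, b"other-mr", b"data-mr"))
```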
After key agreement and security authentication have been carried out between the control node Enclave and the data node Enclave, the user terminal sends the user private key in the user node Enclave, together with a file encrypted using the private key and the encryption technology in the SGX, to the control node Enclave of the server.
The user terminal sends the user private key to the server, and the user private key is used for a digital signature or for a digital envelope that needs to be decrypted; after receiving the user's private key, the server preprocesses it:
the data of the digital signature or of the digital envelope to be decrypted is divided into data blocks of 4 KB;
an ORAM data mapping table is created, which contains the ORAM tree; the positions of all data blocks in the ORAM tree are then determined by the number of data blocks and the hash function.
After receiving the data sent by the user terminal, the control node Enclave performs private key processing on the data as follows:
in the control node Enclave, the private key is decrypted and divided into data blocks of 4 KB, and the data blocks are stored in the cache area;
each decomposed data block is recorded in the data storage location table of the ORAM controller;
in the warm-up step of ORAM tree initialization, whenever any data is read and a data block is refreshed and evicted, the data is written back to the data node Enclave, hiding the access pattern.
The server processes the private key of the user, including two methods, namely executing the digital signature and decrypting the digital envelope, and the following introduces methods for the digital signature and decrypting the digital envelope.
The method for performing digital signature using a private key includes the steps of:
(1) The SM3 hash algorithm is used to obtain the user's hash value $Z_C$: the values a, b, $x_G$, $y_G$, $x_C$, $y_C$, $ID_C$ and $ENTL_C$ are all converted into bit strings, and the user's hash value is obtained through padding, iterative compression and hash value generation:
$Z_C = SM3(ENTL_C \,\|\, ID_C \,\|\, a \,\|\, b \,\|\, x_G \,\|\, y_G \,\|\, x_C \,\|\, y_C)$
The elliptic curve is set as:
$y^2 = x^3 + ax + b$
where a is the linear-term parameter of the elliptic curve, b is the constant-term parameter of the elliptic curve, M is the message to be signed, and $E(F_q)$ is the set of all rational points of the elliptic curve E over $F_q$, the finite field of q elements; $d_C$ is the user private key and $(x_C, y_C)$ is the public key $P_C = [d_C]G = (x_C, y_C)$; $(x_G, y_G)$ are the coordinates of the base point G on the elliptic curve $E(F_q)$; $ID_C$ is the identity of the user; $ENTL_C$ is the integer $entlen_C$ converted into two bytes, where $entlen_C$ is the bit length of the user identity;
(2) A random number generator is used to generate a random number $k \in [1, n-1]$; the elliptic curve parameters are taken out of the ORAM tree, the point $(x_1, y_1) = [k]G$ on the elliptic curve is calculated, and the data type of $x_1$ is converted into an integer;
(3) The value of r is calculated:
$r = (e + x_1) \bmod n$
$e = H_v(Z_C \,\|\, M)$
where M is the message to be signed and $H_v()$ is a cryptographic hash algorithm whose message digest has length v;
if r is 0 or r + k is n, return to step (2); otherwise execute step (5);
(5) All intermediate values are stored in the ORAM tree;
if s is not 0, calculate
$s = ((1 + d_C)^{-1} \cdot (k - r \cdot d_C)) \bmod n$;
if s is 0, re-execute step (5);
otherwise, r and s are converted into byte strings, and the user's final signature is (r, s).
The method for decrypting a digital envelope with the private key includes the following steps:
(1) let the ciphertext bit string be $C = C_1 \,\|\, C_3 \,\|\, C_2$, i.e. divide the ciphertext bit string $C$ into the three segments $C_1$, $C_3$ and $C_2$; take out $C_1$, convert it into a point on the encrypted elliptic curve, and store $C$ back into the ORAM tree;
(2) verify $C_1$: calculate the encrypted elliptic curve point
$S = [h]C_1$
where $h$ is the cofactor among the curve parameters; if $S$ is the point at infinity, the verification fails;
(3) calculate
$(x_2, y_2) = [d_B]C_1$
and delete $C_1$, where $d_B$ is the private key of user B;
(4) calculate
$t = \mathrm{KDF}(x_2 \,\|\, y_2, \mathit{klen})$
where KDF is the key derivation function and $\mathit{klen}$ is the length of the key it produces;
if $t$ is the all-zero bit string, an error is reported;
if $t$ is not the all-zero bit string, the value $t$ is stored in the ORAM tree;
(5) take $C = C_1 \,\|\, C_3 \,\|\, C_2$ and the value $t$ out of the ORAM tree, take out $C_2$, store $C$ back into the ORAM tree, and calculate $M' = C_2 \oplus t$, where $\oplus$ denotes the bitwise exclusive-or operation;
(6) calculate
$u = \mathrm{Hash}(x_2 \,\|\, M' \,\|\, y_2)$
where Hash() is a cryptographic hash algorithm;
take $C_3$ from the value $C$ in the ORAM tree and compare whether $u$ equals $C_3$;
if not, an error is reported;
if equal, $M'$ is the desired plaintext.
All data reads in the above process are performed according to the following ORAM protocol, so that the data access pattern is hidden. In the ORAM access protocol of the storage area, each access consists of four parts: looking up the data storage location table to obtain the access path, reading the path and writing back to the user terminal, refreshing the data bucket and writing back, and the eviction path.
Searching the data storage location table to obtain the access path: if the position found in the position map is in the stash, the data is taken directly from the stash. If the position found is in the ORAM tree, a read request is sent to the ORAM tree; the request sequence names one data block in each data bucket on the path corresponding to the leaf node. Unlike Ring ORAM, each block on the path is determined at the user terminal, rather than computing or looking up the location of the block in each bucket on the path from metadata held on the server side. The data block read sequence for one access is therefore $\{P(l, i_1, j_1), P(l, i_2, j_2), \ldots, P(l, i_L, j_L)\}$, where the offsets of the data blocks in the buckets that are not wanted are computed by a pseudo-random algorithm at the user terminal to ensure the security of the data. Here $P(l, i, j)$ is the $j$-th slot in bucket $P(l, i)$, and $P(l, i)$ is the $i$-th bucket on path $l$ counted from the root node.
Reading the path and writing back to the user terminal: starting from the root node of the ORAM tree, each data bucket on the path is visited in turn according to the request sequence given by the user terminal, and the corresponding data block is retrieved according to the offset given in the request sequence. Since the data blocks are all randomly arranged, an attacker only sees that a random data block in each data bucket is read, and cannot tell whether that block is a real data block or a dummy data block.
Refreshing the data bucket and writing back: when the number of times a data bucket has been read at the server reaches a set value, a refresh operation is executed on the data bucket in order to preserve the bucket's ability to obscure accesses and to write back the data blocks held in the storage area. Specifically, the data bucket is taken back to the user terminal, a data bucket is then selected from the buffer area of the user terminal and written back to the position of that bucket in the ORAM tree, the retrieved real data blocks are re-encrypted, a dummy data block position in the buffer area is selected by a hash function, and the data blocks are put there.
The eviction path: when the real data blocks in the cache area are saturated, the server side selects a path according to the reverse-lexicographic eviction strategy of Ring ORAM, all the data in the cache area is written back to the server side along that path, all the data blocks on the original path are fetched back to the user terminal, the cache area is filled with dummy data blocks, the fetched real data blocks are re-encrypted, and a hash function is used to hash them over the position of a dummy data block in the cache area.
The following is a detailed description of each step.
Confirming the access sequence: generating the access sequence for acquiring the required data block.
The leaf node of the target data block is first determined from the data storage location table, together with the path $l$, the position $i$ of the data bucket and the offset $j$ within the bucket, and this is added to the access sequence List. The access sequence for the target data block is then determined at the user terminal: for each node on the path in turn, from the leaf node to the root node and excluding the node of the data bucket in which the target data block is known to lie, an offset $j$ is calculated by a random number algorithm. The access location of each node on the path is added to the List, forming an oblivious access sequence.
Reading the ORAM path and refreshing and writing back the data bucket: reading the ORAM path and writing back the data blocks according to the access sequence.
According to the access sequence, from the leaf node data bucket to the root node of the ORAM tree, the specified data block is read from each data bucket, the data slot left empty after the read is filled with a dummy data block, and finally all the read data blocks are extracted into the storage area. All data blocks other than the target data block are randomly selected and may be real or dummy. Since only one data block is taken from each bucket, it does not need to be written back; the real data blocks among them are kept in the storage area.
Data bucket refresh write-back is the primary way of writing back the data blocks held in the storage area. After the ORAM path is read, the count value of each data bucket on it is incremented by 1, and if the count value of a data bucket reaches $S$, a refresh is performed on that data bucket. The bucket is first retrieved from the server-side ORAM tree and its location is recorded. A data bucket in the storage area is then selected according to the hierarchical structure, from left to right and from top to bottom; all real data blocks in that data bucket of the storage area are assigned an admissible random leaf node in turn, the assignments are recorded in the data storage location table, and the data bucket is written back to the position of the bucket whose count value reached $S$ in the ORAM tree. Finally, the real data in the retrieved data bucket is written randomly into the storage area, and all write-back data buckets in the storage area are padded with dummy data blocks. To ensure that a write-back operation and a read operation move the same number of data blocks, the number of data blocks in a data bucket must be set equal to the depth of the ORAM tree, so that read and write operations are consistent.
Path eviction: refreshing the data buckets to achieve obfuscation once certain conditions are met.
The storage area eviction operation selects a path $l$ in reverse-lexicographic order and retrieves all the data buckets on path $l$. Starting from the last node of the storage area, the real data blocks in the storage area are assigned a random leaf node in turn. The assignment works as follows: a leaf node can only be assigned to itself, and starting from the level above the leaf node, the number of admissible leaf nodes grows exponentially; a random number is calculated in turn by a pseudo-random algorithm, and the data block is assigned to a specific leaf node according to that number, until every real data block in the whole storage area has been assigned a leaf node. Finally, the storage area of size $\log N$ is written back to the eviction path, with the last node of the storage area corresponding to the leaf node of the ORAM tree. After the write-back, all positions in the storage area are filled with dummy data blocks, and the remaining real data blocks from the retrieved path are re-encrypted and then hashed by the hash function over one dummy data block in the storage area.
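The access, refresh and eviction steps described above, as a small runnable added example (not the patent's code): a tree ORAM with a client-side stash, per-bucket read counters, a bucket refresh after $S$ reads and reverse-lexicographic path eviction. Blocks are kept in the clear (the re-encryption step is left out), and the slot count and refresh threshold are free parameters rather than the tree depth the text prescribes; all values and names are constructed for the demo.

```python
import random


class ToyTreeORAM:
    """Tree ORAM with a client stash, per-bucket read counters, bucket refresh and
    reverse-lexicographic path eviction, following the access protocol described above.
    Blocks are kept in the clear; the re-encryption step is left out of this demo."""

    def __init__(self, height, slots, refresh_after, stash_cap=4, seed=1):
        self.L, self.Z, self.S, self.stash_cap = height, slots, refresh_after, stash_cap
        self.rng = random.Random(seed)           # stands in for the client's pseudo-random algorithm
        self.tree = [[None] * slots for _ in range(2 ** (height + 1) - 1)]  # None = dummy slot
        self.count = [0] * len(self.tree)        # reads of each bucket since its last refresh
        self.pos = {}                            # data storage location table: id -> (leaf, bucket, offset)
        self.stash = {}                          # client-side cache area: id -> data
        self.evict_counter = 0                   # drives the reverse-lexicographic eviction order
        self.trace = []                          # (bucket, offset) pairs visible to the server

    def node(self, level, leaf):
        """Index of the bucket at `level` on the root-to-`leaf` path (root is level 0)."""
        return (1 << level) - 1 + (leaf >> (self.L - level))

    def leaf_under(self, level, bucket):
        """Random leaf whose path passes through `bucket`: 2^(L-level) admissible leaves."""
        span = 1 << (self.L - level)
        return (bucket - ((1 << level) - 1)) * span + self.rng.randrange(span)

    def store(self, block_id, data):
        """Warm-up step: a new block enters the stash with a random leaf and is evicted later."""
        self.pos[block_id] = (self.rng.randrange(1 << self.L), None, None)
        self.stash[block_id] = data
        if len(self.stash) > self.stash_cap:
            self.evict_path()

    def read(self, block_id):
        leaf, bucket, offset = self.pos[block_id]
        if bucket is None:                       # location table says the block is still in the stash
            return self.stash[block_id]
        # Oblivious access sequence: one slot per bucket on the path, the known offset
        # in the target bucket and a pseudo-random offset everywhere else.
        seq = [(b, offset if b == bucket else self.rng.randrange(self.Z))
               for b in (self.node(i, leaf) for i in range(self.L + 1))]
        result = None
        for b, j in seq:
            self.trace.append((b, j))
            slot, self.tree[b][j] = self.tree[b][j], None   # the read slot becomes a dummy
            if slot is not None:                 # a real block (target or bystander) moves to the stash
                bid, data = slot
                self.stash[bid] = data
                self.pos[bid] = (self.pos[bid][0], None, None)
                if bid == block_id:
                    result = data
            self.count[b] += 1
            if self.count[b] >= self.S:          # bucket has been read S times: refresh it
                self.refresh(b)
        return result

    def refresh(self, bucket):
        """Retrieve the bucket, then refill it from stash blocks that may live under it."""
        level = (bucket + 1).bit_length() - 1
        for slot in self.tree[bucket]:
            if slot is not None:
                self.stash[slot[0]] = slot[1]
                self.pos[slot[0]] = (self.pos[slot[0]][0], None, None)
        self.tree[bucket] = [None] * self.Z      # the write-back bucket starts out all dummies
        for j in range(self.Z):
            for bid in list(self.stash):
                if self.node(level, self.pos[bid][0]) == bucket:
                    self.tree[bucket][j] = (bid, self.stash.pop(bid))
                    self.pos[bid] = (self.leaf_under(level, bucket), bucket, j)  # fresh admissible leaf
                    break
        self.count[bucket] = 0

    def evict_path(self):
        """Eviction path in reverse-lexicographic order: bit-reverse the counter, then
        refresh every bucket on that path from the leaf bucket up to the root."""
        leaf = int(format(self.evict_counter % (1 << self.L), f"0{self.L}b")[::-1], 2)
        self.evict_counter += 1
        for level in range(self.L, -1, -1):
            self.refresh(self.node(level, leaf))
```

Every read served from the tree touches exactly one slot in each of the $L+1$ buckets on the path, which is all the server-side trace reveals.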
The embodiments of the present invention disclosed above are intended merely to help clarify the technical solutions of the present invention, and it is not intended to describe all the details of the invention nor to limit the invention to the specific embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.
Claims (7)
1. A user private key protection system based on SGX and ORAM technology, characterized by comprising a user terminal and a server which are in communication connection; the user terminal is provided with a user node Enclave, and the user node Enclave comprises a private key storage and encryption area; the server is provided with a control node Enclave and a data node Enclave; the control node Enclave comprises a code execution area, an ORAM controller and a data storage area, wherein the code execution area is used for executing code, the ORAM controller comprises an ORAM data mapping table and a cache area and is used for extracting data from the data node Enclave after receiving a data request from the code execution area, and the data storage area is used for temporarily storing the data required by the code that has been retrieved from the cache area; the data node Enclave is used for storing user data and comprises an ORAM tree and a data reader; and the data node Enclave and the control node Enclave perform key agreement and mutual security authentication with each other.
2. The SGX and ORAM technology-based user private key protection system of claim 1, wherein the ORAM tree is a binary tree, each node comprises a data bucket, each data bucket comprises a set number of data blocks, each data block corresponds to a node, and the location is determined according to the data bucket and an offset in the data bucket.
3. The SGX and ORAM technology-based user private key protection system according to claim 1, wherein symmetric encryption between the control node Enclave and the data node Enclave in the server is established through key agreement, and the encryption method includes the following steps:
(1) the control node Enclave uses the RDRAND instruction to generate a random prime number $p$ and a primitive root $q$ of the prime number $p$, then generates a private value $X_A$ and calculates $Y_A$ by the formula
$Y_A = q^{X_A} \bmod p$
where mod $p$ is the modulo-$p$ operation, and ^ is a 32-bit AND operation;
(2) the control node Enclave uses the EREPORT instruction to generate a control node report, which contains the key agreement parameters $p$ and $q$ and the value $Y_A$;
(3) the control node Enclave sends the generated control node report to the data node Enclave;
(4) after receiving the control node Enclave report, the data node Enclave verifies the message authentication code using the EGETKEY instruction; if the verification passes, the data node Enclave generates a private parameter $X_B$ using the RDRAND instruction and calculates $Y_B$ by the formula
$Y_B = q^{X_B} \bmod p$
(5) the data node Enclave calls the EREPORT instruction to generate a data node report, which contains the value $Y_B$ and the MRENCLAVE value of the data node;
(6) the final encryption key $K$ is calculated by the formula
$K = Y_A^{X_B} \bmod p$.
4. The SGX and ORAM technology-based user private key protection system according to claim 1, wherein the control node Enclave and the data node Enclave mutually authenticate each other's security, and the authentication process includes authentication of the control node Enclave and authentication of the data node Enclave;
authentication of the control node Enclave: the control node Enclave generates an authentication report containing MRENCLAVE and sends the authentication report to the data node Enclave; the data node Enclave acquires the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the authentication report; if the verification passes, it judges that the control node Enclave is on the same platform, acquires the security of the TCB hardware component through the check report of the TCB hardware trustworthiness of the control node Enclave, and checks the security of the TCB software component through the identifiers MRENCLAVE and MRSIGNER; if both the hardware security and the software security of the control node Enclave pass the corresponding security tests, the control node Enclave is judged to conform to the security model of SGX;
authentication of the data node Enclave: the data node Enclave generates an authentication report containing MRENCLAVE and sends the authentication report to the control node Enclave; the control node Enclave acquires the key for the authentication report through the EGETKEY instruction and verifies the message authentication code in the authentication report; if the verification passes, it judges that the data node Enclave is on the same platform, acquires the security of the TCB hardware component through the check report of the TCB hardware trustworthiness of the data node Enclave, and checks the security of the TCB software component through the identifiers MRENCLAVE and MRSIGNER; and if both the hardware security and the software security of the data node Enclave pass the corresponding security tests, the data node Enclave is judged to conform to the security model of SGX.
5. The SGX and ORAM technology-based user private key protection system of claim 1, wherein the server receives a private key from a user, and the control node Enclave performs private key processing:
in the control node Enclave, the private key is decrypted and divided into data blocks of a set size, and the data blocks are stored in the cache area;
each data block is recorded in the data storage location table of the ORAM controller;
in the warm-up step of ORAM tree initialization, whenever any data is read and a data block is refreshed and evicted, the data is written back to the data nodes of the ORAM tree, so that the access pattern is hidden.
6. The SGX and ORAM technology-based user private key protection system of claim 1, wherein the step of digitally signing comprises:
(1) the SM3 hash algorithm is used to obtain the user's hash value $Z_C$: the values $a$, $b$, $x_G$, $y_G$, $x_C$, $y_C$, $\mathrm{ID}_C$ and $\mathrm{ENTL}_C$ are all converted into bit strings, and the user's hash value is obtained through padding, iterative compression and hash-value generation:
$Z_C = \mathrm{SM3}(\mathrm{ENTL}_C \,\|\, \mathrm{ID}_C \,\|\, a \,\|\, b \,\|\, x_G \,\|\, y_G \,\|\, x_C \,\|\, y_C)$
where $a$ is the linear-term parameter and $b$ the constant-term parameter of the encrypted elliptic curve, $M$ is the message to be signed, and $E(F_q)$ is the set of all rational points of the elliptic curve $E$ over $F_q$, the finite field of $q$ elements; $d_C$ is the user private key, $P_C = [d_C]G = (x_C, y_C)$ is the public key, $(x_G, y_G)$ are the coordinates of the base point $G$ of the encrypted elliptic curve $E(F_q)$, $\mathrm{ID}_C$ is the identity of the user, $\mathrm{ENTL}_C$ is the integer $\mathrm{entlen}_C$ represented as two bytes, $\mathrm{entlen}_C$ is the bit length of the user identity, and SM3 is the SM3 hash algorithm function;
(2) a random number $k$ is generated in $[1, n-1]$ with the random number generator, the parameters of the encrypted elliptic curve are taken from the ORAM tree, the point $(x_1, y_1) = [k]G$ on the encrypted elliptic curve is calculated, and the data type of $x_1$ is converted to an integer;
(3) the value of $r$ is calculated:
$r = (e + x_1) \bmod n$
$e = H_v(Z_C \,\|\, M)$
where $M$ is the message to be signed and $H_v()$ is a cryptographic hash algorithm whose message digest has length $v$;
(4) if $r = 0$ or $r + k = n$, return to step (2); otherwise execute step (5);
(5) all intermediate values are stored in the ORAM tree, and $s$ is calculated:
$s = \left((1 + d_C)^{-1} \cdot (k - r \cdot d_C)\right) \bmod n$
if $s = 0$, step (5) is re-executed;
otherwise $r$ and $s$ are converted into byte strings, and the user's final signature is $(r, s)$.
7. The SGX and ORAM technology-based user private key protection system of claim 1, wherein decrypting the digital envelope comprises the following steps:
(1) let the ciphertext bit string be $C = C_1 \,\|\, C_3 \,\|\, C_2$, i.e. divide the ciphertext bit string $C$ into the three segments $C_1$, $C_3$ and $C_2$; take out $C_1$, convert it into a point on the encrypted elliptic curve, and store $C$ back into the ORAM tree;
(2) verify $C_1$: calculate the encrypted elliptic curve point
$S = [h]C_1$
where $h$ is the cofactor among the curve parameters; if $S$ is the point at infinity, the verification fails;
(3) calculate
$(x_2, y_2) = [d_B]C_1$
and delete $C_1$, where $d_B$ is the private key of user B;
(4) calculate
$t = \mathrm{KDF}(x_2 \,\|\, y_2, \mathit{klen})$
where KDF is the key derivation function and $\mathit{klen}$ is the length of the key it produces;
if $t$ is the all-zero bit string, an error is reported;
if $t$ is not the all-zero bit string, the value $t$ is stored in the ORAM tree;
(5) take $C = C_1 \,\|\, C_3 \,\|\, C_2$ and the value $t$ out of the ORAM tree, take out $C_2$, store $C$ back into the ORAM tree, and calculate $M' = C_2 \oplus t$, where $\oplus$ denotes the bitwise exclusive-or operation;
(6) calculate
$u = \mathrm{Hash}(x_2 \,\|\, M' \,\|\, y_2)$
where Hash() is a cryptographic hash algorithm;
take $C_3$ from the value $C$ in the ORAM tree and compare whether $u$ equals $C_3$;
if not, an error is reported;
if equal, $M'$ is the desired plaintext.
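The signing procedure (description steps (1) to (5) and claim 6) and the envelope decryption procedure (steps (1) to (6) and claim 7), carried through as one added example that is not the patent's code. The page names no curve constants, so secp256k1 stands in for the SM2 curve and SHA-256 for SM3, $H_v$ and Hash; `envelope_encrypt` is the inverse of the page's decryption and exists only to produce test input, and the ORAM store and fetch steps between the computations are omitted so that the arithmetic and the checks stand out.

```python
import hashlib, secrets
# The page names no curve constants, so secp256k1 stands in for the SM2 curve and SHA-256
# stands in for SM3 / H_v / Hash (assumptions of this demo, not the patent's parameters).
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
H = 1             # cofactor h of the curve
O = None          # point at infinity

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over F_P; handles doubling and inverse points."""
    if p1 is O or p2 is O: return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = (3*x1*x1 + A) * pow(2*y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = O
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def i2b(x, n=32): return x.to_bytes(n, "big")
def Hv(data): return hashlib.sha256(data).digest()

def user_z(id_bytes, pub):
    """Z_C = H(ENTL_C || ID_C || a || b || x_G || y_G || x_C || y_C), ENTL_C = bit length of ID_C in 2 bytes."""
    parts = [i2b(8 * len(id_bytes), 2), id_bytes, i2b(A), i2b(B), i2b(G[0]), i2b(G[1]), i2b(pub[0]), i2b(pub[1])]
    return Hv(b"".join(parts))

def sign(d, z, msg):
    """Steps (2)-(5): r = (e + x1) mod n, s = ((1 + d)^-1 (k - r d)) mod n; retry on r = 0, r + k = n or s = 0."""
    e = int.from_bytes(Hv(z + msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1           # k in [1, n-1]
        x1, _ = ec_mul(k, G)
        r = (e + x1) % N
        if r == 0 or r + k == N: continue
        s = (pow(1 + d, -1, N) * (k - r * d)) % N
        if s: return (r, s)                        # s = 0 restarts with a fresh k

def verify(pub, z, msg, sig):
    """t = (r + s) mod n, (x1', y1') = [s]G + [t]P_C; accept iff (e + x1') mod n == r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0: return False
    e = int.from_bytes(Hv(z + msg), "big")
    pt = ec_add(ec_mul(s, G), ec_mul((r + s) % N, pub))
    return pt is not O and (e + pt[0]) % N == r

def kdf(z, klen):
    """KDF(Z, klen): counter-mode hashing, klen in bits, truncated to klen/8 bytes."""
    out, ct = b"", 1
    while 8 * len(out) < klen:
        out, ct = out + Hv(z + i2b(ct, 4)), ct + 1
    return out[:klen // 8]

def envelope_encrypt(pub, msg):
    """Inverse of the decryption below (not on the page): C = C1 || C3 || C2 with C1 sent as raw x || y."""
    k = secrets.randbelow(N - 1) + 1
    (x1, y1), (x2, y2) = ec_mul(k, G), ec_mul(k, pub)
    t = kdf(i2b(x2) + i2b(y2), 8 * len(msg))
    c2 = bytes(m ^ tt for m, tt in zip(msg, t))
    return i2b(x1) + i2b(y1) + Hv(i2b(x2) + msg + i2b(y2)) + c2

def envelope_decrypt(d, c):
    """Steps (1)-(6): split C, check [h]C1 != O, (x2, y2) = [d]C1, t = KDF(x2 || y2), M' = C2 xor t, check C3."""
    c1, c3, c2 = (int.from_bytes(c[:32], "big"), int.from_bytes(c[32:64], "big")), c[64:96], c[96:]
    if (c1[1]**2 - c1[0]**3 - A*c1[0] - B) % P or ec_mul(H, c1) is O: raise ValueError("invalid C1")
    x2, y2 = ec_mul(d, c1)
    t = kdf(i2b(x2) + i2b(y2), 8 * len(c2))
    if not any(t): raise ValueError("KDF output is the all-zero string")
    m = bytes(cc ^ tt for cc, tt in zip(c2, t))
    if Hv(i2b(x2) + m + i2b(y2)) != c3: raise ValueError("C3 check failed")
    return m
```

The $C_3$ comparison is what turns a flipped ciphertext bit into a rejected message rather than silently corrupted plaintext, which is why the page checks it before returning $M'$.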
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010488464.7A (CN111769935A) | 2020-06-02 | 2020-06-02 | User private key protection system based on SGX and ORAM technology |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN111769935A | 2020-10-13 |

Family ID: 72719317

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010488464.7A (CN111769935A, withdrawn) | User private key protection system based on SGX and ORAM technology | 2020-06-02 | 2020-06-02 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN111769935A |

Timeline: 2020-06-02, CN, application CN202010488464.7A (patent/CN111769935A/en), not active, withdrawn.
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | WW01 | Invention patent application withdrawn after publication | Application publication date: 20201013 |