CN111859467A - Cloud data integrity auditing method and device based on SGX - Google Patents


Info

Publication number: CN111859467A
Authority: CN (China)
Prior art keywords: file, outsourced, hash value, data integrity, verification
Legal status: Granted
Application number: CN202010717328.0A
Other languages: Chinese (zh)
Other versions: CN111859467B
Inventors: 陈文琪, 暨光耀, 吴晓茵, 张洁芳
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Events:
    • Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
    • Priority to CN202010717328.0A
    • Publication of CN111859467A
    • Application granted
    • Publication of CN111859467B
    • Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/60 Protecting data
            • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
            • G06F21/602 Providing cryptographic facilities or services
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/52 Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                • G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention provides an SGX-based cloud data integrity auditing method and device, comprising the following steps: receiving, through a pre-constructed secure communication channel, an outsourced file identifier and the corresponding outsourced file hash value sent by the user side; and verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value. By establishing a trusted container on the cloud server through SGX (a processor security technology) to perform the audit verification, the method and device support integrity auditing of cloud storage data while sparing the user side complex computation (such as generating data block tags), so that the user-side server obtains integrity verification of its data with only a small computation and communication overhead.

Description

Cloud data integrity auditing method and device based on SGX
Technical Field
The application belongs to the technical field of trusted cloud computing, and particularly relates to a cloud data integrity auditing method and device based on SGX.
Background
Cloud storage services are increasingly popular: users can access and share their own data at any time and from anywhere over the network, and are relieved of maintaining and managing storage themselves. However, once data is stored on a cloud server, the user loses physical control over it and cannot verify its integrity by conventional means. The existing solution to this problem is to preprocess the data to generate a corresponding set of data block tags and other metadata that assist verification. The user then uploads the file data and the generated metadata to the cloud server. Later, the user can issue a challenge to the cloud server; the cloud server generates proof information from the challenge information and the stored metadata and returns it to the user for verification. If the verification succeeds, the data is stored intact; otherwise the data has been damaged. This approach, however, imposes a serious computational overhead on the user and also increases the communication overhead between the user side and the cloud server side.
Disclosure of Invention
The application provides an SGX-based cloud data integrity auditing method and device, which at least address two problems of existing cloud auditing methods: the heavy computing-resource cost on the client server, and the large communication cost between the client and the cloud server.
According to one aspect of the application, a cloud data integrity auditing method based on SGX is provided, which comprises the following steps:
receiving an outsourced file identifier and a corresponding outsourced file hash value sent by a user side through a pre-constructed secure communication channel;
and verifying the data integrity of the outsourced file by using the outsourced file identifier and the outsourced file hash value through the local trusted container.
In an embodiment, the cloud data integrity auditing method further includes:
receiving the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifying the integrity and the validity of the file signature by using the outsourced file.
In one embodiment, the process of constructing the secure communication channel includes:
carrying out communication trust verification on a user side;
and after the verification is passed, a secure communication channel between the user side and the pre-created local trusted container is constructed.
In one embodiment, verifying the data integrity of the outsourced file by the local trusted container and using the outsourced file identifier and the outsourced file hash value includes:
loading the corresponding outsourced file into the trusted container according to the outsourced file identifier;
performing hash value calculation on the outsourced file in the trusted container to obtain a check hash value;
and verifying the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
In one embodiment, verifying the integrity and validity of the file signature using the outsourced file comprises:
calculating a hash value of the outsourced file to obtain a verification hash value;
and verifying the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file and the verification hash value.
According to another aspect of the present application, there is also provided a cloud data integrity auditing apparatus based on SGX, including:
the receiving unit is used for receiving the outsourced file identifier and the corresponding outsourced file hash value sent by the user side through a pre-constructed secure communication channel;
and the data integrity verification unit is used for verifying the data integrity of the outsourced file through the local trusted container by using the outsourced file identifier and the outsourced file hash value.
In an embodiment, the cloud data integrity auditing apparatus further includes:
and the file signature verification unit is used for receiving the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifying the integrity and the validity of the file signature by using the outsourced file.
In one embodiment, the process of constructing the secure communication channel includes:
carrying out communication trust verification on a user side;
and after the verification is passed, a secure communication channel between the user side and the pre-created local trusted container is constructed.
In one embodiment, the data integrity verification unit includes:
a loading module for loading the corresponding outsourced file into the trusted container according to the outsourced file identifier;
a check hash value acquisition module for calculating the hash value of the outsourced file in the trusted container to obtain a check hash value;
and an integrity verification module for verifying the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
In one embodiment, the file signature verification unit includes:
a verification hash value acquisition module for calculating the hash value of the outsourced file to obtain a verification hash value;
and a file signature verification module for verifying the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file and the verification hash value.
By establishing a trusted container on the cloud server through SGX (a processor security technology) to perform the audit verification, the method and device support integrity auditing of cloud storage data while sparing the user side complex computation (such as generating data block tags), so that the user-side server obtains integrity verification of its data with only a small computation and communication overhead.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a cloud data integrity auditing method based on SGX according to the present application.
Fig. 2 is a schematic diagram of a cloud auditing system based on SGX in the present application.
Fig. 3 is a flowchart of data integrity verification of an outsourced file in an embodiment of the application.
Fig. 4 is a flowchart of constructing a secure communication channel in an embodiment of the present application.
Fig. 5 is a flowchart for verifying the integrity and validity of a file signature using an outsourced file in an embodiment of the application.
Fig. 6 is a structural block diagram of a cloud data integrity auditing apparatus based on SGX according to the present application.
Fig. 7 is a block diagram of a data integrity verification unit in an embodiment of the present application.
Fig. 8 is a block diagram of a structure of a document signature verification unit in an embodiment of the present application.
Fig. 9 is a specific implementation of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, in a cloud auditing process the cloud server generates proof information from the challenge information and the metadata of the uploaded file data provided by the user side, and sends that proof to the user side for verification: if the verification succeeds, the uploaded file data is stored intact, otherwise the data has been damaged. This method, however, imposes a serious computational overhead on the user-side server (for example, the overhead of generating data block tags at the user side). To address this problem, the present application provides an SGX-based cloud data integrity auditing method; its application scenario is introduced first. After an SGX (Software Guard Extensions) environment is deployed on the cloud server, the cloud server comprises three modules: a file verification module, a trusted environment attestation module and a verification data module.
The file verification module runs in the untrusted software area and is used for receiving the files uploaded by the user side together with the metadata related to file verification. After receiving the user data, it verifies the integrity of the file data and the validity of the signature. If the verification passes, the data uploaded by the user side is stored; otherwise, the user side is required to resend correct data.
The trusted environment attestation module is used for initiating runtime-environment authentication of the cloud server. The cloud server creates a trusted container (enclave) locally in response to the authentication request. Once the trusted container is created, it sends the hash value of its contents to the user side. If this hash value does not match the expected value, the user side refuses to establish communication with the container; otherwise, the cloud server establishes a trusted channel with the user side.
The verification data module is used for verifying the integrity of the data. The user side transmits the challenge information to the trusted container through the trusted channel; the cloud server loads the corresponding file into the trusted container according to the challenge information and verifies the integrity of the file. If the verification passes, a message is sent to the user side through the trusted channel stating that the user's data is intact; otherwise, the user side is informed that the data has been damaged.
As shown in fig. 1, the cloud data integrity auditing method based on the above scenario includes:
S101: receiving the outsourced file identifier and the corresponding outsourced file hash value sent by the user side through a pre-constructed secure communication channel.
In an embodiment, the cloud auditing system model is as shown in fig. 2 and includes a user side and a cloud service side. The cloud service side has an untrusted software area for file verification; the user side transmits the processed file to this untrusted software, then the computing scheduler of the user side establishes a secure communication channel (trusted channel) with the trusted container on the cloud service side, and finally the information transfer and the data integrity verification are completed through that channel. The cryptographic parameters and variables are set as follows. Let the system security parameter be l, and let p be a large prime with |p| = l; G is a multiplicative cyclic group of prime order p and g is a generator of G; h(·) is a cryptographic hash function; H(·) is a secure hash function defined as H: {0,1}* → G.
After the setup is complete, the user side first preprocesses the file to be uploaded (the outsourced file): it generates the file signature θ of the outsourced file F, the file identifier Fid of F and the corresponding hash value h(F) of F, and then sends this information to the trusted container of the cloud server through the pre-constructed secure communication channel.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
The method of fig. 1 may be executed by a PC, a terminal or the like. A trusted container is established on the cloud server through SGX to perform audit verification of the uploaded files, so that the client server avoids complex computation and the client obtains integrity verification of its data with only a small computation and communication overhead.
In an embodiment, verifying the data integrity of the outsourced file by the local trusted container and using the outsourced file identifier and the outsourced file hash value, as shown in fig. 3, includes:
S301: loading the corresponding outsourced file into the trusted container according to the outsourced file identifier.
In a specific embodiment, after receiving the file identifier Fid of the outsourced file F and the corresponding outsourced file hash value h(F) sent from the user side, the cloud server loads the outsourced file F corresponding to Fid from outside the trusted container into the trusted container according to the file identifier Fid.
S302: calculating the hash value of the outsourced file inside the trusted container to obtain a check hash value.
In an embodiment, the outsourced file F is hashed inside the trusted container to obtain the check hash value h'(F), and it is then verified whether the check hash value h'(F) equals the outsourced file hash value h(F).
S303: verifying the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
In one embodiment, if the check hash value h'(F) is found to equal the outsourced file hash value h(F), the uploaded outsourced file F is intact; otherwise, the file is corrupted.
In an embodiment, the step "the user side first preprocesses the file to be uploaded (the outsourced file)" mentioned in S101 specifically includes:
The user side generates a signature key pair (sk, pk), where sk is the private key and pk = g^sk is the public key, and sends the public key pk to the cloud server. For the file F it generates a file identifier Fid and the hash value h(F) of the file data, and then computes the hash value μ of the concatenation of the file identifier Fid and the hash value h(F):
μ = H(Fid || h(F))
It then generates a digital signature θ over the hash value μ with the private key sk:
θ = SIG(sk, μ);
where SIG(sk, μ) denotes generating a digital signature (a BLS signature) over the hash value μ with the private key sk.
The cloud server receives the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifies the integrity and the effectiveness of the file signature by using the outsourced file.
In one embodiment, as shown in fig. 4, the process of constructing the secure communication channel includes:
S401: carrying out communication trust verification on the user side.
In one embodiment, the client device authenticates the trusted environment of the cloud server: through the software attestation procedure of SGX, the user side verifies that it is actually communicating with the pre-provisioned server software and that this software runs in a secure container on trusted hardware.
S402: after the verification passes, constructing a secure communication channel between the user side and the pre-created local trusted container.
In one embodiment, a secure communication channel is established between the user terminal and the trusted container if the communication trust verification passes; otherwise, the communication is denied.
In one embodiment, the integrity and validity of the file signature is verified using the outsourced file, as shown in fig. 5, which includes:
S501: calculating the hash value of the outsourced file to obtain a verification hash value.
S502: verifying the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file and the verification hash value.
In a specific embodiment, the cloud server first hashes the file F to obtain a hash value h*(F), and then verifies the integrity and validity of the file signature θ using the public key pk, the file identifier Fid and the hash value h*(F). If the verification passes, the cloud server stores the uploaded data; otherwise, the user side is required to upload again. The specific process of verifying the integrity and validity of the file signature is as follows:
When the cloud server receives the data from the user side, it verifies its integrity and validity. The cloud server first hashes the file F to obtain the hash value h*(F), and then computes the hash value μ* of the concatenation of the file identifier Fid and the hash value h*(F):
μ* = H(Fid || h*(F))
It then verifies the signature θ using the public key pk and the hash value μ*:
β = Verify(pk, θ, μ*);
where Verify(pk, θ, μ*) denotes verifying the signature θ against the hash value μ* with the public key pk and returning the result. Finally, if β is True, the uploaded data is stored; if β is False, the user side is required to upload again.
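The whole flow, from the user-side preprocessing of S101 through the untrusted signature check (S501/S502) to the in-container hash comparison (S301 to S303), as an added Go example that is not the patent's own code. It assumes Ed25519 in place of the BLS signature (BLS needs a pairing library), SHA-256 for both h(·) and H(·), and models the SGX trusted container as an ordinary Go type that reads from the untrusted store.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not the patent's own code: Ed25519 stands in for the BLS
// signature (which needs a pairing library), SHA-256 instantiates h(.) and
// H(.), and the SGX trusted container is an ordinary Go type.

// Upload is what the user side sends to the untrusted file verification module.
type Upload struct {
	Fid   string // file identifier Fid
	File  []byte // outsourced file F
	Theta []byte // θ = SIG(sk, μ)
}

// hashFile is h(F), the hash of the outsourced file.
func hashFile(f []byte) []byte {
	s := sha256.Sum256(f)
	return s[:]
}

// mu is μ = H(Fid || h(F)). Fid is length-prefixed so the concatenation cannot
// be re-split into a different (Fid, h(F)) pair that hashes to the same μ.
func mu(fid string, hashF []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(fid)))
	h := sha256.New()
	h.Write(n[:])
	h.Write([]byte(fid))
	h.Write(hashF)
	return h.Sum(nil)
}

// UserPreprocess is the user-side preprocessing of S101 for a user-chosen Fid:
// it returns the upload (F, Fid, θ) for the cloud and the h(F) the user keeps
// to send later over the secure channel.
func UserPreprocess(sk ed25519.PrivateKey, fid string, file []byte) (Upload, []byte) {
	hashF := hashFile(file)
	return Upload{Fid: fid, File: file, Theta: ed25519.Sign(sk, mu(fid, hashF))}, hashF
}

// CloudStore is the untrusted file verification module together with its storage.
type CloudStore struct {
	pk    ed25519.PublicKey // public key issued by the user side
	files map[string][]byte
}

// Receive is S501/S502: recompute h*(F) and μ* from the uploaded bytes and
// verify θ under pk. Only a verified upload is stored; otherwise the user side
// is asked to upload again.
func (c *CloudStore) Receive(u Upload) error {
	if !ed25519.Verify(c.pk, mu(u.Fid, hashFile(u.File)), u.Theta) {
		return errors.New("file signature invalid: re-upload required")
	}
	c.files[u.Fid] = append([]byte(nil), u.File...)
	return nil
}

// Enclave models the trusted container. Audit is S301-S303: load the file by
// Fid from untrusted storage, hash it inside the container, and compare the
// check hash h'(F) with the h(F) received from the user side.
type Enclave struct{ store *CloudStore }
func (e Enclave) Audit(fid string, hashF []byte) (bool, error) {
	f, ok := e.store.files[fid]
	if !ok {
		return false, fmt.Errorf("no outsourced file for %q", fid)
	}
	return bytes.Equal(hashFile(f), hashF), nil
}

// ScenarioResult records the outcome of the cases RunScenario exercises.
type ScenarioResult struct{ Stored, Intact, TamperDetected, ForgeRejected bool }
// RunScenario walks the protocol on a constructed sample file: honest upload and
// audit, audit after a bit flip in cloud storage, and an upload signed with a
// key whose public half the cloud never received.
func RunScenario() ScenarioResult {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	cloud := &CloudStore{pk: pk, files: map[string][]byte{}}
	enc := Enclave{store: cloud}
	file := []byte("constructed sample outsourced file contents")
	up, hashF := UserPreprocess(sk, "ledger-2020-07", file)
	stored := cloud.Receive(up) == nil
	intact, _ := enc.Audit(up.Fid, hashF)
	cloud.files[up.Fid][0] ^= 0x01 // simulate silent corruption at the cloud
	after, _ := enc.Audit(up.Fid, hashF)
	_, otherSk, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := UserPreprocess(otherSk, "ledger-2020-08", file)
	return ScenarioResult{stored, intact, !after, cloud.Receive(forged) != nil}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Note that the container never receives the file over the channel: only Fid and h(F) cross it, which is where the communication saving over the tag-based schemes in the background section comes from.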
Based on the same inventive concept, the embodiment of the present application further provides an SGX-based cloud data integrity auditing apparatus, which can be used to implement the methods described in the above embodiments, as described in the following embodiments. Because the problem solving principle of the cloud data integrity auditing device based on the SGX is similar to that of a cloud data integrity auditing method based on the SGX, the implementation of the cloud data integrity auditing device based on the SGX can refer to the implementation of the cloud data integrity auditing method based on the SGX, and repeated parts are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
As shown in fig. 6, the present application provides a cloud data integrity auditing apparatus based on SGX, including:
a receiving unit 601, configured to receive, through a pre-established secure communication channel, an outsourced file identifier and a corresponding outsourced file hash value sent by a user side;
and a data integrity verification unit 602, configured to verify, in the local trusted container, the data integrity of the outsourced file using the outsourced file identifier and the outsourced file hash value.
In an embodiment, the cloud data integrity auditing apparatus further includes:
and the file signature verification unit is used for receiving the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifying the integrity and the validity of the file signature by using the outsourced file.
In one embodiment, the process of constructing the secure communication channel includes:
carrying out communication trust verification on a user side;
and after the verification is passed, a secure communication channel between the user side and the pre-created local trusted container is constructed.
In one embodiment, as shown in fig. 7, the data integrity verification unit 602 includes:
a loading module 701, configured to load a corresponding outsourced file into a trusted container according to an outsourced file identifier;
a check hash value obtaining module 702, configured to perform hash value calculation on the outsourced file in the trusted container to obtain a check hash value;
and the integrity verification module 703 is configured to verify the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
In one embodiment, as shown in fig. 8, the file signature verification unit includes:
a verification hash value obtaining module 801, configured to perform hash value calculation on the outsourced file to obtain a verification hash value;
the file signature verification module 802 is configured to verify the file signature by using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file, and the verification hash value.
The cloud data integrity auditing method and device based on the SGX ensure that cloud storage data integrity auditing is supported, simultaneously avoid complex calculation of a user side, save calculation resources of a user side server, and integrally improve the operation speed.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
An embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all steps in the method in the foregoing embodiment, and referring to fig. 9, the electronic device specifically includes the following contents:
a processor 901, a memory 902, a communication interface 903, a bus 904, and a nonvolatile memory 905;
the processor 901, the memory 902 and the communication interface 903 complete mutual communication through the bus 904;
the processor 901 is configured to call the computer programs in the memory 902 and the nonvolatile memory 905, and when the processor executes the computer programs, the processor implements all the steps in the method in the foregoing embodiments, for example, when the processor executes the computer programs, the processor implements the following steps:
S101: receiving the outsourced file identifier and the corresponding outsourced file hash value sent by the user side through a pre-constructed secure communication channel.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
Embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments, where the computer-readable storage medium stores thereon a computer program, and the computer program when executed by a processor implements all the steps of the method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
S101: receiving the outsourced file identifier and the corresponding outsourced file hash value sent by the user side through a pre-constructed secure communication channel.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment. Although embodiments of the present description provide method steps as described in embodiments or flowcharts, more or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. 
Of course, in implementing the embodiments of the present description, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of multiple sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein. The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of an embodiment of the specification.
In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction. The above description is only an example of the embodiments of the present disclosure, and is not intended to limit the embodiments of the present disclosure. Various modifications and variations to the embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.

Claims (12)

1. An SGX-based cloud data integrity auditing method, characterized in that it comprises the following steps:
receiving, through a pre-constructed secure communication channel, an outsourced file identifier and a corresponding outsourced file hash value sent by a user side;
and verifying, through a local trusted container, the data integrity of the outsourced file by using the outsourced file identifier and the outsourced file hash value.
2. The cloud data integrity auditing method of claim 1, further comprising:
receiving an outsourced file uploaded by the user side and a file signature corresponding to the outsourced file, and verifying the integrity and validity of the file signature by using the outsourced file.
3. The cloud data integrity auditing method of claim 1, wherein the process of constructing the secure communication channel comprises:
performing communication trust verification on the user side;
and, after the verification passes, constructing a secure communication channel between the user side and a pre-created local trusted container.
4. The cloud data integrity auditing method of claim 1, wherein said verifying, through a local trusted container, the data integrity of the outsourced file by using the outsourced file identifier and the outsourced file hash value comprises:
loading the corresponding outsourced file into the trusted container according to the outsourced file identifier;
calculating a hash value of the outsourced file in the trusted container to obtain a check hash value;
and verifying the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
5. The cloud data integrity auditing method of claim 2, wherein said verifying the integrity and validity of the file signature by using the outsourced file comprises:
calculating a hash value of the outsourced file to obtain a verification hash value;
and verifying the file signature by using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file and the verification hash value.
6. An SGX-based cloud data integrity auditing device, characterized in that it comprises:
a receiving unit, configured to receive, through a pre-constructed secure communication channel, an outsourced file identifier and a corresponding outsourced file hash value sent by a user side;
and a data integrity verification unit, configured to verify, through a local trusted container, the data integrity of the outsourced file by using the outsourced file identifier and the outsourced file hash value.
7. The cloud data integrity auditing device of claim 6, further comprising:
a file signature verification unit, configured to receive an outsourced file uploaded by the user side and a file signature corresponding to the outsourced file, and to verify the integrity and validity of the file signature by using the outsourced file.
8. The cloud data integrity auditing device of claim 6, wherein the process of constructing the secure communication channel comprises:
performing communication trust verification on the user side;
and, after the verification passes, constructing a secure communication channel between the user side and a pre-created local trusted container.
9. The cloud data integrity auditing device of claim 6, wherein the data integrity verification unit comprises:
a loading module, configured to load the corresponding outsourced file into the trusted container according to the outsourced file identifier;
a check hash value acquisition module, configured to calculate the hash value of the outsourced file in the trusted container to obtain a check hash value;
and an integrity verification module, configured to verify the data integrity of the outsourced file by comparing the check hash value with the outsourced file hash value.
10. The cloud data integrity auditing device of claim 7, wherein the file signature verification unit comprises:
a verification hash value acquisition module, configured to calculate the hash value of the outsourced file to obtain a verification hash value;
and a file signature verification module, configured to verify the file signature by using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file and the verification hash value.
11. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the SGX-based cloud data integrity auditing method of any one of claims 1-5 when executing the program.
12. A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the SGX-based cloud data integrity auditing method of any one of claims 1-5.
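The flow in claims 1 to 5, modelled as an added example that is not the patent's own code: the local trusted container is a plain Python class standing in for the SGX enclave, the untrusted cloud store is a dict, and remote attestation and the secure channel are assumed to have already been established out of band. The patent does not name the signature scheme, so a toy textbook RSA over a SHA-256 digest is used purely so the example runs with the standard library; all identifiers, file contents and key sizes are constructed for illustration.

```python
"""Added example (not from the patent): enclave-side data integrity audit.

Assumptions: attestation and the secure channel already happened; the user's
signature scheme is stood in for by toy RSA (unpadded, 512-bit) so the code
runs offline. The toy RSA is NOT a secure signature scheme.
"""
import hashlib
import hmac
import secrets


def file_hash(data: bytes) -> bytes:
    """SHA-256 digest of an outsourced file (the 'outsourced file hash value')."""
    return hashlib.sha256(data).digest()


# ---- toy RSA, a constructed stand-in for the user's real signature scheme ----
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def toy_rsa_keypair(bits: int = 512):
    """Return ((e, n), (d, n)); the user keeps (d, n) and uploads (e, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _record_digest(file_id: str, digest: bytes) -> int:
    # The signed message binds the file identifier to the file hash; claim 5
    # verifies exactly this triple (public key, identifier, verification hash).
    return int.from_bytes(hashlib.sha256(file_id.encode() + digest).digest(), "big")


def sign_file_record(file_id: str, digest: bytes, priv) -> int:
    """User side: sign (file_id, hash) before uploading the file."""
    d, n = priv
    return pow(_record_digest(file_id, digest), d, n)


def verify_file_signature(data: bytes, file_id: str, pub, signature: int) -> bool:
    """Claim 5: recompute the verification hash from the uploaded bytes, then
    check the signature against (file_id, hash) with the uploaded public key."""
    e, n = pub
    return pow(signature, e, n) == _record_digest(file_id, file_hash(data))


def ingest_outsourced_file(storage: dict, file_id: str, data: bytes,
                           signature: int, pub) -> bool:
    """Claim 2: store an upload only if its file signature verifies."""
    if not verify_file_signature(data, file_id, pub, signature):
        return False
    storage[file_id] = data
    return True


class Enclave:
    """Stand-in for the local trusted container of claims 1 and 4."""

    def __init__(self, untrusted_storage: dict):
        self._storage = untrusted_storage  # cloud file store, outside the TCB

    def audit(self, file_id: str, claimed_hash: bytes) -> bool:
        data = self._storage.get(file_id)                    # load by identifier
        if data is None:
            return False                                     # missing file fails
        check_hash = file_hash(data)                         # hashed inside the container
        return hmac.compare_digest(check_hash, claimed_hash)  # constant-time compare


def run_demo() -> dict:
    """Walk the whole flow on constructed data and report each outcome."""
    pub, priv = toy_rsa_keypair()
    storage = {}
    file_id, data = "constructed-file-001", b"constructed outsourced file contents"
    digest = file_hash(data)
    sig = sign_file_record(file_id, digest, priv)
    out = {"upload_accepted": ingest_outsourced_file(storage, file_id, data, sig, pub),
           # same signature over different bytes must be rejected at upload
           "tampered_upload_rejected": not ingest_outsourced_file(storage, file_id, data + b"x", sig, pub)}
    enclave = Enclave(storage)
    out["audit_ok"] = enclave.audit(file_id, digest)
    storage[file_id] = data[:-1] + b"!"                      # silent corruption in the cloud
    out["audit_detects_tamper"] = not enclave.audit(file_id, digest)
    out["unknown_file_fails"] = not enclave.audit("no-such-file", digest)
    return out
```

The point the claims make is that the check hash is computed inside the trusted container, so a cloud operator who alters the stored file cannot also alter the hash that the user delivered over the attested channel; the constant-time comparison and the fail-closed handling of a missing file are the two details a practitioner would add around that comparison.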

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010717328.0A CN111859467B (en) 2020-07-23 2020-07-23 Cloud data integrity auditing method and device based on SGX

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010717328.0A CN111859467B (en) 2020-07-23 2020-07-23 Cloud data integrity auditing method and device based on SGX

Publications (2)

Publication Number Publication Date
CN111859467A true CN111859467A (en) 2020-10-30
CN111859467B CN111859467B (en) 2024-03-26

Family

ID=72950816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010717328.0A Active CN111859467B (en) 2020-07-23 2020-07-23 Cloud data integrity auditing method and device based on SGX

Country Status (1)

Country Link
CN (1) CN111859467B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112488721A (en) * 2020-12-08 2021-03-12 天津津航计算技术研究所 User-oriented credible verification method
CN112632638A (en) * 2020-12-24 2021-04-09 中国工商银行股份有限公司 Multi-copy data integrity verification method and device
CN113992389A (en) * 2021-10-26 2022-01-28 东北大学秦皇岛分校 SGX data integrity auditing method based on dynamic frequency table
CN114866337A (en) * 2022-06-10 2022-08-05 中国工商银行股份有限公司 Shared data auditing method, device, apparatus, storage medium, and program product
CN115174601A (en) * 2022-06-23 2022-10-11 中国工商银行股份有限公司 Data processing method, system, processor and electronic equipment
CN115484031A (en) * 2022-09-13 2022-12-16 山东大学 SGX-based cloud storage ciphertext deduplication method and system without a trusted third party

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018113642A1 (en) * 2016-12-20 2018-06-28 西安电子科技大学 Control flow hiding method and system oriented to remote computing
CN109104440A (en) * 2018-10-22 2018-12-28 青岛大学 Cloud storage big data integrity verification method for Internet-of-Things-oriented mobile terminal devices
CN109561110A (en) * 2019-01-19 2019-04-02 北京工业大学 An SGX-based cloud platform audit log protection method
CN109787742A (en) * 2019-01-16 2019-05-21 福建师范大学 A protocol and system for verifying data possession integrity in cloud storage
CN109993003A (en) * 2019-03-12 2019-07-09 广州大学 An SGX-based software flow security verification method and device
CN110138799A (en) * 2019-05-30 2019-08-16 东北大学 An SGX-based secure cloud storage method
CN110245518A (en) * 2019-05-31 2019-09-17 阿里巴巴集团控股有限公司 A data storage method, device and equipment
CN110914851A (en) * 2019-03-27 2020-03-24 阿里巴巴集团控股有限公司 Improving integrity of communications between blockchain networks and external data sources

Also Published As

Publication number Publication date
CN111859467B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
CN111859467B (en) Cloud data integrity auditing method and device based on SGX
CN111541785B (en) Block chain data processing method and device based on cloud computing
EP3499847B1 (en) Efficient validation of transaction policy compliance in a distributed ledger system
Zhao et al. A security framework in G-Hadoop for big data computing across distributed Cloud data centres
US8856544B2 (en) System and method for providing secure virtual machines
US8646062B2 (en) Remote authentication based on challenge-response using digital certificates
EP2999158A1 (en) Secure communication authentication method and system in distributed environment
US10796001B2 (en) Software verification method and apparatus
WO2022073264A1 (en) Systems and methods for secure and fast machine learning inference in trusted execution environment
EP2965192A1 (en) Configuration and verification by trusted provider
US20200293361A1 (en) Method and distributed database system for computer-aided execution of a program code
CN104715183A (en) Trusted verifying method and equipment used in running process of virtual machine
CN111639327A (en) Authentication method and device for open platform
CN110601896A (en) Data processing method and equipment based on block chain nodes
CN111880919A (en) Data scheduling method, system and computer equipment
CN113572619B (en) Container cloud mirror image credible implementation method and system based on nottry
US11139982B2 (en) Communication-efficient device delegation
CN110730186A (en) Token issuing method, accounting node and medium based on block chain
CN104901959A (en) Method and system for verifying credibility of computing pool
CN115378605A (en) Data processing method and device based on block chain
CN112632638A (en) Multi-copy data integrity verification method and device
CN103795694A (en) License control method and license control system
CN113419769A (en) Application software management method and device
CN102647273B (en) Generation methods and devices of user root key and user key for trusted computing platform
CN113810193B (en) Migration method of virtual trusted root and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant