CN111859467B - Cloud data integrity auditing method and device based on SGX - Google Patents

Cloud data integrity auditing method and device based on SGX

Info

Publication number: CN111859467B (other version: CN111859467A)
Application number: CN202010717328.0A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: file, hash value, outsourcing, verification, data integrity
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventors: 陈文琪, 暨光耀, 吴晓茵, 张洁芳
Current and original assignee: Industrial and Commercial Bank of China Ltd (ICBC) (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202010717328.0A; publication of CN111859467A; application granted; publication of CN111859467B; legal status active

Classifications

    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/52 and G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00)


Abstract

The invention provides an SGX-based cloud data integrity auditing method and device, comprising the following steps: receiving, through a pre-constructed secure communication channel, an outsourced file identifier and the corresponding outsourced file hash value sent by the user side; and verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value. A trusted container is established on the cloud server through SGX (a processor security technology) to perform the audit verification, so that integrity auditing of cloud storage data is ensured while complex calculation on the user side (for example, generating data block tags) is avoided; the user side server can therefore support data integrity verification with a small amount of computation and communication overhead.

Description

Cloud data integrity auditing method and device based on SGX
Technical Field
The application belongs to the technical field of trusted cloud computing, and particularly relates to a cloud data integrity auditing method and device based on SGX.
Background
Cloud storage services are increasingly popular: cloud storage lets people access and share their own data over a network at any time and place, and relieves them of maintaining and managing the storage themselves. However, once the data is stored on the cloud server, the user loses physical control over it and cannot verify its integrity by conventional means. Existing solutions therefore preprocess the data to generate a corresponding set of data block tags and other metadata that assists verification. The user then transmits the file data and the generated metadata to the cloud server. Thereafter the user may issue a challenge to the cloud server; the cloud server generates corresponding evidence information from the challenge information and the metadata and returns it to the user for verification. If the verification succeeds, the data is shown to be stored intact; otherwise the data is damaged. This approach, however, imposes serious computational overhead on the user and increases the communication overhead between the user side and the cloud server side.
Disclosure of Invention
The application provides an SGX (Software Guard Extensions) based cloud data integrity auditing method and device, in order to at least solve the problems that, in existing cloud auditing methods, the computing resource expenditure of the user side server is serious and the communication expenditure between the user side and the cloud server side is large.
According to one aspect of the application, there is provided a cloud data integrity auditing method based on SGX, including:
receiving an outsourcing file identifier and a corresponding outsourcing file hash value sent by a user side through a pre-constructed secure communication channel;
and verifying the data integrity of the outsourced file by using the local trusted container and the outsourced file identifier and the outsourced file hash value.
In an embodiment, the cloud data integrity auditing method further includes:
and receiving the outsourcing file uploaded by the user side and the file signature corresponding to the outsourcing file, and verifying the integrity and the validity of the file signature by using the outsourcing file.
In one embodiment, the process of establishing a secure communication channel includes:
carrying out communication trust verification on the user;
after passing the verification, a secure communication channel between the user side and the pre-established local trusted container is constructed.
In one embodiment, verifying the data integrity of the outsourced file by the local trusted container and using the outsourced file identifier and the outsourced file hash value comprises:
loading the corresponding outsourcing file into a trusted container according to the outsourcing file identifier;
carrying out hash value calculation on the outsourced file in the trusted container to obtain a verification hash value;
and verifying the data integrity of the outsourced file by comparing the verification hash value with the outsourced file hash value.
In one embodiment, verifying the integrity and validity of a file signature using an outsourced file includes:
carrying out hash value calculation on the outsourced file to obtain a verification hash value;
and verifying the file signature by using the public key uploaded by the user side, the outsourcing file identifier corresponding to the outsourcing file and the verification hash value.
According to another aspect of the present application, there is also provided a cloud data integrity auditing apparatus based on SGX, including:
the receiving unit is used for receiving the outsourcing file identifier and the corresponding outsourcing file hash value sent by the user terminal through a pre-constructed secure communication channel;
and the data integrity verification unit is used for verifying the data integrity of the outsourced file through the local trusted container and by utilizing the outsourced file identifier and the outsourced file hash value.
In an embodiment, the cloud data integrity auditing apparatus further includes:
the file signature verification unit is used for receiving the outsourcing file uploaded by the user side and the file signature corresponding to the outsourcing file, and verifying the integrity and the validity of the file signature by utilizing the outsourcing file.
In one embodiment, the process of establishing a secure communication channel includes:
carrying out communication trust verification on the user;
after passing the verification, a secure communication channel between the user side and the pre-established local trusted container is constructed.
In one embodiment, the data integrity verification unit includes:
the loading module is used for loading the corresponding outsourcing file into the trusted container according to the outsourcing file identifier;
the verification hash value acquisition module is used for carrying out hash value calculation on the outsourced files in the trusted container to obtain a verification hash value;
and the integrity verification module is used for verifying the data integrity of the outsourcing file by comparing the verification hash value with the outsourcing file hash value.
In one embodiment, the file signature verification unit includes:
the verification hash value acquisition module is used for carrying out hash value calculation on the outsourced file to obtain a verification hash value;
and the file signature verification module is used for verifying the file signature by using the public key uploaded by the user side, the outsourcing file identifier corresponding to the outsourcing file and the verification hash value.
In the method and the apparatus, a trusted container is established on the cloud server through SGX (a processor security technology) to perform the audit verification, so that integrity auditing of cloud storage data is ensured while complex calculation on the user side (for example, generating data block tags) is avoided; the user side server can therefore support data integrity verification with a small amount of computation and communication overhead.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an SGX-based cloud data integrity auditing method provided in the present application.
Fig. 2 is a schematic diagram of a cloud audit system based on SGX in the present application.
Fig. 3 is a flowchart of data integrity verification of an outsourced file in an embodiment of the present application.
Fig. 4 is a flowchart of constructing a secure communication channel in an embodiment of the present application.
FIG. 5 is a flow chart of verifying the integrity and validity of a document signature using an outsourced document in an embodiment of the present application.
Fig. 6 is a structural block diagram of an SGX-based cloud data integrity auditing apparatus provided in the present application.
Fig. 7 is a block diagram of the data integrity verification unit in the embodiment of the present application.
Fig. 8 is a block diagram showing the structure of a file signature verification unit in the embodiment of the present application.
Fig. 9 is a specific implementation of an electronic device in an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
At present, in the cloud audit process the cloud server generates evidence information from the challenge information and the metadata of the uploaded file data provided by the user side, and sends the evidence to the user side for verification; if the verification succeeds, the uploaded file data is shown to be stored intact, otherwise the data is damaged. This method, however, causes serious computational overhead for the user side server (for example, the user side must generate data block tags). To address these problems, the application provides an SGX-based cloud data integrity auditing method, whose application scenario is introduced first. After the cloud server is provided with an SGX (Software Guard Extensions) environment, the cloud server side comprises three modules: a file verification module, a trusted environment proving module and a verification data module.
The file verification module is in an area of non-trusted software, and is used for receiving the file uploaded by the user side and metadata related to file verification. After receiving the user side data, the integrity of the file data and the validity of the signature are verified. If the verification is passed, the data uploaded by the user terminal is stored, otherwise, the user terminal is required to resend the correct data.
The trusted environment proving module is used to initiate authentication of the cloud server's operating environment. The cloud server creates a trusted container (enclave) locally according to the authentication request. After the trusted container is created, the container sends the hash value of its contents to the user side. If the hash value is inconsistent with the expected value, the user side refuses to establish communication with the container; otherwise, the cloud server establishes a trusted channel with the user.
The verification data module is used to verify the integrity of the data. The user side transmits the challenge information to the trusted container through the trusted channel, and the cloud server loads the corresponding file into the trusted container according to the challenge information and verifies the integrity of the file. If the verification passes, a message is sent to the user side through the trusted channel informing the user that the data is intact; otherwise the user is informed that the data is damaged.
As shown in fig. 1, the cloud data integrity auditing method based on the above scenario includes:
S101: receiving, through a pre-constructed secure communication channel, the outsourced file identifier and the corresponding outsourced file hash value sent by the user terminal.
In a specific embodiment, as shown in fig. 2, the cloud audit system model includes a user side and a cloud server side. An untrusted software area on the cloud server side performs file verification: the user side transmits the preprocessed file to the untrusted software, then the computing scheduler of the user side establishes a secure communication channel (trusted channel) with the trusted container of the cloud server side, and finally information transmission and data integrity verification are completed through that channel. The cryptographic parameters and variables are set as follows. Let the system security parameter be l, and let the large prime p satisfy |p| = l; G is a multiplicative cyclic group of prime order p and g is a generator of G; h(·) is a cryptographic hash function; H(·) is a secure hash function mapping into the group, defined as H: {0,1}* → G.
After the setup is finished, the user side first preprocesses the file to be uploaded (the outsourced file F) to generate a file signature θ of F, a file identifier Fid of F and the corresponding outsourced file hash value h(F), and then sends this information to the trusted container of the cloud server through the pre-constructed secure communication channel.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
The execution subject of the method shown in fig. 1 may be a PC, a terminal, etc. A trusted container is established on the cloud server through SGX technology to audit and verify the uploaded file, so that complex calculation on the client server is avoided and the client can support data integrity verification with a small amount of computation and communication overhead.
In one embodiment, as shown in fig. 3, verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value comprises:
S301: loading the corresponding outsourced file into the trusted container according to the outsourced file identifier.
In a specific embodiment, after receiving the file identifier Fid of the outsourced file F and the corresponding outsourced file hash value h(F) sent by the user side, the cloud server loads the outsourced file F corresponding to Fid into the trusted container from outside the trusted container.
S302: calculating the hash value of the outsourced file in the trusted container to obtain a verification hash value.
In a specific embodiment, a hash calculation is performed on the outsourced file F inside the trusted container to obtain the verification hash value h'(F), and it is then checked whether h'(F) equals the outsourced file hash value h(F).
S303: verifying the data integrity of the outsourced file by comparing the verification hash value with the outsourced file hash value.
In one embodiment, if the verification hash value h'(F) equals the outsourced file hash value h(F), the uploaded outsourced file F is intact; otherwise the file is corrupted.
In one embodiment, the step "the user side first preprocesses the file to be uploaded (the outsourced file)" mentioned in S101 specifically includes:
The user side generates a signature key pair (sk, pk), where sk is the private key and pk is the public key, with pk = g^sk; the public key pk is sent to the cloud server. For the file F, the user side generates the file identifier Fid and the hash value h(F) of the file data, and then computes the hash value μ of the concatenation of Fid and h(F):
μ = H(Fid || h(F))
and generates a digital signature θ on the hash value μ with the private key sk:
θ = SIG(sk, μ);
where SIG(sk, μ) denotes generating a digital signature (a BLS signature) on the hash value μ with the private key sk.
The cloud server receives the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifies the integrity and validity of the file signature using the outsourced file.
In one embodiment, as shown in fig. 4, the process of constructing a secure communication channel includes:
S401: carrying out communication trust verification on the user.
In a specific embodiment, the user equipment authenticates the trusted environment of the cloud server. SGX software attestation is used to prove to the user side that it is really communicating with the expected server software, and that this software runs in a secure container on the trusted hardware.
S402: after the verification passes, a secure communication channel between the user side and the pre-established local trusted container is constructed.
In a specific embodiment, if the communication trust verification passes, a secure communication channel is established between the user side and the trusted container; otherwise communication is refused.
In one embodiment, as shown in FIG. 5, verifying the integrity and validity of the file signature using the outsourced file comprises:
S501: calculating the hash value of the outsourced file to obtain a verification hash value.
S502: verifying the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file, and the verification hash value.
In a specific embodiment, the cloud server first performs a hash calculation on the file F to obtain the hash value h*(F), then uses the public key pk, the file identifier Fid and the hash value h*(F) to verify the integrity and validity of the file signature θ. If the verification passes, the cloud server stores the uploaded data; otherwise the user side is required to upload again. The specific process of verifying the integrity and validity of the file signature is as follows:
After the cloud server receives the data from the user side, it verifies the integrity and validity of that data. First, the cloud server computes the hash value h*(F) of the file F, and then computes the hash value μ* of the concatenation of the file identifier Fid and the hash value h*(F):
μ* = H(Fid || h*(F))
Then the signature θ is verified with the public key pk and the hash value μ*:
β = Verify(pk, θ, μ*);
where Verify(pk, θ, μ*) denotes verifying the signature θ with the public key pk and the hash value μ* and returning the result. Finally, if β is True, the uploaded data is stored; if β is False, the user side is required to re-upload.
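The complete flow described in S101 to S502 (user-side preprocessing, signature check in the untrusted file verification module, the attestation gate before the trusted channel, and the in-container hash audit), as an added Go example that is not part of the patent: Ed25519 from the Go standard library stands in for the BLS signature, SHA-256 for h(·) and H(·), and a byte comparison of a constructed measurement stands in for SGX attestation; all type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Upload is what the user side sends to the untrusted file verification
// module: the outsourced file F, its identifier Fid, h(F) and the signature θ.
type Upload struct {
	Fid  string
	File []byte
	HF   []byte // h(F)
	Sig  []byte // θ = SIG(sk, μ)
}

// fileHash is h(·); SHA-256 is assumed for the cryptographic hash function.
func fileHash(f []byte) []byte {
	s := sha256.Sum256(f)
	return s[:]
}

// mu computes μ = H(Fid || h(F)). The patent maps H into the group G for BLS;
// with Ed25519 substituted, SHA-256 over the plain concatenation is assumed
// (h(F) has a fixed length, so the concatenation is unambiguous).
func mu(fid string, hf []byte) []byte {
	h := sha256.New()
	h.Write([]byte(fid))
	h.Write(hf)
	return h.Sum(nil)
}

// ClientPreprocess is the user-side preprocessing of S101: h(F),
// μ = H(Fid || h(F)) and θ = SIG(sk, μ). Ed25519 stands in for BLS.
func ClientPreprocess(sk ed25519.PrivateKey, fid string, file []byte) Upload {
	hf := fileHash(file)
	return Upload{Fid: fid, File: file, HF: hf, Sig: ed25519.Sign(sk, mu(fid, hf))}
}

// UntrustedStore is the file verification module: it runs outside the
// trusted container and keeps only files whose signature verified.
type UntrustedStore struct {
	pk    ed25519.PublicKey // public key uploaded by the user side
	files map[string][]byte
}

// Accept is S501/S502: recompute h*(F) and μ* = H(Fid || h*(F)) from the
// received bytes, then β = Verify(pk, θ, μ*). On failure nothing is stored
// and the user side must re-upload.
func (s *UntrustedStore) Accept(u Upload) error {
	if !ed25519.Verify(s.pk, mu(u.Fid, fileHash(u.File)), u.Sig) {
		return errors.New("file signature invalid: user side must re-upload")
	}
	s.files[u.Fid] = append([]byte(nil), u.File...) // keep a private copy
	return nil
}

// Enclave stands in for the SGX trusted container. Measurement models the
// hash of the container contents that the user side compares with its
// expected value in S401 before the trusted channel is established.
type Enclave struct {
	store       *UntrustedStore
	Measurement []byte
}

// OpenChannel is the S401/S402 gate: the user side only talks to a container
// whose measurement matches. Real SGX attestation verifies a platform-signed
// quote; a plain comparison of a constructed value is assumed here.
func (e Enclave) OpenChannel(expected []byte) bool {
	return bytes.Equal(e.Measurement, expected)
}

// Audit is S301-S303, run inside the container over the trusted channel: load
// F by Fid from outside the container, compute h'(F) and compare it with the
// h(F) the user side sent in the challenge.
func (e Enclave) Audit(fid string, hf []byte) (bool, error) {
	f, ok := e.store.files[fid]
	if !ok {
		return false, errors.New("unknown file identifier")
	}
	return bytes.Equal(fileHash(f), hf), nil
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	store := &UntrustedStore{pk: pk, files: map[string][]byte{}}
	measurement := fileHash([]byte("constructed enclave contents"))
	enclave := Enclave{store: store, Measurement: measurement}
	up := ClientPreprocess(sk, "report-2020-07", []byte("constructed outsourced file"))
	fmt.Println("upload accepted:", store.Accept(up) == nil)
	if enclave.OpenChannel(measurement) { // user side attests, then challenges
		ok, _ := enclave.Audit(up.Fid, up.HF)
		fmt.Println("audit of intact file:", ok)
		store.files[up.Fid][0] ^= 0x01 // simulate silent corruption at rest
		ok, _ = enclave.Audit(up.Fid, up.HF)
		fmt.Println("audit after corruption:", ok)
	}
}
```

Note that the file bytes never leave the cloud server during the audit: the user side only sends Fid and h(F), which is the communication saving the patent claims.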
Based on the same inventive concept, the embodiment of the application also provides a cloud data integrity auditing device based on SGX, which can be used for realizing the method described in the embodiment, as described in the embodiment below. Because the principle of solving the problem of the cloud data integrity auditing device based on SGX is similar to that of the cloud data integrity auditing method based on SGX, implementation of the cloud data integrity auditing device based on SGX can be referred to implementation of the cloud data integrity auditing method based on SGX, and repeated parts are omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the system described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
As shown in fig. 6, the present application provides a cloud data integrity auditing apparatus based on SGX, including:
a receiving unit 601, configured to receive, through a pre-constructed secure communication channel, an outsourcing file identifier and a corresponding outsourcing file hash value sent by a user side;
the data integrity verification unit 602 is configured to verify the data integrity of the outsourced file by using the outsourced file identifier and the outsourced file hash value through the local trusted container.
In an embodiment, the cloud data integrity auditing apparatus further includes:
the file signature verification unit is used for receiving the outsourcing file uploaded by the user side and the file signature corresponding to the outsourcing file, and verifying the integrity and the validity of the file signature by utilizing the outsourcing file.
In one embodiment, the process of establishing a secure communication channel includes:
carrying out communication trust verification on the user;
after passing the verification, a secure communication channel between the user side and the pre-established local trusted container is constructed.
In one embodiment, as shown in fig. 7, the data integrity verification unit 602 includes:
the loading module 701 is configured to load the corresponding outsourced file into a trusted container according to the outsourced file identifier;
the verification hash value obtaining module 702 is configured to perform hash value calculation on the outsourced file in the trusted container to obtain a verification hash value;
the integrity verification module 703 is configured to verify the data integrity of the outsourced file by comparing the verification hash value with the outsourced file hash value.
In one embodiment, as shown in fig. 8, the file signature verification unit includes:
the verification hash value obtaining module 801 is configured to perform hash value calculation on the outsourced file to obtain a verification hash value;
the file signature verification module 802 is configured to verify the file signature by using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file, and the verification hash value.
According to the cloud data integrity auditing method and device based on SGX, complex calculation of a user side is avoided while the support of cloud storage data integrity auditing is ensured, the calculation resources of a user side server are saved, and the running speed is improved as a whole.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
The embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all the steps in the method in the foregoing embodiment, and referring to fig. 9, the electronic device specifically includes the following:
a processor (processor) 901, memory 902, a communication interface (Communications Interface) 903, a bus 904, and non-volatile storage 905;
wherein, the processor 901, the memory 902 and the communication interface 903 complete the communication with each other through the bus 904;
the processor 901 is configured to invoke the computer program in the memory 902 and the non-volatile storage 905, and executes the computer program to implement all the steps of the method in the foregoing embodiment; for example, the processor executes the computer program to implement the following steps:
S101: receiving, through a pre-constructed secure communication channel, the outsourced file identifier and the corresponding outsourced file hash value sent by the user terminal.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
The embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments, the computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements all the steps of the method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
S101: receiving, through a pre-constructed secure communication channel, the outsourced file identifier and the corresponding outsourced file hash value sent by the user terminal.
S102: verifying the data integrity of the outsourced file in the local trusted container using the outsourced file identifier and the outsourced file hash value.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the others. In particular, the description of the hardware-plus-program embodiment is relatively brief, since it is substantially similar to the method embodiment; for the relevant parts, see the description of the method embodiment. Although this description provides the method operation steps as described in the examples or flowcharts, more or fewer operation steps may be included on the basis of conventional or non-inventive means. The order of steps recited in the embodiments is merely one possible order of execution and does not represent the only order of execution. When implemented in an actual device or end product, the instructions may be executed sequentially or in parallel (for example, in a parallel-processor or multi-threaded processing environment, or even in a distributed data processing environment) as illustrated by the embodiments or the figures. The terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises a described element is not excluded. For convenience of description, the above devices are described as being functionally divided into various modules.
Of course, when implementing the embodiments of the present disclosure, the functions of the modules may be implemented in one or more pieces of software and/or hardware, or a module that implements a given function may be implemented by multiple sub-modules or a combination of sub-units. The above-described apparatus embodiments are merely illustrative; for example, the division into units is merely a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or of another form. The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus create means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, a system, or a computer program product. Accordingly, the embodiments of the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present description may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, see the description of the method embodiments. In the description of the present specification, reference to the terms "one embodiment", "some embodiments", "examples", "specific examples", "some examples", or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present specification.
In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the different embodiments or examples described in this specification, and the features of those different embodiments or examples, may be combined by those skilled in the art provided there is no contradiction. The foregoing is merely an example of an embodiment of the present disclosure and is not intended to limit the embodiments of the present disclosure. Various modifications and variations of the illustrative embodiments will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like that falls within the spirit and principles of the embodiments of the present specification should be included in the scope of the claims of the embodiments of the present specification.

Claims (10)

1. An SGX-based cloud data integrity auditing method, characterized in that it is executed by a cloud server side and comprises the following steps:
receiving an outsourced file identifier and a corresponding outsourced file hash value sent by a user side through a pre-constructed secure communication channel between the user side and a local trusted container;
verifying the data integrity of the outsourced file through the local trusted container using the outsourced file identifier and the outsourced file hash value;
wherein verifying the data integrity of the outsourced file through the local trusted container using the outsourced file identifier and the outsourced file hash value comprises the following steps:
loading the corresponding outsourced file into the trusted container according to the outsourced file identifier;
performing a hash value calculation on the outsourced file in the trusted container to obtain a verification hash value;
and verifying the data integrity of the outsourced file by comparing the verification hash value with the outsourced file hash value.
2. The cloud data integrity auditing method of claim 1, further comprising:
receiving the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and verifying the integrity and validity of the file signature using the outsourced file.
3. The cloud data integrity auditing method of claim 1, wherein the process of constructing the secure communication channel comprises:
performing communication trust verification on the user side;
after the verification passes, constructing a secure communication channel between the user side and the pre-established local trusted container.
4. The cloud data integrity auditing method of claim 2, wherein verifying the integrity and validity of the file signature using the outsourced file comprises:
performing a hash value calculation on the outsourced file to obtain a verification hash value;
and verifying the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file, and the verification hash value.
5. An SGX-based cloud data integrity auditing device, characterized by comprising:
a receiving unit, configured to receive the outsourced file identifier and the corresponding outsourced file hash value sent by the user side through a pre-constructed secure communication channel between the user side and a local trusted container;
a data integrity verification unit, configured to verify the data integrity of the outsourced file through the local trusted container using the outsourced file identifier and the outsourced file hash value;
wherein the data integrity verification unit comprises:
a loading module, configured to load the corresponding outsourced file into the trusted container according to the outsourced file identifier;
a verification hash value acquisition module, configured to perform a hash value calculation on the outsourced file in the trusted container to obtain a verification hash value;
and an integrity verification module, configured to verify the data integrity of the outsourced file by comparing the verification hash value with the outsourced file hash value.
6. The cloud data integrity auditing device of claim 5, further comprising:
a file signature verification unit, configured to receive the outsourced file uploaded by the user side and the file signature corresponding to the outsourced file, and to verify the integrity and validity of the file signature using the outsourced file.
7. The cloud data integrity auditing device of claim 5, wherein the process of constructing the secure communication channel comprises:
performing communication trust verification on the user side;
after the verification passes, constructing a secure communication channel between the user side and the pre-established local trusted container.
8. The cloud data integrity auditing device of claim 6, wherein the file signature verification unit comprises:
a verification hash value acquisition module, configured to perform a hash value calculation on the outsourced file to obtain a verification hash value;
and a file signature verification module, configured to verify the file signature using the public key uploaded by the user side, the outsourced file identifier corresponding to the outsourced file, and the verification hash value.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the SGX-based cloud data integrity auditing method of any one of claims 1 to 4 when executing the program.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the SGX-based cloud data integrity auditing method of any one of claims 1 to 4.
CN202010717328.0A 2020-07-23 2020-07-23 Cloud data integrity auditing method and device based on SGX Active CN111859467B (en)

Publications (2)

Publication Number Publication Date
CN111859467A CN111859467A (en) 2020-10-30
CN111859467B true CN111859467B (en) 2024-03-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant