Disclosure of Invention
In view of this, embodiments of the present invention provide an image data processing method, apparatus, and device based on a hardware security isolation area, so as to solve the prior-art problem of how to encrypt image data under a security hardware module.
In a first aspect of the embodiments of the present invention, an image data processing method based on a hardware security isolation region is provided, which includes: acquiring an m × n × 3-dimensional matrix A read from an image to be processed in an untrusted execution area; randomly generating an m × n dimensional matrix B according to a matrix generator; compressing the m × n dimensional matrix B to obtain a key S; determining the bit number of the key S, selecting the first x bits of the key S as a round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1; performing a matrix dot product operation on the matrix A1 by using the matrix B to obtain an encrypted matrix E; according to a symmetric encryption algorithm, encrypting the matrix E by using the key S as a key to generate an encrypted file of the image to be processed; and outputting the encrypted file.
In some alternatives, reading the image to be processed in the untrusted execution area specifically includes: acquiring an image to be processed; identifying the file format of the image to be processed: when the image to be processed is in a static image format, reading the image to be processed into a three-dimensional matrix in an RGB format; when the image to be processed is in a dynamic image format, reading the maximum frame number of the image to be processed, selecting the images with all/part of the frame number to read the images into a three-dimensional matrix in an RGB format, and packing the three-dimensional matrix in the RGB format corresponding to each frame of image according to the sequence number.
In some alternatives, determining the bit number of the key S, selecting the first x bits of the key S as a round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1 specifically includes: determining the bit number of the key S in binary; extracting the first x bits and converting them into a numerical value a represented in decimal; moving the first element in the matrix A to the position of the 2nd element, and likewise moving the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n), and m and n are positive integers; and executing the permutation a times in succession, with the numerical value a as the number of rounds, and outputting a matrix A1.
In some alternatives, after outputting the encrypted file, further comprising: adding the key S to a key management system; and establishing an association relation between the secret key S and the encrypted file.
In some alternatives, further comprising: receiving an image data application sent by a data user; establishing a secure channel of communication with the data consumer; and according to the secure channel, returning the encrypted file and the key S corresponding to the image data application to a data user.
In a second aspect of the embodiments of the present invention, an image data processing apparatus based on a hardware security isolation region is provided, which includes: a data acquisition module configured to acquire an m × n × 3-dimensional matrix A read for the image to be processed in the untrusted execution area; a matrix generation module configured to randomly generate an m × n dimensional matrix B according to the matrix generator; a key generation module configured to perform compression processing on the m × n dimensional matrix B to obtain a key S; a matrix permutation module configured to determine the bit number of the key S, select the first x bits of the key S as a round number, and perform permutation processing on the matrix A according to the round number to obtain a matrix A1; a matrix operation module configured to perform a matrix dot product operation on the matrix A1 by using the matrix B to obtain an encrypted matrix E; a data encryption module configured to encrypt the matrix E by using the key S as a key according to a symmetric encryption algorithm to generate an encrypted file of the image to be processed; and a data output module configured to output the encrypted file.
In some alternatives, the system further comprises a module arranged in the untrusted execution area for reading the image to be processed, wherein the module comprises: an image acquisition module configured to acquire an image to be processed; an image format recognition module configured to recognize a file format of the image to be processed: the first image conversion module is configured to read the image to be processed into a three-dimensional matrix in an RGB format when the image to be processed is in a static image format; and the second image conversion module is configured to read the maximum frame number of the image to be processed when the image to be processed is in a dynamic image format, select images with all/part of the frame number to read as a three-dimensional matrix in an RGB format, and pack the three-dimensional matrix in the RGB format corresponding to each frame of image according to the sequence number.
In some alternatives, the matrix permutation module specifically includes: a bit number unit configured to determine the bit number of the key S in binary; a round number determination unit configured to extract the first x bits and convert them into a numerical value a represented in decimal; a single permutation unit configured to move the first element in the matrix A to the position of the 2nd element, and likewise move the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n), and m and n are positive integers; and a cyclic permutation unit configured to execute the permutation a times in succession, with the numerical value a as the number of rounds, and output a matrix A1.
In some alternatives, further comprising: a key saving module configured to add the key S to a key management system; a key association module configured to establish an association relationship between the key S and the encrypted file.
In some alternatives, further comprising: the application receiving module is configured to receive an image data application sent by a data user; a secure channel module configured to establish a secure channel of communication with the data consumer; and the data response module is configured to return the encrypted file and the key S corresponding to the image data application to a data user according to the secure channel.
In a third aspect of the embodiments of the present invention, an image data processing device based on a hardware security isolation area is provided, where an Intel SGX security module is installed, and the image data processing device at least includes: a processor comprising a secure isolation region; a memory in which a computer program operable in the secure enclave is stored, the processor when executing the computer program implementing the steps of the method according to any one of the first aspect.
The beneficial effects of the invention are as follows: based on the provided hardware security isolation area, matrix data A of an image to be processed is obtained; a key S is then generated from a randomly generated matrix B; the matrix A is permuted according to the bit number of the key S to obtain a first encrypted matrix A1; the matrix A1 is operated on with the matrix B to obtain a second encrypted matrix E; finally, the matrix A1 is encrypted again by using a symmetric encryption algorithm and the key S to obtain an encrypted file of the image to be processed. Through this multiple data encryption processing, the encryption security of the image data is realized, and the encrypted file is not easy to attack.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a schematic diagram of an SGX module in the prior art.
SGX stands for Software Guard Extensions, also called Intel SGX. It is a new extension of the Intel architecture that adds a new set of instructions and memory access mechanisms to the original architecture. These extensions allow an application to implement a container called an enclave, which partitions off a protected hardware security isolation area (i.e., trusted execution area) in the address space of the application, so as to provide confidentiality and integrity protection for the code and data in the container against damage by malicious software with special privileges.
Taking an application as an example, as shown in fig. 1, the application is composed of trusted code and untrusted code. When the application runs, it creates the enclave, which is placed in the trusted execution area; when a trusted function is called, execution switches into the enclave; the enclave can access all process data, while access to the enclave data from outside is prohibited; the trusted function returns enclave data.
Referring to fig. 2, a flowchart of an image data processing method based on a hardware security isolation area provided in an embodiment of the present invention is shown.
In conjunction with fig. 1, the method provided by this embodiment may be applied to the trusted execution area or the untrusted execution area shown in fig. 1, and for example, a computer program capable of implementing the scheme provided by this embodiment may be run in the trusted execution area.
As shown in fig. 2, the image data processing method based on the hardware security isolation area may include the following steps S210 to S270:
S210: an m × n × 3-dimensional matrix A read for the image to be processed in the untrusted execution area is acquired.
The image to be processed may be in a static image format or a dynamic image format. When the image to be processed is in a static image format, it may be in commonly used image formats such as .jpg, .png, .bmp, and the like; when it is in a dynamic image format, it may be in commonly used formats such as .mp4, .mpg, .avi, etc. This example does not limit the specific format of the image to be processed.
For example, for a static image format, the image to be processed may be read as a three-dimensional matrix in an RGB format, for example, an m × n × 3-dimensional matrix, by an image preprocessing program in the untrusted execution area.
For example, for a dynamic image format, the image to be processed may be first split into frame images in an untrusted execution area by an image preprocessing program, and then each frame image is read as a three-dimensional matrix in an RGB format according to a method in a static image format.
Referring to fig. 3, a flowchart for reading the image to be processed in the untrusted execution area in step S210 shown in fig. 2 is shown.
Referring to fig. 3, reading the to-be-processed image in the untrusted execution area specifically includes steps S310 to S340:
S310: acquiring an image to be processed;
S320: identifying the file format of the image to be processed;
S330: when the image to be processed is in a static image format, reading the image to be processed into a three-dimensional matrix in an RGB format;
S340: when the image to be processed is in a dynamic image format, reading the maximum frame number of the image to be processed, selecting the images with all/part of the frame number to read the images into a three-dimensional matrix in an RGB format, and packing the three-dimensional matrix in the RGB format corresponding to each frame of image according to the sequence number.
In the above example, by preprocessing the image to be processed in the untrusted execution area, on one hand, the efficiency of data processing is improved, and on the other hand, the difficulty in implementing the program for processing the image to be processed in the trusted execution area is also reduced. The three-dimensional matrix in the RGB format is the m × n × 3-dimensional matrix A.
S220: according to the matrix generator, an m × n dimensional matrix B is randomly generated.
Specifically, the matrix B is a two-dimensional matrix, and, as can be seen from the matrix A, the number of rows and columns of the randomly generated matrix B is identical to that of the matrix A.
S230: the m × n dimensional matrix B is compressed to obtain a key S.
Specifically, since the matrix B has randomness, the key S generated by compressing is random, so that the key S has high encryption performance.
For example, the method for compressing the m × n dimensional matrix B may include: allocating only one storage space to multiple elements with the same value, allocating no space to zero elements, and storing the matrix with a cross linked list. For example, fig. 4 is a schematic diagram of implementing matrix compression by using cross-linked list storage. Assuming that a matrix M represents the m × n dimensional matrix B and the key is obtained by using cross-linked list storage, as shown in fig. 4, when the matrix M is stored with a cross linked list, each row and each column of the matrix is stored in its own linked list, the headers of all row linked lists are stored in one array (M · read), and the headers of all column linked lists are stored in another array (M · read). Since cross-linked list storage is prior art, it is not described here in detail.
S240: the bit number of the key S is determined, the first x bits of the key S are selected as the round number, and permutation processing is performed on the matrix A according to the round number to obtain a matrix A1.
Specifically, x may be a positive integer greater than or equal to 1 and smaller than the bit number of the key S. The bit number is counted in binary; for example, if the key S in binary is "010010110101010011", its bit number is 18. If x is 3, the first 3 bits of the key S are "011". In addition, the number of rounds of matrix permutation is expressed in decimal, so the first 3 bits of the key S need to be converted to a decimal value; in the foregoing example, the number of rounds represented by the first 3 bits "011" of the key S is 3.
It should be understood that the first 4 bits, or more than 4 bits, of the key S can also be selected as the round number. The difference between choices is that the larger the number of bits, the larger the range of supported round numbers; in binary representation, the maximum for three bits is 7. The larger the number of bits, the higher the number of supported rounds and the higher the security, but the greater the performance loss. The number of bits can therefore be chosen according to actual conditions.
The method for permuting the matrix A in step S240 is described in detail below.
Illustratively, referring to fig. 5, a flowchart of step S240 shown in fig. 2 in one embodiment is shown.
As shown in fig. 5, the step S240 may specifically include the following steps S510 to S540:
S510: determining the bit number of the key S in binary;
S520: extracting the first 3 bits and converting them into a numerical value a represented in decimal;
S530: moving the first element in the matrix A to the position of the 2nd element, and likewise moving the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n), and m and n are positive integers;
S540: executing the permutation a times in succession, with the numerical value a as the number of rounds, and outputting a matrix A1.
As can be seen from the above, in this example, by permuting the matrix A, the matrix data corresponding to the image to be processed can be initially scrambled in preparation for the subsequent data encryption processing.
S250: a matrix dot product operation is performed on the matrix A1 by using the matrix B to obtain an encrypted matrix E.
Specifically, since the matrix B and the matrix A have the same number of rows and columns, and the permutation processing performed on the matrix A in the above steps does not change the number of rows and columns, the matrix A1 and the matrix B also have the same number of rows and columns. The matrix dot product operation can therefore be applied to obtain the once-encrypted matrix E.
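Steps S240 (S510 to S540) and S250 with their inverses, as an added example that is not code from this document; step S260 is left out because the text does not say how S is mapped to a cipher key. Assumptions: each RGB pixel is one element, elements are ordered row by row, the "matrix dot product" is element-wise multiplication (as the same-shape argument above suggests), and B is drawn from 1..255; all function names and sample values are constructed for illustration.

```python
"""Added illustration of steps S240-S250 and their inverse; all names are assumed."""
import secrets


def round_count(key_bits: str, x: int) -> int:
    """S510-S520: interpret the first x bits of key S as the decimal value a."""
    if set(key_bits) - {"0", "1"}:
        raise ValueError("key S must be given as a binary string")
    if not 1 <= x < len(key_bits):
        raise ValueError("x must be >= 1 and smaller than the bit number of S")
    return int(key_bits[:x], 2)


def _flatten(M):
    return [px for row in M for px in row]


def _reshape(flat, n):
    return [flat[i:i + n] for i in range(0, len(flat), n)]


def permute(A, a):
    """S530-S540: run the one-position shift a times (row-major order assumed)."""
    flat = _flatten(A)
    for _ in range(a):
        flat = flat[-1:] + flat[:-1]  # element i -> i+1, last element -> first
    return _reshape(flat, len(A[0]))


def rotate(A, k):
    """Closed form of permute(): one cyclic shift by k mod (m*n); k may be < 0."""
    flat = _flatten(A)
    k %= len(flat)
    return _reshape(flat[len(flat) - k:] + flat[:len(flat) - k], len(A[0]))


def random_mask(m, n):
    """S220 stand-in: random m x n matrix B with entries 1..255 (assumed range)."""
    return [[secrets.randbelow(255) + 1 for _ in range(n)] for _ in range(m)]


def _check_shape(M, B):
    if len(M) != len(B) or any(len(r) != len(b) for r, b in zip(M, B)):
        raise ValueError("matrix B must have the same rows and columns as A")


def mask(A1, B):
    """S250: element-wise product; B[r][c] scales all three channels of a pixel."""
    _check_shape(A1, B)
    return [[tuple(ch * b for ch in px) for px, b in zip(row, brow)]
            for row, brow in zip(A1, B)]


def unmask(E, B):
    """Inverse of mask(); not possible wherever B holds a zero."""
    _check_shape(E, B)
    if any(b == 0 for brow in B for b in brow):
        raise ValueError("B contains 0: the product there cannot be inverted")
    return [[tuple(ch // b for ch in px) for px, b in zip(row, brow)]
            for row, brow in zip(E, B)]


def scramble(A, B, key_bits, x=3):
    """A -> A1 (S240) -> E (S250)."""
    return mask(permute(A, round_count(key_bits, x)), B)


def unscramble(E, B, key_bits, x=3):
    """E -> A1 -> A, undoing S250 and then S240."""
    return rotate(unmask(E, B), -round_count(key_bits, x))


# Constructed sample data: a 2 x 3 "image" and a key whose first 3 bits are "011".
SAMPLE_A = [[(10, 20, 30), (40, 50, 60), (70, 80, 90)],
            [(1, 2, 3), (4, 5, 6), (7, 8, 9)]]
SAMPLE_KEY_BITS = "0110100111"

if __name__ == "__main__":
    B = random_mask(2, 3)
    E = scramble(SAMPLE_A, B, SAMPLE_KEY_BITS)
    print("rounds:", round_count(SAMPLE_KEY_BITS, 3))
    print("round trip ok:", unscramble(E, B, SAMPLE_KEY_BITS) == SAMPLE_A)
```

Because a rounds of the one-position shift equal a single cyclic shift by a mod (m × n), x = 3 yields at most 8 distinct arrangements of A, and recovery of A fails at any position where B holds a zero.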
S260: according to a symmetric encryption algorithm, the matrix E is encrypted by using the key S as a key to generate an encrypted file of the image to be processed.
The symmetric encryption algorithm based on the symmetric key may include DES, 3DES (triple DES), AES, RC2, RC4, RC5, Blowfish, and the like. Illustratively, an AES encryption algorithm may be employed. The matrix E obtained by the primary encryption is encrypted for the second time by using an encryption algorithm, so that the security of data encryption is improved.
S270: the encrypted file is output.
In some embodiments, after the method shown in fig. 2, the following steps may be further included: adding the key S to a key management system; and establishing the association relation between the key S and the encrypted file. Here the key S is saved and associated with the encrypted file. Since the encrypted file is encrypted based on a symmetric encryption algorithm, the key S is needed for the subsequent decryption of the encrypted file; managing the key S and associating it with the encrypted file allows the encrypted file to be used later.
Further, based on the Intel SGX security module shown in fig. 1, after the image to be processed has been processed to obtain the encrypted file, the question arises of how to use the encrypted file when the image data is needed. The method for using the encrypted file is briefly described below.
For example, it is assumed that the party generating the above-described encrypted file is the data provider and the party using the encrypted file is the data user, and that both are data processing devices, such as computers and the like. It should be understood that since the encrypted file is generated in the environment of the Intel SGX security module, the data reading operation device (i.e., the data user) also needs to be equipped with the Intel SGX security module. In addition, the device where the data user is located also needs to be provided with an encryption and decryption program and an image processing basic algorithm program which can run in an Intel SGX environment; in order to ensure the security of data transmission, a feasible computing environment authorization authentication channel is also required to be established between the two parties during communication.
Referring to fig. 6, a flow chart illustrating a use of an encrypted file by a data consumer provided in an embodiment of the invention is shown.
As shown in fig. 6, after the encrypted file is output by the method shown in fig. 2, the following steps S610 to S630 may be further included:
S610: receiving an image data application sent by a data user;
S620: establishing a secure channel of communication with the data consumer;
S630: according to the secure channel, returning the encrypted file and the key S corresponding to the image data application to the data user.
The secure channel may be established by an encryption algorithm, for example an asymmetric encryption algorithm. For example, establishing a secure channel for communication with the data consumer may specifically include the steps of: generating a session key, and performing mutual authentication by using a public key encryption algorithm to share the session key, thereby establishing a secure channel for communication with the requester.
Further, for the data consumer, after receiving the encrypted file, the encrypted file may be imported into the trusted execution area. Then, the image data encryption program (such as the above-mentioned symmetric encryption algorithm and asymmetric encryption algorithm) can be used to read the key S to obtain authorization, and the image is decrypted in the isolated area (i.e. trusted execution area) to obtain the original matrix A. Further, the program in the trusted execution area provides the implementation of the basic image preprocessing algorithms (i.e. the above-mentioned image processing basic algorithm program), including image binarization, image blurring, edge detection, and the like. The data user finally obtains the processed image data. It should be noted that this application does not limit the program of the data user in the trusted execution area.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Referring to fig. 7, a schematic diagram of an image data processing apparatus based on a hardware security isolation region provided in an embodiment of the present invention is shown.
As shown in fig. 7, the image data processing apparatus specifically includes: a data acquisition module 710 configured to acquire an m × n × 3-dimensional matrix A read for the image to be processed in the untrusted execution area; a matrix generation module 720 configured to randomly generate an m × n dimensional matrix B according to the matrix generator; a key generation module 730 configured to perform compression processing on the m × n dimensional matrix B to obtain a key S; a matrix permutation module 740 configured to determine the bit number of the key S, select the first 3 bits of the key S as a round number, and perform permutation processing on the matrix A according to the round number to obtain a matrix A1; a matrix operation module 750 configured to perform a matrix dot product operation on the matrix A1 by using the matrix B to obtain an encrypted matrix E; a data encryption module 760 configured to encrypt the matrix E with the key S as a key according to a symmetric encryption algorithm, so as to generate an encrypted file of the image to be processed; and a data output module 770 configured to output the encrypted file.
In some embodiments, the system further comprises a module arranged in the untrusted execution area for reading the image to be processed, the module comprising: an image acquisition module configured to acquire an image to be processed; an image format recognition module configured to recognize a file format of the image to be processed: the first image conversion module is configured to read the image to be processed into a three-dimensional matrix in an RGB format when the image to be processed is in a static image format; and the second image conversion module is configured to read the maximum frame number of the image to be processed when the image to be processed is in a dynamic image format, select images with all/part of the frame number to read as a three-dimensional matrix in an RGB format, and pack the three-dimensional matrix in the RGB format corresponding to each frame of image according to the sequence number.
In some embodiments, the matrix permutation module specifically includes: a bit number unit configured to determine the bit number of the key S in binary; a round number determination unit configured to extract the first 3 bits and convert them into a numerical value a represented in decimal; a single permutation unit configured to move the first element in the matrix A to the position of the 2nd element, and likewise move the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n), and m and n are positive integers; and a cyclic permutation unit configured to execute the permutation a times in succession, with the numerical value a as the number of rounds, and output a matrix A1.
In some embodiments, further comprising: a key saving module configured to add the key S to a key management system; a key association module configured to establish an association relationship between the key S and the encrypted file.
In some embodiments, further comprising: the application receiving module is configured to receive an image data application sent by a data user; a secure channel module configured to establish a secure channel of communication with the data consumer; and the data response module is configured to return the encrypted file and the key S corresponding to the image data application to a data user according to the secure channel.
In addition, referring to fig. 1, in some embodiments, in order to better apply the method shown in fig. 2, an apparatus may be further provided, where the apparatus is equipped with an Intel SGX security module, and the apparatus at least includes: a processor comprising a secure isolation region; a memory having stored therein a computer program operable in the secure enclave, the processor when executing the computer program implementing the steps of the method as shown in any of the schemes of fig. 2-5.
In particular, the device includes any type of electronic device, such as a computer, a tablet, a server, etc.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.