CN112100638A - Image data processing method, device and equipment based on hardware security isolation area - Google Patents


Publication number
CN112100638A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011206590.5A
Other languages
Chinese (zh)
Other versions
CN112100638B (en)
Inventor
朱静熹
李朋林
江何
张春林
李利军
王庆丰
常江波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dongfang tongwangxin Technology Co.,Ltd.
BEIJING TESTOR TECHNOLOGY Co.,Ltd.
SHANGHAI TONGTAI INFORMATION TECHNOLOGY Co.,Ltd.
Original Assignee
Beijing Testor Technology Co ltd
Shanghai Tongtai Information Technology Co ltd
Beijing Microvision Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention applies to the technical field of image data encryption processing and provides an image data processing method and device based on a hardware security isolation area. Based on the provided hardware security isolation area, the method obtains matrix data A of an image to be processed, generates a key S from a randomly generated matrix B, permutes the matrix A according to the bit number of the key S to obtain a matrix A1 after primary encryption, operates on the matrix A1 with the matrix B to obtain a matrix E after secondary encryption, and finally encrypts the matrix A1 again using a symmetric encryption algorithm and the key S to obtain an encrypted file of the image to be processed. Through this multiple data encryption processing, the invention secures the encryption of the image data, and the encrypted file is not easy to attack.

Description

Image data processing method, device and equipment based on hardware security isolation area
Technical Field
The invention belongs to the technical field of image data encryption processing, and particularly relates to an image data processing method, device and equipment based on a hardware security isolation area.
Background
Image data is an essential raw material for the development of artificial intelligence in the field of image recognition, so the security of image data has been a technical focus in this field. In practical applications, the security of image data used internally need not be considered, but if the image data needs to be transmitted, the security of the data is very important. With the development of hardware technology, hardware modules capable of ensuring data security, such as Intel's SGX module, have appeared. The prior art offers neither a secure encryption method for image data nor a method for processing image data on SGX.
Disclosure of Invention
In view of this, embodiments of the present invention provide an image data processing method, an apparatus, and a device based on a hardware security isolation area, so as to solve the prior-art problem of how to encrypt image data under a security hardware module.
In a first aspect of the embodiments of the present invention, an image data processing method based on a hardware security isolation region is provided, which includes: acquiring an m × n × 3 dimensional matrix A read from an image to be processed in an untrusted execution area; randomly generating an m × n dimensional matrix B according to a matrix generator; compressing the m × n dimensional matrix B to obtain a key S; determining the bit number of the key S, selecting the first x bits of the key S as a round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1; performing a matrix dot product operation on the matrix A1 using the matrix B to obtain an encrypted matrix E; according to a symmetric encryption algorithm, encrypting the matrix E using the key S as a key to generate an encrypted file of the image to be processed; and outputting the encrypted file.
In some alternatives, reading the image to be processed in the untrusted execution area specifically includes: acquiring an image to be processed; identifying the file format of the image to be processed; when the image to be processed is in a static image format, reading the image to be processed into a three-dimensional matrix in an RGB format; when the image to be processed is in a dynamic image format, reading the maximum frame number of the image to be processed, selecting all or part of the frames and reading each into a three-dimensional matrix in an RGB format, and packing the three-dimensional matrices in the RGB format corresponding to the frames according to their sequence numbers.
In some alternatives, determining the bit number of the key S, selecting the first x bits of the key S as a round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1 specifically includes: determining the bit number of the key S in binary; extracting the first x bits of the bit number and converting them into a numerical value a represented in decimal; moving the first element in the matrix A to the position of the 2nd element, and likewise moving the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n) and m and n are positive integers; and executing the permutation a times in succession, with the numerical value a as the number of rounds, and outputting the resulting matrix A1.
In some alternatives, after outputting the encrypted file, further comprising: adding the key S to a key management system; and establishing an association relation between the secret key S and the encrypted file.
In some alternatives, further comprising: receiving an image data application sent by a data user; establishing a secure channel of communication with the data consumer; and according to the secure channel, returning the encrypted file and the key S corresponding to the image data application to a data user.
In a second aspect of the embodiments of the present invention, an image data processing apparatus based on a hardware security isolation region is provided, which includes: a data acquisition module configured to acquire an m × n × 3 dimensional matrix A read for the image to be processed in the untrusted execution area; a matrix generation module configured to randomly generate an m × n dimensional matrix B according to the matrix generator; a key generation module configured to perform compression processing on the m × n dimensional matrix B to obtain a key S; a matrix permutation module configured to determine the bit number of the key S, select the first x bits of the key S as a round number, and perform permutation processing on the matrix A according to the round number to obtain a matrix A1; a matrix operation module configured to perform a matrix dot product operation on the matrix A1 using the matrix B to obtain an encrypted matrix E; a data encryption module configured to encrypt the matrix E using the key S as a key according to a symmetric encryption algorithm to generate an encrypted file of the image to be processed; and a data output module configured to output the encrypted file.
In some alternatives, the system further comprises a module arranged in the untrusted execution area for reading the image to be processed, wherein the module comprises: an image acquisition module configured to acquire an image to be processed; an image format recognition module configured to recognize a file format of the image to be processed; a first image conversion module configured to read the image to be processed into a three-dimensional matrix in an RGB format when the image to be processed is in a static image format; and a second image conversion module configured to read the maximum frame number of the image to be processed when the image to be processed is in a dynamic image format, select all or part of the frames and read each as a three-dimensional matrix in an RGB format, and pack the three-dimensional matrices in the RGB format corresponding to the frames according to their sequence numbers.
In some alternatives, the matrix permutation module specifically includes: a bit number unit configured to determine the bit number of the key S in binary; a round number determination unit configured to extract the first x bits of the bit number and convert them into a numerical value a represented in decimal; a single permutation unit configured to move the first element in the matrix A to the position of the 2nd element, and likewise move the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n) and m and n are positive integers; and a cyclic permutation unit configured to execute the permutation a times in succession, with the numerical value a as the number of rounds, and output the resulting matrix A1.
In some alternatives, further comprising: a key saving module configured to add the key S to a key management system; a key association module configured to establish an association relationship between the key S and the encrypted file.
In some alternatives, further comprising: the application receiving module is configured to receive an image data application sent by a data user; a secure channel module configured to establish a secure channel of communication with the data consumer; and the data response module is configured to return the encrypted file and the key S corresponding to the image data application to a data user according to the secure channel.
In a third aspect of the embodiments of the present invention, an image data processing device based on a hardware security isolation area is provided, where an Intel SGX security module is installed, and the image data processing device at least includes: a processor comprising a secure isolation region; a memory in which a computer program operable in the secure enclave is stored, the processor when executing the computer program implementing the steps of the method according to any one of the first aspect.
The beneficial effects of the invention are as follows: based on the provided hardware security isolation area, matrix data A of an image to be processed is obtained; a key S is then generated from a randomly generated matrix B; the matrix A is permuted according to the bit number of the key S to obtain a first encrypted matrix A1; the matrix A1 is operated on with the matrix B to obtain a second encrypted matrix E; finally the matrix A1 is encrypted again using a symmetric encryption algorithm and the key S to obtain an encrypted file of the image to be processed. Through this multiple data encryption processing, the encryption security of the image data is realized, and the encrypted file is not easy to attack.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed for the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is a schematic diagram of a prior art SGX module;
FIG. 2 is a flow diagram of a method for processing image data based on a hardware security isolation region provided in an embodiment of the invention;
FIG. 3 is a flowchart of the step S210 shown in FIG. 2 for reading the image to be processed in the untrusted execution area;
FIG. 4 is a schematic diagram of matrix compression using cross-linked list storage;
FIG. 5 is a flowchart of step S240 shown in FIG. 2 in one embodiment;
FIG. 6 is a flow diagram of a data consumer using an encrypted file provided in one embodiment of the invention;
FIG. 7 is a schematic diagram of an image data processing apparatus based on a hardware security isolation region according to an embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a schematic diagram of an SGX module in the prior art.
SGX stands for Software Guard Extensions, also called Intel SGX. It is a new extension of the Intel architecture that adds a new set of instructions and memory access mechanisms to the original architecture. These extensions allow an application to implement a container called an enclave, partitioning a protected hardware security isolation area (i.e., the trusted execution area) in the address space of the application, so as to protect the confidentiality and integrity of the code and data in the container against damage by malicious software with special privileges.
Taking an application as an example, as shown in fig. 1, the application is composed of trusted code and untrusted code. When the application runs, it creates an enclave, which is placed in the trusted execution area; when a trusted function is called, execution transfers into the enclave; the enclave can access all process data, while access to the enclave's data from outside is prohibited; the trusted function then returns the enclave data.
Referring to fig. 2, a flowchart of an image data processing method based on a hardware security isolation area provided in an embodiment of the present invention is shown.
In conjunction with fig. 1, the method provided by this embodiment may be applied to the trusted execution area or the untrusted execution area shown in fig. 1, and for example, a computer program capable of implementing the scheme provided by this embodiment may be run in the trusted execution area.
As shown in fig. 2, the image data processing method based on the hardware security isolation area may include the following steps S210 to S270:
S210: acquiring an m × n × 3 dimensional matrix A read for the image to be processed in the untrusted execution area.
The image to be processed may be in a static image format or a dynamic image format. When it is in a static image format, it may be in a commonly used image format such as .jpg, .png or .bmp; when it is in a dynamic image format, it may be in a commonly used format such as .mp4, .mpg or .avi. This example does not limit the specific format of the image to be processed.
For example, for a static image format, the image to be processed may be read as a three-dimensional matrix in an RGB format, for example, an m × n × 3-dimensional matrix, by an image preprocessing program in the untrusted execution area.
For example, for a dynamic image format, the image to be processed may be first split into frame images in an untrusted execution area by an image preprocessing program, and then each frame image is read as a three-dimensional matrix in an RGB format according to a method in a static image format.
Referring to fig. 3, a flowchart for reading the image to be processed in the untrusted execution area in step S210 shown in fig. 2 is shown.
Referring to fig. 3, reading the to-be-processed image in the untrusted execution area specifically includes steps S310 to S340:
S310: acquiring an image to be processed;
S320: identifying the file format of the image to be processed;
S330: when the image to be processed is in a static image format, reading the image to be processed into a three-dimensional matrix in an RGB format;
S340: when the image to be processed is in a dynamic image format, reading the maximum frame number of the image to be processed, selecting all or part of the frames and reading each into a three-dimensional matrix in an RGB format, and packing the three-dimensional matrices in the RGB format corresponding to the frames according to their sequence numbers.
In the above example, preprocessing the image to be processed in the untrusted execution area improves the efficiency of data processing on the one hand and, on the other hand, reduces the difficulty of implementing the program that processes the image in the trusted execution area. The three-dimensional matrix in the RGB format is the m × n × 3 dimensional matrix A.
S220: randomly generating an m × n dimensional matrix B according to the matrix generator.
Specifically, the matrix B is a two-dimensional matrix, and, as can be seen from the matrix A, the randomly generated matrix B has the same number of rows and columns as the matrix A.
S230: compressing the m × n dimensional matrix B to obtain a key S.
Specifically, since the matrix B is random, the key S generated by compressing it is also random, so the key S has high encryption performance.
For example, the method for compressing the m × n dimensional matrix B may include: allocating only one storage space to multiple elements with the same value, allocating no space to zero elements, and storing the matrix in a cross-linked list. Fig. 4 shows a schematic diagram of matrix compression using cross-linked list storage. Assume a matrix M that represents the m × n dimensional matrix B, from which a key is obtained using cross-linked list storage. As shown in fig. 4, when the matrix M is stored in a cross-linked list, each row and each column of the matrix is stored in its own linked list, the headers of all row linked lists are stored in one array (M · read), and the headers of all column linked lists are stored in another array (M · read). Since cross-linked list storage is prior art, it is not described here in detail.
S240: determining the bit number of the key S, selecting the first x bits of the key S as the round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1.
Specifically, x may be a positive integer greater than or equal to 1 and smaller than the bit number of the key S. The bit number is counted in binary; for example, if the key S is "010010110101010011", the bit number is 18. With x equal to 3, the first 3 bits of the key S are "011". In addition, the number of rounds of matrix permutation is expressed in decimal, so the first 3 bits of the key S need to be read as a decimal value; in the foregoing example, the number of rounds represented by the first 3 bits "011" of the key S is 3.
It should be understood that the first 4 bits, or more than 4 bits, of the key S can also be selected as the round number. Different bit counts differ in the round numbers they can determine: the larger the bit count, the larger the range of supported round numbers (in binary representation, the maximum for three bits is 7). The larger the bit count, the higher the number of supported rounds and the higher the security, but the greater the performance loss. How many bits to select can therefore be decided according to actual conditions.
The method for permuting the matrix a in the step S240 will be described in detail below.
Illustratively, referring to fig. 5, a flowchart of step S240 shown in fig. 2 in one embodiment is shown.
As shown in fig. 5, the step S240 may specifically include the following steps S510 to S540:
S510: determining the bit number of the key S in binary;
S520: extracting the first 3 bits of the bit number and converting them into a numerical value a represented in decimal;
S530: moving the first element in the matrix A to the position of the 2nd element, and likewise moving the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n) and m and n are positive integers;
S540: executing the permutation a times in succession, with the numerical value a as the number of rounds, and outputting the resulting matrix A1.
As can be seen from the above, in this example, permuting the matrix A initially scrambles the matrix data corresponding to the image to be processed, in preparation for the subsequent data encryption processing.
S250: performing a matrix dot product operation on the matrix A1 using the matrix B to obtain an encrypted matrix E.
Specifically, the matrix B and the matrix A have the same number of rows and columns, and the permutation processing that produces A1 from the matrix A in the above steps does not change the number of rows and columns, so A1 and the matrix B have the same number of rows and columns. The once-encrypted matrix E can therefore be obtained by a matrix dot product operation.
S260: according to a symmetric encryption algorithm, encrypting the matrix E using the key S as a key to generate an encrypted file of the image to be processed.
The symmetric encryption algorithm based on the symmetric key may include DES, 3DES (triple DES), AES, RC2, RC4, RC5, Blowfish, and the like. Illustratively, an AES encryption algorithm may be employed. The matrix E obtained by the primary encryption is encrypted a second time using an encryption algorithm, so that the security of data encryption is improved.
S270: outputting the encrypted file.
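Steps S240 and S250 and their inverse, as an added Python example that is not code from the patent. It assumes that the m × n elements being permuted are the RGB pixels in row-major order, that the "matrix dot product" is an element-wise product of each pixel with the matching entry of B, and that B holds integers from 1 to 255 (a zero entry would make that pixel unrecoverable); key compression (S230) and the symmetric cipher (S260) are left out, and the key bit string, image and B are constructed sample values.

```python
import secrets


def round_count(key_bits, x=3):
    """S510-S520: read the first x bits of key S as the decimal round count a."""
    if not key_bits or any(c not in "01" for c in key_bits):
        raise ValueError("key S must be a non-empty binary string")
    if not 1 <= x < len(key_bits):
        raise ValueError("x must satisfy 1 <= x < bit length of S")
    return int(key_bits[:x], 2)


def rotate(elements, rounds):
    """S530-S540: one round moves element i to position i+1 and the last
    element to position 1, so `rounds` rounds equal a right rotation by
    rounds mod len(elements). A negative count rotates left (the inverse).
    A round count of 0 leaves the order unchanged."""
    if not elements:
        return []
    k = rounds % len(elements)
    return list(elements[-k:] + elements[:-k]) if k else list(elements)


def generate_b(m, n):
    """S220 with an assumed value range: random m x n matrix, entries 1..255."""
    return [[secrets.randbelow(255) + 1 for _ in range(n)] for _ in range(m)]


def _flatten(matrix):
    # Row-major order (assumption: the patent does not fix the element order).
    return [cell for row in matrix for cell in row]


def _reshape(flat, n):
    return [flat[i:i + n] for i in range(0, len(flat), n)]


def encrypt_matrix(a, b, key_bits, x=3):
    """S240 + S250: permute the pixels of A into A1, then scale by B to get E."""
    if not a or not a[0]:
        raise ValueError("matrix A must not be empty")
    pixels, factors = _flatten(a), _flatten(b)
    if len(pixels) != len(factors):
        raise ValueError("A and B must have the same number of rows and columns")
    a1 = rotate(pixels, round_count(key_bits, x))
    e = [tuple(c * k for c in px) for px, k in zip(a1, factors)]
    return _reshape(e, len(a[0]))


def decrypt_matrix(e, b, key_bits, x=3):
    """Inverse of S250 then S240: divide E by B, then rotate back to A."""
    if not e or not e[0]:
        raise ValueError("matrix E must not be empty")
    cells, factors = _flatten(e), _flatten(b)
    if len(cells) != len(factors):
        raise ValueError("E and B must have the same number of rows and columns")
    if 0 in factors:
        # c * 0 == 0 for every c, so the original pixel cannot be recovered.
        raise ValueError("matrix B contains a zero entry; E is not invertible")
    a1 = [tuple(c // k for c in px) for px, k in zip(cells, factors)]
    return _reshape(rotate(a1, -round_count(key_bits, x)), len(e[0]))


# Constructed sample data: a 2 x 3 RGB image, a fixed B and a key bit string
# whose first 3 bits are "011" (3 rounds).
SAMPLE_A = [
    [(10, 20, 30), (40, 50, 60), (70, 80, 90)],
    [(100, 110, 120), (130, 140, 150), (160, 170, 180)],
]
SAMPLE_B = [[2, 3, 5], [7, 11, 13]]
SAMPLE_KEY_BITS = "011010110101010011"

if __name__ == "__main__":
    e = encrypt_matrix(SAMPLE_A, SAMPLE_B, SAMPLE_KEY_BITS)
    print("rounds:", round_count(SAMPLE_KEY_BITS))
    print("E:", e)
    print("round trip ok:", decrypt_matrix(e, SAMPLE_B, SAMPLE_KEY_BITS) == SAMPLE_A)
```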
In some embodiments, after the method shown in fig. 2, the following steps may be further included: adding the key S to a key management system; and establishing the association relation between the key S and the encrypted file. Here the key S is saved and associated with the encrypted file. Since the encrypted file is encrypted with a symmetric encryption algorithm and the key S is needed for the subsequent decryption of the encrypted file, the key S is managed and associated with the encrypted file so that the encrypted file can be used later.
Further, based on the Intel SGX security module shown in fig. 1, after the image to be processed is processed to obtain the encrypted file, when the image data needs to be used, the problem of how to use the encrypted file is involved, and the following may briefly describe the method for using the encrypted file.
For example, assume that the party that generates the above-described encrypted file is the data provider and the party that uses the encrypted file is the data consumer, and that both are data processing devices, such as computers. It should be understood that since the encrypted file is generated in the environment of the Intel SGX security module, the device that reads the data (i.e., the data user) also needs to be equipped with the Intel SGX security module. In addition, the device where the data user is located also needs to be provided with an encryption and decryption program and an image processing basic algorithm program that can run in an Intel SGX environment. To ensure the security of data transmission, a feasible computing environment authorization authentication channel also needs to be established between the two parties during communication.
Referring to fig. 6, a flow chart illustrating a use of an encrypted file by a data consumer provided in an embodiment of the invention is shown.
As shown in fig. 6, after the encrypted file is output by the method shown in fig. 2, the following steps S610 to S630 may be further included:
S610: receiving an image data application sent by a data user;
S620: establishing a secure channel of communication with the data consumer;
S630: according to the secure channel, returning the encrypted file and the key S corresponding to the image data application to the data user.
Establishing the secure channel may be performed by an encryption algorithm, for example an asymmetric encryption algorithm. For example, establishing a secure channel for communication with the data consumer may specifically include the steps of: generating a session key, and performing mutual authentication using a public key encryption algorithm to share the session key, thereby establishing a secure channel for communication with the requester.
Further, after receiving the encrypted file, the data consumer may import it into the trusted execution area. The image data encryption program (such as the above-mentioned symmetric encryption algorithm and asymmetric encryption algorithm) can then be used to read the key S to obtain authorization, and the image is decrypted in the isolated area (i.e., the trusted execution area) to obtain the original matrix A. Further, the program in the trusted execution area provides implementations of the basic image preprocessing algorithms (i.e., the above-mentioned image processing basic algorithm program), including image binarization, image blurring, edge detection, and the like. The data user finally obtains the processed image data. It should be noted that the application does not limit the program of the data user in the trusted execution area.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Referring to fig. 7, a schematic diagram of an image data processing apparatus based on a hardware security isolation region provided in an embodiment of the present invention is shown.
As shown in fig. 7, the image data processing apparatus specifically includes: a data acquisition module 710 configured to acquire an m × n × 3 dimensional matrix A read for the image to be processed in the untrusted execution area; a matrix generation module 720 configured to randomly generate an m × n dimensional matrix B according to the matrix generator; a key generation module 730 configured to perform compression processing on the m × n dimensional matrix B to obtain a key S; a matrix permutation module 740 configured to determine the bit number of the key S, select the first 3 bits of the key S as a round number, and perform permutation processing on the matrix A according to the round number to obtain a matrix A1; a matrix operation module 750 configured to perform a matrix dot product operation on the matrix A1 using the matrix B to obtain an encrypted matrix E; a data encryption module 760 configured to encrypt the matrix E with the key S as a key according to a symmetric encryption algorithm, so as to generate an encrypted file of the image to be processed; and a data output module 770 configured to output the encrypted file.
In some embodiments, the system further comprises a module arranged in the untrusted execution area for reading the image to be processed, the module comprising: an image acquisition module configured to acquire an image to be processed; an image format recognition module configured to recognize a file format of the image to be processed; a first image conversion module configured to read the image to be processed into a three-dimensional matrix in an RGB format when the image to be processed is in a static image format; and a second image conversion module configured to read the maximum frame number of the image to be processed when the image to be processed is in a dynamic image format, select all or part of the frames and read each as a three-dimensional matrix in an RGB format, and pack the three-dimensional matrices in the RGB format corresponding to the frames according to their sequence numbers.
In some embodiments, the matrix permutation module specifically includes: a bit number unit configured to determine the bit number of the key S in binary; a round number determination unit configured to extract the first 3 bits of the bit number and convert them into a numerical value a represented in decimal; a single permutation unit configured to move the first element in the matrix A to the position of the 2nd element, and likewise move the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n) and m and n are positive integers; and a cyclic permutation unit configured to execute the permutation a times in succession, with the numerical value a as the number of rounds, and output the resulting matrix A1.
In some embodiments, the apparatus further comprises: a key saving module configured to add the key S to a key management system; and a key association module configured to establish an association relationship between the key S and the encrypted file.
In some embodiments, the apparatus further comprises: an application receiving module configured to receive an image data application sent by a data user; a secure channel module configured to establish a secure communication channel with the data user; and a data response module configured to return the encrypted file and the key S corresponding to the image data application to the data user over the secure channel.
In addition, referring to fig. 1, in some embodiments, in order to better apply the method shown in fig. 2, an apparatus may be further provided, where the apparatus is equipped with an Intel SGX security module, and the apparatus at least includes: a processor comprising a secure isolation region; a memory having stored therein a computer program operable in the secure enclave, the processor when executing the computer program implementing the steps of the method as shown in any of the schemes of fig. 2-5.
In particular, the device includes any type of electronic device, such as a computer, a tablet, a server, etc.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (11)

1. An image data processing method based on a hardware security isolation area is characterized by comprising the following steps:
acquiring an m × n × 3-dimensional matrix A read from an image to be processed in an untrusted execution area;
randomly generating an m × n dimensional matrix B according to a matrix generator;
compressing the m × n dimensional matrix B to obtain a key S;
determining the bit number of the key S, selecting the first x bits of the key S as a round number, and performing permutation processing on the matrix A according to the round number to obtain a matrix A1;
performing matrix dot product operation on the matrix A1 by using a matrix B to obtain an encrypted matrix E;
according to a symmetric encryption algorithm, encrypting the matrix E by using the key S as a key to generate an encrypted file of the image to be processed;
and outputting the encrypted file.
2. The image data processing method based on the hardware security isolation area according to claim 1, wherein reading the image to be processed in the untrusted execution area specifically includes:
acquiring an image to be processed;
identifying the file format of the image to be processed:
when the image to be processed is in a static image format, reading the image to be processed into a three-dimensional matrix in an RGB format;
when the image to be processed is in a dynamic image format, reading the maximum frame number of the image to be processed, selecting all or part of the frames and reading them as three-dimensional matrices in RGB format, and packing the three-dimensional RGB matrix corresponding to each frame according to its sequence number.
3. The image data processing method based on the hardware security isolation area according to claim 1, wherein the determining of the bit number of the key S, the selecting of the first x bits of the key S as a round number, and the performing of permutation processing on the matrix A according to the round number to obtain a matrix A1 specifically includes:
determining the bit number of the key S in binary;
extracting the first x bits of the bit number and converting them into a numerical value a represented in decimal;
moving the first element in the matrix A to the position of the 2nd element, and likewise moving the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, wherein i ∈ (1, m × n), and m and n are positive integers;
and executing the permutation a times in succession, with the numerical value a as the number of rounds, and outputting the resulting matrix A1.
4. The image data processing method based on the hardware security isolation area as claimed in any one of claims 1 to 3, further comprising, after outputting the encrypted file:
adding the key S to a key management system;
and establishing an association relationship between the key S and the encrypted file.
5. The image data processing method based on the hardware security isolation area as claimed in claim 4, further comprising:
receiving an image data application sent by a data user;
establishing a secure communication channel with the data user;
and returning the encrypted file and the key S corresponding to the image data application to the data user over the secure channel.
6. An image data processing apparatus based on a hardware security isolation area, comprising:
a data acquisition module configured to acquire an m × n × 3-dimensional matrix A read from the image to be processed in the untrusted execution area;
a matrix generation module configured to randomly generate an m × n dimensional matrix B according to the matrix generator;
a key generation module configured to perform compression processing on the m × n dimensional matrix B to obtain a key S;
a matrix permutation module configured to determine the bit number of the key S, select the first x bits of the key S as a round number, and perform permutation processing on the matrix A according to the round number to obtain a matrix A1;
a matrix operation module configured to perform a matrix dot product operation on the matrix A1 by using the matrix B to obtain an encrypted matrix E;
a data encryption module configured to encrypt the matrix E by using the key S as a key according to a symmetric encryption algorithm to generate an encrypted file of the image to be processed;
and a data output module configured to output the encrypted file.
7. The image data processing device based on the hardware security isolation area as claimed in claim 6, further comprising a module disposed in the untrusted execution area for reading an image to be processed, the module comprising:
an image acquisition module configured to acquire an image to be processed;
an image format recognition module configured to recognize a file format of the image to be processed;
a first image conversion module configured to read the image to be processed into a three-dimensional matrix in RGB format when the image to be processed is in a static image format;
and a second image conversion module configured to, when the image to be processed is in a dynamic image format, read the maximum frame number of the image to be processed, select all or part of the frames and read them as three-dimensional matrices in RGB format, and pack the three-dimensional RGB matrix corresponding to each frame according to its sequence number.
8. The image data processing device based on the hardware security isolation area according to claim 6, wherein the matrix permutation module specifically includes:
a bit number unit configured to determine the bit number of the key S in binary;
a round number determination unit configured to extract the first x bits of the bit number and convert them into a numerical value a represented in decimal;
a single permutation unit configured to move the first element in the matrix A to the position of the 2nd element, and likewise move the i-th element to the position of the (i + 1)-th element, until the (m × n)-th element moves to the position of the 1st element, completing one permutation, where i ∈ (1, m × n), and m and n are positive integers;
and a cyclic permutation unit configured to execute the permutation a times in succession, with the numerical value a as the number of rounds, and output the resulting matrix A1.
9. The image data processing apparatus based on hardware security isolation area according to any of claims 6 to 8, further comprising:
a key saving module configured to add the key S to a key management system;
and a key association module configured to establish an association relationship between the key S and the encrypted file.
10. The image data processing apparatus based on hardware security isolation area according to claim 9, further comprising:
an application receiving module configured to receive an image data application sent by a data user;
a secure channel module configured to establish a secure communication channel with the data user;
and a data response module configured to return the encrypted file and the key S corresponding to the image data application to the data user over the secure channel.
11. An image data processing device based on a hardware security isolation area is provided with an Intel SGX security module, and is characterized by at least comprising:
a processor comprising a secure isolation region;
a memory in which a computer program operable in the secure isolation region is stored, wherein the computer program, when executed by the processor, carries out the steps of the method according to any one of claims 1 to 5.
CN202011206590.5A 2020-11-03 2020-11-03 Image data processing method, device and equipment based on hardware security isolation area Active CN112100638B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011206590.5A CN112100638B (en) 2020-11-03 2020-11-03 Image data processing method, device and equipment based on hardware security isolation area

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011206590.5A CN112100638B (en) 2020-11-03 2020-11-03 Image data processing method, device and equipment based on hardware security isolation area

Publications (2)

Publication Number Publication Date
CN112100638A true CN112100638A (en) 2020-12-18
CN112100638B CN112100638B (en) 2021-03-09

Family

ID=73784534

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011206590.5A Active CN112100638B (en) 2020-11-03 2020-11-03 Image data processing method, device and equipment based on hardware security isolation area

Country Status (1)

Country Link
CN (1) CN112100638B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112669068A (en) * 2020-12-28 2021-04-16 河南省启研科技评价研究院有限公司 Market research data transmission method and system based on big data
CN112669068B (en) * 2020-12-28 2024-05-14 深圳前海用友力合科技服务有限公司 Market research data transmission method and system based on big data

Also Published As

Publication number Publication date
CN112100638B (en) 2021-03-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 2201, block a, 19th floor, building 1, 2 Zhongguancun South Street, Haidian District, Beijing

Patentee after: Beijing Dongfang tongwangxin Technology Co.,Ltd.

Patentee after: SHANGHAI TONGTAI INFORMATION TECHNOLOGY Co.,Ltd.

Patentee after: BEIJING TESTOR TECHNOLOGY Co.,Ltd.

Address before: 100089 2201, block a, 19th floor, building 1, 2 Zhongguancun South Street, Haidian District, Beijing

Patentee before: BEIJING MICROVISION TECHNOLOGY Co.,Ltd.

Patentee before: SHANGHAI TONGTAI INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: BEIJING TESTOR TECHNOLOGY Co.,Ltd.