CN113391880B - Trusted mirror image transmission method for layered double hash verification - Google Patents


Info

Publication number: CN113391880B
Authority: CN (China)
Prior art keywords: layer, mirror image, container, hash, trusted
Prior art date
Legal status: Active
Application number: CN202110688097.XA
Other languages: Chinese (zh)
Other versions: CN113391880A (en)
Inventors: 于治楼, 李岩, 孙大军, 李婷
Current Assignee: Chaoyue Technology Co Ltd
Original Assignee: Chaoyue Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Chaoyue Technology Co Ltd
Priority to CN202110688097.XA
Publication of CN113391880A
Application granted
Publication of CN113391880B
Legal status: Active (current)
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a trusted image transmission method with layered double hash verification. Each image layer of a container is hashed to obtain a single-layer hash value HashN; the HashN values are merged into an aggregate hash value; the aggregate hash value is hashed again to obtain a static measurement value HashS; HashS is encrypted and transmitted to a trusted image repository; the repository performs a first security verification of each container image layer against its single-layer hash value HashN, performs a second security verification of the decrypted static measurement value HashS, and stores the new container image only if both verifications pass. The trusted image transmission method of the invention effectively addresses the security problem of an image being tampered with while a container image is transmitted: data consistency during transmission is verified, and a reliable data transmission scheme is provided.

Description

Trusted mirror image transmission method for layered double hash verification
Technical Field
The invention belongs to the field of computers, and particularly relates to a trusted image transmission method for layered double hash verification.
Background
As a lightweight virtualization technology, the container has advantages over the virtual machine such as small performance loss and high resource utilization, and has become an important direction for the next stage of cloud computing development. An image is a lightweight, executable, self-contained software package that bundles a software operating environment together with the software developed on it; it contains everything required to run that software, including code, runtime libraries, environment variables and configuration files. The image is the basis of a container. Unlike a virtual machine, a container image uses a union mount technique, so the same container image can run in hundreds of containers.
In practice, images are usually kept in a repository that centrally stores container images for various functions, so that a given image can be pulled quickly when a service needs to be set up. The image that has been built must therefore be saved and sent to the container image repository. During transmission, however, a safe image can be maliciously attacked or replaced, and when the image repository receives it there is no way to verify it against its production context, which is a serious security risk. If a dangerous image is pulled into a large number of containers and run, the harm it causes is enormous.
A verification scheme is therefore needed that provides complete and secure verification of a container during the transfer of its image.
Disclosure of Invention
To solve the above problems, the present invention provides a trusted image transmission method with layered double hash verification, including:
the management node hashes each image layer of the container to obtain a plurality of single-layer hash values, merges the single-layer hash values in a preset order, and hashes the merged aggregate hash value again through a TCM trusted chip to obtain a static measurement value HashS of the container;
the management node generates a static measurement value protection key KeyP through the TCM (Trusted Cryptography Module) chip, and encrypts the static measurement value HashS with KeyP to obtain a static measurement value ciphertext;
the management node sends a storage request to a trusted image repository node, receives a public key from the trusted image repository node, and encrypts KeyP with that public key to obtain a ciphertext of the static measurement value protection key;
the management node sends the container image, the single-layer hash value HashN of each image layer, the static measurement value ciphertext and the ciphertext of the static measurement value protection key to the trusted image repository node;
the trusted image repository decrypts the received ciphertext of the static measurement value protection key with its private key to obtain KeyP, and decrypts the static measurement value ciphertext with the recovered KeyP to obtain the static measurement value HashS;
and the trusted image repository performs image layer data verification and container static measurement value verification on the container according to each layer's single-layer hash value HashN and the static measurement value HashS, and stores the container's image data if the verification passes.
In some embodiments of the invention, performing the image layer data verification of a container comprises:
the trusted image repository looks up each received single-layer hash value HashN in the list of single-layer hash values HashN of the image layer data it already stores;
and in response to a match, skipping the verification of the image layer corresponding to the received HashN and proceeding to the verification of the single-layer hash value HashN of the next image layer.
In some embodiments of the invention, the method further comprises:
in response to no match, the trusted image repository hashes the image layer data of the container corresponding to the single-layer hash value HashN to generate a new single-layer hash value HashN2;
comparing the received single-layer hash value HashN with the newly computed single-layer hash value HashN2;
and in response to the comparison result being consistent, proceeding to the single-layer hash value verification of the next image layer.
In some embodiments of the invention, the method further comprises:
and in response to the comparison result being inconsistent, ending the container image storage and deleting all data of the container.
In some embodiments of the invention, performing the container static measurement value verification comprises:
in response to the image layer verification being complete with a passing result, merging the plurality of single-layer hash values HashN that passed the image layer verification in the preset order, hashing the merged aggregate hash value again through the TCM trusted chip to obtain a new static measurement value HashS2, and comparing the new static measurement value HashS2 with the decrypted static measurement value HashS;
and if the comparison result is consistent, storing those image layers of the container whose single-layer hash value HashN equals HashN2.
In some embodiments of the invention, the method further comprises:
and in response to the comparison result being inconsistent, ending the container image storage and deleting all data of the container.
In some embodiments of the invention, the method further comprises:
after the static measurement value of the container has been verified, invoking the vulnerability scanning program of the trusted image repository to scan the content of the container image, and storing the container image if the scan finds no vulnerability threat;
and if the scan finds a vulnerability, deleting the container image.
In some embodiments of the present invention, the communication mode by which the management node sends the static measurement value ciphertext to the trusted image repository includes:
a digital envelope security mechanism or a secure tunnel approach.
In some embodiments of the invention, merging the plurality of single-layer hash values in the preset order comprises:
splicing the single-layer hash values HashN together in the generation order of the container image layers; or
combining the plurality of single-layer hash values HashN by a parity or logical operation.
In some embodiments of the invention, the method further comprises:
in response to the management node pulling a container image from the trusted image repository node, the trusted image repository node hashes each image layer of the container to obtain a plurality of single-layer hash values HashN, merges the single-layer hash values in the preset order, and hashes the merged aggregate hash value again through its TCM trusted chip to obtain the static measurement value HashS of the container;
the trusted image repository node generates a static measurement value protection key KeyP through the TCM trusted chip, and encrypts the static measurement value HashS with KeyP to obtain a static measurement value ciphertext;
the trusted image repository sends a data transmission request to the management node, receives a public key from the management node, and encrypts KeyP with that public key to obtain a ciphertext of the static measurement value protection key;
the trusted image repository node sends the container image, the single-layer hash value HashN of each image layer, the static measurement value ciphertext and the ciphertext of the static measurement value protection key to the management node;
the management node decrypts the received ciphertext of the static measurement value protection key with its private key to obtain KeyP, and decrypts the static measurement value ciphertext with the recovered KeyP to obtain the static measurement value HashS;
and the management node performs image layer data verification and container static measurement value verification on the container according to each layer's single-layer hash value HashN and the static measurement value HashS, and stores the container's image data if the verification passes.
The trusted image transmission method with layered double hash verification hashes the container image layer by layer to obtain a single-layer hash value for each layer, merges the single-layer hash values of the multiple image layers, hashes the merged aggregate hash value again to obtain the static measurement value of the container, encrypts and sends the static measurement value, and performs a first verification of each container image layer in the trusted image repository to ensure that each layer matches its single-layer hash value; it then performs a second verification of the decrypted static measurement value received by the trusted image repository, to confirm that the container image and its single-layer hash values were not both replaced at the same time. Through this double verification and the isolated, secure hash calculation of the TCM trusted chip, the container image is effectively protected against tampering in transit, including the case where the image and its single-layer hash values are tampered with together.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of one embodiment of the method of the present invention;
FIG. 2 is a diagram of a container mirror data structure in accordance with one embodiment of the method of the present invention;
FIG. 3 is a flow chart of an exemplary embodiment of a method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
As shown in fig. 1, the present invention provides a trusted image transmission method for layered double hash verification, including:
step S100, the management node hashes each image layer of the container to obtain a plurality of single-layer hash values, merges the single-layer hash values in a preset order, and hashes the merged aggregate hash value again through a TCM (Trusted Cryptography Module) chip to obtain a static measurement value HashS of the container;
step S200, the management node generates a static measurement value protection key KeyP through the TCM trusted chip, and encrypts the static measurement value HashS with KeyP to obtain a static measurement value ciphertext;
step S300, the management node sends a storage request to the trusted image repository node, receives a public key from the trusted image repository node, and encrypts KeyP with that public key to obtain a ciphertext of the static measurement value protection key;
step S400, the management node sends the container image, the single-layer hash value HashN of each image layer, the static measurement value ciphertext and the ciphertext of the static measurement value protection key to the trusted image repository node;
step S500, the trusted image repository decrypts the received ciphertext of the static measurement value protection key with its private key to obtain KeyP, and decrypts the static measurement value ciphertext with the recovered KeyP to obtain the static measurement value HashS;
and step S600, the trusted image repository performs image layer data verification and container static measurement value verification on the container according to each layer's single-layer hash value HashN and the static measurement value HashS, and stores the container's image data if the verification passes.
It should be noted that in Docker an image can be regarded as a file system made of a plurality of stacked image layers (implemented with a union file system such as AUFS), and an image layer can itself be understood simply as a basic image.
In this embodiment, before step S100 the management node obtains the content required to run the program according to the specific service requirement, including code, runtime libraries, environment variables and configuration files. Specifically: the required tools, configuration item code and configured environment are installed in a newly created blank container, and the container is committed with the docker commit command to generate a container image.
In step S100, the management node hashes the generated container image to obtain the single-layer hash value HashN of each image layer, where N is the generation order of the layer within the container: each docker commit generates one image layer. As shown in fig. 2, each additional image layer increments the single-layer hash value index N by 1. The management node hashes each layer of the container in turn to obtain the single-layer hash values Hash1, Hash2, ..., HashN of all layers, merges them in a fixed order to obtain the aggregate hash value, and hashes the aggregate hash value again through the TCM trusted chip to obtain the static measurement value HashS of the container.
In step S200, the static measurement value of the container must be encrypted so that it can be sent securely to the trusted image repository. For this purpose the management node generates a set of random numbers through the TCM trusted chip as the static measurement value protection key KeyP. In some embodiments of the present invention, the hash of the static measurement value concatenated with the current time is used as KeyP. The protection key KeyP and the static measurement value HashS are then passed to the TCM trusted chip, which encrypts HashS to produce the static measurement value ciphertext.
In step S300, once the static measurement value ciphertext has been obtained, the protection key KeyP itself must be encrypted for transmission so that the trusted image repository can decrypt later. The management node sends a corresponding request to the trusted image repository to obtain the public key used for encryption, and encrypts KeyP with that public key to obtain the ciphertext of the static measurement value protection key.
In step S400, the management node sends the static measurement value ciphertext, the protection key ciphertext, the single-layer hash values HashN of all image layers of the container, and all image layer data of the container to the trusted image repository.
As shown in fig. 3, in some embodiments of the invention the management node does not send the static measurement value ciphertext, the protection key ciphertext, the single-layer hash values HashN of all image layers and all image layer data to the trusted image repository all at once.
In some embodiments, the management node hashes each image layer of the container to obtain its single-layer hash value HashN and first sends only HashN to the trusted image repository. On receiving it, the repository looks HashN up in the hash value list of its stored container images and, if the same HashN is found, reports this back to the management node; the management node then does not send that image layer's data to the repository, which saves transmission bandwidth.
In step S500, the trusted image repository first decrypts the protection key ciphertext with its private key to obtain the static measurement value protection key KeyP, and then decrypts the static measurement value ciphertext with KeyP to obtain the static measurement value HashS that was generated at the management node.
In step S600, the trusted image repository first checks that the HashN value of each image layer of the container matches the layer's content data. If that check passes, it recomputes the single-layer hash values HashN of all image layers, merges them into a new aggregate hash value, hashes that aggregate again through its TCM trusted chip with the same algorithm the management node used to obtain a new static measurement value HashS2, and checks whether HashS2 equals the decrypted static measurement value HashS computed by the management node. If they agree, the image data of every layer of the container is proven unchanged and the transmission was not tampered with.
In some embodiments of the invention, performing the image layer data verification of the container comprises:
the trusted image repository looks up each received single-layer hash value HashN in the list of single-layer hash values HashN of the image layer data it already stores;
and in response to a match, skipping the verification of the image layer corresponding to the received HashN and proceeding to the verification of the single-layer hash value HashN of the next image layer.
In this embodiment, the trusted image repository looks up each received single-layer hash value HashN in the stored list of single-layer hash values; if HashN is found, that image layer is already stored. This follows from the Docker generation mechanism: many containers undergo exactly the same modification, for example container 1 and container 2 may each install the same piece of software in their next commit while differing in other respects. To avoid redundant storage, the image layer data already held by the trusted image repository is searched by single-layer hash value HashN; if the layer is present, its verification is skipped and the verification of the next layer's single-layer hash value HashN proceeds directly.
In some embodiments of the invention, the method further comprises:
in response to no match, the trusted image repository hashes the image layer data of the container corresponding to the single-layer hash value HashN to generate a new single-layer hash value HashN2;
comparing the received single-layer hash value HashN with the newly computed single-layer hash value HashN2;
and in response to the comparison result being consistent, proceeding to the single-layer hash value verification of the next image layer.
In this embodiment, for an image layer that is not yet stored, the trusted image repository hashes the layer's data content again to obtain the single-layer hash value HashN2 and compares it with the HashN computed at the management node. If the two hashes are the same, the image data file and its hash value remained consistent during transmission; the layer passes verification, and the hash-to-data match check proceeds to the next layer's single-layer hash value HashN+1.
In some embodiments of the invention, the method further comprises:
and in response to the comparison result being inconsistent, ending the container image storage and deleting all data of the container.
In this embodiment, if the single-layer hash value HashN2 recomputed in the trusted image repository differs from the single-layer hash value HashN computed at the management node, that image layer of the container was tampered with or damaged in transit. The storage process for the container is ended immediately and all image data of the container awaiting storage is deleted.
In some embodiments of the invention, performing the container static measurement value verification comprises:
in response to the image layer verification being complete with a passing result, merging the plurality of single-layer hash values HashN that passed the image layer verification in the preset order, hashing the merged aggregate hash value through the TCM trusted chip to obtain a new static measurement value HashS2, and comparing the new static measurement value HashS2 with the decrypted static measurement value HashS;
and if the comparison result is consistent, storing those image layers of the container whose single-layer hash value HashN equals HashN2.
In this embodiment, once the verification of the single-layer hash values HashN of the container image is complete, that is, the image layer verification is complete, every image layer of the container has been shown to match its single-layer hash value HashN. The single-layer hash values are then merged into an aggregate hash value in the same order and in the same manner as at the management node, the aggregate hash value is passed to the TCM trusted chip, which hashes it to obtain a new static measurement value HashS2, and HashS2 is compared with HashS. If the two values are identical the verification passes: the verification of the container image is complete, and the container image and its single-layer hash values HashN were not both replaced during transmission. The data may then be saved.
In addition, after the static measurement value passes verification the container image data can be stored. Only the image layers that have a HashN2 are stored, because the layers already present in the trusted image repository were verified and stored earlier, while the layers not yet stored were hashed again to obtain a new single-layer hash value and can be stored directly. This greatly reduces the time and storage space consumed by the storage process.
In some embodiments, to protect the security of the hash algorithm, an adversary who has learned the hash algorithm is prevented from forging the static measurement value HashS by hashing a new set of single-layer hash values HashN. The algorithm the TCM trusted chip uses to compute HashS is not specified by the management node or the trusted image repository node at calculation time; it is configured in the TCM chip beforehand by selecting a hash algorithm, which the chip then uses for every calculation. The TCM chip receives only the data string (the aggregate hash value) and hashes it with the preset algorithm, optionally adding specific confusion characters, for example splicing the chip's own unique identifier before and after the received aggregate hash value. In that case the TCM chips at the management node and at the trusted image repository node are paired: each stores the unique identifier of the other, and when a static measurement value produced by the peer's chip (at the management node or the repository node) is verified (HashS against HashS2), the peer's identifier is used in the recalculation so that the same-algorithm premise holds. Other preset character identifiers that occur in pairs can be used instead. The chip then outputs the static measurement value HashS after the hash calculation. This forms an independent operating environment with high security.
In some embodiments, when hashing the image layer data of the container to obtain the single-layer hash value HashN, the hash algorithm used must, for security, differ from the hash algorithm used inside the TCM. Because of the large volume of layer data, the layer hashing can be performed in software as needed or accelerated at the hardware level by a physical cryptographic card.
In some embodiments of the invention, the method further comprises:
and in response to the inconsistency of the comparison result, ending the container mirror image storage, and deleting all data of the container.
In this embodiment, if the verification of the static metric value fails, some mirror image layer of the container may have been tampered with or modified during transmission, with its corresponding single-layer hash value HashN modified at the same time, so that the tampering was not found during the first check of the single-layer hash values. Therefore, in this case it is not necessary to determine which layer of the container has been tampered with; it is only necessary to delete all data of the container and terminate the storage process of the container mirror image.
In some embodiments of the invention, the method further comprises:
after the static metric value of the container is verified, calling the vulnerability scanning program of the trusted mirror image warehouse to scan the content of the container mirror image, and storing the container mirror image if the scanning result shows no vulnerability threat;
and deleting the container mirror image if the scanning result shows that a vulnerability exists.
In this embodiment, after the trusted mirror image warehouse has verified the static metric value HashS and before the container data is stored, security detection is performed on the mirror image data of the container to be warehoused with antivirus software or a vulnerability scanning tool, and if the security detection passes, the mirror image data that passed is stored in the trusted mirror image warehouse.
In some embodiments, if security detection finds that some mirror image layers of the container have a vulnerability while others are secure, the secure layers are stored directly in the trusted mirror image warehouse, the mirror image data of the container with the vulnerability is deleted, and information about the container mirror image layer with the security vulnerability is fed back to the management node.
In some embodiments, the mirror image data of the container with the vulnerability is also stored in the trusted mirror image warehouse and marked, so that the user is reminded during use of which vulnerabilities exist and advised on how to maintain or protect against them.
In some embodiments of the present invention, the communication mode in which the management node sends the static metric value ciphertext to the trusted mirror repository includes:
digital envelope security mechanisms or means of secure tunnels.
In this embodiment, to further improve the security of data transmission, when the management node transmits the static metric value ciphertext, the mirror image data of the container, the single-layer hash values HashN and the static metric value protection key ciphertext to the trusted mirror image warehouse, a digital envelope technique or a transmission technique such as a secure channel may be used to ensure the consistency of the data during transmission. Alternatively, depending on network transmission conditions, only the static metric value ciphertext may be transmitted by a digital envelope technique, a secure channel or the like.
In some embodiments of the invention, combining the plurality of single-layer hash values in the predetermined order comprises:
and splicing the corresponding single-layer hash values HashN end to end according to the generation sequence of the container mirror image layers.
In this embodiment, when generating the aggregated hash value, the single-layer hash values of the multiple mirror image layers of the container may be spliced end to end, in the order of the container's mirror image layers, into one longer character string that serves as the aggregated hash value. This splicing mode ensures the uniqueness of the data characteristics of the spliced container mirror image. For containers with many mirror image layers there may be some computational performance cost.
In some embodiments of the invention, merging the plurality of single-layer hash values in the predetermined order further comprises:
and combining the plurality of single-layer hash values HashN by a parity or logical operation.
In this embodiment, for container data with a small number of mirror image layers, when merging into the aggregated hash value, the original single-layer hash values HashN may be converted to binary data and combined by a parity or logical operation (exclusive-or), so as to obtain an aggregated hash value with the same data length as a single-layer hash value HashN.
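The following Python is an added illustration, not the patent's own code: it sketches the two combination modes above (end-to-end splicing and exclusive-or) and the paired-identifier behaviour of the TCM trusted chip described earlier, with a mock chip standing in for the real TCM. The chip identifiers, SHA-256 for HashN and SHA3-256 as the chip's preset algorithm are assumptions made for the example.

```python
import hashlib

# Constructed sample: three container mirror image layers (layer contents as bytes).
SAMPLE_LAYERS = [
    b"layer1: base filesystem",
    b"layer2: runtime libraries",
    b"layer3: application",
]


def single_layer_hashes(layers):
    """HashN for each mirror image layer. SHA-256 is an assumption; the page only
    requires that this algorithm differ from the one preset inside the TCM chip."""
    return [hashlib.sha256(layer).hexdigest() for layer in layers]


def aggregate_by_splicing(hash_list):
    """Mode 1: splice the HashN values end to end in layer generation order."""
    return "".join(hash_list)


def aggregate_by_xor(hash_list):
    """Mode 2: convert each HashN to binary and combine by exclusive-or, giving an
    aggregate of the same length as a single HashN (meant for few-layer images)."""
    width = len(hash_list[0])
    acc = 0
    for h in hash_list:
        if len(h) != width:
            raise ValueError("all single-layer hash values must have equal length")
        acc ^= int(h, 16)
    return format(acc, "0%dx" % width)


class MockTCM:
    """Stand-in for the TCM trusted chip (assumption: the real chip keeps its
    algorithm internal). Its preset algorithm here is SHA3-256 over the aggregate
    with a chip identifier spliced before and after it."""

    def __init__(self, own_id: bytes, peer_id: bytes):
        self.own_id = own_id    # this chip's unique identifier
        self.peer_id = peer_id  # identifier of the paired chip on the opposite node

    @staticmethod
    def _metric(chip_id: bytes, aggregate: str) -> str:
        return hashlib.sha3_256(chip_id + aggregate.encode() + chip_id).hexdigest()

    def generate_static_metric(self, aggregate: str) -> str:
        """Sender side: HashS bound to this chip's own identifier."""
        return self._metric(self.own_id, aggregate)

    def recompute_peer_metric(self, aggregate: str) -> str:
        """Verifier side: recompute HashS2 with the opposite chip's identifier so the
        same-algorithm premise holds when comparing against the received HashS."""
        return self._metric(self.peer_id, aggregate)


def demo() -> bool:
    """Management node generates HashS; the paired warehouse chip reproduces it."""
    hashes = single_layer_hashes(SAMPLE_LAYERS)
    agg = aggregate_by_splicing(hashes)
    mgmt_tcm = MockTCM(own_id=b"TCM-MGMT-0001", peer_id=b"TCM-REPO-0001")
    repo_tcm = MockTCM(own_id=b"TCM-REPO-0001", peer_id=b"TCM-MGMT-0001")
    hash_s = mgmt_tcm.generate_static_metric(agg)
    hash_s2 = repo_tcm.recompute_peer_metric(agg)
    return hash_s == hash_s2


if __name__ == "__main__":
    print(demo())
```

Note that the exclusive-or aggregate is insensitive to layer order and cancels duplicated layers, whereas the spliced aggregate changes when the layer order changes.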
In some embodiments of the invention, the method further comprises:
in response to the fact that the management node pulls a container mirror image from the trusted mirror image warehouse node, the trusted mirror image warehouse node performs hash calculation on a mirror image layer of the container to obtain a plurality of single-layer hash values HashN, the single-layer hash values are combined according to a preset sequence, and the combined aggregate hash value is subjected to hash calculation again through the TCM trusted chip to obtain a static measurement value HashS of the container;
the trusted mirror image warehouse node generates a static metric value protection secret key KeyP through a TCM trusted chip, and encrypts the static metric value HashS by using the static metric value protection secret key KeyP to obtain a static metric value ciphertext;
the trusted mirror image warehouse sends a data transmission request to a management node, receives a public key from the management node, and encrypts the static metric value protection secret key KeyP by using the public key to obtain a ciphertext of the static metric value protection secret key;
the trusted mirror image warehouse node sends the mirror image of the container, the single-layer hash value HashN of each layer of mirror image, the static metric value ciphertext and the ciphertext of the static metric value protection key to the management node;
the management node decrypts the received ciphertext of the static metric value protection key according to a private key to obtain a static metric value protection key KeyP, and decrypts the static metric value ciphertext according to the decrypted static metric value protection key KeyP to obtain the static metric value HashS;
and the management node performs mirror image layer data verification and container static measurement value verification on the container according to the single-layer HashN and the static measurement value HashS of each layer, and stores the mirror image data of the container if the verification is passed.
In this embodiment, when a container mirror image needs to be obtained from the trusted mirror image warehouse node to establish a container that runs a corresponding service, the management node first sends a container pull request to the trusted mirror image warehouse node. After receiving the pull request for the corresponding container, the trusted mirror image warehouse hashes all mirror image layers of that container to obtain the single-layer hash values HashN, splices the single-layer hash values HashN into an aggregated hash value, submits the aggregated hash value to the TCM trusted chip to compute the static metric value HashS, generates the static metric value protection key KeyP through the TCM trusted chip, and encrypts the static metric value HashS with the static metric value protection key to obtain a ciphertext.
The trusted mirror image warehouse node sends a request to the management node to obtain its encryption public key, and after receiving the public key uses it to encrypt the static metric value protection key KeyP and obtain a ciphertext.
The trusted mirror image warehouse node sends the mirror image data of the container to the management node; the data sent mainly comprises the mirror image data of the container's several mirror image layers, the ciphertext of the container's static metric value HashS, the several single-layer hash values HashN of the container, and the ciphertext of the static metric value protection key KeyP. It should be noted that the data is not transmitted all at once but sent immediately as it becomes ready, according to completion and network conditions.
After the management node receives the data, it decrypts the ciphertext of the static metric value protection key KeyP with its private key to obtain KeyP, and decrypts the ciphertext of the static metric value HashS with KeyP to obtain the static metric value HashS. After all mirror image data of the container has been received, each mirror image layer is hashed to obtain the single-layer hash values HashN2, the single-layer hash values HashN2 are spliced into an aggregated hash value, and the aggregated hash value is computed by the TCM trusted chip to obtain the static metric value HashS2.
It is judged whether each recalculated single-layer hash value HashN2 is the same as the corresponding single-layer hash value from the trusted mirror image warehouse node; if any group of hash values does not match, the verification fails, the container content is deleted directly, the pull fails, and the subsequent steps are not executed.
Finally, it is judged whether the recalculated static metric value HashS2 is the same as the decrypted static metric value HashS. If so, the mirror image data of the container has not been tampered with during transmission and is safe, and the management node issues the container mirror image to the specified container platform to run. If not, the container data was modified or damaged during transmission, and the container content is deleted.
In this way the management node pulls the corresponding container mirror image from the trusted mirror image warehouse node. The management node and the trusted mirror image warehouse execute the method described above, with the difference that the identities in the verification process are exchanged: the trusted warehouse node sends the data and the management node performs the verification, so the step of searching for already stored mirror images is omitted.
A preferred embodiment of the present invention is shown in fig. 3, in which:
step S301, the management node 1 starts a container mirror image storage task;
step S302, the management node 1 generates mirror image layer content of a new container mirror image according to a mirror image construction file transmitted by a platform user;
step S303, the management node 1 uses a physical cryptographic card to accelerate the hash operation and generates the hash values Hash1, Hash2, …, HashN of each layer of the new container mirror image from the mirror image layer content generated for the new container mirror image;
step S304, the management node 1 splices the hash values Hash1, Hash2, …, HashN of each layer of the new container mirror image end to end according to the hierarchical sequence of the mirror image to generate an aggregated hash value, sends the aggregated hash value to a TCM (trusted computing module) trusted chip, and performs the hash calculation with a hash algorithm preset by the TCM trusted chip to obtain the static metric value HashS;
step S305, the management node 1 calls the TCM trusted chip to generate a random static metric value protection key KeyP;
step S306, the management node 1 sends a request to the trusted mirror image warehouse node to acquire an encrypted public key, encrypts a static metric value protection key KeyP by using the public key of the mirror image warehouse node, and sends a static metric value protection key ciphertext to the trusted mirror image warehouse 2;
step S307, the management node 1 encrypts the static metric value HashS by using a static metric value protection secret key KeyP, and sends an encrypted static metric value ciphertext to the trusted mirror image warehouse 2;
step S308, the management node 1 sends the single-layer hash value HashN of each layer of the new container mirror image to the trusted mirror image warehouse 2 and receives feedback of the mirror image layer;
step S309, if the management node 1 receives the retrieval result fed back by the trusted mirror image warehouse and the trusted mirror image warehouse does not have the mirror image of the container, the management node sends the mirror image layer data of the container which corresponds to the single-layer hash value HashN and does not exist in the trusted mirror image warehouse to the trusted mirror image warehouse 2;
step S310, after receiving the encrypted static metric value protection key ciphertext, the trusted mirror image warehouse 2 decrypts the encrypted static metric value protection key ciphertext through a private key to obtain a static metric value protection key KeyP;
step S311, the trusted mirror warehouse 2 decrypts the static metric value ciphertext through the decrypted static metric value protection key to obtain a static metric value Hash S;
step S312, the trusted mirror repository 2 performs retrieval according to the received single-layer hash value HashN of each layer of the new container mirror.
step S313, the trusted warehouse node 2 searches whether an item matching HashN exists in the hash value list of the stored container mirror images; if a matching item exists, the mirror image layer N already exists, and step S3131 is executed;
step S3131, the mirror image layer number N+1 is processed next, and the flow jumps to step S312;
step S314, if it is determined in step S313 that the mirrored nth layer data of the new container does not exist, notifying the management node 1 and receiving the mirrored nth layer data of the new container sent from the management node 1;
step S315, after receiving the mirror image data of the nth layer of the new container sent from the management node 1, performing hash calculation on the mirror image data of the nth layer of the new container to obtain a single-layer hash value HashN2 of the mirror image data of the nth layer of the new container;
step S316 compares whether the single-layer hash value HashN of the mirror image data of the nth layer of the new container is the same as the new single-layer hash value HashN2; if the same, execute step S3131; otherwise, executing S320;
step S317, after the mirror image layer measurement of Hash1, Hash2, …, HashN is completed, the corresponding single-layer hash values Hash1, Hash2, …, HashN are recombined by the same splicing method as in step S304 to obtain a new aggregated hash value, and the new aggregated hash value is sent to the TCM trusted chip in the trusted mirror image warehouse 2 for the hash operation to obtain a new static metric value HashS2;
step S318 compares whether the static metric value HashS sent from the management node 1 and decrypted is the same as the new static metric value recalculated in step S317, if the static metric value HashS is the same, step S319 is executed, and if the static metric value HashS is not the same, step S320 is executed to end the procedure of storing the new container image into the trusted image warehouse.
step S319, in response to the successful verification of the static metric value, scanning all mirror image layers of the new container with a vulnerability scanning program, storing the new container in the trusted mirror image warehouse if no security vulnerability exists, and executing step S320;
step S320 ends the storage process of this container image.
It should be noted that the above steps need not be performed strictly in this order; some steps may be performed in parallel to shorten the flow, as long as the next step is not affected.
The invention provides a trusted mirror image storage method with hierarchical storage and double hash verification. The container mirror image is hashed layer by layer to obtain a single-layer hash value for each layer, the single-layer hash values of the multi-layer mirror image are combined, and the combined aggregated hash value is hashed again to obtain the static metric value of the container, which is encrypted and sent. The trusted mirror image warehouse first checks the single-layer hash value HashN of each mirror image layer of the container to ensure that each layer matches its corresponding single-layer hash value; it then performs a second check on the decrypted static metric value HashS it received, to verify that a mirror image layer of the container and its corresponding single-layer hash value have not been replaced at the same time. This double verification effectively prevents the container mirror image from being tampered with, and prevents the container mirror image and its single-layer hash value from being tampered with simultaneously.
The static metric value generated by the hash calculation is computed secretly at the management node by the TCM trusted chip, producing a unique static metric value. Even if, after the single-layer hash values HashN of all mirror image layers of a container have been obtained, a certain layer is modified and its single-layer hash value HashN is modified accordingly, the same static metric value cannot be generated without the TCM trusted chip and its internal hash algorithm, so the consistency check of the data can be completed safely and reliably.
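The following Python is added here and is not the patent's own code: it walks the warehouse side of steps S310 to S320 (layer de-duplication, the first check on HashN, the second check on HashS) over constructed layers, and shows why a layer replaced together with its HashN is still caught. In the pull direction described above the same logic runs with the roles swapped. The digital envelope (KeyP and the public key) is omitted and HashS is assumed to be already decrypted; the hash choices, the TCM stand-in and the vulnerability-scanner hook are assumptions for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def hash_layer(data: bytes) -> str:
    """Single-layer hash HashN (SHA-256 assumed; must differ from the TCM's algorithm)."""
    return hashlib.sha256(data).hexdigest()


def tcm_static_metric(aggregate: str) -> str:
    """Stand-in for the TCM trusted chip's preset, internal algorithm (assumption)."""
    return hashlib.sha3_256(aggregate.encode()).hexdigest()


def management_node_prepare(layers: List[bytes]) -> Tuple[List[str], str]:
    """Steps S303-S304: HashN per layer, splice in layer order, HashS from the TCM.
    Returns what the management node sends (HashS would travel encrypted under KeyP)."""
    hash_list = [hash_layer(layer) for layer in layers]
    return hash_list, tcm_static_metric("".join(hash_list))


class TrustedImageRepo:
    """Warehouse-side double verification with layer de-duplication (S310-S320)."""

    def __init__(self, scan_ok: Callable[[bytes], bool] = lambda _data: True):
        self.layers: Dict[str, bytes] = {}  # stored layer data keyed by HashN (S313 list)
        self.scan_ok = scan_ok              # S319 hook; a real scanner is out of scope

    def store(self, received_hashes: List[str], hash_s: str,
              fetch_layer: Callable[[int], bytes]) -> Tuple[bool, str]:
        """received_hashes: HashN list in layer order; hash_s: decrypted HashS;
        fetch_layer(n): obtains layer n from the management node (S314), called only
        for layers the warehouse does not already hold."""
        new_layers: Dict[str, bytes] = {}
        for n, hash_n in enumerate(received_hashes):
            if hash_n in self.layers:            # S313/S3131: already stored, skip it
                continue
            data = fetch_layer(n)                 # S314
            if hash_layer(data) != hash_n:        # S315-S316: first check (HashN2 vs HashN)
                return False, "layer %d: HashN mismatch (layer data altered)" % n
            new_layers[hash_n] = data
        # S317-S318: second check over the full ordered list, stored layers included
        hash_s2 = tcm_static_metric("".join(received_hashes))
        if hash_s2 != hash_s:
            return False, "HashS mismatch (layer and HashN replaced together)"
        for data in new_layers.values():          # S319: scan before storing
            if not self.scan_ok(data):
                return False, "vulnerability found; image deleted"
        self.layers.update(new_layers)            # S320: store only the new layers
        return True, "stored %d new layer(s)" % len(new_layers)


# Constructed sample layers for the scenarios below.
SAMPLE_LAYERS = [b"layer1: base filesystem", b"layer2: runtime", b"layer3: application"]


def run_scenarios() -> dict:
    """Honest store, de-duplicated second store, altered layer, and forged HashN."""
    results = {}
    hashes, hash_s = management_node_prepare(SAMPLE_LAYERS)

    repo = TrustedImageRepo()
    fetched: List[int] = []

    def fetch(n: int) -> bytes:
        fetched.append(n)
        return SAMPLE_LAYERS[n]

    results["honest"] = repo.store(hashes, hash_s, fetch)[0]
    results["honest_fetched"] = list(fetched)

    # A second image reusing layers 1 and 2: only the new third layer is transferred.
    layers_v2 = SAMPLE_LAYERS[:2] + [b"layer3: application v2"]
    hashes_v2, hash_s_v2 = management_node_prepare(layers_v2)
    fetched.clear()

    def fetch_v2(n: int) -> bytes:
        fetched.append(n)
        return layers_v2[n]

    results["dedup"] = repo.store(hashes_v2, hash_s_v2, fetch_v2)[0]
    results["dedup_fetched"] = list(fetched)

    # Layer altered in transit while the HashN list is unchanged: first check catches it.
    altered = SAMPLE_LAYERS[:2] + [b"layer3: application (altered)"]
    results["altered_layer"] = TrustedImageRepo().store(hashes, hash_s, lambda n: altered[n])

    # Layer and its HashN replaced together: first check passes, HashS check catches it.
    hashes_forged = hashes[:2] + [hash_layer(altered[2])]
    results["forged_hashn"] = TrustedImageRepo().store(hashes_forged, hash_s, lambda n: altered[n])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```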

Claims (10)

1. A trusted mirror image transmission method for layered double hash verification is characterized by comprising the following steps:
the management node performs Hash calculation on a mirror layer of the container to obtain a plurality of single-layer Hash values, combines the single-layer Hash values according to a preset sequence, and performs Hash calculation on the combined aggregate Hash value through a TCM trusted chip to obtain a static measurement value Hash S of the container;
the management node generates a static metric value protection secret key KeyP through a TCM trusted chip, and encrypts the static metric value HashS by using the static metric value protection secret key KeyP to obtain a static metric value ciphertext;
the management node sends a warehousing request to a trusted mirror image warehouse node, receives a public key from the trusted mirror image warehouse node, and encrypts the static metric value protection secret key KeyP by using the public key to obtain a ciphertext of the static metric value protection secret key;
the management node sends the mirror image of the container, the single-layer hash value of each layer of mirror image, the static metric value ciphertext and the ciphertext of the static metric value protection key to the trusted mirror image warehouse node;
the trusted mirror image warehouse decrypts the received ciphertext of the static metric value protection key according to a private key to obtain a static metric value protection key KeyP, and decrypts the static metric value ciphertext according to the decrypted static metric value protection key KeyP to obtain the static metric value HashS;
and the trusted mirror image warehouse performs mirror image layer data verification and container static measurement value verification on the container according to the single-layer hash value and the static measurement value HashS of each layer, and stores the mirror image data of the container if the verification is passed.
2. The method according to claim 1, wherein the performing of the mirror layer data check of the container comprises:
the trusted mirror image warehouse searches in a single-layer hash value list of the stored mirror image layer data according to the received single-layer hash value;
and in response to the retrieval result is matched, skipping the verification of the image layer corresponding to the received single-layer hash value, and executing the verification of the single-layer hash value of the next image layer.
3. The method for transferring a trusted image according to claim 2, further comprising:
in response to the fact that the retrieval result is not matched, the trusted mirror image warehouse carries out hash calculation on mirror image layer data of a container corresponding to the single-layer hash value to generate a new single-layer hash value;
comparing the single-layer hash value with a new single-layer hash value generated by hash calculation;
and responding to the consistency of the comparison result, and executing single-layer hash value verification of the next mirror layer.
4. The method according to claim 3, further comprising:
and in response to the inconsistency of the comparison result, ending the container mirror image storage, and deleting all data of the container.
5. The method according to claim 3, wherein the performing the container static metric value check comprises:
in response to the mirror layer verification being completed with a passing result, combining the plurality of single-layer hash values which passed the mirror layer verification according to the preset sequence, performing the hash operation on the combined aggregated hash value again through the TCM trusted chip to obtain a new static measurement value HashS2, and comparing the new static measurement value HashS2 with the decrypted static measurement value HashS;
and if the comparison result is consistent, storing the mirror image of which the single-layer hash value in the mirror image layer of the container is equal to the new single-layer hash value generated by hash calculation.
6. The method according to claim 5, further comprising:
and in response to the inconsistency of the comparison result, ending the container mirror image storage, and deleting all data of the container.
7. The method according to claim 5, further comprising:
after the static measurement value of the container is verified, calling the vulnerability scanning program of the trusted mirror image warehouse to scan the content of the container mirror image, and storing the container mirror image if the scanning result shows no vulnerability threat;
and deleting the container mirror image if the scanning result shows that a vulnerability exists.
8. The trusted image transmission method according to claim 1, wherein the communication mode in which the management node sends the static metric value ciphertext to the trusted image repository includes:
digital envelope security mechanisms or means of secure tunnels.
9. The method according to claim 1, wherein the combining the plurality of single-layer hash values in a predetermined order comprises:
splicing the corresponding single-layer hash values back and forth according to the generation sequence of the container mirror image layers; or
And merging the single-layer hash values by adopting a mode of parity or logic operation.
10. The method for transferring a trusted image according to claim 1, further comprising:
in response to the fact that the management node pulls a container mirror image from the trusted mirror image warehouse node, the trusted mirror image warehouse node performs hash calculation on a mirror image layer of the container to obtain a plurality of single-layer hash values, the single-layer hash values are combined according to a preset sequence, and the combined aggregate hash value is subjected to hash calculation again through the TCM trusted chip to obtain a static measurement value HashS of the container;
the trusted mirror image warehouse node generates a static metric value protection secret key KeyP through a TCM trusted chip, and encrypts the static metric value HashS by using the static metric value protection secret key KeyP to obtain a static metric value ciphertext;
the trusted mirror image warehouse sends a data transmission request to a management node, receives a public key from the management node, and encrypts the static metric value protection secret key KeyP by using the public key to obtain a ciphertext of the static metric value protection secret key;
the trusted mirror image warehouse node sends the mirror image of the container, the single-layer hash value of each layer of mirror image, the static metric value ciphertext and the ciphertext of the static metric value protection key to the management node;
the management node decrypts the received ciphertext of the static metric value protection key according to a private key to obtain a static metric value protection key KeyP, and decrypts the static metric value ciphertext according to the decrypted static metric value protection key KeyP to obtain the static metric value HashS;
and the management node performs mirror image layer data verification and container static measurement value verification on the container according to the single-layer hash value and the static measurement value HashS of each layer, and stores the mirror image data of the container if the verification is passed.
CN202110688097.XA 2021-06-21 2021-06-21 Trusted mirror image transmission method for layered double hash verification Active CN113391880B (en)


Publications (2)

Publication Number Publication Date
CN113391880A CN113391880A (en) 2021-09-14
CN113391880B true CN113391880B (en) 2023-04-07





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230320

Address after: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province

Applicant after: Chaoyue Technology Co.,Ltd.

Address before: Room 102, 1/F, Block A, Huihang Plaza, middle section of Hangtuo Road, National Civil Aerospace Industry Base, Xi'an, Shaanxi 710000

Applicant before: Xi'an Chaochao Shentai Information Technology Co.,Ltd.

GR01 Patent grant