CN113472668B - Routing method and system in multiparty security computation - Google Patents


Publication number
CN113472668B
Authority
CN
China
Prior art keywords
gateway
application
computing participant
computing
key
Legal status
Active
Application number
CN202110844584.0A
Other languages
Chinese (zh)
Other versions
CN113472668A (en)
Inventor
巫锡斌
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110844584.0A
Publication of CN113472668A
Application granted
Publication of CN113472668B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The embodiments of this specification provide a routing method and system in multiparty secure computation. The method comprises the following steps: a first gateway of a first computing participant receives an access request from a first application of the first computing participant, the access request carrying the domain name of a second application to be accessed; the first gateway determines from that domain name that the second application belongs to a second computing participant; the first gateway takes the second computing participant as the target node and looks up, in a first routing table, the address of the first relay node that is the next hop; and the first gateway sends the access request to the first relay gateway of the first relay node using that address, so that the first relay gateway forwards the access request to the second gateway of the second computing participant and the second gateway forwards it to the second application, the first and second applications being used to execute the multiparty secure computation. This reduces the demands that multiparty secure computation places on the network topology.

Description

Routing method and system in multiparty security computation
Technical Field
One or more embodiments of the present description relate to the field of computers, and more particularly, to routing methods and systems in multiparty secure computing.
Background
Multiparty secure computation, also called secure multiparty computation, uses cryptographic techniques such as secret sharing, garbled circuits and homomorphic encryption so that the data of several parties can be jointly exploited without any party's data leaving its own domain, while meeting the requirements of data security, privacy protection and regulatory compliance. The data of each party is usually private data. Typically an application is deployed at each party, the applications correspond to the computing tasks of the multiparty secure computation, and those tasks are carried out through the applications of the parties accessing one another.
Disclosure of Invention
One or more embodiments of the present specification describe a routing method and system in multiparty security computing that can reduce the requirements of the multiparty security computing on network topology.
In a first aspect, a routing method in multiparty security computing is provided, the method comprising:
a first gateway of a first computing participant receives an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed;
the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first gateway takes the second computing participant as a target node, and searches the address of a first relay node of the next hop from a first routing table;
The first gateway sends the access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the access request to a second gateway of the second computing participant, the second gateway forwards the access request to the second application, and the first application and the second application are used for executing multiparty security computation.
In one possible implementation, before the first gateway of the first computing participant receives the access request from the first application of the first computing participant, the method further comprises:
the first application sends a domain name resolution request to a first domain name resolver of the first computing participant, wherein the domain name resolution request carries a domain name of the second application;
the first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application;
when the first domain name resolver judges that the second application does not belong to the first computing participant, it resolves the Internet Protocol (IP) address of the first gateway (the gateway IP address) and returns the gateway IP address to the first application;
And the first application sends the access request to the first gateway according to the gateway IP address.
Further, the domain name of each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first domain name resolver judges whether the second application belongs to the first computing participant according to whether the domain identifier included in the domain name of the second application is the domain identifier of the first computing participant.
In one possible implementation, the domain name of each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first gateway determines that the second application belongs to the second computing participant according to the domain identifier included in the domain name of the second application as the domain identifier of the second computing participant.
In a possible implementation manner, the first gateway taking the second computing participant as a target node and searching the address of a first relay node of a next hop from a first routing table comprises:
The first gateway takes the second computing participant as a target node, and searches a first relay node of a next hop corresponding to the target node from a first routing table;
and the first gateway takes the first relay node as a target node, and searches the address of the first relay node from the first routing table.
In a possible implementation manner, after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further includes:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first relay gateway takes the second computing participant as a target node, and searches the address of a second relay node of the next hop from a second routing table;
and the first relay gateway sends the access request to a second relay gateway of the second relay node according to the address of the second relay node, so that the second relay gateway forwards the access request to a second gateway of the second computing participant, and the second gateway forwards the access request to the second application.
In a possible implementation manner, after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further includes:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first relay gateway takes the second computing participant as a target node, and searches the address of the second computing participant from a second routing table;
and the first relay gateway sends the access request to a second gateway of the second computing participant according to the address of the second computing participant, and the second gateway forwards the access request to the second application.
In one possible implementation manner, the first gateway sends the access request to a first relay gateway of the first relay node according to an address of the first relay node, including:
the first gateway encrypts the access request using a symmetric key shared with the second computing participant;
and sending the encrypted access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the encrypted access request to a second gateway of the second computing participant, and the second gateway decrypts the encrypted access request by using the symmetric key shared with the first computing participant to obtain the access request and forwards the access request to the second application.
Further, the first computing participant has a first gateway cluster formed by a plurality of gateways, and the second computing participant has a second gateway cluster formed by a plurality of gateways; the symmetric key is generated in the following way:
generating a first key by a third gateway corresponding to the first computing participant, encrypting the first key by using a second public key of the second computing participant to obtain a first encryption key, and sending the first encryption key to a fourth gateway corresponding to the second computing participant;
the fourth gateway decrypts the first encryption key by using a second private key corresponding to the second public key to obtain the first key;
the fourth gateway generates a second key, encrypts the second key by using the first public key of the first computing participant to obtain a second encryption key, and sends the second encryption key to the third gateway;
the third gateway decrypts the second encryption key by using a first private key corresponding to the first public key to obtain the second key;
and the third gateway and the fourth gateway generate the symmetric key according to a preset algorithm according to the first key and the second key respectively.
Further, before the third gateway generates the first key, the method further includes:
and the center platform issues the first public key to the fourth gateway and issues the second public key to the third gateway.
Further, before the central platform issues the first public key to the fourth gateway and issues the second public key to the third gateway, the method further includes:
and the center platform selects a third gateway from the first gateway cluster and selects a fourth gateway from the second gateway cluster.
Further, after the symmetric key is generated according to a preset algorithm, the method further includes:
the third gateway encrypts the symmetric key by using the first public key to obtain a first encrypted symmetric key, and uploads the first encrypted symmetric key to the center platform;
the fourth gateway encrypts the symmetric key by using the second public key to obtain a second encrypted symmetric key, and uploads the second encrypted symmetric key to the center platform;
the center platform issues the first encryption symmetric key to the first gateway cluster, and issues the second encryption symmetric key to the second gateway cluster;
Each gateway in the first gateway cluster decrypts the first encryption symmetric key by using the first private key to obtain the symmetric key;
and each gateway in the second gateway cluster decrypts the second encrypted symmetric key by using the second private key to obtain the symmetric key.
In a second aspect, a routing system in multiparty secure computing is provided, the system comprising:
a first computing participant, configured to receive, through a first gateway of the first computing participant, an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed; to determine, by the first gateway, that the second application belongs to a second computing participant according to the domain name of the second application; to take, by the first gateway, the second computing participant as a target node and search the address of a first relay node of the next hop from a first routing table; and to send, by the first gateway, the access request to a first relay gateway of the first relay node according to the address of the first relay node;
the first relay node is configured to forward, through the first relay gateway, the access request to a second gateway of the second computing participant;
The second computing participant is configured to forward the access request to the second application through the second gateway, and the first application and the second application are configured to perform multiparty security computation.
In a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
In a fourth aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements the method of the first aspect.
Through the method and the system provided by the embodiments of the specification, a first gateway of a first computing participant first receives an access request from a first application of the first computing participant, wherein the access request carries the domain name of a second application to be accessed; the first gateway then determines, according to that domain name, that the second application belongs to a second computing participant; the first gateway then takes the second computing participant as a target node and searches the address of a first relay node of the next hop from a first routing table; and finally the first gateway sends the access request to a first relay gateway of the first relay node according to that address, so that the first relay gateway forwards the access request to a second gateway of the second computing participant, the second gateway forwards the access request to the second application, and the first application and the second application execute the multiparty secure computation. In other words, in the embodiments of the present disclosure the first computing participant and the second computing participant cannot be directly connected, but both are connected to the first relay node; messages between them are forwarded by the first relay node, so the two participants are indirectly interconnected and the requirement of multiparty secure computation on the network topology is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation scenario of an embodiment disclosed herein;
FIG. 2 is a schematic diagram of a network architecture of one embodiment of the disclosure;
FIG. 3 illustrates a schematic diagram of routing method interactions in multiparty security computing, according to one embodiment;
FIG. 4 illustrates a schematic diagram of training tasks in a multiparty security calculation performed by a three party according to one embodiment;
FIG. 5 illustrates a domain name resolution schematic according to one embodiment;
FIG. 6 illustrates a link operation diagram for a particular access request, according to one embodiment;
FIG. 7 illustrates a schematic block diagram of a routing system in multiparty security computing in accordance with one embodiment.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
Fig. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in the present specification. This scenario concerns routing in multiparty secure computation, which involves multiple computing participants that must exchange messages; routing here means determining the path of a message from its source to its destination. "Multiple" may be two or more, for example 3, 5, 10 or 20; this embodiment illustrates only 3 computing participants. Referring to fig. 1, the multiparty secure computation involves 3 computing participants, namely computing participant A, computing participant B and computing participant C. Fig. 1 (1) shows the network architecture that the computing task of the multiparty secure computation requires, that is, any two of the 3 computing participants must be able to communicate with each other. Fig. 1 (2) shows the actual network architecture, where computing participant B and computing participant A can be directly connected, computing participant C and computing participant A can be directly connected, but computing participant B and computing participant C cannot be directly connected. Fig. 1 (3) shows a virtual direct link: computing participant A acts as a relay node responsible for relaying the messages exchanged between computing participant B and computing participant C, which forms a virtual direct link between B and C.
According to the embodiment of the specification, under the condition that two computing participants in multiparty security computation cannot be directly connected, the virtual direct connection link is formed between the two computing participants by providing the corresponding routing scheme, so that the two computing participants are indirectly connected, and the requirement of multiparty security computation on network topology can be reduced.
In addition, it should be noted that the application corresponds to a computing task of multiparty secure computation, and the computing task of multiparty secure computation is implemented by accessing the application between the parties. For example, computing party B has application 1 and application 2, computing party C has application 3 and application 4, and the multiparty security computation may involve not only access to application 2 by application 1 for communication within a party, or access to application 4 by application 3, but also access to application 4 by application 2 for communication between two parties.
In the embodiment of the present disclosure, an application is a program that performs a specific function, such as model training, model prediction, data reflow, etc., and may be executed in a short job form or may be resident in a service form.
The model training may employ federated learning. Federated learning is a machine learning technique that trains a model across many decentralized edge devices or servers holding local data samples, achieving joint modelling while preserving data privacy, security and legal compliance, and improving the effect of the neural network model.
It will be appreciated that the data of each party in the multiparty secure computation is private data, which may be any data that is inconvenient to disclose, may be, but is not limited to, data representing personal information of the user, or a trade secret, etc.
Optionally, a central platform may also be provided, with instructions being sent by the central platform to computing participants for coordinating multiparty secure computing procedures, such as multiparty model training and model deployment.
It should be noted that, in the embodiments of the present specification, the computing participants and the central platform are names given from roles, and may physically be formed by one module, one computing device, or a computing cluster.
Fig. 2 is a schematic diagram of a network architecture according to an embodiment of the disclosure. The network architecture may correspond to the implementation scenario shown in fig. 1, with each computing participant comprising an application executor, a domain name resolver and a gateway; for example, computing participant 1 has its own application executor, domain name resolver and gateway, and computing participant 2 likewise has its own application executor, domain name resolver and gateway. The application executor executes one or more applications of the computing participant; the applications correspond to computing tasks of the multiparty secure computation, and each application has a domain name that uniquely identifies it. Application access across computing participants must pass through the gateway, whereas application access within a computing participant need not: for example, access from application 2 to application 4 passes through the gateway, while access from application 1 to application 2 does not. This distinction is made by resolving the domain name of the application to be accessed.
In the embodiments of the present description, the domain name resolver implements a service that maps domain names to Internet Protocol (IP) addresses. The gateway can be used for identity authentication between computing participants; it proxies the egress and ingress traffic of its computing participant and records a request log.
Each computing participant may use a containerized deployment, in which the application executor, the domain name resolver and the gateway are the base containers of that computing participant.
Fig. 3 illustrates a schematic diagram of routing method interactions in multiparty secure computing, which may be interactively performed by a first computing participant, a first relay node, and a second computing participant based on the implementation scenario illustrated in fig. 1 and the network architecture illustrated in fig. 2, according to one embodiment. As shown in fig. 3, the routing method in the multiparty security computation in this embodiment includes the following steps:
step 31, a first gateway of a first computing participant receives an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed;
step 32, the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
step 33, the first gateway uses the second computing participant as a target node, and searches the address of the first relay node of the next hop from the first routing table;
step 34, the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node;
step 35, the first relay gateway forwards the access request to a second gateway of the second computing participant;
step 36, the second gateway forwards the access request to the second application, and the first application and the second application are used for executing multiparty security computation.
Specific implementations of the above steps are described below.
First, in step 31, a first gateway of a first computing participant receives an access request from a first application of the first computing participant, the access request carrying a domain name of a second application to be accessed. It will be appreciated that the second application does not belong to the first computing participant, and thus access to the second application by the first application requires passage through the gateway.
In one example, before the first gateway of the first computing participant receives the access request from the first application of the first computing participant, the method further comprises:
the first application sends a domain name resolution request to a first domain name resolver of the first computing participant, wherein the domain name resolution request carries a domain name of the second application;
the first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application;
when the first domain name resolver judges that the second application does not belong to the first computing participant, it resolves the IP address of the first gateway and returns the gateway IP address to the first application;
and the first application sends the access request to the first gateway according to the gateway IP address.
Further, the domain name of each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first domain name resolver judges whether the second application belongs to the first computing participant according to whether the domain identifier included in the domain name of the second application is the domain identifier of the first computing participant.
In the present embodiment, each application (also referred to as a service) corresponds to a domain name that uniquely identifies the application. Optionally, the domain name has the structure service-name.domain-name.svc, where service-name is the application identifier, domain-name is the domain identifier of the computing participant in which the application is located, and svc is the suffix used for applications.
FIG. 4 illustrates a schematic diagram of training tasks in a multiparty secure computation performed by three parties, according to one embodiment. Referring to fig. 4, the three parties, computing participant A, computing participant B and computing participant C, cooperate to complete a training task job-1. The system framework starts a pod at each party and assigns a domain name to its application, through which the applications access one another. The domain name of the application at computing participant A is http://job-1.a.svc, where a identifies that the application belongs to computing participant A; the domain name of the application at computing participant B is http://job-1.b.svc, where b identifies that the application belongs to computing participant B; and the domain name of the application at computing participant C is http://job-1.c.svc, where c identifies that the application belongs to computing participant C. The applications access each other through these domain names.
Fig. 5 illustrates a domain name resolution schematic according to one embodiment. Referring to fig. 5, the domain identifier of the first computing participant is domain-bob, the domain identifier of the second computing participant is domain-alice, and the domain name of the second application is identified as foo.
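The resolver decision described above (the steps before step 31 and the naming of FIG. 5), as an added example that is not code from the patent or from Alipay. The domain-name layout service-name.domain-name.svc is taken from the text; the pod IPs, the gateway IP and the service names other than job-1 and foo are constructed.

```python
"""Domain name resolver of one computing participant (added example).

Assumes the domain-name layout service-name.domain-name.svc from the text;
pod IPs, gateway IP and the extra service name are constructed.
"""
from dataclasses import dataclass
from typing import Dict, NamedTuple

SUFFIX = "svc"  # extension shared by every application domain name


class AppName(NamedTuple):
    service: str  # application identifier, e.g. "foo"
    domain: str   # domain identifier of the participant hosting the app


def parse_app_domain(name: str) -> AppName:
    """Split 'service-name.domain-name.svc' into its two identifiers.

    A name with a different label count, an empty label or another suffix
    is rejected outright, so a malformed name can neither be mis-resolved
    to a local pod nor be handed to the gateway as if it were remote.
    """
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) != 3 or not all(labels) or labels[2] != SUFFIX:
        raise ValueError(f"not a valid application domain name: {name!r}")
    return AppName(service=labels[0], domain=labels[1])


def is_valid_app_domain(name: str) -> bool:
    try:
        parse_app_domain(name)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class DomainNameResolver:
    """The 'first domain name resolver' of one participant.

    local_domain: this participant's domain identifier, e.g. "domain-bob".
    local_apps:   service identifier -> pod IP of applications hosted here.
    gateway_ip:   IP of this participant's gateway, returned for any
                  application that belongs to another participant.
    """
    local_domain: str
    local_apps: Dict[str, str]
    gateway_ip: str

    def resolve(self, name: str) -> str:
        app = parse_app_domain(name)
        if app.domain == self.local_domain:
            # Intra-participant access does not pass through the gateway:
            # answer with the pod IP of the local application.
            if app.service not in self.local_apps:
                raise LookupError(f"no local application {app.service!r}")
            return self.local_apps[app.service]
        # Cross-participant access: hand the request to the gateway, which
        # routes it to the owning participant (steps 31 to 36).
        return self.gateway_ip


# Constructed deployment for the participant named domain-bob in FIG. 5.
BOB_RESOLVER = DomainNameResolver(
    local_domain="domain-bob",
    local_apps={"job-1": "10.0.1.10", "bar": "10.0.1.11"},
    gateway_ip="10.0.1.1",
)

if __name__ == "__main__":
    for query in ("job-1.domain-bob.svc", "foo.domain-alice.svc"):
        print(query, "->", BOB_RESOLVER.resolve(query))
```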
The first gateway then determines, in step 32, that the second application belongs to a second computing party based on the domain name of the second application. It will be appreciated that the domain name of the second application may reflect the computing party in which it is located.
In one example, the domain name for each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first gateway determines that the second application belongs to the second computing participant according to the domain identifier included in the domain name of the second application as the domain identifier of the second computing participant.
Next, in step 33, the first gateway uses the second computing party as a target node, and searches the first routing table for the address of the first relay node of the next hop. It can be understood that the first gateway belongs to a first computing participant, the first computing participant is a source node, the first computing participant and a second computing participant cannot be directly connected, and a virtual interconnection link needs to be realized through a first relay node.
In one example, the first gateway uses the second computing party as a target node, searches the address of the first relay node of the next hop from the first routing table, and includes:
the first gateway takes the second computing participant as a target node, and searches a first relay node of a next hop corresponding to the target node from a first routing table;
and the first gateway takes the first relay node as a target node, and searches the address of the first relay node from the first routing table.
In the embodiment of the present disclosure, the gateway has a routing table generally formed by triplets < source, destination, host >, where source represents a source node, destination represents a destination node, and host represents an entry address of the destination node. The gateways each maintain a routing table to the target node by inter-node authorization. As shown in table one, the source node may not be included in the routing table since each node maintains its own routing table to the destination node.
Table one: routing table structure
Source node Target node Ingress address of target node
B A https://mpctrain.alipay.com
A B https://mpctrain.inst-a.com
C A https://mpctrain.alipay.com
A C https://mpctrain.inst-c.com
Referring to table one, the node a and the node B may be directly connected, and the node a and the node C may also be directly connected, where the node a serves as a relay node, and establishes a bidirectional authorization link with B, C respectively.
Due to various limiting factors, the node B and the node C cannot establish a direct bidirectional authorization link. At this point, a special node authorization < source, destination, next-hop > may be established, where next-hop represents the next hop node for the source node to access the target node.
And (II) table: another routing table structure
Source node Target node Next hop node
B C A
C B A
Referring to table two, the node B and the node C cannot be directly connected, the node A is used as the next hop node, and the interactive message between the node B and the node C needs to be forwarded through the node A.
In step 34, the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node. It may be understood that the indirect access link between the first computing participant and the second computing participant may pass through only one relay node; for example, the indirect access link B→A→E from node B to node E passes through a single relay node, node A, which is the first relay node. Alternatively, the indirect access link may pass through a plurality of relay nodes; for example, the indirect access link B→A→C→D→E from node B to node E passes through three relay nodes, namely nodes A, C and D, among which node A is the first relay node.
In one example, after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further includes:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first relay gateway takes the second computing participant as a target node, and searches the address of a second relay node of the next hop from a second routing table;
and the first relay gateway sends the access request to a second relay gateway of the second relay node according to the address of the second relay node, so that the second relay gateway forwards the access request to a second gateway of the second computing participant, and the second gateway forwards the access request to the second application.
In this example, multiple relay nodes are traversed in an indirect access link between a first computing participant and a second computing participant, and an access request of the first computing participant needs to be forwarded sequentially through the multiple relay nodes before reaching the second computing participant. It may be appreciated that, in the access request sent by the first relay gateway, initial source information and source node information may be carried, where the first computing participant is an initial source of the access request, and the first relay node is a source node.
In another example, after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further includes:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first relay gateway takes the second computing participant as a target node, and searches the address of the second computing participant from a second routing table;
and the first relay gateway sends the access request to a second gateway of the second computing participant according to the address of the second computing participant, and the second gateway forwards the access request to the second application.
In this example, only one relay node is passed in the indirect access link between the first computing participant and the second computing participant, and the access request of the first computing participant can reach the second computing participant only by being forwarded by the relay node. It may be appreciated that, in the access request sent by the first relay gateway, initial source information and source node information may be carried, where the first computing participant is an initial source of the access request, and the first relay node is a source node.
In one example, the first gateway sends the access request to a first relay gateway of the first relay node according to an address of the first relay node, including:
the first gateway encrypts the access request using a symmetric key shared with the second computing participant;
and sending the encrypted access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the encrypted access request to a second gateway of the second computing participant, and the second gateway decrypts the encrypted access request by using the symmetric key shared with the first computing participant to obtain the access request and forwards the access request to the second application.
In this example, the first relay node cannot acquire the symmetric key and therefore cannot decrypt the encrypted access request, which prevents the relay node from stealing sensitive information while forwarding the message and improves security.
Further, the first computing participant has a first gateway cluster formed by a plurality of gateways, and the second computing participant has a second gateway cluster formed by a plurality of gateways; the symmetric key is generated in the following way:
Generating a first key by a third gateway corresponding to the first computing participant, encrypting the first key by using a second public key of the second computing participant to obtain a first encryption key, and sending the first encryption key to a fourth gateway corresponding to the second computing participant;
the fourth gateway decrypts the first encryption key by using a second private key corresponding to the second public key to obtain the first key;
the fourth gateway generates a second key, encrypts the second key by using the first public key of the first computing participant to obtain a second encryption key, and sends the second encryption key to the third gateway;
the third gateway decrypts the second encryption key by using a first private key corresponding to the first public key to obtain the second key;
and the third gateway and the fourth gateway generate the symmetric key according to a preset algorithm according to the first key and the second key respectively.
In this example, the symmetric key is generated based on the asymmetric key of each of the first computing participant and the second computing participant, and the security is high.
Further, before the third gateway generates the first key, the method further includes:
And the center platform issues the first public key to the fourth gateway and issues the second public key to the third gateway.
Further, before the central platform issues the first public key to the fourth gateway and issues the second public key to the third gateway, the method further includes:
and the center platform selects a third gateway from the first gateway cluster and selects a fourth gateway from the second gateway cluster.
Further, after the symmetric key is generated according to a preset algorithm, the method further includes:
the third gateway encrypts the symmetric key by using the first public key to obtain a first encrypted symmetric key, and uploads the first encrypted symmetric key to the center platform;
the fourth gateway encrypts the symmetric key by using the second public key to obtain a second encrypted symmetric key, and uploads the second encrypted symmetric key to the center platform;
the center platform issues the first encryption symmetric key to the first gateway cluster, and issues the second encryption symmetric key to the second gateway cluster;
each gateway in the first gateway cluster decrypts the first encryption symmetric key by using the first private key to obtain the symmetric key;
And each gateway in the second gateway cluster decrypts the second encrypted symmetric key by using the second private key to obtain the symmetric key.
It can be understood that the central platform can assist the first computing party and the second computing party to generate the symmetric key and issue the symmetric key, but the central platform cannot obtain the plain text symmetric key, so that the security is high.
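The key negotiation between the third and fourth gateways and the subsequent distribution through the central platform, as an added example that is not the patent's own code. The page does not name the "preset algorithm", so HMAC-SHA256 over the two keys is assumed here, and public-key encryption is a toy textbook RSA on a small modulus so that the block runs on the Python standard library alone (a real deployment would use a padded scheme such as RSA-OAEP or a hybrid construction); the key lengths, cluster size and the CentralPlatform store are likewise assumptions.

```python
from __future__ import annotations
import hashlib, hmac, secrets

KEY_LEN = 16  # bytes of each random key K1, K2 exchanged by the gateways (assumption)

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; only needed to build the toy RSA key pairs below."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def rsa_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Toy textbook RSA pair ((n, e), (n, d)): a stand-in for a real public-key scheme."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e prime and not dividing phi => e is invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def pk_encrypt(pub: tuple[int, int], data: bytes) -> int:
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)

def pk_decrypt(priv: tuple[int, int], c: int, length: int) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")

def derive_symmetric_key(first_key: bytes, second_key: bytes) -> bytes:
    """The page's 'preset algorithm' is unspecified; HMAC-SHA256(K1, K2) is assumed here."""
    return hmac.new(first_key, second_key, hashlib.sha256).digest()

def negotiate(first_priv, first_pub, second_priv, second_pub) -> tuple[bytes, bytes]:
    """Third gateway (first participant) and fourth gateway (second participant)
    exchange K1 and K2, each encrypted under the *other* participant's public key."""
    first_key = secrets.token_bytes(KEY_LEN)                    # third gateway generates K1
    first_enc = pk_encrypt(second_pub, first_key)               # sent to the fourth gateway
    first_key_at_fourth = pk_decrypt(second_priv, first_enc, KEY_LEN)
    second_key = secrets.token_bytes(KEY_LEN)                   # fourth gateway generates K2
    second_enc = pk_encrypt(first_pub, second_key)              # sent to the third gateway
    second_key_at_third = pk_decrypt(first_priv, second_enc, KEY_LEN)
    k_third = derive_symmetric_key(first_key, second_key_at_third)
    k_fourth = derive_symmetric_key(first_key_at_fourth, second_key)
    return k_third, k_fourth

class CentralPlatform:
    """Stores uploaded encrypted symmetric keys and issues them; holds no private key."""
    def __init__(self) -> None:
        self.stored: dict[str, int] = {}
    def upload(self, participant: str, ciphertext: int) -> None:
        self.stored[participant] = ciphertext
    def issue(self, participant: str) -> int:
        return self.stored[participant]

def distribute(platform, participant, pub, priv, sym_key, cluster_size) -> list[bytes]:
    """Chosen gateway uploads K encrypted under its own participant's public key;
    each gateway in that participant's cluster fetches it and decrypts with the private key."""
    platform.upload(participant, pk_encrypt(pub, sym_key))
    return [pk_decrypt(priv, platform.issue(participant), len(sym_key)) for _ in range(cluster_size)]

def run_protocol(cluster_size: int = 3) -> dict:
    first_pub, first_priv = rsa_keypair()    # first computing participant's key pair
    second_pub, second_priv = rsa_keypair()  # second computing participant's key pair
    platform = CentralPlatform()             # public keys already issued (passed in below)
    k_third, k_fourth = negotiate(first_priv, first_pub, second_priv, second_pub)
    return {
        "third": k_third,
        "fourth": k_fourth,
        "first_cluster": distribute(platform, "first", first_pub, first_priv, k_third, cluster_size),
        "second_cluster": distribute(platform, "second", second_pub, second_priv, k_fourth, cluster_size),
        "platform_sees": list(platform.stored.values()),
    }
```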
In step 35, the first relay gateway forwards the access request to a second gateway of the second computing participant. It may be understood that the access request carries the domain name of the second application to be accessed, and the first relay gateway may determine, according to the domain name of the second application, that the second application belongs to the second computing participant, and forward the access request to the second gateway of the second computing participant.
In one example, a first relay node may be directly connected to a second computing participant, the first relay node forwarding the access request directly to a second gateway of the second computing participant.
In another example, the first relay node and the second computing participant cannot be directly connected, and at least one relay node is further passed through in an indirect access link between the first relay node and the second computing participant, and the first relay node forwards the access request to other relay nodes, and then the other relay nodes forward the access request to a second gateway of the second computing participant.
Finally, in step 36, the second gateway forwards the access request to the second application, the first application and the second application being configured to perform multiparty security calculations. It will be appreciated that the second gateway and the second application belong to the same second computing party, and that the access request may be sent to the second application by local forwarding.
In one example, each computing participant employs a containerized deployment, the second application running in a target container belonging to a target dispatch unit pod;
the second gateway forwarding the access request to the second application, comprising:
the second gateway sends the access request to the target pod according to the network protocol (IP) address of the target pod.
In the embodiment of the present disclosure, a connection may be established between computing participants, or between a computing participant and a relay node, through a public network or a private line. The gateway supports both HTTP and HTTPS; HTTPS is typically used over public networks and HTTP over private lines.
Through the method provided by the embodiment of the specification, firstly, a first gateway of a first computing participant receives an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed; then the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application; then the first gateway takes the second computing participant as a target node, and searches the address of a first relay node of the next hop from a first routing table; and finally, the first gateway sends the access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the access request to a second gateway of the second computing participant, the second gateway forwards the access request to the second application, and the first application and the second application are used for executing multiparty security computation. From the above, in the embodiment of the present disclosure, the first computing participant and the second computing participant cannot be directly connected, but are all connected to the first relay node, and for the message between the first computing participant and the second computing participant, the message can be forwarded by the first relay node, so that the first computing participant and the second computing participant are indirectly interconnected, and the requirement of multiparty security computation on network topology can be reduced.
FIG. 6 illustrates a link operation diagram for a particular access request, according to one embodiment. Referring to FIG. 6, how the entire link works is illustrated by node B sending an access request http://job-1.c.svc to node C.
Referring to (1) in FIG. 6, first, the domain name resolver of node B resolves the domain name job-1.c.svc and redirects the access request to the gateway of node B.
Referring to (2) in FIG. 6, the gateway of node B then determines, from the Host carried by the request, that the access request should be forwarded to node C, queries the routing table to learn that the next-hop node is node A, and queries the routing table again to learn that the address of node A is mpctrain.
Next, the gateway of node B sets Host to mpctrain. It sets MPC-Source to B, indicating the identity of the source node, and sets MPC-Host to job-1.c.svc, indicating the target application to access. The gateway of node B sends the access request to the gateway of node A.
Referring to (3) in FIG. 6, the gateway of node A then receives the access request, determines from MPC-Host that the request should be forwarded to node C, and queries the routing table to learn that the address of node C is mpctrain.
The gateway of node A then sets Host to mpctrain. It sets MPC-Source to A, indicating the identity of the source node, and sets MPC-Origin-Source to B, indicating the origin of the request; MPC-Host is kept unchanged. The gateway of node A sends the request to the gateway of node C.
Finally, the gateway of node C receives the request and forwards it to the corresponding back-end pod according to MPC-Host.
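The two-level routing lookup of step 33 (tables one and two) together with the header rewriting walked through for FIG. 6, as an added Python model that is not part of the patent text. The node names, entry addresses and the Host / MPC-Source / MPC-Origin-Source / MPC-Host headers come from the page; the request representation, the hop limit, the pod IP addresses and the rejection of unroutable requests are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_HOPS = 8  # assumption: bounds forwarding so inconsistent tables cannot loop forever

def split_domain(url_or_domain: str) -> tuple[str, str]:
    """Split 'http://job-1.c.svc' into (application identifier, domain identifier)."""
    domain = url_or_domain.split("://", 1)[-1].rstrip("/")
    labels = domain.split(".")
    if len(labels) != 3 or labels[2] != "svc":
        raise ValueError(f"not an application domain name: {url_or_domain!r}")
    return labels[0], labels[1].lower()

@dataclass
class Gateway:
    node: str
    addresses: dict[str, str]  # table one rows kept by this node: target node -> entry address
    next_hops: dict[str, str]  # table two rows kept by this node: target node -> next-hop node
    pods: dict[str, str] = field(default_factory=dict)  # local application id -> pod IP

    def route(self, target: str) -> tuple[str, str]:
        """Step 33: a directly connected target resolves to its address; otherwise the
        next hop is looked up first and then the next hop's own address."""
        if target in self.addresses:
            return target, self.addresses[target]
        hop = self.next_hops.get(target)
        if hop is None or hop not in self.addresses:
            raise LookupError(f"{self.node}: no route to node {target}")
        return hop, self.addresses[hop]

    def forward(self, headers: dict[str, str]) -> tuple[bool, str, dict[str, str]]:
        """Return (delivered, destination, headers): destination is a pod IP when the
        target is local, otherwise the next node, with headers rewritten as in FIG. 6."""
        app, target = split_domain(headers["MPC-Host"])
        if target == self.node.lower():
            if app not in self.pods:
                raise LookupError(f"{self.node}: no pod for application {app}")
            return True, self.pods[app], headers
        nxt, addr = self.route(target.upper())
        out = dict(headers)
        out["Host"] = addr
        if "MPC-Source" in headers:
            # a relay records who originated the request before naming itself as source
            out.setdefault("MPC-Origin-Source", headers["MPC-Source"])
        out["MPC-Source"] = self.node
        return False, nxt, out

def send(gateways: dict[str, Gateway], source: str, url: str) -> tuple[list[str], str, dict[str, str]]:
    """Drive one access request gateway by gateway; returns (node path, pod IP, final headers)."""
    headers = {"MPC-Host": url.split("://", 1)[-1].rstrip("/")}
    node, path = source, [source]
    for _ in range(MAX_HOPS):
        delivered, dest, headers = gateways[node].forward(headers)
        if delivered:
            return path, dest, headers
        node = dest
        path.append(node)
    raise RuntimeError(f"hop limit exceeded on path {path}; check the routing tables for loops")

def reachable(gateways: dict[str, Gateway], source: str, url: str) -> bool:
    try:
        send(gateways, source, url)
        return True
    except (LookupError, RuntimeError):
        return False

# Tables one and two from the page, split into the rows each node keeps for itself.
# The pod IP addresses are constructed sample values.
GATEWAYS = {
    "A": Gateway("A", {"B": "https://mpctrain.inst-a.com", "C": "https://mpctrain.inst-c.com"}, {}),
    "B": Gateway("B", {"A": "https://mpctrain.alipay.com"}, {"C": "A"}, pods={"job-1": "10.1.0.7"}),
    "C": Gateway("C", {"A": "https://mpctrain.alipay.com"}, {"B": "A"}, pods={"job-1": "10.0.0.7"}),
}

if __name__ == "__main__":
    path, pod, hdrs = send(GATEWAYS, "B", "http://job-1.c.svc")
    print(" -> ".join(path), "-> pod", pod, hdrs)
```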
The embodiment of the specification also provides a system framework, which is a platform for orchestrating, deploying and managing various applications in a multiparty secure computing scenario. It is a Kubernetes cluster spanning institutions, where an institution can be understood as a computing participant; the k8s master is located at the central node and is responsible for managing, scheduling and coordinating the resources and states of the whole cluster. The k8s nodes are located at the downstream nodes, deployed at each cooperating institution, and are responsible for executing offline training tasks and running online model services. In the embodiment of the specification, the virtual link established through the relay node is provided by the framework layer and is transparent to the application layer, which reduces the development difficulty of applications.
In general, most institutions have a unified http access gateway, only http protocol communication is allowed, and the routing method provided by the embodiment of the specification is based on the http protocol, has better applicability in a multiparty secure computing scene, and has lower requirements on network infrastructure of the institutions.
According to an embodiment of another aspect, there is also provided a routing system in multiparty secure computing, the system being configured to perform the method provided by the embodiments of the present specification. Fig. 7 illustrates a schematic block diagram of a routing system in multiparty security computing in accordance with one embodiment. As shown in fig. 7, the system 700 includes:
A first computing participant 71, configured to receive, through a first gateway of the first computing participant 71, an access request from a first application of the first computing participant 71, where the access request carries a domain name of a second application to be accessed; determining, by the first gateway, that the second application belongs to a second computing participant according to a domain name of the second application; searching an address of a first relay node 73 of a next hop from a first routing table by the first gateway with the second computing participant 72 as a target node; transmitting, by the first gateway, the access request to a first relay gateway of the first relay node 73 according to an address of the first relay node 73;
the first relay node 73 is configured to forward, through the first relay gateway, the access request to a second gateway of the second computing participant 72;
the second computing participant 72 is configured to forward the access request to the second application through the second gateway, and the first application and the second application are configured to perform multiparty security calculations.
Optionally, as an embodiment, the first computing participant 71 is further configured to send, by the first application, a domain name resolution request to a first domain name resolver of the first computing participant 71, before receiving, by the first gateway, an access request from a first application of the first computing participant 71, where the domain name resolution request carries a domain name of the second application; judging whether the second application belongs to the first computing participant 71 according to the domain name of the second application through the first domain name resolver; when the first domain name resolver determines that the second application does not belong to the first computing participant 71, resolving a gateway network protocol (IP) address of the first gateway, and returning the gateway IP address to the first application; and the first application sends the access request to the first gateway according to the gateway IP address.
Further, the domain name of each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first computing participant 71 is specifically configured to determine, by using the first domain name resolver, whether the second application belongs to the first computing participant 71 according to whether a domain identifier included in the domain name of the second application is the domain identifier of the first computing participant 71.
Optionally, as an embodiment, the domain name of each application includes: an application identifier and a domain identifier of a computing participant in which the application is located;
the first computing participant 71 is specifically configured to determine, through the first gateway, that the second application belongs to the second computing participant 72 when the domain identifier included in the domain name of the second application is the domain identifier of the second computing participant 72.
Optionally, as an embodiment, the first computing participant 71 is specifically configured to, by using the first gateway and the second computing participant 72 as a target node, find, from a first routing table, a first relay node 73 of a next hop corresponding to the target node; the first gateway uses the first relay node 73 as a target node, and searches the address of the first relay node 73 from the first routing table.
Optionally, as an embodiment, the first relay node 73 is specifically configured to determine, by using the first relay gateway, that the second application belongs to the second computing participant 72 according to a domain name of the second application; the first relay gateway uses the second computing participant 72 as a target node, and searches the address of a second relay node of the next hop from a second routing table; the first relay gateway sends the access request to a second relay gateway of the second relay node according to the address of the second relay node, so that the second relay gateway forwards the access request to a second gateway of the second computing participant 72, and the second gateway forwards the access request to the second application.
Optionally, as an embodiment, the first relay node 73 is specifically configured to determine, by using the first relay gateway, that the second application belongs to the second computing participant 72 according to a domain name of the second application; the first relay gateway uses the second computing participant 72 as a target node, and searches the address of the second computing participant 72 from a second routing table; the first relay gateway sends the access request to a second gateway of the second computing participant 72 according to the address of the second computing participant 72, and the second gateway forwards the access request to the second application.
Optionally, as an embodiment, the first computing participant 71 is specifically configured to encrypt, by the first gateway, the access request with a symmetric key shared with the second computing participant 72; and sending the encrypted access request to a first relay gateway of the first relay node 73 according to the address of the first relay node 73, so that the first relay gateway forwards the encrypted access request to a second gateway of the second computing participant 72, and the second gateway decrypts the encrypted access request by using the symmetric key shared with the first computing participant 71 to obtain the access request and forwards the access request to the second application.
Further, the first computing participant 71 has a first gateway cluster composed of a plurality of gateways, and the second computing participant 72 has a second gateway cluster composed of a plurality of gateways; the symmetric key is generated in the following way:
the third gateway corresponding to the first computing participant 71 generates a first key, encrypts the first key by using the second public key of the second computing participant 72 to obtain a first encryption key, and sends the first encryption key to the fourth gateway corresponding to the second computing participant 72;
The fourth gateway decrypts the first encryption key by using a second private key corresponding to the second public key to obtain the first key;
the fourth gateway generates a second key, encrypts the second key by using the first public key of the first computing participant 71 to obtain a second encryption key, and sends the second encryption key to the third gateway;
the third gateway decrypts the second encryption key by using a first private key corresponding to the first public key to obtain the second key;
and the third gateway and the fourth gateway generate the symmetric key according to a preset algorithm according to the first key and the second key respectively.
Further, the system further comprises:
and the center platform is used for issuing the first public key to the fourth gateway and issuing the second public key to the third gateway before the third gateway generates the first secret key.
Further, the central platform is further configured to select a third gateway from the first gateway cluster and select a fourth gateway from the second gateway cluster before issuing the first public key to the fourth gateway and issuing the second public key to the third gateway.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 3.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 3.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (23)

1. A routing method in multiparty secure computing, the method comprising:
a first gateway of a first computing participant receives an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed;
the first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first gateway takes the second computing participant as a target node, and searches the address of a first relay node of the next hop from a first routing table;
the first gateway sends the access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the access request to a second gateway of the second computing participant, the second gateway forwards the access request to the second application, and the first application and the second application are used for executing multiparty security computation;
wherein, before the first gateway of the first computing participant receives the access request from the first application of the first computing participant, the method further comprises:
the first application sends a domain name resolution request to a first domain name resolver of the first computing participant, wherein the domain name resolution request carries a domain name of the second application;
The first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application;
when the first domain name resolver judges that the second application does not belong to the first computing participant, resolving a gateway network protocol (IP) address of the first gateway, and returning the gateway IP address to the first application;
and the first application sends the access request to the first gateway according to the gateway IP address.
2. The method of claim 1, wherein the domain name of each application comprises: an application identifier and a domain identifier of a computing participant in which the application is located;
the first domain name resolver judges whether the second application belongs to the first computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first domain name resolver judges whether the second application belongs to the first computing participant according to whether the domain identifier included in the domain name of the second application is the domain identifier of the first computing participant.
3. The method of claim 1, wherein the domain name of each application comprises: an application identifier and a domain identifier of a computing participant in which the application is located;
The first gateway determines that the second application belongs to a second computing participant according to the domain name of the second application, and the method comprises the following steps:
and the first gateway determines that the second application belongs to the second computing participant according to the domain identifier included in the domain name of the second application as the domain identifier of the second computing participant.
4. The method of claim 1, wherein the first gateway looking up the address of the first relay node of the next hop from the first routing table with the second computing participant as a target node, comprising:
the first gateway takes the second computing participant as a target node, and searches a first relay node of a next hop corresponding to the target node from a first routing table;
and the first gateway takes the first relay node as a target node, and searches the address of the first relay node from the first routing table.
5. The method of claim 1, wherein after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further comprises:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
The first relay gateway takes the second computing participant as a target node, and searches the address of a second relay node of the next hop from a second routing table;
and the first relay gateway sends the access request to a second relay gateway of the second relay node according to the address of the second relay node, so that the second relay gateway forwards the access request to a second gateway of the second computing participant, and the second gateway forwards the access request to the second application.
6. The method of claim 1, wherein after the first gateway sends the access request to the first relay gateway of the first relay node according to the address of the first relay node, the method further comprises:
the first relay gateway determines that the second application belongs to a second computing participant according to the domain name of the second application;
the first relay gateway takes the second computing participant as a target node, and searches the address of the second computing participant from a second routing table;
and the first relay gateway sends the access request to a second gateway of the second computing participant according to the address of the second computing participant, and the second gateway forwards the access request to the second application.
7. The method of claim 1, wherein the first gateway sending the access request to a first relay gateway of the first relay node according to an address of the first relay node comprises:
the first gateway encrypts the access request using a symmetric key shared with the second computing participant;
and sending the encrypted access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the encrypted access request to a second gateway of the second computing participant, and the second gateway decrypts the encrypted access request by using the symmetric key shared with the first computing participant to obtain the access request and forwards the access request to the second application.
8. The method of claim 7, wherein the first computing participant has a first gateway cluster of multiple gateways and the second computing participant has a second gateway cluster of multiple gateways; the symmetric key is generated in the following way:
generating a first key by a third gateway corresponding to the first computing participant, encrypting the first key by using a second public key of the second computing participant to obtain a first encryption key, and sending the first encryption key to a fourth gateway corresponding to the second computing participant;
the fourth gateway decrypts the first encryption key by using a second private key corresponding to the second public key to obtain the first key;
the fourth gateway generates a second key, encrypts the second key by using the first public key of the first computing participant to obtain a second encryption key, and sends the second encryption key to the third gateway;
the third gateway decrypts the second encryption key by using a first private key corresponding to the first public key to obtain the second key;
and the third gateway and the fourth gateway each generate the symmetric key from the first key and the second key according to a preset algorithm.
9. The method of claim 8, wherein prior to the third gateway generating the first key, the method further comprises:
and the central platform issues the first public key to the fourth gateway and issues the second public key to the third gateway.
10. The method of claim 9, wherein before the central platform issues the first public key to the fourth gateway and the second public key to the third gateway, the method further comprises:
and the central platform selects a third gateway from the first gateway cluster and selects a fourth gateway from the second gateway cluster.
11. The method of claim 9, wherein after the symmetric key is generated according to a preset algorithm, the method further comprises:
the third gateway encrypts the symmetric key by using the first public key to obtain a first encrypted symmetric key, and uploads the first encrypted symmetric key to the central platform;
the fourth gateway encrypts the symmetric key by using the second public key to obtain a second encrypted symmetric key, and uploads the second encrypted symmetric key to the central platform;
the central platform issues the first encrypted symmetric key to the first gateway cluster, and issues the second encrypted symmetric key to the second gateway cluster;
each gateway in the first gateway cluster decrypts the first encrypted symmetric key by using the first private key to obtain the symmetric key;
and each gateway in the second gateway cluster decrypts the second encrypted symmetric key by using the second private key to obtain the symmetric key.
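The key establishment of claims 8 to 11 has two stages: the third and fourth gateways exchange random contributions under each other's public key and derive one symmetric key from both, then each side re-encrypts that key under its own participant's public key so the central platform can fan it out to the whole gateway cluster without ever seeing it in the clear. The block below is an added example for this page, not the patent's or Alipay's code. The claims do not name the public-key scheme or the "preset algorithm"; the example assumes HMAC-SHA256 for the derivation and uses a textbook RSA stand-in over fixed Mersenne primes so it runs offline, which is a teaching device only, not a secure encryption scheme (no padding, fixed primes). Participant and gateway names are constructed.

```python
"""Constructed example: gateway key agreement (claims 8, 9) and cluster
distribution via the central platform (claim 11), simulated in one process."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

_E = 65537          # public exponent of the toy scheme
KEY_LEN = 16        # length of the first and second keys (contributions)
SK_LEN = 32         # length of the derived symmetric key


@dataclass(frozen=True)
class KeyPair:
    """Toy textbook-RSA key pair standing in for the unspecified public-key scheme.
    NOT secure: no padding and fixed primes. The private exponent is held by
    every gateway of the participant's cluster, as claim 11 requires."""
    n: int
    e: int
    d: int


def toy_keypair(p: int, q: int) -> KeyPair:
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, _E, pow(_E, -1, phi))   # modular inverse needs Python 3.8+


def pk_encrypt(pub: KeyPair, data: bytes) -> int:
    m = int.from_bytes(data, "big")
    if m >= pub.n:
        raise ValueError("plaintext too large for the toy modulus")
    return pow(m, pub.e, pub.n)


def pk_decrypt(priv: KeyPair, ciphertext: int, length: int) -> bytes:
    return pow(ciphertext, priv.d, priv.n).to_bytes(length, "big")


@dataclass(frozen=True)
class Participant:
    name: str
    keys: KeyPair       # participant-level key pair shared by its gateway cluster
    gateways: tuple     # gateway ids in the cluster (constructed)


def derive_symmetric_key(first_key: bytes, second_key: bytes) -> bytes:
    """Assumed 'preset algorithm': HMAC-SHA256 keyed with the first key over a
    label and the second key, so the result depends on both contributions and
    neither gateway can choose the final key on its own."""
    return hmac.new(first_key, b"mpc-gateway-shared-key|" + second_key, hashlib.sha256).digest()


def gateway_key_agreement(first: Participant, second: Participant) -> tuple[bytes, bytes]:
    """Claims 8 and 9: the third gateway (first participant) and the fourth gateway
    (second participant) exchange contributions under each other's public key.
    Returns the key as computed by each side so the caller can confirm agreement."""
    # third gateway: generate the first key, encrypt it for the second participant
    first_key = secrets.token_bytes(KEY_LEN)
    first_encryption_key = pk_encrypt(second.keys, first_key)
    # fourth gateway: recover the first key, answer with a second key for the first participant
    first_key_at_fourth = pk_decrypt(second.keys, first_encryption_key, KEY_LEN)
    second_key = secrets.token_bytes(KEY_LEN)
    second_encryption_key = pk_encrypt(first.keys, second_key)
    # third gateway: recover the second key; both sides now derive the symmetric key
    second_key_at_third = pk_decrypt(first.keys, second_encryption_key, KEY_LEN)
    sk_third = derive_symmetric_key(first_key, second_key_at_third)
    sk_fourth = derive_symmetric_key(first_key_at_fourth, second_key)
    return sk_third, sk_fourth


def distribute_to_cluster(participant: Participant, sk: bytes) -> dict:
    """Claim 11: one gateway encrypts the symmetric key under its own participant's
    public key and uploads it; the central platform relays only that ciphertext;
    each gateway in the cluster decrypts with the shared private key."""
    held_by_central_platform = pk_encrypt(participant.keys, sk)   # all the platform sees
    return {gw: pk_decrypt(participant.keys, held_by_central_platform, SK_LEN)
            for gw in participant.gateways}


def run_demo() -> tuple[bytes, dict, dict]:
    # Constructed participants; the primes are Mersenne primes chosen so the toy
    # moduli are large enough to carry a 32-byte key.
    party_a = Participant("A", toy_keypair(2**127 - 1, 2**521 - 1), ("gw-a1", "gw-a2", "gw-a3"))
    party_b = Participant("B", toy_keypair(2**107 - 1, 2**607 - 1), ("gw-b1", "gw-b2"))
    sk_third, sk_fourth = gateway_key_agreement(party_a, party_b)
    if not hmac.compare_digest(sk_third, sk_fourth):
        raise RuntimeError("third and fourth gateway derived different keys")
    return sk_third, distribute_to_cluster(party_a, sk_third), distribute_to_cluster(party_b, sk_fourth)


if __name__ == "__main__":
    sk, keys_a, keys_b = run_demo()
    print(f"shared key {sk.hex()} reached {len(keys_a) + len(keys_b)} gateways")
```

The property to check in a real deployment is the one `distribute_to_cluster` makes explicit: the central platform stores and forwards only ciphertext under the participant's own public key, so confidentiality of the cluster-wide symmetric key rests entirely on the participant's private key staying inside its gateways. Anything that replaces the toy scheme should be an authenticated, padded public-key encryption (RSA-OAEP or a KEM), since the exchange as claimed has no signature binding the contributions to the gateways that sent them.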
12. A routing system in multiparty secure computing, the system comprising:
a first computing participant, configured to receive, through a first gateway of the first computing participant, an access request from a first application of the first computing participant, wherein the access request carries a domain name of a second application to be accessed; determine, through the first gateway, that the second application belongs to a second computing participant according to the domain name of the second application; take, through the first gateway, the second computing participant as a target node and search a first routing table for the address of a first relay node of the next hop; and send, through the first gateway, the access request to a first relay gateway of the first relay node according to the address of the first relay node;
the first relay node, configured to forward, through the first relay gateway, the access request to a second gateway of the second computing participant;
the second computing participant, configured to forward the access request to the second application through the second gateway, wherein the first application and the second application are used for executing multiparty security computation;
the first computing participant is further configured to send, by the first application, a domain name resolution request to a first domain name resolver of the first computing participant before receiving, by the first gateway, the access request from the first application, where the domain name resolution request carries the domain name of the second application; determine, through the first domain name resolver, whether the second application belongs to the first computing participant according to the domain name of the second application; when the first domain name resolver determines that the second application does not belong to the first computing participant, resolve a gateway network protocol (IP) address of the first gateway and return the gateway IP address to the first application; and send, by the first application, the access request to the first gateway according to the gateway IP address.
13. The system of claim 12, wherein the domain name of each application comprises: an application identifier and a domain identifier of a computing participant in which the application is located;
the first computing participant is specifically configured to determine, by using the first domain name resolver, whether the second application belongs to the first computing participant according to whether a domain identifier included in the domain name of the second application is a domain identifier of the first computing participant.
14. The system of claim 12, wherein the domain name of each application comprises: an application identifier and a domain identifier of a computing participant in which the application is located;
the first computing participant is specifically configured to determine, through the first gateway, that the second application belongs to the second computing participant according to a domain identifier included in a domain name of the second application as a domain identifier of the second computing participant.
15. The system of claim 12, wherein the first computing participant is specifically configured to, with the second computing participant as a target node, find a first relay node of a next hop corresponding to the target node from a first routing table through the first gateway; and the first gateway takes the first relay node as a target node, and searches the address of the first relay node from the first routing table.
16. The system of claim 12, wherein the first relay node is specifically configured to determine, by the first relay gateway, that the second application belongs to a second computing participant according to a domain name of the second application; the first relay gateway takes the second computing participant as a target node, and searches the address of a second relay node of the next hop from a second routing table; and the first relay gateway sends the access request to a second relay gateway of the second relay node according to the address of the second relay node, so that the second relay gateway forwards the access request to a second gateway of the second computing participant, and the second gateway forwards the access request to the second application.
17. The system of claim 12, wherein the first relay node is specifically configured to determine, by the first relay gateway, that the second application belongs to a second computing participant according to a domain name of the second application; the first relay gateway takes the second computing participant as a target node, and searches the address of the second computing participant from a second routing table; and the first relay gateway sends the access request to a second gateway of the second computing participant according to the address of the second computing participant, and the second gateway forwards the access request to the second application.
18. The system of claim 12, wherein the first computing participant is operable to encrypt the access request through the first gateway with a symmetric key shared with the second computing participant; and sending the encrypted access request to a first relay gateway of the first relay node according to the address of the first relay node, so that the first relay gateway forwards the encrypted access request to a second gateway of the second computing participant, and the second gateway decrypts the encrypted access request by using the symmetric key shared with the first computing participant to obtain the access request and forwards the access request to the second application.
19. The system of claim 18, wherein the first computing participant has a first gateway cluster of a plurality of gateways and the second computing participant has a second gateway cluster of a plurality of gateways; the symmetric key is generated in the following way:
generating a first key by a third gateway corresponding to the first computing participant, encrypting the first key by using a second public key of the second computing participant to obtain a first encryption key, and sending the first encryption key to a fourth gateway corresponding to the second computing participant;
the fourth gateway decrypts the first encryption key by using a second private key corresponding to the second public key to obtain the first key;
the fourth gateway generates a second key, encrypts the second key by using the first public key of the first computing participant to obtain a second encryption key, and sends the second encryption key to the third gateway;
the third gateway decrypts the second encryption key by using a first private key corresponding to the first public key to obtain the second key;
and the third gateway and the fourth gateway each generate the symmetric key from the first key and the second key according to a preset algorithm.
20. The system of claim 19, wherein the system further comprises:
and a central platform, configured to issue the first public key to the fourth gateway and the second public key to the third gateway before the third gateway generates the first key.
21. The system of claim 20, wherein the central platform is further configured to select a third gateway from the first gateway cluster and a fourth gateway from the second gateway cluster before issuing the first public key to the fourth gateway and the second public key to the third gateway.
22. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-11.
23. A computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements the method of any of claims 1-11.
CN202110844584.0A 2021-07-26 2021-07-26 Routing method and system in multiparty security computation Active CN113472668B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110844584.0A CN113472668B (en) 2021-07-26 2021-07-26 Routing method and system in multiparty security computation

Publications (2)

Publication Number Publication Date
CN113472668A CN113472668A (en) 2021-10-01
CN113472668B true CN113472668B (en) 2023-06-20

Family

ID=77882460

Country Status (1)

Country Link
CN (1) CN113472668B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553567B (en) * 2022-02-25 2024-02-06 蚂蚁区块链科技(上海)有限公司 Network transmission method, system, storage medium and computing device in multiparty security computing
CN114827031B (en) * 2022-04-21 2023-05-09 中国电子科技集团公司第三十研究所 Routing table security query method based on secure multiparty calculation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519402A (en) * 2019-07-25 2019-11-29 烽火通信科技股份有限公司 Entity home gateway access of virtual home gateway method, equipment and system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2323221A1 (en) * 2000-08-18 2002-02-18 Etunnels Inc. Method and apparatus for data communication between a plurality of parties
US7788378B2 (en) * 2005-04-22 2010-08-31 Microsoft Corporation Apparatus and method for community relay node discovery
US8266672B2 (en) * 2008-03-21 2012-09-11 Sophos Plc Method and system for network identification via DNS
AU2018347193B2 (en) * 2018-11-16 2020-05-14 Advanced New Technologies Co., Ltd. Cross-chain interactions using a domain name scheme in blockchain systems
CN113037891B (en) * 2021-03-26 2022-04-08 腾讯科技(深圳)有限公司 Access method and device for stateful application in edge computing system and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant