CN113742709A - Information processing method and device, readable medium and electronic equipment - Google Patents

Information processing method and device, readable medium and electronic equipment Download PDF

Info

Publication number
CN113742709A
CN113742709A CN202111070777.1A CN202111070777A CN113742709A CN 113742709 A CN113742709 A CN 113742709A CN 202111070777 A CN202111070777 A CN 202111070777A CN 113742709 A CN113742709 A CN 113742709A
Authority
CN
China
Prior art keywords
processing
information
data
key
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111070777.1A
Other languages
Chinese (zh)
Inventor
张尧
蔡权伟
王聪
刘洋
吴烨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing ByteDance Network Technology Co Ltd
Original Assignee
Beijing ByteDance Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing ByteDance Network Technology Co Ltd filed Critical Beijing ByteDance Network Technology Co Ltd
Priority to CN202111070777.1A priority Critical patent/CN113742709A/en
Publication of CN113742709A publication Critical patent/CN113742709A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Abstract

The disclosure relates to an information processing method, an information processing device, a readable medium and electronic equipment, and relates to the technical field of electronic information processing, wherein the method comprises the following steps: and sending an authentication request to a processing node in the trusted execution environment, wherein the authentication request is used for instructing the processing node to generate authentication information according to the authentication request based on the trusted execution environment. Receiving authentication information sent by a processing node, determining whether the authentication information is generated according to an authentication request, determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node. And receiving a processing result sent by the processing node, and determining repeated target information between the information to be processed and the information to be processed corresponding to other service terminals according to the processing result. The data security can be improved.

Description

Information processing method and device, readable medium and electronic equipment
Technical Field
The present disclosure relates to electronic information processing technology, and in particular, to a method and an apparatus for processing information, a readable medium, and an electronic device.
Background
With the continuous development of electronic information processing technology, the application of the privacy Protection Set Interaction (PSI) technology is more and more emphasized by various industries. The PSI technique allows two parties holding respective data to jointly perform an intersection process on the respective data to obtain common data in the two portions of data. Generally, PSI may be implemented based on a Trusted Execution Environment (TEE), that is, multiple participants send respective data to a hardware device in the Trusted Execution Environment, the hardware device performs an intersection processing on the data sent by the participants, and then the hardware device feeds back an intersection result to each participant. However, the security level of the hardware device in the trusted execution environment is dynamic in practice, and if a hardware bug exists and the CPU microcode is not updated in time, the security level of the hardware device may be lowered, resulting in data leakage.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
In a first aspect, the present disclosure provides a method for processing information, the method including:
sending an authentication request to a processing node in a trusted execution environment, wherein the authentication request is used for instructing the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used for determining whether the processing node is trusted;
receiving the authentication information sent by the processing node, and determining whether the authentication information is generated according to the authentication request;
determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of a target service end according to a preset transaction key to obtain intermediate data, wherein the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in a service system;
encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node;
receiving a processing result sent by the processing node, wherein the processing result is obtained by decrypting the transmission data by the processing node to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends;
and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
In a second aspect, the present disclosure provides a method for processing information, the method comprising:
based on a trusted execution environment, generating authentication information according to an authentication request sent by a target service end, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system;
receiving transmission data sent by the target service end under the condition that the authentication information is determined to be generated according to the authentication request, wherein the transmission data is generated by encrypting intermediate data by the target service end according to a preset encryption mode, the intermediate data is obtained by encrypting information to be processed by the target service end according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system;
decrypting the transmission data to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals;
and sending the processing result to the target service end and the other service ends, wherein the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
In a third aspect, the present disclosure provides an apparatus for processing information, the apparatus comprising:
an authentication module, configured to send an authentication request to a processing node in a trusted execution environment, where the authentication request is used to instruct the processing node to generate, based on the trusted execution environment, authentication information according to the authentication request, where the authentication information is used to determine whether the processing node is trusted;
the confirming module is used for receiving the authentication information sent by the processing node and determining whether the authentication information is generated according to the authentication request;
the processing module is used for determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of the target service end according to a preset intersection key to obtain intermediate data, wherein the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system;
the sending module is used for encrypting the intermediate data according to a preset encryption mode to obtain transmission data and sending the transmission data to the processing node;
a receiving module, configured to receive a processing result sent by the processing node, where the processing result is obtained by decrypting, by the processing node, the transmission data to obtain intermediate data, and performing intersection processing on the intermediate data and intermediate data corresponding to the other service terminals; and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
In a fourth aspect, the present disclosure provides an apparatus for processing information, the apparatus comprising:
the authentication module is used for generating authentication information according to an authentication request sent by a target service end based on a trusted execution environment, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system;
a receiving module, configured to receive transmission data sent by the target service end when it is determined that the authentication information is generated according to the authentication request, where the transmission data is generated by encrypting, by the target service end, intermediate data in a preset encryption manner, the intermediate data is obtained by encrypting, by the target service end, information to be processed according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends in the service system except the target service end;
the intersection module is used for decrypting the transmission data to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends;
and the sending module is used for sending the processing result to the target service end and the other service ends, and the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
In a fifth aspect, the present disclosure provides a computer readable medium having stored thereon a computer program which, when executed by a processing apparatus, performs the steps of the method of the first aspect of the present disclosure.
In a sixth aspect, the present disclosure provides an electronic device comprising:
a storage device having a computer program stored thereon;
processing means for executing the computer program in the storage means to implement the steps of the method of the first aspect of the present disclosure.
In a seventh aspect, the present disclosure provides a computer readable medium having stored thereon a computer program which, when executed by a processing apparatus, performs the steps of the method of the second aspect of the present disclosure.
In an eighth aspect, the present disclosure provides an electronic device comprising:
a storage device having a computer program stored thereon;
processing means for executing the computer program in the storage means to implement the steps of the method of the second aspect of the present disclosure.
Through the technical scheme, the target service end firstly sends the authentication request to the processing node, and the processing node generates the authentication information for determining whether the processing node is credible or not based on the credible execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale. In the drawings:
FIG. 1 is a schematic illustration of a deployment of an information handling system;
FIG. 2 is a flow diagram illustrating a method of processing information in accordance with an exemplary embodiment;
FIG. 3 is a flow chart illustrating another method of processing information in accordance with an exemplary embodiment;
FIG. 4 is a flow diagram illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 5 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 6 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 7 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 8 is a flow chart illustrating a method of processing information in accordance with an exemplary embodiment;
FIG. 9 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 10 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 11 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 12 is a flow chart illustrating another method of processing information in accordance with an illustrative embodiment;
FIG. 13 is a block diagram illustrating an apparatus for processing information in accordance with an exemplary embodiment;
FIG. 14 is a block diagram illustrating another information processing apparatus according to an example embodiment;
FIG. 15 is a block diagram illustrating another information processing apparatus according to an example embodiment;
FIG. 16 is a block diagram illustrating another information processing apparatus according to an example embodiment;
FIG. 17 is a block diagram illustrating an apparatus for processing information in accordance with an exemplary embodiment;
FIG. 18 is a block diagram illustrating another information processing apparatus according to an example embodiment;
FIG. 19 is a block diagram illustrating an electronic device in accordance with an example embodiment.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
Before introducing the information processing method, apparatus, readable medium and electronic device provided by the present disclosure, an application scenario related to various embodiments of the present disclosure is first introduced. The application scenario may be an information processing system 100 for implementing PSI, as shown in fig. 1, which includes: the service system comprises a plurality of service terminals 101, and the trusted execution environment comprises one or more processing nodes. The services processed by each service end 101 in the service system may have an association therebetween, and each service end 101 stores respective information to be processed. When a plurality of business terminals 101 need to cooperate (for example, federal learning, advertisement hiding, financial wind control, etc.), the intersection of the information to be processed of each of the business terminals 101 needs to be obtained without revealing any additional information, where the additional information refers to any information except the intersection. The service end 101 may include, but is not limited to, a mobile terminal, a fixed terminal, a server, and the like.
One or more hardware devices, such as servers, may be deployed in the trusted execution environment, and a processing node may be understood as a process created on the hardware devices based on the trusted execution environment. Further, the processing node may include an authentication node 1021 and a plurality of working nodes 1022, where the authentication node 1021 and the working nodes 1022 may be understood as processes that are isolated from each other and can run in parallel, and the authentication node 1021 and the working nodes 1022 may be disposed on the same hardware device or may be disposed on different hardware devices, which is not limited in this disclosure. It should be noted that, the implementations of the trusted execution environment mentioned in the present disclosure may include, but are not limited to: intel SGX (English: Intel Software Guard Extensions), AMD SEV (AMD Secure Encrypted visualization), ARM TrustZone, and the like.
Fig. 2 is a flow chart illustrating a method of processing information, as shown in fig. 2, according to an example embodiment, the method comprising:
step 201, sending an authentication request to a processing node in the trusted execution environment, where the authentication request is used to instruct the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used to determine whether the processing node is trusted.
Step 202, receiving the authentication information sent by the processing node, and determining whether the authentication information is generated according to the authentication request.
For example, the execution subject of the embodiment of the present disclosure is a target service end in a service system, and the target service end may be understood as any service end in the service system, and correspondingly, other service ends except the target service end in the service system are other service ends. The target service end and other service ends can be mutually converted. When the target service end needs to cooperate with other service ends to determine the intersection of respective information to be processed, an authentication request may be sent to a processing node in the trusted execution environment, where the authentication request is used to indicate that the processing node generates authentication information based on the trusted execution environment according to the authentication request, and correspondingly, the authentication information is used to verify whether the processing node is trusted. The authentication request may be, for example, a randomly generated, fixed length (e.g., 32 byte) string. After receiving the authentication request, the processing node may generate authentication information according to the authentication request, and feed back the authentication information to the target service end, so that the target service end determines whether the authentication information is generated according to the authentication request, or determines whether the authentication request is matched with the authentication information. It is understood that the authentication information generated by the processing nodes and the authentication request are mutually anchored, and can mutually verify the respective identities. If the authentication information is generated from the authentication request, i.e. the authentication request matches the authentication information, it is said that the processing node is authentic. If the authentication information is not generated according to the authentication request, the processing node is not trusted, and the target service end can give up executing subsequent steps or send the authentication request to the trusted execution environment again until the authentication information is determined to be generated according to the authentication request.
Step 203, determining that the processing node is trusted when the authentication information is generated according to the authentication request, and encrypting the information to be processed of the target service end according to a preset transaction key to obtain intermediate data, wherein the transaction key is generated by the target service end and other service ends, and the other service ends are service ends except the target service end in the service system.
For example, when the target service end determines that the authentication information is generated according to the authentication request, it may determine that the processing node is trusted, and may encrypt the information to be processed according to a preset rendezvous key to obtain intermediate data. The key is generated by the target service terminal and other service terminals together, and the other service terminals are one or more service terminals except the target service terminal in the service system. It is understood that the rendezvous key is a key that is determined by participation of all service terminals in the service system, and the processing node does not know the rendezvous key.
Specifically, the information to be processed is encrypted according to the intersection key, the intersection key may be used as a key, the information to be processed is encrypted by using a hash algorithm with the key, or the information to be processed is encrypted by using a symmetric encryption algorithm (for example, AES-256) with the key, which is not specifically limited in this disclosure. The information to be processed may be, for example, a large amount of ID information including: { ID1,ID2,…,IDi,…,IDNWhere, IDiIndicating the ith of the N ID information. Then the intermediate data may be represented as F (key, ID)i) And F denotes an algorithm for encrypting information to be processed.
And step 204, encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node.
And step 205, receiving a processing result sent by the processing node, where the processing result is obtained by decrypting the transmission data by the processing node to obtain intermediate data and performing intersection processing on the intermediate data and intermediate data corresponding to other service ends.
And step 206, determining repeated target information between the information to be processed and the information to be processed corresponding to other service terminals according to the processing result.
For example, after obtaining the intermediate data, the target service end may encrypt the intermediate data according to a preset encryption manner to generate the transmission data. For example, the intermediate data may be packed according to a packing rule agreed with the processing node in advance to obtain the transmission data, or the intermediate data may be encrypted by using an encryption method agreed with the processing node in advance to obtain the transmission data, which is not limited in this disclosure. The target service end may then send the transmission data to the processing node. The processing node may decrypt the transmitted data to obtain intermediate data. For example, the processing node may parse the transmission data according to the corresponding packing rule to obtain the intermediate data therein, and the processing node may also decrypt the transmission data by using the corresponding decryption method to obtain the intermediate data therein.
And then, the processing node can perform intersection processing on the intermediate data and the intermediate data corresponding to other service ends, and send the processing result to the target service end and other service ends. The intermediate data corresponding to the other service end may be understood as intermediate data that is obtained by the processing node receiving the transmission data sent to the processing node in steps 201 to 204 executed by the other service end and extracting the transmission data therefrom. Finally, the target service end may receive the processing result sent by the processing node, and meanwhile, other service ends may also receive the processing result sent by the processing node. Further, the target service end (or other service ends) may decrypt the processing result according to the intersection key to obtain which information is repeated with the information to be processed of other service ends in the information to be processed, that is, the target information is the intersection of the information to be processed of the target service end and the information to be processed of other service ends. Because the processing node does not know the secret key for transaction, even if the processing node has a hardware bug, a malicious third party can only obtain the intermediate data from the processing node at most and cannot obtain the original information to be processed, so that the leakage of the data is avoided, and the safety of the data is improved. Meanwhile, the intersection key is generated between all the service ends, so that the intersected parts in the respective information to be processed are still intersected through encryption processing of the intersection key, and the correctness of the processing result obtained by executing intersection processing by the processing node is ensured.
After obtaining the target information, each service end in the service system may perform a designation process using the target information, where the designation process may include, for example: federal learning, advertisement hiding, financial wind control, etc. For example, each service end in the service system is a shopping platform, and each shopping platform wants to use its own shopping information to perform federal learning, to predict CTR (english: Click-Through-Rate, chinese: Click Through Rate), or to train a recommendation model. Each shopping platform stores a large amount of user IDs as information to be processed. Each shopping platform can execute steps 201 to 206 to obtain the intersection (i.e. target information) of the user IDs of all shopping platforms in the service system, that is, each shopping platform can know which users are common users in the service system. Each shopping platform may then integrate the shopping information corresponding to the common user to enable federal learning.
In summary, in the present disclosure, the target service end first sends an authentication request to the processing node, and the processing node generates authentication information for determining whether the processing node is trusted based on the trusted execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Fig. 3 is a flowchart illustrating another information processing method according to an exemplary embodiment, where, as shown in fig. 3, the authentication request includes a randomly generated declaration string, and the step 202 may be implemented by:
step 2021, acquiring a signature public key, a transmission public key, signature data and verification data included in the authentication information, where the signature data is obtained by the processing node by signing the declaration string with a signature private key corresponding to the signature public key, the verification data is generated by the processing node based on the trusted execution environment according to the signature public key and the transmission public key, and the verification data is used for verifying the trusted execution environment.
For example, the authentication request may include a randomly generated declaration string, which may be denoted as nonce, for example. The authentication information generated by the processing node according to the authentication request may include signature data, verification data, signature data, and verification data. Specifically, after receiving the authentication request, the processing node may generate a public signature key and a corresponding private signature key (the public signature key may be denoted as PK1, and the private signature key may be denoted as SK1), and generate a public transport key and a corresponding private transport key (the public transport key may be denoted as PK2, and the private transport key may be denoted as SK 2). The generation (PK1, SK1), (PK2, SK2) may be any method for generating public and private keys, such as RSA-3072, which is not specifically limited by the present disclosure. The processing node may then sign the nonce with SK1, resulting in signed data, which may be denoted as Sig. The processing node may then generate check data from PK1 and PK2 based on the trusted execution environment, which may be denoted Proof. Verification data may be understood as data generated using CPU microcode of a hardware device in the trusted execution environment to validate the trusted execution environment with PK1 and PK2 as input parameters. In particular, the Proof may be divided into two parts, a first part for verifying the trusted execution environment and a second part for storing data generated according to PK1 and PK2, thereby enabling the verification data and PK1 and PK2 to be anchored to each other, i.e. to be mutually verified. For example, PK1 and PK2 may be hashed separately, and the resulting hash values are concatenated, i.e., hash (PK1) | hash (PK2), to obtain 64 bytes of data as the second part in the Proof. If the trusted execution environment is implemented in Intel SGX, Proof is SGXQuote, and hash (PK1) | hash (PK2) can be stored in the reportdata field in SGXQuote.
Finally, the processing node can generate authentication information from the signature public key, the transmission public key, the signature data and the verification data according to a preset format, and send the authentication information to the target service end, wherein the authentication information includes: proof + Sig + PK1+ PK 2. The target service end can extract the signature public key, the transmission public key, the signature data and the verification data from the authentication information.
Step 2022, if the authentication information satisfies the predetermined condition, determining that the authentication information is generated according to the authentication request.
For example, the target service end may determine whether the authentication information is generated according to the authentication request by judging whether the signature public key, the transmission public key, the signature data, and the verification data satisfy a preset condition. Specifically, the preset conditions may include: if the verification data passes the verification, it can be understood that the trusted execution environment is verified according to the verification data. And secondly, generating the verification data according to the signature public key and the transmission public key, wherein the target service end acquires a second part in the verification data, and then compares the second part with the signature public key and the transmission public key to determine whether the verification data is generated according to the signature public key and the transmission public key. For example, the second part of the verification data is hash (PK1) | hash (PK2), then the target service end may also perform hash operation on PK1 and PK2, and splice the obtained hash values, if the splicing result is the same as hash (PK1) | hash (PK2), then the verification data is generated according to the signature public key and the transmission public key, which can be understood as that the verification data matches the signature public key and the transmission public key, and if the splicing result is different from hash (PK1) | hash (PK2), then the verification data is not generated according to the signature public key and the transmission public key, that is, the verification data does not match the signature public key and the transmission public key. And thirdly, performing signature verification on the signature data by using the signature public key, wherein the signature verification result is matched with the declaration character string. That is, the signature of Sig is verified by PK1, and the result is compared with nonce, and if the result is the same as nonce, the condition three is satisfied, and if the result is not the same as nonce, the condition three is not satisfied.
Fig. 4 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 4, the implementation manner of step 204 may include:
step 2041, encrypt the intermediate data according to the randomly generated session key to obtain a data cipher text, and encrypt the session key according to the transmission public key included in the authentication information to obtain a key cipher text.
And step 2042, generating transmission data according to the data ciphertext and the key ciphertext.
Step 2043, the transmission data is sent to the processing node, the processing node is used for decrypting the key ciphertext according to the transmission private key corresponding to the transmission public key to obtain a session key, decrypting the data ciphertext according to the session key to obtain intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to other service ends.
For example, the target service end may first randomly generate a session key, and the size of the session key may be 256 bits, for example. Thereafter, the intermediate data is encrypted by using the session key to obtain a data ciphertext, and the encryption mode may be, for example, AES-GCM-256, which is not specifically limited by the present disclosure. Meanwhile, the target service end can also encrypt the session key by using the transmission public key to obtain a key ciphertext. And then, generating transmission data according to the data ciphertext and the key ciphertext. For example, the data cipher text and the key cipher text may be encapsulated in a data envelope format to obtain the transmission data. And finally, transmitting the transmission data to a processing node.
Correspondingly, the processing node decrypts the key ciphertext according to the transmission private key corresponding to the transmission public key, so as to obtain the session key included in the key ciphertext. And then, the data ciphertext is decrypted according to the session key to obtain the intermediate data included in the data ciphertext. Therefore, the processing node can obtain the intermediate data and carry out intersection processing on the intermediate data and the intermediate data corresponding to other service ends. Because the processing node does not know the key for transaction, the original information to be processed cannot be obtained from the intermediate data, and the safety of the information to be processed is ensured. Meanwhile, the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends are encrypted by the intersection key, so that the processing result obtained by intersection processing of the processing node on the intermediate data is consistent with the intersection processing of the original information to be processed directly.
In an application scenario, step 206 may be implemented as follows:
and decrypting the processing result according to the session key to obtain the target information. And the processing result is obtained by encrypting the result of the intersection processing by the processing node according to the session key.
For example, the processing node performs intersection processing on the intermediate data and the intermediate data corresponding to other service ends to obtain an intersection of the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends. Before sending the result of the intersection processing to the target service end and other service ends, the processing node may encrypt the result of the intersection processing to send the result as a processing result to the target service end and other service ends, thereby further improving the security of data. For example, the result of the rendezvous process may be encrypted according to the session key obtained from the key cipher, and sent to the target service end. Correspondingly, the target service end can decrypt the processing result according to the session key, so as to obtain the intersection of the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends. Further, different service terminals have their corresponding session keys (i.e., the target service terminal does not know the session keys of other service terminals). For each service end, the processing node may encrypt the result of the rendezvous processing by using the session key corresponding to the service end, and send the processing result to the service end. Correspondingly, the service end can decrypt the processing result by using the corresponding session key.
Fig. 5 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 5, before step 201, the method may further include:
step 207, determining an intersection key with at least one other service end through a preset handshake protocol.
For example, the exchange key may be obtained by negotiation between all service terminals that need to participate in the exchange process, and the exchange key may be generated by a plurality of service terminals through a preset handshake protocol. The handshake protocol may be, for example, a Diffie-Hellman handshake protocol, a BD (BD-license) group key agreement protocol, or another protocol capable of participating in the common key establishment by multiple parties, which is not specifically limited by this disclosure.
Fig. 6 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 6, step 207 may be implemented by:
step 2071, processing the preset generation element according to the randomly generated first processing factor to obtain a first initial key, and sending the first initial key to other service terminals, where the other service terminals are configured to process the first initial key according to the randomly generated second processing factor to obtain an intersection key.
Step 2072, receiving a second initial key sent by the other service end, where the second initial key is obtained by processing the generator by the other service end according to the second processing factor.
Step 2073, process the second initial key according to the first processing factor to obtain the intersection key.
For example, the target service end may randomly generate a first processing factor a, and then process a preset generator g by using the first processing factor, so as toA first initial key is obtained. The generator may be a value predetermined between the target service end and another service end. The way of processing the generator with the first processing factor may be, for example, performing an exponentiation, i.e. the first initial key is ga
And then, the target service end sends the first initial key to other service ends, and the other service ends process the first initial key by using a second processing factor b generated randomly to obtain an intersection key. The first initial key may be processed by the second processing factor in the same way as an exponentiation, i.e. an intersection key (g)a)b. Meanwhile, other service terminals can also process the generator g by using a second processing factor to obtain a second initial key, and send the second initial key to the target service terminal. Similarly, after receiving the second initial key, the target service end processes the second initial key according to the first processing factor to obtain the rendezvous key. The second initial key may also be processed by the first processing factor in the form of an exponentiation, i.e. an intersection key (g)b)a. Thus, the target service end and other service ends obtain the intersection key.
Fig. 7 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 7, a processing node includes: an authentication node and a first number of worker nodes.
In one application scenario, the trusted execution environment includes two processing nodes, one is an authentication node for generating authentication information, and the other is a work node for performing an intersection process. The number of the working nodes may be a first number, and the first number may be 2 or more than 2, for example.
Accordingly, the implementation manner of step 201 may be:
and sending an authentication request to the authentication node, wherein the authentication request is used for indicating the authentication node to generate authentication information according to the authentication request based on the trusted execution environment, and enabling the first number of working nodes.
The implementation of step 202 may be:
and receiving authentication information sent by the authentication node.
For example, the target service end may send an authentication request to the authentication node, and the authentication node generates authentication information according to the authentication request and feeds back the authentication information to the target service end. The authentication node may also enable the first number of working nodes while generating the authentication information. Furthermore, when the authentication node starts the working node, the authentication node can perform bidirectional internal authentication with the working node, and after the authentication is passed, the transmission public key and the transmission private key are synchronized to each working node. Accordingly, the target service end may receive authentication information from the authentication node.
Step 204 may include:
step 2044, assign a plurality of values included in the intermediate data to a second number of value groupings.
Step 2045, encrypt each value packet according to encryption method, generate corresponding transmission packet, and obtain the transmission data including the second number of transmission packets.
Step 2046, for each transmission packet, according to the correspondence between the identifier of the transmission packet and the identifier of the working node, sending the transmission packet to the corresponding working node, where the corresponding working node is configured to decrypt the transmission packet to obtain a corresponding value packet, and perform intersection processing on the value packet and the value packets corresponding to other service terminals.
For example, the amount of data of the information to be processed is often large, and the intersection processing is streaming processing, so that the intersection efficiency of a large amount of data is low. Therefore, the intermediate data can be divided into a plurality of groups, and the first number of working nodes process the plurality of groups in parallel, so that distributed streaming intersection is realized, and the effect of improving the intersection processing efficiency is achieved.
Specifically, a plurality of numerical values included in the intermediate data may be assigned to the second number of numerical value groups. The second number may be the same as the first number, and may be different. Each value grouping includes at least one value. The dividing value grouping mode may be to establish a second number of value groups in advance, perform a remainder operation on the second number according to the lowest bit (or the highest bit, or a designated bit) of each value, and divide the data according to a remainder result. For example, the second number is M, and each value group corresponds to a sequence number M, where M belongs to [0, M-1 ]. If the lowest bit of a value is x, y is mod (x, M), the value is divided into value groups with sequence number y.
Thereafter, a corresponding transport packet may be generated from each value packet to obtain transport data comprising a second number of transport packets. That is, the transmission packet includes the values in the corresponding value packet. The manner of generating the transmission packet according to the value packet is the same as the manner of generating the transmission data according to the intermediate data, and is not described herein again.
Finally, for each transmission packet, the transmission packet may be sent to the corresponding working node according to the correspondence between the identifier of the transmission packet and the identifier of the working node. The corresponding working node can obtain the corresponding numerical value grouping from the transmission grouping and carry out intersection processing on the numerical value grouping and the numerical value grouping corresponding to other service ends. The manner in which the working node obtains the corresponding value packet from the transmission packet is the same as the manner in which the working node obtains the intermediate data from the transmission data, and is not described herein again.
The correspondence between the identifier of the transmission packet and the identifier of the working node may be predetermined, or may be determined according to a preset algorithm. For example, the identity of the transport packet may be complemented by the first number to obtain the identity of the working node. For example, the first number is N, and the identifier corresponding to each working node is N, where N belongs to [0, N-1 ]. If the identifier of a certain transmission packet is p, q is mod (p, N), then the identifier of the working node corresponding to the transmission packet is q.
Step 206 may be used to:
and combining the processing results sent by the first number of working nodes to determine the target information.
For example, after receiving the first number of processing results sent by the first number of working nodes, the target service end may merge the first number of processing results to obtain target information, that is, a result of intersection between the information to be processed and information to be processed of other service ends. Specifically, if each working node encrypts the result of the intersection processing by using the session key, the target service end may first decrypt the first number of processing results by using the session key to obtain the first number of results of the intersection processing, then merge the first number of results of the intersection processing, and finally decrypt the merged results according to the intersection key to obtain the target information.
It should be noted that the working node may be deleted by the authentication node after the performing of the transaction processing is completed, which may be understood as that the authentication node deletes the process corresponding to the working node, and the working node is enabled by the authentication node when the transaction processing is required next time. After the working node executes the transaction processing, the working node may also be suspended by the authentication node to wait for the next transaction processing, which is not specifically limited by the present disclosure.
In an application scenario, step 2044 may be implemented by:
first, for each numerical value, the numerical value is assigned to the corresponding numerical value group according to the correspondence between the numerical value and the identifier of the numerical value group.
Thereafter, the numerical values included in each numerical value group are sorted.
For example, when performing intersection processing on data, a processing node generally has two steps of sorting (i.e., sort) and intersection (i.e., join). In order to further implement distributed streaming intersection to improve the efficiency of intersection processing, when the target service end allocates a plurality of numerical values included in the intermediate data to a second number of numerical value groups, the target service end may allocate the numerical values to corresponding numerical value groups according to a correspondence between the numerical values and the identifiers of the numerical value groups. The corresponding relationship between the numerical value and the identifier of the numerical value group may be predetermined, or may be determined according to a preset algorithm. For example, the least significant bit of the value may be complemented by the second number to obtain an identifier of the value group. For example, the second number is M, and each value group corresponds to a sequence number M, where M belongs to [0, M-1 ]. If the lowest bit of a value is x, y is mod (x, M), the value is divided into value groups with sequence number y. Then, the values included in each value group are sorted. Thus, the values included in the value group are arranged in order of magnitude. Correspondingly, when the working node acquires the corresponding numerical value packet from the transmission packet, the ordering processing is not needed, and the intersection processing can be directly carried out, so that the intersection processing efficiency is further improved.
In summary, in the present disclosure, the target service end first sends an authentication request to the processing node, and the processing node generates authentication information for determining whether the processing node is trusted based on the trusted execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Fig. 8 is a flow chart illustrating a method of processing information, as shown in fig. 8, according to an exemplary embodiment, the method including the steps of:
step 301, based on the trusted execution environment, generating authentication information according to an authentication request sent by a target service end, and sending the authentication information to the target service end, where the authentication information is used to determine whether a processing node is trusted, and the target service end is any service end of a service system.
Step 302, receiving transmission data sent by the target service end when the authentication information is determined to be generated according to the authentication request, wherein the transmission data is generated by encrypting intermediate data by the target service end according to a preset encryption mode, the intermediate data is obtained by encrypting information to be processed by the target service end according to a preset transaction key, the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system.
And 303, decrypting the transmission data to obtain intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to other service terminals.
And step 304, sending the processing result to the target service terminal and other service terminals, wherein the target service terminal and other service terminals are used for determining repeated target information between the information to be processed and the information to be processed corresponding to other service terminals according to the processing result.
For example, the execution subject of an embodiment of the present disclosure is a processing node in a trusted execution environment. When the target service end has the information to be processed and needs to cooperate with other service ends to determine the intersection of the respective information to be processed, an authentication request may be sent to a processing node in the trusted execution environment, where the authentication request is used to indicate that the processing node generates authentication information based on the trusted execution environment according to the authentication request, and the authentication information is used to verify whether the processing node is trusted. After receiving the authentication request, the processing node may generate authentication information according to the authentication request, and feed back the authentication information to the target service end, so that the target service end determines whether the authentication information is generated according to the authentication request. It is understood that the authentication information generated by the processing nodes and the authentication request are mutually anchored, and can mutually verify the respective identities. If the authentication information is generated from the authentication request, i.e. the authentication request matches the authentication information, it is said that the processing node is authentic. If the authentication information is not generated from the authentication request, then the processing node is deemed untrusted.
If the target service end determines that the authentication information is generated according to the authentication request, the information to be processed can be encrypted according to a preset transaction key to obtain intermediate data. Then, the target service end may encrypt the intermediate data according to a preset encryption manner to generate transmission data, and send the transmission data to the processing node. It is understood that intermediate data is included in the transmission data. The traffic key is generated by the target service end and other service ends together, and the other service ends are one or more service ends except the target service end in the service system, which can be understood that the traffic key is a key determined by all the service ends participating together in the service system, and the processing node does not know the traffic key.
The processing node may decrypt the transmitted data to obtain intermediate data. For example, the processing node may parse the transmission data according to the corresponding packing rule to obtain the intermediate data therein, and the processing node may also decrypt the transmission data by using the corresponding decryption method to obtain the intermediate data therein.
And finally, the processing node can perform intersection processing on the intermediate data and the intermediate data corresponding to other service ends, and send the processing result to the target service end and other service ends. Accordingly, the target service end may receive the processing result sent by the processing node, and meanwhile, other service ends may also receive the processing result sent by the processing node. Further, the target service end (or other service ends) may decrypt the processing result according to the intersection key to obtain which information is repeated with the information to be processed of other service ends in the information to be processed, that is, the target information is the intersection of the information to be processed of the target service end and the information to be processed of other service ends. Because the processing node does not know the secret key for transaction, even if the processing node has a hardware bug, a malicious third party can only obtain the intermediate data from the processing node at most and cannot obtain the original information to be processed, so that the leakage of the data is avoided, and the safety of the data is improved. Meanwhile, the intersection key is generated between all the service ends, so that the intersected parts in the respective information to be processed are still intersected through encryption processing of the intersection key, and the correctness of the processing result obtained by executing intersection processing by the processing node is ensured.
Fig. 9 is a flowchart illustrating another information processing method according to an exemplary embodiment, where, as shown in fig. 9, the authentication request includes a declaration string randomly generated by the target service, and the implementation manner of step 301 may include:
step 3011, generate a public signature key, a corresponding private signature key, a public transmission key, and a corresponding private transmission key.
Step 3012, sign the declaration string with the private signature key to obtain signature data.
And 3013, generating verification data according to the signature public key and the transmission public key based on the trusted execution environment.
And 3014, generating authentication information according to the signature public key, the transmission public key, the signature data and the verification data.
For example, a randomly generated declaration string may be included in the authentication request, which may be denoted as nonce, for example. The authentication information generated by the processing node according to the authentication request may include signature data, verification data, signature data, and verification data. Specifically, after receiving the authentication request, the processing node may generate a public signature key and a corresponding private signature key (the public signature key may be denoted as PK1, and the private signature key may be denoted as SK1), and generate a public transport key and a corresponding private transport key (the public transport key may be denoted as PK2, and the private transport key may be denoted as SK 2). The generation (PK1, SK1), (PK2, SK2) may be any method for generating public and private keys, such as RSA-3072, which is not specifically limited by the present disclosure. The processing node may then sign the nonce with SK1, resulting in signed data, which may be denoted as Sig. The processing node may then generate check data from PK1 and PK2 based on the trusted execution environment, which may be denoted Proof. Verification data may be understood as data generated using CPU microcode of a hardware device in the trusted execution environment to validate the trusted execution environment with PK1 and PK2 as input parameters. In particular, the Proof may be divided into two parts, a first part for verifying the trusted execution environment and a second part for storing data generated according to PK1 and PK2, thereby enabling the verification data and PK1 and PK2 to be anchored to each other, i.e. to be mutually verified. For example, PK1 and PK2 may be hashed separately, and the resulting hash values are concatenated, i.e., hash (PK1) | hash (PK2), to obtain 64 bytes of data as the second part in the Proof. If the trusted execution environment is implemented in Intel SGX, Proof is SGXQuote, and hash (PK1) | hash (PK2) can be stored in the reportdata field in SGXQuote.
Finally, the processing node can generate authentication information from the signature public key, the transmission public key, the signature data and the verification data according to a preset format, and send the authentication information to the target service end, wherein the authentication information includes: proof + Sig + PK1+ PK 2. Correspondingly, the target service end can extract the signature public key, the transmission public key, the signature data and the verification data from the authentication information so as to determine whether the authentication information is generated according to the authentication request.
Fig. 10 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 10, step 303 may include:
step 3031, the key ciphertext included in the transmission data is decrypted according to the transmission private key to obtain the session key.
Step 3032, the data cipher text included in the transmission data is decrypted according to the session key to obtain the intermediate data.
The key ciphertext is obtained by encrypting the session key by the target service end according to the transmission public key, the data ciphertext is obtained by encrypting the intermediate data by the target service end according to the session key, and the session key is randomly generated by the target service end.
For example, the target service end root may randomly generate a session key, and the size of the session key may be 256 bits, for example. Thereafter, the intermediate data is encrypted by using the session key to obtain a data ciphertext, and the encryption mode may be, for example, AES-GCM-256, which is not specifically limited by the present disclosure. Meanwhile, the target service end can also encrypt the session key by using the transmission public key to obtain a key ciphertext. And then, generating transmission data according to the data ciphertext and the key ciphertext.
Correspondingly, the processing node decrypts the key ciphertext according to the transmission private key corresponding to the transmission public key, so as to obtain the session key included in the key ciphertext. And then, the data ciphertext is decrypted according to the session key to obtain the intermediate data included in the data ciphertext. Therefore, the processing node can obtain the intermediate data and carry out intersection processing on the intermediate data and the intermediate data corresponding to other service ends. Because the processing node does not know the key for transaction, the original information to be processed cannot be obtained from the intermediate data, and the safety of the information to be processed is ensured. Meanwhile, the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends are encrypted by the intersection key, so that the processing result obtained by intersection processing of the processing node on the intermediate data is consistent with the intersection processing of the original information to be processed directly.
Fig. 11 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 11, the implementation manner of step 304 may include:
step 3041, encrypt the result of the transaction processing according to the session key to obtain the processing result.
Step 3042, sending the processing result to the target service end, where the target service end is configured to decrypt the processing result according to the session key to obtain the target information.
For example, the processing node performs intersection processing on the intermediate data and the intermediate data corresponding to other service ends to obtain an intersection of the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends. Before sending the result of the intersection processing to the target service end and other service ends, the processing node may encrypt the result of the intersection processing to send the result as a processing result to the target service end and other service ends, thereby further improving the security of data. For example, the result of the rendezvous process may be encrypted according to the session key obtained from the key cipher, and sent to the target service end. Correspondingly, the target service end can decrypt the processing result according to the session key, so as to obtain the intersection of the intermediate data corresponding to the target service end and the intermediate data corresponding to other service ends. Further, different target service terminals have their corresponding session keys (i.e., the target service terminal does not know the session keys of other service terminals). For each service end, the processing node may encrypt the data to be handed over using the session key corresponding to the service end, and send the processing result to the service end. Correspondingly, the service end can decrypt the processing result by using the corresponding session key.
Fig. 12 is a flowchart illustrating another information processing method according to an exemplary embodiment, and as shown in fig. 12, a processing node includes: an authentication node and a first number of worker nodes. The transmission data comprises a second number of transmission packets, the transmission packets are generated by distributing a plurality of numerical values included in the intermediate data to the second number of numerical value packets for the target service end and encrypting each numerical value packet according to an encryption mode.
In one application scenario, the trusted execution environment includes two processing nodes, one is an authentication node for generating authentication information, and the other is a work node for performing an intersection process. The number of the working nodes may be a first number, and the first number may be 2 or more than 2, for example.
Accordingly, the implementation manner of step 301 may include:
and step 3015, generating authentication information by the authentication node according to the authentication request, and sending the authentication information to the target service end.
At step 3016, a first number of working nodes are enabled by the authentication node.
The implementation of step 302 may be:
and receiving the transmission packet corresponding to the working node through each working node.
Step 303 may include:
step 3033, the corresponding transmission packet is decrypted by the working node to obtain the corresponding numerical value packet.
Step 3034, the numerical value grouping and the numerical value grouping corresponding to other service terminals are subjected to intersection processing through the working node.
The implementation of step 304 may be:
and sending the processing results of the working nodes to a target service end through each working node, wherein the target service end is used for combining the first number of processing results and determining target information.
For example, the target service end may send an authentication request to the authentication node, and the authentication node generates authentication information according to the authentication request and feeds back the authentication information to the target service end. The authentication node may also enable the first number of working nodes while generating the authentication information. Furthermore, when the authentication node starts the working node, the authentication node can perform bidirectional internal authentication with the working node, and after the authentication is passed, the transmission public key and the transmission private key are synchronized to each working node. Accordingly, the target service end may receive authentication information from the authentication node.
The amount of data of the information to be processed is often large, and the intersection processing is streaming processing, so that the intersection efficiency of a large amount of data is low. Therefore, the target service end can divide the intermediate data into a plurality of groups, and the first number of working nodes process the plurality of groups in parallel, thereby realizing distributed streaming intersection and achieving the effect of improving the intersection processing efficiency.
Specifically, the target service end may first allocate a plurality of numerical values included in the intermediate data to a second number of numerical value groups. The second number may be the same as the first number, and may be different. Each value grouping includes at least one value. And then generating corresponding transmission packets according to each numerical value packet to obtain transmission data comprising a second number of transmission packets. Finally, for each transmission packet, the transmission packet may be sent to the corresponding working node according to the correspondence between the identifier of the transmission packet and the identifier of the working node.
Correspondingly, the corresponding working node can obtain the corresponding numerical value packet from the transmission packet, and perform intersection processing on the numerical value packet and the numerical value packets corresponding to other service ends. The manner in which the working node obtains the corresponding value packet from the transmission packet is the same as the manner in which the working node obtains the intermediate data from the transmission data, and is not described herein again.
After receiving the first number of processing results sent by the first number of working nodes, the target service end may merge the first number of processing results, so as to obtain target information, that is, a result of performing intersection between the information to be processed and information to be processed of other service ends. Specifically, if each working node encrypts the result of the intersection processing by using the session key, the target service end may first decrypt the first number of processing results by using the session key to obtain the first number of results of the intersection processing, then merge the first number of results of the intersection processing, and finally decrypt the merged results according to the intersection key to obtain the target information.
It should be noted that the working node may be deleted by the authentication node after the performing of the transaction processing is completed, which may be understood as that the authentication node deletes the process corresponding to the working node, and the working node is enabled by the authentication node when the transaction processing is required next time. After the working node executes the transaction processing, the working node may also be suspended by the authentication node to wait for the next transaction processing, which is not specifically limited by the present disclosure.
In an application scenario, the implementation of step 3016 may include the following steps:
step 1) generating first internal verification data based on the trusted execution environment through the authentication node, wherein the first internal verification data is used for verifying the trusted execution environment.
And step 2) sending first internal verification data to the first number of working nodes through the authentication nodes so that the working nodes verify the first internal verification data.
And 3) receiving second internal verification data generated by each working node based on the trusted execution environment through the authentication node, wherein the second internal verification data is used for verifying the trusted execution environment.
And 4) sending a transmission public key and a corresponding transmission private key to each working node by the authentication node under the condition that each second internal verification data passes the verification, wherein the transmission public key and the transmission private key are used for generating authentication information.
For example, the authentication node may perform bidirectional authentication with the working node when the working node is enabled. Specifically, the authentication node may generate first internal check data based on the trusted execution environment, and then send the first internal check data to each working node. And enabling the working node to check the first internal check data. In contrast to the aforementioned verification data, the first internal verification data does not need to use the signature public key and the transmission public key as input parameters.
Further, the authentication node receives second internal check data generated by each working node based on the trusted execution environment. Wherein the second internal check data may be used to verify the trusted execution environment. The authentication node may send the transmission public key and the corresponding transmission private key to each working node under the condition that it is determined that each second internal verification data passes verification, so that each working node can obtain a corresponding numerical value packet from a corresponding transmission packet.
In summary, in the present disclosure, the target service end first sends an authentication request to the processing node, and the processing node generates authentication information for determining whether the processing node is trusted based on the trusted execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Fig. 13 is a block diagram illustrating an apparatus for processing information according to an exemplary embodiment, and as shown in fig. 13, the apparatus 400 includes:
the authentication module 401 is configured to send an authentication request to a processing node in the trusted execution environment, where the authentication request is used to instruct the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used to determine whether the processing node is trusted.
A confirmation module 402, configured to receive the authentication information sent by the processing node, and determine whether the authentication information is generated according to the authentication request.
The processing module 403 is configured to determine that the processing node is trusted when the authentication information is generated according to the authentication request, and encrypt the to-be-processed information of the target service end according to a preset transaction key to obtain intermediate data, where the transaction key is generated by the target service end and other service ends, and the other service ends are service ends in the service system except the target service end.
The sending module 404 is configured to encrypt the intermediate data according to a preset encryption manner to obtain transmission data, and send the transmission data to the processing node.
The receiving module 405 is configured to receive a processing result sent by the processing node, where the processing result is obtained by decrypting the transmission data by the processing node to obtain intermediate data, and performing intersection processing on the intermediate data and intermediate data corresponding to other service ends. And determining repeated target information between the information to be processed and the information to be processed corresponding to other service terminals according to the processing result.
Fig. 14 is a block diagram illustrating another information processing apparatus according to an example embodiment, where, as shown in fig. 14, the authentication request includes a randomly generated declaration string, and the confirmation module 402 may include:
the obtaining sub-module 4021 is configured to obtain a signature public key, a transmission public key, signature data, and check data included in the authentication information, where the signature data is obtained by the processing node signing the declaration string with a signature private key corresponding to the signature public key, the check data is generated by the processing node based on the trusted execution environment according to the signature public key and the transmission public key, and the check data is used to check the trusted execution environment.
The authentication sub-module 4022 is configured to determine that the authentication information is generated according to the authentication request if the authentication information meets a preset condition.
Wherein the preset conditions include:
the verification data passes the verification.
The verification data is generated according to the signature public key and the transmission public key.
And the result of signature verification of the signature data by using the public signature key is matched with the declaration character string.
Fig. 15 is a block diagram illustrating another information processing apparatus according to an exemplary embodiment, and as shown in fig. 15, the sending module 404 may include:
the encryption submodule 4041 is configured to encrypt the intermediate data according to the randomly generated session key to obtain a data cipher text, and encrypt the session key according to the transmission public key included in the authentication information to obtain a key cipher text.
And the generating sub-module 4042 is configured to generate transmission data according to the data ciphertext and the key ciphertext.
The sending submodule 4043 is configured to send the transmission data to the processing node, where the processing node is configured to decrypt the key ciphertext according to the transmission private key corresponding to the transmission public key to obtain a session key, decrypt the data ciphertext according to the session key to obtain intermediate data, and perform intersection processing on the intermediate data and intermediate data corresponding to other service ends.
In one application scenario, the receiving module 405 may be configured to:
and decrypting the processing result according to the session key to obtain the target information. And the processing result is obtained by encrypting the result of the intersection processing by the processing node according to the session key.
Fig. 16 is a block diagram illustrating another information processing apparatus according to an exemplary embodiment, and as shown in fig. 16, the apparatus 400 may further include:
the establishing module 406 is configured to determine, through a preset handshake protocol, an intersection key with at least one other service end before sending the authentication request to the processing node in the trusted execution environment.
In one application scenario, the setup module 406 may be configured to perform the following steps:
step a) processing a preset generation element according to a first processing factor generated randomly to obtain a first initial key, and sending the first initial key to other service terminals, wherein the other service terminals are used for processing the first initial key according to a second processing factor generated randomly to obtain an intersection key.
And step b) receiving second initial keys sent by other service terminals, wherein the second initial keys are obtained by processing the generating elements by the other service terminals according to the second processing factors.
And c) processing the second initial key according to the first processing factor to obtain an intersection key.
In another application scenario, a processing node comprises: an authentication node and a first number of worker nodes.
Accordingly, the authentication module 401 is configured to:
and sending an authentication request to the authentication node, wherein the authentication request is used for indicating the authentication node to generate authentication information according to the authentication request based on the trusted execution environment, and enabling the first number of working nodes.
The validation module 402 is configured to:
and receiving authentication information sent by the authentication node.
The sending module 404 may be configured to:
the plurality of values included in the intermediate data are assigned to a second number of value groups. And encrypting each numerical value packet according to an encryption mode to generate a corresponding transmission packet, so as to obtain transmission data comprising a second number of transmission packets. And aiming at each transmission packet, sending the transmission packet to a corresponding working node according to the corresponding relation between the identifier of the transmission packet and the identifier of the working node, wherein the corresponding working node is used for decrypting the transmission packet to obtain a corresponding numerical value packet and performing intersection processing on the numerical value packet and the numerical value packets corresponding to other service terminals.
The receiving module 405 may be configured to:
and combining the processing results sent by the first number of working nodes to determine the target information.
In another application scenario, the sending module 404 may be configured to implement the following steps:
first, for each numerical value, the numerical value is assigned to the corresponding numerical value group according to the correspondence between the numerical value and the identifier of the numerical value group.
Thereafter, the numerical values included in each numerical value group are sorted.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
In summary, in the present disclosure, the target service end first sends an authentication request to the processing node, and the processing node generates authentication information for determining whether the processing node is trusted based on the trusted execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Fig. 17 is a block diagram illustrating an apparatus for processing information according to an exemplary embodiment, and as shown in fig. 17, the apparatus 500 includes:
the authentication module 501 is configured to generate authentication information according to an authentication request sent by a target service end based on a trusted execution environment, and send the authentication information to the target service end, where the authentication information is used to determine whether a processing node is trusted, and the target service end is any service end of a service system.
A receiving module 502, configured to receive transmission data sent by the target service end when it is determined that the authentication information is generated according to the authentication request, where the transmission data is generated by the target service end encrypting intermediate data according to a preset encryption manner, the intermediate data is obtained by the target service end encrypting information to be processed according to a preset transaction key, the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends in the service system except the target service end.
And the intersection module 503 is configured to decrypt the transmission data to obtain intermediate data, and perform intersection processing on the intermediate data and intermediate data corresponding to other service ends.
A sending module 504, configured to send the processing result to the target service end and other service ends, where the target service end and other service ends are configured to determine, according to the processing result, repeated target information between the information to be processed and information to be processed corresponding to other service ends.
In an application scenario, the authentication request includes a declaration string randomly generated by the target service end, and the authentication module 501 may be configured to perform the following steps:
step d) generating a signature public key, a corresponding signature private key, a transmission public key and a corresponding transmission private key.
And e) signing the declaration character string by using the signature private key to obtain signature data.
Step f) generating verification data according to the signature public key and the transmission public key based on the trusted execution environment.
And g) generating authentication information according to the signature public key, the transmission public key, the signature data and the verification data.
Fig. 18 is a block diagram illustrating another information processing apparatus according to an exemplary embodiment, and as shown in fig. 18, the intersection module 503 may include:
the first decryption module 5031 decrypts the key ciphertext included in the transmission data according to the transmission private key to obtain the session key.
The second decryption module 5032 decrypts the data ciphertext included in the transmission data according to the session key to obtain intermediate data.
The key ciphertext is obtained by encrypting the session key by the target service end according to the transmission public key, the data ciphertext is obtained by encrypting the intermediate data by the target service end according to the session key, and the session key is randomly generated by the target service end.
In another application scenario, the sending module 504 may be configured to:
and encrypting the result of the intersection processing according to the session key to obtain a processing result. And sending the processing result to a target service end, wherein the target service end is used for decrypting the processing result according to the session key to obtain target information.
In yet another application scenario, a processing node comprises: an authentication node and a first number of worker nodes. The transmission data comprises a second number of transmission packets, the transmission packets are generated by distributing a plurality of numerical values included in the intermediate data to the second number of numerical value packets for the target service end and encrypting each numerical value packet according to an encryption mode.
Accordingly, the authentication module 501 may be configured to:
and generating authentication information according to the authentication request through the authentication node, and sending the authentication information to the target service terminal. A first number of worker nodes are enabled by the authentication node.
The receiving module 502 may be configured to:
and receiving the transmission packet corresponding to the working node through each working node.
The intersection module 503 may be configured to:
and decrypting the corresponding transmission packet through the working node to obtain the corresponding numerical value packet. And the numerical value groups corresponding to other service ends are subjected to intersection processing through the working node.
The sending module 504 may be configured to:
and sending the processing results of the working nodes to a target service end through each working node, wherein the target service end is used for combining the first number of processing results and determining target information.
In yet another application scenario, the authentication module 501 may be used to implement the following steps:
step 1) generating first internal verification data based on the trusted execution environment through the authentication node, wherein the first internal verification data is used for verifying the trusted execution environment.
And step 2) sending first internal verification data to the first number of working nodes through the authentication nodes so that the working nodes verify the first internal verification data.
And 3) receiving second internal verification data generated by each working node based on the trusted execution environment through the authentication node, wherein the second internal verification data is used for verifying the trusted execution environment.
And 4) sending a transmission public key and a corresponding transmission private key to each working node by the authentication node under the condition that each second internal verification data passes the verification, wherein the transmission public key and the transmission private key are used for generating authentication information.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
In summary, in the present disclosure, the target service end first sends an authentication request to the processing node, and the processing node generates authentication information for determining whether the processing node is trusted based on the trusted execution environment. And then, the target service end receives the authentication information sent by the processing node and determines whether the authentication information is generated according to the authentication request. And under the condition that the authentication information is generated according to the authentication request, the target service end determines that the processing node is credible, and encrypts the information to be processed of the target service end according to a preset transaction key to obtain intermediate data. And then, the target service end encrypts the intermediate data according to a preset encryption mode to obtain transmission data, the transmission data are sent to a processing node, and the processing node performs intersection processing on the intermediate data. And finally, the target service end receives the processing result sent by the processing node, and determines repeated target information between the information to be processed and the information to be processed corresponding to other service ends according to the processing result. In the method and the system, the information to be processed is encrypted through the pre-agreed rendezvous key of the target service terminal and other service terminals, so that the processing node can not acquire the information to be processed, the rendezvous processing of the information to be processed can be realized, the problem of data leakage caused by security holes of the processing node is solved, and the data security is improved.
Referring now to fig. 19, a schematic diagram of an electronic device (e.g., any of the service ends or any of the processing nodes of fig. 1) 600 suitable for use in implementing embodiments of the present disclosure is shown. The terminal device in the embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 19 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 19, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 19 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the terminal devices, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: sending an authentication request to a processing node in a trusted execution environment, wherein the authentication request is used for instructing the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used for determining whether the processing node is trusted; receiving the authentication information sent by the processing node, and determining whether the authentication information is generated according to the authentication request; determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of a target service end according to a preset transaction key to obtain intermediate data, wherein the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in a service system; encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node; receiving a processing result sent by the processing node, wherein the processing result is obtained by decrypting the transmission data by the processing node to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends; and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
Alternatively, the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: based on a trusted execution environment, generating authentication information according to an authentication request sent by a target service end, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system; receiving transmission data sent by the target service end under the condition that the authentication information is determined to be generated according to the authentication request, wherein the transmission data is generated by encrypting intermediate data by the target service end according to a preset encryption mode, the intermediate data is obtained by encrypting information to be processed by the target service end according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system; decrypting the transmission data to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals; and sending the processing result to the target service end and the other service ends, wherein the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a module does not in some cases constitute a limitation on the module itself, for example, the challenge module may also be described as a "module sending an authentication request to the processing node".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Example 1 provides a method of processing information, according to one or more embodiments of the present disclosure, including: sending an authentication request to a processing node in a trusted execution environment, wherein the authentication request is used for instructing the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used for determining whether the processing node is trusted; receiving the authentication information sent by the processing node, and determining whether the authentication information is generated according to the authentication request; determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of a target service end according to a preset transaction key to obtain intermediate data, wherein the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in a service system; encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node; receiving a processing result sent by the processing node, wherein the processing result is obtained by decrypting the transmission data by the processing node to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends; and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
Example 2 provides the method of example 1, the authentication request including a randomly generated claim string, the determining whether the authentication information is generated from the authentication request including: acquiring a signature public key, a transmission public key, signature data and verification data which are included in the authentication information, wherein the signature data are obtained by the processing node by signing the declaration character string by using a signature private key corresponding to the signature public key, the verification data are generated by the processing node based on the trusted execution environment according to the signature public key and the transmission public key, and the verification data are used for verifying the trusted execution environment; if the authentication information meets a preset condition, determining that the authentication information is generated according to the authentication request; the preset conditions include: the verification data passes verification; the verification data is generated according to the signature public key and the transmission public key; and the result of signature verification of the signature data by using the signature public key is matched with the declaration character string.
According to one or more embodiments of the present disclosure, example 3 provides the method of example 1, where encrypting the intermediate data according to a preset encryption manner to obtain transmission data, and sending the transmission data to the processing node includes: encrypting the intermediate data according to a randomly generated session key to obtain a data ciphertext, and encrypting the session key according to a transmission public key included in the authentication information to obtain a key ciphertext; generating the transmission data according to the data ciphertext and the key ciphertext; and sending the transmission data to the processing node, wherein the processing node is used for decrypting the key ciphertext according to a transmission private key corresponding to the transmission public key to obtain the session key, decrypting the data ciphertext according to the session key to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals.
Example 4 provides the method of example 3, wherein determining, according to the processing result, repeated target information between the information to be processed and information to be processed corresponding to the other service end includes: decrypting the processing result according to the session key to obtain the target information; and the processing result is obtained by encrypting the result of the intersection processing by the processing node according to the session key.
Example 5 provides the method of example 1, wherein, prior to the sending of the authentication request to the processing node in the trusted execution environment, the method further comprises: and determining the intersection key with at least one other service end through a preset handshake protocol.
Example 6 provides the method of example 5, wherein the determining the rendezvous key with the at least one other service end through a preset handshake protocol includes: processing a preset generation element according to a first processing factor generated randomly to obtain a first initial key, and sending the first initial key to the other service terminals, wherein the other service terminals are used for processing the first initial key according to a second processing factor generated randomly to obtain the intersection key; receiving a second initial key sent by the other service end, wherein the second initial key is obtained by processing the generator by the other service end according to the second processing factor; and processing the second initial key according to the first processing factor to obtain the intersection key.
Example 7 provides the methods of examples 1-6, the processing node comprising: an authentication node and a first number of working nodes; the sending an authentication request to a processing node in a trusted execution environment includes: sending the authentication request to the authentication node, wherein the authentication request is used for instructing the authentication node to generate the authentication information according to the authentication request based on the trusted execution environment and enabling a first number of the working nodes; the receiving the authentication information sent by the processing node includes: receiving the authentication information sent by the authentication node; the encrypting the intermediate data according to a preset encryption mode to obtain transmission data and sending the transmission data to the processing node includes: assigning a plurality of values included in the intermediate data to a second number of value groups; encrypting each numerical value packet according to the encryption mode to generate a corresponding transmission packet, so as to obtain the transmission data comprising a second number of transmission packets; for each transmission packet, sending the transmission packet to the corresponding working node according to the corresponding relationship between the identifier of the transmission packet and the identifier of the working node, where the corresponding working node is configured to decrypt the transmission packet to obtain the corresponding numerical value packet, and perform intersection processing on the numerical value packet and the numerical value packets corresponding to the other service terminals; the determining, according to the processing result, repeated target information between the information to be processed and the information to be processed corresponding to the other service end includes: and combining the processing results sent by the working nodes of the first number to determine the target information.
Example 8 provides the method of example 7, wherein assigning the plurality of numerical values included in the intermediate data to a second number of numerical value groups, according to one or more embodiments of the present disclosure, includes: for each numerical value, distributing the numerical value to the corresponding numerical value group according to the corresponding relation between the numerical value and the identifier of the numerical value group; sorting the values included in each of the value groups.
Example 9 provides, in accordance with one or more embodiments of the present disclosure, a method of processing information, including: based on a trusted execution environment, generating authentication information according to an authentication request sent by a target service end, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system; receiving transmission data sent by the target service end under the condition that the authentication information is determined to be generated according to the authentication request, wherein the transmission data is generated by encrypting intermediate data by the target service end according to a preset encryption mode, the intermediate data is obtained by encrypting information to be processed by the target service end according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system; decrypting the transmission data to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals; and sending the processing result to the target service end and the other service ends, wherein the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
Example 10 provides the method of example 9, wherein the authentication request includes a declaration string randomly generated by the target service end, and the generating authentication information according to the authentication request sent by the target service end includes: generating a signature public key, a corresponding signature private key, a transmission public key and a corresponding transmission private key; signing the statement character string by using the signature private key to obtain signature data; generating verification data according to the signature public key and the transmission public key based on the trusted execution environment; and generating the authentication information according to the signature public key, the transmission public key, the signature data and the verification data.
Example 11 provides the method of example 10, the decrypting the transmission data to obtain the intermediate data, including: decrypting a key ciphertext included in the transmission data according to the transmission private key to obtain a session key; decrypting a data ciphertext included in the transmission data according to the session key to obtain the intermediate data; the key ciphertext is obtained by encrypting the session key by the target service end according to the transmission public key, the data ciphertext is obtained by encrypting the intermediate data by the target service end according to the session key, and the session key is randomly generated by the target service end.
Example 12 provides the method of example 11, wherein the sending the processing result to the target service end and the other service ends includes: encrypting the result of the intersection processing according to the session key to obtain the processing result; and sending the processing result to the target service end, wherein the target service end is used for decrypting the processing result according to the session key to obtain the target information.
Example 13 provides the methods of examples 9 to 12, the processing node comprising: an authentication node and a first number of working nodes; the transmission data comprises a second number of transmission packets, the transmission packets are generated by distributing a plurality of numerical values included in the intermediate data to a second number of numerical value packets by the target service terminal and encrypting each numerical value packet according to the encryption mode; the generating authentication information according to the authentication request sent by the target service terminal and sending the authentication information to the target service terminal includes: generating the authentication information according to the authentication request through the authentication node, and sending the authentication information to the target service terminal; enabling a first number of the worker nodes by the authentication node; the receiving of the transmission data sent by the target service terminal under the condition that the authentication information is determined to be generated according to the authentication request includes: receiving the transmission packet corresponding to each working node through each working node; the decrypting the transmission data to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals includes: decrypting the corresponding transmission packet through the working node to obtain the corresponding numerical value packet; the numerical value groups corresponding to the numerical value groups and the other service ends are subjected to intersection processing through the working node; the sending the processing result to the target service end and the other service ends includes: and sending the processing results of the working nodes to the target service end through each working node, wherein the target service end is used for combining the processing results of a first quantity and determining the target information.
Example 14 provides the method of example 13, the enabling a first number of the worker nodes, according to one or more embodiments of the present disclosure, including: first internal verification data generated by the authentication node based on the trusted execution environment, the first internal verification data being used to verify the trusted execution environment; sending the first internal verification data to a first number of working nodes through the authentication node so that the working nodes verify the first internal verification data; receiving, by the authentication node, second internal verification data generated by each of the working nodes based on the trusted execution environment, the second internal verification data being used to verify the trusted execution environment; and sending a transmission public key and a corresponding transmission private key to each working node through the authentication node under the condition that each second internal verification data passes the verification, wherein the transmission public key and the transmission private key are used for generating the authentication information.
Example 15 provides, in accordance with one or more embodiments of the present disclosure, an apparatus for processing information, the apparatus comprising: an authentication module, configured to send an authentication request to a processing node in a trusted execution environment, where the authentication request is used to instruct the processing node to generate, based on the trusted execution environment, authentication information according to the authentication request, where the authentication information is used to determine whether the processing node is trusted; the confirming module is used for receiving the authentication information sent by the processing node and determining whether the authentication information is generated according to the authentication request; the processing module is used for determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of the target service end according to a preset intersection key to obtain intermediate data, wherein the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system; the sending module is used for encrypting the intermediate data according to a preset encryption mode to obtain transmission data and sending the transmission data to the processing node; a receiving module, configured to receive a processing result sent by the processing node, where the processing result is obtained by decrypting, by the processing node, the transmission data to obtain intermediate data, and performing intersection processing on the intermediate data and intermediate data corresponding to the other service terminals; and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
Example 16 provides, in accordance with one or more embodiments of the present disclosure, an apparatus for processing information, the apparatus comprising: the authentication module is used for generating authentication information according to an authentication request sent by a target service end based on a trusted execution environment, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system; a receiving module, configured to receive transmission data sent by the target service end when it is determined that the authentication information is generated according to the authentication request, where the transmission data is generated by encrypting, by the target service end, intermediate data in a preset encryption manner, the intermediate data is obtained by encrypting, by the target service end, information to be processed according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends in the service system except the target service end; the intersection module is used for decrypting the transmission data to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends; and the sending module is used for sending the processing result to the target service end and the other service ends, and the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
Example 17 provides a computer readable medium having stored thereon a computer program that, when executed by a processing apparatus, implements the steps of the methods of examples 1-8, 9-14.
Example 18 provides, in accordance with one or more embodiments of the present disclosure, an electronic device, comprising: a storage device having a computer program stored thereon; processing means for executing the computer program in the storage means to implement the steps of the methods of examples 1 to 8, and examples 9 to 14.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.

Claims (18)

1. A method for processing information, the method comprising:
sending an authentication request to a processing node in a trusted execution environment, wherein the authentication request is used for instructing the processing node to generate authentication information according to the authentication request based on the trusted execution environment, and the authentication information is used for determining whether the processing node is trusted;
receiving the authentication information sent by the processing node, and determining whether the authentication information is generated according to the authentication request;
determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of a target service end according to a preset transaction key to obtain intermediate data, wherein the transaction key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in a service system;
encrypting the intermediate data according to a preset encryption mode to obtain transmission data, and sending the transmission data to the processing node;
receiving a processing result sent by the processing node, wherein the processing result is obtained by decrypting the transmission data by the processing node to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends;
and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
2. The method of claim 1, wherein the authentication request includes a randomly generated claim string, and wherein the determining whether the authentication information is generated from the authentication request comprises:
acquiring a signature public key, a transmission public key, signature data and verification data which are included in the authentication information, wherein the signature data are obtained by the processing node by signing the declaration character string by using a signature private key corresponding to the signature public key, the verification data are generated by the processing node based on the trusted execution environment according to the signature public key and the transmission public key, and the verification data are used for verifying the trusted execution environment;
if the authentication information meets a preset condition, determining that the authentication information is generated according to the authentication request;
the preset conditions include:
the verification data passes verification;
the verification data is generated according to the signature public key and the transmission public key;
and the result of signature verification of the signature data by using the signature public key is matched with the declaration character string.
3. The method according to claim 1, wherein the encrypting the intermediate data according to a preset encryption manner to obtain transmission data and sending the transmission data to the processing node comprises:
encrypting the intermediate data according to a randomly generated session key to obtain a data ciphertext, and encrypting the session key according to a transmission public key included in the authentication information to obtain a key ciphertext;
generating the transmission data according to the data ciphertext and the key ciphertext;
and sending the transmission data to the processing node, wherein the processing node is used for decrypting the key ciphertext according to a transmission private key corresponding to the transmission public key to obtain the session key, decrypting the data ciphertext according to the session key to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals.
4. The method according to claim 3, wherein the determining, according to the processing result, target information that is repeated between the information to be processed and the information to be processed corresponding to the other service end includes:
decrypting the processing result according to the session key to obtain the target information; and the processing result is obtained by encrypting the result of the intersection processing by the processing node according to the session key.
5. The method of claim 1, wherein prior to said sending an authentication request to a processing node in a trusted execution environment, the method further comprises:
and determining the intersection key with at least one other service end through a preset handshake protocol.
6. The method according to claim 5, wherein the determining the rendezvous key with the at least one other service end through a preset handshake protocol includes:
processing a preset generation element according to a first processing factor generated randomly to obtain a first initial key, and sending the first initial key to the other service terminals, wherein the other service terminals are used for processing the first initial key according to a second processing factor generated randomly to obtain the intersection key;
receiving a second initial key sent by the other service end, wherein the second initial key is obtained by processing the generator by the other service end according to the second processing factor;
and processing the second initial key according to the first processing factor to obtain the intersection key.
7. The method according to any of claims 1-6, wherein the processing node comprises: an authentication node and a first number of working nodes;
the sending an authentication request to a processing node in a trusted execution environment includes:
sending the authentication request to the authentication node, wherein the authentication request is used for instructing the authentication node to generate the authentication information according to the authentication request based on the trusted execution environment and enabling a first number of the working nodes;
the receiving the authentication information sent by the processing node includes:
receiving the authentication information sent by the authentication node;
the encrypting the intermediate data according to a preset encryption mode to obtain transmission data and sending the transmission data to the processing node includes:
assigning a plurality of values included in the intermediate data to a second number of value groups;
encrypting each numerical value packet according to the encryption mode to generate a corresponding transmission packet, so as to obtain the transmission data comprising a second number of transmission packets;
for each transmission packet, sending the transmission packet to the corresponding working node according to the corresponding relationship between the identifier of the transmission packet and the identifier of the working node, where the corresponding working node is configured to decrypt the transmission packet to obtain the corresponding numerical value packet, and perform intersection processing on the numerical value packet and the numerical value packets corresponding to the other service terminals;
the determining, according to the processing result, repeated target information between the information to be processed and the information to be processed corresponding to the other service end includes:
and combining the processing results sent by the working nodes of the first number to determine the target information.
8. The method of claim 7, wherein assigning the plurality of values included in the intermediate data into a second number of value groups comprises:
for each numerical value, distributing the numerical value to the corresponding numerical value group according to the corresponding relation between the numerical value and the identifier of the numerical value group;
sorting the values included in each of the value groups.
9. A method for processing information, the method comprising:
based on a trusted execution environment, generating authentication information according to an authentication request sent by a target service end, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system;
receiving transmission data sent by the target service end under the condition that the authentication information is determined to be generated according to the authentication request, wherein the transmission data is generated by encrypting intermediate data by the target service end according to a preset encryption mode, the intermediate data is obtained by encrypting information to be processed by the target service end according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system;
decrypting the transmission data to obtain the intermediate data, and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals;
and sending the processing result to the target service end and the other service ends, wherein the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
10. The method according to claim 9, wherein the authentication request includes a declaration string randomly generated by the target service end, and the generating authentication information according to the authentication request sent by the target service end includes:
generating a signature public key, a corresponding signature private key, a transmission public key and a corresponding transmission private key;
signing the statement character string by using the signature private key to obtain signature data;
generating verification data according to the signature public key and the transmission public key based on the trusted execution environment;
and generating the authentication information according to the signature public key, the transmission public key, the signature data and the verification data.
11. The method of claim 10, wherein decrypting the transmission data to obtain the intermediate data comprises:
decrypting a key ciphertext included in the transmission data according to the transmission private key to obtain a session key;
decrypting a data ciphertext included in the transmission data according to the session key to obtain the intermediate data;
the key ciphertext is obtained by encrypting the session key by the target service end according to the transmission public key, the data ciphertext is obtained by encrypting the intermediate data by the target service end according to the session key, and the session key is randomly generated by the target service end.
12. The method according to claim 11, wherein the sending the processing result to the target service end and the other service ends comprises:
encrypting the result of the intersection processing according to the session key to obtain the processing result;
and sending the processing result to the target service end, wherein the target service end is used for decrypting the processing result according to the session key to obtain the target information.
13. The method according to any of claims 9-12, wherein the processing node comprises: an authentication node and a first number of working nodes; the transmission data comprises a second number of transmission packets, the transmission packets are generated by distributing a plurality of numerical values included in the intermediate data to a second number of numerical value packets by the target service terminal and encrypting each numerical value packet according to the encryption mode;
the generating authentication information according to the authentication request sent by the target service terminal and sending the authentication information to the target service terminal includes:
generating the authentication information according to the authentication request through the authentication node, and sending the authentication information to the target service terminal;
enabling a first number of the worker nodes by the authentication node;
the receiving of the transmission data sent by the target service terminal under the condition that the authentication information is determined to be generated according to the authentication request includes:
receiving the transmission packet corresponding to each working node through each working node;
the decrypting the transmission data to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service terminals includes:
decrypting the corresponding transmission packet through the working node to obtain the corresponding numerical value packet;
the numerical value groups corresponding to the numerical value groups and the other service ends are subjected to intersection processing through the working node;
the sending the processing result to the target service end and the other service ends includes:
and sending the processing results of the working nodes to the target service end through each working node, wherein the target service end is used for combining the processing results of a first quantity and determining the target information.
14. The method of claim 13, wherein enabling the first number of the worker nodes comprises:
first internal verification data generated by the authentication node based on the trusted execution environment, the first internal verification data being used to verify the trusted execution environment;
sending the first internal verification data to a first number of working nodes through the authentication node so that the working nodes verify the first internal verification data;
receiving, by the authentication node, second internal verification data generated by each of the working nodes based on the trusted execution environment, the second internal verification data being used to verify the trusted execution environment;
and sending a transmission public key and a corresponding transmission private key to each working node through the authentication node under the condition that each second internal verification data passes the verification, wherein the transmission public key and the transmission private key are used for generating the authentication information.
15. An apparatus for processing information, the apparatus comprising:
an authentication module, configured to send an authentication request to a processing node in a trusted execution environment, where the authentication request is used to instruct the processing node to generate, based on the trusted execution environment, authentication information according to the authentication request, where the authentication information is used to determine whether the processing node is trusted;
the confirming module is used for receiving the authentication information sent by the processing node and determining whether the authentication information is generated according to the authentication request;
the processing module is used for determining that the processing node is credible under the condition that the authentication information is generated according to the authentication request, and encrypting the information to be processed of the target service end according to a preset intersection key to obtain intermediate data, wherein the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends except the target service end in the service system;
the sending module is used for encrypting the intermediate data according to a preset encryption mode to obtain transmission data and sending the transmission data to the processing node;
a receiving module, configured to receive a processing result sent by the processing node, where the processing result is obtained by decrypting, by the processing node, the transmission data to obtain intermediate data, and performing intersection processing on the intermediate data and intermediate data corresponding to the other service terminals; and determining repeated target information between the information to be processed and the information to be processed corresponding to the other service terminals according to the processing result.
16. An apparatus for processing information, the apparatus comprising:
the authentication module is used for generating authentication information according to an authentication request sent by a target service end based on a trusted execution environment, and sending the authentication information to the target service end, wherein the authentication information is used for determining whether the processing node is trusted, and the target service end is any service end of a service system;
a receiving module, configured to receive transmission data sent by the target service end when it is determined that the authentication information is generated according to the authentication request, where the transmission data is generated by encrypting, by the target service end, intermediate data in a preset encryption manner, the intermediate data is obtained by encrypting, by the target service end, information to be processed according to a preset intersection key, the intersection key is generated by the target service end and other service ends together, and the other service ends are service ends in the service system except the target service end;
the intersection module is used for decrypting the transmission data to obtain the intermediate data and performing intersection processing on the intermediate data and the intermediate data corresponding to the other service ends;
and the sending module is used for sending the processing result to the target service end and the other service ends, and the target service end and the other service ends are used for determining repeated target information between the information to be processed and the information to be processed corresponding to the other service ends according to the processing result.
17. A computer-readable medium, on which a computer program is stored, which program, when being executed by processing means, is adapted to carry out the steps of the method of any one of claims 1 to 8 or 9 to 14.
18. An electronic device, comprising:
a storage device having a computer program stored thereon;
processing means for executing said computer program in said storage means to carry out the steps of the method according to any one of claims 1 to 8, or 9 to 14.
CN202111070777.1A 2021-09-13 2021-09-13 Information processing method and device, readable medium and electronic equipment Pending CN113742709A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111070777.1A CN113742709A (en) 2021-09-13 2021-09-13 Information processing method and device, readable medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111070777.1A CN113742709A (en) 2021-09-13 2021-09-13 Information processing method and device, readable medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN113742709A true CN113742709A (en) 2021-12-03

Family

ID=78738403

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111070777.1A Pending CN113742709A (en) 2021-09-13 2021-09-13 Information processing method and device, readable medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN113742709A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114417324A (en) * 2022-04-01 2022-04-29 中电云数智科技有限公司 Query method based on trusted execution environment privacy intersection

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114417324A (en) * 2022-04-01 2022-04-29 中电云数智科技有限公司 Query method based on trusted execution environment privacy intersection

Similar Documents

Publication Publication Date Title
US10880732B2 (en) Authentication of phone caller identity
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
CN101720071B (en) Short message two-stage encryption transmission and secure storage method based on safety SIM card
CN108650080B (en) A kind of tagged keys management method and system
CN107342861B (en) Data processing method, device and system
CN110335043B (en) Transaction privacy protection method, device and system based on blockchain system
CN109800588B (en) Dynamic bar code encryption method and device and dynamic bar code decryption method and device
CN110224976B (en) Encrypted communication method, device and computer readable storage medium
CN110365662B (en) Business approval method and device
CN113742709A (en) Information processing method and device, readable medium and electronic equipment
CN106096424A (en) One is encrypted method and terminal to local data
CN112640510A (en) Method and apparatus for establishing a wireless secure link while maintaining privacy from tracking
CN111246407B (en) Data encryption and decryption method and device for short message transmission
CN114173328A (en) Key exchange method and device and electronic equipment
CN107483197B (en) VPN network terminal key distribution method and device
CN113038463B (en) Communication encryption authentication experimental device
CN113282951A (en) Security verification method, device and equipment for application program
CN112329044A (en) Information acquisition method and device, electronic equipment and computer readable medium
CN110851210A (en) Interface program calling method, device, equipment and storage medium
CN111314320B (en) Communication method, terminal, server and system based on HTTP
CN111327605B (en) Method, terminal, server and system for transmitting private information
CN112926076A (en) Data processing method, device and system
CN104901932A (en) Secure login method based on CPK (Combined Public Key Cryptosystem) identity authentication technology
CN113626848A (en) Sample data generation method and device, electronic equipment and computer readable medium
CN114090893A (en) Data query method, system, device, computer readable medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination