CN113849777A - Application publishing method, application using method, AI model publishing method and device - Google Patents


Publication number: CN113849777A
Authority: CN (China)
Prior art keywords: application, key, encrypted, accelerator card, encryption
Legal status: Pending
Application number: CN202010884617.XA
Other languages: Chinese (zh)
Inventors: 曾雪红, 彭财元, 赵品华
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Classifications

    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements


Abstract

An application issuing method, an application using method, an AI model issuing method and an AI model issuing device. In this application, based on an application authorization request sent by the user, the application owner can perform security verification on the first signature information in the application authorization request. After the security verification is passed, the encrypted application can be loaded to the accelerator card, and after the accelerator card obtains the encrypted application, it can decrypt the application for the user to use. Because the accelerator card has a decryption function and can decrypt the encrypted application and run the application, the application owner does not need an additional hardware encryption device, which can greatly reduce the cost. The application is not transmitted in plaintext, so the security of the application can be ensured and the possibility of the application being stolen is reduced.

Description

Application publishing method, application using method, AI model publishing method and device
This application claims priority to the Chinese patent application entitled "AI model protection method and apparatus", application No. 202010598752.8, filed with the Intellectual Property Office of the People's Republic of China on 28/6/2020, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communications technologies, and in particular, to an application publishing method, an application using method, an AI model publishing method, and an AI model publishing device.
Background
Applications (also referred to as application software) of many kinds cover every aspect of people's lives; applications installed on mobile terminal devices and services provided by servers are both applications. Some applications need to execute a large number of operation processes, such as an Artificial Intelligence (AI) model. Such an application usually has to be loaded into a specific hardware device, such as an accelerator card, that can support a large number of operation processes, so as to ensure that the application runs smoothly.
Since such applications involve issues such as payment permission and application privacy, a user needs to acquire the usage right of the application from an application owner before using the application, and the user can use the application after acquiring the usage right of the application.
In view of the high value of such applications, in order to prevent the application from being abused or stolen, the application owner generally secures the application in the following manner:
The application owner sends the encrypted application and a hardware encryption device to the user. The encrypted application is loaded into a server of the user, and the server is connected to the hardware encryption device. The server obtains a key from the hardware encryption device, decrypts the encrypted application, and then pushes the application to the accelerator card.
In this way, the application owner needs to additionally configure a hardware encryption device, which increases the cost. In addition, the application is transmitted between the server and the accelerator card in plaintext, so the plaintext is easy to detect, the application is easy to steal, and the security is poor.
Disclosure of Invention
The application provides an application publishing method, an application using method, an AI model publishing method and an AI model publishing device, which are used for ensuring the security of an application.
In a first aspect, an embodiment of the present application provides an application issuing method, in which an application owner may load an application into an accelerator card to issue the application to a user. The method is applied to the application owner. In the method, the application owner may receive an application authorization request from the user, where the application authorization request may be used to request a right to use the application and carries a first certificate, and the first certificate includes a first public key and first signature information from the accelerator card. The application owner then acquires the first signature information from the first certificate and performs security verification on it. After the security verification is passed, the application owner can encrypt the application and then load the encrypted application into the accelerator card.
By the method, the application owner performs security verification on the first signature information sent by the user to determine whether the first signature information is from the accelerator card, and loads the encrypted application into the accelerator card after determining that it is. The security verification ensures the security of the accelerator card into which the encrypted application is to be loaded, and the first signature information establishes a trust chain between the application owner and the accelerator card. Because the application is loaded into the accelerator card in encrypted form, it is not transmitted in plaintext, and the security of the application can be ensured.
In one possible implementation, there are many ways for the application owner to encrypt the application, for example, the application owner may obtain the first public key from the first certificate and encrypt the application by using the first public key.
By the method, encrypting the application by using the first public key is more convenient, the interaction between the application owner and the accelerator card can be reduced, and the encrypted application can be loaded into the accelerator card more quickly.
In a possible implementation manner, before the application owner encrypts the application, the application owner may further obtain a second certificate generated by the accelerator card, where the second certificate includes a second public key and second signature information generated by the accelerator card. The manner in which the application owner acquires the second certificate is not limited here, and the application owner may acquire the second certificate directly from the accelerator card or may acquire the second certificate from the accelerator card through the user. After acquiring the second certificate, the application owner can perform security verification on the second signature information, and after the security verification is successful, an encryption process of the application is started; when the application owner encrypts the application, the application owner can obtain the second public key from the second certificate, and then encrypt the application by using the second public key.
By the method, the accelerator card can provide the second public key for encrypting the application to the application owner, and before the application owner encrypts the application by using the second public key, the application owner determines that the second signature information comes from the accelerator card through the security verification of the second signature information, so that the second public key also comes from the accelerator card, the reliability of the second public key is ensured, and further the security of the encrypted application is ensured.
In a possible implementation manner, the second signature information is obtained by encryption with the first private key, and the application owner may perform security verification on the second signature information according to the first public key.
By the method, the application owner can perform security verification on the second signature information according to the first public key, so the trust chain established by the first signature information of the accelerator card is maintained, and performing security verification on the second signature information through the first public key is safer and more reliable.
In a possible implementation manner, when the application owner encrypts the application, the application owner may also generate a key for encrypting the application by itself, where the generated key is, for example, a second public key and a second private key, and the application owner encrypts the application by using the second public key, and may also send the second private key to the accelerator card, so that the accelerator card can decrypt the encrypted application.
By the method, the application owner does not need to acquire the key for encrypting the application from the accelerator card any more, and encrypts the application by using the self-generated key for encrypting the application, so that the application encryption efficiency can be improved, and the encrypted application can be loaded into the accelerator card more quickly in the following process.
In a possible implementation manner, when the application owner sends the second private key to the accelerator card, the application owner may first encrypt the second private key by using the first public key; and then, sending the encrypted second private key to the accelerator card.
By the method, the first public key is used for encrypting the second private key, so that the security of the second private key can be better ensured.
In a possible implementation manner, the application owner may also encrypt the application by using a key other than the first public key and the second public key. Taking the first encryption key as an example of such a key: the application owner generates the first encryption key and encrypts the application according to the first encryption key; the application owner then acquires a second encryption key, which can be the first public key or the second public key, and encrypts the first encryption key according to the second encryption key; after the first encryption key is encrypted, the encrypted application and the encrypted first encryption key are loaded into the accelerator card.
By the method, the application owner can encrypt the application by using the self-generated first encryption key and then encrypt the first encryption key by using the first public key or the second public key, so that the security of the first encryption key can be ensured, and the accelerator card can obtain the first encryption key and decrypt to obtain the application.
In a possible implementation manner, before the application owner loads the encrypted application into the accelerator card, the application owner may also perform signature protection on the encrypted application and the encrypted first encryption key.
By the method, the encrypted application and the encrypted first encryption key are subjected to signature protection, so that the integrity of the encrypted application and the encrypted application key can be ensured, and the encrypted application and the encrypted first encryption key are prevented from being tampered or damaged in the transmission process.
In one possible implementation, the application owner may also sign protect the application before encrypting the application. The application owner may also sign protect the first encryption key prior to encrypting the first encryption key.
By the method, signature protection is carried out before the application is encrypted, and the integrity of the application and the first encryption key before encryption can be ensured.
In a possible implementation manner, the application owner can also load the authorization information of the application into the accelerator card. The application owner can load the authorization information directly, or, in a manner similar to that of loading the application, generate an authorization key for encrypting the authorization information of the application and encrypt the authorization information according to the authorization key; the application owner then encrypts the authorization key according to the second encryption key and loads the encrypted authorization information to the accelerator card.
By the method, the application owner loads the authorization information of the application into the accelerator card, so that the accelerator card can verify the validity of the application through the authorization information of the application.
In a possible implementation manner, the application may be an AI model, or may be a cloud application deployed in a cloud.
By the method, the application can be of multiple types, and the application scenarios can be effectively expanded.
In a second aspect, an embodiment of the present application provides an application using method, in which an application owner loads an application to an accelerator card in a cloud system to issue the application to a user. The method may be executed by the accelerator card. In the method, the accelerator card may first obtain a first certificate, where the first certificate includes a first public key and first signature information, and the accelerator card may further store a first private key corresponding to the first public key. The accelerator card can then issue the first certificate, so that the user can acquire the first certificate and the application owner can perform security verification according to the first certificate. Then, the accelerator card can receive and load the encrypted application that the application owner sends after the security verification is passed, and decrypt the encrypted application to obtain the application.
By the method, by issuing the first certificate, the accelerator card enables the user to use the first certificate to undergo security verification by the application owner, so that the application owner can verify the source of the first certificate and determine that the first certificate comes from the accelerator card. The accelerator card obtains the encrypted application rather than the application in plaintext form, so the security of the application can be ensured. Because the accelerator card has a decryption function, the decryption operation does not need to be performed by other equipment, the application is always stored in the accelerator card, and the application is prevented from being stolen.
In a possible implementation manner, when the accelerator card decrypts the obtained application, the accelerator card may directly decrypt the obtained application by using the first private key related to the first certificate.
By the method, decrypting the application by using the first private key is more convenient, multiple interactions between the application owner and the accelerator card are avoided, and the application use efficiency is improved.
In a possible implementation manner, before decryption to obtain an application, the accelerator card may further generate a second certificate, where the second certificate includes a second public key and second signature information, and the accelerator card may further store a second private key corresponding to the second public key; then, the accelerator card may issue a second certificate, so that the application owner performs security verification on the second certificate; when the accelerator card decrypts to obtain the application, the application can be decrypted by using a second private key related to the second certificate.
By the method, the accelerator card can provide the second public key for encrypting the application to the application owner through the second certificate, and after the application owner acquires the second certificate, the second signature information can be determined to come from the accelerator card through the security verification of the second signature information, so that the second public key is ensured to come from the accelerator card, and the reliability of the second public key is ensured.
In one possible implementation, the second signature information is obtained by encryption with the first private key.
By the method, the second signature information is obtained by using the first private key, so the trust chain established by the first signature information of the accelerator card is maintained.
In a possible implementation manner, the accelerator card may further receive a second private key that is generated and sent by the application owner; thereafter, when decrypting to obtain the application, the accelerator card may use the second private key.
By the method, the application owner encrypts the application by using the self-generated key for encrypting the application, the accelerator card can also obtain the key (namely the second private key) for decrypting from the application owner, and the keys for encrypting and decrypting the application come from the application owner, so that the application security can be further ensured.
In a possible implementation manner, the second private key may be encrypted by the first public key associated with the first certificate and then loaded into the accelerator card, so that the accelerator card may obtain the second private key by decryption with the first private key.
By the method, the first public key is used for encrypting the second private key, so that the security of the second private key can be better ensured.
In a possible implementation manner, the accelerator card may also verify the integrity of the encrypted application, and load the encrypted application after the verification is successful. The accelerator card may also verify the integrity of the encrypted first encryption key.
By the method, the integrity of the encrypted application can be ensured by verifying the integrity of the encrypted application, so that the encrypted application and the encrypted first encryption key are prevented from being tampered or damaged in the transmission process.
In a possible implementation manner, when the accelerator card decrypts to obtain the application, it can decrypt the encrypted first encryption key according to a key corresponding to the second encryption key to obtain the first encryption key, where the key corresponding to the second encryption key may be the first private key or the second private key; the accelerator card then decrypts with the first encryption key to obtain the application.
By the method, the first encryption key is decrypted with the first private key or the second private key, so that the accelerator card can acquire the first encryption key and can further decrypt to obtain the application.
In one possible implementation, the accelerator card may also obtain authorization information of the application, for example, the accelerator card may obtain the authorization information directly from the owner of the application, or may obtain the authorization information in a manner similar to obtaining the application. For example, the accelerator card may decrypt the encrypted authorization key according to a key corresponding to the second encryption key to obtain the authorization key, where the key corresponding to the second encryption key may be the first private key or the second private key; and then, decrypting the acquired authorization information of the application by using the authorization key.
By the method, the accelerator card can acquire the authorization information of the application, so that the accelerator card can verify the validity of the application through the authorization information of the application.
In a possible implementation manner, the accelerator card may further receive an authorization information update request sent by an application owner, where the authorization information update request carries encrypted updated authorization information; and then updating the authorization information according to the authorization information updating request.
By the method, the accelerator card can acquire the updated authorization information of the application in time, so that the accelerator card can verify the validity of the application through the updated authorization information of the application.
In one possible implementation, the application includes an AI model or a cloud application.
By the method, the application can be of multiple types, and the application scenarios can be effectively expanded.
In a third aspect, an embodiment of the present application provides an AI model issuing method, in which an AI model owner may load an AI model into an accelerator card to issue the AI model to a user, and the method may be executed by the AI model owner, and in the method, the AI model owner may first obtain a model key and then encrypt the AI model according to the model key; an encryption key can be obtained, and the model key is encrypted according to the encryption key, wherein the encryption key can be generated by the accelerator card and verified by an AI model owner or generated by the AI model owner; the AI model owner may then load the encrypted AI model and the encrypted model key into the accelerator card.
Correspondingly, after receiving the encrypted AI model and the encrypted model key, the accelerator card may decrypt the encrypted model key using the stored key corresponding to the encrypted key to obtain the model key, and then decrypt the encrypted AI model using the model key to obtain the AI model.
By the method, the AI model owner can encrypt the application by using the model key, and then encrypt the model key by using the encryption key, so that the security of the model key can be ensured, the accelerator card can obtain the model key more safely, and the AI model can be obtained by decryption.
In a possible implementation manner, the accelerator card generates and issues a first certificate, where the first certificate includes a first public key and first signature information generated by the accelerator card, the accelerator card may further include a first private key corresponding to the first public key, and the user may send an AI model authorization request carrying the first certificate to an AI model owner. After receiving the AI model authorization request from the user, the AI model owner may verify the first signature information according to the root certificate issued by the accelerator card, and after the verification is successful, determine that the first certificate is from the accelerator card, and store the first public key.
By the method, the AI model owner verifies the first signature information, can determine whether the first signature information comes from the accelerator card, further determine whether the first public key comes from the accelerator card, and store the first public key after determining that the first public key comes from the accelerator card, so that the source of the stored first public key can be ensured to be reliable.
In one possible implementation, the encryption key obtained by the AI model owner may be the first public key.
By the method, the first public key is used as the encryption key, so that the method is convenient and simpler in implementation mode.
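
The third-aspect flow with the first public key used as the encryption key, as an added example that is not code from the patent: the owner verifies the first signature information, encrypts the model under a fresh model key, and wraps that key so that only the card's first private key can recover it. Assumptions: an Ed25519 signature by a card-vendor root stands in for the root-certificate check, RSA-OAEP and AES-256-GCM are the chosen algorithms, and every type and function name is hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Cert models the first certificate: the card's first public key plus the first
// signature information (assumed: an Ed25519 signature by the card vendor's root).
type Cert struct{ PubDER, Sig []byte }

// Bundle is what the owner loads into the card; nothing in it is plaintext.
type Bundle struct{ Nonce, EncKey, EncModel []byte }

// NewCard builds constructed demo material: a vendor root key, the card's RSA
// key pair, and the first certificate binding the card's public key to the root.
func NewCard() (rootPub ed25519.PublicKey, card *rsa.PrivateKey, cert Cert, err error) {
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	if card, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	cert.PubDER = x509.MarshalPKCS1PublicKey(&card.PublicKey)
	cert.Sig = ed25519.Sign(rootKey, cert.PubDER)
	return
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// PublishModel is the owner side: verify the first signature information, encrypt
// the model under a fresh model key, then wrap that key with the first public key.
func PublishModel(model []byte, c Cert, rootPub ed25519.PublicKey) (Bundle, error) {
	if !ed25519.Verify(rootPub, c.PubDER, c.Sig) {
		return Bundle{}, errors.New("first certificate: not signed by the trusted root")
	}
	cardPub, err := x509.ParsePKCS1PublicKey(c.PubDER)
	if err != nil {
		return Bundle{}, err
	}
	secret := make([]byte, 32+12) // AES-256 model key followed by the GCM nonce
	if _, err = rand.Read(secret); err != nil {
		return Bundle{}, err
	}
	key, nonce := secret[:32], secret[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Bundle{}, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cardPub, key, nil)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Nonce: nonce, EncKey: encKey, EncModel: gcm.Seal(nil, nonce, model, nil)}, nil
}

// CardLoad is the card side: unwrap the model key with the first private key, then
// decrypt. GCM authentication rejects a ciphertext that was modified in transit.
func CardLoad(b Bundle, card *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, card, b.EncKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bundle: bad nonce length")
	}
	return gcm.Open(nil, b.Nonce, b.EncModel, nil)
}

func main() {
	rootPub, card, cert, err := NewCard()
	if err != nil {
		panic(err)
	}
	b, err := PublishModel([]byte("constructed model weights"), cert, rootPub)
	if err != nil {
		panic(err)
	}
	model, err := CardLoad(b, card)
	fmt.Printf("card recovered %q (err=%v)\n", model, err)
}
```
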
In one possible implementation, the encryption key obtained by the AI model owner may be another key from the accelerator card; the other key is taken to be the second key as an example.
The accelerator card may generate the second certificate by itself, or generate the second certificate when triggered by the AI model owner or the user, where the second certificate includes a second public key and second signature information generated by the accelerator card, the second signature information is obtained by encryption with the first private key, and the accelerator card may further include a second private key corresponding to the second public key. The accelerator card can then issue the second certificate. After obtaining the second certificate, the AI model owner can verify the second signature information according to the stored first public key and, after the verification is successful, use the second public key as the encryption key.
By the method, the accelerator card can provide the second public key to the AI model owner through the second certificate, and before the application owner uses the second public key as the encryption key, the AI model owner can verify the second signature information to determine that the second signature information comes from the accelerator card, thereby ensuring that the second public key also comes from the accelerator card to ensure the reliability of the second public key.
In a possible implementation manner, when the AI model owner obtains the encryption key, the AI model owner can also generate a second public key and a second private key by itself and use the second public key as the encryption key; the AI model owner then encrypts the second private key with the first public key and loads the encrypted second private key into the accelerator card.
After the accelerator card obtains the encrypted second private key, it can obtain the second private key by using the first private key, and then extract the model key by decrypting the encrypted model key with the second private key, so that the AI model can be obtained by decryption.
With this method, the AI model owner no longer needs to obtain the encryption key from the accelerator card and can generate the encryption key by itself, so that the application encryption efficiency can be improved and the encrypted application can subsequently be loaded into the accelerator card more quickly.
In a possible implementation manner, before the AI model owner loads the encrypted AI model and the encrypted model key into the accelerator card, the encrypted AI model and the encrypted model key may be subjected to signature protection.
The accelerator card may verify integrity of the encrypted AI model and the encrypted model key, and load the encrypted AI model and the encrypted model key after the verification is passed.
By the method, the encrypted AI model and the encrypted model key are subjected to signature protection, so that the integrity of the encrypted application and the encrypted application key can be ensured, and the encrypted AI model and the encrypted model key are prevented from being tampered or damaged in the transmission process.
In one possible implementation, before the AI model is encrypted by the AI model owner according to the model key, the AI model may also be signature protected. After the accelerator card decrypts the obtained AI model, the integrity of the AI model may be verified, and after the verification is passed, the AI model may be run.
By the method, signature protection is carried out before the AI model is encrypted, so that the integrity of the AI model before encryption can be ensured.
In a possible implementation manner, the AI model owner may also load authorization information of the AI model into the accelerator card. The AI model owner may load the authorization information into the accelerator card directly, or may load it in a manner similar to the loading of the AI model. For example, an AI model owner may generate authorization information and an authorization key for the AI model, and encrypt the authorization information according to the authorization key; the AI model owner then encrypts the authorization key according to the encryption key, and loads the encrypted authorization information and the encrypted authorization key to the accelerator card.
After receiving the encrypted authorization information and the encrypted authorization key, the accelerator card may obtain the authorization key by using the encryption key, and then decrypt the encrypted authorization information by using the authorization key to obtain the authorization information.
Through the method, the AI model owner loads the authorization information of the AI model into the accelerator card, so that the accelerator card can verify the validity of the application through the authorization information of the AI model.
In a possible implementation manner, before the AI model owner loads the encrypted authorization information to the accelerator card, the AI model owner may also perform signature protection on the encrypted authorization information.
After the accelerator card obtains the encrypted authorization information, the integrity of the encrypted authorization information can be verified, and after the verification is passed, the authorization information can be obtained by decryption.
With this method, the integrity of the encrypted authorization information can be ensured, and the encrypted authorization information is prevented from being tampered with.
In one possible implementation, the AI model owner may also update the authorization information; the AI model owner can directly load the updated authorization information into the accelerator card, or encrypt the updated authorization key according to the encryption key and load the encrypted updated authorization information into the accelerator card.
After receiving the encrypted and updated authorization information, the accelerator card can acquire the authorization key by using the encryption key, then decrypt the encrypted and updated authorization information by using the authorization key to acquire the updated authorization information, and then verify the validity of the application according to the updated authorization information.
With this method, the AI model owner updates the authorization information of the AI model in time, and the validity of the AI model is ensured.
In a possible implementation manner, the first public key and the first private key are generated by an accelerator card, and the first private key is stored in the accelerator card after being encrypted.
By the method, the first private key is always stored in the accelerator card, and the security of the first private key can be ensured.
In a fourth aspect, an application publishing apparatus is further provided in the embodiments of the present application, where the apparatus is applicable to an application owner, and for beneficial effects, reference may be made to the description of the first aspect and details are not described here again. The apparatus has functionality to implement the actions in the method instance of the first aspect described above. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions. In a possible design, the structure of the device includes an obtaining unit, a verifying unit, an encrypting unit, and a loading unit, which may execute corresponding functions in the method example of the first aspect, for which specific reference is made to detailed description in the method example, and details are not repeated here.
In a fifth aspect, an application using apparatus is further provided in the embodiments of the present application, where the apparatus may be applied to an accelerator card, and for beneficial effects, reference may be made to the description of the second aspect and details are not described here again. The apparatus has the functionality to implement the actions in the method instance of the second aspect described above. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions. In a possible design, the structure of the device includes an obtaining unit, a decrypting unit, and a sending unit, which may execute corresponding functions in the method example of the second aspect, for specific reference, detailed description in the method example is given, and details are not repeated here.
In a sixth aspect, an embodiment of the present application further provides an AI model publishing device, where the device is applicable to an AI model owner to execute a method executed by the AI model owner, and beneficial effects may be seen in the description of the third aspect and are not described herein again. The apparatus has the functionality to implement the actions in the method instance of the third aspect described above. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions. In a possible design, the structure of the device includes an obtaining unit, an encrypting unit, and a loading unit, which may execute corresponding functions in the method example of the third aspect, for specific reference, detailed description in the method example is given, and details are not repeated here.
In a seventh aspect, an embodiment of the present application further provides an AI model using apparatus, where the AI model using apparatus may be applied to an accelerator card to execute a method executed by the accelerator card, and for beneficial effects, reference may be made to the description of the third aspect and details are not repeated here. The apparatus has the functionality to implement the actions in the method instance of the third aspect described above. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions. In a possible design, the structure of the device includes an obtaining unit, a decrypting unit, and a sending unit, which may execute corresponding functions in the method example of the third aspect, for specific reference, detailed description in the method example is given, and details are not repeated here.
In an eighth aspect, an embodiment of the present application further provides a computing device, and for beneficial effects, reference may be made to the description of the first aspect, which is not described herein again. The structure of the computing device comprises a processor and a memory, the processor being configured to enable the device to perform the corresponding functions of the method of the first aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the device. The structure of the device also comprises a communication interface used for communicating with other devices.
In a ninth aspect, embodiments of the present application further provide a computing device, and beneficial effects may refer to the description of the second aspect and are not described herein again. The structure of the computing device comprises a processor and a memory, and the processor is configured to support the device to perform the corresponding functions of the method of the second aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the device. The structure of the device also comprises a communication interface used for communicating with other devices.
In a tenth aspect, an embodiment of the present application further provides a computing device, configured to execute the method performed by the AI model owner, and beneficial effects may be seen in the description of the third aspect and are not described herein again. The device comprises a processor and a memory, and the processor can execute the corresponding functions in the method of the third aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the device. The structure of the device also comprises a communication interface used for communicating with other devices.
In an eleventh aspect, an embodiment of the present application further provides a computing device, configured to execute the method executed by the accelerator card, and for beneficial effects, reference may be made to the description of the third aspect and details are not repeated here. The device comprises a processor and a memory, and the processor and the encryption module can cooperate to perform the corresponding functions of the method of the third aspect. The memory is coupled to the processor and holds the program instructions and data necessary for the device. The structure of the device also comprises a communication interface used for communicating with other devices.
In a twelfth aspect, the present application also provides a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the method of the above-described aspects.
In a thirteenth aspect, the present application also provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of the above-described aspects.
In a fourteenth aspect, the present application further provides a computer chip, where the chip is connected to a memory, and the chip is used to read and execute a software program stored in the memory, and perform the method in the above aspects.
Drawings
FIG. 1 is a schematic diagram of the relationship between an application owner, a user and an accelerator card manufacturer according to the present application;
FIG. 2 is a block diagram of a system according to the present application;
FIG. 3 is a schematic diagram of an application publishing method provided in the present application;
FIG. 4 is a schematic diagram of an application publishing method provided in the present application;
FIG. 5 is a schematic diagram of an application publishing method provided in the present application;
FIG. 6 is a schematic diagram of an application publishing method provided in the present application;
FIG. 7 is a schematic structural diagram of an application issuing apparatus provided in the present application;
FIG. 8 is a schematic structural diagram of an application using device provided in the present application;
FIG. 9 is a schematic structural diagram of an AI model issuing device provided in the present application;
FIG. 10 is a schematic structural diagram of an AI model using apparatus provided in the present application;
FIG. 11 is a schematic structural diagram of a computing device provided in the present application.
Detailed Description
At present, in order to ensure the security of the application, when the application owner sends the application to the user, the application owner also provides a hardware encryption device to the user, and this manner is described as follows:
First, the application owner may read the hardware identifier of the server from the user's server and import the hardware identifier into the hardware encryption device; the application owner then triggers the hardware encryption device to generate key 1 and to save the hardware identifier of the server. The application owner encrypts the application using key 1 and delivers the encrypted application and the hardware encryption device to the user. The user imports the encrypted application into the server and connects the hardware encryption device to the server. The hardware encryption device obtains the hardware identifier of the server from the server and compares it with the stored hardware identifier of the server; after the two are determined to be consistent, the encrypted application is decrypted using key 1 in the hardware encryption device and is sent to the server in plaintext form. The server transmits the application to the accelerator card in plaintext form, and the accelerator card is triggered to run the application.
In the above manner, the application owner needs to provide a hardware encryption device, which increases the cost; in addition, after decryption the application is transmitted in plaintext, which increases the likelihood that the application will be stolen.
In order to reduce cost and improve application security, embodiments of the present application provide an application publishing method, an application using method, an AI model publishing method, and a device. Before these methods are described, some concepts involved in the embodiments of the present application are explained first.
(1) Application.
The application refers to a program set capable of implementing one or more functions, and the type of the application is not limited in the embodiment of the present application. For example, the application may be application software installed on a mobile terminal device, or a program instruction running on a server, and may also be a computational model used for artificial intelligence inference, that is, an AI model. The application in the embodiment of the application may be a cloud application deployed in a cloud, or may be an application local to a running device.
(2) Application owner, user and accelerator card manufacturer.
Referring to fig. 1, a schematic diagram of the relationship between an application owner, a user and an accelerator card manufacturer is shown.
The application owner is the party with the application ownership right, and the application owner can decide who can use the application and the period of using the application, namely who has the use right and the valid period of the application. In practical application, the owner of the application can provide the use right of the application in a selling or renting mode.
The user is a party that needs to use the application, and the user may apply to the application owner for the right to use the application. The manner of applying for the right to use the application is not limited here; for example, the right may be applied for in advance by email, may be applied for from the application owner through online negotiation, or may be obtained online by sending a request (for example, by sending an application authorization request in this embodiment of the application).
An accelerator card manufacturer refers to a party that produces an accelerator card, which is a hardware module capable of loading applications. The accelerator card has an independent computing capability and is capable of running a loaded application, and the embodiment of the present application does not limit the specific form of the accelerator card and the type of the application that can run on the accelerator card, for example, the accelerator card may be a peripheral component interconnect express (PCIe) expansion module, and has a capability of performing AI computation, and the accelerator card may also be a hardware module having another interface.
The accelerator card manufacturer can sell or lease the produced accelerator card to a user who needs to use the application or an application owner who has the application ownership right.
In the embodiment of the present application, the following two relationships may exist between the application owner, the user and the accelerator card manufacturer:
Relationship one, shown by a solid line in FIG. 1: an application owner may obtain (e.g., purchase or lease) an accelerator card from an accelerator card manufacturer and load an encrypted application into the accelerator card; a user then obtains the accelerator card loaded with the encrypted application from the application owner and applies to the application owner for the right to use the application. After the user has the accelerator card and has obtained the right to use the application, the accelerator card may decrypt the encrypted application and run the application.
It should be noted that, in relationship one, the user may apply to the application owner for the right to use the application in the manner mentioned above, or may apply for that right by applying to acquire the accelerator card loaded with the encrypted application. If the application owner gives the accelerator card to the user, it indicates that the user obtains the right to use the application; otherwise, the user does not obtain the right to use the application.
The operation of the accelerator card to decrypt the encrypted application may be executed by the accelerator card under the trigger of the user, after the user determines that the application needs to be used. For example, when a user needs to implement a certain function by using the application, the user may send a decryption instruction to the accelerator card, and after receiving the decryption instruction, the accelerator card may decrypt the encrypted application and run the application. For another example, a physical key (button) is arranged on the accelerator card, and the user can trigger the accelerator card to decrypt the encrypted application by pressing it. In this way, the user can decrypt the application as needed and instruct the accelerator card to run the application.
The operation of the accelerator card to decrypt the encrypted application may also be triggered by the application owner. For example, the application owner may verify the identity of the user and, after determining that the identity of the user is safe or that the user has the right to use the application, trigger the accelerator card to execute the operation of decrypting the encrypted application by means of an instruction or the physical key. Therefore, the user can directly run the application through the accelerator card without triggering the operation of decrypting the encrypted application by himself, which saves the user's time and gives a good use experience.
Relationship two: the user can obtain the accelerator card from the accelerator card manufacturer, and the user can also apply to the application owner for the right to use the application; after confirming the user's right to use the application, the application owner can load the encrypted application into the accelerator card obtained by the user. The accelerator card then decrypts the encrypted application and runs the application.
The operation of the accelerator card for decrypting the encrypted application may be automatically performed by the accelerator card after the accelerator card detects that the encrypted application is loaded to the accelerator card.
The operation of the accelerator card for decrypting the encrypted application may also be executed under the trigger of the user or the application owner, and the manner of triggering the accelerator card by the user or the application owner to decrypt the encrypted application may refer to the foregoing description, and is not described herein again.
It should be noted that, the embodiment of the present application is not limited to the manner in which the application owner loads the encrypted application to the accelerator card acquired by the user, for example, the application owner may directly load the encrypted application to the accelerator card acquired by the user without going through a third party. For another example, the application owner may also load the encrypted application into the accelerator card acquired by the user through the user, that is, the user acquires the encrypted application from the application owner, and then loads the encrypted application into the accelerator card by itself.
From the above description, no matter which of the above relationships is adopted among the application owner, the user and the accelerator card manufacturer, the application is encrypted during transmission, so that the security of the application during transmission can be ensured. In addition, the encrypted application is stored in the accelerator card, the decryption operation on the encrypted application is also executed in the accelerator card, and the application does not leave the accelerator card in plaintext form, which further ensures that the application cannot easily be stolen.
It should be noted that various operations performed by the application owner, the user and the accelerator card manufacturer mentioned in the embodiments of the present application may be performed by the application owner, the user and the accelerator card manufacturer themselves, or may be performed by the application owner, the user and the accelerator card manufacturer driving the computing device. For example, when the application owner loads the encrypted application to the accelerator card, the application owner may connect the accelerator card to the computing device storing the application, copy the encrypted application from the computing device to the accelerator card, and send a message carrying the encrypted application to the accelerator card through the computing device, so that the accelerator card obtains the encrypted application. The embodiments of the present application do not limit the manner in which various operations are performed by the owner, the user, and the accelerator card manufacturer.
(3) Key, public key, private key.
The key is used to encrypt or decrypt information. The key can be divided into an asymmetric key and a symmetric key, the asymmetric key means that the keys used for encryption and decryption are different, and the asymmetric key comprises two keys, a public key (public key) and a private key (private key). The public key is public and can be known by an owner or related personnel, the private key is private, and can be obtained only by the owner of the public-private key pair (namely, the public key and the private key). The public key and the private key are mutually corresponding, and information encrypted by the public key can be decrypted by the corresponding private key, and similarly, information encrypted by the private key can be decrypted by the corresponding public key.
In some application scenarios, some information may be signed (its essence is encryption) by using a private key to generate signature information, and the signature information may be securely verified by using a public key, so that it can be determined whether the signature information is generated by signature of the private key, thereby realizing verification of a party providing the signature information and confirming the integrity of the signed information.
In the embodiment of the present application, in order to distinguish between different public keys and private keys, they are respectively referred to as the first public key, the first private key, the second public key, the second private key, the third public key, and the third private key. The first public key and the first private key are corresponding, the second public key and the second private key are corresponding, and the third public key and the third private key are corresponding.
Symmetric keys mean that the keys used for encryption and decryption are the same. The embodiment of the present application is described by taking as an example the case in which the keys used for encrypting the application and the authorization information of the application (e.g., the first encryption key, the authorization key, the model encryption key) are symmetric keys. Of course, the keys used for encrypting the application and the authorization information of the application may also be asymmetric keys, in which case the application owner does not send the key used for encryption to the accelerator card, but needs to send the key corresponding to that key to the accelerator card.
(4) Certificate, root certificate.
The certificate is used for recording a public key, and the validity of the public key in the certificate can be determined through verification of the certificate.
Take as an example the case in which A needs to publish its own public key and B needs to acquire the public key of A. A may generate a certificate from its own public key (optionally, the certificate may also include identity information) and issue the certificate. Thus, if B can obtain the certificate, B obtains the public key of A from the certificate, and if the certificate includes the identity information, the identity information of A can also be read from the certificate. The type of the identity information is not limited here; for example, the identity information may be the address, identification, etc. of A. The certificate may further include signature information, by which the source of the public key in the certificate can be verified. For example, after B obtains the certificate, B may verify the signature information to determine whether the public key of A recorded in the certificate really comes from A. The embodiment of the present application does not limit the generation manner and the verification manner of the signature information; refer specifically to the related descriptions in steps 302 and 304 and steps 403 and 405.
In order to increase the credibility of the certificate, A may generate and issue the certificate through a trusted third party, such as a Certificate Authority (CA). A may send its public key (optionally, also identity information) to the third party, and the third party applies signature information to the public key of A to generate the certificate. B acquires the certificate from the third party or from A; after acquiring the certificate, B may verify the signature information on the certificate to determine the validity of the public key of A in the certificate and, after the verification passes, may acquire the public key of A from the certificate. The root certificate referred to in the embodiments of the present application may be generated by a third party. In this embodiment, the public key recorded in the root certificate may be referred to as the public key of the root certificate, and the private key corresponding to the public key of the root certificate is referred to as the private key of the root certificate.
In the embodiment of the present application, in order to distinguish the public keys and the signature information recorded in different certificates, the related different certificates and signature information are named as a first certificate and a second certificate, respectively. The first certificate comprises a first public key and first signature information. The second certificate includes a second public key and second signature information.
Fig. 2 is a schematic diagram of a system architecture provided in the embodiment of the present application, where the system architecture includes an accelerator card, an application owner (including a computing device used by the application owner), and a user (including a computing device used by the user).
The application owner may store the application, for example in a computing device used to store the application. The user may establish a connection with the accelerator card. The embodiment of the application does not limit the way in which the user establishes the connection with the accelerator card. For example, the user can establish a connection with the accelerator card in a wired or wireless manner; as another example, the accelerator card may be plugged into an interface of a computing device used by the user.
It should be noted that the embodiments of the present application do not limit the types and deployment locations of the computing devices used by the application owner and the computing devices used by the user. For example, the computing devices used by the application owner and the computing devices used by the user may be deployed in a central computing device system (including at least one cloud computing device, such as a server, a desktop computer, etc.) or may be deployed in an edge computing device system (including at least one edge computing device, such as a server, a desktop computer, etc.). The computing devices used by the application owner and by the user may also be deployed in other locations, for example on land (indoors or outdoors, hand-held or vehicle-mounted), on the water surface (such as on a ship), or in the air (such as on an airplane, a balloon, or a satellite).
The computing device used by the application owner and the computing device used by the user may be a server or a server cluster, and may also be a personal device, such as a mobile phone, a tablet computer (pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal, an Augmented Reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, and the like.
In the embodiment of the application, the application owner can perform security verification based on the application authorization request sent by the user. After the security verification passes, the encrypted application can be loaded to the accelerator card, and after the accelerator card obtains the encrypted application, it can decrypt the application for the user to use. Because the application owner sends the encrypted application to the accelerator card and the accelerator card itself decrypts and runs the application, the application owner does not need an additional hardware encryption device, and the cost can be greatly reduced. Because the accelerator card has a decryption function, the application does not need to be transmitted in plaintext, so the security of the application can be ensured and the possibility that the application is stolen is reduced.
Referring to fig. 3, the application issuing and using method provided by the embodiment of the present application is described below. The method includes two parts. The first is the process in which the application owner performs security verification based on an application authorization request sent by the user, shown in steps 301 to 305. The second is the process in which the application owner loads the encrypted application to the accelerator card and the accelerator card decrypts it to obtain the application, shown in steps 306 to 308. The method comprises the following steps:
Step 301: the accelerator card first obtains a first public key and a first private key, where the first public key corresponds to the first private key, and the accelerator card can store the first private key.
There are many ways for the accelerator card to obtain the first public key and the first private key, two of which are listed below:
In a first manner, the accelerator card may be preconfigured with the first public key and the first private key before it leaves the factory, or the accelerator card may generate the first public key and the first private key itself; for example, a chip in the accelerator card may generate the first public key and the first private key.
Before leaving the factory, the accelerator card may store the first private key, and in order to ensure the security of the first private key, the accelerator card may store the first private key in the nonvolatile memory of the accelerator card, or may encrypt the first private key first and then store the encrypted first private key, for example, store the encrypted first private key in the nonvolatile memory of the accelerator card. The key used by the accelerator card to encrypt the first private key is not limited here, and may be, for example, a root key, a derivative key of the root key, or another key. The root key may be randomly generated by the accelerator card, and the root key may be only accessed by the accelerator card in a trusted execution environment, so that the security of the root key may be ensured, and the derivative key of the root key is a key generated by the accelerator card based on the root key.
In a second manner, after the accelerator card leaves the factory and the user acquires it, the user may trigger the accelerator card to generate the first public key and the first private key. The manner in which the user triggers the generation is not limited here. For example, the user may send a key generation instruction to the accelerator card. As another example, a key 1 (a physical button) is provided on the accelerator card and is used to trigger generation of the first public key and the first private key; if the key 1 is a power-on button, the accelerator card may generate the first public key and the first private key after the power-on button is pressed. The accelerator card may further store the first private key; for the storage manner of the first private key, refer to the foregoing content, which is not repeated here.
If the application owner acquires the accelerator card, the application owner may trigger the accelerator card to generate the first public key and the first private key. The manner in which the application owner does so is similar to the manner in which the user does so; for details, refer to the foregoing content.
Step 302: the accelerator card acquires a first certificate, wherein the first certificate comprises a first public key and first signature information.
There are many ways for the accelerator card to obtain the first certificate, for example, the accelerator card may generate the first certificate itself or obtain the first certificate from other devices.
(1) The accelerator card generates the first certificate itself.
After obtaining the first public key and the first private key, the accelerator card may use the first signature private key to sign the first information and generate first signature information. The first information includes the first public key, and may also include device information of the accelerator card, for example, a device identifier of the accelerator card, a name or a number of a manufacturer of the accelerator card, and the like.
The first signature private key may be a preconfigured private key or a private key obtained from another device. It may be generated by a trusted third party, such as a CA, or by another device; the generation manner of the first signature private key is not limited here, and any private key from a secure source may be used as the first signature private key. For example, the first signature private key may be the private key of a root certificate, or may be another private key. The description here takes the first signature private key to be the private key of the root certificate, where the root certificate may be generated by a third party for an accelerator card manufacturer or for an accelerator card, and the private key of the root certificate may be configured in advance in the accelerator card, or may be obtained by the accelerator card on request from the accelerator card manufacturer.
Then, the accelerator card generates a first certificate based on the first public key and the first signature information.
(2) The accelerator card generates the first certificate when triggered by the user.
When the user determines that the application authorization request needs to be sent to the application owner, the user can send a signature generation instruction to the accelerator card. After receiving the signature generation instruction, the accelerator card signs the first information by using the first signature private key (such as the private key of the root certificate) to generate the first signature information. Then, the accelerator card generates the first certificate based on the first public key and the first signature information. As another example, a key 2 (a physical button) is provided on the accelerator card and is used to trigger generation of the first certificate; if the key 2 is also the power-on button, then after the power-on button is pressed, the accelerator card may generate the first public key and the first private key, and then generate the first certificate.
Of course, the accelerator card may also generate the first certificate when triggered by the application owner. For example, if the application owner acquires the accelerator card, then after triggering the accelerator card to generate the first public key and the first private key, the application owner may trigger the accelerator card to generate the first certificate. The manner in which the application owner triggers generation of the first certificate is similar to the manner in which the user does so; for details, refer to the foregoing content.
(3) The accelerator card acquires the first certificate from another device.
The first certificate may be configured in the accelerator card by the accelerator card manufacturer. For example, after the accelerator card generates the first public key and the first private key, the accelerator card manufacturer may read the first public key from the accelerator card by using a related computing device, and encrypt first information including the first public key by using the first signature private key (a private key of a root key) to generate the first signature information. The accelerator card manufacturer may generate the first certificate itself from the first public key and the first signature information, or may request a third party to generate the first certificate according to the first public key and the first signature information; the third party sends the first certificate to the accelerator card manufacturer, which then loads the first certificate into the accelerator card.
It should be noted that step 302 is described using the example in which the first signature information is generated by signing the first information with the private key of the root certificate. In practical applications, the first signature information may also be generated in other manners. For example, the first public key included in the first certificate may be an encrypted first public key, where the key required to decrypt the encrypted first public key is key #1, and the first signature information may be generated by signing key #1 (and optionally the device information of the accelerator card) with the private key of the root certificate. When the first signature information is generated, the first signature private key may also be another private key, such as a key generated based on the private key of the root certificate. The key corresponding to the first signature private key, that is, the key used for performing security verification on the first signature information, may be obtained by the application owner from a trusted party.
Step 303: the accelerator card issues the first certificate, and the user acquires the first certificate from the accelerator card.
Step 304: after obtaining the first certificate, the user sends an application authorization request to the application owner, where the application authorization request carries the first certificate.
In order to obtain the application from the application owner, the user needs to apply to the application owner for authorization to use the application, that is, for the right to use the application. To do so, the user sends an application authorization request to the computing device of the application owner.
Step 305: after the application owner receives the application authorization request sent by the user, the application owner performs security verification on the first signature information.
How the application owner performs security verification on the first signature information depends on how the first signature information was generated; different generation manners require different verification manners.
The following describes a manner in which the application owner performs security verification on the first signature information based on the first signature information generated in step 302:
The application owner verifies the first signature information by using the public key corresponding to the first signature private key (such as the public key of the root certificate). The application owner is able to obtain this public key; for example, when the first signature private key is the private key of the root certificate, the corresponding public key is the public key of the root certificate. The manner of obtaining the public key is not limited here: it may be obtained after the application owner receives the application authorization request, or it may be pre-loaded locally at the application owner, so that the first signature information can be verified more quickly when an application authorization request is subsequently received.
Optionally, after the application owner successfully verifies the first signature information, an application authorization success response may be sent to the user.
The application owner performs security verification on the first signature information, and can determine whether the first signature information is from the accelerator card, and further determine whether the first public key is from the accelerator card and not a forged first public key provided by the user.
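The check in step 305, as an added Go example that is not part of the patent text. Ed25519 as the first signature private key, an RSA first key pair, the certificate layout, and all names and values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// FirstCertificate carries the first public key, device information and the
// first signature information. The layout is an assumption for this example.
type FirstCertificate struct {
	DeviceID       string
	FirstPublicKey []byte // PKIX DER encoding of the card's first public key
	Signature      []byte // first signature information
}

// firstInformation builds the byte string that is signed. The device ID is
// length-prefixed so the two fields cannot be shifted into each other.
func firstInformation(deviceID string, pubDER []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(deviceID), deviceID)), pubDER...)
}

// Issue signs the first information with the first signature private key.
func Issue(signer ed25519.PrivateKey, deviceID string, first *rsa.PublicKey) (*FirstCertificate, error) {
	der, err := x509.MarshalPKIXPublicKey(first)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signer, firstInformation(deviceID, der))
	return &FirstCertificate{DeviceID: deviceID, FirstPublicKey: der, Signature: sig}, nil
}

// Verify is the application owner's check in step 305. The first public key is
// returned only if the signature verifies under the trusted public key.
func Verify(trusted ed25519.PublicKey, c *FirstCertificate) (*rsa.PublicKey, error) {
	if !ed25519.Verify(trusted, firstInformation(c.DeviceID, c.FirstPublicKey), c.Signature) {
		return nil, errors.New("first signature information does not verify")
	}
	key, err := x509.ParsePKIXPublicKey(c.FirstPublicKey)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("first public key is not an RSA key")
	}
	return pub, nil
}

// Demo runs the exchange with constructed keys. It reports whether the genuine
// certificate was accepted and whether altered certificates were rejected.
func Demo() (bool, bool, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	card, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	cert, err := Issue(rootPriv, "CARD-0001", &card.PublicKey) // constructed device ID
	if err != nil {
		return false, false, err
	}
	got, err := Verify(rootPub, cert)
	accepted := err == nil && got.Equal(&card.PublicKey)

	// Same certificate with a public key that did not come from the card.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	swapped := *cert
	if swapped.FirstPublicKey, err = x509.MarshalPKIXPublicKey(&other.PublicKey); err != nil {
		return false, false, err
	}
	_, keyErr := Verify(rootPub, &swapped)

	// Same certificate with different device information.
	renamed := *cert
	renamed.DeviceID = "CARD-9999"
	_, idErr := Verify(rootPub, &renamed)
	return accepted, keyErr != nil && idErr != nil, nil
}

func main() {
	accepted, rejected, err := Demo()
	fmt.Println("genuine first certificate accepted:", accepted)
	fmt.Println("altered certificates rejected:", rejected, err)
}
```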
Steps 301 to 305 are described using the example in which the accelerator card sends the first certificate to the user. In practical applications, the accelerator card may also send the first certificate directly to the application owner, and the application owner then performs security verification on the first signature information. In this case too, the application owner can determine through the security verification of the first signature information whether the public key in the first certificate is from the accelerator card, and thereby verify the reliability of the first public key.
If the application owner can load the encrypted application directly into the accelerator card, for example because the application owner obtained the accelerator card from an accelerator card manufacturer, or if the application owner trusts the accelerator card manufacturer, steps 301 to 305 may not be executed.
The encrypted application may then be passed between the application owner and the accelerator card.
Step 306: after the security verification passes, the application owner encrypts the application.
Step 307: the application owner loads the encrypted application into the accelerator card.
Step 308: the accelerator card receives the encrypted application and decrypts it to obtain the application.
In steps 306 to 308, the encrypted application is transferred between the application owner and the accelerator card, and the embodiment of the present application does not limit the manner in which the encrypted application is transferred between the application owner and the accelerator card.
For example, after the application owner acquires the first public key, the application owner may directly encrypt the application by using the first public key, and send the encrypted application to the accelerator card. After obtaining the encrypted application, the accelerator card may decrypt the application using the first private key.
As another example, the application owner may generate a key for encrypting the application, referred to as a first encryption key for convenience of description. The application owner encrypts the application using the first encryption key, and transfers the encrypted application and the first encryption key to the accelerator card in a relatively secure manner.
For example, the application owner may encrypt the first encryption key by using the first public key, and then send the encrypted first encryption key to the accelerator card; for another example, the application owner may encrypt the first encryption key using the second public key obtained from the accelerator card or generated by itself, and then send the encrypted first encryption key to the accelerator card.
As another example, the application owner may generate the second public key and the second private key by itself, encrypt the application using the second public key, and then send the second private key to the accelerator card in a secure manner.
For example, the application owner may encrypt the second private key with the first public key and then send the encrypted second private key to the accelerator card.
The way in which the application owner transfers the encrypted application to the accelerator card by means of the first encryption key and a second public key generated by the accelerator card is further described below with reference to fig. 4. In fig. 4, the first encryption key is taken to be a symmetric key for illustration. If the first encryption key is not a symmetric key, the transmission manner is similar, except that the application owner needs to encrypt the key corresponding to the first encryption key (that is, the key required for decrypting the encrypted application) and transmit the encrypted key.
Step 401: the accelerator card generates a second public key and a second private key.
The embodiment of the application does not limit the way in which the accelerator card generates the second public key and the second private key. For example, the accelerator card may generate the second public key and the second private key on its own initiative, directly after sending the first certificate to the user. As another example, the accelerator card may generate the second public key and the second private key when triggered by the application owner or the user. For example, after receiving an authorization request response sent by the application owner, or after determining that the security verification by the application owner has passed, the user may send an instruction to the accelerator card to instruct it to generate the second public key and the second private key. As another example, after the security verification passes, the application owner may communicate with the accelerator card and send an instruction to instruct it to generate the second public key and the second private key.
Step 402: the accelerator card generates second signature information, and generates a second certificate according to the second signature information and the second public key.
When generating the second signature information, the accelerator card may use a second signature private key to sign second information. The second information may include the second public key, or may include other information. For example, if the second public key in the second certificate is an encrypted second public key, and the key required for decrypting the encrypted second public key is key #2, the second information may also include key #2. The embodiment of the present application does not limit the content included in the second information, and the above manner is merely an example.
The second signature private key may be a preconfigured private key, such as the first private key, or a private key obtained from another device; it may be generated by a trusted third party, such as a CA, or by another device. The specific type of the second signature private key is not limited here, and any private key originating from a trusted authority or device may be used as the second signature private key.
Step 403: the accelerator card issues the second certificate, and the user acquires the second certificate from the accelerator card.
Step 404: the user sends the second certificate to the application owner.
It should be noted that in steps 403 to 404 the accelerator card sends the second certificate to the application owner through the user. If the accelerator card can communicate directly with the application owner, for example because the application owner obtained the accelerator card from the accelerator card manufacturer or because the user handed the accelerator card to the application owner, the application owner can obtain the second certificate directly from the accelerator card.
Step 405: after the application owner acquires the second certificate, the application owner performs security verification on the second signature information.
When the application owner performs security verification on the second signature information, the application owner can verify the second signature information by using the public key corresponding to the second signature private key. For example, if the second signature private key is the first private key, the public key corresponding to the second signature private key is the first public key.
Step 406: after the security verification passes, the application owner acquires the second public key according to the second certificate.
Steps 401 to 406 are the process by which the application owner acquires the second public key from the accelerator card. After acquiring the second public key, the application owner may send the encrypted application to the accelerator card; that is, steps 401 to 406 may be executed between step 305 and step 306.
Step 407: the application owner generates a first encryption key, encrypts the application by using the first encryption key, and encrypts the first encryption key by using the second public key.
Step 407 is one implementation of step 306, where the key used for encrypting the application is the first encryption key.
Optionally, before step 407 is executed, in order to ensure that the application is not tampered with or damaged and to ensure the integrity and validity of the application, the application owner may first sign the application by using a pre-generated or stored third private key (which may also be referred to as performing signature protection) to generate third signature information, and then encrypt the third signature information by using the first encryption key. When the encrypted third signature information is later processed, it is first decrypted by using the first encryption key and then verified by using the third public key. Similarly, in order to ensure the integrity and validity of the first encryption key, the application owner may also sign the first encryption key with the third private key to generate first key signature information, and then encrypt the first key signature information with the second public key, where the encrypted first key signature information includes the encrypted first encryption key.
The third private key is a key which can only be obtained by an application owner, and other equipment cannot obtain the third private key. The public key corresponding to the third private key is a third public key, and the third public key is public and can be acquired by other devices.
Optionally, after the application owner encrypts the application (or the third signature information) by using the first encryption key, the application owner may further sign the encrypted application (or the encrypted third signature information) by using the third private key to generate fourth signature information, or sign the encrypted first encryption key (or the encrypted first key signature information) by using the third private key to generate second key signature information.
The processing procedure of the application is as follows:
1. Sign the application by using the third private key to generate third signature information.
2. Encrypt the third signature information by using the first encryption key.
3. Sign the encrypted third signature information by using the third private key to generate fourth signature information.
The processing procedure of the first encryption key is as follows:
1. Sign the first encryption key by using the third private key to generate first key signature information.
2. Encrypt the first key signature information by using the second public key.
3. Sign the encrypted first key signature information by using the third private key to generate second key signature information.
It should be noted that signing the application and the first encryption key with the third private key is only an example. Other trusted private keys may also be used for signing, and the private key used for signing the encrypted third signature information may differ from the private key used for signing the encrypted first key signature information, which is not limited in this application.
Besides sending the encrypted application and the encrypted first encryption key to the accelerator card, the application owner can also send authorization information of the application to the accelerator card, wherein the authorization information of the application is used for indicating the legality of the application. The authorization information of the application may include device information of the accelerator card for indicating that only the accelerator card identified by the device information can use the application. Optionally, the authorization information of the application further includes related information of the application, such as an identifier of the application, an expiration date of the application, and the number of times of decryption on the application.
For convenience of description, the key used by the application owner to encrypt the authorization information of the application is referred to as an authorization key. For example, the authorization key may be the second public key, may be the first public key, or may be a key generated by the computing device of the application owner for encrypting the authorization information of the application. The authorization key may or may not be a symmetric key. In this embodiment of the application, the authorization key is taken to be a symmetric key as an example, and the manner in which the application owner transfers the authorization key is similar to the manner in which the application owner transfers the first encryption key; that is, the authorization key may be encrypted with the second public key and then sent to the accelerator card. If the authorization key is not a symmetric key, the transfer is similar, except that the application owner needs to encrypt the key corresponding to the authorization key and import the encrypted key corresponding to the authorization key into the accelerator card.
Optionally, before the application owner encrypts the authorization information of the application, the third private key may also be used to sign the authorization information of the application; after the application owner encrypts the authorization information of the application (or the authorization information of the signed application), the authorization information of the encrypted application (or the authorization information of the encrypted signed application) may also be signed by using the third private key.
The processing procedure of the authorization information of the application is as follows:
1. Sign the authorization information of the application by using the third private key to generate first signature authorization information.
2. Encrypt the first signature authorization information by using the authorization key.
3. Sign the encrypted first signature authorization information by using the third private key to generate second signature authorization information.
The encrypted application (or the encrypted third signature information), the encrypted first encryption key (or the encrypted first key signature information), and the encrypted authorization information of the application (or the encrypted first signature authorization information) are signed in order to ensure their integrity and to prevent them from being damaged or maliciously tampered with during transmission. That is to say, the third public key is used to verify the encrypted application, the encrypted first encryption key, and the encrypted authorization information of the application. If the verification fails, they have been damaged or maliciously tampered with, so damage or tampering can be discovered in time.
In addition, the signing of the application authorization information and the encrypted first signature authorization information by using the third private key is only an example, and actually, other trusted private keys may be used for signing, and the private key used for signing the application authorization information and the private key used for signing the encrypted first signature authorization information may also be different, which is not limited in the present application.
Step 408: the application owner loads the encrypted application and the encrypted first encryption key to the accelerator card. The application owner can also load the authorization information of the application or the encrypted authorization information of the application to the accelerator card. Step 408 is one implementation of step 307.
If, before encrypting the application and the first encryption key, the application owner also signed the application, the first encryption key, and the authorization information of the application (which may also be referred to as signature protection), the computing device of the application owner may send the encrypted third signature information, the encrypted first key signature information, and the signed first signature authorization information to the accelerator card when performing step 408.
If, after encrypting the application and the first encryption key, the application owner also signed the encrypted application, the encrypted first encryption key, and the authorization information of the application, the computing device of the application owner may send the fourth signature information, the second key signature information, and the second signature authorization information to the accelerator card when performing step 408.
When the application owner performs step 408, the application owner may send the encrypted application and the encrypted first encryption key to the accelerator card through the user, that is, the application owner may first transmit the encrypted application and the encrypted first encryption key (the encrypted third signature information and the encrypted first key signature information, or the fourth signature information and the second key signature information) to the user, and then the user loads the encrypted application and the encrypted first encryption key into the accelerator card. The application owner or user may also load a third public key into the accelerator card. The application owner can also directly send the encrypted application and the encrypted first encryption key to the accelerator card.
Step 409: after the accelerator card receives the encrypted application and the encrypted first encryption key, the second private key can be used for decrypting the encrypted first encryption key to obtain the first encryption key, and then the first encryption key is used for decrypting the encrypted application to obtain the application. Step 409 is one implementation of step 308.
In step 409, the decryption process of the application is executed inside the accelerator card, and the user cannot obtain the application, that is, the application is not transmitted to a device outside the accelerator card in a plaintext form, and is only stored inside the accelerator card, so as to avoid being obtained by the user or other parties, and effectively ensure the security of the application.
Optionally, the accelerator card may decrypt the encrypted authorization key by using the second private key to obtain the authorization key, and decrypt the encrypted authorization information of the application by using the authorization key to obtain the authorization information of the application.
Optionally, if the encrypted application, the encrypted first encryption key, and the encrypted authorization information of the application are signature-protected by the application owner, the accelerator card may first use the third public key to verify the integrity of the fourth signature information, the second key signature information, and the second signature authorization information, and execute step 409 after the verification passes; that is, it obtains the first encryption key according to the second private key and the second key signature information, obtains the application according to the fourth signature information and the first encryption key, and obtains the authorization information of the application according to the second signature authorization information and the second private key.
If the application owner performs signature protection on the application and the authorization information of the application before encryption, then after performing step 409 the accelerator card may use the third public key to verify the integrity of the third signature information and the first signature authorization information.
After obtaining the authorization information of the application, the accelerator card may also verify the validity of the application according to that authorization information. The checks include but are not limited to: comparing the device ID of the accelerator card in the authorization information with the ID stored in the accelerator card, checking whether the current time falls within the validity period, and checking whether the number of times the application has been decrypted is less than the decryption count in the authorization information. After the validity verification passes, the accelerator card decrypts the encrypted application by using the first encryption key, and obtains and uses the application.
After acquiring the application, the accelerator card can load and run it: the accelerator card can allocate memory for the application and store the application in that memory, and can also run the application and perform operations by using it. For example, the accelerator card may run the application when triggered by the user.
The application owner can also update the authorization information of the application, change the identification of the application, the valid period of the application, the decryption times of the application and the like. After updating the authorization information of the application, the application owner may also load the updated authorization information of the application into the accelerator card, and the application owner may directly load the updated authorization information of the application into the accelerator card, or may perform similar processing (such as signing and encrypting) on the updated authorization information of the application by using the processing method for the application authorization information in the foregoing content, and then load the updated authorization information of the application into the accelerator card. The accelerator card may obtain the updated authorization information of the application in a corresponding manner (e.g., integrity check and decryption), and verify the validity of the application according to the updated authorization information.
In the embodiment shown in fig. 4, the second public key and the second private key are generated by the accelerator card, which needs to pass the second public key to the application owner. As another possible implementation, the second public key and the second private key may also be generated by the application owner. This embodiment is described below. Referring to fig. 5, an application publishing method provided in an embodiment of the present application includes:
Step 501: the application owner generates a second public key and a second private key. The embodiment of the present application does not limit the way in which the application owner generates the second public key and the second private key.
Step 502: the application owner encrypts the second private key with the first public key.
Step 503: the application owner sends the encrypted second private key to the accelerator card.
The application owner can directly load the encrypted second private key into the accelerator card, and can also send the encrypted second private key to the accelerator card through the user, namely, the encrypted second private key is sent to the user, and then the user loads the encrypted second private key into the accelerator card.
Step 504: the accelerator card decrypts the encrypted second private key by using the first private key to obtain the second private key.
Steps 501 to 504 are the process by which the application owner sends the second private key to the accelerator card. After the application owner generates the second public key and imports the second private key into the accelerator card, the encrypted application may be sent to the accelerator card; that is, steps 501 to 504 may be executed between step 305 and step 306.
Step 505: the same as steps 407 to 409; refer to the foregoing description, which is not repeated here.
An AI model publishing method provided in the embodiments of the present application is described below, taking the case where the application is an AI model as an example; refer to fig. 6. The method comprises the following steps:
Step 601: the AI model owner acquires the model key and encrypts the AI model according to the model key. The AI model owner encrypts the AI model according to the model key in a manner similar to the way in which the AI model owner encrypts the application by using the first encryption key in step 407; refer to the foregoing description, which is not repeated here.
Optionally, before and after the AI model owner encrypts the AI model according to the model key, signature protection may also be performed, and signature protection performed before and after the AI model owner encrypts the AI model according to the model key is similar to signature protection performed before and after the AI model owner encrypts the application by using the first encryption key.
The mode of obtaining the model key is not limited here, and the AI model owner may generate the model key by itself or may obtain the model key from another device.
Step 602: the AI model owner acquires the encryption key and encrypts the model key according to the encryption key.
The type of the encryption key is not limited, and the encryption key may be a key obtained from the accelerator card in advance, such as a first public key and a second public key that can be generated by the accelerator card. The manner in which the AI model owner obtains the first public key and obtains the second public key generated by the accelerator card can be referred to the relevant description in the embodiments shown in fig. 3 and 4. The encryption key may also be a second public key generated by the AI model owner, and a manner for the AI model owner to generate the second public key and send the second private key to the accelerator card may refer to the relevant description in the embodiment shown in fig. 5, which is not described herein again.
Step 603: the AI model owner loads the encrypted AI model and the encrypted model key into the accelerator card.
Besides loading the encrypted AI model and the encrypted model key into the accelerator card, the AI model owner may also load authorization information of the AI model into the accelerator card, where a manner in which the AI model owner loads the authorization information of the AI model into the accelerator card is similar to a manner in which the AI model owner loads the authorization information of the application into the accelerator card in the embodiment shown in fig. 4, and details of the method may be found in the foregoing description and are not repeated here.
Step 604: the accelerator card decrypts the encrypted model key by using the key corresponding to the encryption key to obtain the model key, and then decrypts the encrypted AI model by using the model key to obtain the AI model.
If the encryption key is the first public key, the key corresponding to the encryption key is the first private key, and if the encryption key is the second public key, the key corresponding to the encryption key is the second private key.
Optionally, the accelerator card may further obtain the authorization information of the AI model, and a manner of obtaining the authorization information of the AI model by the accelerator card is similar to a manner of obtaining the authorization information of the application by the accelerator card in the embodiment shown in fig. 4, which is specifically referred to the foregoing description and is not described herein again.
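The flow of steps 407 to 409 with the optional signature and authorization checks (steps 601 to 604 follow the same pattern, with the model key in place of the first encryption key), as an added Go example that is not code from the patent. Assumptions, since the text names no algorithms or formats: RSA-OAEP for the second key pair, AES-256-GCM for the first encryption key and the authorization key, Ed25519 for the owner's (third) key pair, and JSON authorization information with Unix-second validity bounds; `Publish`, `Load`, `Bundle`, `Authorization`, `Card` and all sample values are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

var rng = rand.Reader // randomness source for key generation and OAEP padding

// Authorization carries the fields the text names: card ID, validity period, decryption count.
type Authorization struct {
	DeviceID            string
	NotBefore, NotAfter int64 // Unix seconds (assumed encoding)
	MaxDecrypts         int
}
// Bundle is what the owner loads into the card: two ciphertexts, their wrapped keys, a signature.
type Bundle struct{ EncApp, AppKey, EncAuth, AuthKey, Sig []byte }
// Card holds the second private key, the owner's (third) public key and a decryption counter.
type Card struct {
	ID       string
	Priv     *rsa.PrivateKey
	OwnerPub ed25519.PublicKey
	used     int
}

// msg is the signed message: hex fields with separators, so field boundaries cannot be shifted.
func (b *Bundle) msg() []byte { return []byte(fmt.Sprintf("%x|%x|%x|%x", b.EncApp, b.AppKey, b.EncAuth, b.AuthKey)) }

// seal encrypts pt under a fresh AES-256-GCM key and wraps that key for the card with RSA-OAEP.
func seal(pub *rsa.PublicKey, pt []byte) (ct, wrapped []byte, err error) {
	buf := make([]byte, 32+12) // one-time key, then the GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	blk, _ := aes.NewCipher(buf[:32]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(blk)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rng, pub, buf[:32], nil)
	return aead.Seal(buf[32:], buf[32:], pt, nil), wrapped, err
}

// open unwraps the key with the card's private key, then decrypts and authenticates ct.
func (c *Card) open(ct, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rng, c.Priv, wrapped, nil)
	if err != nil || len(key) != 32 || len(ct) < 12 {
		return nil, errors.New("unwrap failed")
	}
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	return aead.Open(nil, ct[:12], ct[12:], nil)
}

// Publish is the owner side (steps 407-408): encrypt, wrap both keys, then sign the ciphertexts.
func Publish(cardPub *rsa.PublicKey, ownerKey ed25519.PrivateKey, app []byte, auth Authorization) (b Bundle, err error) {
	raw, _ := json.Marshal(auth) // cannot fail for this plain struct
	if b.EncApp, b.AppKey, err = seal(cardPub, app); err == nil {
		b.EncAuth, b.AuthKey, err = seal(cardPub, raw)
	}
	b.Sig = ed25519.Sign(ownerKey, b.msg())
	return b, err
}

// Load is the card side (step 409): verify first, check authorization, decrypt the app last.
func (c *Card) Load(b *Bundle, now int64) ([]byte, error) {
	if !ed25519.Verify(c.OwnerPub, b.msg(), b.Sig) {
		return nil, errors.New("signature check failed")
	}
	var auth Authorization
	raw, err := c.open(b.EncAuth, b.AuthKey)
	if err != nil || json.Unmarshal(raw, &auth) != nil {
		return nil, errors.New("authorization unreadable")
	}
	switch {
	case auth.DeviceID != c.ID:
		return nil, errors.New("authorization is for another card")
	case now < auth.NotBefore || now > auth.NotAfter:
		return nil, errors.New("outside validity period")
	case c.used >= auth.MaxDecrypts:
		return nil, errors.New("decryption count exhausted")
	}
	c.used++ // counted before any plaintext is released
	return c.open(b.EncApp, b.AppKey)
}

func main() {
	pub, ownerKey, _ := ed25519.GenerateKey(rng)
	priv, _ := rsa.GenerateKey(rng, 2048)
	card := &Card{ID: "card-01", Priv: priv, OwnerPub: pub}
	b, _ := Publish(&priv.PublicKey, ownerKey, []byte("constructed model bytes"), Authorization{"card-01", 100, 200, 1})
	app, err := card.Load(&b, 150) // constructed clock value inside the validity period
	_, again := card.Load(&b, 150) // second load exceeds the permitted count
	fmt.Printf("%q %v | %v\n", app, err, again)
}
```

The counter lives in process memory here; for the limit to hold across resets, a card would need to keep it in storage the user cannot roll back.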
Based on the same inventive concept as the method embodiment, an embodiment of the present application further provides an application issuing apparatus, configured to execute the method executed by the application owner in the method embodiment, and related features may refer to the method embodiment described above, which are not described herein again, as shown in fig. 7, where the application issuing apparatus 700 includes a receiving unit 701, a verifying unit 702, an encrypting unit 703, and a loading unit 704.
A receiving unit 701, configured to receive an application authorization request sent by the user, where the application authorization request carries a first certificate, where the first certificate includes a first public key and first signature information from the accelerator card.
A verification unit 702, configured to perform security verification on the first signature information.
An encryption unit 703, configured to encrypt the application after the security verification of the verification unit is passed.
A loading unit 704, configured to load the encrypted application into the accelerator card.
The application issuing apparatus 700 may be configured to execute the method executed by the application owner in fig. 3 to 5, where the receiving unit 701 may execute the method of receiving the application authorization request by the application owner in step 304 in the embodiment shown in fig. 3; the verification unit 702 may perform step 305 as in the embodiment shown in fig. 3. The encryption unit 703 may perform step 306 in the embodiment shown in fig. 3; the loading unit 704 may perform step 307 in the embodiment shown in fig. 3.
Based on the same inventive concept as the method embodiment, an embodiment of the present application further provides an application using apparatus, configured to execute the method executed by the accelerator card in the foregoing method embodiment, and related features may refer to the foregoing method embodiment and are not described herein again, as shown in fig. 8, where the application using apparatus 800 includes an obtaining unit 801, a sending unit 802, and a decrypting unit 803.
An obtaining unit 801, configured to obtain a first certificate, where the first certificate includes a first public key and first signature information, and store a first private key corresponding to the first public key.
A sending unit 802, configured to issue the first certificate, so that the application owner performs security verification on the producer according to the first certificate.
The obtaining unit 801 is further configured to receive and load the encrypted application sent by the application owner after the security verification passes.
A decryption unit 803, configured to decrypt and obtain the application.
The application using apparatus 800 may be used for executing the method executed by the accelerator card shown in fig. 3 to 5, wherein the obtaining unit 801 may execute step 301 and step 302 in the embodiment shown in fig. 3; the sending unit 802 may perform the issuing of the first certificate by the accelerator card in step 303 in the embodiment shown in fig. 3; the decryption unit 803 may perform step 308 in the embodiment shown in fig. 3.
Based on the same inventive concept as the method embodiment, an AI model publishing device is further provided in the embodiment of the present application, configured to execute the method executed by the AI model owner in the method embodiment, and relevant features may refer to the method embodiment, which are not described herein again, as shown in fig. 9, where the AI model publishing device 900 includes an obtaining unit 901, an encrypting unit 902, and a loading unit 903; optionally, a verification unit 904 may also be included.
An obtaining unit 901, configured to obtain a model key and obtain an encryption key.
An encryption unit 902, configured to encrypt the AI model according to the model key and encrypt the model key according to the encryption key, where the encryption key is generated by the accelerator card and verified by the AI model owner.
A loading unit 903, configured to load the encrypted AI model and the encrypted model key into the accelerator card.
The above-described AI model issuing apparatus 900 may be configured to execute the method performed by the AI model owner in fig. 6, wherein the obtaining unit 901 may execute the method for the AI model owner to obtain the model key and obtain the encryption key as in step 601 and step 602 in the embodiment shown in fig. 6; the encryption unit 902 may perform the encryption method performed by the AI model owner in step 601 and step 602 in the embodiment shown in fig. 6; the loading unit 903 may perform step 603 in the embodiment shown in fig. 6. The verification unit 904 may also verify the first signature information in the first certificate and the second signature information in the second certificate from the accelerator card.
Based on the same inventive concept as the method embodiment, an AI model using apparatus is further provided in the embodiment of the present application, and is used for executing the method executed by the accelerator card in the above method embodiment, and related features may refer to the above method embodiment, and are not described herein again, as shown in fig. 9, the AI model using apparatus 1000 includes an obtaining unit 1001 and a decrypting unit 1002, and optionally, may further include a sending unit 1003.
An obtaining unit 1001 is configured to receive the encrypted AI model and the encrypted model key.
A decryption unit 1002, configured to decrypt the encrypted model key with a stored key corresponding to the encryption key to obtain the model key, and then decrypt the encrypted AI model with the model key to obtain the AI model.
The AI model using apparatus 1000 may be configured to execute the method executed by the accelerator card shown in fig. 6, wherein the obtaining unit 1001 may execute the method of obtaining the encrypted AI model and the encrypted model key by the accelerator card in step 603 in the embodiment shown in fig. 6; decryption unit 1002 may perform step 604 in the embodiment shown in fig. 6. The transmitting unit 1003 may also issue the first certificate and the second certificate.
It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation. The functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application in essence, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
In a simple embodiment, those skilled in the art can appreciate that the AI model owner, the application owner, and the accelerator card in the above embodiments can all adopt the form shown in fig. 11.
The device 1100 shown in fig. 11 includes at least one processor 1110, memory 1120, and optionally a communication interface 1130.
The memory 1120 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory such as, but not limited to, a read-only memory, a flash memory, a Hard Disk Drive (HDD) or a solid-state drive (SSD), or the memory 1120 is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1120 may be a combination of the above.
The specific connection medium between the processor 1110 and the memory 1120 is not limited in the embodiments of the present application.
In the device of fig. 11, a communication interface 1130 is also included, and the processor 1110 can perform data transmission through the communication interface 1130 when communicating with other devices.
When the application owner takes the form shown in fig. 11, processor 1110 in fig. 11 may cause device 1100 to perform the methods performed by the application owner in any of the above-described method embodiments by invoking computer-executable instructions stored in memory 1120; for example, the device 1100 may perform the methods performed by the application owner in the method embodiments shown in fig. 3-5.
In particular, the functions/implementation processes of the loading unit, the obtaining unit, the verifying unit and the encrypting unit in fig. 7 can be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120. Alternatively, the functions/implementation processes of the verifying unit and the encrypting unit in fig. 7 may be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120, and the functions/implementation processes of the loading unit and the obtaining unit in fig. 7 may be implemented by the communication interface 1130 in fig. 11.
When the accelerator card takes the form shown in fig. 11, the processor 1110 in fig. 11 may cause the device 1100 to perform the method performed by the accelerator card in any of the above-described method embodiments by calling the computer-executable instructions stored in the memory 1120; for example, the device 1100 may perform the methods performed by the accelerator card in the method embodiments shown in fig. 3-6.
In particular, the functions/implementation processes of the acquiring unit, the sending unit and the decrypting unit in fig. 8 and 10 can be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120. Alternatively, the functions/implementation processes of the decrypting unit in fig. 8 and 10 may be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120, and the functions/implementation processes of the sending unit and the acquiring unit in fig. 8 and 10 may be implemented by the communication interface 1130 in fig. 11.
When the AI model owner takes the form shown in fig. 11, processor 1110 in fig. 11 may cause device 1100 to perform the method performed by the application owner in any of the above method embodiments by calling computer-executable instructions stored in memory 1120; the device 1100 may perform the method performed by the AI model owner in the method embodiment shown in fig. 6.
In particular, the functions/implementation processes of the loading unit, the obtaining unit, the verifying unit and the encrypting unit in fig. 11 can be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120. Alternatively, the functions/implementation processes of the verifying unit and the encrypting unit in fig. 11 may be implemented by the processor 1110 in fig. 11 calling the computer-executable instructions stored in the memory 1120, and the functions/implementation processes of the loading unit and the obtaining unit in fig. 11 may be implemented by the communication interface 1130 in fig. 11.
It should be appreciated that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (72)

1. An application issuing method, wherein an application owner loads an application into an accelerator card to issue to a user, the method comprising:
receiving an application authorization request sent by the user, wherein the application authorization request carries a first certificate, and the first certificate comprises a first public key and first signature information from the accelerator card;
performing security verification on the first signature information, and encrypting the application after the security verification is passed;
and loading the encrypted application into the accelerator card.
2. The method of claim 1, wherein encrypting the application comprises:
acquiring the first public key in the first certificate, and encrypting the application by adopting the first public key.
3. The method of claim 1, wherein prior to encrypting the application, the method further comprises:
acquiring a second certificate generated by the accelerator card, wherein the second certificate comprises a second public key and second signature information generated by the accelerator card,
carrying out security verification on the second signature information, and starting an encryption process of the application after the security verification is successful;
the encrypting the application comprises: acquiring the second public key in the second certificate, and encrypting the application by adopting the second public key.
4. The method of claim 3, wherein the second signature information is obtained by encrypting with the first private key, and the performing the security verification on the second signature information comprises: performing security verification on the second signature information according to the first public key.
5. The method of claim 1, wherein encrypting the application comprises:
generating a second public key and a second private key;
and encrypting the application by adopting the second public key, and sending the second private key to the accelerator card.
6. The method of claim 5, further comprising: encrypting the second private key by adopting the first public key; then, the encrypted second private key is sent to the accelerator card.
7. The method of any of claims 1-6, wherein encrypting the application comprises:
generating a first encryption key, and encrypting the application according to the first encryption key;
acquiring a second encryption key, and encrypting the first encryption key according to the second encryption key, wherein the second encryption key comprises the first public key or the second public key;
the loading the encrypted application into the accelerator card comprises: loading the encrypted application and the encrypted first encryption key into the accelerator card.
8. The method according to any of claims 1-7, wherein before loading the encrypted application into the accelerator card, further comprising:
performing signature protection on the encrypted application and the encrypted first encryption key.
9. The method according to any of claims 1-7, wherein said encrypting said application is preceded by:
performing signature protection on the application.
10. The method according to any one of claims 1-9, further comprising:
generating authorization information and an authorization key of the application, and encrypting the authorization information according to the authorization key;
and encrypting the authorization key according to the encryption key, and loading the encrypted authorization information to the accelerator card.
11. The method of any one of claims 1-10, wherein the application comprises an Artificial Intelligence (AI) model or a cloud application.
12. An application using method, wherein an application owner side loads an application into an accelerator card in a cloud system to issue to a user side, the method comprising:
acquiring a first certificate, wherein the first certificate comprises a first public key and first signature information, and storing a first private key corresponding to the first public key;
issuing the first certificate so that the user can perform security verification on the application owner according to the first certificate;
receiving and loading the encrypted application sent by the application owner after the security verification is passed;
and decrypting to obtain the application.
13. The method of claim 12, wherein the decrypting obtains the application comprises:
directly adopting the first private key related to the first certificate to decrypt and obtain the application.
14. The method of claim 12, further comprising:
generating a second certificate, wherein the second certificate comprises a second public key and second signature information, and storing a second private key corresponding to the second public key;
issuing the second certificate so that the application owner performs security verification on the second certificate;
then, the decrypting to obtain the application comprises:
decrypting by using the second private key related to the second certificate to obtain the application.
15. The method of claim 14, wherein the second signature information is obtained by encrypting the first private key.
16. The method of claim 11, further comprising:
receiving a second private key which is sent by the application owner and is produced by the application owner;
then, the decrypting to obtain the application comprises:
decrypting by adopting the second private key to obtain the application.
17. The method of claim 16, wherein the second private key is encrypted by a first public key associated with the first certificate;
the method further comprises: decrypting according to the first private key to obtain the second private key.
18. The method of any of claims 12-17, wherein the decrypting obtains the application comprises:
decrypting the encrypted first encryption key according to a key corresponding to a second encryption key to obtain the first encryption key, wherein the key corresponding to the second encryption key comprises the first private key or the second private key;
and decrypting by adopting the first encryption key to obtain the application.
19. The method according to any one of claims 12-18, further comprising:
decrypting the encrypted authorization key according to a key corresponding to a second encryption key to obtain the authorization key, wherein the key corresponding to the second encryption key comprises the first private key or the second private key;
and decrypting the acquired authorization information of the application by using the authorization key.
20. The method of any of claims 12-19, wherein prior to said loading said encrypted application, further comprising:
verifying the integrity of the encrypted application, and loading the encrypted application after the verification is successful.
21. The method of claim 19,
receiving an authorization information updating request sent by the application owner, wherein the authorization information updating request carries encrypted updated authorization information;
and updating the authorization information according to the authorization information updating request.
22. The method according to any of claims 12-21, wherein the application comprises an Artificial Intelligence (AI) model or a cloud application.
23. An Artificial Intelligence (AI) model publishing method, wherein an AI model owner loads an AI model into an accelerator card for publication to a user, the method comprising:
obtaining a model key, and encrypting the AI model according to the model key;
acquiring an encryption key, and encrypting the model key according to the encryption key, wherein the encryption key is generated by the accelerator card and verified by the AI model owner, or the encryption key is generated by the AI model owner;
and loading the encrypted AI model and the encrypted model key into the accelerator card.
24. The method of claim 23, further comprising:
receiving the AI model authorization request sent by the user, wherein the model authorization request comprises a first certificate, the first certificate is generated and issued by the accelerator card, the first certificate comprises a first public key and first signature information, and a first private key corresponding to the first public key is stored by the accelerator card;
and verifying the first signature information according to the root certificate, and storing the first public key after the verification is successful.
25. The method of claim 24, wherein obtaining the encryption key comprises:
using the first public key as the encryption key.
26. The method of claim 24, wherein obtaining the encryption key comprises:
triggering the accelerator card to generate a second certificate, wherein the second certificate comprises a second public key and second signature information generated by the accelerator card, the second signature information is obtained by encrypting with the first private key, and a second private key corresponding to the second public key is stored by the accelerator card;
and verifying the second signature information according to the stored first public key, and taking the second public key as an encryption key after the verification is successful.
27. The method of claim 24, wherein obtaining the encryption key comprises:
generating a second public key and a second private key, and taking the second public key as the encryption key;
and encrypting the second private key by adopting the first public key, and loading the encrypted second private key into the accelerator card.
28. The method according to any of claims 23-27, wherein before loading the encrypted AI model and the encrypted model key into the accelerator card, the method further comprises:
performing signature protection on the encrypted AI model and the encrypted model key.
29. The method according to any of claims 23-28, wherein before encrypting the AI model according to the model key, the method further comprises:
performing signature protection on the AI model.
30. The method of any one of claims 23-29, further comprising:
generating authorization information and an authorization key of the AI model, and encrypting the authorization information according to the authorization key;
and encrypting the authorization key according to the encryption key, and loading the encrypted authorization information and the encrypted authorization key to the accelerator card.
31. The method of claim 30, wherein before loading the encrypted authorization information into the accelerator card, further comprising:
performing signature protection on the encrypted authorization information.
32. The method of claim 30 or 31, further comprising:
updating the authorization information;
and encrypting the updated authorization information according to the encryption key, and loading the encrypted updated authorization information to the accelerator card.
33. The method according to any one of claims 24-27, wherein the first public key and the first private key are generated by an accelerator card, and wherein the first private key is stored in the accelerator card after being encrypted.
34. An application issuing apparatus applied to an application producing side that loads an application into an accelerator card to issue to a user, the apparatus comprising:
a receiving unit, configured to receive an application authorization request sent by the user, where the application authorization request carries a first certificate, where the first certificate includes a first public key and first signature information from the accelerator card;
a verification unit, configured to perform security verification on the first signature information;
an encryption unit, configured to encrypt the application after the security verification by the verification unit passes;
and a loading unit, configured to load the encrypted application into the accelerator card.
35. The apparatus according to claim 34, wherein the encryption unit is specifically configured to:
acquiring the first public key in the first certificate, and encrypting the application by adopting the first public key.
36. The apparatus of claim 34, wherein:
the receiving unit is further configured to obtain a second certificate generated by the accelerator card, where the second certificate includes a second public key and second signature information generated by the accelerator card;
the verification unit is further used for performing security verification on the second signature information;
the encryption unit is further used for starting an encryption process of the application after the verification unit successfully verifies the security;
when encrypting the application, the encryption unit is specifically configured to: acquire the second public key in the second certificate, and encrypt the application by adopting the second public key.
37. The apparatus of claim 36, wherein the second signature information is obtained by encrypting with the first private key, and the performing the security verification on the second signature information comprises: performing security verification on the second signature information according to the first public key.
38. The apparatus according to claim 34, wherein the encryption unit is specifically configured to:
generating a second public key and a second private key;
encrypting the application by adopting the second public key;
the loading unit is further configured to send the second private key to the accelerator card.
39. The apparatus according to claim 38, wherein the encrypting unit is further configured to encrypt the second private key with the first public key;
the loading unit is further configured to send the encrypted second private key to the accelerator card.
40. The apparatus according to any of claims 34-39, wherein the encryption unit is specifically configured to:
generating a first encryption key, and encrypting the application according to the first encryption key;
acquiring a second encryption key, and encrypting the first encryption key according to the second encryption key, wherein the second encryption key comprises the first public key or the second public key;
the loading unit is specifically configured to load the encrypted application and the encrypted first encryption key into the accelerator card.
41. The apparatus according to any of claims 34-40, wherein the encryption unit, prior to loading the encrypted application into the accelerator card, is further configured to:
performing signature protection on the encrypted application and the encrypted first encryption key.
42. The apparatus according to any of claims 34-40, wherein the encryption unit, prior to encrypting the application, is further configured to:
performing signature protection on the application.
43. The apparatus according to any of claims 34-42, wherein the encryption unit is further configured to:
generating authorization information and an authorization key of the application, and encrypting the authorization information according to the authorization key;
and encrypting the authorization key according to the encryption key, and loading the encrypted authorization information to the accelerator card.
44. The apparatus of any of claims 34-43, wherein the application comprises an Artificial Intelligence (AI) model or a cloud application.
45. An application using apparatus, applied to an accelerator card, wherein an application owner loads an application into the accelerator card in a cloud system to issue the application to the user, the apparatus comprising:
an obtaining unit, configured to obtain a first certificate, wherein the first certificate comprises a first public key and first signature information, and a first private key corresponding to the first public key is stored;
a sending unit, configured to issue the first certificate, so that the application owner performs security verification on the producer according to the first certificate;
the obtaining unit is further configured to receive and load the encrypted application sent by the application owner after the security verification passes;
and a decryption unit, configured to decrypt to obtain the application.
46. The apparatus according to claim 45, wherein the decryption unit is specifically configured to:
directly adopting the first private key related to the first certificate to decrypt and obtain the application.
47. The apparatus of claim 45, wherein the obtaining unit is further configured to:
generating a second certificate, wherein the second certificate comprises a second public key and second signature information, and storing a second private key corresponding to the second public key;
the sending unit is configured to issue the second certificate, so that the application owner performs security verification on the second certificate;
the encryption unit is specifically configured to:
decrypting by using the second private key related to the second certificate to obtain the application.
48. The apparatus of claim 47, wherein the second signature information is obtained by encrypting with the first private key.
49. The apparatus of claim 44, wherein the obtaining unit is further configured to:
receiving a second private key which is sent by the application owner and is produced by the application owner;
the encryption unit is specifically configured to:
decrypting by adopting the second private key to obtain the application.
50. The apparatus according to claim 49, wherein the second private key is encrypted by a first public key associated with the first certificate;
the decryption unit is further configured to decrypt the first private key to obtain the second private key.
51. The method according to any one of claims 45 to 50, wherein the decryption module, when decrypting to obtain the application, is specifically configured to:
decrypting the encrypted first encryption key according to a key corresponding to a second encryption key to obtain the first encryption key, wherein the key corresponding to the second encryption key comprises the first private key or the second private key;
and decrypting by adopting the first encryption key to obtain the application.
52. The method of any one of claims 45-51, wherein the decryption module is further configured to:
decrypting the encrypted authorization key according to a key corresponding to a second encryption key to obtain the authorization key, wherein the key corresponding to the second encryption key comprises the first private key or the second private key;
and decrypting the acquired authorization information of the application by using the authorization key.
53. The apparatus according to claims 45-52, wherein the obtaining unit, before loading the encrypted application, is further configured to:
verifying the integrity of the encrypted application, and loading the encrypted application after the verification is successful.
54. The apparatus of claim 52, wherein:
the obtaining unit is further configured to: receiving an authorization information updating request sent by the application owner, wherein the authorization information updating request carries encrypted updated authorization information;
the loading unit is further configured to update the authorization information according to the authorization information update request.
55. The apparatus of any one of claims 44-54, wherein the application comprises an Artificial Intelligence (AI) model or a cloud application.
56. An Artificial Intelligence (AI) model publishing apparatus, applied to an AI model owner who loads an AI model into an accelerator card for publication to a user, the apparatus comprising:
an obtaining unit, configured to obtain a model key and obtain an encryption key, where the encryption key is generated by the accelerator card and verified by the AI model owner, or the encryption key is generated by the AI model owner;
an encryption unit, configured to encrypt the AI model according to the model key and encrypt the model key according to the encryption key;
and a loading unit, configured to load the encrypted AI model and the encrypted model key into the accelerator card.
57. The apparatus according to claim 56, further comprising an authentication unit;
the obtaining unit is further configured to receive the AI model authorization request sent by the user, where the model authorization request includes a first certificate, the first certificate is generated and issued by the accelerator card, the first certificate includes a first public key and first signature information generated by the accelerator card, and a first private key corresponding to the first public key is stored by the accelerator card;
and the verification unit is used for verifying the first signature information according to the root certificate and storing the first public key after the verification is successful.
58. The apparatus according to claim 57, wherein the obtaining unit, when obtaining the encryption key, is specifically configured to:
using the first public key as the encryption key.
59. The apparatus according to claim 57, wherein the obtaining unit is configured to obtain the encryption key by:
triggering the accelerator card to generate a second certificate, wherein the second certificate comprises a second public key and second signature information generated by the accelerator card, the second signature information is obtained by encrypting with the first private key, and a second private key corresponding to the second public key is stored by the accelerator card;
the verification unit is further configured to verify the second signature information according to the stored first public key;
the obtaining unit is further configured to use the second public key as an encryption key after the verification unit successfully verifies the second public key.
60. The apparatus according to claim 57, wherein the obtaining unit, when obtaining the encryption key, is specifically configured to:
generating a second public key and a second private key, and taking the second public key as the encryption key;
and encrypting the second private key by adopting the first public key, and loading the encrypted second private key into the accelerator card.
61. The apparatus according to any one of claims 56-60, wherein the encryption unit, before the loading unit loads the AI model after encryption and the model key after encryption into the accelerator card, is further configured to:
performing signature protection on the encrypted AI model and the encrypted model key.
62. The apparatus according to any of claims 56-61, wherein the encryption unit, prior to encrypting the AI model according to the model key, is further configured to:
performing signature protection on the AI model.
63. The apparatus of any one of claims 56-62, wherein:
the obtaining unit is further configured to generate authorization information and an authorization key of the AI model, and encrypt the authorization information according to the authorization key;
the encryption unit is further used for encrypting the authorization key according to the encryption key;
the loading unit is further configured to load the encrypted authorization information and the encrypted authorization key to the accelerator card.
64. The apparatus according to claim 63, wherein the encryption unit, prior to loading the encrypted authorization information into the accelerator card, is further configured to:
performing signature protection on the encrypted authorization information.
65. The apparatus according to claim 63 or 64, wherein the encryption unit is further configured to: updating the authorization information; encrypting the updated authorization key according to the encryption key;
the loading unit is further configured to load the encrypted updated authorization information to the accelerator card.
66. The apparatus according to any one of claims 57-60, wherein the first public key and the first private key are generated by an accelerator card, and the first private key is stored in the accelerator card after being encrypted.
67. A computing device, comprising a memory to store computer instructions and a processor; the processor invokes the memory-stored computer instructions to perform the method of any of claims 1 to 11.
68. A computing device, comprising a memory to store computer instructions and a processor; the processor invokes the memory-stored computer instructions to perform the method of any of the preceding claims 12 to 22.
69. A computing device, comprising a memory to store computer instructions and a processor; the processor invokes the memory-stored computer instructions to perform the method of any of claims 23 to 33.
70. A computer storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1-11.
71. A computer storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 12-22.
72. A computer storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 23-33.
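The key hierarchy of claims 23-25 (owner side) and claim 18 (accelerator card side), as an added Go example that is not part of the patent text. The claims name no algorithms, so the choices here are assumptions: an Ed25519 root signature over the DER-encoded first public key stands in for the first certificate, RSA-OAEP wraps the model key, and AES-256-GCM encrypts the model; `Cert`, `Package`, `Provision`, `Publish` and `Load` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type Cert struct{ Pub *rsa.PublicKey; Sig []byte }          // assumed stand-in for the first certificate
type Package struct{ Nonce, EncModel, WrappedKey []byte } // what the owner loads into the card

// Provision is a constructed fixture: a root key signs the card's first public key.
func Provision() (ed25519.PublicKey, Cert, *rsa.PrivateKey) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	key, kerr := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || kerr != nil {
		panic("key generation failed")
	}
	return rootPub, Cert{&key.PublicKey, ed25519.Sign(rootPriv, x509.MarshalPKCS1PublicKey(&key.PublicKey))}, key
}

func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Publish is the owner side: verify the certificate, encrypt the model, wrap the model key.
func Publish(model []byte, c Cert, rootPub ed25519.PublicKey) (*Package, error) {
	if c.Pub == nil || !ed25519.Verify(rootPub, x509.MarshalPKCS1PublicKey(c.Pub), c.Sig) {
		return nil, fmt.Errorf("first certificate is not signed by the root")
	}
	secret := make([]byte, 32+12) // fresh model key || GCM nonce for this publication
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	aead, err := gcm(secret[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Pub, secret[:32], nil)
	return &Package{secret[32:], aead.Seal(nil, secret[32:], model, nil), wrapped}, err
}

// Load is the card side: unwrap the model key with the first private key, then decrypt.
func Load(p *Package, firstPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, firstPriv, p.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(key) // rejects an unwrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.EncModel, nil) // fails if the ciphertext was modified
}

func main() {
	rootPub, cert, priv := Provision()
	if pkg, err := Publish([]byte("constructed model weights"), cert, rootPub); err == nil {
		fmt.Println(Load(pkg, priv)) // decrypted model bytes and a nil error
	}
}
```

The certificate check is what stops the owner from wrapping the model key for a key pair that was not issued under the trusted root, and GCM authentication gives the card an integrity check on the encrypted model before it is used.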
CN202010884617.XA 2020-06-28 2020-08-28 Application publishing method, application using method, AI model publishing method and device Pending CN113849777A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010598752 2020-06-28
CN2020105987528 2020-06-28

Publications (1)

Publication Number Publication Date
CN113849777A true CN113849777A (en) 2021-12-28

Family

ID=78972800

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010884617.XA Pending CN113849777A (en) 2020-06-28 2020-08-28 Application publishing method, application using method, AI model publishing method and device

Country Status (1)

Country Link
CN (1) CN113849777A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114936365A (en) * 2022-01-27 2022-08-23 华为技术有限公司 System, method and device for protecting secret data
CN115186286A (en) * 2022-09-09 2022-10-14 北京数牍科技有限公司 Model processing method, device, equipment, readable storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination