CN113904806A - Multi-node authentication method for trusted execution environment - Google Patents

Publication number: CN113904806A
Authority: CN (China)
Prior art keywords: computing, user, tee, node, data
Legal status: Pending
Application number: CN202111042285.1A
Other languages: Chinese (zh)
Inventors: 贺伟, 史楠迪, 汪昌帅, 徐潜, 马颂华, 范磊
Current Assignee: Tianyi Electronic Commerce Co Ltd
Original Assignee: Tianyi Electronic Commerce Co Ltd
Application filed by: Tianyi Electronic Commerce Co Ltd
Priority to CN202111042285.1A (CN113904806A)
Priority to PCT/CN2021/142976 (WO2023035507A1)
Priority to JP2023513540A (JP2023545895A)
Publication of CN113904806A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously

Abstract

The invention discloses a multi-node authentication method for a trusted execution environment. A plurality of TEE computing nodes are assumed to form a computing resource pool, with computing resources allocated in a unified manner by a computing resource management system; the resource pool has a unified access and authentication node (AutNode), which assists the user in completing the remote authentication process for all allocated TEE computing nodes. The invention has the following beneficial effects: 1. The user can authenticate the security of the code in the cloud computing environment and protect the computing process through the TEE; 2. Privacy protection of user data can be achieved: user data is uploaded to the cloud environment in encrypted form and is only decrypted and used inside the TEE; 3. The user can authenticate the correctness of the computation result to ensure that it has not been tampered with; 4. Complete remote authentication is carried out only in the program deployment stage, and the authentication of the TEEs is completed inside the cloud environment; during computation the user only needs simple local verification, so execution efficiency is high.

Description

Multi-node authentication method for trusted execution environment
Technical Field
The invention relates to the fields of trusted execution environment, cloud environment, remote authentication and privacy protection, in particular to a multi-node authentication method for the trusted execution environment.
Background
A Trusted Execution Environment (TEE) is a secure computing framework that protects data by establishing a hardware-protected secure area inside a general-purpose CPU; the computation, the memory it uses, registers and so on are protected by the chip's native security and cannot be tampered with or stolen. Unlike a traditional standalone security chip, a TEE can perform the general computing functions supported by the CPU. In the traditional CPU-plus-security-chip architecture, the security chip provides encryption, signing, authentication and similar functions while the CPU performs general computation, so data inside the CPU cannot be effectively protected. In a TEE, general computation, encryption, authentication and other functions are all completed inside the CPU, and memory encryption and access control are protected by the TEE, so data can be protected throughout the entire computation. Remote secure computing can be achieved through the TEE. Typical TEE implementations include the SGX environment provided by Intel CPUs and the TrustZone provided by ARM chips. Through a remote identity authentication protocol, the TEE lets the user authenticate the code executing in the TEE and encrypt data. Existing authentication schemes target a single device (TEE).
Cloud computing integrates computing resources in the cloud through hardware virtualization and provides users with dynamically scalable computing, storage and network management services. It has driven the growth of many internet companies built on cloud applications and is the typical model for large-scale computing resource management today. However, cloud computing also faces many security problems: users must send data to the cloud for storage and processing, so their sensitive data is at risk of leakage. For the cloud to compute on it, user data cannot be uploaded as ciphertext, which means the cloud service provider can obtain all of the user's plaintext data. Cryptographic tools such as homomorphic encryption can address this problem, but they are inefficient and cannot provide a high-performance practical solution. A TEE-based hardware security scheme can provide a more efficient and practical way to protect user data in the cloud computing environment. Because the TEE is a general-purpose computing CPU with security protection, it can serve as the CPU in cloud computing to protect user data.
The native TEE authentication scheme supports remote authentication of a single TEE device by a user. In a cloud computing environment, computing resources comprise many physical nodes, so the user needs a single authentication interface through which to complete multi-node security authentication. This scheme designs a remote authentication scheme for multi-node trusted execution environments that is suited to the cloud computing environment.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art and provide a multi-node authentication method for a trusted execution environment.
In order to solve the technical problems, the invention provides the following technical scheme:
The invention provides a multi-node authentication method for a trusted execution environment. A plurality of TEE computing nodes are assumed to form a computing resource pool, with computing resources allocated in a unified manner by a computing resource management system. The resource pool has a unified access and authentication node (AutNode), which assists the user in completing the remote authentication process for all allocated TEE computing nodes. The scheme comprises two stages: secure deployment of the user program and secure computation on user data. The main flow is as follows:
(1) Secure deployment of the user program
The user uploads the computing program to the TEE cloud computing environment and applies for the required computing resources; the computing resource pool allocates TEE computing resources to the user and deploys the user program in the secure computing environment (TEE). The AutNode then starts a remote authentication process, in which every TEE node on which the user program is deployed and the AutNode complete the following two functions over a secure communication channel:
1) Generating remote authentication reports
The TEE node generates a summary report from data containing basic information such as node information, memory state and the executing program, and uploads the report to the AutNode. The AutNode checks the correctness and completeness of the TEE node's report and adds the TEE node to a trusted resource list once the report passes the check.
2) Obtaining session keys
The AutNode generates an encryption session key and an authentication session key shared with all TEEs, and distributes the two keys to all TEE nodes and to the user node over a secure channel.
The AutNode generates a summary report from data containing basic information such as its own node information, memory state and executing program, and sends it to the user. The user checks the correctness and completeness of the report and, once it passes, confirms that the computing resource is a trusted environment.
(2) Secure computation on user data
The user uses the verified trusted environment to compute on data and obtain results, which mainly involves the following two functions:
1) Data upload and computation
The user encrypts and signs the data required for the computation using the session key and uploads it to the secure computing environment, which distributes computing tasks to the corresponding TEE computing resources according to a resource scheduling policy. The TEE decrypts the data, verifies the signature and performs the computation to obtain the result.
2) Confirmation of the computation result
The TEE computing node encrypts and signs the computation result using the session key and returns it to the user; the user verifies the signature and decrypts to obtain a trusted computation result.
Compared with the prior art, the invention has the following beneficial effects:
1. The user can authenticate the code security in the cloud computing environment and realize security protection on the computing process through the TEE.
2. Privacy protection of user data can be achieved, the user data is uploaded to a cloud environment in an encrypted state, and the data is only decrypted and used inside the TEE.
3. The user can authenticate the correctness of the calculation result and ensure that the calculation result is not tampered.
4. Complete remote authentication is only carried out in the program deployment stage, the authentication process of the TEE is completed in the cloud environment, a user only needs simple local verification in the computing process, and the execution efficiency is high.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram of a TEE computing resource pool system framework in the present invention;
FIG. 2 is a flow diagram of secure program deployment;
FIG. 3 is a flow diagram of secure data computation.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1
As shown in FIGS. 1-3, the present invention provides a multi-node authentication method for a trusted execution environment. A plurality of TEE computing nodes are assumed to form a computing resource pool, with computing resources allocated in a unified manner by a computing resource management system. The resource pool has a unified access and authentication node (AutNode), which assists the user in completing the remote authentication process for all allocated TEE computing nodes. The scheme comprises two stages: secure deployment of the user program and secure computation on user data. The main flow is as follows:
(1) Secure deployment of the user program
The user uploads the computing program to the TEE cloud computing environment and applies for the required computing resources; the computing resource pool allocates TEE computing resources to the user and deploys the user program in the secure computing environment (TEE). The AutNode then starts a remote authentication process, in which every TEE node on which the user program is deployed and the AutNode complete the following two functions over a secure communication channel:
1) Generating remote authentication reports
The TEE node generates a summary report from data containing basic information such as node information, memory state and the executing program, and uploads the report to the AutNode. The AutNode checks the correctness and completeness of the TEE node's report and adds the TEE node to a trusted resource list once the report passes the check.
2) Obtaining session keys
The AutNode generates an encryption session key and an authentication session key shared with all TEEs, and distributes the two keys to all TEE nodes and to the user node over a secure channel.
The AutNode generates a summary report from data containing basic information such as its own node information, memory state and executing program, and sends it to the user. The user checks the correctness and completeness of the report and, once it passes, confirms that the computing resource is a trusted environment.
(2) Secure computation on user data
The user uses the verified trusted environment to compute on data and obtain results, which mainly involves the following two functions:
1) Data upload and computation
The user encrypts and signs the data required for the computation using the session key and uploads it to the secure computing environment, which distributes computing tasks to the corresponding TEE computing resources according to a resource scheduling policy. The TEE decrypts the data, verifies the signature and performs the computation to obtain the result.
2) Confirmation of the computation result
The TEE computing node encrypts and signs the computation result using the session key and returns it to the user; the user verifies the signature and decrypts to obtain a trusted computation result.
Specifically, the method is applied to a TEE-based secure cloud computing environment, and achieves security protection and trusted computation of user data through two stages: secure program deployment and secure data computation. The implementation flow of the two stages is as follows:
1. Secure program deployment
Secure program deployment is used by the user to deploy verifiable code in the cloud computing environment and to initialize the secure computing environment. The specific implementation flow is shown in FIG. 2:
1) The user node applies to the TEE node cluster to deploy the user program, and the node cluster starts the corresponding TEE computing resources to complete the correct deployment of the user program.
2) Each node in the TEE cluster on which the user program has been correctly deployed interacts with the AutNode, generates an authentication report of its own execution environment together with a corresponding digital signature, and sends them to the AutNode. After verifying the remote report, the AutNode adds the node to the user program execution list.
3) The AutNode generates a unified authentication key $K_{aut}$ and encryption key $K_{Enc}$ for all nodes in the user program list, and sends $K_{aut}$ and $K_{Enc}$ to the TEE nodes.
4) The AutNode generates a remote report from its own execution environment and sends the remote report together with $K_{aut}$ and $K_{Enc}$ to the user node. After the remote report passes verification, the user node accepts the environment as a secure remote computing environment and stores $K_{aut}$ and $K_{Enc}$.
2. Secure data computation
Secure data computation is used by the user to complete data computation securely and reliably in the cloud computing environment. The computing logic runs in the secure computing environment applied for in the secure deployment stage. The specific implementation flow is shown in FIG. 3:
1) The user node encrypts the data with $K_{Enc}$, generates a signature over the data with $K_{aut}$, and sends the encrypted data and the signature to the nodes in the TEE cluster on which the user program is deployed.
2) The TEE node cluster decrypts the data with $K_{Enc}$ and checks data integrity with $K_{aut}$. The decrypted data is processed inside the cluster's TEEs, and TEE nodes can cooperate to execute the computation.
3) After the computation finishes, the computation result is encrypted with $K_{Enc}$, signed with $K_{aut}$ and sent to the user node. The user node decrypts the result and verifies the signature; if verification passes, the user node accepts the computation result.
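The two stages above, as an added Python sketch that is not part of the patent text: the AutNode admits only nodes whose summary report matches the user's program, and request and result messages are encrypted with the encryption key and authenticated with the authentication key. Assumptions of this sketch: the node names and sample program are constructed, HMAC-SHA256 serves as the shared-key "signature" and, in counter mode, as a standard-library stand-in for a real cipher, the REQ/RES direction labels are an addition, and the hardware-backed signature on attestation reports and the AutNode's own report to the user are not modelled.

```python
import hashlib
import hmac
import os

REQ, RES = b"REQ", b"RES"  # direction labels: an addition of this sketch, not in the patent text


def summary_report(node_id: str, program: bytes) -> bytes:
    """Digest over node information and the deployed program (memory state omitted)."""
    return hashlib.sha256(node_id.encode() + b"\x00" + program).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def protect(k_enc: bytes, k_aut: bytes, direction: bytes, plaintext: bytes) -> bytes:
    """Encrypt with K_Enc, then authenticate direction + nonce + ciphertext with K_aut."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, k_enc, nonce)
    tag = hmac.new(k_aut, direction + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(k_enc: bytes, k_aut: bytes, direction: bytes, blob: bytes) -> bytes:
    """Verify the tag first; decrypt only if it matches. Raises ValueError otherwise."""
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_aut, direction + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(ct, k_enc, nonce)


class AutNode:
    """Unified access and authentication node for one user program."""

    def __init__(self, user_program: bytes):
        self.user_program = user_program
        self.trusted = []              # trusted resource list
        self.k_enc = os.urandom(32)    # K_Enc, shared with trusted TEE nodes and the user
        self.k_aut = os.urandom(32)    # K_aut, shared with trusted TEE nodes and the user

    def check_report(self, node_id: str, report: bytes) -> bool:
        ok = hmac.compare_digest(report, summary_report(node_id, self.user_program))
        if ok:
            self.trusted.append(node_id)
        return ok

    def keys_for(self, node_id: str):
        if node_id not in self.trusted:
            raise PermissionError(f"{node_id} is not in the trusted resource list")
        return self.k_enc, self.k_aut


def tee_compute(keys, request_blob: bytes) -> bytes:
    """TEE node: verify and decrypt, compute (sum of comma-separated integers), protect the result."""
    k_enc, k_aut = keys
    data = unprotect(k_enc, k_aut, REQ, request_blob)
    result = str(sum(int(x) for x in data.split(b","))).encode()
    return protect(k_enc, k_aut, RES, result)


def demo():
    program = b"def job(xs): return sum(xs)"           # constructed sample program
    deployed = {"tee-1": program, "tee-2": program,     # constructed node names
                "tee-3": program + b" # modified"}      # node running altered code
    aut = AutNode(program)
    admitted = {n: aut.check_report(n, summary_report(n, code)) for n, code in deployed.items()}
    user_keys = (aut.k_enc, aut.k_aut)                  # delivered to the user over the secure channel
    request = protect(*user_keys, REQ, b"3,4,5")
    reply = tee_compute(aut.keys_for("tee-1"), request)
    return admitted, unprotect(*user_keys, RES, reply), request, user_keys
```

Because the user and every admitted node hold the same authentication key, the tag alone does not say who produced a message; the direction label is what makes the user reject its own request if it is returned in place of a result.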
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (1)

1. A multi-node authentication method for a trusted execution environment, characterized in that a plurality of TEE computing nodes are assumed to form a computing resource pool, with computing resources allocated in a unified manner by a computing resource management system; the resource pool has a unified access and authentication node (AutNode), which assists the user in completing the remote authentication process for all allocated TEE computing nodes; the scheme comprises two stages: secure deployment of the user program and secure computation on user data; the main flow is as follows:
(1) Secure deployment of the user program
The user uploads the computing program to the TEE cloud computing environment and applies for the required computing resources; the computing resource pool allocates TEE computing resources to the user and deploys the user program in the secure computing environment (TEE); the AutNode then starts a remote authentication process, in which every TEE node on which the user program is deployed and the AutNode complete the following two functions over a secure communication channel;
1) Generating remote authentication reports
The TEE node generates a summary report from data containing basic information such as node information, memory state and the executing program, and uploads the report to the AutNode; the AutNode checks the correctness and completeness of the TEE node's report and adds the TEE node to a trusted resource list once the report passes the check;
2) Obtaining session keys
The AutNode generates an encryption session key and an authentication session key shared with all TEEs, and distributes the two keys to all TEE nodes and to the user node over a secure channel;
the AutNode generates a summary report from data containing basic information such as its own node information, memory state and executing program, and sends it to the user; the user checks the correctness and completeness of the report and, once it passes, confirms that the computing resource is a trusted environment;
(2) Secure computation on user data
The user uses the verified trusted environment to compute on data and obtain results, which mainly involves the following two functions;
1) Data upload and computation
The user encrypts and signs the data required for the computation using the session key and uploads it to the secure computing environment, which distributes computing tasks to the corresponding TEE computing resources according to a resource scheduling policy; the TEE decrypts the data, verifies the signature and performs the computation to obtain the result;
2) Confirmation of the computation result
The TEE computing node encrypts and signs the computation result using the session key and returns it to the user; the user verifies the signature and decrypts to obtain a trusted computation result.
CN202111042285.1A 2021-09-07 2021-09-07 Multi-node authentication method for trusted execution environment Pending CN113904806A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202111042285.1A CN113904806A (en) 2021-09-07 2021-09-07 Multi-node authentication method for trusted execution environment
PCT/CN2021/142976 WO2023035507A1 (en) 2021-09-07 2021-12-30 Trusted executive environment multi-node authentication method
JP2023513540A JP2023545895A (en) 2021-09-07 2021-12-30 Trusted execution environment multi-node authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111042285.1A CN113904806A (en) 2021-09-07 2021-09-07 Multi-node authentication method for trusted execution environment

Publications (1)

Publication Number Publication Date
CN113904806A true CN113904806A (en) 2022-01-07

Family

ID=79188639

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111042285.1A Pending CN113904806A (en) 2021-09-07 2021-09-07 Multi-node authentication method for trusted execution environment

Country Status (3)

Country Link
JP (1) JP2023545895A (en)
CN (1) CN113904806A (en)
WO (1) WO2023035507A1 (en)

Also Published As

Publication number Publication date
JP2023545895A (en) 2023-11-01
WO2023035507A1 (en) 2023-03-16

Legal Events

Date Code Title Description
PB01 Publication