CN113922969A - Method and system for realizing cluster deployment of Intel SGX trusted service and electronic equipment - Google Patents


Info

Publication number: CN113922969A
Application number: CN202111257826.2A
Authority: CN (China)
Prior art keywords: key, ecc, cluster, data, trusted
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 姚有方, 何剑虹
Current assignee: Hangzhou Xianbing Technology Co Ltd
Original assignee: Hangzhou Xianbing Technology Co Ltd
Application filed by Hangzhou Xianbing Technology Co Ltd; priority to CN202111257826.2A; publication of CN113922969A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes

Abstract

The invention discloses a method, a system and electronic equipment for realizing cluster deployment of Intel SGX trusted services. The method comprises the following steps: generating a complete ECC master key; dividing the ECC master key into a plurality of key fragments and storing the key fragments separately; receiving, when an Intel SGX-based trusted service in a cluster is initialized, input key fragments whose number reaches a preset threshold; recovering the complete ECC master key from the input key fragments inside the Enclave program space; inputting the ECC master key into a key derivation function to derive a security key; and encrypting and decrypting the service data with the security key. Because the same ECC master key and the same key derivation function are used, all Intel SGX trusted services in the same cluster derive the same security key, which allows service data to be shared securely within the cluster, achieves the technical effect of clustered deployment of Intel SGX trusted services, and solves the technical problem that clustered deployment of trusted services could not previously be realized.

Description

Method and system for realizing cluster deployment of Intel SGX trusted service and electronic equipment
Technical Field
The invention relates to the field of trusted computing application, in particular to a method, a system and electronic equipment for realizing cluster deployment of Intel SGX trusted services.
Background
At present, in the field of trusted execution environment (TEE) applications, Intel SGX is the most mature and widely used technology, and most cloud service providers allow developers to build applications such as data encryption and confidential computing on Intel SGX. The principle of Intel SGX is to isolate a region called an Enclave inside the Intel CPU; program code and data loaded into the Enclave region cannot be tampered with or observed from outside. In short, an Enclave is like a hardware-based secure black box inside the CPU, so the program logic executed and the data stored inside the Enclave are secure.
Meanwhile, Intel SGX provides the SGX_KEYPOLICY_MRENCLAVE policy for generating a security key inside the Enclave, and an Enclave program can use this policy to generate a security key with which it encrypts and decrypts data.
Under the SGX_KEYPOLICY_MRENCLAVE policy provided by Intel SGX, the security key is derived from the code, data and signature of the Enclave itself together with CPU hardware information, so data encrypted with such a security key can only be decrypted by that same Enclave. The steps for implementing a data security application with this policy are as follows: the data to be processed is passed into the Enclave; the Enclave program generates a security key using the SGX_KEYPOLICY_MRENCLAVE policy; the data is encrypted with the security key and then stored in a database; since only the same Enclave program on the same hardware platform can derive the same security key, the data can be decrypted only inside that Enclave.
In practical application, in order to meet high availability and high load, a cloud security application platform often needs to be deployed in a clustering manner, which requires that business data can be safely shared among a plurality of Intel SGX trusted services in a cluster.
However, as the above steps show, when a data security application is implemented with the SGX_KEYPOLICY_MRENCLAVE policy, data can only be used and stored in a single trusted service, and interaction and sharing of data among multiple trusted services cannot be achieved. For example, for two trusted services A and B, after encrypted business data of trusted service A is stored in a database, trusted service B in the same cluster can read the ciphertext from the database but cannot decrypt it, so clustered deployment of the trusted service cannot be realized.
Disclosure of Invention
The invention mainly aims to provide a method and a system for realizing cluster deployment of an Intel SGX trusted service, so as to solve the problem that cluster deployment of the trusted service cannot be realized in the related technology.
In order to achieve the above object, a first aspect of the present invention provides a method for implementing an Intel SGX trusted service clustered deployment, including:
generating a complete ECC master key;
the ECC master key is divided into a plurality of key fragments, and the key fragments are stored in a scattered manner;
receiving input key fragments reaching a preset number when a trusted service based on Intel SGX in a cluster is initialized;
in an Enclave program space, recovering a complete ECC master key according to input key fragments;
inputting the ECC master key into a key derivation function to derive a security key;
and encrypting and decrypting the service data by using the security key.
Optionally, the inputting the ECC master key into a key derivation function to derive a security key includes:
determining a key derivation function meeting preset requirements;
inputting a public key of an ECC master key into the key derivation function;
inputting a private key of an ECC master key into the key derivation function;
hashing the public key with a hash function in the key derivation function to obtain a public key hash value;
and hashing the public key hash value together with the private key with a hash function in the key derivation function to obtain the security key.
Further, a key derivation function KDF satisfying the preset requirement is determined according to the following formula:
KDF(p, d) = SHA256(SHA256(p), d)
where p is the public key of the ECC master key, d is the private key of the ECC master key, and SHA256 is the standard SHA-256 hash function.
Further, the preset requirements include a first preset requirement and a second preset requirement;
the first preset requirement is that identical inputs to the key derivation function produce identical outputs;
the second preset requirement is that the length of the data output by the key derivation function equals the length of the ECC master key.
Optionally, the service data includes plaintext data and ciphertext data;
encrypting and decrypting the service data with the security key comprises the following steps:
symmetrically encrypting the plaintext data with the security key to obtain ciphertext data;
storing the ciphertext data in the ciphertext database of the cluster;
and symmetrically decrypting the ciphertext data with the security key to recover the plaintext data.
Optionally, a plurality of trusted services are deployed in the cluster, and each trusted service is used for providing the same business function;
all trusted services in the same cluster adopt the same ECC master key and the same key derivation function to derive the same security key, so that the business data can be shared in the cluster.
Optionally, before the Intel SGX-based trusted service in the cluster is initialized, the method further includes:
and randomly selecting any one trusted service in the cluster for access through the scheduling of the load balancing service.
A second aspect of the present invention provides a system for implementing an Intel SGX trusted service clustered deployment, including:
the generating unit is used for generating a complete ECC master key;
the slicing unit is used for slicing the ECC master key into a plurality of key slices and storing the key slices in a scattered manner;
the receiving unit is used for receiving the input key fragments with the preset number when the trusted service based on the Intel SGX in the cluster is initialized;
the recovery unit is used for recovering the complete ECC master key from the input key fragments in the Enclave program space;
the derivation unit is used for inputting the ECC master key into a key derivation function and deriving a security key;
and the encryption and decryption unit is used for encrypting and decrypting the service data by using the security key.
A third aspect of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute an implementation method of the Intel SGX trusted service clustered deployment provided in any one of the first aspects.
A fourth aspect of the present invention provides an electronic apparatus, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to cause the at least one processor to perform a method of implementing an Intel SGX trusted service clustered deployment as provided in any of the first aspects.
In the method for realizing cluster deployment of the Intel SGX trusted service provided by the embodiment of the invention, a complete ECC master key is generated; the ECC master key is divided into a plurality of key fragments, which are stored separately; input key fragments whose number reaches a preset threshold are received when an Intel SGX-based trusted service in the cluster is initialized; the complete ECC master key is recovered from the input key fragments in the Enclave program space; the ECC master key is input into a key derivation function to derive a security key; and the service data is encrypted and decrypted with the security key. Because the same ECC master key and the same key derivation function are adopted, all Intel SGX trusted services in the same cluster derive the same security key, so service data can be shared securely within the cluster, the technical effect of clustered deployment of Intel SGX trusted services is achieved, and the technical problem in the related art that clustered deployment of trusted services cannot be achieved because data can only be used and stored in a single trusted service is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a system structure diagram of an implementation system for an Intel SGX trusted service clustered deployment according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for implementing an Intel SGX trusted service clustered deployment according to an embodiment of the present invention;
fig. 3 is a block diagram of an implementation system for an Intel SGX trusted service clustered deployment according to an embodiment of the present invention;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged under appropriate circumstances in order to facilitate the description of the embodiments of the invention herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
A trusted execution environment (TEE) is a computing approach in which programs execute in a secure and trusted environment, so that program code, logic and computation results running inside the TEE cannot be tampered with or hijacked by attackers. Trusted computing has been widely applied in fields such as confidential computing and cloud computing. In practice, to meet high-availability and high-load requirements, a cloud security application platform often needs to be deployed as a cluster, which requires that service data can be shared securely among multiple Intel SGX trusted services in the cluster; Intel SGX is Intel's technical scheme for realizing trusted computing at the CPU level.
However, when a data security application is implemented with the SGX_KEYPOLICY_MRENCLAVE policy in the related art, data can only be used and stored in a single trusted service, and interaction and sharing of data among multiple trusted services cannot be achieved. For example, for two trusted services A and B, after encrypted business data of trusted service A is stored in a database, trusted service B in the cluster can read the ciphertext from the database but cannot decrypt it, so clustered deployment of the trusted service cannot be realized.
In order to solve the above problem, an embodiment of the present invention provides a system for implementing an Intel SGX trusted service clustered deployment, where when the system includes two trusted services based on an Intel SGX technology, a structure diagram of the system is shown in fig. 1, where:
Trusted service A and trusted service B: two Intel SGX-based trusted services deployed in a cluster that provide the same service function; the system can be extended to clustered deployment of any number of Intel SGX trusted services;
Load balancing service: the cluster scheduling service, responsible for randomly selecting one of the two trusted services A and B for each access;
ECC master key fragments: when a trusted service is initialized, the administrator holding each key fragment inputs it into the trusted service, and the trusted service recovers the complete ECC master key from the fragments inside its Enclave program. ECC is an elliptic curve algorithm, an asymmetric cryptographic algorithm in which a key consists of a private key and a public key; the private key is kept by the key holder and the public key is public;
KDF: the key derivation function, whose input parameter is the complete ECC master key;
K: the security key, which exists only inside the Enclave program space;
Ciphertext = K(plaintext data): in the data encryption process, the plaintext data is symmetrically encrypted with the security key K to obtain ciphertext data;
Plaintext = K(ciphertext data): in the data decryption process, the ciphertext data is symmetrically decrypted with the security key K to obtain the plaintext data;
Ciphertext database: the service data is stored in the database in the form of ciphertext.
First, a single ECC master key is generated for the Intel SGX trusted services in the cluster, and the ECC master key is then split into fragments that are stored separately; when an Intel SGX trusted service is initialized, the holders of the key fragments each input their fragment, and the trusted service recovers the complete ECC master key from the fragments; finally, a security key K is derived from the ECC master key, and the service data is encrypted and decrypted with K.
The embodiment of the invention provides a method for realizing cluster deployment of an Intel SGX trusted service, a flow diagram is shown in FIG. 2, and the method comprises the following steps S101 to S106:
Step S101: generating a complete ECC master key with a standard key generation algorithm. The complete ECC master key is generated first, using an ordinary ECC key generation algorithm, so that the trusted services, which subsequently hold the ECC master key only as separately kept fragments, all recover the same ECC master key.
Step S102: dividing the ECC master key into a plurality of key fragments and storing the key fragments separately. For example, the ECC master key is divided into n key fragments, which are handed to n administrators for safekeeping, each administrator keeping exactly one key fragment, where n > 1.
Step S103: receiving input key fragments whose number reaches a preset threshold when an Intel SGX-based trusted service in the cluster is initialized. When the Intel SGX trusted service is initialized, the administrators each input the key fragment they hold; at least the preset number k of key fragments must be input, and the input is accepted once k fragments have been received, where k is the minimum number of key fragments needed to recover the ECC master key and 1 < k <= n;
specifically, a plurality of trusted services are deployed in the cluster, and each trusted service is used for providing the same business function;
all trusted services in the same cluster adopt the same ECC master key and the same key derivation function to derive the same security key, so that the business data can be shared in the cluster.
Further, before the Intel SGX-based trusted service in the cluster is initialized, the method further includes:
and randomly selecting any one trusted service in the cluster for access through the scheduling of the load balancing service. The trusted service based on the Intel SGX is widely applied at present, and in practical application, in order to ensure high availability and high load of the service, the trusted service is often required to be deployed in a clustering manner, and any trusted service in a cluster is randomly called to complete service calculation through scheduling of load balancing service.
Step S104: in an Enclave program space, recovering a complete ECC master key according to input key fragments;
Step S105: inputting the ECC master key into a key derivation function to derive a security key;
specifically, the step S105 includes:
determining a key derivation function meeting preset requirements; wherein the preset requirements include: a first preset requirement and a second preset requirement; the first preset requirement comprises: when the inputs of the key derivation functions are the same, the output results are consistent; the second preset requirement includes: the length of data obtained by the output result of the key derivation function is the same as that of the ECC master key, and the length of the ECC master key is 32 bytes in fixed length.
Further, a key derivation function KDF satisfying the preset requirement is determined according to the following formula:
KDF(p, d) = SHA256(SHA256(p), d)
where p is the public key of the ECC master key, d is the private key of the ECC master key, and SHA256 is the standard SHA-256 hash function. A hash operation is a one-way cryptographic operation: it processes input data of any length into output data of a fixed length, and the input cannot be deduced from the output; SHA256 is a common hash algorithm whose output is 32 bytes long.
Inputting a public key of an ECC master key into the key derivation function;
inputting a private key of an ECC master key into the key derivation function;
hashing the public key with a hash function in the key derivation function to obtain a public key hash value;
and hashing the public key hash value together with the private key with a hash function in the key derivation function to obtain the security key.
The invention performs two hash computations, hashing the public key first and then hashing the public key hash value together with the private key; compared with a single hash over the public key and the private key, the derived security key is safer. A key obtained from the derivation function defined by these two hash operations is used as the security key, so that data can be shared between Intel SGX trusted services and clustered deployment is realized.
Because the key derivation function KDF uses the standard SHA256 hash function, identical input parameters yield identical results, and the length of the ECC master key equals the 32-byte fixed length of the SHA256 output, so a KDF based on SHA256 satisfies both the first and the second preset requirement. The invention therefore requires that the input parameter of the KDF be the master key shared by the Intel SGX trusted services, which ensures that every Intel SGX trusted service derives the same security key K. By establishing one master key and deriving the same security key K from it for all Intel SGX trusted services in the cluster, clustered deployment is achieved.
Step S106: and encrypting and decrypting the service data by using the security key.
The business data comprises plaintext data and ciphertext data;
encrypting and decrypting the service data with the security key comprises the following steps:
symmetrically encrypting the plaintext data with the security key to obtain ciphertext data;
storing the ciphertext data in the ciphertext database of the cluster;
and symmetrically decrypting the ciphertext data with the security key to recover the plaintext data. For safety, business data in the trusted service is encrypted before being stored in the database, and when the business data is used, the ciphertext from the database is first decrypted and then processed, so that the business data is computed within a secure trusted computing environment. Through this encryption and decryption, the invention achieves the technical effect that business data encrypted and stored by one trusted service can be decrypted by the other trusted services in the cluster.
Through the above steps, the Intel SGX trusted services in the cluster derive the same security key K from the same ECC master key, so service data can be shared through the database and the requirement of clustered deployment is met. Each Intel SGX trusted service in the cluster encrypts the business data with a common security key K generated from the ECC master key by the key derivation function; by encrypting and decrypting the business data with this security key, business data encrypted and stored by one trusted service can be decrypted by the other trusted services in the cluster.
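Steps S105 and S106 above (and the matching items in the Disclosure of Invention) describe the derivation KDF(p, d) = SHA256(SHA256(p), d) and the symmetric encryption of service data with the derived key. The Go program below is an added example, not code from the patent or its assignee. It assumes a P-256 master key with the public key in uncompressed form, that the inner digest and the private scalar are concatenated before the outer hash, and AES-256-GCM as the symmetric cipher (the patent names none). MasterKey, TrustedService, InitService, Encrypt and Decrypt are the example's own names. Two services initialised from the same master key derive the same 32-byte K, so a record encrypted by A is decrypted by B, while a service holding a different master key, or a modified record, fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MasterKey is the cluster-wide ECC master key as it exists inside an enclave
// after fragment recovery: public point p and 32-byte private scalar d.
type MasterKey struct {
	P []byte // public key, 65-byte uncompressed encoding
	D []byte // private scalar, fixed 32 bytes
}

// NewMasterKey generates a P-256 key pair (the curve is an assumption; the
// page only says "a standard ECC generation algorithm").
func NewMasterKey() (*MasterKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MasterKey{
		P: elliptic.Marshal(elliptic.P256(), k.PublicKey.X, k.PublicKey.Y),
		D: k.D.FillBytes(make([]byte, 32)),
	}, nil
}

// KDF is the page's derivation KDF(p, d) = SHA256(SHA256(p), d): the public
// key is hashed first and the 32-byte digest is then hashed together with the
// private scalar (concatenation assumed). Identical inputs give identical
// output (first requirement) and the output is 32 bytes (second requirement).
func KDF(p, d []byte) [32]byte {
	inner := sha256.Sum256(p)
	h := sha256.New()
	h.Write(inner[:])
	h.Write(d)
	var k [32]byte
	copy(k[:], h.Sum(nil))
	return k
}

// TrustedService models one Intel SGX trusted service of the cluster; K is the
// security key derived inside its enclave (step S105) and never written out.
type TrustedService struct {
	Name string
	K    [32]byte
}

// InitService derives the service's security key from the recovered master key.
func InitService(name string, mk *MasterKey) *TrustedService {
	return &TrustedService{Name: name, K: KDF(mk.P, mk.D)}
}

// aead builds AES-256-GCM over K; the page names no cipher, GCM is assumed.
func (s *TrustedService) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.K[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is step S106's encryption: the record stored in the ciphertext
// database is nonce || ciphertext || tag, with no service-specific binding,
// so that any service in the cluster can open it.
func (s *TrustedService) Encrypt(plaintext []byte) ([]byte, error) {
	g, err := s.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt is step S106's decryption; it succeeds for every service that
// derived the same K and fails authentication for any other key or a
// modified record.
func (s *TrustedService) Decrypt(record []byte) ([]byte, error) {
	g, err := s.aead()
	if err != nil {
		return nil, err
	}
	if len(record) < g.NonceSize() {
		return nil, errors.New("record shorter than nonce")
	}
	return g.Open(nil, record[:g.NonceSize()], record[g.NonceSize():], nil)
}

func main() {
	mk, _ := NewMasterKey()
	a, b := InitService("A", mk), InitService("B", mk)
	record, _ := a.Encrypt([]byte("order 42: constructed sample business data"))
	plain, err := b.Decrypt(record) // B reads A's row from the ciphertext database
	fmt.Printf("B decrypts A's record: %q (err=%v)\n", plain, err)
	other, _ := NewMasterKey() // a service outside the cluster holds another master key
	_, err = InitService("C", other).Decrypt(record)
	fmt.Println("outside service:", err)
}
```

An authenticated cipher is used for the symmetric step so that a ciphertext read back from the shared database is rejected, rather than decrypted to garbage, when it was written under a different key or altered in storage.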
From the above description, it can be seen that the present invention achieves the following technical effects:
because the same ECC master key and the same key derivation function are adopted, all Intel SGX trusted services in the same cluster can derive the same security key, so that the aim of safely sharing service data in the cluster is fulfilled, the technical effect of clustered deployment of the Intel SGX trusted services is realized, and the technical problem that the clustered deployment of the trusted services cannot be realized because the data can only be used and stored in a single trusted service in the related technology is solved;
the Intel SGX trusted services in the cluster derive the same security key K from the same ECC master key and can share service data through a database, meeting the requirement of clustered deployment; each Intel SGX trusted service in the cluster encrypts the business data with a common security key K generated from the ECC master key by the key derivation function, so that the business data is shared, and by encrypting and decrypting the business data with this security key, business data encrypted and stored by one trusted service can be decrypted by the other trusted services in the cluster.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
An embodiment of the present invention further provides an implementation system for implementing the Intel SGX trusted service clustered deployment, where a schematic diagram is shown in fig. 3, and the system includes:
a generating unit 31 for generating a complete ECC master key;
the slicing unit 32 is configured to slice the ECC master key, divide the ECC master key into a plurality of key slices, and store the key slices in a distributed manner;
the receiving unit 33 is configured to receive input key fragments of which the number is up to a preset number when a trusted service based on an Intel SGX in a cluster is initialized;
a recovery unit 34, configured to recover, in the Enclave program space, a complete ECC master key according to the input key fragment;
a derivation unit 35, configured to input the ECC master key into a key derivation function, and derive a security key;
and the encryption and decryption unit 36 is used for encrypting and decrypting the service data by using the security key.
An embodiment of the present invention further provides an electronic device, as shown in fig. 4, the electronic device includes one or more processors 41 and a memory 42, where one processor 41 is taken as an example in fig. 4.
The electronic device may further include: an input device 43 and an output device 44.
The processor 41, the memory 42, the input device 43 and the output device 44 may be connected by a bus or other means, and fig. 4 illustrates the connection by a bus as an example.
The processor 41 may be a central processing unit (CPU); the processor 41 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or any combination thereof, and the general-purpose processor may be a microprocessor or any conventional processor.
The memory 42, which is a non-transitory computer readable storage medium, may be used for storing non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the control method in the embodiments of the present invention. The processor 41 executes various functional applications and data processing of the server by running non-transitory software programs, instructions and modules stored in the memory 42, that is, the implementation method of the Intel SGX trusted service clustered deployment of the above method embodiment is implemented.
The memory 42 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a processing device operated by the server, and the like. Further, the memory 42 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 42 may optionally include memory located remotely from processor 41, which may be connected to a network connection device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 43 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the processing device of the server. The output device 44 may include a display device such as a display screen.
One or more modules are stored in the memory 42, which when executed by the one or more processors 41, perform the method as shown in fig. 1.
Those skilled in the art will appreciate that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium; when the computer program is executed, the processes of the embodiments of the methods described above are carried out. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory (FM), a hard disk drive (HDD), or a solid-state drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method for realizing cluster deployment of Intel SGX trusted services is characterized by comprising the following steps:
generating a complete ECC master key;
dividing the ECC master key into a plurality of key fragments, and storing the key fragments in a distributed manner;
receiving input key fragments until their number reaches a preset number when a trusted service based on Intel SGX in a cluster is initialized;
in an Enclave program space, recovering a complete ECC master key from the input key fragments;
inputting the ECC master key into a key derivation function to derive a security key;
and encrypting and decrypting the service data by using the security key.
2. The method of claim 1, wherein inputting the ECC master key to a key derivation function to derive a security key comprises:
determining a key derivation function meeting preset requirements;
inputting a public key of an ECC master key into the key derivation function;
inputting a private key of an ECC master key into the key derivation function;
carrying out a hash operation on the public key using a hash function in the key derivation function to obtain a hash value of the public key;
and carrying out a hash operation on the public key hash value and the private key using a hash function in the key derivation function to obtain the security key.
3. Method according to claim 2, characterized in that the key derivation function KDF meeting the preset requirements is determined as follows:
KDF(p, d) = SHA256(SHA256(p), d)
wherein, p is the public key of the ECC master key, d is the private key of the ECC master key, and SHA256 is a standard SHA256 hash function.
4. The method of claim 2, wherein the preset requirements comprise: a first preset requirement and a second preset requirement;
the first preset requirement comprises: when the inputs of the key derivation functions are the same, the output results are consistent;
the second preset requirement includes: the length of data obtained by the output result of the key derivation function is the same as the length of the ECC master key.
5. The method of claim 1, wherein the business data comprises original text data and ciphertext data;
the encrypting and decrypting the service data by using the security key comprises the following steps:
carrying out symmetric encryption operation on the original text data by using the security key to obtain ciphertext data;
storing the ciphertext data into a ciphertext database of the cluster;
and carrying out symmetric decryption operation on the ciphertext data by using the security key to obtain the original text data.
6. The method of claim 1, wherein a plurality of trusted services are deployed in the cluster, and each trusted service is configured to provide the same business function;
all trusted services in the same cluster adopt the same ECC master key and the same key derivation function to derive the same security key, so that the business data can be shared in the cluster.
7. The method of claim 1, wherein prior to initialization of an Intel SGX-based trusted service in a cluster, the method further comprises:
randomly selecting any one trusted service in the cluster for access through the scheduling of a load balancing service.
8. An implementation system for cluster deployment of an Intel SGX trusted service, comprising:
the generating unit is used for generating a complete ECC master key;
the slicing unit is used for dividing the ECC master key into a plurality of key slices and storing the key slices in a distributed manner;
the receiving unit is used for receiving input key fragments until their number reaches the preset number when the trusted service based on Intel SGX in the cluster is initialized;
the recovery unit is used for recovering a complete ECC master key from the input key fragments in the Enclave program space;
the derivation unit is used for inputting the ECC master key into a key derivation function and deriving a security key;
and the encryption and decryption unit is used for encrypting and decrypting the service data by using the security key.
9. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform a method for implementing an Intel SGX trusted service clustered deployment as claimed in any one of claims 1 to 7.
10. An electronic device, characterized in that the electronic device comprises: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to cause the at least one processor to perform a method of implementing an Intel SGX trusted service clustered deployment as claimed in any one of claims 1 to 7.
CN202111257826.2A 2021-10-27 2021-10-27 Method and system for realizing cluster deployment of Intel SGX trusted service and electronic equipment Pending CN113922969A (en)

Publications (1)

Publication Number Publication Date
CN113922969A true CN113922969A (en) 2022-01-11

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584307A (en) * 2022-05-07 2022-06-03 腾讯科技(深圳)有限公司 Trusted key management method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination