CN114021187B - Data processing system and method and electronic equipment - Google Patents


Info

Publication number: CN114021187B
Application number: CN202111299087.3A
Authority: CN (China)
Prior art keywords: data, application, private key, trusted, key fragment
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114021187A
Inventors: 雷虹, 燕云, 刘科, 周谦阁, 陈子健
Current assignee: Yunhai Chain Holdings Co ltd (as listed by Google Patents)
Original assignee: Yunhai Chain Holdings Co ltd

Events
Application filed by Yunhai Chain Holdings Co ltd
Priority to CN202111299087.3A
Publication of CN114021187A
Application granted
Publication of CN114021187B
Legal status: Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data processing system comprising an identity control end, a data using end and a data providing end. The identity control end receives a new function application initiated by the data using end and generates, in a trusted execution environment, a trusted application ID and an application signature corresponding to the new function application. The data using end receives the application signature returned by the identity control end and initiates a function injection application to the data providing end according to the trusted application ID, the application signature and the function code. The data providing end generates a trusted application corresponding to the function injection application in the trusted execution environment and returns the data processing result of the trusted application. The system also charges according to the number of times the private key fragments are spliced, which keeps the transaction transparent and fair. The application also discloses a data processing method and an electronic device with the same beneficial effects.

Description

Data processing system and method and electronic equipment
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a data processing system, a data processing method, and an electronic device.
Background
With the development of cloud computing, the related art generally achieves multi-party secret sharing and privacy protection in a distributed computing environment, but it mainly relies on a trusted administrator to guarantee data privacy, and the trustworthiness of such an administrator is hard to guarantee in practice.
Therefore, how to ensure the data privacy security in the data processing process is a technical problem that needs to be solved by those skilled in the art at present.
Disclosure of Invention
The application aims to provide a data processing system, a data processing method and electronic equipment, which can ensure data privacy safety in the data processing process.
In order to solve the technical problem, the application provides a data processing system, which comprises an identity control end, a data using end and a data providing end;
the identity control end comprises an application processing module, which is used for receiving a new function application initiated by the data using end and generating, in a trusted execution environment, a trusted application ID and an application signature corresponding to the new function application;
the data using end comprises a function injection module, and the function injection module is used for receiving the application signature returned by the identity control end and initiating a function injection application to the data providing end according to a trusted application ID, the application signature and a function code;
the data providing end comprises a function calling module, and the function calling module is used for generating a trusted application corresponding to the function injection application in the trusted execution environment and returning a data processing result of the trusted application.
Optionally, the identity control end further includes:
the registration module is used for receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end with a Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in the data source layer of the identity control end, and returning the second private key fragment to the data using end.
Optionally, the identity control end further includes:
and the ID generation module is used for acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
Optionally, the identity control end further includes:
an application charging module, used for counting the first splicing times, i.e. the number of times the ID generation module splices the first private key fragment and the second private key fragment, and executing a corresponding charging operation on the data using end according to the first splicing times.
Optionally, the identity control end further includes:
a remote authentication module, used for acquiring the second private key fragment from the data source layer of the data using end when a remote authentication request of the data using end is received, and splicing the first private key fragment and the second private key fragment in the trusted execution environment so as to remotely authenticate the data using end; the remote authentication request is sent to the identity control end by the data using end after the data using end initiates a function call application to the data providing end.
Optionally, the identity control end further includes:
a call charging module, used for counting the second splicing times, i.e. the number of times the remote authentication module splices the first private key fragment and the second private key fragment, and executing a corresponding charging operation on the data using end according to the second splicing times.
The application also provides a data processing method applied to the identity control end, which comprises the following steps:
receiving a new function application initiated by a data using end;
generating a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment;
and returning the application signature to the data using end, so that after the data using end initiates a function injection application to the data providing end according to the trusted application ID, the application signature and the function code, the data providing end generates a trusted application corresponding to the function injection application in the trusted execution environment and returns a data processing result of the trusted application.
The application also provides a data processing method, which is applied to a data providing end and comprises the following steps:
receiving a function injection application initiated by a data using end to a data providing end according to a trusted application ID, an application signature and a function code; wherein the generation process of the application signature comprises: after receiving a new function application initiated by a data using end, the identity control end generates the application signature corresponding to the new function application in a trusted execution environment;
and generating a trusted application corresponding to the function injection application in the trusted execution environment, and returning a data processing result of the trusted application.
The application also provides a data processing method, which is applied to a data using end and comprises the following steps:
initiating a new function application to an identity control end so that the identity control end can generate a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment;
and initiating a function injection application to a data providing end according to the trusted application ID, the application signature and the function code, so that the data providing end generates a trusted application corresponding to the function injection application in the trusted execution environment and returns a data processing result of the trusted application.
The application further provides an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor carries out the steps of the data processing method above when it calls the computer program in the memory.
The present application provides a data processing system comprising: the system comprises an identity control end, a data using end and a data providing end. The identity control terminal comprises an application processing module, and the application processing module is used for receiving a new function application initiated by the data using terminal and generating a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment. The data using end comprises a function injection module, and the function injection module is used for receiving the application signature returned by the identity control end and initiating a function injection application to the data providing end according to the trusted application ID, the application signature and the function code. The data providing end comprises a function calling module, and the function calling module is used for generating a trusted application corresponding to the function injection application in the trusted execution environment and returning a data processing result of the trusted application.
In this system, the data using end first initiates a new function application to the identity control end, and the identity control end generates, in a trusted execution environment, a trusted application ID and an application signature corresponding to the new function application. The data using end then initiates a function injection application to the data providing end using the application signature, the trusted application ID and the corresponding function code, so that the data providing end generates a trusted application corresponding to the function injection application in a trusted execution environment and returns the data processing result of the trusted application. Both the new function application and the function injection application are carried out in a trusted execution environment, which guarantees the security and trustworthiness of the data processing process, so the application can guarantee data privacy during data processing. The application also provides a data processing method and an electronic device, which have the same beneficial effects and are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings required for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained by those skilled in the art without inventive effort.
Fig. 1 is a schematic structural diagram of a data processing system according to an embodiment of the present application;
fig. 2 is a flowchart of a user registration provided in an embodiment of the present application;
FIG. 3 is a flow chart illustrating a new function application provided by an embodiment of the present application;
fig. 4 is a schematic diagram of a function injection process according to an embodiment of the present application;
fig. 5 is a schematic diagram of a function call flow provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a data processing system according to an embodiment of the present disclosure, where the data processing system may be a system for performing distributed computing, and includes an identity control end, a data using end, and a data providing end.
The identity control end, also called the identity controller (for example an authentication server), registers the identities of the data using end and the data providing end and registers the functions the data using end needs to use. The data using end, also called the data user, is the user or purchaser of the data analysis result. The data using end never obtains the original data; it obtains only the result of the computation on the data. The data using end can send the computation logic to be run over the data to the data providing end (that is, it injects a function into the data providing end). The data providing end, also called the data owner, is the provider of the original data. The data providing end processes its data according to the computation logic supplied by the data using end (that is, it runs the function injected by the data user).
As shown in fig. 1, each of the identity control end, the data using end and the data providing end can be divided into three layers: a contract layer, a trusted computing layer (containing a trusted oracle), and a data source layer. The data using end registers its identity, applies for new functions and is charged through its contract layer, which talks to the trusted computing layer of the identity control end. The identity control end returns the private key fragment generated at registration and the new trusted application ID generated for a new function application to the trusted computing layer of the data using end. The data providing end registers its identity with the identity control end through its contract layer, and the identity control end returns the private key fragment generated at registration to the contract layer of the data providing end. Function injection, function calling and charging between the data using end and the data providing end go through the data source layer.
Specifically, the identity control end in the present application includes an application processing module, which is configured to receive a new function application initiated by the data using end and to generate, in a trusted execution environment, a trusted application ID and an application signature corresponding to the new function application. The new function application may carry the application ID of the trusted application, and the identity control end signs that application ID to obtain the application signature. Because this runs in the trusted execution environment (the trusted computing layer of the identity control end), the identity control end cannot alter the flow, so the process is carried out in a decentralized way. A trusted application (TA) is authorized, secure software that runs inside the trusted execution environment.
The data using end comprises a function injection module, and the function injection module is used for receiving the application signature returned by the identity control end and initiating a function injection application to the data providing end according to the trusted application ID, the application signature and the function code. The data processing system can comprise a plurality of data using terminals, and the data using terminals can launch the function injection application to the data providing terminals and provide trusted application IDs, application signatures and function codes obtained when the function is applied. The functional code is code that needs to be executed to implement the function.
The data providing end comprises a function calling module, and the function calling module is used for generating a trusted application corresponding to the function injection application in the trusted execution environment and returning a data processing result of the trusted application. Specifically, the data providing end may verify the validity of the function injection application according to the application signature, and if the validity is verified, generate a corresponding trusted application in a trusted execution environment (i.e., a trusted computing layer of the data providing end) by using the trusted application ID and the function code, so as to implement function injection.
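The new function application, function injection and function call flow of the three modules above, as an added worked example that is not the patent's or the assignee's code. It assumes a Schnorr signature over a toy 64-bit safe-prime group generated at start-up (a deployment would use a standard curve and an attested enclave signing key), a signed message that binds the trusted application ID to the SHA-256 digest of the exact function code (the text only says the application ID is signed; binding the code digest is an added check so that a valid signature cannot be reused with different code), and function code expressed as a small JSON aggregate specification rather than arbitrary executable code. The trusted application ID and the data rows are constructed.

```python
"""Function application, injection and call (Figs. 3 to 5). Added illustration, not the
patent's code. Assumptions: Schnorr signatures over a toy 64-bit safe-prime group; the
signed message binds the TA ID to SHA-256(function code); code is a JSON aggregate spec."""
import hashlib
import json
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic below 3.3e24
OPS = {"count": len, "sum": sum, "mean": lambda v: sum(v) / len(v)}   # whitelisted TA language

def _is_prime(n):
    """Miller-Rabin; exact for 37 < n < 3.3e24 with the bases above."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

class SchnorrGroup:
    """Safe prime p = 2q + 1; g = 4 generates the subgroup of prime order q."""
    def __init__(self, bits=64):
        while True:
            q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if _is_prime(q) and _is_prime(2 * q + 1):
                self.p, self.q, self.g = 2 * q + 1, q, 4
                return

    def keygen(self):
        x = secrets.randbelow(self.q - 1) + 1
        return x, pow(self.g, x, self.p)

    def _challenge(self, r, msg):
        digest = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
        return int.from_bytes(digest, "big") % self.q

    def sign(self, x, msg):
        k = secrets.randbelow(self.q - 1) + 1
        e = self._challenge(pow(self.g, k, self.p), msg)
        return e, (k - x * e) % self.q

    def verify(self, y, msg, sig):
        e, s = sig
        if not (0 <= e < self.q and 0 <= s < self.q):
            return False
        r = pow(self.g, s, self.p) * pow(y, e, self.p) % self.p   # g^s * y^e == g^k
        return self._challenge(r, msg) == e

def application_message(trusted_app_id, function_code):
    """What the identity control end signs: the TA ID bound to the exact code bytes."""
    return f"{trusted_app_id}:{hashlib.sha256(function_code.encode()).hexdigest()}".encode()

def new_function_application(group, ic_signing_key, trusted_app_id, function_code):
    """Identity control end, inside its TEE: returns the application signature (Fig. 3)."""
    return group.sign(ic_signing_key, application_message(trusted_app_id, function_code))

class DataProvidingEnd:
    def __init__(self, group, ic_public_key, rows):
        self.group, self.ic_public_key = group, ic_public_key
        self.rows = rows             # raw data never leaves this end
        self.trusted_apps = {}       # trusted application ID -> accepted spec

    def function_injection(self, trusted_app_id, signature, function_code):
        """Verification module, then function calling module (Fig. 4)."""
        msg = application_message(trusted_app_id, function_code)
        if not self.group.verify(self.ic_public_key, msg, signature):
            return False             # unsigned or tampered code is never parsed
        try:
            spec = json.loads(function_code)
        except ValueError:
            return False
        if not (isinstance(spec, dict) and spec.get("op") in OPS and "field" in spec):
            return False             # only the whitelisted aggregate language is accepted
        self.trusted_apps[trusted_app_id] = spec
        return True

    def function_call(self, trusted_app_id):
        """Runs the injected TA over local rows; only the aggregate leaves (Fig. 5)."""
        spec = self.trusted_apps[trusted_app_id]
        values = [row[spec["field"]] for row in self.rows if spec["field"] in row]
        return OPS[spec["op"]](values)

SAMPLE_ROWS = [{"id": 1, "age": 34}, {"id": 2, "age": 41}, {"id": 3, "age": 27}]  # constructed

def demo():
    group = SchnorrGroup()
    ic_signing_key, ic_public_key = group.keygen()   # public key provisioned to the provider
    dp = DataProvidingEnd(group, ic_public_key, SAMPLE_ROWS)
    ta_id, code = "ta-" + "a1" * 8, json.dumps({"op": "mean", "field": "age"})
    sig = new_function_application(group, ic_signing_key, ta_id, code)
    accepted = dp.function_injection(ta_id, sig, code)
    forged = dp.function_injection(ta_id, sig, json.dumps({"op": "sum", "field": "age"}))
    return accepted, forged, dp.function_call(ta_id)
```

The check that matters is in `function_injection`: the data providing end verifies the signature over the trusted application ID and the code digest before it parses or loads anything, so replaying a valid signature with substituted code (the `forged` call) is rejected while the originally signed function stays live. `demo()` returns `(True, False, 34.0)`: the data using end gets the mean age and never sees a row.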
In this embodiment, the data using end first initiates a new function application to the identity control end, and the identity control end generates, in a trusted execution environment, an application signature corresponding to the new function application. The data using end then initiates a function injection application to the data providing end using the application signature, the trusted application ID and the corresponding function code, so that the data providing end generates a trusted application corresponding to the function injection application in a trusted execution environment and returns the data processing result of the trusted application. Both the new function application and the function injection application are carried out in a trusted execution environment, which guarantees the security and trustworthiness of the data processing process, so this embodiment guarantees data privacy during data processing.
Further, the identity control end further comprises a registration module, which registers the identity of the data using end. The specific process is as follows: receive a registration application initiated by the data using end, generate a private key of the data using end in the trusted execution environment, fragment the private key of the data using end with a Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, store the first private key fragment in the data source layer of the identity control end, and return the second private key fragment to the data using end.
Secret sharing is an important branch of modern cryptography, an important means of information security and data confidentiality, and a basic building block of secure multi-party computation, federated learning and related fields. In practice it plays an important role in key management, digital signatures, identity authentication, secure multi-party computation, error-correcting codes, bank network management, data security and so on. Secret sharing is a technique for sharing a secret among a group of participants, mainly to protect important information from being lost, destroyed or tampered with. In short, the shared secret is distributed over a group of users so that all members manage it jointly. In a system with many distributed nodes, each node is highly autonomous. Nodes can connect to one another freely to form new units. Any node may become a hub for a period of time, but none has a mandatory central control function. The influence between nodes forms a non-linear causal relationship through the network. This open, flat, equal structure is called decentralization. Decentralization replaces the centralized function otherwise provided by a third party: no party in the system can change the rules at will, which makes multi-party interaction easier.
Further, the identity control end further includes an ID generation module, configured to obtain the second private key fragment from the data source layer of the data using end, splice the first private key fragment and the second private key fragment in the trusted execution environment to obtain the private key of the data using end, and convert that private key into the trusted application ID. Specifically, the ID generation module splices the first private key fragment and the second private key fragment to obtain the complete private key, and converts the complete private key into the trusted application ID with a fixed function.
Further, the identity control end may be the module that performs identity control in a data platform, and the data platform may further include charging-related modules, so as to charge after the data using end applies for a function or calls a function. The charging-related modules include an application charging module and a call charging module: the application charging module charges the data using end a function application fee after the data using end successfully applies for a new function from the identity control end; the call charging module charges the data using end a function call fee after the data providing end returns the data processing result to the data using end.
Specifically, the application charging module counts the first splicing times, i.e. how many times the ID generation module has spliced the first private key fragment and the second private key fragment, and executes the corresponding charging operation on the data using end according to that count. Every new function application requires one private key fragment splicing operation, so the first splicing times represent the number of trusted application IDs generated, and this is how charging for new function applications is achieved. In this way the charging process is kept decentralized, and the transaction remains transparent and fair.
Further, after the data using end has registered a function with the data providing end, it may initiate a function call application to the data providing end, so that the data providing end obtains data from its data source layer according to the function to be called and performs the calculation in the trusted execution environment to obtain the data processing result of the trusted application. Correspondingly, the data using end sends a remote authentication request to the identity control end after initiating the function call application to the data providing end. The identity control end further comprises a remote authentication module, which obtains the second private key fragment from the data source layer of the data using end when it receives the remote authentication request, and splices the first private key fragment and the second private key fragment in the trusted execution environment to remotely authenticate the data using end. If the data using end passes remote authentication, the data providing end is allowed to carry out the function call flow; if it does not, the data providing end is forbidden to carry out the function call flow. The call charging module counts the second splicing times, i.e. how many times the remote authentication module has spliced the first private key fragment and the second private key fragment, and executes the corresponding charging operation on the data using end according to that count. In this embodiment the second splicing times represent the number of function calls, and this is how charging for function calls is achieved. In this way the charging process is kept decentralized, and the transaction remains transparent and fair.
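The registration, ID generation, remote authentication and splice-counting steps above (Figs. 2 and 5), as an added worked example that is not the patent's or the assignee's code. It assumes a 2-of-2 Shamir split over the prime field GF(2^255 - 19), SHA-256 as the fixed function from private key to trusted application ID, and a remote authentication that succeeds when the recombined key reproduces the ID recorded at registration; the user name and fee amounts are constructed. `_splice` stands in for the trusted execution environment: it is the only place where the complete key exists.

```python
"""Registration, trusted application ID generation, remote authentication and the two
splice counters that drive charging. Added illustration; not the patent's code.
Assumptions: 2-of-2 Shamir over GF(2^255 - 19); ID = SHA-256(private key); remote
authentication passes when the recombined key reproduces the ID fixed at registration."""
import hashlib
import secrets

PRIME = 2**255 - 19      # field for the Shamir shares (assumption)

def shamir_split(secret, threshold, shares):
    """Points (x, f(x)) on a random degree threshold-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner's rule mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points

def shamir_recombine(points):
    """Lagrange interpolation at x = 0; needs `threshold` points with distinct x."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def trusted_app_id(private_key):
    """The 'fixed function' of the text: private key -> trusted application ID."""
    return hashlib.sha256(private_key.to_bytes(32, "big")).hexdigest()

class IdentityControlEnd:
    """The data source layer keeps only the first fragment; splicing happens in the TEE."""

    def __init__(self):
        self.data_source_layer = {}    # user -> first private key fragment
        self.registered_ids = {}       # user -> trusted application ID fixed at registration
        self.first_splices = {}        # per-user "first splicing times"  (new function applications)
        self.second_splices = {}       # per-user "second splicing times" (remote authentications)

    # registration module
    def register(self, user):
        private_key = secrets.randbelow(PRIME)             # generated inside the TEE
        frag1, frag2 = shamir_split(private_key, 2, 2)
        self.data_source_layer[user] = frag1
        self.registered_ids[user] = trusted_app_id(private_key)
        return frag2                                       # returned to the data using end

    def _splice(self, user, frag2):
        """Recombine inside the TEE; the complete key never leaves this call."""
        return shamir_recombine([self.data_source_layer[user], frag2])

    # ID generation module, used by the new function application
    def new_function_application(self, user, frag2):
        self.first_splices[user] = self.first_splices.get(user, 0) + 1
        return trusted_app_id(self._splice(user, frag2))

    # remote authentication module, used after a function call
    def remote_authenticate(self, user, frag2):
        if user not in self.data_source_layer:
            return False
        self.second_splices[user] = self.second_splices.get(user, 0) + 1
        return trusted_app_id(self._splice(user, frag2)) == self.registered_ids[user]

    # application charging module and call charging module read the two counters
    def charge(self, user, application_fee=10, call_fee=1):
        return (self.first_splices.get(user, 0) * application_fee
                + self.second_splices.get(user, 0) * call_fee)
```

With a 2-of-2 split either fragment on its own is a uniformly random field element, so neither the identity control end's data source layer nor the data using end holds anything that reveals the key; a tampered second fragment recombines to a different key and fails remote authentication. The page does not say how the second fragment travels between the ends; in practice it has to go over an authenticated, encrypted channel, or an attacker on the path learns half of the secret.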
Further, the data providing end may further include a verification module, where the verification module is configured to perform validity verification on the application signature in the function injection application, and start a workflow corresponding to the function calling module after the application signature passes the validity verification.
The embodiment of the present application further provides a data processing method applied to an identity control end, where the method may include: receiving a new function application initiated by a data using end; generating a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment; and returning the application signature to the data using end, so that after the data using end initiates a function injection application to the data providing end according to the trusted application ID, the application signature and the function code, the data providing end generates a trusted application corresponding to the function injection application in the trusted execution environment and returns a data processing result of the trusted application.
In this embodiment, the data using end first initiates a new function application to the identity control end, and the identity control end generates, in a trusted execution environment, an application signature corresponding to the new function application. The data using end then initiates a function injection application to the data providing end using the application signature, the trusted application ID and the corresponding function code, so that the data providing end generates a trusted application corresponding to the function injection application in a trusted execution environment and returns the data processing result of the trusted application. Both the new function application and the function injection application are carried out in a trusted execution environment, which guarantees the security and trustworthiness of the data processing process, so this embodiment guarantees data privacy during data processing.
Further, the method also comprises the following steps:
receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end with a Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in the data source layer of the identity control end, and returning the second private key fragment to the data using end.
Further, the method also comprises the following steps:
and acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
Further, the method also comprises the following steps:
and counting the first splicing times of the first private key fragment and the second private key fragment in the trusted application ID generation process, and executing corresponding charging operation on the data using end according to the first splicing times.
Further, the method also comprises the following steps:
when a remote authentication request of the data using end is received, acquiring the second private key fragment from a data source layer of the data using end, and splicing the first private key fragment and the second private key fragment in the trusted execution environment to perform remote authentication on the data using end; the remote authentication request is a request sent to the identity control terminal by the data using terminal after initiating a function call application to the data providing terminal.
Further, the method also comprises the following steps:
and counting the second splicing times, i.e. the number of times the first private key fragment and the second private key fragment are spliced in the remote authentication process, and executing a corresponding charging operation on the data using end according to the second splicing times.
The embodiment of the present application further provides a data processing method applied to a data providing end, which includes: receiving a function injection application initiated by a data using end to the data providing end according to a trusted application ID, an application signature and function code, where the application signature is generated as follows: after receiving a new function application initiated by the data using end, the identity control end generates, in a trusted execution environment, the application signature corresponding to the new function application; and generating, in the trusted execution environment, a trusted application corresponding to the function injection application, and returning the data processing result of the trusted application.
In this embodiment, the data using end first initiates a new function application to the identity control end, and the identity control end generates the corresponding application signature in a trusted execution environment. The data using end then initiates a function injection application to the data providing end with the application signature, the trusted application ID and the corresponding function code, so that the data providing end generates the corresponding trusted application in its trusted execution environment and returns the data processing result of that trusted application. Both the new function application and the function injection application are handled inside a trusted execution environment, which guarantees that the data processing is secure and trustworthy, so this embodiment protects data privacy during data processing.
Further, the method also comprises the following steps:
counting the first splicing times, that is, the number of times the first private key fragment and the second private key fragment are spliced during trusted application ID generation, and executing a corresponding charging operation on the data using end according to the first splicing times;
the trusted application ID generation process comprises the following steps: the identity control end receives a registration application initiated by the data using end, generates the private key of the data using end in the trusted execution environment, splits that private key with the Shamir secret sharing algorithm into a first private key fragment and a second private key fragment, stores the first private key fragment in the data source layer of the identity control end, and returns the second private key fragment to the data using end; it then acquires the second private key fragment from the data source layer of the data using end, splices the first private key fragment and the second private key fragment in the trusted execution environment to recover the private key of the data using end, and converts that private key into the trusted application ID.
Further, the method also comprises the following steps:
counting the second splicing times, that is, the number of times the first private key fragment and the second private key fragment are spliced during the remote authentication process, and executing a corresponding charging operation on the data using end according to the second splicing times;
wherein the remote authentication process comprises: when a remote authentication request of the data using end is received, the identity control end acquires the second private key fragment from the data source layer of the data using end and splices the first private key fragment and the second private key fragment in the trusted execution environment to perform remote authentication of the data using end; the remote authentication request is sent by the data using end to the identity control end after the data using end initiates a function call application to the data providing end.
The embodiment of the present application further provides a data processing method applied to a data using end, including: initiating a new function application to an identity control end, so that the identity control end generates, in a trusted execution environment, a trusted application ID and an application signature corresponding to the new function application; and initiating a function injection application to a data providing end according to the trusted application ID, the application signature and the function code, so that the data providing end generates, in the trusted execution environment, a trusted application corresponding to the function injection application and returns the data processing result of the trusted application. Specifically, the data using end may initiate a function call application to the data providing end, so that the data providing end calls the corresponding function according to the function call application, performs the computation in the trusted execution environment, and returns the data processing result.
In this embodiment, the data using end first initiates a new function application to the identity control end, and the identity control end generates the corresponding application signature in a trusted execution environment. The data using end then initiates a function injection application to the data providing end with the application signature, the trusted application ID and the corresponding function code, so that the data providing end generates the corresponding trusted application in its trusted execution environment and returns the data processing result of that trusted application. Both the new function application and the function injection application are handled inside a trusted execution environment, which ensures that the data processing is secure and trustworthy, so this embodiment protects data privacy during data processing.
Further, the method also comprises the following steps:
counting the first splicing times, that is, the number of times the first private key fragment and the second private key fragment are spliced during trusted application ID generation, and executing a corresponding charging operation on the data using end according to the first splicing times;
the trusted application ID generation process comprises the following steps: the identity control end receives a registration application initiated by the data using end, generates the private key of the data using end in the trusted execution environment, splits that private key with the Shamir secret sharing algorithm into a first private key fragment and a second private key fragment, stores the first private key fragment in the data source layer of the identity control end, and returns the second private key fragment to the data using end; it then acquires the second private key fragment from the data source layer of the data using end, splices the first private key fragment and the second private key fragment in the trusted execution environment to recover the private key of the data using end, and converts that private key into the trusted application ID.
Further, the method also comprises the following steps:
counting the second splicing times, that is, the number of times the first private key fragment and the second private key fragment are spliced during the remote authentication process, and executing a corresponding charging operation on the data using end according to the second splicing times;
wherein the remote authentication process comprises: when a remote authentication request of the data using end is received, the identity control end acquires the second private key fragment from the data source layer of the data using end and splices the first private key fragment and the second private key fragment in the trusted execution environment to perform remote authentication of the data using end; the remote authentication request is sent by the data using end to the identity control end after the data using end initiates a function call application to the data providing end.
Since the embodiment of the method portion corresponds to the embodiment of the system portion, please refer to the description of the embodiment of the system portion for the embodiment of the method portion, which is not repeated here.
In a distributed computing environment, the related art mainly relies on a trusted administrator to protect data privacy and does not use a TEE (trusted execution environment) to protect the data on every use; but the trustworthiness of that administrator is hard to guarantee. The related schemes also do not address charging. Where charging is needed, the administrator performs the secret sharing operation on the user's behalf each time and charges for it, which presupposes that the administrator charges reasonably; in practice the fairness and transparency of the administrator's charging are hard to guarantee.
The flow of the above embodiments is described next through an embodiment in practical application, which addresses the drawbacks of the related art described above. The embodiment provides a decentralized charging mode based on a TEE (Trusted Execution Environment) and secret sharing: the properties of the TEE replace the functions otherwise provided by a trusted third party, and key fragmentation by secret sharing further guarantees decentralized control of account information. This charging mode offers a transparent, secure and trustworthy way to charge for data circulation in scenarios such as a consortium chain, a private cloud or a hybrid cloud. No party can change the charging rules at will, and the interaction between the data source and the data user takes place inside the TEE, free from interference by any party.
Referring to fig. 2, fig. 2 is a user registration flowchart provided in an embodiment of the present application. The flow is: the data using end initiates a registration application to the identity control end; the identity control end generates a public/private key pair for the data using end inside the TEE, broadcasts the public key, splits the private key with the Shamir secret sharing algorithm, stores one fragment of the private key in the data source layer of the identity control end, and returns the remaining fragment to the data using end for safekeeping. Broadcasting the public key makes it available to the other parties to a transaction, which later use it for authentication.
Further, the data providing end may register in the same way: the data providing end initiates a registration application to the identity control end; the identity control end generates a public/private key pair for the data providing end inside the TEE, broadcasts the public key, splits the private key with the Shamir secret sharing algorithm, stores one fragment of the private key in the data source layer of the identity control end, and returns the remaining fragment to the data providing end.
Referring to fig. 3, fig. 3 is a flowchart of a new function application provided in the embodiment of the present application. After the data using end initiates a new function application to the identity control end, the identity control end first checks the identity of the data using end (for example, whether it is in a logged-in state), requests the private key fragments from the data using end and from its own data source layer, and splices the fragments inside the TEE to generate the ID of the Trusted Application (TA) that corresponds to the data using end. This trusted application ID is later used, when the new function is injected into the data providing end, to create the corresponding TA in the TEE of the data providing end and to load the required function. The identity control end signs the trusted application ID, returns the trusted application ID together with the resulting application signature to the data using end, and may store the related information of the trusted application TA in its data source layer. When the new function application process is completed, the identity control end may collect the fee from the data using end.
Referring to fig. 4, fig. 4 is a schematic diagram of a function injection process according to an embodiment of the present application. When the data using end needs to use a new function, it initiates a function injection application to the data providing end and provides the trusted application ID, the application signature and the function code obtained when the new function was applied for. The data providing end acquires the public key from the data source layer and performs remote authentication through the identity control end to verify the legality of the application signature; only if the signature is legal is the data using end regarded as having provided valid signature verification information together with the function code. The data providing end then generates the corresponding trusted application in the TEE according to the trusted application ID and injects the function code into that trusted application.
Referring to fig. 5, fig. 5 is a schematic diagram of a function call flow provided in the embodiment of the present application. When the data using end initiates a function call application to the data providing end, the TEE of the data providing end fetches the data required by the called function from the data source layer, computes the result inside the TEE and returns the result to the data using end. Because the whole process is completed in the TEE, it is decentralized and the data is usable but not visible: the data never has to leave the data providing end. After the process completes, the data providing end collects the fee from the data using end.
The charging mode based on TEE and secret sharing provided by this embodiment belongs to the field of data transactions and provides a secure and trustworthy way to circulate data; charges are based on the number of trusted functions a user has applied for and the number of times those trusted functions run. Because the data flows inside the TEE, the charging mode is secure and trustworthy, and its decentralized nature makes the transactions of all parties transparent and fair. The embodiment removes the need for a third party to control the data and to charge, achieves decentralization, and provides a new charging mode that is transparent and fair to every party using it; because the TEE keeps the data secure and trustworthy, the mode is more readily accepted by users. The embodiment uses the decentralized nature of a blockchain, so pricing, usage counting and later publication for both transaction parties are secure and tamper-proof, usage is fair and transparent, and no party can over-charge by exploiting information asymmetry.
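The registration, new function application and remote authentication flows above, together with the splice counting that the application and call charging modules of the earlier method embodiments bill on, as an added Go sketch. This is example code written for this page, not code from the patent or its assignee. It uses Shamir sharing over the prime field p = 2^255 - 19 (the patent names no field) and ed25519 from the Go standard library; the trusted application ID is assumed to be SHA-256 of the reconstructed key seed (the patent only says the private key is "converted"), the application signature is assumed to be made with the reconstructed user key, the "id"/"auth" counter keys and the per-splice prices are illustrative, and the TEE itself is not modelled: everything here runs in ordinary process memory. Split and Reconstruct are written for a general t-of-n threshold, of which the patent's two-fragment registration is the t = n = 2 case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// p = 2^255 - 19 is the Shamir field (assumption); every element fits the 32-byte ed25519 seed.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))

// Share is one private key fragment: the sharing polynomial evaluated at X.
type Share struct{ X, Y *big.Int }

// Split shares secret t-of-n over GF(p); the patent's registration is the t = n = 2 case.
func Split(secret *big.Int, t, n int) ([]Share, error) {
	if t < 1 || n < t || secret.Sign() < 0 || secret.Cmp(p) >= 0 {
		return nil, errors.New("invalid threshold or secret outside the field")
	}
	coeffs := []*big.Int{secret}
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, p)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := t - 1; j >= 0; j-- { // Horner evaluation mod p
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, p)
		}
		shares[i] = Share{x, y}
	}
	return shares, nil
}

// Reconstruct splices fragments back together by Lagrange interpolation at x = 0.
func Reconstruct(shares []Share) *big.Int {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, sj.X).Neg(num).Mod(num, p)
				den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, p)
			}
		}
		term := new(big.Int).Mul(si.Y, num)
		secret.Add(secret, term.Mul(term, new(big.Int).ModInverse(den, p))).Mod(secret, p)
	}
	return secret
}

// keyFromSecret: the 32-byte encoding of the field element is the ed25519 seed.
func keyFromSecret(secret *big.Int) ed25519.PrivateKey {
	var seed [32]byte
	secret.FillBytes(seed[:])
	return ed25519.NewKeyFromSeed(seed[:])
}

// IdentityControl models the identity control end. Splices["id/<user>"] and Splices["auth/<user>"]
// are the first and second splicing times that the application and call charging modules bill on.
type IdentityControl struct {
	frag    map[string]Share             // data source layer: first private key fragment per user
	pub     map[string]ed25519.PublicKey // broadcast public keys
	Splices map[string]int
}

func NewIdentityControl() *IdentityControl {
	return &IdentityControl{map[string]Share{}, map[string]ed25519.PublicKey{}, map[string]int{}}
}

// Register generates the user's key pair, keeps the first fragment, and returns the second
// fragment together with the public key that is broadcast.
func (ic *IdentityControl) Register(user string) (Share, ed25519.PublicKey, error) {
	secret, err := rand.Int(rand.Reader, p)
	if err != nil {
		return Share{}, nil, err
	}
	shares, _ := Split(secret, 2, 2) // inputs are valid by construction
	ic.frag[user] = shares[0]
	ic.pub[user] = keyFromSecret(secret).Public().(ed25519.PublicKey)
	return shares[1], ic.pub[user], nil
}

// Splice rebuilds the user's key from both fragments and counts it under phase ("id" or "auth").
// A fragment that does not reproduce the registered public key is rejected before counting,
// so a wrong or forged fragment can neither be billed nor yield an unregistered key.
func (ic *IdentityControl) Splice(phase, user string, userShare Share) (ed25519.PrivateKey, error) {
	own, ok := ic.frag[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	priv := keyFromSecret(Reconstruct([]Share{own, userShare}))
	if !priv.Public().(ed25519.PublicKey).Equal(ic.pub[user]) {
		return nil, errors.New("fragment does not reconstruct the registered key")
	}
	ic.Splices[phase+"/"+user]++
	return priv, nil
}

// NewFunction: first splice, then the trusted application ID (assumption: SHA-256 of the key
// seed; the patent only says the key is "converted") and the application signature over it.
func (ic *IdentityControl) NewFunction(user string, userShare Share) (string, []byte, error) {
	priv, err := ic.Splice("id", user, userShare)
	if err != nil {
		return "", nil, err
	}
	sum := sha256.Sum256(priv.Seed())
	taID := hex.EncodeToString(sum[:])
	return taID, ed25519.Sign(priv, []byte(taID)), nil
}

// RemoteAuth: the second, separately billed splice the data providing end asks for before
// function injection, then verification of the application signature under the broadcast key.
func (ic *IdentityControl) RemoteAuth(user string, userShare Share, taID string, sig []byte) (bool, error) {
	if _, err := ic.Splice("auth", user, userShare); err != nil {
		return false, err
	}
	return ed25519.Verify(ic.pub[user], []byte(taID), sig), nil
}

// Bill is the charging rule: each counted splice is priced (the prices are assumptions).
func (ic *IdentityControl) Bill(user string, idPrice, authPrice int) int {
	return ic.Splices["id/"+user]*idPrice + ic.Splices["auth/"+user]*authPrice
}

func main() {
	ic := NewIdentityControl()
	share, pub, _ := ic.Register("data-user-1")
	taID, sig, _ := ic.NewFunction("data-user-1", share)
	ok, _ := ic.RemoteAuth("data-user-1", share, taID, sig)
	fmt.Println(taID, ed25519.Verify(pub, []byte(taID), sig), ok, ic.Bill("data-user-1", 3, 2))
}
```

The check in Splice is the one a practitioner would insist on: before a splice is counted, the reconstructed key must reproduce the public key broadcast at registration, otherwise a mistyped or forged second fragment would still increment the billable counter and, worse, produce a key the user never registered. Any party holding the broadcast public key can verify the application signature without a splice; the identity control end splices again during remote authentication only because the patent bills that step separately.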
The present application also provides a storage medium having a computer program stored thereon, which when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the description of the method part. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It should also be noted that, in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.

Claims (8)

1. A data processing system is characterized by comprising an identity control end, a data using end and a data providing end;
the identity control terminal comprises an application processing module, and the application processing module is used for receiving a new function application initiated by the data using terminal and generating a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment;
the data using end comprises a function injection module, and the function injection module is used for receiving the application signature returned by the identity control end and initiating a function injection application to the data providing end according to the trusted application ID, the application signature and the function code;
the data providing end comprises a function calling module, and the function calling module is used for generating a trusted application corresponding to the function injection application in the trusted execution environment and returning a data processing result of the trusted application;
wherein, the identity control end further comprises:
the registration module is used for receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end by using the Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in a data source layer of the identity control end, and returning the second private key fragment to the data using end;
and the ID generation module is used for acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
2. The data processing system of claim 1, further comprising:
an application charging module, which is used for counting the first splicing times, that is, the number of times the ID generation module splices the first private key fragment and the second private key fragment, and executing a corresponding charging operation on the data using end according to the first splicing times.
3. The data processing system of claim 1, wherein the identity control terminal further comprises:
the remote authentication module is used for acquiring the second private key fragment from a data source layer of the data using end when receiving a remote authentication request of the data using end, and splicing the first private key fragment and the second private key fragment in the trusted execution environment to carry out remote authentication on the data using end; the remote authentication request is a request sent to the identity control terminal by the data using terminal after initiating a function call application to the data providing terminal.
4. The data processing system of claim 3, further comprising:
a call charging module, which is used for counting the second splicing times, that is, the number of times the remote authentication module splices the first private key fragment and the second private key fragment, and executing a corresponding charging operation on the data using end according to the second splicing times.
5. A data processing method is applied to an identity control end and comprises the following steps:
receiving a new function application initiated by a data using end;
generating a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment;
returning the application signature to the data using end, so that after the data using end initiates a function injection application to the data providing end according to a trusted application ID, the application signature and a function code, the data providing end generates a trusted application corresponding to the function injection application in the trusted execution environment and returns a data processing result of the trusted application;
wherein, the identity control end includes:
the registration module is used for receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end by using the Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in a data source layer of the identity control end, and returning the second private key fragment to the data using end;
and the ID generation module is used for acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
6. A data processing method is applied to a data providing end and comprises the following steps:
receiving a function injection application initiated by a data using end to a data providing end according to a trusted application ID, an application signature and a function code; wherein the generation process of the application signature comprises: after receiving a new function application initiated by a data using end, an identity control end generates the trusted application ID and the application signature corresponding to the new function application in a trusted execution environment;
generating a trusted application corresponding to the function injection application in the trusted execution environment, and returning a data processing result of the trusted application;
wherein, the identity control end includes:
the registration module is used for receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end by using the Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in a data source layer of the identity control end, and returning the second private key fragment to the data using end;
and the ID generation module is used for acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
7. A data processing method is applied to a data using end and comprises the following steps:
initiating a new function application to an identity control end so that the identity control end can generate a trusted application ID and an application signature corresponding to the new function application in a trusted execution environment;
initiating a function injection application to a data providing end according to the trusted application ID, the application signature and the function code, so that the data providing end can generate a trusted application corresponding to the function injection application in the trusted execution environment and return a data processing result of the trusted application;
wherein, the identity control end further comprises:
the registration module is used for receiving a registration application initiated by the data using end, generating a private key of the data using end in the trusted execution environment, fragmenting the private key of the data using end by using the Shamir secret sharing algorithm to obtain a first private key fragment and a second private key fragment, storing the first private key fragment in a data source layer of the identity control end, and returning the second private key fragment to the data using end;
and the ID generation module is used for acquiring the second private key fragment from a data source layer of the data using end, splicing the first private key fragment and the second private key fragment in the trusted execution environment to obtain a private key of the data using end, and converting the private key of the data using end into the trusted application ID.
8. An electronic device, comprising a memory in which a computer program is stored and a processor which, when calling the computer program in the memory, carries out the steps of the data processing method according to any one of claims 5 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111299087.3A CN114021187B (en) 2021-11-04 2021-11-04 Data processing system and method and electronic equipment


Publications (2)

Publication Number Publication Date
CN114021187A CN114021187A (en) 2022-02-08
CN114021187B true CN114021187B (en) 2023-02-28

Family

ID=80060916

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111299087.3A Active CN114021187B (en) 2021-11-04 2021-11-04 Data processing system and method and electronic equipment

Country Status (1)

Country Link
CN (1) CN114021187B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 571924 building 8848, Walker Park, Hainan Ecological Software Park, Laocheng high tech industry demonstration zone, Hainan Province
Applicant after: Yunhai Chain Holdings Co., Ltd.
Address before: 571924 building 8848, Walker Park, Hainan Ecological Software Park, Laocheng high tech industry demonstration zone, Hainan Province
Applicant before: Hainan Nanhai cloud Holding Co.,Ltd.
GR01 Patent grant