CN114091059A - Data security processing method, device, terminal, medium and system - Google Patents
Publication number: CN114091059A (application number CN202111319425.5A)
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/602—Providing cryptographic facilities or services
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The invention relates to the technical field of data security and discloses a data security processing method, device, terminal, medium and system. The method is applied to a trusted execution environment and comprises the following steps: acquiring a function file sent by a function provider, a task file sent by a task initiator, privacy data sent by a data provider and path information sent by a result receiver, where the function file, the privacy data and the path information are each bound to and matched with the task file; after receiving a task starting instruction sent by the task initiator, processing the privacy data with the function file to obtain result data; and sending the result data to the result receiver according to the path information. Compared with the prior art, the embodiment of the invention improves the operation efficiency of data security processing and reduces the algorithm expansion cost while ensuring that the data is usable but invisible.
Description
Technical Field
The embodiment of the invention relates to the technical field of data security, in particular to a data security processing method, a data security processing device, a data security processing terminal, a data security processing medium and a data security processing system.
Background
Enterprise integration and cross-industry, cross-domain data sharing and applications are becoming increasingly desirable. More and more business scenarios require multi-party data sharing to release the application value of the data. Existing data fusion computation, such as joint modeling and joint statistical analysis, requires the data demander to state its data requirements to its data partners, and the data partners must directly provide plaintext data or desensitized data, so data privacy cannot be guaranteed.
In the prior art, data security processing approaches include secure multi-party computation, federated learning and the like. Secure multi-party computation is based on cryptographic techniques such as garbled circuits, secret sharing, oblivious transfer and homomorphic encryption: intermediate calculation results are exchanged, the original data never leaves the local site, and the multi-party data fusion calculation is completed. Federated learning mainly performs joint modeling on the condition that the original data does not leave its domain: non-original data such as intermediate model results and gradients are exchanged on the basis of cryptographic techniques such as homomorphic encryption, and the model is trained iteratively. Because encrypting and decrypting the data and its encrypted results expands the data, secure multi-party computation and federated learning require more computing and transmission resources and time, and their overall operation efficiency is low. Their algorithm expansion cost is also higher: each algorithm must be designed separately, adapted to cryptographic data computation and interaction, and analysed for whether the exchanged data could cause privacy leakage.
Disclosure of Invention
The invention provides a data security processing method, device, terminal, medium and system, which ensure that data is usable but invisible, improve the operation efficiency of data security processing and reduce the algorithm expansion cost.
In a first aspect, an embodiment of the present invention provides a data security processing method, where the method is applied to a trusted execution environment; the method comprises the following steps:
acquiring a function file sent by a function provider, a task file sent by a task initiator, privacy data sent by a data provider and path information sent by a result receiver, where the function file, the privacy data and the path information are each bound to and matched with the task file;
after receiving a task starting instruction sent by the task initiator, processing the privacy data by adopting the function file to obtain result data;
and sending the result data to the result receiver according to the path information.
In a second aspect, an embodiment of the present invention provides a data security processing apparatus, where the apparatus is applied to a trusted execution environment; the device comprises:
the data acquisition module is used for acquiring the function file sent by the function provider, the task file sent by the task initiator, the privacy data sent by the data provider and the path information sent by the result receiver, where the function file, the privacy data and the path information are each bound to and matched with the task file;
the data processing module is used for processing the private data by adopting the function file after receiving an approval task instruction sent by the data provider and the result receiver and a task starting instruction sent by the task initiator to obtain result data;
and the data sending module is used for sending the result data to the result receiver according to the path information.
In a third aspect, an embodiment of the present invention provides a data security processing method, where the method is applied to a function provider; the method comprises the following steps:
acquiring a data dictionary of a data provider;
creating a function file according to the function definition and the data dictionary;
and sending the function file to a trusted execution environment.
In a fourth aspect, an embodiment of the present invention provides a data security processing apparatus, where the apparatus is applied to a function provider; the device comprises:
the data dictionary acquisition module is used for acquiring a data dictionary of a data provider;
the function creating module is used for creating a function file according to the function definition and the data dictionary;
and the function sending module is used for sending the function file to the trusted execution environment.
In a fifth aspect, an embodiment of the present invention provides a data security processing method, where the method is applied to a data provider; the method comprises the following steps:
after being encrypted, the private data are sent to a trusted execution environment;
acquiring a first data number returned by the trusted execution environment;
and binding the first data number to an input parameter of a function corresponding to the task number.
In a sixth aspect, an embodiment of the present invention provides a data security processing apparatus, where the apparatus is applied to a data provider; the device comprises:
the encryption module is used for encrypting the private data and then sending the encrypted private data to the trusted execution environment;
the first data number acquisition module is used for acquiring a first data number returned by the trusted execution environment;
and the input parameter binding module is used for binding the first data number to the input parameter of the function corresponding to the task number.
In a seventh aspect, an embodiment of the present invention provides a data security processing method, where the method is applied to a result receiver; the method comprises the following steps:
sending path information and a data receiving mode to the trusted execution environment;
acquiring a path number and a second data number returned by the trusted execution environment;
binding the second data number to an output parameter of a function corresponding to the task number;
and receiving result data sent by the trusted execution environment.
In an eighth aspect, an embodiment of the present invention provides a data security processing apparatus, where the apparatus is applied to a result receiving party; the device comprises:
the path information sending module is used for sending path information and a data receiving mode to the trusted execution environment;
the second data number acquisition module is used for acquiring a path number and a second data number returned by the trusted execution environment;
the output parameter binding module is used for binding the second data number to the output parameter of the function corresponding to the task number;
and the result data receiving module is used for receiving the result data sent by the trusted execution environment.
In a ninth aspect, an embodiment of the present invention provides a data security processing method, where the method is applied to a task initiator; the method comprises the following steps:
creating a task file and sending the task file to a trusted execution environment;
acquiring a task number returned by the trusted execution environment;
and sending a task starting instruction to the trusted execution environment according to the task number.
In a tenth aspect, an embodiment of the present invention provides a data security processing apparatus, where the apparatus is applied to a task initiator; the device comprises:
the task creating and sending module is used for creating a task file and sending the task file to the trusted execution environment;
the task number acquisition module is used for acquiring a task number returned by the trusted execution environment;
and the starting instruction sending module is used for sending a starting task instruction to the trusted execution environment according to the task number.
In an eleventh aspect, an embodiment of the present invention provides a data security processing method, including:
the function provider sends a function file to a trusted execution environment, the task initiator sends a task file to the trusted execution environment, the data provider sends private data to the trusted execution environment, and the result receiver sends path information to the trusted execution environment; the function file, the privacy data and the path information are each bound to and matched with the task file;
after receiving a task starting instruction sent by the task initiator, the trusted execution environment processes the private data by adopting the function file to obtain result data and sends the result data to the result receiver;
the result receiver receives the result data.
In a twelfth aspect, an embodiment of the present invention provides a data security processing apparatus, including:
the function provider is used for sending the function file to the trusted execution environment;
the task initiator is used for sending a task file to the trusted execution environment;
a data provider for sending private data to the trusted execution environment;
a result receiver for sending path information to the trusted execution environment, where the function file, the privacy data and the path information are each bound to and matched with the task file;
the trusted execution environment is used for processing the private data by adopting the function file after receiving a task starting instruction sent by the task initiator to obtain result data and sending the result data to the result receiver;
the result receiver is used for receiving the result data.
In a thirteenth aspect, an embodiment of the present invention provides a terminal comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the data security processing method according to any of the above aspects.
In a fourteenth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a data security processing method according to any embodiment of the present invention.
In a fifteenth aspect, an embodiment of the present invention provides a data security processing system, including: the system comprises a function provider terminal, a task initiator terminal, a data provider terminal, a result receiver terminal and a trusted execution environment terminal;
the trusted execution environment terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and the processor implements the data security processing method according to any one of the first aspect when executing the program;
the function provider terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and the processor implements the data security processing method according to any one of the third aspect when executing the program;
the data provider terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and the processor realizes the data security processing method according to any one of the fifth aspect when executing the program;
the result receiver terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and the processor implements the data security processing method according to any one of the seventh aspect when executing the program;
the task initiator terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and the processor implements the data security processing method according to any one of the ninth aspect when executing the program.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment. For the trusted execution environment, a function file sent by a function provider, a task file sent by a task initiator, private data sent by a data provider and path information sent by a result receiver are obtained; after a task starting instruction sent by the task initiator is received, the private data is processed with the function file to obtain result data; and the result data is sent to the result receiver according to the path information. The embodiment of the invention can perform business processing according to a defined data cooperation process in a privacy-preserving computation mode, perform joint calculation or modeling over multi-party data, and fully mine and release the value of the data. Since the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is guaranteed to be usable but invisible. Since the trusted execution environment also has high operation efficiency and low algorithm expansion cost, the embodiment of the invention improves the operation efficiency of data security processing and reduces the algorithm expansion cost.
Drawings
Fig. 1 is a schematic flow chart of a data security processing method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a data security processing apparatus according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of another data security processing method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention;
fig. 5 is a schematic flow chart of another data security processing method according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention;
fig. 7 is a schematic flowchart of another data security processing method according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention;
fig. 9 is a schematic flowchart of another data security processing method according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention;
fig. 11 is a schematic flowchart of another data security processing method according to an embodiment of the present invention;
fig. 12 is a schematic flowchart of another data security processing method according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
The embodiment of the invention provides a data security processing method suitable for multi-party data cooperation tasks (including joint modeling, joint statistical analysis and the like). The method is executed by a data security processing device, which can be implemented in software and/or hardware. The method defines a trusted execution environment, a function provider, a data provider, a result receiver, a task initiator and other data processors, and is first described below with each data processor as a separate execution subject.
It should be noted that, in the embodiment of the present invention, the acquisition, storage and/or processing of the related private data complies with the relevant regulations of the national laws and regulations, and does not violate the customs of the public order.
Fig. 1 is a schematic flow chart of a data security processing method according to an embodiment of the present invention. The method is applied to a trusted execution environment. A Trusted Execution Environment (TEE) is a secure area within a host processor. It ensures that the code and data loaded inside it are protected in terms of confidentiality and integrity. As a separate execution environment, the trusted execution environment provides security features such as isolated execution, integrity of the applications executing within it, and confidentiality of their data. It provides an execution space that gives trusted applications running on the device a higher level of security than the operating system does. Referring to fig. 1, the data security processing method is applied to a trusted execution environment and includes the following steps:
s110, acquiring a function file sent by a function provider, a task file sent by a task initiator, privacy data sent by a data provider and path information sent by a result receiver.
The function file, the privacy data and the path information are all bound to and matched with the task file, which ensures the security and accuracy of data transmission and processing. Illustratively, bank A and insurance company B cooperate: the private data of bank A and the private data of insurance company B need to be jointly calculated, queried and analysed, for example to analyse conversion rate or marketability, to join tables, or to calculate summary values. Illustratively, the trusted execution environment may be established on a computer of bank A or of insurance company B.
The function provider defines the processing logic according to the task; in particular, the function provider can acquire the table structure of each data provider and then provide a function file containing the business logic according to that table structure. Illustratively, the function provider may be established within the computer of bank A or insurance company B. The task initiator creates a task file according to the specific task, so that the task is created in the trusted execution environment. Illustratively, the function provider or result receiver may be established within the computers of bank A or insurance company B. The path information sent by the result receiver is a path, such as a URL (uniform resource locator), on the computer on which the result receiver is located.
And S120, after receiving a task starting instruction sent by the task initiator, processing the private data by adopting the function file to obtain result data.
After receiving the private data, the trusted execution environment can start processing it only once it has received a start instruction; this arrangement improves the security of the private data.
And S130, sending the result data to a result receiver according to the path information.
The result data is the result information required by the data cooperation, such as conversion rate, marketability, table association, summary value and the like. That is, once the private data has been provided to the trusted execution environment, the trusted execution environment outputs only the final result, thereby avoiding leakage of the private data.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment. For the trusted execution environment, a function file sent by a function provider, a task file sent by a task initiator, private data sent by a data provider and path information sent by a result receiver are obtained; after a task starting instruction sent by the task initiator is received, the private data is processed with the function file to obtain result data; and the result data is sent to the result receiver according to the path information. The embodiment of the invention can perform business processing according to a defined data cooperation process in a privacy-preserving computation mode, perform joint calculation or modeling over multi-party data, and fully mine and release the value of the data. Since the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is guaranteed to be usable but invisible. Since the trusted execution environment also has high operation efficiency and low algorithm expansion cost, the embodiment of the invention improves the operation efficiency of data security processing and reduces the algorithm expansion cost.
On the basis of the foregoing embodiments, optionally, after acquiring the function file sent by the function provider, the method further includes: numbering the function file to obtain a function number; and sending the function number to the function provider and the task initiator. The function number is the function ID, i.e. the identifier of the function. This arrangement allows the function ID and the task ID to be bound and matched subsequently, further improving the security of the private data.
On the basis of the foregoing embodiments, optionally, after obtaining the private data sent by the data provider, the method further includes: numbering the private data to obtain a first data number; and sending the first data number to the data provider. The first data number is the data ID, i.e. the identifier of the private data. This arrangement allows the data ID and the task ID to be bound and matched subsequently, further improving the security of the private data.
Optionally, there are at least two data providers, and the first data numbers corresponding to different data providers are different. Illustratively, bank A and insurance company B are both data providers; the data file sent by bank A is marked as data ID1, and the data file sent by insurance company B is marked as data ID2.
On the basis of the foregoing embodiments, optionally, after obtaining the path information sent by the result receiver, the method further includes: numbering the path information to obtain a path number; and sending the path number to the result receiver. The path number is the path ID, i.e. the identifier of the path. This arrangement allows the path ID and the task ID to be bound and matched subsequently, further improving the security of the private data.
Optionally, there are at least two result receivers, and the path numbers corresponding to different result receivers are different. Illustratively, bank A and insurance company B both receive results; the path information sent by bank A is marked as path ID1, and the path information sent by insurance company B is marked as path ID2.
On the basis of the foregoing embodiments, optionally, the method further includes: acquiring a data receiving mode sent by the result receiver; numbering the data receiving mode to obtain a second data number; and sending the second data number to the result receiver. The second data number is the result data ID, i.e. the identifier of the result data. Illustratively, the result data ID is bound to the output parameter of the function, so that the result is sent according to the result data ID.
Optionally, there are at least two result receivers, and the second data numbers corresponding to the result receivers are the same, so that each result receiver receives the same result data.
Optionally, in the process of transmitting file data to the trusted execution environment, each of the task initiator, the function provider, the data provider and the result receiver generates a hash over the transmitted file by means of a function signature; correspondingly, the trusted execution environment returns the hash to each party, so that each party can confirm that its file data has not been tampered with, further improving the security of the data.
On the basis of the foregoing embodiments, optionally, the data security processing method further includes: obtaining attestation from a third party. The third party attests to the security characteristics of the trusted execution environment and ensures that data and code are stored and executed securely. Illustratively, the third party's attestation of the trusted execution environment may support remote attestation and offline attestation.
On the basis of the above embodiments, optionally, the private data is encrypted private data, and the encryption modes of different data providers are not all the same. This arrangement further improves the security of the private data.
On the basis of the foregoing embodiments, optionally, before sending the result data to the result receiver according to the path information, the method further includes: encrypting the result data and outputting the result through a trusted channel using the Transport Layer Security (TLS) protocol. In particular, the private data is encrypted during transmission with the ephemeral key negotiated during the TLS handshake. This arrangement further improves the security of the private data.
On the basis of the foregoing embodiments, optionally, the data security processing method further includes: applying memory encryption to the trusted execution environment to form an isolated memory environment (enclave), thereby ensuring the security of private data and code during storage and execution.
On the basis of the foregoing embodiments, optionally, after sending the result data to the result receiver according to the path information, the method further includes: destroying the trusted execution environment. This arrangement ensures that the private data can be used only once; the next use requires a new task to be established and the agreement of all parties to be obtained again, so the private data cannot be abused.
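As an added illustration, not code from the patent, the following Python sketch models the task registry that steps S110 to S130 and the optional embodiments above describe: function, data, path and task numbers bound to one task, a hash returned for every upload, processing gated on the approval of every data provider and result receiver plus the initiator's start instruction, and destruction of the instance once the result has been sent. The class, method and party names and the bank A / insurer B overlap query are assumptions; the enclave, memory encryption, third-party attestation and TLS channel are not modelled.

```python
import hashlib

class TaskError(Exception):
    """Raised when a request violates the binding, approval or start rules."""

def sha256_hex(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()  # hash returned to the uploading party

class TeeTaskBroker:
    """Constructed model of the task registry the patent places inside the TEE: uploads
    get numbered IDs plus a hash, processing waits for approvals and the start instruction."""

    def __init__(self):
        self.functions = {}   # function ID -> callable
        self.data = {}        # data ID (first data number) -> (provider, rows)
        self.paths = {}       # path ID -> (receiver, url)
        self.tasks = {}       # task ID -> task record
        self.sent = []        # (url, result) pairs delivered to receivers
        self.destroyed = False

    def create_task(self, initiator, task_bytes):           # task initiator
        if self.destroyed:
            raise TaskError("TEE instance destroyed; a fresh instance is needed")
        task_id = f"task-{len(self.tasks) + 1}"
        self.tasks[task_id] = {"initiator": initiator, "function": None,
                               "inputs": {}, "receivers": {}, "approvals": set()}
        return task_id, sha256_hex(task_bytes)

    def register_function(self, task_id, func, source_bytes):  # function provider
        fid = f"fn-{len(self.functions) + 1}"
        self.functions[fid] = func
        self.tasks[task_id]["function"] = fid
        return fid, sha256_hex(source_bytes)

    def register_data(self, provider, rows):                # data provider
        data_id = f"data-{len(self.data) + 1}"
        self.data[data_id] = (provider, rows)   # assumed already decrypted inside the enclave
        return data_id, sha256_hex(repr(rows).encode())

    def bind_input(self, task_id, param, data_id, provider):
        if self.data[data_id][0] != provider:
            raise TaskError("only the owning provider may bind its data ID")
        self.tasks[task_id]["inputs"][param] = data_id

    def register_path(self, receiver, url):                 # result receiver
        path_id = f"path-{len(self.paths) + 1}"
        self.paths[path_id] = (receiver, url)
        return path_id

    def bind_output(self, task_id, path_id):
        # second data number: one result data ID shared by every receiver of the task
        self.tasks[task_id]["receivers"][path_id] = f"{task_id}-result"

    def approve(self, task_id, party):
        self.tasks[task_id]["approvals"].add(party)

    def start(self, task_id, sender):
        if self.destroyed:
            raise TaskError("TEE instance destroyed; a fresh instance is needed")
        task = self.tasks[task_id]
        if sender != task["initiator"]:
            raise TaskError("start instruction must come from the task initiator")
        if task["function"] is None or not task["inputs"] or not task["receivers"]:
            raise TaskError("function, input data and output path must be bound")
        required = {self.data[d][0] for d in task["inputs"].values()}
        required |= {self.paths[p][0] for p in task["receivers"]}
        missing = required - task["approvals"]
        if missing:
            raise TaskError(f"awaiting approval from: {sorted(missing)}")
        rows = {p: self.data[d][1] for p, d in task["inputs"].items()}
        result = self.functions[task["function"]](**rows)  # only this leaves the TEE
        for path_id in task["receivers"]:
            self.sent.append((self.paths[path_id][1], result))
        self.destroyed = True  # one task, one use of the private data
        return result

def overlap_count(bank, insurer):
    """Constructed joint query: customers present in both parties' tables."""
    return len({r["id"] for r in bank} & {r["id"] for r in insurer})

def run_demo():
    """Bank A / insurer B scenario from the text; returns values a test can check."""
    tee = TeeTaskBroker()
    task_id, _ = tee.create_task("bank_A", b"task: customer overlap count")
    tee.register_function(task_id, overlap_count, b"<constructed function bytes>")
    d1, _ = tee.register_data("bank_A", [{"id": 1}, {"id": 2}, {"id": 3}])
    d2, _ = tee.register_data("insurer_B", [{"id": 2}, {"id": 3}, {"id": 4}])
    tee.bind_input(task_id, "bank", d1, "bank_A")
    tee.bind_input(task_id, "insurer", d2, "insurer_B")
    tee.bind_output(task_id, tee.register_path("bank_A", "https://a.example/r"))
    tee.bind_output(task_id, tee.register_path("insurer_B", "https://b.example/r"))
    tee.approve(task_id, "bank_A")
    try:
        tee.start(task_id, "bank_A")  # insurer B has not approved yet, so this is refused
    except TaskError as exc:
        blocked = str(exc)
    tee.approve(task_id, "insurer_B")
    result = tee.start(task_id, "bank_A")
    return blocked, result, tee.sent, tee.destroyed
```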
In summary, embodiments of the present invention provide a private data cooperation method based on a trusted execution environment, which can perform business processing according to a certain data cooperation process in a private calculation manner, perform joint calculation or modeling of multi-party data, and fully mine and release data values. Since the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is guaranteed to be available and invisible. And the trusted execution environment has high operation efficiency and low algorithm expansion cost, so the embodiment of the invention improves the operation efficiency of data security processing and reduces the algorithm expansion cost.
The embodiment of the invention also provides a data security processing device which can be realized by software and/or hardware. Fig. 2 is a schematic structural diagram of a data security processing apparatus according to an embodiment of the present invention. The device is applied to a trusted execution environment. Referring to fig. 2, the apparatus includes: a data acquisition module 210, a data processing module 220 and a data transmission module 230.
The data obtaining module 210 is configured to obtain a function file sent by a function provider, a task file sent by a task initiator, private data sent by a data provider, and path information sent by a result receiver. The function file, the private data and the path information are all bound to and matched with the task file.
The data processing module 220 is configured to, after receiving an approve-task instruction sent by the data provider and the result receiver and a start-task instruction sent by the task initiator, process the private data using the function file to obtain result data.
The data sending module 230 is configured to send the result data to the result receiver according to the path information.
The embodiment of the invention provides a data security processing apparatus applied to a trusted execution environment, which comprises a data acquisition module, a data processing module and a data sending module. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
On the basis of the foregoing embodiments, optionally, the data obtaining module is further configured, after obtaining the function file sent by the function provider, to number the function file so as to obtain a function number, and to send the function number to the function provider and the task initiator.
On the basis of the foregoing embodiments, optionally, the data obtaining module is further configured, after obtaining the private data sent by the data provider, to number the private data so as to obtain a first data number, and to send the first data number to the data provider.
On the basis of the above embodiments, optionally, there are at least two data providers. Correspondingly, the data acquisition module is further configured to assign a different first data number to each data provider.
On the basis of the foregoing embodiments, optionally, the data obtaining module is further configured, after obtaining the path information sent by the result receiver, to number the path information so as to obtain a path number, and to send the path number to the result receiver.
On the basis of the above embodiments, optionally, there are at least two result receivers. Correspondingly, the data acquisition module is further configured to assign a different path number to each result receiver.
On the basis of the foregoing embodiments, optionally, the data security processing apparatus further includes a receiving mode obtaining module, configured to obtain the data receiving mode sent by the result receiver, number the data receiving mode to obtain a second data number, and send the second data number to the result receiver.
On the basis of the above embodiments, optionally, there are at least two result receivers. Correspondingly, the receiving mode obtaining module is further configured to assign the same second data number to every result receiver, since the second data number identifies the single result of the task.
On the basis of the foregoing embodiments, optionally, the data security processing apparatus further includes an authentication module, configured to obtain authentication from a third party.
On the basis of the above embodiments, optionally, the private data is encrypted private data, and the encryption schemes used by different data providers are not all the same.
On the basis of the foregoing embodiments, optionally, the data sending module is further configured to encrypt the result data before sending it to the result receiver according to the path information, and to output the result over a Transport Layer Security (TLS) trusted channel.
On the basis of the foregoing embodiments, optionally, the data security processing apparatus further includes a memory encryption module, configured to encrypt the memory of the trusted execution environment.
On the basis of the foregoing embodiments, optionally, the data security processing apparatus further includes a destroying module, configured to destroy the trusted execution environment after the result data has been sent to the result receiver according to the path information.
Fig. 3 is a schematic flow chart of another data security processing method according to an embodiment of the present invention. The method is applied to a function provider. Referring to fig. 3, the data security processing method includes the steps of:
S310, acquiring a data dictionary of the data provider.
The data dictionary defines and describes the data items, data structures, data flows, data storage and/or processing logic of the data; that is, it is a set of information describing the data rather than the data itself. The function provider needs to build functions according to the task, and therefore has the right to obtain the data dictionary of each data provider in order to build them.
S320, creating a function file according to the function definition and the data dictionary.
The function may be created by accepting source code entered by a programmer through an input device, or the function file may be generated automatically from the function definition and the data dictionary.
S330, sending the function file to the trusted execution environment.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
The embodiment of the invention also provides a data security processing apparatus, which may be implemented in software and/or hardware. Fig. 4 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention, where the apparatus is applied to a function provider. Referring to fig. 4, the apparatus includes: a data dictionary obtaining module 410, a function creating module 420, and a function sending module 430. The data dictionary obtaining module 410 is configured to obtain a data dictionary of a data provider; the function creating module 420 is configured to create a function file according to the function definition and the data dictionary; the function sending module 430 is configured to send the function file to the trusted execution environment.
The embodiment of the invention provides a data security processing apparatus applied to a function provider, which comprises a data dictionary obtaining module 410, a function creating module 420 and a function sending module 430. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 5 is a schematic flow chart of another data security processing method according to an embodiment of the present invention. The method is applied to data providers. Referring to fig. 5, the data security processing method includes the steps of:
S510, encrypting the private data and sending the encrypted private data to the trusted execution environment.
The encryption scheme may be symmetric or asymmetric; the present invention does not limit it. Further, the encrypted private data is transmitted to the trusted execution environment over Transport Layer Security (TLS); that is, during transmission it is additionally protected by the ephemeral session keys negotiated in the TLS handshake, which further improves the security of the private data. TLS protects the data only while it is in transit; it is the data provider's own encryption of the payload that keeps the data opaque to anything outside the trusted execution environment once it has been received.
S520, acquiring a first data number returned by the trusted execution environment.
The first data number is a data ID, i.e. the identifier of the private data. This allows the data ID to be bound to and matched with the task ID later, which further improves the security of the private data.
S530, binding the first data number to an input parameter of the function corresponding to the task number.
This defines the scope in which the private data may be used: it serves only as an input parameter of that function and for no other purpose.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Optionally, the data security processing method further includes: sending an approve-task instruction to the task initiator according to the task number. With this arrangement the trusted execution environment executes only after the data provider's approval has been received, which further improves the security of data processing.
The embodiment of the invention also provides a data security processing apparatus, which may be implemented in software and/or hardware. Fig. 6 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention, where the apparatus is applied to a data provider. Referring to fig. 6, the apparatus includes: an encryption module 610, a first data number obtaining module 620 and an input parameter binding module 630. The encryption module 610 is configured to encrypt the private data and send the encrypted private data to the trusted execution environment; the first data number obtaining module 620 is configured to obtain a first data number returned by the trusted execution environment; the input parameter binding module 630 is configured to bind the first data number to an input parameter of the function corresponding to the task number.
The embodiment of the invention provides a data security processing apparatus applied to a data provider, which comprises an encryption module 610, a first data number obtaining module 620 and an input parameter binding module 630. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 7 is a schematic flowchart of another data security processing method according to an embodiment of the present invention. The method is applied to a result receiver. Referring to fig. 7, the data security processing method includes the steps of:
S710, sending the path information and the data receiving mode to the trusted execution environment.
S720, acquiring a path number and a second data number returned by the trusted execution environment.
The path number is a path ID, i.e. the identifier of the path. The second data number is the result data ID, i.e. the identifier of the result data.
S730, binding the second data number to an output parameter of the function corresponding to the task number.
Binding the result data ID to the output parameter of the function allows the result to be delivered according to the result data ID.
S740, receiving result data sent by the trusted execution environment.
The result receiver receives only the final result output by the trusted execution environment and never the private data itself, so the private data cannot leak through the result receiver.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment in which the result receiver sends path information and a data receiving mode to the trusted execution environment; obtains a path number and a second data number returned by the trusted execution environment; binds the second data number to the output parameter of the function corresponding to the task number; and receives the result data sent by the trusted execution environment. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
On the basis of the foregoing embodiments, optionally, the method further includes: sending an approve-task instruction to the task initiator according to the task number. With this arrangement the trusted execution environment executes only after the result receiver's approval has been received, which further improves the security of data processing.
The embodiment of the invention also provides a data security processing apparatus, which may be implemented in software and/or hardware. Fig. 8 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention, which is applied to a result receiver. Referring to fig. 8, the apparatus includes: a path information sending module 810, a second data number obtaining module 820, an output parameter binding module 830 and a result data receiving module 840. The path information sending module 810 is configured to send path information and a data receiving mode to the trusted execution environment; the second data number obtaining module 820 is configured to obtain a path number and a second data number returned by the trusted execution environment; the output parameter binding module 830 is configured to bind the second data number to the output parameter of the function corresponding to the task number; the result data receiving module 840 is configured to receive result data sent by the trusted execution environment.
The embodiment of the invention provides a data security processing apparatus applied to a result receiver, which comprises a path information sending module 810, a second data number obtaining module 820, an output parameter binding module 830 and a result data receiving module 840. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 9 is a schematic flowchart of another data security processing method according to an embodiment of the present invention. The method is applied to the task initiator. Referring to fig. 9, the data security processing method includes the steps of:
S910, creating a task file and sending the task file to the trusted execution environment.
The task may be created by accepting source code entered by a programmer through an input device, or the task file may be generated automatically from the task attributes.
S920, acquiring a task number returned by the trusted execution environment.
The task number is a task ID, i.e. the identifier of the task. The function ID, the data ID, the path ID and/or the result data ID all need to be bound to the task ID.
S930, sending a start-task instruction to the trusted execution environment according to the task number.
Optionally, the task initiator sends the start-task instruction to the trusted execution environment only after receiving the approve-task instruction sent by the function provider. This amounts to each user explicitly authorizing the use of its data and code, so that the trusted execution environment guarantees the integrity and confidentiality of both and the data is usable without being visible.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment in which the task initiator creates a task file and sends it to the trusted execution environment; obtains a task number returned by the trusted execution environment; and sends a start-task instruction to the trusted execution environment according to the task number. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
The embodiment of the invention also provides a data security processing apparatus, which may be implemented in software and/or hardware. Fig. 10 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention, which is applied to a task initiator. Referring to fig. 10, the apparatus includes: a task creating and sending module A10, a task number obtaining module A20, and a start instruction sending module A30. The task creating and sending module A10 is configured to create a task file and send it to the trusted execution environment; the task number obtaining module A20 is configured to obtain a task number returned by the trusted execution environment; the start instruction sending module A30 is configured to send a start-task instruction to the trusted execution environment according to the task number.
The embodiment of the invention provides a data security processing apparatus applied to a task initiator, which comprises a task creating and sending module A10, a task number obtaining module A20 and a start instruction sending module A30. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 11 is a flowchart illustrating another data security processing method according to an embodiment of the present invention. Referring to fig. 11, the data security processing method includes the steps of:
SB10, the function provider sends the function file to the trusted execution environment.
SB20, the task initiator sends the task file to the trusted execution environment.
SB30, the data provider sends private data to the trusted execution environment.
SB40, the result receiver sends path information to the trusted execution environment.
The function file, the private data and the path information are all bound to and matched with the task file.
SB50, after receiving the start-task instruction sent by the task initiator, the trusted execution environment processes the private data using the function file to obtain result data, and sends the result data to the result receiver.
SB60, the result receiver receives the result data.
The embodiment of the invention provides a private data cooperation method based on a trusted execution environment, which defines the roles taking part in a data cooperation task: a data provider, a result receiver, a function provider, a task initiator and the trusted execution environment. Within one data cooperation flow, all parties cooperate to complete a data cooperation task (joint modelling, joint statistical analysis and the like) while the confidentiality and integrity of each party's code and data are preserved, and the method shows how data and code are protected while being uploaded, transmitted, stored and executed. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 12 is a flowchart illustrating another data security processing method according to an embodiment of the present invention. Referring to fig. 12, on the basis of the foregoing embodiments, optionally, the data security processing method includes the following steps:
The task initiator formulates a task and requests a function. The function provider logs in, uploads the function and passes on the function ID. The task initiator logs in, submits the task and passes on the task ID. Each data provider logs in, registers its data and binds the data ID. Each result receiver logs in, registers its path and binds the ID. The data providers and the result receivers approve the task. The task initiator starts the task. The trusted execution environment processes the data. The result receiver receives the data.
The task initiator, the function provider, the data provider and the result receiver each need to log in as a user to obtain the corresponding rights. Before uploading the function, the function provider creates it according to the task initiator's request. The data provider registers its data with the trusted execution environment, and binding the ID means binding the data ID to the task ID. The result receiver registers its path with the trusted execution environment, and binding the ID means binding the result data ID to the task ID.
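The flow of Figs. 11 and 12 (numbering of each artefact, binding of the numbers to one task by their owners, approval by every data provider and result receiver, start by the task initiator, delivery of an encrypted result, and destruction of the environment afterwards) as an added worked example. This is editor-written illustration code, not code from the patent or from any product. The `Enclave` class, the party names, the `bind`/`approve`/`start` method names, the delivery callback, and the HMAC keystream standing in for a real AEAD are all assumptions; in particular the patent does not say how the providers' decryption keys reach the environment, and handing them over directly here is a simplification.

```python
import hashlib
import hmac
import itertools
import secrets


def keystream_xor(key, nonce, data):
    # Stand-in cipher so the example runs on the standard library alone: an
    # HMAC-SHA256 keystream XORed with the data (one call encrypts and decrypts).
    # A real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class TaskError(Exception):
    pass


class Enclave:
    """Bookkeeping of the trusted execution environment: every artefact gets a
    number, a number is bound to a task only by the party it was issued to, the
    task runs only after every bound data provider and result receiver approved
    it and the initiator started it, and the environment is destroyed after
    delivering the result once."""

    def __init__(self):
        self._next = itertools.count(1)
        self.tasks, self.stores = {}, {"funcs": {}, "inputs": {}, "outputs": {}}
        self.destroyed = False

    def _live(self):
        if self.destroyed:
            raise TaskError("environment destroyed; establish a new task")

    def _issue(self, store, record):
        # Assign a number and return it to the party that sent the artefact.
        self._live()
        num = next(self._next)
        store[num] = record
        return num

    def register_task(self, initiator):
        return self._issue(self.tasks, dict(initiator=initiator, approved=set(),
                                            funcs=[], inputs=[], outputs=[]))

    def register_function(self, provider, fn):
        return self._issue(self.stores["funcs"], (provider, fn))

    def register_data(self, provider, ciphertext, nonce, key):
        # Assumption: the provider's key is handed straight to the enclave; the
        # patent does not say how keys reach it (attestation is the usual route).
        return self._issue(self.stores["inputs"], (provider, ciphertext, nonce, key))

    def register_path(self, receiver, deliver, key):
        return self._issue(self.stores["outputs"], (receiver, deliver, key))

    def bind(self, tid, slot, num, party):
        # Bind a function, data or path number to the task ID; owner only.
        if self.stores[slot][num][0] != party:
            raise TaskError(f"{party} was not issued number {num}")
        self.tasks[tid][slot].append(num)

    def _stakeholders(self, task):
        return {self.stores[s][n][0] for s in ("inputs", "outputs") for n in task[s]}

    def approve(self, tid, party):
        if party not in self._stakeholders(self.tasks[tid]):
            raise TaskError(f"{party} has no data or path bound to task {tid}")
        self.tasks[tid]["approved"].add(party)

    def start(self, tid, party):
        self._live()
        task = self.tasks[tid]
        if party != task["initiator"]:
            raise TaskError("only the task initiator may start the task")
        if not (task["funcs"] and task["inputs"] and task["outputs"]):
            raise TaskError("function, input data and output path must all be bound")
        missing = self._stakeholders(task) - task["approved"]
        if missing:
            raise TaskError("awaiting approval from " + ", ".join(sorted(missing)))
        # Private data is decrypted only here, inside the environment.
        inputs = [keystream_xor(k, n, c) for _, c, n, k in
                  (self.stores["inputs"][d] for d in task["inputs"])]
        result = self.stores["funcs"][task["funcs"][0]][1](inputs)
        for pid in task["outputs"]:
            _, deliver, key = self.stores["outputs"][pid]
            nonce = secrets.token_bytes(16)
            deliver(nonce, keystream_xor(key, nonce, result))  # encrypted result only
        self.destroyed = True  # single use: the next task needs a fresh environment


def joint_sum(parts):
    # The function provider's code: a joint statistic over all providers' data.
    return str(sum(int(x) for p in parts for x in p.decode().split(","))).encode()


def run_demo():
    # Constructed sample run: two data providers with different keys, one receiver.
    enc = Enclave()
    tid = enc.register_task("initiator")
    enc.bind(tid, "funcs", enc.register_function("fp", joint_sum), "fp")
    for name, raw in (("bank", b"1,2,3"), ("telco", b"4,5")):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        did = enc.register_data(name, keystream_xor(key, nonce, raw), nonce, key)
        enc.bind(tid, "inputs", did, name)
    inbox, rkey = [], secrets.token_bytes(32)
    pid = enc.register_path("analyst", lambda n, c: inbox.append((n, c)), rkey)
    enc.bind(tid, "outputs", pid, "analyst")
    try:
        enc.start(tid, "initiator")
        refused_early = False
    except TaskError:
        refused_early = True  # nobody has approved yet
    for party in ("bank", "telco", "analyst"):
        enc.approve(tid, party)
    enc.start(tid, "initiator")
    nonce, ct = inbox[0]
    return int(keystream_xor(rkey, nonce, ct)), refused_early, enc.destroyed
```

`run_demo()` returns the decrypted joint sum (15), whether the premature start was refused, and whether the environment destroyed itself after delivery; once `destroyed` is set, every further `register_*` or `start` call raises, which is the single-use property the destruction step is meant to enforce.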
The embodiment of the invention also provides a data security processing device which can be realized by software and/or hardware. Fig. 13 is a schematic structural diagram of another data security processing apparatus according to an embodiment of the present invention. Referring to fig. 13, the apparatus includes: a function provider D10, a task initiator D20, a data provider D30, a result recipient D40, and a trusted execution environment D50. The function provider D10 is used for sending a function file to the trusted execution environment; the task initiator D20 is used for sending a task file to the trusted execution environment; the data provider D30 is used to send private data to the trusted execution environment; the result recipient D40 is used to send path information to the trusted execution environment; the function file, the privacy data and the path information are all bound and matched with the task file; the trusted execution environment D50 is used for processing the private data by adopting the function file after receiving a task starting instruction sent by the task initiator to obtain result data, and sending the result data to the result receiver; the result recipient D40 is also used to receive result data. The number of the data provider and the result receiver can be multiple.
The embodiment of the invention provides a private data cooperation apparatus based on a trusted execution environment, which defines the roles taking part in a data cooperation task: a data provider, a result receiver, a function provider, a task initiator and the trusted execution environment. Within one data cooperation flow, all parties cooperate to complete a data cooperation task (joint modelling, joint statistical analysis and the like) while the confidentiality and integrity of each party's code and data are preserved, and the apparatus shows how data and code are protected while being uploaded, transmitted, stored and executed. The embodiment carries out business processing along a defined data cooperation flow in a privacy-preserving computation manner, performs joint computation or joint modelling over multi-party data, and so allows the value of the data to be exploited. Because the trusted execution environment guarantees the integrity and confidentiality of data and code, the data is usable without being visible to the other parties. The trusted execution environment also operates efficiently and makes it cheap to extend the set of algorithms, so the embodiment improves the operating efficiency of secure data processing and lowers the cost of extending algorithms.
Fig. 14 is a schematic structural diagram of a terminal according to an embodiment of the present invention, as shown in fig. 14, the terminal includes a processor E0, a memory E1, an input device E2, and an output device E3; the number of the processors E0 in the terminal can be one or more, and one processor E0 is taken as an example in FIG. 14; the processor E0, the memory E1, the input device E2 and the output device E3 in the terminal may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 14.
The memory E1 is a computer-readable storage medium for storing software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the data security processing method in the embodiment of the present invention (for a trusted execution environment terminal, the data acquisition module 210, the data processing module 220 and the data transmission module 230; for a function provider terminal, the data dictionary obtaining module 410, the function creating module 420 and the function sending module 430; for a data provider terminal, the encryption module 610, the first data number obtaining module 620 and the input parameter binding module 630; for a result receiver terminal, the path information sending module 810, the second data number obtaining module 820, the output parameter binding module 830 and the result data receiving module 840; for a task initiator terminal, the task creating and sending module A10, the task number obtaining module A20 and the start instruction sending module A30). By executing the software programs, instructions and modules stored in the memory E1, the processor E0 runs the various functional applications and data processing of the terminal, that is, implements the data security processing method described above.
The memory E1 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory E1 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory E1 may further include memory located remotely from the processor E0, which may be connected to the terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device E2 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the terminal. The output device E3 may include a display device such as a display screen.
Each of the terminals may be disposed in one computer or in a plurality of computers, and may be set as needed in actual use, and the present invention is not limited thereto.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform any one of the data security processing methods.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the data security processing method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that, in the embodiment of the data security processing apparatus, the included units and modules are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
An embodiment of the present invention further provides a data security processing system, including a function provider terminal, a task initiator terminal, a data provider terminal, a result receiver terminal and a trusted execution environment terminal.
The trusted execution environment terminal comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, and when the processor executes the program, the processor realizes any data security processing method applied to the trusted execution environment, which is provided by the embodiment of the invention, and the method comprises the following steps:
acquiring a function file sent by a function provider, a task file sent by a task initiator, privacy data sent by a data provider and path information sent by a result receiver; the function file, the privacy data and the path information are all bound and matched with the task file;
after a task starting instruction sent by a task initiator is received, processing the private data by adopting a function file to obtain result data;
and sending the result data to a result receiver according to the path information.
The function provider terminal comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and when the processor executes the program, the processor realizes the data security processing method applied to the function provider, which comprises the following steps:
acquiring a data dictionary of a data provider;
creating a function file according to the function definition and the data dictionary;
and sending the function file to the trusted execution environment.
The data provider terminal comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, and when the processor executes the program, the processor realizes the data security processing method applied to the data provider, which comprises the following steps:
encrypting the private data and sending the encrypted private data to the trusted execution environment;
acquiring a first data number returned by the trusted execution environment;
and binding the first data number to the input parameter of the function corresponding to the task number.
The terminal of the result receiving party comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, and when the processor executes the program, the data security processing method applied to the result receiving party provided by any embodiment of the invention is realized, and the method comprises the following steps:
sending path information and a data receiving mode to the trusted execution environment;
acquiring a path number and a second data number returned by the trusted execution environment;
binding the second data number to the output parameter of the function corresponding to the task number;
and receiving result data sent by the trusted execution environment.
The task initiator terminal comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, and when the processor executes the program, the data security processing method applied to the task initiator, which is provided by any embodiment of the invention, is realized, and the method comprises the following steps:
creating a task file and sending the task file to a trusted execution environment;
acquiring a task number returned by the trusted execution environment;
and sending a task starting instruction to the trusted execution environment according to the task number.
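The five-party flow described in the system embodiment above (and recited again in claims 1, 15, 17, 21, 24 and 27) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not code from the patent or from its applicant, and it makes simplifying assumptions the text does not spell out: the "function file" is a declarative JSON spec that the TEE interprets rather than executable code, the TLS channel is replaced by a toy SHA-256 counter-mode XOR cipher with one key per party, the task file names the initiator and the parties whose approval is required, and "destroying the trusted execution environment" is modelled by clearing the TEE's in-memory state. Party names, field names and the sample records are constructed.

```python
import hashlib
import json
import secrets


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 in counter mode). It stands in for the
    secure transport channel of the embodiment; symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def make_function_file(definition: dict, data_dictionary: dict) -> dict:
    """Function provider side: the function file is built from a function
    definition and the data dictionary; it may only touch fields the dictionary lists."""
    if definition["field"] not in data_dictionary["fields"]:
        raise ValueError(f"field {definition['field']!r} not in data dictionary")
    return dict(definition)


class TEE:
    """Toy stand-in for the trusted execution environment terminal (assumption)."""

    def __init__(self) -> None:
        self.functions, self.tasks, self.inputs = {}, {}, {}
        self.paths, self.modes, self.channel_keys = {}, {}, {}
        self._n = 0

    def _number(self, prefix: str) -> str:        # every submitted artifact gets a distinct number
        self._n += 1
        return f"{prefix}{self._n}"

    def open_channel(self, party: str) -> bytes:   # separate key per party (claim 10)
        self.channel_keys[party] = secrets.token_bytes(32)
        return self.channel_keys[party]

    def submit_function(self, function_file: dict) -> str:          # returns function number
        fn = self._number("F"); self.functions[fn] = function_file; return fn

    def submit_task(self, task_file: dict) -> str:                  # returns task number
        tn = self._number("T")
        self.tasks[tn] = {"file": task_file, "inputs": {}, "outputs": {}, "approved": set()}
        return tn

    def submit_private_data(self, party: str, nonce: bytes, ciphertext: bytes) -> str:
        # Decryption happens only inside the TEE; plaintext never leaves it.
        rows = json.loads(toy_stream_cipher(self.channel_keys[party], nonce, ciphertext))
        dn = self._number("D"); self.inputs[dn] = rows; return dn      # returns first data number

    def submit_path(self, path_info: str, mode: str) -> tuple:
        pn, sn = self._number("P"), self._number("S")                  # path number, second data number
        self.paths[pn], self.modes[sn] = path_info, mode
        return pn, sn

    def bind_input(self, tn, param, dn): self.tasks[tn]["inputs"][param] = dn
    def bind_output(self, tn, param, pn, sn): self.tasks[tn]["outputs"][param] = (pn, sn)
    def approve(self, tn, party): self.tasks[tn]["approved"].add(party)

    def start_task(self, tn: str, initiator: str) -> dict:
        task = self.tasks[tn]
        if initiator != task["file"]["initiator"]:
            raise PermissionError("only the task initiator may start the task")
        func = self.functions[task["file"]["function_number"]]
        missing = [p for p in func["inputs"] if p not in task["inputs"]]
        missing += [p for p in func["outputs"] if p not in task["outputs"]]
        if missing:
            raise RuntimeError(f"unbound parameters: {missing}")
        if not set(task["file"]["approvers"]) <= task["approved"]:
            raise PermissionError("not every data provider / result receiver has approved")
        # Declarative function file: the TEE interprets it, never executes foreign code.
        total = sum(row[func["field"]] for p in func["inputs"]
                    for row in self.inputs[task["inputs"][p]])
        result = json.dumps({func["outputs"][0]: total}).encode()
        deliveries = {}
        for pn, _sn in task["outputs"].values():        # encrypt result per receiver path
            receiver, nonce = self.paths[pn], secrets.token_bytes(16)
            deliveries[receiver] = (nonce, toy_stream_cipher(self.channel_keys[receiver], nonce, result))
        self.inputs.clear(); self.tasks.pop(tn)          # teardown after delivery (claim 13)
        return deliveries


def run_flow(skip_receiver_approval: bool = False) -> dict:
    """Drive all five parties through the flow; returns the decrypted result at the receiver."""
    tee = TEE()
    data_dictionary = {"fields": {"customer_id": "str", "amount": "int"}}       # constructed
    fn = tee.submit_function(make_function_file(
        {"op": "sum", "field": "amount", "inputs": ["a", "b"], "outputs": ["total"]}, data_dictionary))
    tn = tee.submit_task({"function_number": fn, "initiator": "initiator",
                          "approvers": ["provider-A", "provider-B", "receiver-R"]})
    samples = {"a": ("provider-A", [{"customer_id": "c1", "amount": 10}, {"customer_id": "c2", "amount": 20}]),
               "b": ("provider-B", [{"customer_id": "c9", "amount": 5}])}     # constructed records
    for param, (party, rows) in samples.items():        # each provider encrypts, binds, approves
        key, nonce = tee.open_channel(party), secrets.token_bytes(16)
        dn = tee.submit_private_data(party, nonce, toy_stream_cipher(key, nonce, json.dumps(rows).encode()))
        tee.bind_input(tn, param, dn); tee.approve(tn, party)
    rkey = tee.open_channel("receiver-R")                # result receiver registers path and mode
    pn, sn = tee.submit_path("receiver-R", "push")
    tee.bind_output(tn, "total", pn, sn)
    if not skip_receiver_approval:
        tee.approve(tn, "receiver-R")
    nonce, ct = tee.start_task(tn, "initiator")["receiver-R"]
    return json.loads(toy_stream_cipher(rkey, nonce, ct))


def approval_is_enforced() -> bool:
    """True if the TEE refuses to start a task that a result receiver has not approved."""
    try:
        run_flow(skip_receiver_approval=True)
    except PermissionError:
        return True
    return False
```

The point the model makes concrete is that the TEE is the only party that ever sees both the function and the plaintext records: each provider's data is decrypted inside `submit_private_data`, the result is re-encrypted for the receiver's own channel, and `start_task` refuses to run unless every parameter is bound to a numbered artifact and every listed party has approved.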
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (31)
1. A data security processing method is characterized in that the method is applied to a trusted execution environment; the method comprises the following steps:
acquiring a function file sent by a function provider, a task file sent by a task initiator, privacy data sent by a data provider and path information sent by a result receiver; the function file, the privacy data and the path information are all in binding matching with the task file;
after receiving a task starting instruction sent by the task initiator, processing the privacy data by adopting the function file to obtain result data;
and sending the result data to the result receiver according to the path information.
2. The data security processing method according to claim 1, further comprising, after acquiring the function file transmitted by the function provider:
numbering the function files to obtain function numbers;
and sending the function number to the function provider and the task initiator.
3. The data security processing method according to claim 1, further comprising, after acquiring the private data transmitted by the data provider:
numbering the private data to obtain a first data number;
and sending the first data number to the data provider.
4. The data security processing method according to claim 3, wherein the number of the data providers is at least two, and the first data numbers corresponding to different data providers are different.
5. The data security processing method of claim 1, further comprising, after obtaining the path information sent by the result receiver:
numbering the path information to obtain a path number;
and sending the path number to the result receiver.
6. The data security processing method according to claim 5, wherein the number of the result receivers is at least two, and the path numbers corresponding to different result receivers are different.
7. The data security processing method according to claim 1, further comprising:
acquiring a data receiving mode sent by a result receiving party;
numbering the data receiving modes to obtain a second data number;
and sending the second data number to the result receiver.
8. The data security processing method of claim 7, wherein the number of the result receivers is at least two, and the second data numbers corresponding to the result receivers are the same.
9. The data security processing method according to claim 1, further comprising:
authentication of the third party is obtained.
10. The data security processing method according to claim 1, wherein the private data is encrypted private data, and encryption modes of different data providers are not identical.
11. The data security processing method according to claim 1, before sending the result data to the result receiver according to the path information, further comprising:
and encrypting the result data, and outputting the result through a secure transport layer protocol trusted channel.
12. The data security processing method according to claim 1, further comprising:
and carrying out memory encryption on the trusted execution environment.
13. The data security processing method according to claim 1, after sending the result data to the result receiver according to the path information, further comprising:
executing the step of destroying the trusted execution environment.
14. A data security processing apparatus, wherein the apparatus is applied to a trusted execution environment; the device comprises:
the data acquisition module is used for acquiring the function file sent by the function provider, the task file sent by the task initiator, the privacy data sent by the data provider and the path information sent by the result receiver; the function file, the privacy data and the path information are all in binding matching with the task file;
the data processing module is used for processing the private data by adopting the function file after receiving an approval task instruction sent by the data provider and the result receiver and a task starting instruction sent by the task initiator to obtain result data;
and the data sending module is used for sending the result data to the result receiver according to the path information.
15. A data security processing method is characterized in that the method is applied to a function provider; the method comprises the following steps:
acquiring a data dictionary of a data provider;
creating a function file according to the function definition and the data dictionary;
and sending the function file to a trusted execution environment.
16. A data security processing apparatus, wherein the apparatus is applied to a function provider; the device comprises:
the data dictionary acquisition module is used for acquiring a data dictionary of a data provider;
the function creating module is used for creating a function file according to the function definition and the data dictionary;
and the function sending module is used for sending the function file to the trusted execution environment.
17. A data security processing method is characterized in that the method is applied to a data provider; the method comprises the following steps:
encrypting the private data and sending the encrypted private data to a trusted execution environment;
acquiring a first data number returned by the trusted execution environment;
and binding the first data number to an input parameter of a function corresponding to the task number.
18. The data security processing method of claim 17, further comprising:
and sending an approval task instruction to the task initiator according to the task number.
19. The method of claim 17, wherein the encrypted private data is transmitted to the trusted execution environment via a secure transport layer protocol.
20. A data security processing device is characterized in that the device is applied to a data provider; the device comprises:
the encryption module is used for encrypting the private data and then sending the encrypted private data to the trusted execution environment;
the first data number acquisition module is used for acquiring a first data number returned by the trusted execution environment;
and the input parameter binding module is used for binding the first data number to the input parameter of the function corresponding to the task number.
21. A data security processing method is characterized in that the method is applied to a result receiver; the method comprises the following steps:
sending path information and a data receiving mode to the trusted execution environment;
acquiring a path number and a second data number returned by the trusted execution environment;
binding the second data number to an output parameter of a function corresponding to the task number;
and receiving result data sent by the trusted execution environment.
22. The data security processing method of claim 21, further comprising:
and sending an approval task instruction to the task initiator according to the task number.
23. A data security processing apparatus, wherein the apparatus is applied to a result receiver; the device comprises:
the path information sending module is used for sending path information and a data receiving mode to the trusted execution environment;
the second data number acquisition module is used for acquiring a path number and a second data number returned by the trusted execution environment;
the output parameter binding module is used for binding the second data number to the output parameter of the function corresponding to the task number;
and the result data receiving module is used for receiving the result data sent by the trusted execution environment.
24. A data security processing method is characterized in that the method is applied to a task initiator; the method comprises the following steps:
creating a task file and sending the task file to a trusted execution environment;
acquiring a task number returned by the trusted execution environment;
and sending a task starting instruction to the trusted execution environment according to the task number.
25. The method of claim 24, wherein the launch task instruction is sent to the trusted execution environment after receiving an approve task instruction sent by a function provider.
26. A data security processing apparatus, wherein the apparatus is applied to a task initiator; the device comprises:
the task creating and sending module is used for creating a task file and sending the task file to the trusted execution environment;
the task number acquisition module is used for acquiring a task number returned by the trusted execution environment;
and the starting instruction sending module is used for sending a starting task instruction to the trusted execution environment according to the task number.
27. A data security processing method is characterized by comprising the following steps:
a function provider sends a function file to a trusted execution environment, a task initiator sends a task file to the trusted execution environment, a data provider sends private data to the trusted execution environment, and a result receiver sends path information to the trusted execution environment; the function file, the privacy data and the path information are all in binding matching with the task file;
after receiving a task starting instruction sent by the task initiator, the trusted execution environment processes the private data by adopting the function file to obtain result data and sends the result data to the result receiver;
the result receiver receives the result data.
28. A data security processing apparatus, comprising:
the function provider is used for sending the function file to the trusted execution environment;
the task initiator is used for sending a task file to the trusted execution environment;
a data provider for sending private data to the trusted execution environment;
a result receiver to send path information to the trusted execution environment; the function file, the privacy data and the path information are all in binding matching with the task file;
the trusted execution environment is used for processing the private data by adopting the function file after receiving a task starting instruction sent by the task initiator to obtain result data and sending the result data to the result receiver;
the result receiver is used for receiving the result data.
29. A terminal, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements a method for secure processing of data according to any of claims 1-13, 15, 17-19, 21-22, 24-25, 27 when executing the program.
30. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method for secure processing of data according to any one of claims 1 to 13, 15, 17 to 19, 21 to 22, 24 to 25, 27.
31. A data security processing system, comprising a function provider terminal, a task initiator terminal, a data provider terminal, a result receiver terminal and a trusted execution environment terminal;
the trusted execution environment terminal comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the data security processing method according to any one of claims 1 to 13 when executing the program;
the function provider terminal comprises a memory, a processor and a computer program stored on the memory and operable on the processor, the processor implementing the data security processing method of claim 15 when executing the program;
the data provider terminal comprises a memory, a processor and a computer program stored on the memory and operable on the processor, the processor implementing the data security processing method according to any one of claims 17-19 when executing the program;
the result receiver terminal comprises a memory, a processor and a computer program stored on the memory and operable on the processor, the processor implementing the data security processing method according to any one of claims 21-22 when executing the program;
the task initiator terminal comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the data security processing method according to any one of claims 24 to 25 when executing the program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111319425.5A CN114091059A (en) | 2021-11-09 | 2021-11-09 | Data security processing method, device, terminal, medium and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111319425.5A CN114091059A (en) | 2021-11-09 | 2021-11-09 | Data security processing method, device, terminal, medium and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114091059A true CN114091059A (en) | 2022-02-25 |
Family
ID=80299632
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111319425.5A Pending CN114091059A (en) | 2021-11-09 | 2021-11-09 | Data security processing method, device, terminal, medium and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114091059A (en) |
- 2021-11-09 CN CN202111319425.5A patent/CN114091059A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116226928A (en) * | 2023-05-09 | 2023-06-06 | 京东科技控股股份有限公司 | Combined computing method, device, equipment and medium for multiparty business privacy data |
CN116226928B (en) * | 2023-05-09 | 2024-04-16 | 京东科技控股股份有限公司 | Combined computing method, device, equipment and medium for multiparty business privacy data |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN108965230B (en) | Secure communication method, system and terminal equipment | |
US10601801B2 (en) | Identity authentication method and apparatus | |
CN111460453A (en) | Machine learning training method, controller, device, server, terminal and medium | |
US20180159694A1 (en) | Wireless Connections to a Wireless Access Point | |
CN114679293A (en) | Access control method, device and storage medium based on zero trust security | |
CN109618341A (en) | A kind of digital signature authentication method, system, device and storage medium | |
CN103237305B (en) | Password protection method for smart card on facing moving terminal | |
CN111431713A (en) | Private key storage method and device and related equipment | |
CN103716330A (en) | Method and device for encryption and decryption of digital content | |
CN102916869A (en) | Instant messaging method and system | |
CN105610845A (en) | Data routing method and device based on cloud service and system | |
CN109039997B (en) | Secret key obtaining method, device and system | |
CN116992458B (en) | Programmable data processing method and system based on trusted execution environment | |
CN111431922A (en) | Internet of things data encryption transmission method and system | |
CN113630412B (en) | Resource downloading method, resource downloading device, electronic equipment and storage medium | |
CN114091059A (en) | Data security processing method, device, terminal, medium and system | |
CN113328860A (en) | Block chain-based user privacy data security providing method | |
CN112927026A (en) | Coupon processing method and device, electronic equipment and computer storage medium | |
CN112261002A (en) | Data interface docking method and device | |
CN103685239A (en) | Real-time encryption and decryption system and real-time encryption and decryption method for mobile products | |
JP2014527786A (en) | Communication system for authentication by fingerprint information and use thereof | |
CN113626880B (en) | Mobile interactive electronic signature method | |
CN115733687A (en) | System account login control method and device, server and readable storage medium | |
CN110912857A (en) | Method and storage medium for sharing login between mobile applications | |
CN114430345A (en) | Data transmission method and device, storage medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||