CN114584307A

CN114584307A - Trusted key management method and device, electronic equipment and storage medium

Info

Publication number: CN114584307A
Application number: CN202210491003.4A
Authority: CN
Inventors: 黎相敏; 张韬; 范昱昆
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2022-05-07
Filing date: 2022-05-07
Publication date: 2022-06-03
Anticipated expiration: 2042-05-07
Also published as: CN114584307B

Abstract

The present application relates to the field of computer technologies, and in particular, to a trusted key management method, apparatus, electronic device, and storage medium, which are used to ensure secure sharing of data between TEE applications. The method comprises the following steps: after determining that the running environment of a first target application located in the same physical node is legal, encrypting a data encryption key corresponding to the first target application to obtain a first key ciphertext; the data encryption key is acquired from a trusted key management service in advance and generated based on the measurement information of the first target application, and the trusted key management service operates in a cluster containing physical nodes; and sending the first key ciphertext to the first target application, so that the first target application decrypts the first key ciphertext and then performs data communication with a second target application with the same metric information based on the obtained data encryption key. The data encryption key is acquired from the trusted key management service in advance by the trusted key escrow application and escrowed, and the simultaneous online is not required to be ensured.

Description

Trusted key management method and device, electronic equipment and storage medium

Technical Field

The present application relates to the field of computer technologies, and in particular, to a trusted key management method and apparatus, an electronic device, and a storage medium.

Background

Trusted computing is a trusted computing platform widely used in computing and communication systems and based on the support of a hardware security module, so as to improve the security of the whole system. The key plays an important role in identity certification, secure storage and integrity measurement of the platform in a Trusted computer system, so key management is an important link for implementing Trusted computing, for example, when data exchange is performed between applications (TEE applications for short) running in a Trusted Execution Environment (TEE), data communication security needs to be ensured by the key.

In the related art, data can be exchanged safely between TEE applications through real-time key negotiation, as shown in fig. 1A, TEE applications of machines 1 and 2 are online at the same time, the identities are verified remotely, after the validity of the other party is determined, a symmetric key is negotiated, and a safe channel is established to exchange a data cipher text based on the key.

The implementation of the above scheme requires the TEE applications of two machines (also called physical nodes) to be online at the same time, otherwise, the key cannot be negotiated in real time for establishing a secure channel, and thus the secure data communication between the TEE applications cannot be realized.

In summary, how to solve the problem that the TEE applications are not online at the same time, the security of data exchange between the TEE applications is urgently needed to be solved.

Disclosure of Invention

The embodiment of the application provides a trusted key management method and device, electronic equipment and a storage medium, which are used for ensuring the safe sharing of data between TEE applications under the condition that the TEE applications are not online at the same time.

A first trusted key management method provided in an embodiment of the present application includes:

after determining that the running environment of a first target application located in the same physical node is legal, encrypting a data encryption key corresponding to the first target application to obtain a first key ciphertext; the data encryption key is acquired from a trusted key management service in advance and generated based on the measurement information of the first target application, and the trusted key management service runs in a cluster containing the physical node;

sending the first key ciphertext to the first target application, so that after the first target application decrypts the first key ciphertext, the first target application performs data communication with a second target application having the same metric information based on the obtained data encryption key, where the first target application and the second target application run in trusted execution environments in different physical nodes.

A second trusted key management method provided in an embodiment of the present application includes:

after the operating environment of the trusted key escrow application is determined to be legal, encrypting a data encryption key generated aiming at the first target application to obtain a second key ciphertext; the trusted key management service operates in a cluster including physical nodes, the trusted key hosting application and the first target application are located in the same physical node in the cluster, and the data encryption key is generated based on metric information of the first target application;

and sending the second key ciphertext to the trusted key escrow application, so that the trusted key escrow application decrypts the second key ciphertext and sends the obtained data encryption key to the first target application, the first target application performs data communication with a second target application with the same metric information according to the data encryption key, and the first target application and the second target application run in trusted execution environments in different physical nodes.

A third trusted key management method provided in an embodiment of the present application includes:

determining that the running environment of the trusted key escrow application located in the same physical node is legal;

after receiving a first key ciphertext sent by the trusted key escrow application, decrypting the first key ciphertext to obtain a data encryption key used by the trusted key escrow application, wherein the data encryption key is obtained by the trusted key escrow application from a trusted key management service in advance and is generated based on measurement information of the target application, and the trusted key management service operates in a cluster including the physical node;

performing data communication with other target applications having the same metric information based on the data encryption key, the target application and the other target applications running in trusted execution environments in different physical nodes.

A first trusted key management apparatus provided in an embodiment of the present application includes:

the processing unit is used for encrypting the data encryption key corresponding to the first target application to obtain a first key ciphertext after determining that the running environment of the first target application located in the same physical node is legal; the data encryption key is acquired from a trusted key management service in advance and generated based on the measurement information of the first target application, and the trusted key management service runs in a cluster containing the physical node;

a transmission unit, configured to send the first key ciphertext to the first target application, so that after the first target application decrypts the first key ciphertext, the first target application performs data communication with a second target application having the same metric information based on the obtained data encryption key, where the first target application and the second target application operate in trusted execution environments in different physical nodes.

Optionally, the processing unit is further configured to:

before encrypting the data encryption key corresponding to the first target application to obtain a first key ciphertext, performing key exchange with the first target application to obtain a first session key;

the processing unit is specifically configured to:

and encrypting the data encryption key based on the first session key to obtain the first key ciphertext.

Optionally, the apparatus further comprises:

the agent unit is configured to execute the following operations before the processing unit encrypts the data encryption key corresponding to the first target application to obtain a first key ciphertext:

if a key corresponding to the measurement information of the first target application is locally stored, taking the key as the data encryption key, wherein the key is sent after the trusted key management service determines that the running environment of the trusted key escrow application is legal;

if the key corresponding to the measurement information of the first target application is not stored locally, sending a key distribution request to the trusted key management service based on the measurement information of the first target application, and acquiring the data encryption key returned by the trusted key management service.

Optionally, the escrow unit is further configured to encrypt and seal a key-value pair composed of the data encryption key and the measurement information of the first target application to a local place after obtaining the data encryption key returned by the trusted key management service.

Optionally, the escrow unit is specifically configured to:

receiving a second key ciphertext returned by the trusted key management service, and decrypting the second key ciphertext based on a second session key to obtain the data encryption key;

and after determining that the running environment of the trusted key management service is legal, the second session key is obtained by exchanging keys with the trusted key management service.

Optionally, the apparatus further comprises:

the verification unit is used for configuring a first measurement information set aiming at the trusted key management service in advance before the data encryption key is acquired from the trusted key management service in advance;

and if the measurement information of the trusted key management service is in the first measurement information set, determining that the running environment of the trusted key management service is legal.

A second trusted key management apparatus provided in an embodiment of the present application includes:

the determining unit is used for encrypting the data encryption key generated aiming at the first target application after determining that the running environment of the trusted key escrow application is legal to obtain a second key ciphertext; the trusted key management service operates in a cluster including physical nodes, the trusted key hosting application and the first target application are located in the same physical node in the cluster, and the data encryption key is generated based on metric information of the first target application;

a transmission unit, configured to send the second key ciphertext to the trusted key escrow application, so that after the trusted key escrow application decrypts the second key ciphertext, the obtained data encryption key is sent to the first target application, the first target application performs data communication with a second target application having the same metric information according to the data encryption key, and the first target application and the second target application operate in trusted execution environments in different physical nodes.

Optionally, the determining unit is further configured to:

before encrypting a data encryption key generated aiming at a first target application to obtain a second key ciphertext, performing key exchange with the trusted key escrow application to obtain a second session key;

the determining unit is specifically configured to:

and encrypting the data encryption key based on the second session key to obtain the second key ciphertext.

Optionally, the apparatus further comprises:

a key distribution unit for determining the data encryption key by:

if a key corresponding to the measurement information of the first target application is locally stored, taking the key as the data encryption key;

if the key corresponding to the measurement information of the first target application is not stored locally, a preset key derivation rule is called to generate the data encryption key based on the measurement information of the first target application.

Optionally, after the key distribution unit invokes a preset key derivation rule to generate the data encryption key, a key value pair composed of the data encryption key and the measurement information of the first target application is encrypted and sealed to the local.

Optionally, the determining unit is configured to determine that the running environment of the trusted key hosting application is legal by:

acquiring a second measurement information set which is configured in advance and aims at the trusted key escrow application;

and if the measurement information of the trusted key escrow application is in the second measurement information set, determining that the running environment of the trusted key escrow application is legal.

A third trusted key management apparatus provided in an embodiment of the present application includes:

the determining unit is used for determining that the running environment of the trusted key escrow application located in the same physical node is legal;

a decryption unit, configured to decrypt a first key ciphertext sent by the trusted key escrow application after receiving the first key ciphertext, to obtain a data encryption key used by the decryption unit, where the data encryption key is obtained by the trusted key escrow application from a trusted key management service in advance, and is generated based on measurement information of the target application, and the trusted key management service operates in a cluster including the physical node;

a communication unit, configured to perform data communication with other target applications having the same metric information based on the data encryption key, where the target application and the other target applications run in trusted execution environments in different physical nodes.

Optionally, the decryption unit is further configured to:

before decrypting the first key ciphertext to obtain a data encryption key used by the first key ciphertext, performing key exchange with the trusted key escrow application to obtain a first session key;

the decryption unit is specifically configured to:

and decrypting the first key ciphertext based on the first session key to obtain the data encryption key.

Optionally, the determining unit is specifically configured to:

acquiring a third measurement information set which is configured in advance and aims at the trusted key escrow application;

and if the measurement information of the trusted key escrow application is in the third measurement information set, determining that the operating environment of the trusted key management service is legal.

An electronic device provided in an embodiment of the present application includes a processor and a memory, where the memory stores a computer program, and when the computer program is executed by the processor, the processor is caused to execute any one of the steps of the trusted key management method.

An embodiment of the present application provides a computer-readable storage medium, which includes a computer program, and when the computer program runs on an electronic device, the computer program is configured to enable the electronic device to execute any one of the steps of the above trusted key management method.

Embodiments of the present application provide a computer program product, which includes a computer program, stored in a computer readable storage medium; when the processor of the electronic device reads the computer program from the computer-readable storage medium, the processor executes the computer program, so that the electronic device performs the steps of any one of the above-described trusted key management methods.

The beneficial effect of this application is as follows:

the embodiment of the application provides a trusted key management method, a trusted key management device, electronic equipment and a storage medium, and the trusted key management service, the trusted key escrow application and the target application (an application located in a trusted execution environment, also called TEE application) related to the method can perform validity verification of an operation environment, strictly follow coding logic and ensure that a key is not leaked. Specifically, the trusted key escrow application acquires a data encryption key for a target application from the trusted key management service in advance and escrows the data encryption key, and after the target application is authenticated to be legal, the data encryption key is sent to the target application located in the same physical node, so that the target application can encrypt or decrypt data to be exchanged based on the data encryption key; similarly, the target applications of other physical nodes can also obtain the data encryption key from the corresponding trusted key escrow application in the same manner to perform data communication; in this way, the TEE applications located at different physical nodes do not need to be online at the same time, and only the data encryption key which is managed by the TEE application in advance is acquired from the trusted key management application; moreover, when the trusted key management service side generates the data encryption key aiming at the target application, the data encryption key is generated based on the measurement information of the target application, and aiming at the first target application and the second target application with the same measurement information, the pre-generated data encryption key is the same, namely, for the TEE application which is positioned in the same cluster and has the same measurement information, the same key can be obtained even if the physical nodes are different, the data encryption key can be obtained from the corresponding trusted key administration application without being on line at the same time, and the data security communication is realized.

Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

Drawings

The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:

FIG. 1A is a logic diagram of a related art remote attestation-based real-time key agreement;

FIG. 1B is a logic diagram of a related art technique in which a KMS manages keys as TEEs;

fig. 2 is an alternative schematic diagram of an application scenario in an embodiment of the present application;

fig. 3A is a schematic structural diagram of a first trusted key management system in an embodiment of the present application;

fig. 3B is a schematic structural diagram of a second trusted key management system in an embodiment of the present application;

fig. 4 is a schematic flowchart of a first trusted key management method in an embodiment of the present application;

fig. 5 is a schematic diagram of a pre-deployment procedure in an embodiment of the present application;

fig. 6 is a service flow diagram of a trusted key management system in an embodiment of the present application;

fig. 7 is a flowchart illustrating a second trusted key management method in an embodiment of the present application;

fig. 8 is a schematic flowchart of a third trusted key management method in an embodiment of the present application;

fig. 9 is a schematic diagram of a first key distribution process in an embodiment of the present application;

fig. 10 is a schematic diagram of a second key distribution process in the embodiment of the present application;

fig. 11 is a schematic diagram of an interaction implementation timing sequence of a trusted key management method in an embodiment of the present application;

fig. 12 is a schematic structural diagram of a first trusted key management device in an embodiment of the present application;

fig. 13 is a schematic structural diagram of a second trusted key management device in an embodiment of the present application;

fig. 14 is a schematic structural diagram of a third trusted key management unit in an embodiment of the present application;

fig. 15 is a schematic structural diagram of an electronic device in an embodiment of the present application;

fig. 16 is a schematic diagram of a hardware component of a computing device to which an embodiment of the present invention is applied.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present application. All other embodiments obtained by a person skilled in the art without any inventive step based on the embodiments described in the present application are within the scope of the protection of the present application.

Some concepts related to the embodiments of the present application are described below.

And (3) trusted computing: protecting the safety of a computing process, data privacy, authentication data integrity, source reliability and the like based on hardware; the method is characterized in that a memory access control and memory encryption mechanism is arranged outside, namely, the outside comprises an operating system and does not have access authority of a memory space in a trusted computing domain; the remote certification mechanism is used for remotely certifying that the logic and the like operated by the trusted execution environment are not tampered; a local attestation mechanism is provided for attesting to other trusted execution environments that operate in the same hardware environment. The effect achieved using trusted computing is that data, program logic within the trusted computing domain cannot be snooped by the external environment without active output.

Trusted Execution Environment (TEE) and TEE applications: the TEE is a secure area located in the main processor. Loading running code and data in the TEE will be protected for privacy and integrity. TEE can run in parallel with the user-oriented operating system, but with better privacy and security than the latter. The TEE application refers to an application program running in the TEE, such as a first target application, a second target application, and the like in the embodiment of the present application.

Local certification: a method of a trusted execution environment certifying to another trusted execution environment that both run in the same hardware environment. In the embodiment of the application, the trusted key management service agent and the TEE application can perform identity mutual verification through a local certification process.

Remote attestation: a method for a trusted execution environment to prove the legitimacy of the hardware of the environment in which the trusted execution environment runs to a third party. Generally, after a third party initiates a challenge, the feasible execution environment sends an information set including hash measurement of own code logic, signs the information set, and returns the signed information set to the third party for identity verification. If the verification is successful, the remote attestation is complete. In the embodiment of the application, the trusted key management service agent and the trusted key management service can perform identity mutual verification through a remote certification process.

Diffie-Hellman (D-H) key exchange protocol: the method is a secure protocol which enables two parties to negotiate the same key through an insecure channel under the condition of completely lacking any advance information of the other party. This key may be used as a symmetric key to encrypt the communication content in subsequent communications.

Key Management Service (KMS): the method can manage the key for the user agent, protect the confidentiality, integrity and availability of the key, and meet the key management requirements of multiple applications and multiple services of the user.

TEE metric information: the evidence for proving the correspondence between the TEE application and the code logic and the runtime hardware environment is a set of information such as the hash measurement of the application code logic, the signature of the hardware on the hash measurement of the code logic (the signature private key is built in the hardware by the hardware manufacturer), the signature of the hardware manufacturer on the hardware public key, and the like. The third party verifies the signature of the hardware public key by the hardware manufacturer so as to prove that the hardware is originated from the legal hardware manufacturer, and verifies the signature of the hardware to the code logic so as to prove that the TEE application of the expected logic runs in the expected hardware environment, thereby proving the integrity of the TEE application, and the safety of the application is ensured by the TEE provided by the hardware. The metrics information supports the deposit of application-specific data, intermediate data that can be used to deposit a key exchange protocol negotiates session keys between the TEE application and the TEE application, and between the TEE application and a non-TEE application for encrypted communications.

Encryption and sealing: and (3) a behavior that the TEE application encrypts data and stores the data to the local based on the symmetric key derived from the hardware, wherein the same hardware is completely the same as the symmetric key derived from the TEE application with the same measurement information, and the derived symmetric keys are different due to the change of the hardware or the measurement information.

White list: a means for implementing entitlement control. For purposes of this application, a white list is embodied as a list of TEE metric information. For a particular metric M, only if it is strictly equal to a certain item in the TEE metric list, the application corresponding to M will be trusted and will be granted with information such as keys.

Hard coding: is a software development practice that embeds data directly into the source code of a program or other executable object, as opposed to obtaining data externally or generating data at runtime. Hardcoded data can typically only be modified by editing the source code and recompiling the executable file, although changes may be made in memory or on disk using a debugger or hexadecimal editor. Hard coded data typically represents invariant information such as physical constants, version numbers, and static text elements.

And (3) secret key: is a parameter that is input in an algorithm that converts plaintext into ciphertext or converts ciphertext into plaintext. In the embodiment of the present application, the keys are divided into two main categories according to the functions of the keys in the overall process of the scheme: a session key and a data encryption key. The session key is a key for encrypting and decrypting communication data by two communication parties, and is mainly used for safety communication and protecting the communication data of the two communication parties; the data encryption key is mainly used for encrypting and decrypting data needing to be exchanged between TEE applications.

TEE is widely applied in the fields of cloud computing, personal consumer electronics, block chain, finance, Internet of things, artificial intelligence and the like, and the requirements of application scenes such as personal privacy protection, cloud computing safety, digital intellectual property protection, financial payment and the like on safety and privacy are infinite, so that a large number of TEE applications based on trust area or software protection extension are developed. However, the trust of the TEE application itself and the mutual trust of TEE applications adopting the same technical scheme in the network can only be guaranteed, TEE applications of different architectures are not trusted, and these applications are easy to form a trust island.

Among them, cloud computing (cloud computing) refers to a delivery and use mode of Internet Technology (IT) infrastructure, and refers to obtaining required resources through a network in an on-demand and easily extensible manner; the broad cloud computing refers to a delivery and use mode of a service, and refers to obtaining a required service in an on-demand and easily-extensible manner through a network. Such services may be IT and software, internet related, or other services. Cloud Computing is a product of development and fusion of traditional computers and Network Technologies, such as Grid Computing (Grid Computing), distributed Computing (distributed Computing), Parallel Computing (Parallel Computing), Utility Computing (Utility Computing), Network Storage (Network Storage Technologies), Virtualization (Virtualization), Load balancing (Load Balance), and the like.

With the development of diversification of internet, real-time data stream, and connection devices, and the promotion of demands for search services, social networks, mobile commerce, open collaboration, and the like, cloud computing has been rapidly developed. Different from the prior parallel distributed computing, the generation of cloud computing can promote the revolutionary change of the whole internet mode and the enterprise management mode in concept.

The system for TEE trusted key management (referred to as trusted key management system for short) provided in the embodiment of the present application may be implemented by using a distributed computing technology in cloud computing, and the system may be a distributed system. In the system, a trusted key management service based on TEE is operated in a cluster of multiple physical nodes, and keys distributed by the service are issued to TEE applications through agents of the service at each physical node, so that the TEE applications with the same measurement on different physical nodes of hardware can obtain the same keys for purposes of symmetric encryption and the like, and the safe sharing of data is realized.

The following briefly introduces the design concept of the embodiments of the present application:

trusted computing widely uses a trusted computing platform based on hardware security module support in computing and communication systems to improve the overall security of the system. The secret key plays an important role in identity certification, secure storage and integrity measurement of the platform in a trusted computer system, so that secret key management is an important link for realizing trusted computing.

Taking key management during data communication between TEE applications as an example, most of applications running in the TEE are developed based on one of a trust zone or a software protection extension, each TEE application is independent and cannot access each other under an unauthorized condition in the TEE, and on the basis, when data is exchanged between the TEE applications, the data communication safety needs to be ensured by means of the key.

In the scheme listed in fig. 1A in which a key is negotiated in real time between TEE applications for secure data exchange, if a TEE application of a machine 1 encrypts data to generate a ciphertext based on a key derived from hardware, the ciphertext is cached in a database and then goes off-line, and when a machine 2 starts the same TEE application, the same key cannot be derived by different hardware of the machine to decrypt the ciphertext, and thus data sharing cannot be achieved, so it is necessary to ensure that the TEE applications of two machines are online at the same time and negotiate in real time.

In addition to the method illustrated in fig. 1A, a method for managing a key for a TEE based on a KMS is also proposed in the related art, as shown in fig. 1B, the specific scheme is as follows: the KMS remotely verifies the validity of the TEE application, distributes a secret key K (the same measurement information can derive the same K) for the TEE application, and the TEE application establishes a secure channel for sharing data based on the secret key K.

However, the traditional KMS is introduced into the method to manage the key for the TEE application, so that the trust root can be expanded, the KMS outside the TEE environment leaks or illegally uses the key, so that the TEE application can be counterfeited by non-TEE application, the trust root cannot be limited in the TEE application, and further the security hole that the TEE application can be counterfeited is brought.

In view of this, embodiments of the present application provide a trusted key management method, an apparatus, an electronic device, and a storage medium. The trusted key management service, the trusted key escrow application and the target application related in the application can carry out validity verification of the operating environment, strictly follow the coding logic and ensure that the key cannot be leaked. In this way, the TEE applications located at different physical nodes do not need to be online at the same time, and only the data encryption key which is managed by the TEE application in advance is acquired from the trusted key management application; and when the trusted key management service side generates the data encryption key for the target application, the data encryption key is generated based on the measurement information of the target application, and the pre-generated data encryption keys are the same for the first target application and the second target application with the same measurement information, that is, for the TEE applications with the same measurement information and located in the same cluster, the same key can be obtained even if the located physical nodes are different, and the data encryption key can be obtained from the corresponding trusted key management application without being on line at the same time, so that the data security communication is realized.

The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it should be understood that the preferred embodiments described herein are merely for illustrating and explaining the present application, and are not intended to limit the present application, and that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.

Fig. 2 is a schematic view of an application scenario according to an embodiment of the present application. The application scenario diagram includes two terminal devices 210 and a server 220.

In the embodiment of the present application, the terminal device 210 includes, but is not limited to, a mobile phone, a tablet computer, a notebook computer, a desktop computer, an e-book reader, an intelligent voice interaction device, an intelligent household appliance, a vehicle-mounted terminal, and other devices; the TEE application may be installed on the terminal device, the application may be software (e.g., a browser, payment software, or the like), or a web page, an applet, or the like, and the server 220 is a background server corresponding to the software, or the web page, the applet, or a server specially used for trusted key management, which is not limited in this application. The server 220 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, Network service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), big data, and an artificial intelligence platform.

In practical applications, TEE is widely used in many fields, such as the personal consumer electronics field, the artificial intelligence field, etc., as listed above. For example, when an object uses a mobile device to access email, intranet and corporate documents, trusted end-to-end security is required to ensure that corporate data is protected on the device and that network authentication data is not misused, in which case the email application may be a TEE application. Also for example, in content protection, for high-quality content such as music, video, books, and games, a content protection mechanism is required to prevent illegal copying and distribution, in which case a video application, a game application, an audio application, and the like may be a TEE application. For example, when mobile payment is carried out, the TEE can provide protection in aspects of object authentication, transaction confirmation, transaction processing and the like by means of the characteristics of a trusted User Interface (UI) of the TEE, and the payment application can be a TEE application in this case; and so on. When the process is realized by the method in the embodiment of the application, the data can be effectively ensured to be safe and credible.

It should be noted that, in the embodiment of the present application, the first target application, the second target application, the trusted key management service, and the like may run on the terminal device 210, may also run on the server 220, or partially run on the terminal device 210 and partially run on the server 220; typically, a trusted key management service runs on server 220. The trusted key management method in the embodiments of the present application may be executed by an electronic device, which may be the terminal device 210 or the server 220, that is, the method may be executed by the terminal device 210 or the server 220 alone, or may be executed by both the terminal device 210 and the server 220.

In an alternative embodiment, the terminal device 210 and the server 220 may communicate with each other via a communication network.

In an alternative embodiment, the communication network is a wired network or a wireless network.

It should be noted that fig. 2 is only an example, and the number of the terminal devices and the servers is not limited in practice, and is not specifically limited in the embodiment of the present application.

In the embodiment of the application, when the number of the servers is multiple, the multiple servers can be combined into a block chain, and the servers are nodes on the block chain; the trusted key management method as disclosed in the embodiment of the present application, wherein the data to be exchanged can be stored on the block chain, for example, metric information of the tKMS agent, metric information of the TEE application, and the like.

In addition, the embodiment of the application can be applied to various scenes, including but not limited to cloud technology, artificial intelligence, intelligent traffic, driving assistance and the like.

The trusted key management method provided by the exemplary embodiment of the present application is described below with reference to the accompanying drawings in conjunction with the application scenarios described above, and it should be noted that the application scenarios described above are only shown for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited in this respect.

Based on the above-mentioned target application, trusted key escrow application, and trusted key management service, an embodiment of the present application provides a trusted key management system, which is a distributed system that manages keys for TEE applications. The TEE-based trusted key management service is operated in a cluster with multiple physical nodes, and keys distributed by the service are issued to TEE applications through agents of the service at each physical node, so that the TEE applications with the same measurement on different physical nodes of hardware can obtain the same keys for purposes of symmetric encryption and the like, and the secure sharing of data is realized. The following briefly introduces a trusted key management system in the embodiment of the present application with reference to fig. 3A and 3B:

the trusted key management system in the embodiment of the application comprises: a trusted key management service module (tKMS), a trusted key escrow application module (tKMS proxy) deployed on a physical node, and a target application, the target application being an application running in a trusted execution environment, i.e., a TEE application.

Specifically, the tKMS responds to a key request of the tKMS agent and distributes keys to the tKMS agent, so that TEEs with the same measurement can share the keys for safely exchanging data; the tKMS agent runs on each physical machine of the cluster and manages keys for TEE application agents of the same machine; the TEE application proxies the synchronization key from the local tKMS for encryption and decryption of data, etc.

In the following, it is exemplified that the cluster includes two physical nodes, which are machine 1 and machine 2.

Fig. 3A is a schematic structural diagram of a first trusted key management system in an embodiment of the present application. The tKMS in the cluster shown in fig. 3A is centrally deployed, thus the cluster comprises one tKMS, and one tKMS agent is deployed on each physical node, thus also comprising two physical nodes, two tKMS agents, multiple TEE applications. The tKMS is responsible for centralized management of global keys and processes low-frequency key distribution requests; a tKMS proxy is deployed on each physical node, and requests and caches keys for local TEE application proxies.

Fig. 3B is a schematic structural diagram of a second trusted key management system in this embodiment of the application. The tKMS in the cluster shown in fig. 3A is not centrally deployed, and thus the cluster comprises a plurality of tKMS, and at least two tKMS agents are deployed on each physical node, and thus also two physical nodes, a plurality of tKMS agents, and a plurality of TEE applications. The system comprises a plurality of physical nodes, a plurality of tKMS agents and a plurality of TEE application agents, wherein the tKMS agents run on each physical node, the plurality of tKMS agents located on the same physical node can request and cache keys for local TEE application agents, load balancing is achieved by deploying the plurality of tKMS agents on the same machine, and high-frequency local key synchronization requests are effectively processed.

In addition, the cluster shown in fig. 3B also has a plurality of tkmss, and the tKMS service of the present application may synchronize data in a manner of sharing a database, so that the service is provided externally in a form of multiple copies in a cluster scene, and is not limited to only running a centralized service. Particularly, the data base shared by the tKMS stores ciphertext, and the decryption key of the ciphertext is obtained by executing multi-party key agreement algorithm negotiation with the existing tKMS copy when the tKMS copy is added into the cluster.

It should be noted that the tKMS, the tKMS proxy, and the TEE application in the embodiment of the present application all run in the TEE, and may accept public inspection, and the execution process cannot be audited or tampered, and strictly follows the encoding logic, so that the key is not leaked out of the TEE.

The following describes the trusted key management method in the embodiment of the present application, applying three sides from the ttms proxy, the ttms, and the TEE, respectively:

first, a description is made from a ttkms proxy side, and referring to fig. 4, an implementation flowchart of a trusted key management method provided in an embodiment of the present application is applied to a trusted key management application, that is, a ttkms proxy, and a specific implementation flow of the method is as follows:

s41: after the trusted key escrow application determines that the running environment of a first target application located in the same physical node is legal, encrypting a data encryption key corresponding to the first target application to obtain a first key ciphertext; the data encryption key is obtained from a trusted key management service in advance and is generated based on the measurement information of the first target application, and the trusted key management service is operated in a cluster containing the physical nodes.

S42: the trusted key escrow application sends the first key ciphertext to the first target application, so that the first target application decrypts the first key ciphertext and then performs data communication with a second target application with the same metric information based on the obtained data encryption key, wherein the first target application and the second target application run in trusted execution environments in different physical nodes.

In the embodiment of the present application, the trusted key hosting application is executed on physical nodes in a cluster, for example, as shown in fig. 3A or fig. 3B, for a cluster, at least one trusted key hosting application (tmks agent) is executed on each physical node in the cluster, and is used for hosting data encryption keys distributed by the trusted key management service (tmks) for target applications (TEE applications).

It should be noted that, in the embodiment of the present application, the trusted key management method implemented based on the trusted key escrow system may be specifically divided into two stages, namely, pre-deployment and key distribution:

wherein the pre-deployment phase mainly involves the tKMS and the tKMS proxy to realize secure data communication between the tKMS and the tKMS proxy.

Optionally, in the pre-deployment phase, the trusted key escrow application side may pre-configure a first metric information set for the trusted key management service, where the set stores metric information of the trusted key management service trusted by the trusted key escrow application, and thus the set may also be referred to as a tmms metric information white list.

In this embodiment, each trusted key hosting application on each physical node may configure a corresponding tKMS metric information whitelist in advance according to a trusted key management service trusted by the application.

When the kms agent verifies the legitimacy of the operating environment of the kms, it can perform based on the preconfigured kms metric information whitelist. Specifically, for a certain trusted key management application, if the currently verified metric information of the trusted key management service is in the first metric information set of the trusted key management application, it is determined that the running environment of the trusted key management service is legal. Conversely, if the currently verified metric information of the trusted key management service is not in the first set of metric information, it may be determined that the trusted key management service operating environment is not legitimate, i.e., not trusted, with respect to the trusted key escrow application.

Similarly, in the pre-deployment phase, the trusted key management service side also pre-configures a second metric information set for the trusted key management application, where the set stores metric information of the trusted key management application trusted by the trusted key management service, and thus the set may also be referred to as a tKMS proxy metric information white list, and further, when the tKMS verifies the validity of the running environment of the tKMS proxy, the set may be executed based on the pre-configured tKMS proxy metric information white list.

Optionally, in order to further protect data communication between the trusted key escrow application and the trusted key management service, after the trusted key escrow application determines that the operating environment of the trusted key management service is legal, the trusted key escrow application may perform key exchange with the trusted key management service to obtain a second session key for protecting communication data between the trusted key escrow application and the trusted key management service.

The key exchange between the tmms and the tmms proxy may be implemented through a key exchange protocol (e.g., D-H key exchange protocol) to negotiate a second session key.

Furthermore, in the subsequent key distribution process, the trusted key management service may encrypt the data encryption key for the first target application based on the second session key to obtain a second key ciphertext, and send the second key ciphertext to the trusted key escrow application. And then, the trusted key escrow application receives a second key ciphertext returned by the trusted key management service, decrypts the second key ciphertext based on the second session key, and obtains a data encryption key so as to realize the safe transmission of the data encryption key.

The pre-deployment process in the embodiment of the present application is described in detail below with reference to fig. 5:

as shown in fig. 5, which is a schematic diagram of a pre-deployment process in the embodiment of the present application, specifically including the following steps 1 to 5:

step 1. for tKMS: examining source codes, configuring a white list:

this step may be performed by an administrator who reviews the ttms program source code, ensures that there is no logic to divulge keys, and configures the ttms program with a white list of ttms proxy metric information.

In this step, the source code of the tmms should be strictly censored, ensuring that there is no logic to leak the key; and, it supports configuring a plurality of ttms proxies different in metric information. The configuration can be in the form of hard-coded source code to the tKMS or configuration files read by the tKMS at runtime, wherein the hard-coded mode has the highest security level and the runtime configuration files have a lower security level. In practical applications, the administrator may select the specific application according to personal needs, and is not specifically limited herein.

Step 2. for the tKMS proxy: examining source codes, configuring a white list:

like step 1 above, the administrator reviews the ttms proxy source code, ensures that there is no logic to divulge keys, and configures the ttms proxy with a ttms metric information whitelist.

In the embodiment of the application, the administrator is responsible for source code review, service operation and maintenance of the tKMS and the tKMS proxy.

And 3, starting:

and sequentially starting the tKMS and the tKMS proxy service of each physical node.

Step 4, remotely proving the mutual authentication identity:

after the tKMS proxy service is started, a remote certification process is executed to certify the legitimacy of the running environment of the tKMS to the tKMS, and the legitimacy of the running environment of the tKMS is verified, wherein the specific verification process comprises the following substeps:

sub-step a1. the remote attestation process tKMS and the agent exchange respective measurement information;

the substep b1. ttkms ensures that the metric information of the ttkms proxy is on the tmms trusted metric information whitelist (i.e. the second set of metric information), otherwise the service is rejected;

the substep c1. the tKMS proxy ensures that the metric information of the tKMS is on the white list of metric information trusted by the tKMS proxy (i.e. the first set of metric information), otherwise the link is broken.

Step 5, negotiating a session key:

the kmss and the kms agents negotiate a session key sk1 (i.e., a second session key) for subsequent protection of communication data by using the metric information exchanged in the previous step and the key added to the metric information to negotiate required data (e.g., a public key).

In the above embodiment, the ttms and its proxy both run inside the TEE (without loss of generality, Intel SGX may be used as the implementation method of the TEE), accept public inspection, the execution process cannot be audited or tampered, and the coding logic is strictly followed, so that the key does not leak outside the TEE.

In addition, the traditional KMS requires the client to authenticate with the server in the form of password, etc., and has a human burden cost. According to the method and the device, direct-connected secure channel exchange keys are established between TEE services by means of mutual authentication based on remote certification between the tKMS and the tKMS proxy, and information such as manually injected passwords is not needed.

Based on the above, a direct secure channel can be established between the tKMS and the tKMS proxy in order to exchange data encryption keys for the TEE application between the tKMS and the tKMS proxy.

Specifically, the trusted key escrow application performs identity mutual verification with the first target application, and after it is ensured that the operating environment of the TEE application is legal, the data encryption key for the first target application needs to be encrypted before being sent to the first target application.

An optional implementation manner is that the trusted key hosting application performs key exchange with the first target application to obtain a first session key, and encrypts the data encryption key based on the first session key to obtain a first key ciphertext.

Specifically, the trusted key escrow application and the first target application may perform local identity mutual verification, and after the verification is legal, the two parties negotiate a first session key, and the specific implementation process is as follows:

first, the TEE application side configures a trusted tKMS proxy metric information white list (configuration requirement is the same as tKMS), i.e. the third metric information set in this application.

Furthermore, after the TEE application is started, a local certification process is executed by combining the third measurement information set, the validity of the running environment of the TEE application is certified to the tKMS proxy of the same physical node, and the running environment of the tKMS proxy is verified to be legal. The specific verification process comprises the following sub-steps:

a substep a2. exchanging respective measurement information by the TEE application and the tKMS proxy in the local attestation process;

the sub-step b2. the TEE application ensures that the metric information of the tKMS agent is in the white list of metric information trusted by the TEE application (i.e. the third set of metric information), otherwise the link is broken;

finally, after the validity is verified, the tmms agent and the TEE application add data (e.g., public key) required for key agreement in their respective metric information, and perform D-H key exchange protocol to negotiate out a session key sk2 (i.e., first session key) for protecting subsequent communication data.

In the above embodiment, the first session key is used to protect communication data between the trusted key hosting application and the first target application to ensure that the data encryption key is not compromised.

In addition, the direct-connection secure channel exchange key is established between the TEE services by means of mutual authentication between the tKMS agent and the local TEE application based on local certification, and information such as manually injected passwords is not needed.

Since the trusted key escrow application in the embodiment of the application may be configured to escrow (proxy) the data encryption key allocated by the trusted key management service for the TEE application, the trusted key escrow application may acquire and store a key in advance from the trusted key management service so as to issue the key to the target application, or send a key distribution request to the trusted key management service before issuing the key distribution request to the target application, so as to acquire the data encryption key allocated by the trusted key management service for the target application.

Optionally, in step S41, before encrypting the data encryption key corresponding to the first target application to obtain the first key ciphertext, it may be queried locally whether the data encryption key that is obtained from the trusted key management service before is stored. Specifically, after the thms agent successfully verifies the validity of the running environment of the TEE application, the hash metric of the code logic of the TEE application is analyzed from the metric information of the TEE application, and whether the corresponding key K is cached locally or not is checked based on the hash metric, which can be divided into the following two cases:

if the key corresponding to the metric information of the first target application is locally stored, the key is used as the data encryption key in step S41, and the key is sent after the trusted key management service determines that the running environment of the trusted key hosting application is legal.

For example, after the trusted key escrow application is started, identity mutual verification is performed with the trusted key management service, and after the identity of the other party is confirmed to be legal, the trusted key management service sends the key generated for the first target application to the trusted key escrow application, and the trusted key escrow application acquires the key and stores the key locally. For example, after step 5 shown in fig. 5, the tKMS generates a data encryption key for the first target application, encrypts the data encryption key based on the session key negotiated at step 5, and transmits the encrypted data encryption key to the tKMS proxy, and the tKMS proxy decrypts the encrypted data encryption key based on the session key negotiated at step 5 and stores the decrypted data encryption key locally.

On the basis of the above situation, the key distribution flow is roughly: the tKMS agent and the TEE application complete local identity mutual verification and negotiate out a first session key; the method comprises the steps that a tKMS agent obtains a data encryption key for TEE application from the local, encrypts the data encryption key through a first session key to obtain a first key ciphertext, and sends the first key ciphertext to the TEE application; and the TEE application decrypts the first key ciphertext based on the first session key to obtain a data encryption key.

And (II) if the key corresponding to the measurement information of the first target application is not stored locally, sending a key distribution request to the trusted key management service based on the measurement information of the first target application, and acquiring a data encryption key returned by the trusted key management service.

When a key distribution request is sent to the trusted key management service based on the metric information of the first target application, the metric information of the first target application can be used as a parameter to request the tKMS to distribute keys; the parameter may also be associated with the metric information of the first target application, and the ttms may be requested to assign a key, that is, the parameter is associated with the metric information of the first target application, for example, SHA256 hash of the metric information of the first target application.

Furthermore, after the data encryption key returned by the trusted key management service is obtained, the key-value pair composed of the data encryption key and the metric information of the first target application may also be encrypted and sealed locally, so that the subsequent query may be directly performed from the local cache (in the manner listed in the above case (a)).

On the basis of the above situation, the key distribution flow is roughly: the tKMS agent and the TEE application complete local identity mutual verification and negotiate out a first session key; sending a key distribution request to the tKMS by the tKMS proxy, acquiring a data encryption key for the TEE application from the tKMS and caching the data encryption key to the local; encrypting the data encryption key by the tKMS agent through the first session key to obtain a first key ciphertext, and sending the first key ciphertext to the TEE application; and the TEE application decrypts the first key ciphertext based on the first session key to obtain a data encryption key.

In the above embodiment, the data encryption key and the measurement information for one target application are encrypted and sealed in a key-value pair manner, so that subsequent queries can be directly performed from the local cache without sending a key distribution request to the trusted key management service each time to obtain the key, thereby saving time and improving key distribution efficiency.

The key management process in the embodiments of the present application is briefly summarized below in connection with fig. 6 by deploying a centralized tKMS and a tKMS agent that clusters each physical machine:

fig. 6 is a business flow diagram of a trusted key management system in an embodiment of the present application. The cluster shown in fig. 6 includes two physical nodes, which are a machine 1 and a machine 2, respectively, a TEE application running on the machine 1 may serve as a first target application, a TEE application running on the machine 2 may serve as a second target application, a ttkms proxy on the machine 1 and the machine 2 may be a trusted key escrow application, and a ttkms may be a trusted key management service in the cluster.

In the embodiment of the application, a TEE is introduced to construct a trusted service tKMS and a corresponding proxy service, and a key is managed for TEE application of a physical machine cluster. The general business process is as follows:

step 1, remotely verifying identity mutually:

the specific process of the remote mutual identity verification between the tmms and the tmms proxy can be referred to the above embodiment, and the repeated details are not repeated.

Step 2, local mutual identity verification:

the specific process of the local mutual authentication between the TEE application and the ttkms proxy on each physical node, for example, the first target application and the corresponding ttkms proxy local mutual authentication on the machine 1, and the second target application and the corresponding ttkms proxy local mutual authentication on the machine 2, is also referred to the above embodiment, and the repeated details are omitted.

Step 3, secret key K:

the kms distributes the key K generated for the target application to each kms agent, and the specific process may refer to the above embodiment, and repeated details are not described herein.

Step 4, secret key K:

the kms agent distributes the key K to the corresponding TEE application, and the specific process may refer to the above embodiment, and repeated details are not described again.

And 5, exchanging data ciphertext:

for example, the TEE application on the machine 1 and the TEE application on the machine 2 exchange data ciphertexts and decrypt the data ciphertexts based on the key K acquired in the above manner.

Referring to fig. 7, a flowchart of an implementation of a trusted key management method provided in an embodiment of the present application is applied to a trusted key management service, that is, a ttms, and is described below with reference to a ttkms side, where the method includes the following specific implementation processes:

s71: after determining that the running environment of the trusted key escrow application is legal, the trusted key management service encrypts a data encryption key generated aiming at the first target application to obtain a second key ciphertext; the trusted key management service operates in a cluster containing physical nodes, the trusted key hosting application and the first target application are located in the same physical node in the cluster, and the data encryption key is generated based on metric information of the first target application.

Optionally, in order to further protect data communication between the trusted key management service and the trusted key escrow application, after the trusted key management service determines that the operating environment of the trusted key escrow application is legal, key exchange is performed with the trusted key escrow application to obtain a second session key, and the trusted key management service encrypts, based on the second session key, the data encryption key for the first target application to obtain a second key ciphertext, and sends the second key ciphertext to the trusted key escrow application.

S72: and the trusted key management service sends the second key ciphertext to the trusted key escrow application so that the trusted key escrow application decrypts the second key ciphertext and sends the obtained data encryption key to the first target application, the first target application performs data communication with a second target application with the same metric information according to the data encryption key, and the first target application and the second target application run in trusted execution environments in different physical nodes.

It should be noted that, as described above by taking the first target application as an example, similarly, the trusted key management service may also perform identity mutual verification with the trusted key escrow application on the physical node where the second target application is located, and further send the data encryption key for the second target application to the trusted key escrow application, so that the trusted key escrow application sends the corresponding data encryption key to the second target application.

In the embodiment of the application, for TEE applications with the same measurement information, data encryption keys generated by the trusted key escrow service are the same, so that when a first target application with the same measurement information needs to share data with a second target application, simultaneous online is not required to be guaranteed, and only keys are acquired from trusted key escrow applications located in the same physical node as the first target application and the second target application. In addition, in the whole process, identity mutual verification is carried out between the trusted key management service and the trusted key escrow application as well as between the trusted key escrow application and the target application, and a data encryption key is transmitted through the session key, so that the key is safe and reliable.

Optionally, before the trusted key management service side feeds back the data encryption key to the trusted key escrow application, it is also required to query whether the key is locally stored, so the process is specifically divided into the following two ways:

and (I) if a key corresponding to the measurement information of the first target application is locally stored, taking the key as a data encryption key used by the first target application.

Specifically, the locally stored data encryption key may be generated and stored in advance, such as after mutual authentication between the ttms and the ttms proxy identity is legal.

And (II) if the key corresponding to the measurement information of the first target application is not stored locally, calling a preset key derivation rule to generate a data encryption key based on the measurement information of the first target application.

Optionally, after invoking the preset key derivation rule to generate the data encryption key, the trusted key management service may encrypt and store the key value pair formed by the data encryption key and the measurement information of the first target application to the local, so that when a request is received again later, a query is directly performed (i.e., in the process listed in the above manner (a)), repeated generation is not required, and efficiency is improved.

Specifically, after receiving the request, the tKMS checks whether the key K corresponding to the metric information of the first target application is cached locally. If not, using the measurement information of the first target application or the related information thereof as a parameter to call a key derivation algorithm to generate a unique key K, and encrypting and sealing the key value pair (M, K) to the local. Where M refers to metric information of the first target application. Likewise, a similar process is also applied to the second target application, and the repetition is not repeated.

It should be noted that the key derivation algorithm in the embodiment of the present application may be selected by the developer of the tKMS.

Compared with the related art, the encryption and decryption algorithm in the embodiment of the application is more flexible, the traditional KMS generally only supports a specific algorithm, and the application supports the object to flexibly select the key type and the encryption algorithm according to the requirement.

Optionally, it is determined that the running environment of the trusted key hosting application is legal by:

acquiring a second measurement information set which is configured in advance and aims at the trusted key escrow application; and if the measurement information of the trusted key escrow application is in the second measurement information set, determining that the running environment of the trusted key escrow application is legal.

It should be noted that, for the specific implementation process of the foregoing embodiment, reference may be made to the foregoing embodiment, and repeated details are not described again.

In the embodiment of the present application, if it is determined that two target applications have the same metric information, the data encryption keys allocated to the two target applications are the same. If the first target application and the second target application have the same metric information, the key K generated by the trusted key management service for the first target application and the second target application is the same.

Based on the above embodiment, distributed TEE applications can share the same key, and it is ensured that TEE applications located in the same cluster and having the same metric information can acquire the same key from the tKMS even if the physical nodes are different.

Referring to fig. 8, a flowchart of an implementation of a trusted key management method provided in an embodiment of the present application is applied to a target application, that is, a TEE application, and the method includes the following specific implementation flows:

s81: the target application determines that the running environment of the trusted key escrow application located in the same physical node is legal;

s82: the target application decrypts the first key ciphertext after receiving the first key ciphertext sent by the trusted key escrow application to obtain a data encryption key used by the target application, wherein the data encryption key is obtained by the trusted key escrow application from the trusted key management service in advance and is generated based on measurement information of the target application, and the trusted key management service operates in a cluster containing physical nodes;

s83: the target application is in data communication with other target applications having the same metric information based on the data encryption key, the target application and the other target applications running in trusted execution environments in different physical nodes.

Two target applications which are located in different physical nodes and have the same measurement information can respectively obtain a data encryption key from a trusted key agent application located in the same physical node with the target applications for data sharing in the manner described above. For example, if the target application is the first target application, the other target applications are the second target applications, or the target application is the second target application, and the other target applications are the first target applications, and so on, the specific implementation process may refer to the foregoing embodiment, and repeated details are not described again.

Optionally, before the target application decrypts the first key ciphertext to obtain the data encryption key used by the target application, the target application needs to perform key exchange with the trusted key escrow application to obtain a first session key; further, the first key ciphertext is decrypted based on the first session key to obtain the data encryption key, and the specific process may refer to the foregoing embodiment, and repeated details are not described again.

Fig. 9 is a schematic diagram of a first key distribution process in the embodiment of the present application. A brief description of a centralized key distribution process in the embodiment of the present application is provided below with reference to fig. 9:

step 1, configuring a white list of a tKMS proxy:

the TEE application configures a trusted kms proxy metrics information white list (configuration requirements are the same as the kms).

Step 2, locally proving the mutual identity:

after the TEE application is started, a local certification process is executed to certify the validity of the running environment of the TEE application to a tKMS proxy of the same physical machine, and the validity of the running environment of the tKMS proxy is verified. The specific process is as follows:

sub-step a3. the remote attestation process TEE application and the tKMS proxy exchange respective measurement information;

the TEE application ensures that the measurement information of the tKMS agent is in a measurement information white list trusted by the TEE application, otherwise, the link is disconnected;

the ttkms proxy and the TEE application add data required for key agreement in their respective metric information, and perform D-H key exchange protocol to negotiate out a session key sk2 for protecting subsequent communication data.

Step 3, checking local cache:

after the tKMS agent successfully verifies the validity of the running environment of the TEE application, whether the key K corresponding to the measurement information M of the TEE application is cached locally or not is checked. If so, go to step 7. Otherwise, requesting the tKMS to distribute the key by taking M as a parameter.

Step 4, requesting to distribute the key:

after receiving the request (i.e., the key distribution request), the tKMS checks whether the key K corresponding to M has been cached locally. If not, calling a key derivation algorithm by taking M as a parameter to generate a unique key K, and encrypting and sealing the key value pair (M, K) to the local.

Step 5, encryption version key C:

and the tKMS encrypts K by sk1 to obtain a ciphertext C, and feeds the ciphertext C back to the tKMS proxy.

And 6, decrypting and caching the key K:

the tKMS agent decrypts the ciphertext C by using sk1 to obtain a key K, and encrypts and stores the key value pair (M, K) to the local.

Step 7, encryption version key C2:

the tKMS agent encrypts K with sk2 to obtain ciphertext C2, and applies feedback C2 to the TEE.

Step 8, data cipher text:

the TEE application decrypts C2 with sk2 to get the key K. Based on the K encrypted data, the ciphertext C3 may be dumped to an external storage device before being taken off-line.

And 9, decrypting and restoring data-data plaintext:

the TEE application, with the same metric information, decrypts ciphertext C3 to obtain the data plaintext based on the same key K.

It should be noted that, after the TEE application with the same metric information is started, the same steps (refer to steps 1-8 shown in fig. 9) are executed, and the same key K can be obtained, for example, in fig. 9, two TEE applications with the same metric information on the machine 1 and the machine 2 can implement data sharing in the above manner.

In the above embodiment, the two-level key management service has clear division of work and high performance: the tKMS is responsible for centralized management of global keys and processes low-frequency key distribution requests; the tKMS proxy proxies the request and cache keys for the local TEE application.

Fig. 10 is a schematic diagram of a second key distribution process in the embodiment of the present application. The difference from fig. 9 is that the key distribution process illustrated in fig. 10 is a decentralized key distribution process, where there are two tkmss in the cluster, and the two tkmss synchronize data between the two tkmss by sharing a database, and in addition, other processes are the same as those illustrated in fig. 9, and their repeated parts are not described again.

In the above embodiment, the ttkms provides services externally in a multi-copy form in a cluster scene, and is not limited to only running centralized services and expanding application scenes.

In the embodiment of the application, after the TEE application is started each time and successfully verifies the identity with the tKMS proxy to execute the local certification process, the tKMS proxy acquires the key K from the tKMS, the TEE application obtains the ciphertext C based on K encrypted data and dumps the ciphertext C to the external storage device, the TEE applications with the same measurement information in the cluster execute the same process and acquire the same key K from the tKMS, the key C can be decrypted, the TEE applications do not need to be online at the same time, the data encryption key can be acquired from the corresponding trusted key escrow application, and data security communication is achieved.

With reference to fig. 11, an example of an interaction flow between the parts in the data sharing process between the first target application and the second target application is described below:

fig. 11 is a schematic diagram of a time sequence for implementing the interaction of the trusted key management method. The specific implementation flow of the method is as follows:

step S1101: after the first trusted key escrow application is started, executing a remote certification process, certifying the legitimacy of the running environment of the first trusted key escrow application to the trusted key management service, and verifying the legitimacy of the running environment of the trusted key management service;

step S1102: after the second trusted key escrow application is started, executing a remote certification process, certifying the legitimacy of the running environment of the second trusted key escrow application to the trusted key management service, and verifying the legitimacy of the running environment of the trusted key management service;

step S1103: the first credible secret key agent application and credible secret key management service execute secret key exchange protocol to negotiate a session secret key-1;

step S1104: the second trusted key escrow application and the trusted key management service execute a key exchange protocol to negotiate a session key-2;

step S1105: after the first target application is started, a local certification flow is executed, the legitimacy of the running environment of the first target application is certified to the first trusted key escrow application, and the legitimacy of the running environment of the first trusted key escrow application is verified;

step S1106: after the second target application is started, executing a local certification process, certifying the legitimacy of the running environment of the second target application to the second trusted key escrow application, and verifying the legitimacy of the running environment of the second trusted key escrow application;

step S1107: the first trusted key escrow application and the first target application execute a key exchange protocol to negotiate a session key-3;

step S1108: the second trusted key escrow application and the second target application execute a key exchange protocol to negotiate a session key-4;

step S1109: the trusted key management service encrypts a data management key K aiming at the first target application based on the session key-1 to generate a key ciphertext-1 and sends the key ciphertext-1 to the first trusted key escrow application;

step S1110: the trusted key management service encrypts a data management key K aiming at the second target application based on the session key-2 to generate a key ciphertext-2 and sends the key ciphertext-2 to the second trusted key escrow application;

step S1111: the first trusted key escrow application decrypts the key ciphertext-1 based on the session key-1 to obtain a data encryption key K;

step S1112: the first trusted key escrow application encrypts a data management key K aiming at the first target application based on the session key-3 to generate a key ciphertext-3 and sends the key ciphertext-3 to the first target application;

step S1113: the second trusted key escrow application decrypts the key ciphertext-2 based on the session key-2 to obtain a data encryption key K;

step S1114: the second trusted key escrow application encrypts a data management key K aiming at the second target application based on the session key-4 to generate a key ciphertext-4 and sends the key ciphertext-4 to the second target application;

step S1115: the first target application decrypts the key ciphertext-3 based on the session key-3 to obtain a data encryption key K;

step S1116: the second target application decrypts the key ciphertext-4 based on the session key-4 to obtain a data encryption key K;

step S1117: the first target application encrypts data to be exchanged based on the data encryption key K to generate a data ciphertext;

step S1118: the first target application stores the data ciphertext to the external storage device;

step S1119: the second target application reads the data ciphertext from the external storage device;

step S1120: and the second target application decrypts the data cipher text based on the data encryption key K to obtain the data to be exchanged.

It should be noted that, in the embodiment of the present application, the execution order of the above steps is not limited, for example: the sequence of step S1101 and step S1102 is not limited, and the sequence of step S1103 and step S1104 is not limited, and so on.

Based on the same inventive concept, the embodiment of the application also provides a trusted key management device. As shown in fig. 12, which is a schematic structural diagram of a first trusted key management apparatus 1200 in this embodiment of the application, the trusted key management apparatus may include:

the processing unit 1201 is configured to encrypt a data encryption key corresponding to a first target application after determining that an operating environment of the first target application located in the same physical node is legal, so as to obtain a first key ciphertext; the data encryption key is acquired from a trusted key management service in advance and generated based on the measurement information of the first target application, and the trusted key management service operates in a cluster containing physical nodes;

a transmission unit 1202, configured to send the first key ciphertext to the first target application, so that after the first key ciphertext is decrypted by the first target application, the first target application performs data communication with a second target application having the same metric information based on the obtained data encryption key, where the first target application and the second target application run in trusted execution environments in different physical nodes.

Optionally, the processing unit 1201 is further configured to:

before encrypting a data encryption key corresponding to a first target application to obtain a first key ciphertext, performing key exchange with the first target application to obtain a first session key;

the processing unit 1201 is specifically configured to:

and encrypting the data encryption key based on the first session key to obtain a first key ciphertext.

Optionally, the apparatus further comprises:

the hosting unit 1203 is configured to, before the processing unit 1201 encrypts the data encryption key corresponding to the first target application to obtain a first key ciphertext, perform the following operations:

if a key corresponding to the measurement information of the first target application is stored locally, the key is used as a data encryption key, and the key is sent after the trusted key management service determines that the running environment of the trusted key escrow application is legal;

and if the key corresponding to the measurement information of the first target application is not stored locally, sending a key distribution request to the trusted key management service based on the measurement information of the first target application, and acquiring a data encryption key returned by the trusted key management service.

Optionally, the hosting unit 1203 is further configured to encrypt and store the key-value pair formed by the data encryption key and the measurement information of the first target application to the local after obtaining the data encryption key returned by the trusted key management service.

Optionally, the escrow unit 1203 is specifically configured to:

receiving a second key ciphertext returned by the trusted key management service, and decrypting the second key ciphertext based on a second session key to obtain a data encryption key;

Optionally, the apparatus further comprises:

an authentication unit 1204, configured to pre-configure a first set of metric information for the trusted key management service before obtaining a data encryption key from the trusted key management service in advance;

Based on the same inventive concept, the embodiment of the application also provides a trusted key management device. As shown in fig. 13, which is a schematic structural diagram of a second trusted key management apparatus 1300 in this embodiment of the present application, including:

the determining unit 1301 is configured to encrypt the data encryption key generated for the first target application after determining that the running environment of the trusted key escrow application is legal, to obtain a second key ciphertext; the trusted key management service operates in a cluster containing physical nodes, the trusted key escrow application and the first target application are located in the same physical node in the cluster, and the data encryption key is generated based on the measurement information of the first target application;

a transmission unit 1302, configured to send the second key ciphertext to the trusted key escrow application, so that after the trusted key escrow application decrypts the second key ciphertext, the obtained data encryption key is sent to the first target application, the first target application performs data communication with a second target application having the same metric information according to the data encryption key, and the first target application and the second target application operate in trusted execution environments in different physical nodes.

Optionally, the determining unit 1301 is further configured to:

before encrypting a data encryption key generated aiming at the first target application to obtain a second key ciphertext, performing key exchange with the trusted key escrow application to obtain a second session key;

the determining unit 1301 is specifically configured to:

and encrypting the data encryption key based on the second session key to obtain a second key ciphertext.

Optionally, the apparatus further comprises:

a key distribution unit 1303 configured to determine a data encryption key by:

if a key corresponding to the measurement information of the first target application is stored locally, taking the key as a data encryption key;

if the key corresponding to the measurement information of the first target application is not stored locally, a preset key derivation rule is called to generate a data encryption key based on the measurement information of the first target application.

Optionally, after the key distribution unit 1303 invokes the preset key derivation rule to generate the data encryption key, the key value pair composed of the data encryption key and the measurement information of the first target application is encrypted and sealed locally.

Optionally, the determining unit 1301 is configured to determine that the running environment of the trusted key hosting application is legal by:

Based on the same inventive concept, the embodiment of the application also provides a trusted key management device. As shown in fig. 14, which is a schematic structural diagram of a third trusted key management device 1400 in this embodiment of the application, the third trusted key management device may include:

a determining unit 1401, configured to determine that an operating environment of a trusted key hosting application located in the same physical node is legal;

a decryption unit 1402, configured to decrypt the first key ciphertext after receiving the first key ciphertext sent by the trusted key hosting application, to obtain a data encryption key used by the decryption unit, where the data encryption key is obtained by the trusted key hosting application from a trusted key management service in advance, and is generated based on measurement information of a target application, and the trusted key management service operates in a cluster including a physical node;

a communication unit 1403, configured to perform data communication with other target applications having the same metric information based on the data encryption key, where the target application and the other target applications run in trusted execution environments in different physical nodes.

Optionally, the decryption unit 1402 is further configured to:

before decrypting the first key ciphertext to obtain a data encryption key used by the user, performing key exchange with a trusted key escrow application to obtain a first session key;

the decryption unit 1402 is specifically configured to:

and decrypting the first key ciphertext based on the first session key to obtain a data encryption key.

Optionally, the determining unit 1401 is specifically configured to:

acquiring a pre-configured third measurement information set aiming at the trusted key escrow application;

and if the measurement information of the trusted key escrow application is in the third measurement information set, determining that the running environment of the trusted key management service is legal.

The trusted key management service, the trusted key escrow application and the target application related in the application can carry out validity verification of the operating environment, strictly follow the coding logic and ensure that the key cannot be leaked. In this way, the TEE applications located at different physical nodes do not need to be online at the same time, and only the data encryption key which is managed by the TEE application in advance is acquired from the trusted key management application; and when the trusted key management service side generates the data encryption key for the target application, the data encryption key is generated based on the measurement information of the target application, and the pre-generated data encryption keys are the same for the first target application and the second target application with the same measurement information, that is, for the TEE applications with the same measurement information and located in the same cluster, the same key can be obtained even if the located physical nodes are different, and the data encryption key can be obtained from the corresponding trusted key management application without being on line at the same time, so that the data security communication is realized.

For convenience of description, the above parts are described separately as modules (or units) according to functions. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.

Having described the trusted key management method and apparatus of the exemplary embodiments of the present application, an electronic device according to another exemplary embodiment of the present application is next described.

As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system.

The electronic equipment is based on the same inventive concept as the method embodiment, and the embodiment of the application also provides the electronic equipment. In this embodiment, the electronic device may be configured as shown in fig. 15, and may include a memory 1501, a communication module 1503, and one or more processors 1502.

A memory 1501 for storing computer programs executed by the processor 1502. The memory 1501 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, programs needed for running an instant messaging function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.

The memory 1501 may be a volatile memory (volatile memory), such as a random-access memory (RAM); the memory 1501 may also be a non-volatile memory (non-volatile memory), such as a read-only memory (rom), a flash memory (flash memory), a hard disk (HDD) or a solid-state drive (SSD); or memory 1501 is any other medium that can be used to carry or store a desired computer program in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 1501 may be a combination of the above memories.

The processor 1502 may include one or more Central Processing Units (CPUs), or be a digital processing unit, etc. A processor 1502 is configured to implement the above-described trusted key management method when a computer program stored in the memory 1501 is called.

The communication module 1503 is used for communicating with terminal devices and other servers.

The embodiment of the present application does not limit the specific connection medium among the memory 1501, the communication module 1503 and the processor 1502. In fig. 15, the memory 1501 and the processor 1502 are connected by a bus 1504, the bus 1504 is depicted by a thick line in fig. 15, and the connection manner between other components is merely illustrative and not limited. The bus 1504 may be divided into an address bus, a data bus, a control bus, and the like. For ease of description, only one thick line is depicted in fig. 15, but only one bus or one type of bus is not depicted.

The memory 1501 stores a computer storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are used to implement the trusted key management method according to the embodiment of the present application. The processor 1502 is configured to execute the above-described trusted key management method, as shown in fig. 4, 7, or 8.

A computing device 1600 according to such an embodiment of the present application is described below with reference to fig. 16. The computing device 1600 of fig. 16 is only one example and should not be taken to limit the scope of use and functionality of embodiments of the present application.

As shown in fig. 16, computing device 1600 is in the form of a general purpose computing device. Components of computing device 1600 may include, but are not limited to: the at least one processing unit 1601, the at least one storage unit 1602, and a bus 1603 to which different system components (including the storage unit 1602 and the processing unit 1601) are coupled.

Bus 1603 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.

The storage unit 1602 may include readable media in the form of volatile memory, such as a Random Access Memory (RAM) 16021 and/or a cache storage unit 16022, and may further include a Read Only Memory (ROM) 16023.

Storage unit 1602 may also include a program/utility 16025 having a set (at least one) of program modules 16024, such program modules 16024 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.

The computing apparatus 1600 may also communicate with one or more external devices 1604 (e.g., keyboard, pointing device, etc.), and may also communicate with one or more devices that enable a user to interact with the computing apparatus 1600, and/or any devices (e.g., router, modem, etc.) that enable the computing apparatus 1600 to communicate with one or more other computing apparatuses. Such communication may occur over an input/output (I/O) interface 1605. Moreover, the computing device 1600 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 1606. As shown, the network adapter 1606 communicates with other modules for the computing device 1600 over a bus 1603. It should be understood that although not shown, other hardware and/or software modules may be used in conjunction with the computing device 1600, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.

In some possible embodiments, the aspects of the trusted key management method provided by the present application may also be implemented in the form of a program product including a computer program for causing an electronic device to perform the steps in the trusted key management method according to various exemplary embodiments of the present application described above in this specification when the program product is run on the electronic device, for example, the electronic device may perform the steps as shown in fig. 4 or fig. 7 or fig. 8.

The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

The program product of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include a computer program, and may be run on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.

A readable signal medium may include a propagated data signal with a readable computer program embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a command execution system, apparatus, or device.

The computer program embodied on the readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer programs for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer program may execute entirely on the user computing device, partly on the user equipment, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).

It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided into embodiments by a plurality of units.

Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having a computer-usable computer program embodied therein.

While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims

1. A method for managing a trusted key, the method being applied to a trusted key hosting application, the method comprising:

and sending the first key ciphertext to the first target application, so that after the first target application decrypts the first key ciphertext, the first target application performs data communication with a second target application having the same metric information based on the obtained data encryption key, where the first target application and the second target application run in trusted execution environments in different physical nodes.

2. The method of claim 1, wherein before encrypting the data encryption key corresponding to the first target application to obtain a first key ciphertext, the method further comprises:

performing key exchange with the first target application to obtain a first session key;

the encrypting the data encryption key corresponding to the first target application to obtain a first key ciphertext includes:

3. The method of claim 1, wherein before encrypting the data encryption key corresponding to the first target application to obtain a first key ciphertext, the method further comprises:

4. The method of claim 3, wherein after the obtaining the data encryption key returned by the trusted key management service, further comprising:

and encrypting and sealing a key value pair consisting of the data encryption key and the measurement information of the first target application to the local.

5. The method of claim 3, wherein the obtaining the data encryption key returned by the trusted key management service comprises:

6. The method of any one of claims 1 to 5, further comprising, before obtaining the data encryption key from the trusted key management service in advance:

pre-configuring a first set of metric information for a trusted key management service;

7. A trusted key management method, applied to a trusted key management service, the method comprising:

8. The method of claim 7, wherein prior to encrypting the data encryption key generated for the first target application to obtain the second key ciphertext, further comprising:

carrying out key exchange with the trusted key escrow application to obtain a second session key;

the encrypting the data encryption key generated aiming at the first target application to obtain a second key ciphertext comprises:

9. The method of claim 7, wherein the data encryption key is determined by:

10. The method of claim 9, after said invoking the pre-set key derivation rule to generate the data encryption key, further comprising:

11. A method according to any of claims 7 to 10, wherein the running environment of the trusted key hosting application is determined to be legitimate by:

12. A trusted key management method, applied to a target application, the method comprising:

13. The method of claim 12, wherein before decrypting the first key ciphertext to obtain the data encryption key used by itself, further comprising:

carrying out key exchange with the trusted key escrow application to obtain a first session key;

the decrypting the first key ciphertext to obtain the data encryption key used by the user comprises:

14. The method of claim 12 or 13, wherein the determining that the execution environment of the trusted key hosting application located at the same physical node is legitimate comprises:

15. A trusted key management apparatus, applied to a trusted key hosting application, comprising:

the processing unit is used for encrypting a data encryption key corresponding to a first target application after determining that the running environment of the first target application located in the same physical node is legal to obtain a first key ciphertext; the data encryption key is acquired from a trusted key management service in advance and generated based on the measurement information of the first target application, and the trusted key management service runs in a cluster containing the physical node;

16. A trusted key management apparatus, applied to a trusted key management service, comprising:

17. A trusted key management device, applied to a target application, comprising:

18. An electronic device, characterized in that it comprises a processor and a memory, said memory storing a computer program which, when executed by said processor, causes said processor to carry out the steps of the method according to any one of claims 1 to 14.

19. A computer-readable storage medium, characterized in that it comprises a computer program for causing an electronic device to carry out the steps of the method according to any one of claims 1 to 14, when said computer program is run on said electronic device.

20. A computer program product, comprising a computer program stored in a computer readable storage medium; when a processor of an electronic device reads the computer program from the computer-readable storage medium, the processor executes the computer program, causing the electronic device to perform the steps of the method of any of claims 1-14.