CN114978626B - Trusted computing method, device, equipment and medium based on block chain - Google Patents

Info

Publication number: CN114978626B
Authority: CN (China)
Prior art keywords: key, computing, trusted, result, service
Legal status: Active
Application number: CN202210508272.7A
Other languages: Chinese (zh)
Other versions: CN114978626A (en)
Inventor: 荆博
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202210508272.7A
Publication of CN114978626A
Application granted
Publication of CN114978626B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a block chain-based trusted computing method, device, equipment and medium, relates to the technical field of computer data processing, in particular to the fields of cloud computing and block chains, and can be used in trusted computing scenes. The specific implementation scheme is as follows: responding to a trusted computing task execution request issued by a block chain network, and acquiring a computing logic program and an encrypted computing material required by a computing task; the encrypted computing material is obtained by carrying out encryption processing on an original computing material by an encryption key determined by a service demand side based on root private key derivation; the root private key is generated by the service provider in a trusted execution environment; in a trusted execution environment, a decryption key is deduced and determined according to a root private key, and the encrypted computing material is decrypted by using the decryption key to obtain an original computing material; and in the trusted execution environment, calling a calculation logic program to perform calculation analysis on the original calculation material to obtain a calculation result. The method and the device protect the data privacy security and effectively break the data barrier.

Description

Trusted computing method, device, equipment and medium based on block chain
Technical Field
The disclosure relates to the technical field of computer data processing, in particular to the field of cloud computing and the field of block chains, and can be used for trusted computing scenes.
Background
Trusted Computing (TC) refers to trusted computing platforms, supported by hardware-based security modules, that are widely used in computing and communication systems. Trusted computing can provide a trusted environment for data security and protect data privacy during data computation. Trusted computing is of great significance for breaking down data barriers, connecting data islands, and releasing the value of data safely and reliably.
Disclosure of Invention
The disclosure provides a block chain-based trusted computing method, device, equipment and medium.
According to an aspect of the present disclosure, a block chain-based trusted computing method is provided, which is executed by a service provider and includes:
responding to a trusted computing task execution request issued by a block chain network, and acquiring a computing logic program and an encrypted computing material required by a computing task; the encrypted computing material is obtained by carrying out encryption processing on an original computing material by an encryption key determined by a service demand side based on root private key derivation; the root private key is generated by the service provider in a trusted execution environment;
in the trusted execution environment, deriving and determining a decryption key according to the root private key, and decrypting the encrypted computing material by using the decryption key to obtain the original computing material;
and calling the calculation logic program to perform calculation analysis on the original calculation material in the trusted execution environment to obtain a calculation result.
According to another aspect of the present disclosure, there is provided a block chain-based trusted computing method, executed by a service demand side, including:
deriving and determining an encryption key based on the parent public key; the parent public key is derived by the service provider based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
encrypting the original calculation material by adopting the encryption key, and storing the encrypted calculation material;
issuing a trusted computing task execution request to a service provider through a blockchain network, to request the service provider to acquire a computing logic program and an encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform computing analysis on the original computing material to obtain a computing result.
According to another aspect of the present disclosure, there is provided a trusted computing method based on a block chain, performed by a block chain node, including:
acquiring a trusted computing task execution request issued by a service demand side, so that a service provider responds to the trusted computing task execution request by acquiring a computing logic program and encrypted computing material, deriving and determining a decryption key to decrypt the encrypted computing material, and calling the computing logic program to perform computing analysis on the original computing material to obtain a computing result;
in response to a request from the service provider to put the result on the chain, performing a security check on the result measurement report of the computing result carried in that request; wherein the result measurement report is used to uniquely characterize the original computing material and the computing logic of the computing result;
and if the security check is passed, storing the result measurement report and the computing result on the chain.
According to another aspect of the present disclosure, there is provided a block chain-based trusted computing device configured at a service provider, including:
the calculation data acquisition module is used for responding to a trusted computing task execution request issued by the blockchain network and acquiring a computing logic program and an encrypted computing material required by a computing task; the encrypted computing material is obtained by encrypting an original computing material with an encryption key that the service demand side derives and determines based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
a decryption key determining module, configured to derive and determine a decryption key according to the root private key in the trusted execution environment, and decrypt the encrypted computing material using the decryption key to obtain the original computing material;
and the calculation analysis module is used for calling the calculation logic program to perform calculation analysis on the original calculation material in the trusted execution environment to obtain a calculation result.
According to another aspect of the present disclosure, there is provided a block chain-based trusted computing device configured at a service demand side, including:
the encryption key determining module is used for deriving and determining an encryption key based on the parent public key; the parent public key is derived by the service provider based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
the material encryption processing module is used for encrypting the original calculation material by adopting the encryption key and storing the encrypted calculation material;
the trusted computing task execution request issuing module is used for issuing a trusted computing task execution request to a service provider through a block chain network so as to request the service provider to acquire a computing logic program and an encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform computing analysis on the original computing material to obtain a computing result.
According to another aspect of the present disclosure, there is provided a block chain-based trusted computing device configured at a block chain node, including:
the trusted computing task execution request acquisition module is used for acquiring a trusted computing task execution request issued by a service demand end, enabling the service providing end to respond to the trusted computing task execution request so as to acquire a computing logic program and an encrypted computing material, deducing and determining a decryption key to decrypt the encrypted computing material, and calling the computing logic program to perform computing analysis on the original computing material so as to obtain a computing result;
a calculation result security check module, configured to, in response to a request from the service provider to put the result on the chain, perform a security check on the result measurement report of the computing result carried in that request; wherein the result measurement report is used to uniquely characterize the original computing material and the computing logic of the computing result;
and the calculation result storage module is used for storing the result measurement report and the computing result on the chain if the security check is passed.
According to another aspect of the present disclosure, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a block chain based trusted computing method according to any one of the embodiments of the present disclosure.
According to another aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a block chain based trusted computing method according to any one of the embodiments of the present disclosure.
According to the technology disclosed by the invention, the data privacy and security are protected, and the data barrier is effectively broken.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a flowchart of a block chain-based trusted computing method according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure;
FIG. 3 is a flowchart of yet another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure;
FIG. 4 is a flowchart of a block chain based trusted computing method according to an embodiment of the present disclosure;
FIG. 5 is a flowchart of yet another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure;
FIG. 6 is a flowchart of a block chain based trusted computing method according to an embodiment of the present disclosure;
FIG. 7 is a flowchart of yet another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure;
FIG. 8 is a block diagram of yet another block chain based trusted computing system provided in accordance with an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of a block chain-based trusted computing device according to an embodiment of the present disclosure;
FIG. 10 is a schematic structural diagram of a block chain-based trusted computing device according to an embodiment of the present disclosure;
FIG. 11 is a schematic structural diagram of a block chain-based trusted computing device according to an embodiment of the present disclosure;
FIG. 12 is a block diagram of an electronic device used to implement the block chain based trusted computing method of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of embodiments of the present disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a flowchart of a block chain-based trusted computing method according to an embodiment of the present disclosure, where the embodiment of the present disclosure is applicable to a case where a service providing end provides a trusted computing service for a service requiring end based on a block chain network. The method can be executed by a trusted computing device based on a blockchain, which can be implemented in software and/or hardware, configured at a service provider and can be integrated into an electronic device carrying trusted computing functions based on the blockchain.
The technical solution of the present disclosure can be applied to a network architecture in which multiple parties cooperate. It mainly involves a service provider, a service demand side and a blockchain network, and may optionally include a decentralized storage network for storing massive data, as shown in FIG. 8. The service provider provides a business service to the service demand side, for example a face recognition service. The business service is completed using the raw material data of the service demand side and a corresponding computing logic program, and the service provider supplies the corresponding computational support. One or more service providers may provide one or more types of service, and one, usually more, service demand sides may send service processing requests to the service providers. In the technical solution of the present disclosure, the business service is processed in the trusted execution environment, and may therefore also be referred to as a trusted computing task or a computing task. In this process, the blockchain network can act as an organizer or manager: it can issue requests, store data and take charge of verification, among other functions, to manage and coordinate the interaction between the service provider and the service demand side and to ensure that the service process is executed reliably and securely. Based on the above system and scenario, the embodiments of the present disclosure first describe the process performed by the service provider.
As shown in fig. 1, the block chain-based trusted computing method of the present embodiment may include:
S101, responding to a trusted computing task execution request issued by a block chain network, and acquiring a computing logic program and an encrypted computing material required by a computing task.
The encrypted computing material is obtained by carrying out encryption processing on an original computing material by an encryption key determined by a service demand side based on root private key derivation; the root private key is generated by the service provider in a trusted execution environment.
The service demand side is the party that requests the trusted computing service, and it needs to provide the encrypted computing material. Specifically, the service demand side derives and determines an encryption key based on the root private key generated by the service provider in the trusted execution environment, and then encrypts the original computing material with the encryption key to obtain the encrypted computing material. By encrypting the original computing material, the service demand side ensures its data security and avoids disclosing user privacy data or enterprise business secrets.
The service provider is the party that provides the trusted computing service. A Trusted Execution Environment (TEE) is deployed in the service provider, and the service provider provides the trusted computing service to the service demand side based on the trusted execution environment. Specifically, the service provider generates a root private key in the trusted execution environment. The trusted execution environment is a secure area constructed in the central processing unit by software and hardware methods, and programs and data loaded into it are protected in confidentiality and integrity. The root private key is used to derive the encryption key and the decryption key.
Optionally, both the service demand side and the service provider side may install a blockchain client applicable to their role functions, and the service demand side and the service provider side may access the blockchain network based on the blockchain client to perform data interaction with the blockchain nodes. The block chain network is used as a data interaction channel between the service provider and the service demand, and the service provider and the service demand can perform data interaction based on the block chain network.
The trusted computing task execution request is used for requesting the service providing end to provide trusted computing service for the service requiring end.
The trusted computing task execution request may be obtained by the service provider by listening to the blockchain network, or obtained by the service provider from the blockchain network through a subscription service; this is determined according to actual service requirements and is not limited herein.
Optionally, the trusted computing task execution request may include encrypted computing material and data storage information of the computing logic program.
The service provider responds to the trusted computing task execution request issued by the blockchain network by acquiring the computing logic program and the encrypted computing material required by the computing task. Optionally, the service provider obtains the encrypted computing material and the computing logic program according to the data storage information in the trusted computing task execution request. The encrypted computing material and the computing logic program may be stored in the blockchain network or in another storage network, such as a decentralized storage network; this is determined according to actual business requirements and is not limited herein. The computing logic program is program code that implements a complete service function and can run in a trusted execution environment. Illustratively, the computing logic program may implement business functions such as blacklist collision, multi-platform loan analysis or total credit line statistics.
In an alternative embodiment, in response to a trusted computing task execution request issued by a blockchain network, obtaining a computing logic program and encrypted computing materials required by a computing task includes: and responding to a trusted computing task execution request issued by the blockchain network, and reading a computing logic program and an encrypted computing material required by the computing task from the blockchain network according to a program address and a material address in the trusted computing task execution request.
The program address is a storage address of the calculation logic program in the block chain network, and the material address is a storage address of the encryption calculation material in the block chain network.
And the service providing terminal responds to a trusted computing task execution request issued by the blockchain network, and reads a computing logic program and encrypted computing materials required by the computing task from the blockchain network according to a program address and a material address in the trusted computing task execution request.
According to the technical scheme, the block chain technology is applied to trusted computing, the computing logic program and the encrypted computing material are stored in the block chain network, the characteristics of encryption safety, tamper resistance and decentralization of the block chain network are fully utilized, data value flow exchange is achieved between the service demand end and the service providing end, and data safety is further guaranteed.
S102, in the trusted execution environment, deriving and determining a decryption key according to the root private key, and decrypting the encrypted computing material by using the decryption key to obtain the original computing material.
Because the encrypted computing material is obtained by encrypting the original computing material by using the encryption key determined by derivation based on the root private key, the service provider cannot directly perform computation analysis on the encrypted computing material. The service provider needs to decrypt the encrypted computing material, and specifically, the service provider derives a decryption key according to the root private key in a trusted execution environment, and decrypts the encrypted computing material by using the decryption key to obtain the original computing material.
S103, in the trusted execution environment, calling the calculation logic program to perform calculation analysis on the original calculation material to obtain a calculation result.
In the trusted execution environment, the service provider calls the computing logic program to perform computing analysis on the original computing material obtained by decryption, to obtain a computing result.
Specifically, the service provider transmits the original computing material and the computing logic program to the trusted execution environment, uses the original computing material as input data of the computing logic program, and calls the computing logic program in the trusted execution environment to perform computing analysis on the original computing material to obtain a computing result.
According to the embodiment of the disclosure, a block chain technology is applied to trusted computing, a service provider decrypts encrypted computing materials in a trusted execution environment, and a computing logic program is called to perform computing analysis on original computing materials obtained by decryption in the trusted execution environment, so that an application closed loop from a service demand end to the service provider is established, trusted computing services are provided for the service demand end on the premise that the original computing materials are not leaked to the outside, data privacy safety is effectively guaranteed, a data barrier is effectively broken, a data island is effectively connected, and data sharing circulation is safer and more reliable.
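The key split that S101 to S103 rely on, as an added example that is not code from the patent: the service demand side derives a per-task encryption public key from the published parent public key, and the service provider derives the matching decryption private key from the root private key inside the TEE. The text above does not name a derivation algorithm; the BIP32-style additive derivation on secp256k1, the ECDH key wrap, and the names `chain_code` and `task_id` are assumptions.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants; the curve choice is an assumption).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)


def add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def ser(pt):
    """Compressed SEC1 encoding of a point."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def scalar(data):
    """Map 32 bytes to a non-zero scalar modulo the group order."""
    k = int.from_bytes(data, "big") % N
    if k == 0:
        raise ValueError("derived scalar is zero; use another label")
    return k


def tee_parent_keys(root_priv):
    """Inside the TEE: root private key -> parent key pair and chain code."""
    mac = hmac.new(root_priv, b"parent/0", hashlib.sha512).digest()
    parent_priv = scalar(mac[:32])
    return parent_priv, mul(parent_priv, G), mac[32:]  # only pub + chain code leave


def tweak(parent_pub, chain_code, task_id):
    """Public tweak: computable by anyone who holds the parent public key."""
    msg = ser(parent_pub) + task_id
    return scalar(hmac.new(chain_code, msg, hashlib.sha512).digest()[:32])


def demand_encryption_pub(parent_pub, chain_code, task_id):
    """Service demand side: encryption key derived from public data only."""
    return add(parent_pub, mul(tweak(parent_pub, chain_code, task_id), G))


def demand_wrap_key(enc_pub):
    """Demand side: ephemeral ECDH yields the symmetric key for the material."""
    eph = secrets.randbelow(N - 1) + 1
    return mul(eph, G), hashlib.sha256(ser(mul(eph, enc_pub))).digest()


def tee_decryption_priv(root_priv, task_id):
    """Service provider, inside the TEE: decryption key from the root private key."""
    parent_priv, parent_pub, chain_code = tee_parent_keys(root_priv)
    return (parent_priv + tweak(parent_pub, chain_code, task_id)) % N


def tee_unwrap_key(dec_priv, eph_pub):
    """Inside the TEE: recompute the same symmetric key from the ephemeral point."""
    return hashlib.sha256(ser(mul(dec_priv, eph_pub))).digest()


def demo(task_id=b"task-0001"):  # constructed task identifier
    root_priv = secrets.token_bytes(32)  # stands in for the in-TEE root key
    parent_priv, parent_pub, chain_code = tee_parent_keys(root_priv)
    enc_pub = demand_encryption_pub(parent_pub, chain_code, task_id)
    eph_pub, sender_key = demand_wrap_key(enc_pub)
    dec_priv = tee_decryption_priv(root_priv, task_id)
    return {"parent_priv": parent_priv, "parent_pub": parent_pub,
            "chain_code": chain_code, "enc_pub": enc_pub, "dec_priv": dec_priv,
            "sender_key": sender_key,
            "receiver_key": tee_unwrap_key(dec_priv, eph_pub)}


if __name__ == "__main__":
    result = demo()
    print("keys match:", result["sender_key"] == result["receiver_key"])
```

With additive derivation, a derived decryption private key together with the public `chain_code` is enough to recompute the parent private key, so derived keys need the same in-TEE handling as the root private key. The 32-byte symmetric key would feed an authenticated cipher such as AES-GCM to encrypt the computing material.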
In an optional embodiment, the block chain-based trusted computing method further includes: generating, in the trusted execution environment, the root private key based on a random number; and encrypting the root private key by using a trusted hardware key, and storing the encrypted root private key into an external storage space of the trusted execution environment.
The random number is an unpredictable number generated randomly in the trusted execution environment. Optionally, the random number is generated by a random number generator built into the trusted execution environment. The trusted hardware key refers to a TEE hardware key built into the trusted execution environment. The external storage space is storage space located outside the trusted execution environment. It is needed because the trusted execution environment is a secure area built into the central processing unit by software and hardware methods and, generally speaking, cannot store data persistently; the encrypted root private key therefore needs to be stored persistently in an external storage space of the trusted execution environment. The external storage space may be internal to the service provider or external to the service provider, in which case the external storage space may be a blockchain network or a decentralized storage network.
The service provider generates a root private key in the trusted execution environment based on the random number, then encrypts the root private key with the trusted hardware key built into the trusted execution environment, and stores the encrypted root private key in an external storage space of the trusted execution environment. It follows that recovering the original unencrypted root private key from the root private key encrypted by the trusted hardware key requires decryption with the trusted hardware key. Without the trusted hardware key, even the service provider that controls the generation of the root private key cannot recover the original unencrypted root private key from the encrypted root private key.
According to the technical scheme, the service provider generates the root private key based on the random number in the trusted execution environment, and encrypts the root private key by using the trusted hardware key, so that the security of the root private key is effectively ensured, and technical support is provided for safe and reliable sharing and circulation of data. According to the technical scheme, the encrypted root private key is stored in the external storage space of the trusted execution environment, so that the root private key is stored persistently and is convenient for subsequent decryption processing and use.
In an optional embodiment, before deriving and determining a decryption key according to the root private key in the trusted execution environment, the method further includes: and acquiring an encrypted root private key, and decrypting the encrypted root private key by using a trusted hardware secret key of the trusted execution environment.
The encrypted root private key is obtained by encrypting the root private key by using a trusted hardware key of a trusted execution environment. The encrypted root private key is stored in a memory space external to the trusted execution environment.
The service providing end obtains the encrypted root private key from the external storage space of the trusted execution environment, and the service providing end decrypts the encrypted root private key in the trusted execution environment by using the trusted hardware key of the trusted execution environment to recover the original root private key.
According to the technical scheme, the encrypted root private key is obtained, the encrypted root private key is decrypted by using the trusted hardware key of the trusted execution environment, the original root private key is recovered from the encrypted root private key, and data support is provided for deducing and determining the decryption key of the encrypted computing material.
FIG. 2 is a flowchart of another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure; the present embodiment is an alternative proposed on the basis of the above-described embodiments. Specifically, the operation "derive and determine a decryption key according to the root private key in the trusted execution environment" is refined.
Referring to FIG. 2, the block chain-based trusted computing method provided in this embodiment includes:
S201, in response to a trusted computing task execution request issued by the block chain network, acquiring the computing logic program and the encrypted computing material required by the computing task.
S202, acquiring key derivation information from the block chain network, and passing it into the trusted execution environment.
The key derivation information is the derivation information used by the service demand side to derive and determine the encryption key.
To recover the original computing material from the encrypted computing material, the service provider needs to derive and determine a decryption key and decrypt the encrypted computing material with it.
Specifically, the service provider passes the key derivation information into the trusted execution environment and, inside it, derives and determines the decryption key based on the key derivation information.
S203, in the trusted execution environment, deriving the decryption key based on the root private key and the key derivation information, and decrypting the encrypted computing material by using the decryption key to obtain the original computing material.
Since the encryption key is derived from the root private key, the key derivation information records the association between the decryption key and the root private key, and the service provider can determine the decryption key from the root private key and the key derivation information.
In the trusted execution environment, the service provider derives the decryption key based on the root private key and the key derivation information, and decrypts the encrypted computing material with the decryption key to obtain the original computing material. The encryption key and the decryption key are preferably asymmetric keys.
S204, in the trusted execution environment, calling the computing logic program to perform calculation and analysis on the original computing material to obtain a calculation result.
According to the technical scheme provided by this embodiment of the disclosure, the service provider derives the decryption key in the trusted execution environment based on the root private key and the key derivation information, decrypts the encrypted computing material with the decryption key to obtain the original computing material, and calls the computing logic program in the trusted execution environment to perform calculation and analysis on the original computing material to obtain a calculation result. Because the decryption key derivation, the decryption of the encrypted computing material and the calculation on the original computing material are all executed inside the trusted execution environment, the decryption key and the original computing material remain invisible and the original computing material is not exposed to the service provider. This ensures the security of the decryption key and of the original computing material, and further improves data privacy security.
In an alternative embodiment, the key derivation information includes an encryption key hierarchy and an encryption key number; the encryption key is a child public key derived from a parent public key and the key derivation information, and the decryption key is the child private key corresponding to the child public key. The parent public key is determined based on the root private key and assigned to the service demand side.
The encryption key hierarchy and the encryption key number record the association between the parent public key and the child public key. The parent public key is used to determine the encryption key as well as the decryption key.
The encryption key hierarchy determines the hierarchical relationship between the child public key and the parent public key, and the encryption key number determines the key number of the child public key within the key hierarchy. The service demand side derives and determines the child public key from the parent public key, and generates the key derivation information of the child public key from the child public key's encryption key hierarchy and encryption key number. Optionally, the service demand side invokes a Key Management Service (KMS) and derives the child public key from the parent public key based on a hierarchical deterministic encryption and decryption algorithm. The service demand side encrypts the original computing material with the child public key and stores the key derivation information in the block chain network.
Given a known parent public key, a definite child public key can be derived from the encryption key hierarchy and the encryption key number. In the trusted execution environment, the service provider derives and determines the child private key corresponding to the child public key based on the key derivation information. Correspondingly, the service provider invokes a Key Management Service (KMS) and, based on the hierarchical deterministic encryption and decryption algorithm, derives and determines the child private key from the parent public key according to the encryption key hierarchy. The encrypted computing material is then decrypted with the child private key inside the trusted execution environment.
This technical scheme provides an encryption and decryption mechanism for the original computing material. Because encryption uses a child public key derived from the parent public key, the original computing material can be recovered from the encrypted computing material only with the child private key that the service provider determines from the key derivation information. This raises the difficulty of decrypting the encrypted computing material and further improves data privacy security.
The embodiment of the present disclosure provides another block chain-based trusted computing method, which is an alternative proposed on the basis of the above embodiments. Specifically, in response to a key distribution request from the service demand side, the service provider derives and determines a parent public key in the trusted execution environment based on a pre-generated root private key, and feeds the parent public key back to the service demand side; the parent public key is used to derive the encryption key.
The key distribution request corresponds to the service demand side, is generated by the service demand side, and requests the service provider to distribute a parent public key to the service demand side. The parent public key is derived and determined by the service provider based on the pre-generated root private key.
In response to the key distribution request of the service demand side, the service provider derives and determines the parent public key in the trusted execution environment based on the pre-generated root private key, and feeds the parent public key back to the service demand side. After receiving the parent public key, the service demand side derives and determines an encryption key based on the parent public key, and encrypts the original computing material with the encryption key.
Optionally, when there are at least two service demand sides, the service provider allocates a different parent public key to each service demand side, so as to avoid disclosing the private data of different service demand sides.
This embodiment ensures the security of the parent public key by deriving and determining it in the trusted execution environment. With the security of the parent public key ensured, the encryption key is derived from the parent public key and used to encrypt the original computing material, which ensures the data security of the original computing material and effectively avoids leakage of private data.
In an optional embodiment, the service provider further generates a key measurement report for the parent public key according to the derivation algorithm of the parent public key, and feeds the key measurement report back to the service demand side.
The derivation algorithm of the parent public key is used to derive the parent public key from the root private key. Alternatively, the derivation algorithm of the parent public key may be a hierarchical deterministic encryption algorithm. The key measurement report is associated with the parent public key and is used to evaluate the security of the parent public key.
After deriving and determining the parent public key from the root private key with the derivation algorithm, the service provider also generates a key measurement report for the parent public key according to the operating characteristics of that derivation algorithm. Optionally, the service provider generates the key measurement report for the parent public key according to the operating environment of the derivation algorithm. The service provider feeds the key measurement report back to the service demand side, and the service demand side performs security verification on the parent public key according to the key measurement report.
In this technical scheme, the service provider generates a key measurement report for the parent public key according to the derivation algorithm of the parent public key, so that the parent public key can be verified and traced. The service provider feeds the key measurement report back to the service demand side, which makes it convenient for the service demand side to perform security verification on the parent public key and provides data support for that verification.
FIG. 3 is a flowchart of yet another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure; this embodiment is an alternative proposed on the basis of the above-described embodiments. Specifically, after the operation "in the trusted execution environment, the computing logic program is called to perform calculation and analysis on the original computing material to obtain a calculation result", the following operation is added: "generating unique characterization data according to the original computing material and the computing logic program, and generating a result measurement report for the calculation result according to the unique characterization data; and generating a result uplink processing request according to the calculation result and the result measurement report, and sending the result uplink processing request to the block chain network for uplink distribution."
Referring to FIG. 3, the block chain-based trusted computing method provided in this embodiment includes:
S301, in response to a trusted computing task execution request issued by the blockchain network, acquiring the computing logic program and the encrypted computing material required by the computing task.
The encrypted computing material is obtained by carrying out encryption processing on an original computing material by an encryption key determined by a service demand side based on root private key derivation; the root private key is generated by the service provider in a trusted execution environment.
S302, in the trusted execution environment, a decryption key is derived and determined according to the root private key, and the encrypted computing material is decrypted by using the decryption key to obtain the original computing material.
S303, in the trusted execution environment, calling the computing logic program to perform calculation and analysis on the original computing material to obtain a calculation result.
S304, generating unique characterization data according to the original calculation material and the calculation logic program, and generating a result measurement report for the calculation result according to the unique characterization data.
The unique characterization data is used to uniquely represent a trusted computing task. It can be understood that the process in which the service provider provides the trusted computing service to the service demand side is in fact the process of calling the computing logic program to analyze and compute the original computing material and obtain the calculation result. The original computing material and the computing logic program are the two necessary elements of a trusted computing task; together they uniquely determine one trusted computing task, and both are directly related to the calculation result.
The unique characterization data can be determined according to the data characteristics of the original computing material and the operating characteristics of the computing logic program. The original computing material is provided by the service demand side, and its data characteristics can include service demand side information; the operating characteristics may include the program execution environment.
The service provider generates a result measurement report for the calculation result according to the unique characterization data. The result measurement report quantitatively describes the attributes of the calculation result, and the validity and security of the calculation result can be verified according to it.
S305, generating a result uplink processing request according to the calculation result and the result measurement report, and sending the result uplink processing request to the block chain network for uplink distribution.
The result uplink processing request is generated by the service provider and sent to the blockchain network. Optionally, the result uplink processing request includes the calculation result and the result measurement report. It requests that the blockchain node distribute the calculation result and the result measurement report to the blockchain network. The calculation result may be encrypted or unencrypted; preferably it is encrypted, which prevents the calculation result from being leaked and ensures data security.
The service provider generates a result uplink processing request according to the calculation result and the result measurement report, and sends it to the block chain network for uplink distribution. In response to the result uplink processing request, the blockchain nodes in the block chain network perform validity verification on the calculation result and the result measurement report, and store them in the block chain network if the validity verification passes.
In the technical scheme of this embodiment, the service provider generates unique characterization data according to the original computing material and the computing logic program, generates a result measurement report for the calculation result according to the unique characterization data, generates a result uplink processing request according to the calculation result and the result measurement report, and sends the result uplink processing request to the block chain network for uplink distribution. This gives a quantitative description of the attributes of the calculation result, so that the calculation result is traceable and verifiable, data support is provided for subsequently verifying the validity of the calculation result, and the security of private data is further ensured.
Fig. 4 is a flowchart of a block chain-based trusted computing method provided in an embodiment of the present disclosure, where the embodiment of the present disclosure is applicable to a case where a service providing end provides a trusted computing service for a service requiring end based on a block chain network. The method can be executed by a trusted computing device based on a blockchain, which can be implemented in software and/or hardware, and is configured at a service demand side and can be integrated into an electronic device carrying trusted computing functions based on the blockchain. As shown in fig. 4, the block chain-based trusted computing method of the present embodiment may include:
S401, deriving and determining an encryption key based on the parent public key.
The parent public key is derived by the service provider based on a root private key; the root private key is generated by the service provider in a trusted execution environment.
The service provider generates a root private key in a trusted execution environment and derives and determines a parent public key based on the root private key. The service provider distributes the parent public key to the service demand side, and the service demand side derives and determines an encryption key based on the parent public key.
S402, encrypting the original calculation material by adopting the encryption key, and storing the encrypted calculation material.
The service demand side encrypts the original calculation material by adopting the encryption key to obtain the encrypted calculation material, and the service demand side stores the encrypted calculation material. Optionally, the service requirement side may store the encrypted computing material in the blockchain network or other external storage networks.
S403, issuing a trusted computing task execution request to the service provider through the blockchain network, to request the service provider to acquire the computing logic program and the encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform calculation and analysis on the original computing material to obtain a calculation result.
After the encrypted computing material is obtained, the service demand side generates a trusted computing task execution request and issues it to the block chain network, through which it is delivered to the service provider.
In response to the trusted computing task execution request issued by the block chain network, the service provider obtains the computing logic program and the encrypted computing material required by the computing task. The computing logic program is developed in advance according to the actual business requirement. The service provider passes the computing logic program and the encrypted computing material into the trusted execution environment, where it derives and determines a decryption key according to the root private key and decrypts the encrypted computing material with the decryption key to obtain the original computing material.
In the trusted execution environment, the service provider calls the computing logic program to perform calculation and analysis on the decrypted original computing material to obtain a calculation result.
Block chain technology is thus applied to trusted computing. The encryption key is derived by the service demand side based on the parent public key; the parent public key is derived by the service provider based on the root private key; and the root private key is generated by the service provider in the trusted execution environment. The service demand side encrypts the original computing material with the encryption key and stores the encrypted computing material. The service demand side then issues a trusted computing task execution request to the service provider through the block chain network, requesting the service provider to decrypt the encrypted computing material in the trusted execution environment and to call the computing logic program there to perform calculation and analysis on the decrypted original computing material. This establishes a closed application loop from the service demand side to the service provider.
In an alternative embodiment, deriving and determining the encryption key based on the parent public key includes: calling a key management service, and deriving a child public key based on key derivation information and the parent public key; wherein the key derivation information includes an encryption key hierarchy and an encryption key number.
The key management service is used for managing keys: a root private key is created as needed based on the key management service, and an encryption key and a decryption key are determined based on the root private key. Optionally, the key management service may be a KMS (Key Management Service); the KMS service is a novel product activation mechanism in products after Windows Vista, and is used for suppressing illegal software authorization behaviors.
The encryption key hierarchy and the encryption key number record the association between the parent public key and the child public key. The encryption key hierarchy determines the hierarchical relationship between the child public key and the parent public key, and the encryption key number determines the key number of the child public key within the key hierarchy.
When the parent public key is known, the service demand side can derive and determine the child public key based on the key derivation information and the parent public key; specifically, the service demand side derives and determines the child public key from the parent public key based on the encryption key hierarchy and the encryption key number.
This technical scheme provides an encryption mechanism for the original computing material: the service demand side derives the child public key based on the key derivation information and the parent public key, and encrypts the original computing material with the child public key to obtain the encrypted computing material. This raises the difficulty of decrypting the encrypted computing material and further improves data privacy security.
FIG. 5 is a flowchart of yet another block chain based trusted computing method provided in accordance with an embodiment of the present disclosure; the present embodiment is an alternative proposed on the basis of the above-described embodiments. Specifically, before the operation "deriving and determining an encryption key based on a parent public key", the following operation is added: "acquiring a key measurement report of the parent public key generated by the service provider; and performing security verification on the parent public key according to the key measurement report."
Referring to FIG. 5, the block chain-based trusted computing method provided in this embodiment includes:
S501, acquiring a key measurement report of the parent public key generated by the service provider.
The parent public key is derived by the service provider based on the root private key, and the key measurement report is generated by the service provider according to the derivation algorithm of the parent public key.
And the service demand side acquires a key measurement report of the parent public key generated by the service provider side.
S502, performing security verification on the parent public key according to the key measurement report.
The key measurement report quantitatively describes the attributes of the parent public key. Parent public keys and key measurement reports correspond one to one, and the key measurement report can be used to evaluate the security of the parent public key. The service demand side performs security verification on the parent public key according to the key measurement report.
S503, deriving and determining an encryption key based on the parent public key.
If the security verification of the parent public key passes, the parent public key is safe and valid, and the service demand side derives and determines an encryption key based on the parent public key.
If the security check of the parent public key is not passed, the parent public key is indicated to be unsafe, and the parent public key cannot be used for deriving and determining the encryption key.
S504, the encryption key is adopted to encrypt the original calculation material, and the encrypted calculation material is stored.
The service demand side encrypts the original calculation material by adopting the encryption key to obtain the encrypted calculation material, and stores the encrypted calculation material.
S505, issuing a trusted computing task execution request to the service provider through the blockchain network, to request the service provider to acquire the computing logic program and the encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform calculation and analysis on the original computing material to obtain a calculation result.
According to the technical scheme provided by this embodiment of the disclosure, security verification is performed on the parent public key by means of its key measurement report. After the security verification of the parent public key passes, an encryption key is derived and determined based on the parent public key and used to encrypt the original computing material to obtain the encrypted computing material. This ensures the security of the encryption key, reduces the risk of leaking the original computing material, and protects the privacy of user data.
In an optional embodiment, performing security verification on the parent public key according to the key measurement report includes: acquiring a key measurement report of the parent public key from the blockchain network as a reference measurement report; acquiring a key measurement report of the parent public key from the service provider as a measurement report to be verified; matching the reference measurement report with the measurement report to be verified to obtain a matching result; and determining the security verification result of the parent public key according to the matching result.
The blockchain network has the features of cryptographic security, tamper resistance and decentralization. Before the key measurement report of the parent public key is stored on the blockchain network, the blockchain node performs a validity check on it; that is, a key measurement report obtained from the blockchain network has already passed the validity check, is trusted, and can be used as the reference measurement report.
The key measurement report fed back by the service provider has not been subjected to security verification, so its security is unknown, and it is used as the measurement report to be verified.
Parent public keys that have the same key measurement report are the same. The reference measurement report therefore serves as the security reference standard for the measurement report to be verified: the two reports are matched to obtain a matching result, and the security verification result of the parent public key is determined according to the matching result.
If the reference measurement report is successfully matched with the measurement report to be verified, the security verification of the parent public key passes. If the matching fails, the security verification of the parent public key does not pass.
This technical scheme provides a parent public key security verification method: the key measurement report acquired from the block chain network is matched against the key measurement report acquired from the service provider to obtain a matching result, and the security verification result of the parent public key is determined according to the matching result. This realizes security verification of the parent public key and reduces the risk of the parent public key being tampered with, so that the security of the encryption key is ensured and the privacy of user data is protected.
In an optional embodiment, performing security verification on the parent public key according to the key measurement report includes: calling a remote verification service to verify the generation environment of the key measurement report to obtain a generation environment verification result; judging, according to the generation environment verification result, whether the generation environment of the key measurement report is the trusted execution environment, to obtain a generation environment judgment result; and determining the security verification result of the parent public key according to the generation environment judgment result.
The remote verification service is used for requesting a third party to verify the generation environment of the key measurement report. Optionally, the third party may be a TEE hardware vendor. For example, the service demand side may directly invoke a remote verification service of a TEE execution environment provided by a TEE hardware vendor to verify the generation environment of the key measurement report, or invoke a talker service request participant through a blockchain network to verify the generation environment of the key measurement report. The choice depends on actual service requirements and is not limited herein.
The service demand side calls the remote verification service to verify the generation environment of the key measurement report and obtains a generation environment verification result, which is used to judge whether the generation environment of the key measurement report is a trusted execution environment. If it is, the parent public key was generated in the trusted execution environment, and the security verification of the parent public key passes. If it is not, the parent public key was not generated in the trusted execution environment; in that case the parent public key carries a leakage risk, and its security verification does not pass.
This technical scheme provides a parent public key security verification method: a remote verification service is called to verify whether the generation environment of the key measurement report is a trusted execution environment. This reduces the leakage risk of the parent public key, so that the security of the encryption key is ensured and the privacy of user data is protected.
It can be understood that the two parent public key security verification methods above are independent of each other and may be used separately or together. When both methods are used to verify the parent public key, their security verification results can be combined to determine whether the parent public key is secure.
Fig. 6 is a flowchart of a blockchain-based trusted computing method provided according to an embodiment of the present disclosure. This embodiment is applicable where a service provider provides a trusted computing service for a service demand side based on a blockchain network. The method may be performed by a blockchain-based trusted computing apparatus, which may be implemented in software and/or hardware, is configured at a blockchain node, and may be integrated in an electronic device carrying a blockchain-based trusted computing function.
Referring to Fig. 6, the blockchain-based trusted computing method provided in this embodiment includes:
S601, obtaining a trusted computing task execution request issued by a service demand side, so that a service provider, in response to the trusted computing task execution request, obtains a computing logic program and encrypted computing material, derives a decryption key to decrypt the encrypted computing material, and calls the computing logic program to compute on and analyze the original computing material to obtain a calculation result.
The trusted computing task execution request asks the service provider to provide a trusted computing service for the service demand side. It is generated by the service demand side.
The service demand side generates a trusted computing task execution request and issues it to the blockchain network. A blockchain node in the blockchain network obtains the request and notifies the service provider. In response, the service provider obtains the computing logic program and the encrypted computing material required by the computing task and passes both into the trusted execution environment. Inside the trusted execution environment, the service provider derives the decryption key from the root private key and uses it to decrypt the encrypted computing material, obtaining the original computing material. Still inside the trusted execution environment, the service provider calls the computing logic program to compute on and analyze the decrypted original computing material, obtaining the calculation result.
S602, in response to a result uplink processing request from the service provider, performing a security check on the result measurement report of the calculation result in the result uplink processing request.
The result measurement report uniquely characterizes the original computing material and the computing logic of the calculation result.
The service provider generates unique characterization data from the original computing material and the computing logic program, and generates a result measurement report for the calculation result from that unique characterization data. The original computing material and the computing logic program are the two necessary elements of a trusted computing task: together they uniquely determine one trusted computing task, and both bear directly on the calculation result.
The result uplink processing request is generated by the service provider and sent to the blockchain network. Optionally, it includes the calculation result and the result measurement report. It asks the blockchain node to publish the calculation result and the result measurement report to the blockchain network.
The blockchain node responds to the service provider's result uplink processing request by performing a security check on the result measurement report of the calculation result in the request. Checking the result measurement report is, in effect, checking the original computing material and the computing logic program.
S603, if the security check passes, performing uplink storage of the result measurement report and the calculation result.
If the security check passes, the result measurement report and the calculation result are secure and valid, and the blockchain node stores them on the chain.
This embodiment applies blockchain technology to trusted computing: the service provider and the service demand side are organized through the blockchain network, establishing a closed application loop from the service demand side to the service provider.
FIG. 7 is a flowchart of yet another blockchain-based trusted computing method provided according to an embodiment of the present disclosure. This embodiment is an alternative proposed on the basis of the above embodiments. Specifically, it refines the operation "performing a security check on the result measurement report of the calculation result in the result uplink processing request".
Referring to fig. 7, the block chain-based trusted computing method provided in this embodiment includes:
S701, obtaining a trusted computing task execution request issued by a service demand side, so that the service provider, in response to the trusted computing task execution request, obtains a computing logic program and encrypted computing material, derives a decryption key to decrypt the encrypted computing material, and calls the computing logic program to compute on and analyze the original computing material to obtain a calculation result.
S702, in response to a result uplink processing request from the service provider, verifying the computing logic program of the result measurement report to obtain a computing logic verification result.
The blockchain node responds to the service provider's result uplink processing request by invoking a smart contract in the blockchain network to verify the computing logic program of the result measurement report. That is, it verifies whether the computing logic program corresponding to the result measurement report is consistent with the computing logic program specified by the service demand side.
If the computing logic program of the result measurement report is consistent with the one specified by the service demand side, the computing logic verification passes, and the generation environment of the result measurement report can be verified next. If it is inconsistent, the computing logic verification fails, the security check is directly determined to have failed, and the result measurement report and the calculation result cannot be stored on the chain.
S703, if the computing logic verification passes, calling an oracle service to request at least two participants to verify the generation environment of the result measurement report, obtaining a generation environment verification result.
If the computing logic verification passes, the blockchain node goes on to verify the generation environment of the result measurement report. Specifically, by calling the oracle service, the blockchain node requests at least two participants to verify whether the generation environment of the result measurement report is a trusted execution environment.
A participant may be a third party outside the blockchain. Optionally, a participant may be a TEE hardware vendor.
The oracle service helps smart contracts on the blockchain connect to data outside the blockchain network, completing data exchange between the blockchain network and the real world. Data outside the blockchain network may be data from the internet or data from the real world. Optionally, the oracle service may be a decentralized oracle service. The blockchain node calls the oracle service, which requests the remote verification services of at least two participants; the remote verification services of different participants are independent of each other. The remote verification service may be the remote verification service for the TEE execution environment provided by a TEE hardware vendor.
The oracle service determines whether the generation environment of the result measurement report is a trusted execution environment from the verification results returned by the independent remote verification services. Optionally, the oracle service computes the proportion of verification results that passed among all verification results, obtaining a pass proportion. The pass proportion is compared with a preset proportion threshold; if the pass proportion is greater than the preset proportion threshold, the generation environment of the result measurement report is determined to be a trusted execution environment. The preset proportion threshold is set in advance according to actual service requirements and is not limited here. Illustratively, the preset proportion threshold may be more than 2/3 or more than 1/2.
S704, determining a security check result according to the generation environment verification result.
It is determined, according to the result measurement report, whether its generation environment is a trusted execution environment.
If the result measurement report was generated in the trusted execution environment, the result measurement report and the calculation result are secure and valid, and they can be determined to have passed the security check.
If the result measurement report was not generated in the trusted execution environment, the result measurement report and the calculation result are at risk of having been tampered with, and they fail the security check.
S705, if the security check passes, performing uplink storage of the result measurement report and the calculation result.
When the result measurement report and the calculation result pass the security check, they are stored on the chain.
If the result measurement report and the calculation result fail the security check, they cannot be stored on the chain.
In the technical solution provided by this embodiment of the disclosure, the blockchain node first verifies the computing logic program of the result measurement report and, only if that verification passes, calls the oracle service to verify the generation environment of the result measurement report and judge whether the report was generated in a trusted execution environment. This ordering improves the resource utilization of the blockchain node. The blockchain node stores the result measurement report and the calculation result on the chain only when the result measurement report was generated in a trusted execution environment, which ensures the validity and security of the result measurement report and the calculation result.
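The two-stage check of S702 to S704, as an added example that is not part of the patent text: the cheap computing logic comparison runs first, and the participants are only queried if it passes. The SHA-256 digests, the report fields, the verifier callables and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class ResultMeasurementReport:
    # Hypothetical layout; the page does not define the report's fields.
    program_digest: str   # digest of the computing logic program that ran
    material_digest: str  # digest of the original computing material
    evidence: bytes       # attestation evidence from the TEE (opaque here)


def make_report(program: bytes, material: bytes, evidence: bytes):
    """Provider side: bind a result to exactly one program and one input."""
    return ResultMeasurementReport(
        hashlib.sha256(program).hexdigest(),
        hashlib.sha256(material).hexdigest(),
        evidence,
    )


def generation_env_trusted(report, verifiers, threshold):
    """S703: ask independent participants; pass only above the threshold."""
    if len(verifiers) < 2:
        raise ValueError("at least two independent participants are required")
    passed = 0
    for verify in verifiers:
        try:
            if verify(report) is True:
                passed += 1
        except Exception:
            continue  # an unreachable or failing verifier counts as "not passed"
    # Exact fractions avoid float rounding; the comparison is strictly "greater".
    return Fraction(passed, len(verifiers)) > threshold


def security_check(report, expected_program_digest, verifiers,
                   threshold=Fraction(2, 3)):
    """S702 then S703/S704; returns the decision for uplink storage."""
    if not hmac.compare_digest(report.program_digest, expected_program_digest):
        return "reject: computing logic mismatch"
    if not generation_env_trusted(report, verifiers, threshold):
        return "reject: generation environment not trusted"
    return "accept: uplink storage"


# Constructed sample data and stand-in remote verification services.
PROGRAM = b"def run(rows): return sum(rows)"
MATERIAL = b"1,2,3"
GENUINE = b"constructed-genuine-evidence"
EXPECTED_DIGEST = hashlib.sha256(PROGRAM).hexdigest()
calls = []  # records which verifiers were actually queried


def vendor_ok(report):
    calls.append("ok")
    return report.evidence == GENUINE


def vendor_down(report):
    calls.append("down")
    raise TimeoutError("constructed outage")


if __name__ == "__main__":
    good = make_report(PROGRAM, MATERIAL, GENUINE)
    print(security_check(good, EXPECTED_DIGEST, [vendor_ok] * 3))
    print(security_check(good, EXPECTED_DIGEST,
                         [vendor_ok, vendor_ok, vendor_down]))
```

With one of three verifiers unavailable the pass proportion is exactly 2/3, which is not greater than a 2/3 threshold, so the report is rejected; the same votes pass a 1/2 threshold.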
FIG. 8 is a block diagram of yet another blockchain-based trusted computing system provided according to an embodiment of the present disclosure. As shown in Fig. 8, a blockchain-based trusted computing system includes a service provider, a service demand side and a blockchain network.
The service provider is the party that provides the trusted computing service. A trusted execution environment (TEE environment) is deployed at the service provider, and the service provider provides the trusted computing service to the service demand side based on that trusted execution environment.
The service demand side is the party that requests the trusted computing service, and it must supply the encrypted computing material. The encrypted computing material is obtained by encrypting the original computing material with a child public key, derived from a parent public key, as the encryption key. The parent public key is derived by the service provider from a root private key generated in the trusted execution environment. There may be multiple service demand sides. Fig. 8 shows the case where two service demand sides (service demand side 1 and service demand side 2) request trusted computing from one service provider. The blockchain-based trusted computing method is explained below using service demand side 1; the process for service demand side 2 is similar and is not repeated here.
Before requesting a trusted computing service from the service provider, a service demand side must request the service provider to distribute the parent public key needed to determine the encryption key.
The service provider determines the parent public key as follows:
1. The service provider first calls a random number generation service in the trusted execution environment (TEE environment), requesting a random number generator to generate a random number.
2. The service provider generates a root private key based on the random number in the TEE environment. Specifically, the service provider first calls a key management service (KMS service) to initialize a parent public key in the TEE environment.
3. The service provider calls the parent public key derivation service in the key management service and derives the parent public key from the root private key. The service provider also generates a key measurement report for the parent public key according to the derivation algorithm of the parent public key.
4. The service provider sends the parent public key and its key measurement report to the service demand side.
Note that when there is more than one service demand side, the parent public keys that the service provider allocates to different service demand sides differ from one another: parent public key 1, allocated to service demand side 1, is different from parent public key 2, allocated to service demand side 2.
Optionally, after the service provider generates the root private key, the service provider encrypts the root private key by using a trusted hardware key built in the TEE environment, and stores the encrypted root private key in an external storage space of the TEE environment. Optionally, the service provider stores the encrypted root private key in a decentralized storage network or a blockchain network.
Service demand side 1 derives the encryption key from parent public key 1, which the service provider derived from the root private key, as follows:
1. Service demand side 1 performs a security check on parent public key 1 according to the key measurement report of parent public key 1.
2. If parent public key 1 passes the security check, service demand side 1 calls a key management service to derive child public key 1 from parent public key 1 using a hierarchical deterministic encryption algorithm, and determines the key derivation information from the derivation information used to derive child public key 1. The key derivation information includes the level of child public key 1 and the number of child public key 1.
3. Service demand side 1 encrypts the original computing material with child public key 1 to obtain the encrypted computing material.
4. Service demand side 1 stores the key derivation information and the encrypted computing material. Optionally, it stores them in the decentralized storage network or the blockchain network.
After storing the key derivation information and the encrypted computing material, service demand side 1 obtains their storage address as the material address. Service demand side 1 also needs to obtain, as the program address, the storage address of the computing logic program required for the trusted computation. The computing logic program is program code that implements a complete service function and can run in a trusted execution environment. It is stored in advance in the decentralized storage network or the blockchain network by the technology provider.
Service demand side 1 generates a trusted computing task execution request from the program address and the material address and issues it to the blockchain network. The blockchain network obtains the trusted computing task execution request issued by the service demand side, so that the service provider responds to the request and provides the trusted computing service for the service demand side.
The service provider's response to the trusted computing task execution request consists of two steps: decrypting the encrypted computing material, and computing on the original computing material.
The encrypted computing material is decrypted as follows:
1. In response to the trusted computing task execution request issued by the blockchain network, the service provider obtains the encrypted computing material and the key derivation information required by the computing task according to the material address in the request.
2. The service provider obtains the encrypted root private key from the external storage space of the TEE environment, and passes the encrypted root private key, the encrypted computing material and the key derivation information into the TEE environment.
3. The service provider recovers the root private key using the trusted hardware key built into the TEE environment, calls the child private key derivation service in the key management service, and derives, from the root private key and the key derivation information, child private key 1 corresponding to the encryption key (child public key 1) as the decryption key.
4. The service provider decrypts the encrypted computing material with child private key 1 to obtain the original computing material.
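Why the demand side can derive the encryption key from public data alone while the provider re-derives the matching decryption key inside the TEE, as an added example that is not the patent's own algorithm. It assumes a BIP32-style additive derivation on secp256k1 with an HMAC-SHA512 tweak, a chain code handed out with the parent public key, and key derivation information modelled as one key number per level; the page specifies none of these.

```python
import hashlib
import hmac

# secp256k1 parameters (the page names no curve; this choice is an assumption).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; not constant time, for illustration only."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def serialize(point):
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _tweak(parent_pub, chain_code, number):
    """Both sides compute the same tweak from public data only."""
    msg = serialize(parent_pub) + number.to_bytes(4, "big")
    mac = hmac.new(chain_code, msg, hashlib.sha512).digest()
    t = int.from_bytes(mac[:32], "big")
    if t >= N:
        raise ValueError("unusable key number, use the next one")
    return t, mac[32:]


def child_public(parent_pub, chain_code, number):
    """Demand side: child public key = parent public key + t*G."""
    t, next_code = _tweak(parent_pub, chain_code, number)
    child = point_add(parent_pub, scalar_mult(t, G))
    if child is None:
        raise ValueError("unusable key number, use the next one")
    return child, next_code


def child_private(parent_priv, chain_code, number):
    """Provider, inside the TEE: child private key = parent private key + t."""
    t, next_code = _tweak(scalar_mult(parent_priv, G), chain_code, number)
    child = (parent_priv + t) % N
    if child == 0:
        raise ValueError("unusable key number, use the next one")
    return child, next_code


def derive_public(pub, chain_code, numbers):
    for number in numbers:  # one key number per level
        pub, chain_code = child_public(pub, chain_code, number)
    return pub


def derive_private(priv, chain_code, numbers):
    for number in numbers:
        priv, chain_code = child_private(priv, chain_code, number)
    return priv


def root_from_seed(seed):
    """Stand-in for root key generation from the TEE's random number."""
    mac = hmac.new(b"constructed-root-label", seed, hashlib.sha512).digest()
    return int.from_bytes(mac[:32], "big") % (N - 1) + 1, mac[32:]


def demo():
    root_priv, root_code = root_from_seed(b"constructed seed")
    # Provider: parent key number 1 is allocated to service demand side 1.
    parent_priv, parent_code = child_private(root_priv, root_code, 1)
    parent_pub = scalar_mult(parent_priv, G)
    # Demand side 1: sees only parent_pub and parent_code.
    derivation_info = [3, 7]  # constructed: two levels, numbers 3 and 7
    encryption_pub = derive_public(parent_pub, parent_code, derivation_info)
    # Provider, in the TEE: root private key plus stored derivation info.
    decryption_priv = derive_private(root_priv, root_code, [1] + derivation_info)
    return encryption_pub, decryption_priv


if __name__ == "__main__":
    pub, priv = demo()
    print("keys match:", scalar_mult(priv, G) == pub)
```

With this additive form, anyone holding the parent public key, the chain code and any one child private key can compute the parent private key, so child private keys must never leave the TEE.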
The computation on the original computing material proceeds as follows:
1. The service provider obtains computing logic program 1, required by the computing task, according to the program address in the trusted computing task execution request.
2. The service provider passes computing logic program 1 into the TEE environment.
3. The service provider calls computing logic program 1 in the TEE environment to analyze and compute on the original computing material, obtaining a calculation result.
4. The service provider generates unique characterization data from the original computing material and the computing logic program, and generates a result measurement report for the calculation result from that unique characterization data.
5. The service provider generates a result uplink processing request from the calculation result and the result measurement report and sends it to the blockchain network for on-chain publication.
A blockchain node in the blockchain network responds to the service provider's result uplink processing request by performing a security check on the result measurement report of the calculation result in the request; if the security check passes, the result measurement report and the calculation result are stored on the chain. Optionally, the blockchain node does not store the result measurement report and the calculation result directly in the blockchain network. Instead, it issues a storage task to the decentralized storage network, stores the result measurement report and the calculation result there, and records their storage address in the blockchain network. The decentralized storage network offers large storage capacity and efficient data reads.
Optionally, the blockchain node performs the security check on the result measurement report of the calculation result in the result uplink processing request as follows:
1. It verifies the computing logic program of the result measurement report, obtaining a computing logic verification result.
2. If the computing logic verification passes, it calls the oracle service to request at least two participants to verify whether the generation environment of the result measurement report is a trusted execution environment. Specifically, the oracle service requests the remote verification services of at least two participants, and the remote verification services of different participants are independent of each other. The remote verification service may be the remote verification service for the TEE execution environment provided by a TEE hardware vendor. The oracle service determines whether the generation environment of the result measurement report is a trusted execution environment from the verification results returned by the independent remote verification services.
3. If the result measurement report was generated in the trusted execution environment, the security check passes, the storage task is issued to the decentralized storage network, and the calculation result is recorded in the smart contract as valid.
Blockchain technology is thus applied to trusted computing: the service provider decrypts the encrypted computing material in the trusted execution environment and calls the computing logic program there to compute on and analyze the decrypted original computing material, establishing a closed application loop from the service demand side to the service provider.
Fig. 9 is a schematic structural diagram of a blockchain-based trusted computing apparatus according to an embodiment of the present disclosure. This embodiment is applicable where a service provider provides a trusted computing service for a service demand side based on a blockchain network. The apparatus may be implemented in software and/or hardware, can implement the blockchain-based trusted computing method of any embodiment of the present disclosure, and is configured at the service provider. As shown in Fig. 9, the blockchain-based trusted computing apparatus 900 includes:
a calculation data obtaining module 901, configured to, in response to a trusted computing task execution request issued by a blockchain network, obtain the computing logic program and the encrypted computing material required by the computing task; the encrypted computing material is obtained by the service demand side encrypting original computing material with an encryption key derived based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
a decryption key determining module 902, configured to derive a decryption key from the root private key in the trusted execution environment and decrypt the encrypted computing material with the decryption key to obtain the original computing material;
a calculation analysis module 903, configured to call the computing logic program to compute on and analyze the original computing material in the trusted execution environment to obtain a calculation result.
According to this embodiment of the disclosure, blockchain technology is applied to trusted computing: the service provider decrypts the encrypted computing material in a trusted execution environment and calls the computing logic program there to compute on and analyze the decrypted original computing material. This establishes a closed application loop from the service demand side to the service provider and provides the trusted computing service without leaking the original computing material to the outside. Data privacy is effectively protected, data barriers are broken down, data islands are connected, and data sharing and circulation become more secure and reliable.
Optionally, the decryption key determining module 902 includes: a key derivation information acquisition sub-module, configured to obtain key derivation information from the blockchain network and pass it into the trusted execution environment, the key derivation information being the derivation information with which the service demand side derived the encryption key; and a decryption key derivation sub-module, configured to derive the decryption key from the root private key and the key derivation information in the trusted execution environment.
Optionally, the key derivation information includes an encryption key level and an encryption key number; the encryption key is a child public key derived from a parent public key and the key derivation information, and the decryption key is the child private key corresponding to that child public key.
Optionally, the apparatus further includes: a root private key decryption processing module, configured to, before the decryption key is derived from the root private key in the trusted execution environment, obtain the encrypted root private key and decrypt it with the trusted hardware key of the trusted execution environment.
Optionally, the calculation data obtaining module is specifically configured to, in response to a trusted computing task execution request issued by the blockchain network, read the computing logic program and the encrypted computing material required by the computing task from the blockchain network according to the program address and the material address in the request.
Optionally, the apparatus further includes: a result measurement report generation module, used for calling the computing logic program to compute on and analyze the original computing material in the trusted execution environment to obtain a calculation result, generating unique characterization data from the original computing material and the computing logic program, and generating a result measurement report for the calculation result from the unique characterization data; and a result uplink processing request generating module, configured to generate a result uplink processing request from the calculation result and the result measurement report and send it to the blockchain network for on-chain publication.
Optionally, the apparatus further includes: a parent public key determining module, specifically configured to, in response to a key distribution request from a service demand side, derive a parent public key from a pre-generated root private key in the trusted execution environment and return the parent public key to the service demand side; the parent public key is used to derive the encryption key.
Optionally, the apparatus further includes: a key measurement report generation module, configured to generate a key measurement report for the parent public key according to the derivation algorithm of the parent public key; and a key measurement report feedback module, configured to return the key measurement report to the service demand side.
Optionally, the apparatus further includes: a root private key generation module, configured to generate the root private key based on a random number in the trusted execution environment; and a root private key encryption processing module, configured to encrypt the root private key with a trusted hardware key and store the encrypted root private key in an external storage space of the trusted execution environment.
The blockchain-based trusted computing apparatus provided by this embodiment of the disclosure can execute the blockchain-based trusted computing method provided by any embodiment of the disclosure, and has the functional modules and beneficial effects corresponding to executing that method.
In the technical solution of the present disclosure, the acquisition, storage, and application of the computing logic program and the encrypted computing material involved all comply with relevant laws and regulations and do not violate public order and good customs.
Fig. 10 is a schematic structural diagram of a block chain-based trusted computing device according to an embodiment of the present disclosure. The embodiment of the disclosure is applicable to the case where a service provider provides a trusted computing service to a service demand side based on a block chain network. The device can be implemented in software and/or hardware, can implement the block chain-based trusted computing method according to any embodiment of the present disclosure, and is configured at the service demand side. As shown in fig. 10, the block chain-based trusted computing device 1000 includes:
an encryption key determination module 1001 configured to derive and determine an encryption key based on the parent public key; the parent public key is derived by the service provider based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
the material encryption processing module 1002 is configured to encrypt an original calculation material by using the encryption key, and store the encrypted calculation material;
the trusted computing task execution request issuing module 1003 is configured to issue a trusted computing task execution request to a service provider through a blockchain network, so as to request the service provider to obtain a computing logic program and an encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform computing analysis on the original computing material to obtain a computing result.
In this embodiment, block chain technology is applied to trusted computing. The service demand side derives the encryption key from the parent public key, where the parent public key is derived by the service provider from the root private key, and the root private key is generated by the service provider in the trusted execution environment. The service demand side encrypts the original computing material with the encryption key and stores the encrypted computing material. It then issues a trusted computing task execution request to the service provider through the block chain network, requesting the service provider to decrypt the encrypted computing material in the trusted execution environment and to call the computing logic program, also in the trusted execution environment, to perform computing analysis on the decrypted original computing material. This establishes an application closed loop from the service demand side to the service provider: the trusted computing service is provided to the service demand side without the original computing material being leaked to the outside, which effectively protects data privacy, breaks down data barriers, connects data islands, and makes data sharing and circulation safer and more reliable.
Optionally, the encryption key determining module 1001 is specifically configured to invoke a key management service, and derive a child public key based on key derivation information and the parent public key; wherein the key derivation information includes: encryption key hierarchy and encryption key number.
Optionally, the apparatus further comprises: a key measurement report acquisition module, configured to acquire a key measurement report of the parent public key generated by the service provider before deriving and determining an encryption key based on the parent public key; and the parent public key security verification module is used for performing security verification on the parent public key according to the key measurement report.
Optionally, the parent public key security verification module includes: a reference measurement report determining submodule, configured to obtain a key measurement report of the parent public key from the blockchain network, where the key measurement report is used as a reference measurement report; a measurement report to be verified determining submodule, configured to obtain a key measurement report of the parent public key from the service provider, where the key measurement report is used as a measurement report to be verified; a matching result determining submodule, configured to match the reference measurement report with the measurement report to be verified to obtain a matching result; and a security verification result determining submodule, configured to determine the security verification result of the parent public key according to the matching result.
Optionally, the parent public key security verification module includes: a generation environment verification submodule, configured to call a remote verification service to verify the generation environment of the key measurement report to obtain a generation environment verification result; a generation environment judgment result determining submodule, configured to judge, according to the generation environment verification result, whether the generation environment of the key measurement report is the trusted execution environment, to obtain a generation environment judgment result; and a security verification result determining submodule, configured to determine the security verification result of the parent public key according to the generation environment judgment result.
The trusted computing device based on the block chain provided by the embodiment of the disclosure can execute the trusted computing method based on the block chain provided by any embodiment of the disclosure, and has the corresponding functional module and beneficial effect of executing the trusted computing method based on the block chain.
Fig. 11 is a schematic structural diagram of a block chain-based trusted computing device according to an embodiment of the present disclosure. The embodiment of the disclosure is applicable to the case where a service provider provides a trusted computing service to a service demand side based on a block chain network. The apparatus may be implemented in software and/or hardware, may implement the block chain based trusted computing method according to any embodiment of the present disclosure, and is configured at a block chain node. As shown in fig. 11, the block chain based trusted computing device 1100 includes:
a trusted computing task execution request obtaining module 1101, configured to obtain a trusted computing task execution request issued by a service demand side, enable the service provider side to respond to the trusted computing task execution request to obtain a computing logic program and an encrypted computing material, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform computing analysis on the original computing material to obtain a computing result;
a calculation result security check module 1102, configured to perform security check on a result metric report of a calculation result in a result uplink processing request in response to the result uplink processing request from the service provider; wherein the result metric report is used to uniquely characterize the raw computing materials and computing logic of the computed result;
a calculation result storage module 1103, configured to perform uplink storage on the result measurement report and the calculation result if the security check passes.
In this embodiment, block chain technology is applied to trusted computing: the service provider and the service demand side are organized through the block chain network, and an application closed loop from the service demand side to the service provider is established.
Optionally, the calculation result security check module 1102 includes: a computation logic verification submodule, configured to verify the computation logic program of the result measurement report to obtain a computation logic verification result; a generation environment verification submodule, configured to call an oracle service if the computation logic verification passes, and request at least two participants to verify the generation environment of the result measurement report to obtain a generation environment verification result; and a security verification result determining submodule, configured to determine a security verification result according to the generation environment verification result.
The trusted computing device based on the block chain provided by the embodiment of the disclosure can execute the trusted computing method based on the block chain provided by any embodiment of the disclosure, and has the corresponding functional module and beneficial effect of executing the trusted computing method based on the block chain.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 12 shows a schematic block diagram of an example electronic device 1200, which can be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 12, the electronic apparatus 1200 includes a computing unit 1201 that can perform various appropriate actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 1202 or a computer program loaded from a storage unit 1208 into a Random Access Memory (RAM) 1203. In the RAM 1203, various programs and data necessary for the operation of the electronic apparatus 1200 may also be stored. The computing unit 1201, the ROM 1202, and the RAM 1203 are connected to each other by a bus 1204. An input/output (I/O) interface 1205 is also connected to bus 1204.
Various components in the electronic device 1200 are connected to the I/O interface 1205, including: an input unit 1206 such as a keyboard, a mouse, or the like; an output unit 1207 such as various types of displays, speakers, and the like; a storage unit 1208 such as a magnetic disk, optical disk, or the like; and a communication unit 1209 such as a network card, modem, wireless communication transceiver, etc. The communication unit 1209 allows the electronic device 1200 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 1201 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 1201 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 1201 performs the various methods and processes described above, such as a block chain based trusted computing method. For example, in some embodiments, the blockchain-based trusted computing method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 1208. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 1200 via the ROM 1202 and/or the communication unit 1209. When the computer program is loaded into RAM 1203 and executed by computing unit 1201, one or more steps of the above-described block chain based trusted computing method may be performed. Alternatively, in other embodiments, the computing unit 1201 may be configured by any other suitable means (e.g., by means of firmware) to perform a block chain based trusted computing method.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable block chain based trusted computing device such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combining a blockchain.
Artificial intelligence is the discipline that studies how to make computers simulate certain human mental processes and intelligent behaviors (such as learning, reasoning, thinking, planning, etc.), and it involves technologies at both the hardware level and the software level. Artificial intelligence hardware technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, and the like; artificial intelligence software technologies mainly include computer vision technology, speech recognition technology, natural language processing technology, machine learning/deep learning technology, big data processing technology, knowledge graph technology and the like.
Cloud computing refers to a technology system that accesses a flexibly extensible shared physical or virtual resource pool through a network, where resources may include servers, operating systems, networks, software, applications, storage devices, and the like, and may be deployed and managed in a self-service manner as needed. Cloud computing technology can provide efficient and powerful data processing capacity for technical applications and model training in artificial intelligence, block chains and the like.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (17)

1. A trusted computing method based on a block chain, executed by a service provider, comprising:
in response to a trusted computing task execution request issued by a block chain network, acquiring a computing logic program and an encrypted computing material required by a computing task; the encrypted computing material is obtained by a service demand side encrypting an original computing material with an encryption key derived and determined based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
in the trusted execution environment, deriving and determining a decryption key according to the root private key, and decrypting the encrypted computing material by using the decryption key to obtain the original computing material;
in the trusted execution environment, calling the calculation logic program to perform calculation analysis on the original calculation material to obtain a calculation result;
wherein said deriving and determining, in the trusted execution environment, a decryption key according to the root private key comprises: acquiring key derivation information from the blockchain network, and transmitting the key derivation information into the trusted execution environment; the key derivation information is the derivation information used by the service demand side to derive and determine the encryption key; deriving, in the trusted execution environment, the decryption key based on the root private key and the key derivation information; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the encryption key is a child public key determined by derivation based on a parent public key and the key derivation information, and the decryption key is a child private key corresponding to the child public key;
wherein the method further comprises: in response to a key distribution request of the service demand side, deriving and determining, in the trusted execution environment, a parent public key based on a pre-generated root private key, and feeding back the parent public key to the service demand side; the parent public key is used to derive the encryption key.
2. The method of claim 1, wherein before deriving and determining, in the trusted execution environment, a decryption key according to the root private key, the method further comprises:
acquiring an encrypted root private key, and decrypting the encrypted root private key by using a trusted hardware key of the trusted execution environment.
3. The method of claim 1, wherein the obtaining of the computing logic and the encrypted computing material required for the computing task in response to the trusted computing task execution request issued by the blockchain network comprises:
and responding to a trusted computing task execution request issued by the blockchain network, and reading a computing logic program and an encrypted computing material required by the computing task from the blockchain network according to a program address and a material address in the trusted computing task execution request.
4. The method of claim 1, wherein after invoking the computational logic program to perform computational analysis on the raw computing material in the trusted execution environment to obtain a computational result, the method further comprises:
generating unique characterization data according to the original calculation material and the calculation logic program, and generating a result measurement report for the calculation result according to the unique characterization data;
and generating a result uplink processing request according to the calculation result and the result measurement report, and sending the result uplink processing request to the block chain network for uplink distribution.
5. The method of claim 1, wherein the method further comprises:
generating a key measurement report for the parent public key according to the derivation algorithm of the parent public key;
and feeding back the key measurement report to the service demand side.
6. The method of claim 1, wherein the method further comprises:
generating, in the trusted execution environment, the root private key based on a random number;
and encrypting the root private key by using a trusted hardware key, and storing the encrypted root private key into an external storage space of the trusted execution environment.
7. A block chain-based trusted computing method, executed by a service demand side, comprising:
deriving and determining an encryption key based on the parent public key; the parent public key is derived by a service provider based on a root private key and is distributed to the service demand side based on a key distribution request of the service demand side; the root private key is generated by the service provider in a trusted execution environment;
encrypting the original calculation material by adopting the encryption key, and storing the encrypted calculation material;
issuing a trusted computing task execution request to a service provider through a block chain network to request the service provider to acquire a computing logic program and encrypted computing materials according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing materials, and call the computing logic program to perform computing analysis on the original computing materials to obtain a computing result;
wherein the deriving and determining an encryption key based on the parent public key comprises: calling a key management service, and deriving a child public key based on key derivation information and the parent public key; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the child public key is the encryption key;
wherein the service provider deriving and determining a decryption key comprises: the service provider acquires the key derivation information from the block chain network, and transmits the key derivation information into the trusted execution environment; deriving, in the trusted execution environment, the decryption key based on the root private key and the key derivation information; and the decryption key is a child private key corresponding to the child public key.
8. The method of claim 7, wherein before the deriving and determining an encryption key based on the parent public key, the method further comprises:
acquiring a key measurement report of the parent public key generated by the service provider;
and carrying out security verification on the parent public key according to the key measurement report.
9. The method of claim 8, wherein the security checking the parent public key according to the key metric report comprises:
acquiring a key measurement report of the parent public key from the blockchain network as a reference measurement report;
acquiring a key measurement report of the parent public key from the service provider as a measurement report to be verified;
matching the reference measurement report with the measurement report to be verified to obtain a matching result;
and determining the security verification result of the parent public key according to the matching result.
10. The method of claim 8, wherein the security checking the parent public key according to the key metric report comprises:
calling a remote verification service to verify the generation environment of the key measurement report to obtain a generation environment verification result;
judging whether the generation environment of the key measurement report is the trusted execution environment or not according to the generation environment verification result to obtain a generation environment judgment result;
and determining the security verification result of the parent public key according to the generation environment judgment result.
11. A trusted computing method based on a block chain, performed by block chain nodes, comprising:
acquiring a trusted computing task execution request issued by a service demand side, so that a service provider responds to the trusted computing task execution request to acquire a computing logic program and an encrypted computing material, derives and determines a decryption key to decrypt the encrypted computing material, and calls the computing logic program to perform computing analysis on an original computing material to obtain a computing result; the encrypted computing material is obtained by the service demand side encrypting an original computing material with an encryption key derived and determined based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
in response to a result uplink processing request of the service provider, performing security check on a result metric report of a calculation result in the result uplink processing request; wherein the result metric report is used to uniquely characterize the raw computing materials and computing logic of the computed result;
if the security check is passed, performing uplink storage on the result measurement report and the calculation result;
wherein the service provider deriving and determining a decryption key comprises: the service provider acquires key derivation information from the blockchain network, and transmits the key derivation information into the trusted execution environment; the key derivation information is the derivation information used by the service demand side to derive and determine the encryption key; deriving, in the trusted execution environment, the decryption key based on the root private key and the key derivation information; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the encryption key is a child public key determined by derivation based on a parent public key and the key derivation information, and the decryption key is a child private key corresponding to the child public key; the parent public key is derived and determined by the service provider based on a pre-generated root private key, and is distributed to the service demand side based on a key distribution request of the service demand side.
12. The method of claim 11, wherein said performing a security check on a result metric report of a computed result in said result uplink processing request comprises:
verifying the calculation logic program of the result measurement report to obtain a calculation logic verification result;
if the calculation logic verification is passed, calling an oracle service, and requesting at least two participants to verify the generation environment of the result measurement report to obtain a generation environment verification result;
and determining a security verification result according to the generation environment verification result.
13. A block chain based trusted computing device configured at a service provider, comprising:
a calculation data acquisition module, configured to acquire, in response to a trusted computing task execution request issued by the block chain network, a computing logic program and an encrypted computing material required by a computing task; the encrypted computing material is obtained by a service demand side encrypting an original computing material with an encryption key derived and determined based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
a decryption key determining module, configured to derive and determine a decryption key according to the root private key in the trusted execution environment, and decrypt the encrypted computing material using the decryption key to obtain the original computing material;
the calculation analysis module is used for calling the calculation logic program to perform calculation analysis on the original calculation material in the trusted execution environment to obtain a calculation result;
wherein the decryption key determining module includes: a key derivation information acquisition sub-module, configured to acquire key derivation information from the blockchain network, and transmit the key derivation information to the trusted execution environment; the key derivation information is the derivation information used by the service demand side to derive and determine the encryption key; a decryption key derivation sub-module, configured to derive the decryption key based on the root private key and the key derivation information in the trusted execution environment; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the encryption key is a child public key determined by derivation based on a parent public key and the key derivation information, and the decryption key is a child private key corresponding to the child public key;
the device further comprises: a parent public key determining module, specifically configured to, in response to a key distribution request of the service demand side, derive and determine a parent public key in the trusted execution environment based on a pre-generated root private key, and feed back the parent public key to the service demand side; the parent public key is used to derive the encryption key.
14. A trusted computing device configured at a service provider, comprising:
an encryption key determining module, configured to derive and determine an encryption key based on a parent public key; the parent public key is derived by a service provider based on a root private key and is distributed to a service demander based on a key distribution request of the service demander; the root private key is generated by the service provider in a trusted execution environment;
a material encryption processing module, configured to encrypt the original computing material using the encryption key and store the encrypted computing material;
a trusted computing task execution request issuing module, configured to issue a trusted computing task execution request to a service provider through a blockchain network, so as to request the service provider to acquire a computing logic program and the encrypted computing material according to the trusted computing task execution request, derive and determine a decryption key to decrypt the encrypted computing material, and call the computing logic program to perform calculation analysis on the original computing material to obtain a calculation result;
the encryption key determining module is further configured to invoke a key management service, and derive a child public key based on key derivation information and the parent public key; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the child public key is the encryption key;
the trusted computing task execution request issuing module is further configured to request the service provider to acquire the key derivation information from the blockchain network, and transmit the key derivation information to the trusted execution environment; and to derive, in the trusted execution environment, the decryption key based on the root private key and the key derivation information; the decryption key is a child private key corresponding to the child public key.
15. A blockchain-based trusted computing device configured at a blockchain node, comprising:
a trusted computing task execution request acquisition module, configured to acquire a trusted computing task execution request issued by the service demander, so that the service provider responds to the trusted computing task execution request by acquiring a computing logic program and an encrypted computing material, deriving and determining a decryption key to decrypt the encrypted computing material, and calling the computing logic program to perform calculation analysis on an original computing material to obtain a calculation result; the encrypted computing material is obtained by the service demander encrypting an original computing material with an encryption key derived and determined based on a root private key; the root private key is generated by the service provider in a trusted execution environment;
a calculation result security check module, configured to perform security check on a result metric report of a calculation result in a result uplink processing request in response to the result uplink processing request of the service provider; wherein the result metric report is used to uniquely characterize the raw computing materials and computing logic of the computed result;
a calculation result storage module, configured to perform uplink storage on the result measurement report and the calculation result if the security check passes;
wherein the service provider deriving and determining the decryption key comprises: the service provider acquires key derivation information from the blockchain network, and transmits the key derivation information into the trusted execution environment; the key derivation information is the derivation information used by the service demander to derive and determine the encryption key; the decryption key is derived, in the trusted execution environment, based on the root private key and the key derivation information; wherein the key derivation information includes: encryption key hierarchy and encryption key number; the encryption key is a child public key derived and determined based on a parent public key and the key derivation information, and the decryption key is a child private key corresponding to the child public key; the parent public key is derived and determined by the service provider based on a pre-generated root private key, and is distributed to the service demander based on a key distribution request of the service demander.
16. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the blockchain-based trusted computing method of any of claims 1-6, 7-10 or 11-12.
17. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the blockchain based trusted computing method of any one of claims 1-6, claims 7-10, or claims 11-12.
CN202210508272.7A 2022-05-10 2022-05-10 Trusted computing method, device, equipment and medium based on block chain Active CN114978626B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210508272.7A CN114978626B (en) 2022-05-10 2022-05-10 Trusted computing method, device, equipment and medium based on block chain

Publications (2)

Publication Number Publication Date
CN114978626A CN114978626A (en) 2022-08-30
CN114978626B true CN114978626B (en) 2023-03-10

Family

ID=82981574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210508272.7A Active CN114978626B (en) 2022-05-10 2022-05-10 Trusted computing method, device, equipment and medium based on block chain

Country Status (1)

Country Link
CN (1) CN114978626B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392889A (en) * 2019-03-26 2019-10-29 阿里巴巴集团控股有限公司 The credible performing environment based on field programmable gate array for block chain network
CN111143890A (en) * 2019-12-26 2020-05-12 百度在线网络技术(北京)有限公司 Calculation processing method, device, equipment and medium based on block chain
CN111181720A (en) * 2019-12-31 2020-05-19 支付宝(杭州)信息技术有限公司 Service processing method and device based on trusted execution environment
CN113438289A (en) * 2020-07-08 2021-09-24 支付宝(杭州)信息技术有限公司 Block chain data processing method and device based on cloud computing

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9722775B2 (en) * 2015-02-27 2017-08-01 Verizon Patent And Licensing Inc. Network services via trusted execution environment
SG11202002779TA (en) * 2019-08-12 2021-03-30 Advanced New Technologies Co Ltd Blockchain-based trusted platform

Also Published As

Publication number Publication date
CN114978626A (en) 2022-08-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant