CN115085917A - Data fusion computing method, device, equipment and medium of trusted execution environment - Google Patents


Info

Publication number
CN115085917A
Authority
CN
China
Prior art keywords
data
target
key
result set
encrypted
Prior art date
Legal status
Pending
Application number
CN202210704628.4A
Other languages
Chinese (zh)
Inventor
徐东德
何志坚
陶立峰
李晖
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202210704628.4A
Publication of CN115085917A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

The application discloses a data fusion computing method, device, equipment and medium based on a trusted execution environment, in the field of computer technology. The method comprises the following steps: acquiring, from a data provider, an encrypted data set obtained by encrypting a target data set with a symmetric key, together with that symmetric key, and decrypting the encrypted data set with the symmetric key to obtain the target data set, the symmetric key being generated by the data provider; performing data fusion calculation on the target data set according to a smart contract between the data provider and the data acquirer to obtain a data result set; acquiring a first public key sent by the data acquirer, encrypting the data result set with the first public key to obtain an encrypted result set, and sending the encrypted result set to the data acquirer so that the data acquirer decrypts it with the first private key to obtain the data result set, the first public key and the first private key being generated by the data acquirer. The method and device improve the trustworthiness of the calculation process and the security of data transmission.

Description

Data fusion computing method, device, equipment and medium of trusted execution environment
Technical Field
The invention relates to the field of computer technology, and in particular to a data fusion computing method, device, equipment and medium based on a trusted execution environment.
Background
At present the state has issued many policies that define data as the fifth factor of production and promote the market-based circulation of data elements, which helps release the value of data, empower society and improve the decision-making capability of industry. Promoting the digital development of industry and its intelligent, high-quality growth, and applying accurate and efficient analysis to the industry within a region, can further improve the efficiency of resource allocation, provide data support for industrial development and assist the implementation of policy.
However, in the scenario of joint industrial modelling, that is, data fusion calculation, there is a risk that an enterprise's core data leaks, which makes the process poorly trusted and insecure and in turn makes enterprises unwilling to share or open their data. If the problem of poor trustworthiness and security in joint industrial modelling is not solved, it becomes a barrier to industrial development.
In summary, how to improve the trustworthiness of the calculation process and the security of the data transmission process is a problem that urgently needs to be solved.
Disclosure of Invention
In view of this, the present invention provides a data fusion calculation method based on a trusted execution environment, which can improve the trustworthiness of the calculation process and the security of the data transmission process. The specific scheme is as follows:
In a first aspect, the application discloses a data fusion computing method based on a trusted execution environment, comprising:
acquiring, from a data provider, an encrypted data set obtained by encrypting a target data set with a symmetric key, together with the symmetric key, and decrypting the encrypted data set with the symmetric key to obtain the target data set; the symmetric key is generated by the data provider;
performing data fusion calculation on the target data set according to a target smart contract between the data provider and the data acquirer to obtain a data result set;
acquiring a first public key sent by the data acquirer, encrypting the data result set with the first public key to obtain an encrypted result set, and sending the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set with a first private key to obtain the data result set; the first public key and the first private key are generated by the data acquirer.
Optionally, acquiring the encrypted data set sent by the data provider and the symmetric key includes:
generating a second public key and a second private key, and sending the second public key to the data provider;
acquiring, from the data provider, the encrypted data set obtained by encrypting the target data set with the symmetric key, together with a target key obtained by encrypting the symmetric key with the second public key, and decrypting the target key with the second private key to obtain the symmetric key. In this variant the symmetric key never travels in the clear: only the holder of the second private key, that is the trusted execution environment, can unwrap it.
Optionally, before decrypting the target key with the second private key to obtain the symmetric key, the method further includes:
verifying the second private key to determine that it is a usable private key.
Optionally, before acquiring the encrypted data set sent by the data provider, the method further includes:
acquiring a target random number (a nonce) sent by the data provider, performing trusted authentication over the target random number, and generating a trusted authentication report;
sending the trusted authentication report to a target service center of the trusted execution environment, so that the target service center performs trusted verification of the trusted execution environment by comparing the target random number with the current random number carried in the trusted authentication report, and obtains a verification result;
acquiring the verification result, and, if the verification result is trusted, performing the data fusion calculation in the trusted execution environment.
Optionally, performing data fusion calculation on the target data set according to the target smart contract between the data provider and the data acquirer to obtain a data result set includes:
acquiring the target smart contract between the data provider and the data acquirer, and determining the target calculation model corresponding to the target smart contract;
performing data fusion calculation on the target data set with the target calculation model to obtain the data result set.
Optionally, before performing data fusion calculation on the target data set according to the target smart contract between the data provider and the data acquirer to obtain a data result set, the method further includes:
formulating the target smart contract according to a target agreement between the data provider and the data acquirer, and constructing the corresponding target calculation model based on the target smart contract.
Optionally, the data fusion calculation method of the trusted execution environment further includes:
recording a first fusion calculation process log, and recording a second fusion calculation process log based on blockchain technology;
comparing the first fusion calculation process log with the second fusion calculation process log, and, if the two are inconsistent, raising an anomaly alarm and displaying the abnormal content in the first fusion calculation process log.
In a second aspect, the present application discloses a trusted execution environment based data fusion computing device, comprising:
a data set acquisition module, for acquiring, from a data provider, an encrypted data set obtained by encrypting a target data set with a symmetric key, together with the symmetric key, and decrypting the encrypted data set with the symmetric key to obtain the target data set; the symmetric key is generated by the data provider;
a data fusion calculation module, for performing data fusion calculation on the target data set according to a target smart contract between the data provider and the data acquirer to obtain a data result set;
a result set sending module, for acquiring a first public key sent by the data acquirer, encrypting the data result set with the first public key to obtain an encrypted result set, and sending the encrypted result set to the data acquirer so that the data acquirer decrypts it with a first private key to obtain the data result set; the first public key and the first private key are generated by the data acquirer.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory; wherein the processor implements the trusted execution environment-based data fusion computing method disclosed above when executing the computer program stored in the memory.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the trusted execution environment based data fusion computing method disclosed above.
Therefore, the method acquires, from a data provider, an encrypted data set obtained by encrypting a target data set with a symmetric key, together with the symmetric key, and decrypts the encrypted data set with the symmetric key to obtain the target data set, the symmetric key being generated by the data provider; performs data fusion calculation on the target data set according to a target smart contract between the data provider and the data acquirer to obtain a data result set; and acquires a first public key sent by the data acquirer, encrypts the data result set with the first public key to obtain an encrypted result set, and sends the encrypted result set to the data acquirer, which decrypts it with a first private key to obtain the data result set, the first public key and the first private key being generated by the data acquirer. The data fusion calculation is thus performed inside a trusted execution environment, which improves the trustworthiness of the calculation process; the data provider and the data acquirer each generate their own keys, so the encryption process is decentralised and the data transmission process is more secure; and the smart contract governs the data fusion calculation, which benefits the accuracy, trustworthiness and security of the calculation.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the present invention; those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a trusted execution environment-based data fusion computing method provided in the present application;
FIG. 2 is a flowchart of a specific trusted execution environment-based data fusion computation method provided in the present application;
FIG. 3 is a schematic diagram illustrating a trusted execution environment based data fusion computing process according to the present application;
FIG. 4 is a schematic diagram of a trusted execution environment based data fusion computing device according to the present application;
fig. 5 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments that a person skilled in the art can derive from them without inventive effort fall within the protection scope of the present invention.
At present, in the scenario of joint industrial modelling, that is, data fusion calculation, there is a risk that an enterprise's core data leaks, which makes the process poorly trusted and insecure, makes enterprises unwilling to share or open their data, and, if left unsolved, hinders industrial development.
To overcome these problems, the application provides a data fusion computing scheme based on a trusted execution environment, which improves the trustworthiness of the calculation process and the security of the data transmission process.
Referring to fig. 1, an embodiment of the present application discloses a data fusion computing method based on a trusted execution environment, where the method includes:
step S11: acquiring an encrypted data set and a symmetric key which are sent by a data provider and obtained by encrypting a target data set by using the symmetric key, and decrypting the encrypted data set by using the symmetric key to obtain the target data set; the symmetric key is a key generated by the data provider.
In this embodiment, the data provider supplies the target data set for data fusion calculation and generates a symmetric key with a key generator, which is used to encrypt the target data set into the encrypted data set. There may be one or more data providers, and one data provider may supply one or more target data sets; the symmetric keys for different target data sets may be the same or different, but using a different symmetric key for each target data set improves the security of data transmission, because the compromise of one key then exposes only one data set. Generating keys with a dedicated key generator is more secure than generating them in ordinary software.
Symmetric encryption is a single-key cryptosystem: the same key is used both to encrypt and to decrypt the information.
In this embodiment, after the encrypted data set and the symmetric key sent by the data provider have been acquired, the encrypted data set is decrypted with the symmetric key to obtain the target data set, which is then used for data fusion calculation.
In this embodiment, before the encrypted data set and the symmetric key sent by the data provider are acquired, it must be verified that the trusted execution environment is in fact trusted, and data fusion calculation is performed in the trusted execution environment only when the verification result is trusted. Specifically, the trustworthiness of the TEE (Trusted Execution Environment) is guaranteed by the underlying CPU architecture, and at the same time the Intel TEE service center remotely verifies the trusted identity of the TEE being accessed. The verification proceeds as follows: the target random number sent by the data provider is acquired, trusted authentication is performed over it, and a trusted authentication report is generated; the trusted authentication report is sent to the target service center of the trusted execution environment, which performs trusted verification of the TEE by comparing the target random number with the current random number carried in the report and obtains a verification result; the verification result is acquired and, if it is trusted, data fusion calculation is performed in the trusted execution environment. The trust placed in the TEE rests on the infrastructure of the hardware vendor, Intel. If the target random number matches the current random number in the trusted authentication report, the verification result is trusted; if the two differ, the verification result is untrusted. The random number serves as a freshness challenge: a report generated for an earlier random number cannot be replayed to pass a later verification.
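The random-number check above is the freshness part of remote attestation. As an added illustration that is not part of the patent or of any vendor's attestation code, the following Go program models the three parties in their simplest form: the enclave signs a report over its code measurement and the challenger's nonce, and the service center accepts the report only if the signature verifies, the nonce equals the one it was told was sent, and the measurement is the approved build. Everything here is constructed: the Report layout, the Ed25519 key standing in for the hardware-rooted attestation key (a real Intel SGX quote is checked against Intel's attestation infrastructure instead), the Enclave and ServiceCenter names, and the build tag.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Report is a simplified attestation report: the enclave's code measurement, the
// challenger's nonce, and a signature over both. The Ed25519 key stands in for
// the hardware-rooted attestation key; this is not a real SGX/TEE quote format.
type Report struct {
	Measurement [32]byte
	Nonce       []byte
	Signature   []byte
}

// reportDigest binds measurement and nonce, so neither field can be swapped
// without invalidating the signature.
func reportDigest(measurement [32]byte, nonce []byte) []byte {
	h := sha256.New()
	h.Write(measurement[:])
	h.Write(nonce)
	return h.Sum(nil)
}

// Enclave models the TEE being verified.
type Enclave struct {
	Measurement [32]byte
	attestKey   ed25519.PrivateKey
}

// Attest answers a challenge: the nonce is copied into the report and covered
// by the signature, which is what makes the report fresh rather than replayable.
func (e *Enclave) Attest(nonce []byte) Report {
	n := append([]byte(nil), nonce...)
	return Report{Measurement: e.Measurement, Nonce: n,
		Signature: ed25519.Sign(e.attestKey, reportDigest(e.Measurement, n))}
}

// ServiceCenter models the target service center: it knows the attestation
// public key and the measurement of the approved enclave build.
type ServiceCenter struct {
	attestPub ed25519.PublicKey
	Approved  [32]byte
}

var (
	ErrBadSignature = errors.New("attestation signature invalid")
	ErrStaleNonce   = errors.New("report nonce differs from challenge nonce (replayed report?)")
	ErrWrongCode    = errors.New("measurement is not the approved enclave build")
)

// NewChallenge draws the "target random number" for one verification round.
func NewChallenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// Verify is the service center's check: signature first, so nonce and measurement
// are only trusted once proven to come from the attestation key; then freshness; then code identity.
func (s *ServiceCenter) Verify(challenge []byte, r Report) error {
	if !ed25519.Verify(s.attestPub, reportDigest(r.Measurement, r.Nonce), r.Signature) {
		return ErrBadSignature
	}
	if !bytes.Equal(challenge, r.Nonce) {
		return ErrStaleNonce
	}
	if r.Measurement != s.Approved {
		return ErrWrongCode
	}
	return nil
}

// NewParties builds an approved enclave and the service center that trusts it.
// The measurement is a constructed placeholder (hash of a fake build tag).
func NewParties() (*Enclave, *ServiceCenter, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	m := sha256.Sum256([]byte("fusion-enclave build 1.0 (constructed)"))
	return &Enclave{Measurement: m, attestKey: priv}, &ServiceCenter{attestPub: pub, Approved: m}, nil
}

// Rebuilt returns an enclave running different code on the same hardware: the
// hardware still signs honestly, but over a measurement the center has not approved.
func Rebuilt(e *Enclave, tag string) *Enclave {
	return &Enclave{Measurement: sha256.Sum256([]byte(tag)), attestKey: e.attestKey}
}
```

A report produced for an earlier nonce fails with ErrStaleNonce, and simply overwriting the nonce field of an old report fails with ErrBadSignature because the nonce lies under the signature; that is why the nonce must be inside the signed report rather than sent alongside it. A rebuilt enclave is rejected with ErrWrongCode even though its signature is valid, which is the measurement check the patent delegates to the service center.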
Step S12: and performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set.
In this embodiment, the data fusion calculation is performed as follows: the target smart contract between the data provider and the data acquirer is acquired, the target calculation model corresponding to that smart contract is determined, and data fusion calculation is performed on the target data set with the target calculation model to obtain the data result set. For example, in a query scenario, the query program runs the query and outputs the result set according to the requirements of the contract.
Before data fusion calculation is performed on the target data set according to the target smart contract, the target smart contract must be formulated according to the target agreement between the data provider and the data acquirer, and the corresponding target calculation model constructed from it. This is done by a smart contract system, in which the two parties jointly entrust a data security operations officer to apply for, formulate and execute the smart contract according to their agreement. A smart contract is a computer protocol intended to propagate, verify or execute a contract in digital form; smart contracts allow trusted transactions to be carried out without a third party, and those transactions are traceable and irreversible.
Step S13: acquiring a first public key sent by the data acquirer, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer.
In this embodiment, the data acquirer generates a first public key and a first private key, which complete the encryption, transmission and decryption of the data result set: the first public key sent by the data acquirer is acquired, the data result set is encrypted with it to obtain the encrypted result set, and the encrypted result set is sent to the data acquirer, which decrypts it with the first private key to obtain the data result set. The data acquirer generates the first public key and the first private key with a key generator. Because only the data acquirer holds the first private key, the result set cannot be read by any other party on the transmission path.
Asymmetric encryption uses two keys, a public key for encryption and a private key for decryption.
In this embodiment, recording logs prevents content from being tampered with, or raises an alarm after it has been tampered with. Specifically, a first fusion calculation process log is recorded, and a second fusion calculation process log is recorded by a blockchain audit system based on blockchain technology; the two logs are compared, and if they are inconsistent an anomaly alarm is raised and the abnormal content in the first fusion calculation process log is displayed. The blockchain audit system exists to prevent platform security incidents caused by illegal user operations, and so records and audits user operations on the platform in detail; the compliance audit log is stored with blockchain technology so that it can be neither lost nor tampered with. At the same time, user operations are recorded and verified precisely by combining log and traffic analysis, behaviour is analysed intelligently, anomalies are discovered promptly, and non-compliant operations are prevented.
A blockchain is a shared database whose stored data or information is "unforgeable", "traced throughout", "traceable", "open and transparent" and "collectively maintained". On these properties blockchain technology lays a solid foundation of "trust", creates a reliable mechanism of "cooperation", and has broad application prospects.
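The comparison of the first and second logs described above can be done without storing the full log on the chain: anchor a hash chain of the process log, and later recompute the chain over the local log. The Go program below is an added example, not the patent's or DBAPPSecurity's audit system; the log lines, the commitment format H(seq | text | prev) and the function names are assumptions. Because each commitment covers its predecessor, the first index at which the recomputation diverges from the anchored chain is where the local log was edited, truncated or extended, which is the "abnormal content" the patent says should be displayed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// commitment chains one log line to everything before it: H(seq | text | prev).
// Including seq and prev means a line cannot be moved, dropped or duplicated
// without changing every commitment after it.
func commitment(seq int, text, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d\x00%s\x00%s", seq, text, prev)))
	return hex.EncodeToString(sum[:])
}

// Anchor computes the chain of commitments for a process log. In the patent's
// design this chain is what the blockchain audit system records as the second
// log; the readable text stays with the platform as the first log.
func Anchor(log []string) []string {
	anchors := make([]string, len(log))
	prev := ""
	for i, line := range log {
		anchors[i] = commitment(i, line, prev)
		prev = anchors[i]
	}
	return anchors
}

// Audit recomputes the chain over the local (first) log and returns the index of
// the first entry that disagrees with the anchored chain, or -1 when the logs are
// consistent. An index equal to len(local) means an anchored entry is missing
// locally; an index equal to len(anchors) means a local entry was never anchored.
func Audit(local, anchors []string) int {
	prev := ""
	for i, want := range anchors {
		if i >= len(local) {
			return i
		}
		if got := commitment(i, local[i], prev); got != want {
			return i
		}
		prev = want
	}
	if len(local) > len(anchors) {
		return len(anchors)
	}
	return -1
}

// Report renders the alarm text, quoting the abnormal local entry when present.
func Report(local, anchors []string) string {
	i := Audit(local, anchors)
	switch {
	case i < 0:
		return "logs consistent"
	case i >= len(local):
		return fmt.Sprintf("ALARM: entry %d is anchored but missing from local log", i)
	case i >= len(anchors):
		return fmt.Sprintf("ALARM: entry %d was never anchored: %q", i, local[i])
	default:
		return fmt.Sprintf("ALARM: entry %d differs from anchored chain: %q", i, local[i])
	}
}

func main() {
	// Constructed process log for one fusion job.
	log := []string{
		"contract c-42 loaded",
		"provider A data set decrypted (3 records)",
		"provider B data set decrypted (2 records)",
		"model run: records=5 sum=80",
		"result set encrypted to acquirer key",
	}
	anchors := Anchor(log)
	fmt.Println(Report(log, anchors))

	tampered := append([]string(nil), log...)
	tampered[3] = "model run: records=5 sum=99"
	fmt.Println(Report(tampered, anchors))

	fmt.Println(Report(log[:3], anchors))
}
```

Anchoring only commitments keeps the log contents off the chain, which matters when the process log itself carries details about the data sets; the chain still detects any edit, deletion or insertion, but it cannot tell you what the original line said, so the platform's first log must be retained for that.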
In this embodiment, the generation and use of all keys are managed by a key management system. The key management system provides full-lifecycle encryption during data circulation and independent, unified key management; it supports an independent key management system covering the generation, distribution, backup and recovery of encryption keys (symmetric keys), and the keys never leave the device.
In this embodiment, the data fusion calculation realises privacy-preserving computation, a set of techniques for performing data analysis and computation on the premise that the data is not disclosed to outside parties, so that the data is "usable but not visible"; the value of the data is converted and released while data and privacy security are fully protected.
In summary, the method acquires, from a data provider, an encrypted data set obtained by encrypting a target data set with a symmetric key, together with the symmetric key, and decrypts the encrypted data set with the symmetric key to obtain the target data set, the symmetric key being generated by the data provider; performs data fusion calculation on the target data set according to a target smart contract between the data provider and the data acquirer to obtain a data result set; and acquires a first public key sent by the data acquirer, encrypts the data result set with the first public key to obtain an encrypted result set, and sends the encrypted result set to the data acquirer, which decrypts it with a first private key to obtain the data result set, the first public key and the first private key being generated by the data acquirer. The data fusion calculation is thus performed inside a trusted execution environment, which improves the trustworthiness of the calculation process; the data provider and the data acquirer each generate their own keys, so the encryption process is decentralised and the data transmission process is more secure; and the smart contract governs the data fusion calculation, which benefits the accuracy, trustworthiness and security of the calculation. Enterprise data silos can therefore be broken down while the enterprise's data security is guaranteed, enabling industrial linkage, releasing the dividend of industrial data through joint industrial analysis, and guiding the production and operation of enterprises precisely.
Referring to fig. 2, an embodiment of the present application discloses a specific data fusion calculation method based on a trusted execution environment, where the method includes:
Step S21: generating a second public key and a second private key, and sending the second public key to the data provider; acquiring, from the data provider, the encrypted data set obtained by encrypting the target data set with a symmetric key, together with a target key obtained by encrypting the symmetric key with the second public key, and decrypting the target key with the second private key to obtain the symmetric key; the symmetric key is generated by the data provider.
In this embodiment, the encrypted data set and the symmetric key sent by the data provider need to be acquired; specifically, the symmetric key arrives in encrypted form and is obtained by decrypting it, and the second public key used to encrypt the symmetric key is generated locally and sent to the data provider.
In this embodiment, the data provider encrypts the target data set with the symmetric key it generated, and encrypts that symmetric key with the locally generated second public key that was sent to it. That is, a local key generator generates the second public key and the second private key, and the second public key is sent to the data provider; the encrypted data set and the target key (the symmetric key encrypted with the second public key) are acquired from the data provider, and the target key is decrypted with the second private key to obtain the symmetric key. Since the second private key is generated in the trusted execution environment and, as noted above, keys do not leave the device, the symmetric key and hence the target data set are exposed to nobody else in transit.
In this embodiment, before the target key is decrypted with the second private key to obtain the symmetric key, the second private key must be verified to be a usable private key. The second private key may be verified by obtaining and entering a verification code; once it has passed verification, the identities of the data participants (the data provider and the data acquirer) may be regarded as trusted. Verifying the second private key is also a verification of the smart contract: for example, if the smart contract sets the data fusion calculation to run at a first time but the second private key is verified at a second time, the verification fails and the contract-based data fusion calculation is not performed.
Step S22: and decrypting the encrypted data set by using the symmetric key to obtain the target data set.
In this embodiment, as to the specific process of the step S22, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Step S23: and performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set.
In this embodiment, as to the specific process of the step S23, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Step S24: acquiring a first public key sent by the data acquirer, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer.
In this embodiment, as to the specific process of the step S24, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Therefore, a second public key and a second private key are generated, and the second public key is sent to a data provider; acquiring an encrypted data set which is sent by the data provider and obtained by encrypting a target data set by using a symmetric key and a target key which is obtained by encrypting the symmetric key by using the second public key, and decrypting the target key by using the second private key to acquire the symmetric key; the symmetric key is a key generated by the data provider; decrypting the encrypted data set by using the symmetric key to obtain the target data set; performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set; acquiring a first public key sent by the data acquirer, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data acquirer so that the data acquirer can decrypt the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer. 
Therefore, the data fusion calculation is carried out based on the trusted execution environment, which improves the credibility of the calculation process; the data provider and the data acquirer each generate their own keys, so that the encryption process is decentralized and the data transmission process is safer; the intelligent contract is used for the data fusion calculation, which favours the accuracy, credibility and safety of the calculation; in addition, the intelligent contract is further verified by means of the second private key, which improves the credibility and safety of the intelligent contract; and the symmetric key is encrypted with the locally generated second public key, so that its transmission is safer.
The data fusion computing system based on the trusted execution environment comprises a key management system, a block chain security audit system and an intelligent contract system; the intelligent contract system is used for specifying an intelligent contract, and the block chain security audit system is used for recording logs and preventing unsafe events of a platform (system) caused by illegal operation of a user.
Referring to fig. 3, a schematic diagram of a trusted execution environment-based data fusion computation process is shown.
Step 1: the TEE trusted execution environment generates a public and private key pair, a private key KA and a public key KB;
Step 2: the public key KB is issued to the data provider;
Step 3: the data provider uses a local key generator to generate a key K;
Step 4: the local data set M is encrypted with the key K to obtain a ciphertext KM, and the key K is encrypted with the public key KB to obtain KKB;
Step 5: KM and KKB are uploaded to the TEE trusted execution environment;
Step 6: the contract is executed;
Step 7: in the TEE environment, the private key KA is used to decrypt KKB to obtain the key K, the ciphertext KM is decrypted with the key K to obtain the plaintext M, and model calculation is carried out according to the intelligent contract to obtain a data result set M1;
Step 8: the data acquirer locally uses a key generator to generate a public and private key pair, a private key K1 and a public key K2;
Step 9: the public key K2 is uploaded to the TEE trusted execution environment;
Step 10: the TEE trusted execution environment encrypts the data result set M1 with the public key K2 to obtain a ciphertext KM12;
Step 11: the data acquirer downloads the ciphertext KM12;
Step 12: the data acquirer decrypts the encrypted data result set KM12 locally with the private key K1 to obtain the data result set M1 in plaintext.
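The twelve steps above carried through end to end, as an added stand-alone example that is not code from the patent or its assignee. It assumes toy primitives (textbook RSA with a one-byte marker instead of padding, and a SHA-256 counter-mode XOR cipher with an HMAC tag), a constructed dataset `SAMPLE_M` and a constructed contract `joint_model`; the TEE itself is modelled as an ordinary function rather than an enclave, and the integrity tag is what lets the TEE refuse a modified KM in step 7.

```python
import hashlib
import hmac
import json
import secrets

# Toy primitives, constructed for illustration only: textbook RSA with a one-byte
# marker in place of real padding, and SHA-256 counter-mode XOR with an HMAC tag.
def _is_probable_prime(n, rounds=16):             # Miller-Rabin test for odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand
def gen_keypair(bits=1024):   # key generator of steps 1 and 8: (private (d, n), public (e, n))
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)
def pk_encrypt(pub, data):
    e, n = pub
    m = int.from_bytes(b"\x01" + data, "big")      # marker preserves leading zeros
    if m >= n:
        raise ValueError("payload too large for this key size")
    return pow(m, e, n)
def pk_decrypt(priv, c):
    d, n = priv
    raw = pow(c, d, n).to_bytes(n.bit_length() // 8 + 1, "big").lstrip(b"\x00")
    if raw[:1] != b"\x01":
        raise ValueError("malformed payload after decryption")
    return raw[1:]
def _keystream(K, nonce, length):
    blocks = (hashlib.sha256(K + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]
def sym_encrypt(K, plaintext):                     # nonce || ct || tag (encrypt-then-MAC)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(K, nonce, len(plaintext))))
    return nonce + ct + hmac.new(K, nonce + ct, hashlib.sha256).digest()
def sym_decrypt(K, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(K, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext KM failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(K, nonce, len(ct))))

# The flow of the figure, one function per role; KA, KB, K, KM, KKB, K1, K2, M, M1
# and KM12 are the names used in the steps above. Dataset and contract are constructed.
def provider_package(M, KB):                       # steps 3-4, on the provider side
    K = secrets.token_bytes(32)                    # K never leaves the provider in clear
    return sym_encrypt(K, json.dumps(M).encode()), pk_encrypt(KB, K)
def tee_compute(KA, KM, KKB, contract):            # step 7, inside the TEE
    K = pk_decrypt(KA, KKB)                        # KA unwraps K, then K unwraps M
    return json.dumps(contract(json.loads(sym_decrypt(K, KM)))).encode()
def joint_model(M):                                # constructed contract: an aggregate,
    return {"records": len(M),                     # so M1 exposes no single record of M
            "avg_yield": sum(r["yield"] for r in M) / len(M)}
SAMPLE_M = [{"plant": "A", "yield": 120}, {"plant": "B", "yield": 80},
            {"plant": "C", "yield": 100}]          # constructed provider dataset
def run_flow(M=SAMPLE_M, contract=joint_model):
    KA, KB = gen_keypair()                         # steps 1-2: TEE key pair, KB issued
    KM, KKB = provider_package(M, KB)              # steps 3-5: provider uploads KM, KKB
    M1 = tee_compute(KA, KM, KKB, contract)        # steps 6-7: contract runs in the TEE
    K1, K2 = gen_keypair()                         # steps 8-9: acquirer key pair, K2 uploaded
    KM12 = pk_encrypt(K2, M1)                      # step 10: M1 encrypted under K2
    return json.loads(pk_decrypt(K1, KM12))        # steps 11-12: acquirer recovers M1
def rejects_tampered_upload():                     # a modified KM must be refused in the TEE
    KA, KB = gen_keypair()
    KM, KKB = provider_package(SAMPLE_M, KB)
    try:
        tee_compute(KA, KM[:20] + bytes([KM[20] ^ 1]) + KM[21:], KKB, joint_model)
        return False
    except ValueError:
        return True
```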
In the application, the symmetric key and the asymmetric keys are generated locally by the data provider and the data acquirer, so that key management is decentralized and the data flow is safer; the TEE trusted execution environment is adopted, so that data calculation is safer; the intelligent contract is verified and signed by checking the private key, so that the contract is more credible, safer and tamper-proof; data circulation records can be traced and managed through block chain audit; and the key is encrypted with the public key of a public and private key pair generated by the local trusted execution environment, so that the transmission process is safer.
It is noted that industrial modeling requires a large amount of data as support for decision-making. If the trust problem of multi-party data fusion calculation is not solved, joint industrial modeling cannot get enterprises to provide real data, so that industrial modeling is inaccurate and the efficiency of industrial production is greatly affected. When multiple enterprises carry out joint modeling to promote operation and marketing, the confidential business data of the enterprises are involved; if no decentralized trusted computing environment is provided, the enterprises are unwilling to share and open their data, so that each enterprise becomes an isolated data island. Therefore, the data fusion calculation method based on the trusted execution environment is provided, which solves the trust problem in multi-party data fusion calculation and releases the value of data calculation on the premise of ensuring data safety.
Referring to fig. 4, an embodiment of the present application discloses a data fusion computing device based on a trusted execution environment, including:
a data set obtaining module 11, configured to obtain an encrypted data set obtained by encrypting a target data set with a symmetric key and sent by a data provider, and obtain the target data set by decrypting the encrypted data set with the symmetric key; the symmetric key is a key generated by the data provider;
the data fusion calculation module 12 is configured to perform data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set;
a result set sending module 13, configured to obtain a first public key sent by the data acquirer, encrypt the data result set with the first public key to obtain an encrypted result set, and send the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set with a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer.
For more specific working processes of the modules, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Therefore, the method comprises the steps of obtaining an encrypted data set obtained by encrypting a target data set by using a symmetric key and sent by a data provider and the symmetric key, and decrypting the encrypted data set by using the symmetric key to obtain the target data set; the symmetric key is a key generated by the data provider; performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set; acquiring a first public key sent by the data acquirer, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer. Therefore, the data fusion calculation is carried out based on the trusted execution environment, and the credibility of the calculation process is improved; according to the method, the data provider and the data acquirer respectively generate the secret keys, so that the encryption process is decentralized, and the data transmission process is further safer; in addition, the intelligent contract is used for data fusion calculation, and calculation accuracy, credibility and safety are facilitated.
Further, an electronic device is provided in the embodiments of the present application, and fig. 5 is a block diagram of the electronic device 20 according to an exemplary embodiment, which should not be construed as limiting the scope of the application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, an input output interface 24, a communication interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps of the trusted execution environment based data fusion computing method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 25 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 24 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22, as a carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk or an optical disk; it may include a non-volatile memory used as external storage and a random access memory used as running memory. The resources stored thereon include an operating system 221, a computer program 222, and the like, and the storage manner may be transient or permanent.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, and may be Windows, Unix, Linux, or the like. In addition to the computer program that performs the trusted execution environment based data fusion computing method disclosed in any of the foregoing embodiments, the computer program 222 may further include a computer program for performing other specific tasks.
In this embodiment, the input/output interface 24 may specifically include, but is not limited to, a USB interface, a hard disk reading interface, a serial interface, a voice input interface, a fingerprint input interface, and the like.
Further, the embodiment of the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the trusted execution environment based data fusion computing method disclosed above.
For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
The computer-readable storage medium includes a Random Access Memory (RAM), a Memory, a Read-Only Memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a magnetic or optical disk, or any other form of storage medium known in the art. Wherein the computer program, when executed by a processor, implements the aforementioned trusted execution environment-based data fusion computing method. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the data fusion calculation method based on the trusted execution environment disclosed by the embodiment, so that the description is simple, and the relevant points can be obtained by referring to the description of the method part.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of an algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above detailed description is given to a data fusion computing method, apparatus, device and medium based on a trusted execution environment, and a specific example is applied in this document to explain the principle and implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and its core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A data fusion computing method based on a trusted execution environment is characterized by comprising the following steps:
acquiring an encrypted data set and a symmetric key which are sent by a data provider and obtained by encrypting a target data set by using the symmetric key, and decrypting the encrypted data set by using the symmetric key to obtain the target data set; the symmetric key is a key generated by the data provider;
performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set;
acquiring a first public key sent by the data acquirer, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data acquirer, so that the data acquirer decrypts the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer.
2. The trusted execution environment-based data fusion computing method according to claim 1, wherein the obtaining of the encrypted data set obtained by encrypting the target data set with a symmetric key and sent by the data provider and the symmetric key comprises:
generating a second public key and a second private key, and sending the second public key to a data provider;
and acquiring an encrypted data set which is sent by the data provider and obtained by encrypting a target data set by using a symmetric key and a target key which is obtained by encrypting the symmetric key by using the second public key, and decrypting the target key by using the second private key to acquire the symmetric key.
3. The trusted execution environment-based data fusion computing method of claim 2, wherein before decrypting the target key with the second private key to obtain the symmetric key, the method further comprises:
the second private key is verified to determine that the second private key is a usable private key.
4. The trusted execution environment-based data fusion computing method according to claim 1, wherein before the obtaining of the encrypted data set obtained by encrypting the target data set with the symmetric key and sent by the data provider and the symmetric key, the method further comprises:
acquiring a target random number sent by the data provider, and performing trusted authentication on the target random number to generate a trusted authentication report;
sending the trusted authentication report to a target service center of the trusted execution environment, so that the target service center can perform trusted verification on the trusted execution environment through the target random number and a current random number in the trusted authentication report to obtain a verification result;
and acquiring the verification result, and if the verification result is credible, performing data fusion calculation based on the credible execution environment.
5. The trusted execution environment based data fusion computing method of claim 1, wherein performing data fusion computing according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set comprises:
acquiring the target intelligent contract between the data provider and the data acquirer, and determining a target calculation model corresponding to the target intelligent contract;
and performing data fusion calculation by using the target calculation model according to the target data set to obtain a data result set.
6. The trusted execution environment based data fusion computing method of claim 5, wherein before performing the data fusion computing according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain the data result set, the method further comprises:
and formulating a target intelligent contract according to a target protocol between the data provider and the data acquirer, and constructing a corresponding target calculation model based on the target intelligent contract.
7. The trusted execution environment-based data fusion computing method of any one of claims 1 to 6, further comprising:
recording a first fusion calculation process log, and recording a second fusion calculation process log based on a block chain technology;
and comparing the first fusion calculation process log with the second fusion calculation process log, if the first fusion calculation process log is inconsistent with the second fusion calculation process log, sending an abnormal alarm, and displaying abnormal contents in the first fusion calculation process log.
8. A trusted execution environment based data fusion computing device, comprising:
the data set acquisition module is used for acquiring an encrypted data set which is sent by a data provider and obtained by encrypting a target data set by using a symmetric key and the symmetric key, and decrypting the encrypted data set by using the symmetric key to obtain the target data set; the symmetric key is a key generated by the data provider;
the data fusion calculation module is used for performing data fusion calculation according to the target data set and based on a target intelligent contract between the data provider and the data acquirer to obtain a data result set;
the result set sending module is used for obtaining a first public key sent by the data obtaining party, encrypting the data result set by using the first public key to obtain an encrypted result set, and then sending the encrypted result set to the data obtaining party so that the data obtaining party can decrypt the encrypted result set by using a first private key to obtain the data result set; the first public key and the first private key are keys generated by the data acquirer.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the trusted execution environment-based data fusion computing method of any of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements a trusted execution environment based data fusion computing method as claimed in any one of claims 1 to 7.
CN202210704628.4A 2022-06-21 2022-06-21 Data fusion computing method, device, equipment and medium of trusted execution environment Pending CN115085917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210704628.4A CN115085917A (en) 2022-06-21 2022-06-21 Data fusion computing method, device, equipment and medium of trusted execution environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210704628.4A CN115085917A (en) 2022-06-21 2022-06-21 Data fusion computing method, device, equipment and medium of trusted execution environment

Publications (1)

Publication Number Publication Date
CN115085917A true CN115085917A (en) 2022-09-20

Family

ID=83252933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210704628.4A Pending CN115085917A (en) 2022-06-21 2022-06-21 Data fusion computing method, device, equipment and medium of trusted execution environment

Country Status (1)

Country Link
CN (1) CN115085917A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580413A (en) * 2022-12-07 2023-01-06 南湖实验室 Zero-trust multi-party data fusion calculation method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination