CN115150120A - Data sharing method, terminal and system - Google Patents

Publication number
CN115150120A
Authority
CN
China
Prior art keywords
data
trusted
transaction center
calculation result
owner
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210445284.XA
Other languages
Chinese (zh)
Inventor
李建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Clp Hainan United Innovation Research Institute Co ltd
Original Assignee
Clp Hainan United Innovation Research Institute Co ltd
Application filed by Clp Hainan United Innovation Research Institute Co ltd filed Critical Clp Hainan United Innovation Research Institute Co ltd
Priority to CN202210445284.XA priority Critical patent/CN115150120A/en
Publication of CN115150120A publication Critical patent/CN115150120A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data sharing method, a terminal and a system in which the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, so that operating in a trusted environment improves data security. The calculation model is stored at the data owner, so the data owner's data does not need to be sent to the data demander for calculation: the data owner calculates locally to obtain a calculation result, the calculation result is processed by a security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so that the data never leaves the data owner.

Description

Data sharing method, terminal and system
Technical Field
The present application relates to the field of information security, and in particular, to a data sharing method, terminal, and system.
Background
In the era of the digital economy, data is a key factor of production, and its value is often released only when data circulates among organizations across fields, industries and regions. However, while the value of data is continuously being created, the security protection and compliant use of data in circulation have become a focus of attention in fields such as government, industry, academia, research and application.
After years of informatization, each organization now runs a large number of information systems, and business data, asset data and personnel data are stored across them. Because these systems differ in architecture, development language and database design, and lacked a unified top-level design when they were developed, they cannot share data with one another effectively, and a large amount of data is redundant and inconsistent, which hampers the use of the data.
To extract value from data, many current information systems use third-party tools or self-developed software to identify, convert, analyze and integrate data, and then connect remotely to the data owner's database to extract and mine the data.
Data can deliver its value as a production factor only if it can circulate; with data security guaranteed, processing such as data sharing, development, utilization and value-adding can create multiple kinds of value. Existing information system integration mostly relies on bolt-on security mechanisms such as cipher machines. Besides adding data risk points and reducing efficiency, these have the following defects. First, the data demander can obtain full operation authority over the data owner's database, or directly extract the relevant data and store it itself, so the data owner cannot control the security of its data or realize the value of its data assets. Second, the data owner loses management rights over its own data: it does not know who extracted its data, what data was extracted or how much, nor whether the data demander has carried out secondary development and use, or even privately sold the original or derived data. Existing bolt-on security systems therefore carry hidden dangers: they add risk points that the data owner does not control, the relative concentration of data creates a risk of abuse, and once a security incident such as a data leak occurs the whole system leaks, which greatly increases the impact of the risk.
There is therefore an urgent need for a more secure and reliable data sharing method that conforms to the data security and personal information protection compliance system.
Disclosure of Invention
In view of this, an object of the present application is to provide a data sharing method, a terminal and a system that ensure the security and reliability of data during data sharing. The specific scheme is as follows:
The invention discloses a data sharing method, which is applied to a data owner and comprises the following steps:
receiving, through a trusted docking bus subsystem, a data request that the data demander sent through a trusted interface and the data transaction center forwarded;
calling a calculation model corresponding to the data request to calculate on target data corresponding to the data request, obtaining a calculation result;
processing the calculation result according to a preset security mechanism to obtain a secure calculation result;
sending the secure calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem;
wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
Optionally, before receiving, through the trusted docking bus subsystem, the data request that the data demander sent through the trusted interface and the data transaction center forwarded, the method further includes:
receiving, through the trusted docking bus subsystem, an access request of the data demander that has been forwarded and verified by the data transaction center;
and, according to the access request, establishing a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem.
Optionally, the process of receiving, through the trusted docking bus subsystem, the access request of the data demander forwarded and verified by the data transaction center includes:
receiving, through the trusted docking bus subsystem, the access request that the data demander sent through the trusted interface and the data transaction center forwarded, the access request including a communication address and an aging (time-limited) ticket verified by the data transaction center;
the process of establishing a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem according to the access request includes:
sending the aging ticket to the data transaction center through the trusted docking bus subsystem;
receiving, through the trusted docking bus subsystem, the user information of the data demander corresponding to the aging ticket, fed back by the data transaction center;
and, after the user information is verified, establishing a communication connection with the data demander through the data transaction center according to the communication address.
Optionally, the process of processing the calculation result according to a preset security mechanism to obtain a secure calculation result includes:
judging the sensitivity of the calculation result according to the preset security mechanism;
if the calculation result has no sensitive content, outputting the secure calculation result comprising the full data of the calculation result;
if the calculation result has partially sensitive content, performing desensitization decryption processing and outputting the secure calculation result;
if the sensitivity of the calculation result is high, outputting the secure calculation result comprising the reason for not sharing.
The invention also discloses a data sharing method, which is applied to a data demander and comprises the following steps:
sending an access request verified by a data transaction center to the data transaction center through a trusted interface, so that the data transaction center forwards the access request to a data owner according to any one of claims 1 to 4;
sending a data request to the data owner through the trusted interface, using a communication connection established with the data owner through the data transaction center;
receiving, through the trusted interface, a secure calculation result sent by the data owner;
wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
Optionally, the process of sending the access request verified by the data transaction center to the data transaction center through the trusted interface includes:
sending a login request to the data transaction center through the trusted interface;
receiving, through the trusted interface, an aging ticket fed back by the data transaction center after the data transaction center verifies the communication address of the data demander;
and sending an access request comprising the communication address and the aging ticket to the data owner through the trusted interface.
The invention also discloses a data sharing terminal of the data owner, which comprises:
the data request receiving module is used for receiving a data request which is transmitted by the data demander through a trusted interface and is forwarded by the data transaction center through the trusted docking bus subsystem;
the model calculation module is used for calling a calculation model corresponding to the data request to calculate target data corresponding to the data request to obtain a calculation result;
the data security processing module is used for processing the calculation result according to a preset security mechanism to obtain a secure calculation result;
the calculation result sending module is used for sending the secure calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem;
and the trusted interface of the data demand party, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
The invention also discloses a data sharing terminal of the data demander, which comprises:
the access request sending module is used for sending an access request verified by a data transaction center to the data transaction center through a trusted interface so that the data transaction center forwards the access request to the data owner;
the data request sending module is used for sending a data request to the data owner through the trusted interface by utilizing the communication connection established by the data transaction center and the data owner;
the calculation result receiving module is used for receiving, through the trusted interface, the secure calculation result sent by the data owner;
and the trusted interface of the data demand party, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
The invention also discloses a data sharing system, comprising: a data sharing terminal of a data owner that executes the data sharing method, a data sharing terminal of a data demander that executes the data sharing method, and a data transaction center;
the data sharing terminal of the data demander is connected with the data transaction center through a trusted interface, and the data sharing terminal of the data owner is connected with the data transaction center through a trusted docking bus subsystem;
and the data transaction center is used for verifying the identity of the data demander and establishing a communication connection between the data sharing terminal of the data demander and the data sharing terminal of the data owner.
Optionally, the data transaction center is further configured to detect the traffic condition between the data sharing terminal of the data demander and the data sharing terminal of the data owner, and/or to manage data transaction information, and/or to manage user status data.
In this application, the data sharing method, applied to a data owner, includes: receiving, through a trusted docking bus subsystem, a data request that a data demander sent through a trusted interface and a data transaction center forwarded; calling a calculation model corresponding to the data request to calculate on target data corresponding to the data request, obtaining a calculation result; processing the calculation result according to a preset security mechanism to obtain a secure calculation result; and sending the secure calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem; wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
In this application, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, and operating in a trusted environment improves data security. The calculation model is stored at the data owner, so the data owner's data does not need to be sent to the data demander for calculation: the calculation is carried out only locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so that the data never leaves the data owner. In addition, an independent trusted interface or trusted docking bus subsystem is built into the data demander or the data owner, so the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and able to dock with the legacy information system, which improves compatibility.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a data sharing method applied to a data owner according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of an architecture principle of a trusted docking bus subsystem disclosed in an embodiment of the present application;
Fig. 3 is a schematic flowchart of another data sharing method applied to a data owner according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a data sharing calculation process disclosed in an embodiment of the present application;
Fig. 5 is a schematic diagram of a Harvard architecture of a trusted docking bus subsystem disclosed in an embodiment of the present application;
Fig. 6 is a schematic diagram of a signature verification process of a trusted software based service disclosed in an embodiment of the present application;
Fig. 7 is a schematic flowchart of a data sharing method applied to a data demander according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a data owner sharing terminal disclosed in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a data demander sharing terminal disclosed in an embodiment of the present application;
Fig. 10 is a block diagram of a data sharing system according to an embodiment of the present disclosure;
Fig. 11 is a schematic diagram of a data sharing system architecture according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application discloses a data sharing method, shown in Fig. 1, which is applied to a data owner. The method comprises the following steps:
Specifically, to improve communication security, the data owner, the data demander and the data transaction center are required to operate in a mutually trusted environment, which raises the security level.
Specifically, because the data owner and the data demander each have their own built-in additional external interface or subsystem, compatibility is good and the existing data systems of the data owner and the data demander can be docked. The trusted interface or the trusted docking bus subsystem can also perform security checks on external data, which ensures that external data entering the trusted environment is safe and reliable.
S11: Receive, through the trusted docking bus subsystem, a data request that the data demander sent through a trusted interface and the data transaction center forwarded.
Specifically, when the data demander needs to obtain data from the data owner, it must send a data request to the data owner so that the data owner knows what data is required. To verify that the sender of the data request is safe and genuine, the data transaction center acts as an intermediate forwarder, which ensures the reliability of the data source. The data transaction center can also keep track of certain transmission process information, such as the interactive data traffic between the data demander and the data owner, which facilitates subsequent transaction management.
S12: Call a calculation model corresponding to the data request to calculate on the target data corresponding to the data request, obtaining a calculation result.
Specifically, the aim is to keep data from leaving the data owner and to realize a system design architecture and management mode with an endogenous, built-in security mechanism, reducing threats such as system vulnerabilities and network backdoors and improving the security protection capability of the whole system, so that a breach of one system does not leak the information of the whole system or even bring the whole system down. After the data owner receives a data request, it therefore does not send the data required by the data demander to the data demander. Instead, the calculation model required by the data demander, having passed security verification, can be stored in advance; the data owner uses the calculation model locally to calculate on the target data and obtains the calculation result locally. The data owner's data thus never leaves its original holder, which ensures data security while still meeting the data demander's need for the data. This also avoids the opposite situation, in which the data demander holds essentially all of the data: avoiding such over-concentration of data effectively reduces the vulnerability of the whole system and the possibility of data abuse caused by the data demander having excessive rights.
The data transaction center stores the calculation models required by the data demander; after the data demander builds a calculation model and the model passes trusted verification, it is sent to the data owner through the data transaction center.
S13: Process the calculation result according to a preset security mechanism to obtain a secure calculation result.
Specifically, after the calculation result is obtained, it needs to be fed back to the data demander. Part of the data in the calculation result, however, may be data that the data owner cannot feed back to the data demander, so corresponding desensitization is performed to obtain a secure calculation result, and the secure calculation result can then be sent to the data demander.
S14: Send the secure calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem.
Specifically, after the security evaluation is completed, the trusted docking bus subsystem is used again to send the secure calculation result to the trusted interface of the data demander, so that the data demander obtains the secure calculation result.
Therefore, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, and operating in a trusted environment improves data security. The calculation model is stored at the data owner, so the data owner's data does not need to be sent to the data demander for calculation: the calculation is carried out only locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so that the data never leaves the data owner. In addition, an independent trusted interface or trusted docking bus subsystem is built into the data demander or the data owner, so the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and able to dock with the legacy information system, which improves compatibility.
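The owner-side steps S12 and S13, with the three sensitivity outcomes listed earlier, as an added example (not code from the patent). The records, the model names, the per-field sensitivity labels and the masking rules are all constructed assumptions, since the patent does not define them, and only masking stands in for its "desensitization decryption processing".

```python
from statistics import mean

# Constructed sample records; in the scheme they stay with the data owner.
RECORDS = [
    {"name": "Zhang San", "id_no": "ID-0001", "region": "north", "salary": 12000},
    {"name": "Li Si", "id_no": "ID-0002", "region": "north", "salary": 15000},
    {"name": "Wang Wu", "id_no": "ID-0003", "region": "south", "salary": 9000},
]

# Assumed labels: the patent names three sensitivity outcomes but no labelling scheme.
FIELD_SENSITIVITY = {
    "region": "none", "count": "none", "avg_salary": "none",
    "name": "partial", "salary": "partial",
    "id_no": "high",
}
RANK = {"none": 0, "partial": 1, "high": 2}


def avg_salary_by_region(records):
    rows = []
    for region in sorted({r["region"] for r in records}):
        salaries = [r["salary"] for r in records if r["region"] == region]
        rows.append({"region": region, "avg_salary": mean(salaries),
                     "count": len(salaries)})
    return rows


def top_earner(records):
    best = max(records, key=lambda r: r["salary"])
    return [{"name": best["name"], "salary": best["salary"]}]


def identity_list(records):
    return [{"name": r["name"], "id_no": r["id_no"]} for r in records]


# Calculation models stored at the owner in advance (S12); the names are hypothetical.
MODELS = {
    "avg_salary_by_region": avg_salary_by_region,
    "top_earner": top_earner,
    "identity_list": identity_list,
}


def judge_sensitivity(rows):
    """Highest label of any field in the result; unknown fields fail closed as 'high'."""
    level = "none"
    for row in rows:
        for field in row:
            label = FIELD_SENSITIVITY.get(field, "high")
            if RANK[label] > RANK[level]:
                level = label
    return level


def desensitize_value(value):
    """Numbers become a 10000-wide range; strings keep only their first character."""
    if isinstance(value, (int, float)):
        low = int(value // 10000) * 10000
        return f"{low}-{low + 9999}"
    text = str(value)
    return text[:1] + "*" * (len(text) - 1)


def handle_data_request(request):
    """Run the requested model locally and return only the secure calculation result."""
    model = MODELS.get(request.get("model"))
    if model is None:
        return {"status": "not_shared",
                "reason": "no verified calculation model for this request"}
    rows = model(RECORDS)              # S12: calculate on local data
    level = judge_sensitivity(rows)    # S13: judge sensitivity of the result
    if level == "none":
        return {"status": "full", "result": rows}
    if level == "partial":
        masked = [
            {k: desensitize_value(v) if FIELD_SENSITIVITY.get(k) == "partial" else v
             for k, v in row.items()}
            for row in rows
        ]
        return {"status": "desensitized", "result": masked}
    return {"status": "not_shared", "reason": "calculation result is highly sensitive"}
```
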
Specifically, because the trusted interface and the trusted docking bus subsystem are highly compatible, the business databases of the information systems of the data owner and the data demander can be stored in a distributed, hierarchical manner in different physical spaces, forming a multi-component heterogeneous system. A multi-component heterogeneous compatible information system can implement local trusted verification through a trusted component, while a newly built native information system can implement global trusted verification. Untrusted entities are thereby monitored and discovered, and operation is restored or blocked in time, which ensures the security of the whole system. Different types of heterogeneous software and hardware can be deployed at different layers, which makes it easy to remain compatible with previously built information systems, facilitates reuse of the old systems and saves cost.
It can be understood that the data demander and the data owner may communicate one-to-many or many-to-many through the data transaction center, and a large number of data demanders and data owners may communicate with each other through the data transaction center at the same time. The data owner and the data demander may also swap roles at any time: both may have the same trusted docking bus subsystem built in, so they can swap roles according to the actual application scenario without being affected or limited by hardware or software. When acting as the data demander, a party can complete its main functions using the trusted interface in the trusted docking bus subsystem; when acting as the data owner, it can use the trusted docking bus subsystem to invoke and run calculation models and to perform the various security verifications. For this reason, the foregoing embodiment emphasizes only the trusted interface in the trusted docking bus subsystem for the data demander.
Specifically, referring to Fig. 2, in the embodiment of the present application the trusted docking bus subsystem may be built on a TPCM (Trusted Platform Control Module). The TPCM reads the BIOS (Basic Input Output System) code, measures the BIOS and stores the measurement result in the TPCM; the TPCM then hands control to the CPU and becomes a control device that provides cryptographic services or trusted services for the computing process.
Specifically, an endogenously secure private data transmission channel is established among the node devices, namely the data owner, the data demander and the data transaction center, by dynamically reconstructing the encryption algorithm in combination with dynamic changes of the key and the authentication password.
Specifically, the internal trusted environment is established by using a hardware root of trust (for example, a CPU core of the internet) to set up a TEE (Trusted Execution Environment) and an REE (Rich Execution Environment, the general-purpose operating environment of a mobile device), and by dividing resources such as processor cores, memory space and peripheral space between the TEE and the REE.
Specifically, in the embodiment of the present application, taking the PKS system led by China Electronics as an example, the built-in chain of trust is established as follows:
1) The Feiteng processor verifies and loads the PBF firmware; trust is passed from the Feiteng processor to the PBF firmware;
2) The PBF firmware initializes the processor core, the memory and the on-chip input/output controller;
3) The PBF firmware verifies and loads the TPCM firmware into the TEE; trust is passed from the PBF firmware to the TPCM firmware;
4) The TPCM firmware initializes the TEE and establishes the TPCM running entity;
5) The TPCM measures and loads the UEFI firmware into the REE;
6) The TPCM notifies the PBF to enable the REE; trust is passed from the TPCM firmware to the UEFI firmware;
7) The UEFI firmware initializes the other external devices, then measures, loads and executes the board card firmware (UEFI: Unified Extensible Firmware Interface);
8) The UEFI firmware measures and loads the operating system loader; trust is passed from the UEFI firmware to the operating system loader;
9) The operating system loader measures, loads and executes the operating system kernel; trust is passed from the operating system loader to the operating system kernel.
Specifically, the trusted platform motherboard in the trusted component is a computer motherboard with an integrated TPCM; the TPCM can serve as the root of trust to establish the chain of trust, and the motherboard provides the connection between the TPCM and other hardware. The Trusted Platform Control Module (TPCM) is a logically or physically independent entity. It generally takes the form of an independent module or physical package, or is integrated with a Trusted Cryptography Module (TCM)/Trusted Platform Module (TPM) as an IP core or firmware; it is a virtualized implementation entity and has active measurement and control functions. The TPCM firmware is exclusively connected with the SPI controller of the ROM, and the write-protection pin of the ROM chip is controlled by the SPI controller. The PBF firmware, the TPCM firmware and the UEFI firmware are stored together in the ROM, and the SPI controller connected with the ROM belongs to the TEE. The TEE can securely access the ROM interface and the secure measurement command interface, and can store measurement hash values and the measurement log. The system hardware may be compatible with secure memory and general-purpose memory.
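The measure-then-load chain of steps 1) to 9), together with the measurement hash value and measurement log the TEE is said to store, as an added example (not code from the patent). SHA-256 stands in for whatever hash the TPCM actually uses, the firmware images and reference digests are constructed, and the "verify" steps 1) and 3) are simplified to the same digest comparison as the "measure" steps.

```python
import hashlib

# Load order taken from steps 1) to 9) above.
BOOT_ORDER = [
    "PBF firmware",
    "TPCM firmware",
    "UEFI firmware",
    "board card firmware",
    "operating system loader",
    "operating system kernel",
]

# Constructed stand-ins for the firmware and OS images.
IMAGES = {stage: f"{stage} image v1".encode() for stage in BOOT_ORDER}


def measure(image: bytes) -> str:
    """Digest of one image (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(image).hexdigest()


# Reference measurements recorded for the known-good images.
REFERENCE = {stage: measure(image) for stage, image in IMAGES.items()}

INITIAL_REGISTER = "00" * 32


def extend(register: str, measurement: str) -> str:
    """Fold a measurement into the running register: H(register || measurement)."""
    data = bytes.fromhex(register) + bytes.fromhex(measurement)
    return hashlib.sha256(data).hexdigest()


def measured_boot(images, reference):
    """Measure each stage before loading it; stop at the first mismatch.

    Stopping models the TPCM's active control: trust is only passed to a
    stage whose measurement matches its reference value.
    """
    register = INITIAL_REGISTER
    log, loaded = [], []
    for stage in BOOT_ORDER:
        measurement = measure(images[stage])
        register = extend(register, measurement)
        log.append((stage, measurement))
        if measurement != reference[stage]:
            return {"loaded": loaded, "blocked": stage,
                    "register": register, "log": log}
        loaded.append(stage)
    return {"loaded": loaded, "blocked": None, "register": register, "log": log}


def replay_log(log):
    """Recompute the register from a measurement log, as a verifier would."""
    register = INITIAL_REGISTER
    for _stage, measurement in log:
        register = extend(register, measurement)
    return register


def clean_boot():
    return measured_boot(IMAGES, REFERENCE)


def tampered_boot():
    """Same chain with a modified UEFI image (constructed tampering)."""
    images = dict(IMAGES)
    images["UEFI firmware"] = b"UEFI firmware image v1 with an extra module"
    return measured_boot(images, REFERENCE)
```

Because each register value depends on every earlier measurement, a log that has been edited to hide the modified stage no longer replays to the stored register.
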
The embodiment of the application discloses a specific data sharing method, applied to a data owner; compared with the previous embodiment, this embodiment further explains and optimizes the technical scheme. Referring to Fig. 3 and Fig. 4, specifically:
S21: Receive, through the trusted docking bus subsystem, an access request of the data demander that has been forwarded and verified by the data transaction center.
Specifically, before the data demander sends the data request to the data owner, the data demander needs to establish a communication connection with the data owner through the data transaction center. The data owner therefore receives, through the trusted docking bus subsystem, the access request of the data demander that has been forwarded and verified by the data transaction center.
Specifically, the access request may include a communication address and an aging ticket that has been validated by the data transaction center.
S22: According to the access request, establish a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem.
Specifically, a communication connection with the data demander can be established through the data transaction center according to the access request verified by the data transaction center. The specific process of establishing the communication connection may include S221 to S223:
s221: sending the aging bill to a data transaction center through the trusted docking bus subsystem;
s222: receiving user information of a data demand party corresponding to the aging bill fed back by the data transaction center through the trusted docking bus subsystem;
s223: and after the user information is verified, establishing communication connection with a data demand party through a data transaction center according to the communication address.
Specifically, after the aging bill in the access request of the data owner is received, the aging bill needs to be sent to the data transaction center through the trusted docking bus subsystem for aging verification, so that the aging bill is guaranteed not to be invalid.
Specifically, after the data transaction center receives the aging data, if the data transaction center verifies the aging data, the user information of the data demand party corresponding to the aging bill is fed back to the data ownership party, and therefore the verification process of the aging bill is completed.
Specifically, after receiving the user information, the data owner continues to verify the user information by using the trusted docking bus subsystem, the data demander is allowed to access the data owner after the verification is passed, and communication connection with the data demander is established through the data transaction center according to the communication address recorded in the access request.
S23: Receiving, through the trusted docking bus subsystem, the data request sent by the data demander through the trusted interface and forwarded by the data transaction center;
S24: Calling the calculation model corresponding to the data request to calculate the target data corresponding to the data request, obtaining a calculation result;
S25: Judging the sensitivity of the calculation result according to a preset security mechanism.
Specifically, the sensitivity of the data included in the calculation result is determined according to the preset security mechanism, for example through operations performed in advance such as setting a black list and a white list and setting security levels for the data.
S26: If the calculation result has no sensitive content, outputting a secure calculation result that includes the full data of the calculation result;
S27: If the calculation result has partially sensitive content, outputting the secure calculation result after desensitization and decryption processing;
S28: If the sensitivity of the calculation result is high, outputting a secure calculation result that includes the reason for not sharing.
Specifically, if the calculation result has no sensitive content, a secure calculation result including the full data of the calculation result is output. If only part of the calculation result is sensitive, desensitization and decryption processing can be performed on it to obtain a secure calculation result that does not include the sensitive content. If the sensitivity of the calculation result is high, the calculation result cannot be output to the data demander; instead, the reason the data cannot be shared is output to the data demander as the secure calculation result, so that the data demander knows why the data cannot be shared.
It can be understood that the division of sensitive data is made in advance by the data owner according to the actual situation: which data is sensitive and which data is not can be set by the data owner in advance.
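The three outcomes of S26 to S28 can be sketched as a single output gate, shown here as an added example that is not part of the patent. The field names, the three security levels, the list semantics (black list forces the highest level, white list forces the lowest) and the masking rule are all assumptions; the sketch covers desensitization only, and fields the data owner never graded are treated as highly sensitive.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0       # no sensitive content
    RESTRICTED = 1   # shareable only after desensitization
    SECRET = 2       # high sensitivity, never shared


@dataclass(frozen=True)
class SecurityMechanism:
    """Preset by the data owner in advance (hypothetical structure)."""
    levels: dict
    whitelist: frozenset = frozenset()
    blacklist: frozenset = frozenset()


# Constructed sample policy.
MECHANISM = SecurityMechanism(
    levels={"avg_income": Level.PUBLIC, "phone": Level.RESTRICTED,
            "id_number": Level.SECRET},
    whitelist=frozenset({"region"}),
    blacklist=frozenset({"diagnosis"}),
)


def classify(field, mech):
    """Black list wins, then white list, then the preset level.

    A field with no preset level is graded SECRET, so a calculation model
    that starts emitting a new field cannot leak it by default.
    """
    if field in mech.blacklist:
        return Level.SECRET
    if field in mech.whitelist:
        return Level.PUBLIC
    return mech.levels.get(field, Level.SECRET)


def mask(value):
    """Desensitize by keeping only the first and last two characters."""
    text = str(value)
    if len(text) <= 4:
        return "*" * len(text)
    return text[:2] + "*" * (len(text) - 4) + text[-2:]


def secure_result(result, mech):
    """Turn a raw calculation result into the secure calculation result."""
    graded = {name: classify(name, mech) for name in result}
    blocked = sorted(n for n, lv in graded.items() if lv == Level.SECRET)
    if blocked:                                              # S28
        return {"status": "not_shared",
                "reason": "high-sensitivity fields: " + ", ".join(blocked)}
    if any(lv == Level.RESTRICTED for lv in graded.values()):  # S27
        data = {n: mask(v) if graded[n] == Level.RESTRICTED else v
                for n, v in result.items()}
        return {"status": "desensitized", "data": data}
    return {"status": "full", "data": dict(result)}         # S26
```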
S29: Sending the secure calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem;
the data transaction center is used for receiving the data transaction request sent by the data request party, wherein the trusted interface of the data request party, the trusted docking bus subsystem of the data owner party and the data transaction center are mutually trusted.
Specifically, the calculation model of the data demander is hosted in the trusted docking bus subsystem managed by the data owner, and the subsystem has the following functions:
1. A Virtual Private Network (VPN) function, which establishes a private network over the public network for encrypted communication;
2. Cross-system calling of API (Application Programming Interface) functions that are self-developed or approved; API security support is strengthened through interface configuration, information encryption processing and other means, and the API may even be packaged into an SDK;
3. Tokens are stored using symmetric encryption: for example, the request URL, a timestamp and the token are combined and encrypted with an algorithm, and decrypted when the token is used. Specific forms include Access Token, Security Token, Session Token and the like.
Specifically, the trusted docking bus subsystem uses a Trusted Platform Module (TPM) to build a system trust chain by adding computer hardware, software and the like, so as to realize a security architecture of trusted computing and traditional computing with three-party authority and responsibility.
Specifically, the storage resources of the trusted docking bus subsystem are divided into trusted program storage and data storage, and the trusted program storage area, the trusted core, the trusted memory, the trusted firmware and the like form a trust chain. Authorization is required when the data demander has a calculation model to be written into the trusted docking bus subsystem of the data owner: the system management password of the data owner must be entered before any change can be made, including adding, deleting and revising calculation models in the trusted program storage area. Meanwhile, the packaged API interface is configurable, that is, a version number and a time are added to it.
Further, the process of using the calculation model comprises:
1. The data required by the calculation model goes through a data sharing approval process, and a code review is carried out on the calculation model program to ensure that it matches the data structure and format of the data owner; finally, the code review specification is written jointly;
2. The code review specification is submitted to the competent organization or department for examination and approval; after approval, the authorization file is obtained and the calculation model program is prepared for writing;
3. The trusted docking bus subsystem is logged in to with the management key, the calculation model is written into the trusted program storage area, and the interface is configured;
4. The data demander and the like log in to their own system, initiate an authenticated link (VPN and the like), and call the API (application programming interface) or the SDK (software development kit) to perform the calculation;
5. The calculated data or result is fed back to the trusted docking bus subsystem, which evaluates the data sensitivity. Insensitive data is output directly to the system of the data demander. Sensitive data is desensitized, or goes through full-data output authorization approval, according to the original agreement: if the approval passes, the full data is output; if the approval fails, the failure result is output to the data transaction center and the data demander.
Specifically, on the premise of performing trusted verification on objects (data resources and the like), execution environments and the like, the trusted docking bus subsystem also performs trusted verification on subjects, so as to prevent ghost or impersonation attacks. The zero trust monitoring module in the subsystem acquires multi-source information through supporting components such as cryptographic services and applications, identity management, device management, resource management and situation awareness, which supports the various services it operates. This information includes the subject's natural attributes, identity authority attributes, identity authentication attributes, access behavior attributes, environment attributes, security situation, threat information and the like, and is used to decide whether to create, update or adjust a security policy decision, which is transmitted to the security policy execution module in real time. For example, a security policy is constructed based on the access log or on rules such as the access time and access frequency of the subject; the security policy execution module then, under the management of the security policy decision module, establishes, maintains or blocks the data access channel from the subject to the resource, or continues to grant or revokes access rights to the accessed resource.
Specifically, the trusted docking bus subsystem has a dual-system architecture of "trusted bottom layer + zero trust for application-layer subjects". Systems that connect to it, provided they are not being retired, can be integrated or retrofitted as a whole according to this architecture.
Specifically, as shown in fig. 5, the system architecture of the trusted docking bus subsystem may adopt a Harvard architecture based on trusted components, in which the data bus and the program bus are designed separately. Because program instructions and data are stored separately and the data memory and the program memory use different buses, bandwidth is increased and data processing performance and efficiency are improved.
Specifically, referring to fig. 6, the signature verification process of the trusted software base service is as follows:
1. First, the software package is downloaded; after the download is finished, the software information is sent to the trusted software base service to check the validity of the software package;
2. The trusted software base service acquires the signature value and the public key certificate information corresponding to the software package;
3. The legitimacy of the certificate is verified. If the verification fails, termination of the installation is notified; if the verification succeeds, system signature verification is performed on the software package using the signature value and the signature verification public key information;
4. If the system signature verification fails, termination of the installation is notified; if the system signature verification succeeds, the software is installed;
5. During software installation, the trusted software base service collects a white list of the installed software from the software information;
6. After the software is installed, the collected white list information is reported to the trusted management service, which judges whether to update the white list information into the security policy;
7. The application software is used normally.
Correspondingly, the embodiment of the present application further discloses a data sharing method, as shown in fig. 7, which is applied to a data demander, and includes:
S31: Sending the access request verified by the data transaction center to the data transaction center through the trusted interface, so that the data transaction center forwards the access request to the data owner as described above.
Specifically, the data demander first needs to send an access request to the data owner through the data transaction center in order to establish a communication connection. The access request may include the communication address of the data demander and related verification information, such as an aging bill, so that the communication connection is established using the communication address and the legitimacy of the identity is verified using the aging bill.
Further, the process of sending the access request verified by the data transaction center to the data transaction center through the trusted interface may specifically include S311 to S313, wherein:
S311: Sending a login request to the data transaction center through the trusted interface;
S312: Receiving, through the trusted interface, the aging bill fed back by the data transaction center after it has verified the communication address of the data demander;
S313: Sending an access request comprising the communication address and the aging bill to the data owner through the trusted interface.
Specifically, after the login request is sent to the data transaction center, the data transaction center verifies the login request and, after the verification passes, sends the corresponding aging bill to the data demander. Meanwhile, the data transaction center establishes the communication connection between the data demander and the data owner, and the access request comprising the communication address and the aging bill is sent to the data owner through the trusted interface, so as to complete the login operation and access the operating system of the data owner.
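The exchange in S311 to S313 on the demander side and S221 to S223 on the owner side can be traced end to end in a short sketch. This is an added example, not code from the patent: the patent does not define the format of the aging bill, so an HMAC-SHA256 tag over "user|address|expiry" is assumed, along with all class names, the 300-second lifetime, and the owner-side check that the address inside the bill matches the address in the access request.

```python
import hashlib
import hmac
import secrets


class TransactionCenter:
    """Issues and checks aging bills (hypothetical HMAC-based format)."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)   # known only to the center
        self._addresses = {}                  # user id -> registered address
        self.ttl_seconds = ttl_seconds

    def register(self, user_id, address):
        if "|" in user_id or "|" in address:
            raise ValueError("'|' is the field separator of the bill")
        self._addresses[user_id] = address

    def _tag(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user_id, address, now):
        """S311/S312: verify the communication address, then issue a bill."""
        if user_id not in self._addresses or self._addresses[user_id] != address:
            return None
        payload = f"{user_id}|{address}|{now + self.ttl_seconds}"
        return payload + "." + self._tag(payload)

    def verify_bill(self, bill, now):
        """S221/S222: return the user information for a valid, unexpired bill."""
        payload, sep, tag = bill.rpartition(".")
        if not sep:
            return None
        if not hmac.compare_digest(self._tag(payload).encode(), tag.encode()):
            return None                       # forged or altered bill
        user_id, address, expiry = payload.split("|")
        if now > int(expiry):
            return None                       # aging verification failed
        return {"user_id": user_id, "address": address}


class DataOwner:
    """Owner side of S21/S22, reached through the trusted docking bus."""

    def __init__(self, center, approved_users):
        self.center = center
        self.approved_users = set(approved_users)
        self.connections = set()

    def handle_access_request(self, request, now):
        info = self.center.verify_bill(request["bill"], now)    # S221, S222
        if info is None:
            return False
        if info["user_id"] not in self.approved_users:          # S223
            return False
        # Assumed extra check: the bill must have been issued for the same
        # address that is asking, so a copied bill is useless elsewhere.
        if info["address"] != request["address"]:
            return False
        self.connections.add(request["address"])
        return True
```

Time is passed in as `now` so that expiry behaviour can be exercised deterministically; a deployment would read a trusted clock instead.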
S32: sending a data request to a data owner through a trusted interface by using a communication connection established with the data owner through a data transaction center;
S33: Receiving, through the trusted interface, the secure calculation result sent by the data owner;
the data transaction center is used for receiving the data transaction request sent by the data request party, wherein the trusted interface of the data request party, the trusted docking bus subsystem of the data owner party and the data transaction center are mutually trusted.
Therefore, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, and operating in a trusted environment improves data security. Meanwhile, the calculation model is stored at the data owner, so the data of the data owner does not need to be sent to the data demander for calculation: the calculation is carried out locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so the data does not leave the data owner. In addition, because an independent trusted interface or trusted docking bus subsystem is built at the data demander or the data owner, the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and dock with the legacy information system, which improves compatibility.
Correspondingly, the embodiment of the present application further discloses a data sharing terminal for a data owner, and as shown in fig. 8, the terminal includes:
the data request receiving module 11 is configured to receive, through the trusted docking bus subsystem, a data request, which is sent by a data demander through a trusted interface and is forwarded by the data transaction center;
the model calculation module 12 is configured to invoke a calculation model corresponding to the data request to calculate target data corresponding to the data request, so as to obtain a calculation result;
the data security processing module 13 is configured to perform corresponding processing on the calculation result according to a preset security mechanism to obtain a security calculation result;
the calculation result sending module 14 is configured to send the secure calculation result to the trusted interface of the data demand party by using the trusted docking bus subsystem;
the trusted interface of the data demand party, the trusted docking bus subsystem of the data owner party and the data transaction center are mutually trusted.
Therefore, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, and operating in a trusted environment improves data security. Meanwhile, the calculation model is stored at the data owner, so the data of the data owner does not need to be sent to the data demander for calculation: the calculation is carried out locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so the data does not leave the data owner. In addition, because an independent trusted interface or trusted docking bus subsystem is built at the data demander or the data owner, the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and dock with the legacy information system, which improves compatibility.
Specifically, the terminal further includes:
the access request receiving module, which is used for receiving, through the trusted docking bus subsystem, the access request of the data demander forwarded and verified by the data transaction center;
the communication connection establishing module, which is used for establishing a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem according to the access request.
Specifically, the access request receiving module is specifically configured to receive, through the trusted docking bus subsystem, the access request sent by the data demander through the trusted interface and forwarded by the data transaction center, the access request including a communication address and an aging bill verified by the data transaction center;
Specifically, the communication connection establishing module includes an aging bill sending unit, a user information receiving unit and a communication connection establishing unit, wherein:
the aging bill sending unit is used for sending the aging bill to the data transaction center through the trusted docking bus subsystem;
the user information receiving unit is used for receiving, through the trusted docking bus subsystem, the user information of the data demander corresponding to the aging bill, fed back by the data transaction center;
the communication connection establishing unit is used for establishing a communication connection with the data demander through the data transaction center according to the communication address after the user information passes verification.
Specifically, the data security processing module 13 includes a sensitivity judgment unit, a non-sensitive output unit, a partial sensitive output unit and a high-sensitivity output unit, wherein:
the sensitivity judgment unit is used for judging the sensitivity of the calculation result according to a preset security mechanism;
the non-sensitive output unit is used for outputting a secure calculation result that includes the full data of the calculation result if the sensitivity judgment unit judges that the calculation result has no sensitive content;
the partial sensitive output unit is used for outputting a secure calculation result after desensitization and decryption if the sensitivity judgment unit judges that the calculation result has partially sensitive content;
the high-sensitivity output unit is used for outputting a secure calculation result that includes the reason for not sharing if the sensitivity judgment unit judges that the sensitivity of the calculation result is high.
Correspondingly, an embodiment of the present application further discloses a data sharing terminal for a data demander, as shown in fig. 9, the terminal includes:
the access request sending module 21 is configured to send an access request verified by the data transaction center to the data transaction center through the trusted interface, so that the data transaction center forwards the access request to the data owner as described above;
the data request sending module 22 is configured to send a data request to the data owner through the trusted interface by using the communication connection established with the data owner through the data transaction center;
the calculation result receiving module 23 is configured to receive a secure calculation result sent by the data owner through the trusted interface;
the data transaction center is used for receiving the data transaction request sent by the data request party, wherein the trusted interface of the data request party, the trusted docking bus subsystem of the data owner party and the data transaction center are mutually trusted.
Therefore, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted, and operating in a trusted environment improves data security. Meanwhile, the calculation model is stored at the data owner, so the data of the data owner does not need to be sent to the data demander for calculation: the calculation is carried out locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so the data does not leave the data owner. In addition, because an independent trusted interface or trusted docking bus subsystem is built at the data demander or the data owner, the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and dock with the legacy information system, which improves compatibility.
Specifically, the access request sending module 21 includes a login request sending unit, an aging bill receiving unit and an access request sending unit, wherein:
the login request sending unit is used for sending a login request to the data transaction center through the trusted interface;
the aging bill receiving unit is used for receiving, through the trusted interface, the aging bill fed back by the data transaction center after it has verified the communication address of the data demander;
the access request sending unit is used for sending an access request comprising the communication address and the aging bill to the data owner through the trusted interface.
Correspondingly, the embodiment of the present application further discloses a data sharing system, as shown in fig. 10 and fig. 11, including: a data-owner data-sharing terminal 31 that performs the aforementioned data-sharing method, a data-demander data-sharing terminal 33 that performs the aforementioned data-sharing method, and a data transaction center 32;
the data-demander data sharing terminal 33 is connected with the data transaction center 32 through a trusted interface, and the data-owner data sharing terminal 31 is connected with the data transaction center 32 through a trusted docking bus subsystem;
the data transaction center 32 is used for authenticating the data demander and establishing the communication connection between the data-demander data sharing terminal 33 and the data-owner data sharing terminal 31.
It can be seen that, in the embodiment of the present application, the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center 32 are mutually trusted, and operating in a trusted environment improves data security. Meanwhile, the calculation model is stored at the data owner, so the data of the data owner does not need to be sent to the data demander for calculation: the calculation is carried out locally to obtain a calculation result, the calculation result is processed by the security mechanism to obtain a secure calculation result, and the secure calculation result is fed back to the data demander, so the data does not leave the data owner. In addition, because an independent trusted interface or trusted docking bus subsystem is arranged at the data demander or the data owner, the original legacy system does not need major changes; the trusted interface or trusted docking bus subsystem only needs to be compatible with and dock with the legacy information system, which improves compatibility.
Specifically, the data transaction center 32 is further configured to detect a traffic condition between the data-requiring-party data sharing terminal 33 and the data-owning-party data sharing terminal 31, and/or manage data transaction information and/or manage user status data.
Specifically, the data transaction center has functions such as data asset pricing system design and interface traffic detection, which solve problems such as the absolute pricing power of a data owner, unsuccessful calling, charging and repeated charging.
Specifically, the data transaction center can unify the management of account numbers and passwords, interface services and unit information; classify the various types of data brought into sharing and establish special subject databases and the like; establish a configuration table of unit authority levels and priorities; coordinate the related parties; and implement concurrent distribution and a data pricing transaction mechanism, which makes it convenient to connect with each unit. It can also build general computing resources itself and offer them for external use in the form of virtual machines.
Specifically, the data transaction center can play a role in unifying unit basic information, unifying interface services, unifying service coordination agents, unifying data asset pricing transactions and the like, and solves problems such as difficult service coordination, difficult unit (system) state monitoring and difficult data asset pricing. For example, different software systems belong to different units; if many software systems are involved, each unit has to be approached one by one for coordination, and the difficulty is easy to imagine. After unification, the coordination is organized by the data transaction center, including convening negotiation meetings and the like, which greatly improves efficiency.
In addition, the data transaction center can also establish a data sharing white list and black list mechanism, which indicates the reason for not sharing (legal opinions or unit lines) or a privileged sharing mechanism. A data asset pricing transaction mechanism can be established to make it easier for information systems to settle data assets, similar to an internet transaction payment intermediary; for example, each unit pays a guarantee fee on entering the data sharing system. Under the authorized sharing mechanism, the universality of an authorization (administrative approval) is greatly improved; for example, a judicial authority issues an investigation order to the data transaction center (a big data bureau, etc.), so that one-to-many can be realized and efficiency is greatly improved.
Specifically, as shown in fig. 11, the data transaction center may include a component unit basic information base, a data subject base, a unit security situation early warning, a unit state data management, and the like, and the trusted docking bus subsystem of the data owner may obtain data required by the data demander from the original business subsystem database of the data owner and substitute the data into the calculation model for calculation.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The technical content provided by the present application is described in detail above, and the principle and the implementation of the present application are explained in the present application by applying specific examples, and the description of the above examples is only used to help understanding the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A data sharing method is applied to a data owner and comprises the following steps:
receiving a data request which is transmitted by the data demander through a trusted interface and is forwarded by the data transaction center through a trusted docking bus subsystem;
calling a calculation model corresponding to the data request to calculate target data corresponding to the data request to obtain a calculation result;
according to a preset safety mechanism, carrying out corresponding processing on the calculation result to obtain a safety calculation result;
sending the security calculation result to a trusted interface of the data demand party by utilizing the trusted docking bus subsystem;
and the trusted interface of the data demand party, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
2. The data sharing method according to claim 1, wherein before receiving, by the trusted docking bus subsystem, the data request forwarded by the data demander through the trusted interface via the data transaction center, the method further comprises:
receiving, by the trusted docking bus subsystem, an access request of the data demander forwarded and verified by the data transaction center;
and establishing, according to the access request, a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem.
3. The data sharing method according to claim 2, wherein the process of receiving, by the trusted docking bus subsystem, the access request of the data demander forwarded and verified by the data transaction center comprises:
receiving, by the trusted docking bus subsystem, the access request which is sent by the data demander through the trusted interface and forwarded by the data transaction center, the access request including a communication address and an aging ticket verified by the data transaction center;
the process of establishing a communication connection with the data demander through the data transaction center by using the trusted docking bus subsystem according to the access request comprises the following steps:
sending the aging ticket to the data transaction center through the trusted docking bus subsystem;
receiving, through the trusted docking bus subsystem, user information of the data demander corresponding to the aging ticket, fed back by the data transaction center;
and after the user information is verified, establishing the communication connection with the data demander through the data transaction center according to the communication address.
4. The data sharing method according to claim 1, wherein the process of processing the calculation result according to the preset security mechanism to obtain the security calculation result comprises:
judging the sensitivity of the calculation result according to the preset security mechanism;
if the calculation result has no sensitive content, outputting the security calculation result comprising the full data of the calculation result;
if the calculation result has partially sensitive content, performing desensitization and decryption processing, and outputting the security calculation result;
if the sensitivity of the calculation result is high, outputting the security calculation result comprising the reason for not sharing.
5. A data sharing method, applied to a data demander, comprising the following steps:
sending an access request verified by a data transaction center to the data transaction center through a trusted interface, so that the data transaction center forwards the access request to a data owner according to any one of claims 1 to 4;
sending a data request to the data owner through the trusted interface, using a communication connection established with the data owner through the data transaction center;
receiving, through the trusted interface, a security calculation result sent by the data owner;
wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
6. The data sharing method according to claim 5, wherein the process of sending the access request verified by the data transaction center to the data transaction center through the trusted interface comprises:
sending a login request to the data transaction center through the trusted interface;
receiving, through the trusted interface, an aging ticket fed back by the data transaction center after the data transaction center verifies the communication address of the data demander;
and sending an access request comprising the communication address and the aging ticket to the data owner through the trusted interface.
7. A data-owner data sharing terminal, comprising:
a data request receiving module, configured to receive a data request which is transmitted by a data demander through a trusted interface and is forwarded by a data transaction center through a trusted docking bus subsystem;
a model calculation module, configured to call a calculation model corresponding to the data request to calculate target data corresponding to the data request, to obtain a calculation result;
a data security processing module, configured to process the calculation result according to a preset security mechanism to obtain a security calculation result;
a calculation result sending module, configured to send the security calculation result to the trusted interface of the data demander by using the trusted docking bus subsystem;
wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
8. A data-demander data sharing terminal, comprising:
an access request sending module, configured to send an access request verified by a data transaction center to the data transaction center through a trusted interface, so that the data transaction center forwards the access request to the data owner according to any one of claims 1 to 4;
a data request sending module, configured to send a data request to the data owner through the trusted interface, using a communication connection established with the data owner through the data transaction center;
a calculation result receiving module, configured to receive, through the trusted interface, the security calculation result sent by the data owner;
wherein the trusted interface of the data demander, the trusted docking bus subsystem of the data owner and the data transaction center are mutually trusted.
9. A data sharing system, comprising: a data-owner data sharing terminal that executes the data sharing method according to any one of claims 1 to 4, a data-demander data sharing terminal that executes the data sharing method according to claims 5 and 6, and a data transaction center;
wherein the data-demander data sharing terminal is connected with the data transaction center through a trusted interface, and the data-owner data sharing terminal is connected with the data transaction center through a trusted docking bus subsystem;
and the data transaction center is configured to perform identity verification on the data demander and to establish a communication connection between the data-demander data sharing terminal and the data-owner data sharing terminal.
10. The data sharing system of claim 9, wherein the data transaction center is further configured to detect traffic conditions, and/or manage data transaction information, and/or manage user status data, between the data-demander data sharing terminal and the data-owner data sharing terminal.
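
The aging-ticket exchange of claims 3 and 6 can be sketched as follows. This is an added example, not code from the application: the class and method names, the opaque random ticket, the 300-second lifetime, the owner-side allow-list and the check that the requesting address matches the address bound to the ticket are all assumptions, since the claims do not fix a ticket format or the content of the user-information check.

```python
import secrets
import time

TICKET_TTL = 300  # seconds; assumed lifetime, the claims give no value


class TransactionCenter:
    """Issues aging tickets at login and resolves them for data owners."""

    def __init__(self, registered):
        self.registered = registered   # user -> verified communication address
        self.tickets = {}              # ticket -> (user, address, expiry)

    def login(self, user, address, now=None):
        """Claim 6: verify the demander's address, then feed back a ticket."""
        now = time.time() if now is None else now
        if self.registered.get(user) != address:
            return None
        ticket = secrets.token_urlsafe(32)   # unguessable reference token
        self.tickets[ticket] = (user, address, now + TICKET_TTL)
        return ticket

    def resolve(self, ticket, now=None):
        """Claim 3: return the user information behind a ticket, or None."""
        now = time.time() if now is None else now
        entry = self.tickets.get(ticket)
        if entry is None or now > entry[2]:
            self.tickets.pop(ticket, None)   # drop expired tickets
            return None
        return {"user": entry[0], "address": entry[1]}


class DataOwner:
    def __init__(self, center, allowed_users):
        self.center = center
        self.allowed_users = allowed_users   # assumed owner-side policy

    def handle_access_request(self, address, ticket, now=None):
        """Claim 3: send the ticket to the center, verify the user info."""
        info = self.center.resolve(ticket, now)
        if info is None:
            return "rejected: unknown or expired ticket"
        if info["address"] != address:       # ticket presented from another address
            return "rejected: address mismatch"
        if info["user"] not in self.allowed_users:
            return "rejected: user not authorised"
        return f"connected: {info['user']} at {address}"
```

Because the owner resolves the ticket at the transaction center on every access request, expiry and address binding are enforced centrally and the ticket itself carries no user data.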
CN202210445284.XA 2022-04-26 2022-04-26 Data sharing method, terminal and system Pending CN115150120A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210445284.XA CN115150120A (en) 2022-04-26 2022-04-26 Data sharing method, terminal and system

Publications (1)

Publication Number Publication Date
CN115150120A true CN115150120A (en) 2022-10-04

Family

ID=83406028

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210445284.XA Pending CN115150120A (en) 2022-04-26 2022-04-26 Data sharing method, terminal and system

Country Status (1)

Country Link
CN (1) CN115150120A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255924A (en) * 2011-08-29 2011-11-23 浙江中烟工业有限责任公司 Multi-stage security interconnection platform based on trusted computing and processing flow thereof
CN104836790A (en) * 2015-03-30 2015-08-12 西安电子科技大学 Linked storage fine-grained access control model based on attribute encryption and timestamp
US20170352116A1 (en) * 2016-06-06 2017-12-07 Chicago Mercantile Exchange Inc. Data payment and authentication via a shared data structure
CN111143880A (en) * 2019-12-27 2020-05-12 中电长城网际系统应用有限公司 Data processing method and device, electronic equipment and readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination