CN115186280A - Data access method and electronic equipment - Google Patents

Publication number
CN115186280A
Authority
CN
China
Prior art keywords
position information
host
terminal device
bloom filter
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210815915.2A
Other languages
Chinese (zh)
Inventor
范文婷
付新丽
鲍喆君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202210815915.2A
Publication of CN115186280A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data access method and an electronic device, and relates to the field of information security. In the data access method, the most recent N pieces of position information related to a target event are extracted, in the TEE, from the acquired track information of the terminal device. The terminal device performs a hash calculation on the bloom filter set up in the TEE to obtain a first hash value and signs the first hash value with a private key, wherein the bloom filter records each piece of position information of the track information. The terminal device sends an access request to the host and receives the data that the host sends after verifying the access request. The terminal device needs to sign the first hash value only once with the private key, so signing efficiency is improved and computing resources are saved while data security is maintained. When the host verifies the signature, it needs to verify the first hash value only once, which improves verification efficiency and saves computing resources.

Description

Data access method and electronic equipment
Technical Field
The present application relates to the field of information security, and in particular, to a data access method and an electronic device.
Background
An access control policy is the policy by which a host restricts a terminal device's access to the host's data. Only a terminal device that meets preset conditions can access the host's data, which protects the security of that data. Generally, an access control policy includes performing digital signature verification on attributes carried in the terminal device's access request, such as school, institution, grade or position; if the verification passes, the terminal device is allowed access, and if it fails, access is not allowed.
Currently, when the access control policy decides whether to allow the terminal device to access the host's data based on the location attribute carried in the terminal device's access request, the location of the terminal device may change frequently if the device is moving. The location of the terminal device must be signed and verified when the terminal device accesses the host's data. This makes signing and verification inefficient and wastes computing resources.
Disclosure of Invention
The application provides a data access method and electronic equipment, which are used for solving the problem of low efficiency of signing and verifying a position carried by an access request.
In a first aspect, the present application provides a data access method applied to a terminal device that runs a trusted execution environment (TEE). The data access method provided by the application comprises the following steps:
When the terminal device detects a target event, it extracts, in the TEE, the first N pieces of position information related to the target event from the acquired track information of the terminal device, where N is a positive integer. The terminal device performs a hash calculation on the bloom filter set up in the TEE to obtain a first hash value and signs the first hash value with a private key, wherein the bloom filter records each piece of position information of the track information. The terminal device sends an access request to the host, wherein the access request carries the bloom filter, the signed first hash value and the first N pieces of position information. The terminal device receives the data that the host sends after verifying the access request.
In the data access method provided by the application, the signing process of the terminal device is as follows: the terminal device only needs to perform a hash calculation on the bloom filter set up in the TEE to obtain a first hash value, and sign the first hash value once with a private key. Because the bloom filter records each piece of position information of the track information, no matter how many times the position information of the terminal device changes, hashing the bloom filter once and signing the first hash value once with the private key is equivalent to hashing and signing each piece of position information of the track information. The terminal device does not need to hash and sign each piece of position information repeatedly, which improves signing efficiency and saves computing resources.
Further, the host's verification process can be as follows: the host verifies the signed first hash value using a preset public key. When the signed first hash value passes verification, the host checks whether the first N pieces of position information are recorded in the bloom filter. If they are, the host verifies whether the first N pieces of position information are trusted. When the first N pieces of position information are trusted, the host sends the data associated with the access request to the terminal device. In this process, each piece of position information of the track information is recorded in the bloom filter, so one verification by the host of the signed first hash value generated from the bloom filter is equivalent to verifying the signature of each piece of position information. Therefore, no matter how many times the position information of the terminal device changes, the host only needs to use the public key once, to verify the signed first hash value obtained from the bloom filter, and does not need to verify the signed hash value of each piece of position information one by one. This improves signature verification efficiency and further saves computing resources.
In a possible implementation, before extracting the first N pieces of position information closest to the target event, the method provided by the present application further includes: periodically collecting position information of the terminal device through a position sensor of the terminal device, wherein the collected position information is the track information of the terminal device. The terminal device obtains the position information collected by the position sensor using a position acquisition unit located in the TEE. The terminal device records each piece of position information using a bloom filter located in the TEE.
In one possible implementation, the terminal device recording each piece of position information using a bloom filter located in the TEE includes: each time the terminal device obtains a piece of position information, it inserts the obtained position information into a preset bloom filter in the TEE. The terminal device controls the bloom filter so that the data associated with the obtained position information is changed, thereby recording the position information.
In one possible implementation, each piece of position information in the track information includes a count value, where the count value indicates the time sequence in which the corresponding piece of position information was acquired.
Therefore, when the host performs verification, it verifies not only the contents of the first N pieces of position information carried in the access request but also their time-sequence relationship, which further improves the security of the data in the host.
In one possible implementation, extracting, in the TEE, the first N pieces of position information closest to the target event from the acquired track information of the terminal device when the terminal device detects a target event includes: when detecting a target event, the terminal device generates a request packet for requesting access to the host, wherein the request packet is associated with the identifier of the accessed host. In the TEE, the terminal device extracts the first N pieces of position information closest to the target event from the acquired track information of the terminal device according to the identifier of the host, where N is a positive integer.
In a second aspect, the present application further provides a data access method applied to a host. The data access method provided by the application comprises the following steps: the host receives an access request from the terminal device, wherein the access request carries a bloom filter, a signed first hash value and the first N pieces of position information in the track information of the terminal device, and N is a positive integer. The host verifies the signed first hash value using a preset public key. When the signed first hash value passes verification, the host checks whether the first N pieces of position information are recorded in the bloom filter. If they are, the host verifies whether the first N pieces of position information are trusted. When the first N pieces of position information are trusted, the host sends the data associated with the access request to the terminal device.
In the data access method provided by the application, the bloom filter records each piece of position information of the track information. In this way, when the host verifies the signature, it only needs to verify the first hash value once using the public key, no matter how many times the position information of the terminal device changes. Signature efficiency is improved and computing resources are saved while data security is maintained. In addition, the terminal device only needs to perform a hash calculation on the bloom filter set up in the TEE to obtain a first hash value and sign the first hash value once with the private key, which improves signing efficiency and further saves computing resources.
In one possible implementation, each piece of position information in the track information includes a count value, where the count value indicates the time sequence in which the corresponding piece of position information was acquired.
Therefore, when the host performs verification, it verifies not only the contents of the first N pieces of position information carried in the access request but also their time-sequence relationship, which further improves the security of the data in the host.
In a third aspect, the present application further provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to cause the electronic device to perform the method as provided in the first or second aspect of the present application.
In a fourth aspect, the present application also provides a computer readable storage medium storing a computer program which, when executed by a processor, causes a computer to perform the method as provided in the first or second aspect of the present application.
In a fifth aspect, the present application also provides a computer program product comprising a computer program which, when executed, causes a computer to perform the method as provided in the first or second aspect of the present application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of interaction between a terminal device and a host according to an embodiment of the present application;
Fig. 2 is a flowchart of a data access method according to an embodiment of the present application;
Fig. 3 is a first functional unit block diagram of a data access device according to an embodiment of the present application;
Fig. 4 is a second functional unit block diagram of a data access device according to an embodiment of the present application;
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present application;
Fig. 6 is a second structural block diagram of an electronic device according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
At present, when the access control policy is to perform digital signature verification on the location attribute carried in the terminal device's access request, the location of the terminal device may change frequently if the device is moving. Thus, each time the terminal device accesses the host's data, the location of the terminal device must be signed and verified. This makes signing and verification inefficient and wastes computing resources.
In view of this, the present application provides a data access method in which a terminal device performs a hash calculation on the bloom filter set up in the TEE to obtain a first hash value and signs the first hash value with a private key, wherein the bloom filter records each piece of position information of the track information. The terminal device sends an access request to the host, wherein the access request carries the bloom filter, the signed first hash value and the first N pieces of position information. The terminal device receives the data that the host sends after verifying the access request.
Each piece of position information of the track information is recorded in the bloom filter. Therefore, no matter how many times the position information of the terminal device changes, the terminal device only needs to perform a hash calculation on the bloom filter set up in the TEE to obtain the first hash value and sign the first hash value once with the private key, so signing efficiency is improved and computing resources are saved while data security is maintained. In addition, when the host verifies the signature, the first hash value only needs to be verified once, which improves verification efficiency and further saves computing resources.
The terms used in this application are explained first:
Bloom filter: used to test whether an element is in a set. A bloom filter can be understood as a hash-table data structure. The bloom filter maps an element to a point in a bit array through a hash function. The bloom filter can therefore tell whether the set records the element simply by checking whether that point is 1.
TEE: the TEE may also be referred to as the secure world of the ARM CPU. A client application (CA) runs in user mode in the normal world of the ARM CPU; it receives input data from an application on the terminal device and passes the received data to a trusted application (TA) running in user mode in the TEE, in the secure world of the ARM CPU, so that the TA performs the critical operations. For example, the TA may perform fingerprint verification, personal identification number (PIN) verification, secure storage of a private key or certificate, and the like.
Monotonic counter: maintains a count value that only increases monotonically and never rolls back. The count value of the monotonic counter is usually attached to data to protect the freshness of the data, so that it is difficult for an attacker to attack the system with old data or old messages.
Hash algorithm: converts an input of arbitrary length into an output of fixed length, which is the hash value. In short, it is a function that compresses a message of arbitrary length into a message digest of a fixed length.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. These several specific embodiments may be combined with each other below, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
The application provides a data access method, which is applied to a communication system formed by a terminal device 100 and a host 200. The terminal device 100 includes a position sensor for collecting position information of the terminal device 100. The terminal device 100 may be a mobile phone or a computer. As shown in Fig. 1, the terminal device 100 runs a trusted execution environment (TEE). The TEE includes a position acquisition unit, a monotonic counter, a bloom filter and a data signature unit. As shown in Fig. 2, the data access method provided by the present application includes:
S201: the position sensor of the terminal device 100 periodically collects the position information of the terminal device 100, wherein the set of acquired position information is the track information of the terminal device 100.
The position sensor may be a GPS locator. Illustratively, the position sensor of the terminal device 100 may collect the position information of the terminal device 100 once every 10 ms. The set of acquired position information may be (p1, p2, p3, ..., (39.9N, 116.3E), (39.8N, 116.3E), (39.7N, 116.3E)).
S202: the terminal device 100 obtains the position information collected by the position sensor using the position acquisition unit located in the TEE.
Illustratively, the position acquisition unit may also obtain the set of position information (p1, p2, p3, ..., (39.9N, 116.3E), (39.8N, 116.3E), (39.7N, 116.3E)).
In addition, each time the position acquisition unit obtains a piece of position information, it notifies the monotonic counter to increase its count value by 1. For example, when the 1st piece of position information p1 is obtained, the count value of the monotonic counter is 1; when the 2nd piece of position information p2 is obtained, the count value is 2; when the 100th piece of position information is obtained, the count value is 100; when the 101st piece of position information is obtained, the count value is 101; when the 102nd piece of position information is obtained, the count value is 102. The count value indicates the time sequence in which the corresponding position information was acquired.
It should be noted that, since the counting of the monotonic counter is performed in the TEE, the security of the count value obtained from the monotonic counter is higher.
In addition, if counting is performed using a monotonic counter, each piece of position information may further include a count value. Specifically, the position acquisition unit may splice the obtained position information and the corresponding count value together to obtain new position information. For example, the position information (39.9N, 116.3E) and the count value 100 are spliced together to obtain new position information ((39.9N, 116.3E), 100); for another example, the position information (39.8N, 116.3E) and the count value 101 are spliced together to obtain new position information ((39.8N, 116.3E), 101); for another example, the position information (39.8N, 116.3E) and the count value 102 are spliced together to obtain new position information ((39.8N, 116.3E), 100).
In this way, when the host 200 performs verification, it must verify not only the contents of the first N pieces of position information carried in the access request but also their time-sequence relationship, which further improves the security of the data in the host 200.
S203: the terminal device 100 records each piece of position information using a bloom filter located in the TEE.
For example, the bloom filter may record each piece of position information as follows: each time the position acquisition unit obtains a piece of position information, the terminal device 100 inserts the obtained position information into the bloom filter in the TEE. The terminal device 100 controls the bloom filter so that the data associated with the obtained position information is changed, thereby recording the position information.
Illustratively, when the position acquisition unit obtains the position information (39.9N, 116.3E), the position information (39.9N, 116.3E) is inserted into the bloom filter, in which the data of the 1st, 3rd, 8th and 9th bits is set from "0" to "1". This is equivalent to the bloom filter recording the position information (39.9N, 116.3E). For another example, when the position acquisition unit obtains the position information (39.8N, 116.3E), the position information (39.8N, 116.3E) is inserted into the bloom filter, in which the data of the 2nd, 4th, 6th and 10th bits is set from "0" to "1". This is equivalent to the bloom filter recording the position information (39.8N, 116.3E). For another example, when the position acquisition unit obtains the position information (39.7N, 116.3E), the position information (39.7N, 116.3E) is inserted into the bloom filter, in which the data of the 11th, 14th, 16th, 18th and 10th bits is set from "0" to "1". This is equivalent to the bloom filter recording the position information (39.7N, 116.3E).
In addition, when the position information includes a count value, the 3 pieces of position information inserted into the bloom filter are replaced with: ((39.9N, 116.3E), 100), ((39.8N, 116.3E), 101), and ((39.8N, 116.3E), 100).
Because S203 is executed in the TEE, the security of the position information recorded in the bloom filter is high.
S204: when the terminal device 100 detects the target event, it extracts, in the TEE, the most recent N pieces of position information associated with the target event from the acquired track information of the terminal device 100.
The target event may be a click event in which the terminal device 100 responds to a click on a website link on the terminal device 100. The clicked website link is associated with the host 200. The access policy set by the host 200 is that the last N pieces of position information of the terminal device 100 are verified. In this way, the first N pieces of position information are associated with the target event.
Illustratively, the terminal device 100 generates a request packet for requesting access to the host 200 upon detecting the target event, wherein the request packet is associated with the identifier of the accessed host 200. In the TEE, the terminal device 100 extracts the first N pieces of position information closest to the target event from the acquired track information of the terminal device 100 according to the identifier of the host 200, where N is a positive integer.
For example, when N = 3, the first 3 pieces of position information (39.9N, 116.3E), (39.8N, 116.3E), (39.7N, 116.3E) may be extracted from the track information (p1, p2, p3, ..., (39.9N, 116.3E)) of the terminal device 100.
It should be noted that, since the first 3 pieces of position information are extracted in the TEE, the security is high.
S205: the terminal device 100 performs a hash calculation on the bloom filter set up in the TEE to obtain a first hash value, and signs the first hash value with a private key.
The bloom filter records each piece of position information of the track information.
It should be noted that, since the hash calculation and the signing are performed in the data signature unit in the TEE, the security is high. Illustratively, the terminal device 100 may, in the TEE, perform a hash calculation on the feature vector composed of the request packet, the bloom filter and the count value to obtain a hash value Hash(B, request, n), where B is the bloom filter, request is the request packet, and n is the count value. Further, the terminal device 100 may sign the hash value Hash(B, request, n) in the TEE to obtain the signature result Sign(Hash(B, request, n)).
S206: the terminal device 100 sends an access request to the host 200, where the access request carries the bloom filter, the signed first hash value and the first N pieces of position information.
The terminal device 100 may send the access request to the host 200 through the data transceiving unit. In addition, the access request also carries the count value n and the request packet request.
Illustratively, the first N pieces of position information in the track information of the terminal device 100 received by the host 200 may be (39.9N, 116.3E), (39.8N, 116.3E) and (39.7N, 116.3E).
It should be noted that S201 to S206 above describe how the terminal device 100 sends the access request. How the host 200 sends the accessed data to the terminal device 100 is described below in conjunction with S207 to S210.
S207: the host 200 verifies the signed first hash value using the preset public key, and if the verification passes, S208 is performed.
The host 200 verifies the signed first hash value using a preset public key, which further strengthens the security of the data to be accessed.
S208: the host 200 checks whether the first N pieces of position information are recorded in the bloom filter, and if so, performs S209.
Illustratively, the specific implementation process of S209 may be: the host 200 queries the bloom filter with the position information (39.9N, 116.3E) so that the bloom filter checks whether the data of the 1st, 3rd, 8th and 9th bits is "1". If so, the bloom filter determines that the position information (39.9N, 116.3E) is recorded. The host 200 queries the bloom filter with the position information (39.8N, 116.3E) so that the bloom filter checks whether the data of the 2nd, 4th, 6th and 10th bits is "1". If so, the bloom filter determines that the position information (39.8N, 116.3E) is recorded. The host 200 queries the bloom filter with the position information (39.7N, 116.3E) so that the bloom filter checks whether the data of the 11th, 14th, 16th and 18th bits is "1". If so, the bloom filter determines that the position information (39.7N, 116.3E) is recorded.
In addition, when the position information includes a count value, the 3 pieces of position information checked against the bloom filter are replaced with: ((39.9N, 116.3E), 100), ((39.8N, 116.3E), 101), and ((39.8N, 116.3E), 100).
It should be noted that when the host 200 detects that the first N pieces of position information are all recorded in the bloom filter, this indicates that the access request has not been attacked or tampered with, and the next verification step S209 is performed. When the host 200 detects that any of the first N pieces of position information is not recorded in the bloom filter, this indicates that the access request has been attacked and tampered with, and this access by the terminal device 100 is denied.
S209: the host 200 verifies whether the first N location information is authentic, and if so, executes S210.
For example, the host 200 may determine that the first N location information is trusted according to a preset access control policy. For example, the host computer 200 verifies whether (39.9N, 116.3E)), (39.8N, 116.3E), and (39.7N, 116.3E), belong to the trajectory ranges (39.9N, 116.3E) - (36.9N, 116.3E). Understandably, (39.9N, 116.3E)), (39.8N, 116.3E) and (39.7N, 116.3E) belong to the trajectory ranges (39.9N, 116.3E) - (36.9N, 116.3E), then the host 200 verifies that the first N location information is authentic.
In other embodiments, if any of the first N pieces of location information does not belong to the range of trajectories (39.9n, 116.3e) - (36.9n, 116.3e), the host 200 denies the access of the terminal device 100. For example, when the first N location information includes location information (40.9n, 116.3e), the host 200 denies the access of the terminal device 100 this time.
S210: the terminal device 100 receives data transmitted after the access request is authenticated from the host 200.
To sum up, in the data access method provided by the present application, the signing process of the terminal device is as follows: the terminal device only needs to perform hash calculation on the set bloom filter in the TEE to obtain a first hash value, and to sign the first hash value once using a private key. Since each piece of position information of the track information is recorded in the bloom filter, no matter how many times the position information of the terminal device changes, the terminal device performs hash calculation on the bloom filter once and signs the first hash value once using the private key. This is equivalent to the terminal device performing hash calculation and signature on each piece of position information of the track information, without frequently hashing and signing each piece of position information separately, so the signature efficiency is improved and computing resources are saved.
Further, the host authentication process may be as follows: the host verifies the signed first hash value using a preset public key. When the signed first hash value passes verification, the host detects whether the first N pieces of position information are recorded in the bloom filter. If the first N pieces of position information are recorded in the bloom filter, the host verifies whether they are credible. When the first N pieces of position information are trusted, the host sends the data associated with the access request to the terminal device. As can be seen, in the above process each piece of position information of the track information is recorded in the bloom filter, so one verification by the host of the signed first hash value generated from the bloom filter corresponds to verifying the signature of each piece of position information. Therefore, no matter how many times the position information of the terminal device changes, when the host verifies the signature it only needs to use the public key once to verify the signed first hash value obtained from the bloom filter, and does not need to verify the signed hash values of each piece of position information one by one. This improves signature verification efficiency and further saves computing resources.
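The terminal-side signing and the three host-side checks summarized above, as an added Python sketch that is not part of the patent text. The filter size, the four salted SHA-256 index functions, the toy textbook-RSA key pair (constructed and insecure, standing in for the TEE private key and the host's preset public key) and all function names are assumptions made for illustration.

```python
import hashlib

M_BITS, K_HASHES = 1024, 4          # assumed filter size and hash count

# Toy textbook-RSA key pair built from two Mersenne primes (constructed,
# insecure): stands in for the TEE private key and the host's public key.
_P, _Q, E = 2**127 - 1, 2**89 - 1, 65537
N_MOD = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))

# Trajectory range (39.9N, 116.3E) - (36.9N, 116.3E) from the text.
TRACK_RANGE = ((36.9, 116.3), (39.9, 116.3))


def _bit_indexes(position):
    """Map a (lat, lon) pair to K_HASHES bit indexes via salted SHA-256."""
    item = f"{position[0]:.1f}N,{position[1]:.1f}E".encode()
    return [
        int.from_bytes(hashlib.sha256(bytes([i]) + item).digest(), "big") % M_BITS
        for i in range(K_HASHES)
    ]


def bloom_add(bits, position):
    """Record a position by setting its bits to 1."""
    for idx in _bit_indexes(position):
        bits[idx // 8] |= 1 << (idx % 8)


def bloom_contains(bits, position):
    """Report a position as recorded only if every one of its bits is 1."""
    return all(bits[idx // 8] >> (idx % 8) & 1 for idx in _bit_indexes(position))


def _digest_int(bits):
    """First hash value: SHA-256 over the whole filter, reduced for toy RSA."""
    return int.from_bytes(hashlib.sha256(bytes(bits)).digest(), "big") % N_MOD


def terminal_build_request(track, n):
    """Terminal side: record the track, hash the filter once, sign once."""
    bits = bytearray(M_BITS // 8)
    for position in track:
        bloom_add(bits, position)
    signature = pow(_digest_int(bits), _D, N_MOD)
    return {"bloom": bytes(bits), "signature": signature, "positions": track[-n:]}


def host_verify(request):
    """Host side: signature first, then filter membership, then policy."""
    if pow(request["signature"], E, N_MOD) != _digest_int(request["bloom"]):
        return "deny: signature"
    if not all(bloom_contains(request["bloom"], p) for p in request["positions"]):
        return "deny: position not recorded"
    (lat_lo, lon_lo), (lat_hi, lon_hi) = TRACK_RANGE
    if not all(lat_lo <= lat <= lat_hi and lon_lo <= lon <= lon_hi
               for lat, lon in request["positions"]):
        return "deny: outside trajectory range"
    return "allow"


if __name__ == "__main__":
    # Constructed sample track using the coordinates from the text.
    track = [(39.9, 116.3), (39.8, 116.3), (39.7, 116.3)]
    print(host_verify(terminal_build_request(track, 3)))
```

Because a Bloom filter can report false positives, the membership step is probabilistic: the filter size and hash count bound how reliably an unrecorded position is rejected.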
Referring to fig. 3, the present application provides a data access apparatus 300, which is applied to a terminal device 100, where the terminal device 100 runs with a trusted execution environment TEE. It should be noted that the data access apparatus 300 provided in the embodiment of the present application has the same basic principle and technical effect as the above embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the above embodiments for the part of the embodiment of the present application that is not mentioned. The data access device 300 provided by the present application includes:
a data extracting unit 304, configured to, when a target event is detected, extract, from the acquired trajectory information of the terminal device 100, the top N pieces of nearest location information associated with the target event in the TEE, where N is a positive integer.
The data extracting unit 304 is specifically configured to generate a request packet for requesting to access the host 200 when the target event is detected, where the request packet is associated with an identifier of the accessed host 200. In the TEE, according to the identifier of the host 200, the first N pieces of position information closest to the target event are extracted from the acquired track information of the terminal device 100, where N is a positive integer.
And a data signing unit 305, configured to perform hash calculation on the set bloom filter 303 in the TEE to obtain a first hash value, and sign the first hash value using a private key, where each piece of position information of the track information is recorded by the bloom filter 303.
The first data transceiving unit 306 is configured to send an access request to the host 200, where the access request carries the bloom filter 303, the signed first hash value, and the first N pieces of location information.
The first data transceiving unit 306 is further configured to receive data sent after the access request is authenticated from the host 200.
In one possible embodiment, the apparatus 300 provided herein further comprises:
the data acquisition unit 301 is configured to periodically acquire position information of the terminal device 100, where a set of the acquired position information is track information of the terminal device 100.
And a position acquisition unit 302 located at the TEE, configured to acquire position information acquired by the position sensor.
A bloom filter 303 located in the TEE for recording each location information.
In a possible embodiment, the location obtaining unit 302 is specifically configured to insert the obtained location information into a preset bloom filter 303 at the TEE every time one location information is obtained. The bloom filter 303 is specifically configured to control data associated with the acquired location information to be changed, so as to record the location information.
In one possible implementation, each piece of location information in the trajectory information includes a count value, where the count value is used to indicate a timing at which the corresponding piece of location information is acquired.
Referring to fig. 4, the present application further provides another data access apparatus 400 applied to a host 200. It should be noted that the basic principle and the resulting technical effect of the data access apparatus 400 provided in the embodiment of the present application are the same as those of the above embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the above embodiments for parts of the embodiment of the present application that are not mentioned.
The data access apparatus 400 provided by the present application includes:
the second data transceiver unit 401 is configured to receive an access request from the terminal device 100, where the access request carries a bloom filter, a first hash value of a signature, and first N pieces of location information in track information of the terminal device 100, where N is a positive integer.
A data verification unit 402, configured to verify the signed first hash value using a preset public key.
A data detection unit 403, configured to detect whether the first N pieces of location information are recorded in the bloom filter when the first hash value of the signature is verified.
The data verification unit 402 is further configured to verify whether the first N location information is authentic if the first N location information is recorded in the bloom filter.
The second data transceiver unit 401 is further configured to send data associated with the access request to the terminal device 100 when the first N pieces of location information are trusted.
FIG. 5 is a block diagram illustrating an electronic device in accordance with an example embodiment. When the electronic device is a terminal device, the electronic device may include one or more of the following components: processing component 502, memory 504, power component 506, multimedia component 508, audio component 510, input/output (I/O) interface 512, sensor component 514, and communications component 516.
The processing component 502 generally controls overall operation of the device 500, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 502 may include one or more processors 520 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 502 can include one or more modules that facilitate interaction between the processing component 502 and other components. For example, the processing component 502 can include a multimedia module to facilitate interaction between the multimedia component 508 and the processing component 502.
The memory 504 is configured to store various types of data to support operations at the apparatus 500. Examples of such data include instructions for any application or method operating on device 500, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 504 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A power supply component 506 provides power to the various components of the device 500. The power components 506 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the apparatus 500.
The multimedia component 508 includes a screen that provides an output interface between the device 500 and the user. In the embodiment of the application, the screen comprises a vehicle-mounted main screen and at least one vehicle-mounted auxiliary screen. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 508 includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the device 500 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 510 is configured to output and/or input audio signals. For example, audio component 510 includes a Microphone (MIC) configured to receive external audio signals when apparatus 500 is in an operating mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in the memory 504 or transmitted via the communication component 516. In some embodiments, audio component 510 further includes a speaker for outputting audio signals.
The I/O interface 512 provides an interface between the processing component 502 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 514 includes one or more sensors for providing various aspects of status assessment for the device 500. For example, the sensor assembly 514 may detect the open/closed status of the device 500, the relative positioning of the components, such as the display and keypad of the device 500, the change in position of the device 500 or a component of the device 500, the presence or absence of user contact with the device 500, the orientation or acceleration/deceleration of the device 500, and the change in temperature of the device 500. The sensor assembly 514 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 514 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 514 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 516 is configured to facilitate communication between the apparatus 500 and other devices in a wired or wireless manner. The apparatus 500 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 516 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 516 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors, or other electronic components for performing the above-described methods.
In addition, as shown in fig. 6, when the electronic device is a host, the electronic device may include one or more of the following components: processing component 602, memory 604, power component 606, input/output (I/O) interface 612, and communication component 616. The principle of each component is the same as that of the corresponding component in fig. 5, and the details are not repeated herein.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 504 comprising instructions, executable by the processor 520 of the apparatus 500 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like. The non-transitory computer readable storage medium, when executed by a processor of a terminal device, enables the electronic device to perform the method performed by the terminal device or the host.
The present application also provides a computer program product comprising a computer program which, when executed by a processor, performs the method described above for a terminal device or a host.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A data access method is applied to a terminal device, wherein the terminal device runs with a Trusted Execution Environment (TEE), and the method comprises the following steps:
when the terminal device detects a target event, extracting the latest first N pieces of position information associated with the target event from the acquired track information of the terminal device in the TEE, wherein N is a positive integer;
the terminal device performs hash calculation on a set bloom filter in the TEE to obtain a first hash value, and signs the first hash value by using a private key, wherein the bloom filter records each position information of the track information;
the terminal equipment sends an access request to a host, wherein the access request carries the bloom filter, the signed first hash value and the first N position information;
and the terminal equipment receives the data sent after the host computer verifies the access request.
2. The method of claim 1, wherein prior to the extracting the top-most N location information associated with the target event, the method further comprises:
periodically acquiring the position information of the terminal equipment by a position sensor of the terminal equipment, wherein the acquired position information is collected as track information of the terminal equipment;
the terminal equipment acquires the position information acquired by the position sensor by using a position acquisition unit positioned on the TEE;
and the terminal equipment records each piece of position information by using the bloom filter positioned in the TEE.
3. The method of claim 2, wherein the terminal device records each of the location information using the bloom filter located in the TEE, comprising:
when the terminal equipment acquires one piece of position information at the position acquisition unit, inserting the acquired position information into a preset bloom filter at the TEE;
and the terminal equipment controls the data related to the acquired position information in the bloom filter to change so as to record the position information.
4. The method according to claim 1, wherein each of the position information in the trajectory information includes a count value, wherein the count value is used to indicate a timing at which the corresponding position information is acquired.
5. The method according to claim 1, wherein the terminal device, when detecting a target event, extracts, in the TEE, the top N most recent location information associated with the target event from the acquired trajectory information of the terminal device, including:
when the terminal device detects the target event, generating a request packet for requesting to access a host, wherein the request packet is associated with an identifier of the host to be accessed;
and the terminal equipment extracts the first N pieces of position information closest to the target event from the acquired track information of the terminal equipment in the TEE according to the identification of the host, wherein N is a positive integer.
6. A data access method, applied to a host, the method comprising:
the host receives an access request from a terminal device, wherein the access request carries a bloom filter, a signed first hash value and the first N pieces of position information in the track information of the terminal device, and N is a positive integer;
the host verifies the first hash value of the signature by using a preset public key;
when the first hash value of the signature passes verification, the host computer detects whether the first N pieces of position information are recorded in the bloom filter;
if the first N position information is recorded in the bloom filter, the host verifies whether the first N position information is credible;
and when the first N position information is credible, the host sends the data associated with the access request to the terminal equipment.
7. The method of claim 6, wherein each of the location information in the trajectory information comprises a count value, wherein a count value is used to indicate a timing at which the corresponding location information is acquired.
8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, causes the electronic device to perform the method of any of claims 1 to 7.
9. A computer-readable storage medium, in which a computer program is stored which, when executed by a processor, causes a computer to carry out the method according to any one of claims 1 to 7.
10. A computer program product, comprising a computer program which, when executed, causes a computer to perform the method of any one of claims 1 to 7.
CN202210815915.2A 2022-07-12 2022-07-12 Data access method and electronic equipment Pending CN115186280A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210815915.2A CN115186280A (en) 2022-07-12 2022-07-12 Data access method and electronic equipment

Publications (1)

Publication Number Publication Date
CN115186280A true CN115186280A (en) 2022-10-14

Family

ID=83516503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210815915.2A Pending CN115186280A (en) 2022-07-12 2022-07-12 Data access method and electronic equipment

Country Status (1)

Country Link
CN (1) CN115186280A (en)

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination