CN115225285A - Trusted execution environment-based data security uplink implementation method - Google Patents
Trusted execution environment-based data security uplink implementation method Download PDFInfo
- Publication number
- CN115225285A CN115225285A CN202210845825.8A CN202210845825A CN115225285A CN 115225285 A CN115225285 A CN 115225285A CN 202210845825 A CN202210845825 A CN 202210845825A CN 115225285 A CN115225285 A CN 115225285A
- Authority
- CN
- China
- Prior art keywords
- data
- signature
- calculation
- execution environment
- trusted execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/127—Trusted platform modules [TPM]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A data security chain linking implementation method based on a trusted execution environment is characterized in that data are acquired from an external data source through the trusted execution environment, data calculation is completed according to calculation logic, a digital signature is generated according to the calculation result to guarantee the credibility of the calculation result, and then the signature of the whole trusted execution environment is generated to guarantee the credibility of the calculation logic; and finally, pushing the calculation result and the corresponding signature to a blockchain system through a blockchain remote interface, wherein the invention utilizes a trusted execution environment to realize the security of the data from the input to the uplink whole process, can realize the safe and trusted uplink process for an external data source, and can ensure that the data is generated by an untampered code according to correct logic through two signatures.
Description
Technical Field
The invention relates to a technology in the field of information security, in particular to a Trusted Execution Environment (TEE) -based method for realizing safe uplink of data.
Background
The trusted execution environment is a computing chip with an internal security protection function, which is embedded in the design, and a unique signature key can be embedded in the chip manufacturing process, wherein the security of the key is determined by the protection mechanism of the chip. The signature key can only be used by programs running in the TEE secure area to generate a signature that can verify its correctness in cooperation with the chip manufacturer. The integrity of the executable program in the TEE safety zone can be verified by using the mechanism, namely, the program is subjected to hash calculation to generate a digital signature, and the signature verifies that the program is not tampered, so that the correctness of the program logic is ensured.
Disclosure of Invention
The invention provides a method for realizing data safe uplink based on a trusted execution environment, aiming at the defects that the prior art does not support customized data processing logic and cannot ensure the safety and the integrity of processed data, and originally acquired data cannot be directly uplink in most application scenes due to the limited throughput rate of a block chain, the trusted execution environment is utilized to realize the safety of data from input to the whole uplink process, the safe uplink process of an external data source can be realized, and the data can be ensured to be generated according to correct logic by an untampered code through two times of signature.
The invention is realized by the following technical scheme:
the invention relates to a data security chain linking method based on a trusted execution environment, which comprises the steps of acquiring data from an external data source through the trusted execution environment, completing data calculation according to calculation logic, generating a digital signature according to the calculation result to ensure the credibility of the calculation result, and generating the signature of the whole trusted execution environment to ensure the credibility of the calculation logic; and finally, pushing the calculation result and the corresponding signature to a block chain system through a block chain remote interface, wherein the specific steps comprise:
step 1) data acquisition: the trusted execution environment accesses any external data source through interfaces such as a network and a bus, and the data source may be different forms such as sensor equipment and network service.
Step 2) data calculation: corresponding data calculation logics are customized according to different applications and data acquisition sources, and the calculation logics comprise different modes such as numerical calculation, logic calculation, artificial intelligence reasoning and the like. The data calculation is timed out or driven by the new data acquired.
Step 3), calculating a result signature: the trusted computing environment generates a pair of public and private keys. The public key is published to the outside in the form of a block chain and the like, the private key is stored in the trusted computing environment, and the data computing result is signed by using the private key. The signature result can be verified by the published public key.
Step 4) calculating an environment signature: the trusted execution environment uses an internal non-modifiable private key in the chip production phase to sign important data such as executable codes loaded in the trusted execution environment and generated public keys. The signature is also appended to the computation results, enabling the user to verify that the computation logic has not been tampered with.
Step 5) remote uplink: the trusted computing environment submits the computation result to be linked up and the corresponding computation result signature and the corresponding computation environment signature to the blockchain system through the remote call interface.
The invention relates to a system for realizing the method, which comprises the following steps: the system comprises a digital signature unit, a calculation logic unit and a data transmission unit which are arranged in a security chip supporting a trusted execution environment, wherein: after the security chip is started, the calculation logic unit enters a security area to carry out initialization, a public and private key pair for data signature is generated, and the built-in private key of the digital signature unit is utilized to complete the signature with the self code of the calculation logic unit and the generated public and private key pair; after initialization is completed, the computing logic unit collects external data and completes data computing according to the computing logic, a computing result is signed according to a generated private key, a program signature and a public key in an initialization stage are attached to the computing result and serve as a complete data packet to be sent to the data transmission unit, and the data transmission unit uploads the complete data packet to the block chain system through a remote interface.
The public and private keys can not read any program of the private key part in the storage and chip, and the signature completed by the private key can be verified under the assistance of a chip manufacturer.
Technical effects
The invention realizes the safe uplink of the collected and calculated data by a two-section signature method. The data acquisition and the computation logic are dynamically loaded through two signatures, so that the logic requirements of different applications are met. In the process, the dynamically loaded program logic passes the built-in key signature verification of the security chip, and the data calculation result of the program logic can be protected by the generated data key signature, so that the pressure of storing a large amount of original data in a block chain is avoided, and the calculation logic and the calculation result can be guaranteed not to be tampered in the whole calculation process.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a flow chart of an embodiment.
Detailed Description
As shown in fig. 1, the present embodiment relates to a data security uplink method based on a trusted execution environment, which includes acquiring data from an external data source through the trusted execution environment, performing data calculation according to a calculation logic, generating a digital signature according to a calculation result to ensure the reliability of the calculation result, and then generating a signature of the entire trusted execution environment to ensure the reliability of the calculation logic; and finally, pushing the calculation result and the corresponding signature to a block chain system through a block chain remote interface.
As shown in fig. 2, the method implemented by the Intel SGX chip in the long-chain system in this embodiment specifically includes:
step 1) an initialization stage: after a pair of public and private keys (pk, sk) for data verification and signature is generated in a security zone through the TEE, a digital signature sigma is completed by using a unique key pair built in the TEE and the loaded code and the generated public key pk.
Step 2) data security uplink execution stage: the TEE waits for acquiring data from a specified data source, completes data calculation according to program logic after the data acquisition is successful, and then completes signature sigma' on a calculation result by using a private key sk; and then the calculation result, the corresponding signature sigma', the public key pk and the signature sigma are used as a data to complete uplink or the public key pk and the digital signature sigma uplink are used as one-time registration after the initialization stage is independently executed, and the registered pk and sigma are repeatedly used as a verification basis in the subsequent execution.
And 3) other users use the pk check data and the corresponding signature sigma' to determine that the data is signed by the sk, and simultaneously, the data can be confirmed to be safe by utilizing a sigma check program under the assistance of the service of the chipmaker and executing the pk in the TEE environment.
Compared with the prior art, the method has the advantages that data acquisition and calculation logic is defined at will, and the final calculation result is guaranteed to be the result of outputting the original data through the credible calculation logic through two times of signature.
The foregoing embodiments may be modified in many different ways by those skilled in the art without departing from the spirit and scope of the invention, which is defined by the appended claims and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Claims (4)
1. A data security chaining method based on a trusted execution environment is characterized in that data are obtained from an external data source through the trusted execution environment, data calculation is completed according to calculation logic, then a digital signature is generated according to the calculation result to guarantee the credibility of the calculation result, and then the signature of the whole trusted execution environment is generated to guarantee the credibility of the calculation logic; and finally, pushing the calculation result and the corresponding signature to a block chain system through a block chain remote interface.
2. The method of claim 1, further comprising the steps of:
step 1) data acquisition: the trusted execution environment accesses an external data source to obtain data;
step 2) data calculation: customizing corresponding data calculation logic according to different applications and data acquisition sources, wherein the data calculation is completed at regular time or is driven by acquired new data;
step 3), calculating a result signature: the trusted computing environment generates a pair of public and private keys, wherein the public key is published to the outside in a blockchain form, the private key is stored in the trusted computing environment, and the data computing result is signed by using the private key; the signature result is verified by the published public key;
step 4) calculating an environment signature: the trusted execution environment uses an internal non-modifiable private key in the chip production phase to sign the executable code loaded in the trusted execution environment and the generated public key, and the signature is also attached to the calculation result to verify that the calculation logic is not tampered;
step 5) remote uplink: the trusted computing environment submits the computation result to be linked up and the corresponding computation result signature and the corresponding computation environment signature to the blockchain system through the remote call interface.
3. A system for implementing the trusted execution environment based secure uplink data method of claim 1 or 2, comprising: the system comprises a digital signature unit, a computational logic unit and a data transmission unit which are arranged in a security chip supporting a trusted execution environment, wherein: after the security chip is started, the calculation logic unit enters a security area to perform initialization, a public and private key pair for data signature is generated, and the code of the calculation logic unit and the signature of the generated public and private key pair are completed by using a built-in private key of the digital signature unit; after initialization is completed, the computing logic unit collects external data and completes data computing according to the computing logic, a computing result is signed according to a generated private key, a program signature and a public key in an initialization stage are attached to the computing result and serve as a complete data packet to be sent to the data transmission unit, and the data transmission unit uploads the complete data packet to the block chain system through a remote interface.
4. The system as claimed in claim 3, wherein the public and private key pair is stored in the chip and cannot be read by any program of the private key part, and the signature completed by the private key can be verified with the help of the chip manufacturer.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210845825.8A CN115225285A (en) | 2022-07-19 | 2022-07-19 | Trusted execution environment-based data security uplink implementation method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210845825.8A CN115225285A (en) | 2022-07-19 | 2022-07-19 | Trusted execution environment-based data security uplink implementation method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115225285A true CN115225285A (en) | 2022-10-21 |
Family
ID=83612047
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210845825.8A Pending CN115225285A (en) | 2022-07-19 | 2022-07-19 | Trusted execution environment-based data security uplink implementation method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115225285A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116308348A (en) * | 2023-02-27 | 2023-06-23 | 广州芳禾数据有限公司 | Machine learning model safe transaction method, system and equipment based on blockchain |
-
2022
- 2022-07-19 CN CN202210845825.8A patent/CN115225285A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116308348A (en) * | 2023-02-27 | 2023-06-23 | 广州芳禾数据有限公司 | Machine learning model safe transaction method, system and equipment based on blockchain |
| CN116308348B (en) * | 2023-02-27 | 2024-01-02 | 广州芳禾数据有限公司 | Machine learning model safe transaction method, system and equipment based on blockchain |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110602052B (en) | Micro-service processing method and server | |
| TWI670621B (en) | Information encryption and decryption method and device | |
| CN105095772B (en) | Method and apparatus for safely saving and restoring computing platform state | |
| JP6401784B2 (en) | Payment authentication system, method and apparatus | |
| CN112200585B (en) | Service processing method, device, equipment and system | |
| US20170222813A1 (en) | Method, device, terminal, and server for a security check | |
| CN114338666B (en) | Verification method, device, equipment and medium for Fabric block chain cross-chain transaction | |
| US20210357198A1 (en) | Controlled scope of authentication key for software update | |
| CN110555309A (en) | Starting method, starting device, terminal and computer readable storage medium | |
| CN112001376B (en) | Fingerprint identification method, device, equipment and storage medium based on open source component | |
| CN115225285A (en) | Trusted execution environment-based data security uplink implementation method | |
| CN113360217A (en) | Rule engine SDK calling method and device and storage medium | |
| CN108092947B (en) | Method and device for identity authentication of third-party application | |
| WO2023001624A1 (en) | Securely executing software based on cryptographically verified instructions | |
| WO2022222437A1 (en) | Script verification method, script signing method, and computing device | |
| CN109657454B (en) | Trusted verification method for android application based on TF (TransFlash) cryptographic module | |
| CN111260080A (en) | Process optimization method, device, terminal and storage medium based on machine learning | |
| CN112398861A (en) | Encryption system and method for sensitive data in web configuration system | |
| US11689374B1 (en) | Blockchain-enhanced proof of identity | |
| JP2017055368A (en) | Cryptographic data processing method, cryptographic data processing system, cryptographic data processing device, and cryptographic data processing program | |
| CN113379019B (en) | Verification code generation method and device, storage medium and electronic equipment | |
| CN115203674A (en) | Automatic login method, system, device and storage medium for application program | |
| CN112150151B (en) | Secure payment method, apparatus, electronic device and storage medium | |
| CN115185551A (en) | Application program installation method, device, system and storage medium | |
| CN104102538A (en) | Information processing method and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |