CN115276982A - Ethernet workshop key management method and system based on SGX - Google Patents

Ethernet workshop key management method and system based on SGX Download PDF

Info

Publication number
CN115276982A
CN115276982A CN202210906257.8A CN202210906257A CN115276982A CN 115276982 A CN115276982 A CN 115276982A CN 202210906257 A CN202210906257 A CN 202210906257A CN 115276982 A CN115276982 A CN 115276982A
Authority
CN
China
Prior art keywords
key
transaction
module
signature
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210906257.8A
Other languages
Chinese (zh)
Other versions
CN115276982B (en
Inventor
任正伟
贺广鑫
余易晋
张凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Science and Engineering WUSE
Original Assignee
Wuhan University of Science and Engineering WUSE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Science and Engineering WUSE filed Critical Wuhan University of Science and Engineering WUSE
Priority to CN202210906257.8A priority Critical patent/CN115276982B/en
Publication of CN115276982A publication Critical patent/CN115276982A/en
Application granted granted Critical
Publication of CN115276982B publication Critical patent/CN115276982B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an Ethernet shop key management method and system based on SGX.A key management end is arranged to comprise a key generation and management module, a key transfer module, a transaction signature module and a data transfer module, and a transaction processing end comprises a transaction initialization module and a transaction processing module; the key generation and management module generates a public key and a private key of the Ethengfang user side, performs sealing and unsealing operations on the private key, completes local access of the key through the key transfer module, and transmits the private key to the transaction signature module; the transaction initialization module generates initialized Ether shop transaction information which is transmitted to the transaction signature module through the data transfer module; the transaction signature module signs the initialization information by using a private key and transmits the signature to the transaction processing module through the data transfer module; and the transaction processing module processes the signature result and submits the transaction to an Ether house transaction pool. The invention can effectively improve the safety of the Ethernet user key in the generation, storage and use processes without influencing the normal function of the Ethernet.

Description

Ethernet workshop key management method and system based on SGX
Technical Field
The invention relates to the technical field of computer information security, which mainly comprises the steps of managing a public and private key of an Etherhouse user side by utilizing an SGX (secure gateway), realizing public and private key generation and transaction signature of the Etherhouse user side in an Enclave of the SGX, and storing a private key in an untrusted file system in a sealing manner, thereby improving the security of the Etherhouse user side key in the processes of generation, storage and use.
Background
As a specific block chain system, an Ethenhouse is a distributed public account book which is commonly maintained by a plurality of nodes, has the characteristics of decentralization, no tampering, traceability, openness and transparency and the like, and has great application value in many scenes.
In the EtherFang application, the digital assets and the protection mode are integrated into a circulated encrypted digital rights certificate, and the user side can operate the digital assets only when the user side possesses the password or the private key corresponding to the digital assets. In the current market, most clients use wallet software to manage their etherhouse passwords or private keys and thus manage their etherhouse digital assets. However, current wallet software tends to be biased towards convenience in use, and security is less considered, that is, these wallet software tends to generate a public and private key of an ethernet user terminal in a common operating system environment, sign a transaction using the private key of the ethernet user terminal in the common operating system environment, and the like. That is, the protection strength of the existing wallet software on the secret key of the ethernet user side is not enough, and if malicious software resides in the operating system, the possibility that the private key of the ethernet user side is stolen is greatly increased. Once the private key of the Etheng user side is stolen, an attacker can transfer the digital assets of the Etheng user side; moreover, once the transaction of the transferred asset is confirmed by the etherhouse, the etherhouse user end will forever lose that portion of the digital asset without forced intervention by the etherhouse community. Therefore, it is necessary to manage the keys of the ethernet user side securely.
Intel Software Guard Extensions, SGX for short, is a set of instructions for enhancing the security of application code and data. The SGX may create a protected and secure memory area, called Enclave (secure area), and place the private information to be protected and the operation instruction for the private information into the Enclave. The security boundary of Enclave only contains the CPU and itself, and no other applications running in the system (including the operating system itself and other privileged software) can access Enclave. The interaction between Enclave and the common application memory area is controlled by SGX, so that the attack of malicious software in the system is avoided, and the integrity and confidentiality of data and calculation are protected.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an Ethernet workshop key management method and system based on SGX, the method and system can effectively improve the security of Ethernet user side keys in the processes of generation, storage and use, and the normal functions of the Ethernet workshop cannot be influenced, namely, the transaction based on the method and system can still be verified and accepted by the Ethernet workshop.
The technical scheme adopted by the invention for solving the technical problems is an Ethernet gateway key management method based on SGX, a key management end is arranged to comprise a key generation and management module KGMM, a key transfer module KTM, a transaction signature module TxSM and a data transfer module DTM, and a transaction processing end comprises a transaction initialization module TxIM and a transaction processing module TxPM;
the key generation and management module KGMM generates a public key and a private key of the Ethernet workshop user side, the private key of the Ethernet workshop user side is sealed and unsealed, local access of the key is completed through the key transfer module KTM, and the private key of the Ethernet workshop user side is transmitted to the transaction signature module TxSM;
the transaction initialization module TxIM generates initialized Ether shop transaction information and transmits the transaction information to the transaction signature module TxSM through the data transfer module DTM;
the transaction signature module TxSM signs the initialized Ethernet workshop transaction information by using a private key of the Ethernet workshop user side, and transmits a signature result to the transaction processing module TxPM through the data transfer module DTM;
the transaction processing module TxPM processes the signature result to enable the signature result to meet the Ethernet workshop transaction specification, and finally submits the processed Ethernet workshop transaction to an Ethernet workshop transaction pool;
the key management process includes the following steps,
1) The Ethenhouse user side generates a public and private key pair meeting the Ethenhouse specification in the Enclave of the key management side, calculates the Ethenhouse account address by using the public key, performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system;
2) When an ether house transaction needs to be initiated, the user side generates initialized ether house transaction information at the transaction processing end and sends the initialized transaction information to the key management end;
3) At a key management end, a user side acquires a sealed private key from a local file system, recovers the private key and checks the correctness of the private key;
4) At a key management end, a user end signs the Etheng transaction information by using a private key, returns a signature result to a transaction processing end, then performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system;
5) And at the transaction processing end, the user end processes the signature result to enable the signature result to meet the specification of the Ether house, and submits the processed transaction information to the Ether house transaction pool.
Moreover, step 1) implementation includes the following sub-steps,
1-1) a key generation and management module KGMM generates a pair of public and private keys (pk, sk) meeting the specification;
1-2) the key generation and management module KGMM converts the public key pk into an Ethernet house account address;
1-3) a key generation and management module KGMM verifies whether a public key (pk, sk) and an account address are matched, if the verification fails, the key generation error information is returned, and 1-1) is carried out; otherwise, turning to 1-4); 1-4) the secret key generation and management module KGMM carries out sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key Seal are usedskTransmitting to a key transfer module KTM;
1-5) Key transfer Module KTM will pk and SealskStored in the local file system.
Moreover, step 2) implementation includes the following sub-steps,
2-1) the user end inputs the transaction information;
2-2) the transaction initialization module TxIM fills the transaction information input by the user side into an initialized Ethenhouse transaction data structure, so as to generate initialized transaction information Tx, and transmits Tx to the data transfer module DTM;
2-3) the data transfer module DTM transmits the initialized transaction information Tx to the transaction signature module TxSM.
Moreover, step 3) implementation includes the following sub-steps,
3-1) a key transfer module KTM acquires a public key pk of a user side and a sealed private key Seal from a local file systemskAnd put pk and SealskTransmitting to a key generation and management module KGMM;
3-3) the KGMM checks the correctness of the sk, including taking the private key sk as input, calculating a corresponding public key value pk 'and checking whether pk' is matched with the public key value pk obtained from the local file system; if pk' is not matched with pk, the private key is failed to be unsealed, and the key loading error information is returned; otherwise, KGMM transmits the private key sk to the transaction signature module TxSM.
Moreover, step 4) implementation includes the following sub-steps,
4-1) after receiving the transaction information Tx and the user side private key sk, the transaction Signature module TxSM signs the Tx to obtain a Signature result Signature; 4-2) the TxSM checks whether the last 32 bytes of the Signature are smaller than half of secp256k1.Size, if yes, the TxSM transmits the Signature to a data transfer module DTM, and if not, the TxSM transfers the Signature to 4-1);
4-3) the DTM returns the Signature to a transaction processing module TxPM of the transaction processing end;
4-4) the secret key generation and management module KGMM carries out sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key Seal are usedskTransmitting to a key transfer module KTM;
4-5) secret key transfer module KTM transfers pk and SealskStored in the local file system.
On the other hand, the invention provides an ethernet shop key management system based on SGX, which is used for implementing the ethernet shop key management method based on SGX.
Furthermore, the SGX-based ethernet room key management system comprises a processor and a memory, wherein the memory is used for storing program instructions, and the processor is used for calling the stored instructions in the memory to execute the SGX-based ethernet room key management method.
Alternatively, a readable storage medium is included, on which a computer program is stored, which when executed, implements an SGX-based ethernet house key management method as described above.
Compared with the prior art, the invention has the following main advantages:
(1) The SGX technology is applied to key management of an EtherFang, a credible execution environment Enclave is constructed by utilizing the SGX technology, and generation, sealing and decryption of a public key and a private key of a user side are all carried out in the Enclave, so that the key is effectively protected, and the safe storage of the private key is realized.
(2) The SGX technology is applied to the transaction of an EtherFang, a credible execution environment Enclave is constructed by utilizing the SGX technology, and the signature of transaction information by using a private key is carried out in the Enclave, so that the safety of a secret key in the using process can be effectively protected.
In a word, the invention realizes a method and a system for managing the Ethernet house key by utilizing SGX and web3.Js, can effectively improve the security of the Ethernet house user side key in the processes of generation, storage and use, and can realize normal Ethernet house transaction functions including key generation, transaction processing and transaction submission.
Drawings
Fig. 1 is a diagram of an SGX-based ethernet key management system framework according to an embodiment of the present invention.
Fig. 2 is a flowchart of the work flow of the SGX-based ethernet house key management system according to the embodiment of the present invention.
FIG. 3 is a flowchart of key generation and secure storage according to an embodiment of the present invention.
FIG. 4 is a flow diagram of transaction signature flow according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made with reference to the accompanying drawings.
The implementation of the Ethernet shop key management system based on SGX provided by the embodiment of the invention comprises two parts: a key management end and a transaction processing end. The key management end realizes the generation, storage and use of the key (namely, the transaction information is signed by a private key), and the transaction processing end realizes the generation of the initialized transaction information, the processing of the Ethenhouse transaction information and the submission of the Ethenhouse transaction. At the key management end, the invention constructs a Trusted Execution Environment (TEE) based on Intel SGX, and in the SGX technology, the TEE is Enclave. Private information and related operations are carried out in the envelope, and the private information comprises the steps of generating, sealing and unsealing a public key and a private key, signing initialized Etherhouse transaction information by using the private key and the like; other operations that do not affect the security of transaction privacy are performed in a common Environment called REE (Rich Execution Environment), including access to local file systems, network interaction, etc. The interaction of REE with Enclave is controlled by SGX to ensure that REE does not destroy Enclave and its data and application integrity and confidentiality. The transaction processing terminal of the invention is realized based on web3. Js. Js is a JavaScript library that can interact with the etherhouse, and it can interact with the etherhouse through JSON RPC (Remote Process Call). The transaction processing end of the invention sends a request for reading and writing data to the nodes in the Etherhouse through JSON RPC.
The system implementation of the technical scheme comprises the following functional modules: a Key Generation and Management Module (KGMM), a Key Transfer Module (KTM), a Transaction Signature Module (TxSM), a Data Transfer Module (DTM), a Transaction initiation Module (TxIM), and a Transaction Processing Module (TxPM). The key management end comprises a key generation and management module KGMM, a key transfer module KTM, a transaction signature module TxSM and a data transfer module DTM, and the transaction processing end comprises a transaction initialization module TxIM and a transaction processing module TxPM. Wherein:
the key generation and management module KGMM, the key transfer module KTM, the transaction signature module TxSM and the data transfer module DTM are functional modules of a key management end, the key generation and management module KGMM and the transaction signature module TxSM are located in Enclave, and the key transfer module KTM and the data transfer module DTM are located in REE.
The transaction initialization module TxIM and the transaction processing module TxPM are functional modules of the transaction processing end and are positioned in the REE.
The key generation and management module KGMM generates a public key and a private key of the Ethernet workshop user side, the private key of the Ethernet workshop user side is sealed and unsealed, local access of the key is completed through the key transfer module KTM, and the private key of the Ethernet workshop user side is transmitted to the transaction signature module TxSM. The transaction initialization module TxIM generates initialized Ether shop transaction information and transmits the transaction information to the transaction signature module TxSM through the data transfer module DTM. The transaction signature module TxSM uses a private key of the Ethernet workshop user side to sign the initialized Ethernet workshop transaction information, and transmits a signature result to the transaction processing module TxPM through the data transfer module DTM. And the transaction processing module TxPM processes the signature result to enable the signature result to meet the Ethernet workshop transaction specification, and finally submits the processed Ethernet workshop transaction to an Ethernet workshop transaction pool.
In an embodiment, the main functions of the functional modules are further set as follows:
key generation and management module KGMM: generating a user side public and private key pair which accords with the Ethengfang specification, and calculating an account address of the Ethengfang user side through a user side public key; sealing the private key of the user side, interacting with the key transfer module KTM, and transmitting the public key of the user side and the sealed private key of the user side to the KTM; interacting with the KTM, receiving a user side public key and a sealed user side private key transmitted by the KTM, recovering the user side private key, and verifying the correctness of the user side private key; interacting with the transaction signature module TxSM and transmitting the private key of the user side to TxSM.
A secret key transfer module KTM: interacting with a key generation and management module KGMM, and storing a user side public key transmitted by KGMM and a sealed user side private key in a local file system; interacting with a key generation and management module KGMM, and transmitting a user side public key acquired from a local file system and a sealed user side private key to KGMM.
Transaction signature module TxSM: interacting with a key generation and management module KGMM and receiving a user-side private key transmitted by KGMM; interacting with a Data Transfer Module (DTM), and receiving initialized transaction information transmitted by the DTM; interacting with the DTM, and transmitting a signature result of the transaction information to the DTM.
A data transfer module DTM: interacting with a transaction initialization module TxIM, and receiving initialized transaction information transmitted by the TxIM; interacting with a transaction signature module TxSM, and transmitting initialized transaction information to TxSM; interacting with a transaction signature module TxSM, and receiving a signature result of transaction information transmitted by the TxSM; interacting with the transaction processing module TxPM, and transmitting the signature result of the transaction information to the TxPM.
The transaction initialization module TxIM: generating initialized transaction information; and interacting with a Data Transfer Module (DTM) and transmitting the generated initial transaction information to the DTM.
The transaction processing module TxPM: interacting with a Data Transfer Module (DTM), and receiving a signature result of the transaction information transmitted by the DTM; processing the signature result process of the transaction information to enable the transaction information to meet the Ether shop transaction specification; and submitting the processed transaction information to an Ether house transaction pool.
The embodiment of the invention provides an Ethernet room key management method and system based on SGX, wherein the overall process comprises the following steps: the Ether house user side generates a public key and a private key in the Enclave of the key management side, calculates the Ether house account address by using the public key, seals the private key, and stores the public key and the sealed private key in a local file system. When an ether house transaction needs to be initiated, the user first inputs related transaction information, so as to generate initialized ether house transaction information, and the initialized ether house transaction information is loaded into the envelope. Meanwhile, the user side loads the private key which is hermetically stored in the local file system into the envelope, recovers the private key and verifies the correctness of the private key. After the verification is passed, the user side signs the initialized Ether house transaction information by using the private key of the user side, processes the signature result to enable the signature result to meet the Ether house transaction specification, and finally submits the processed Ether house transaction to an Ether house transaction pool to wait for the confirmation of the Ether house transaction pool.
The structure of the ethernet house key management method and system based on SGX provided by the embodiment of the present invention is shown in fig. 1, and mainly includes the following functional modules:
a Key Generation and Management Module (KGMM), a Key Transfer Module (KTM), a Transaction Signature Module (TxSM), a Data Transfer Module (DTM), a Transaction initiation Module (TxIM), and a Transaction Processing Module (TxPM). Wherein:
the key generation and management module KGMM, the key transfer module KTM, the transaction signature module TxSM and the data transfer module DTM are functional modules of a key management end, the key generation and management module KGMM and the transaction signature module TxSM are located in Enclave, and the key transfer module KTM and the data transfer module DTM are located in REE.
The transaction initialization module TxIM and the transaction processing module TxPM are functional modules of the transaction processing end and are positioned in the REE.
The main functions of the functional modules are as follows:
the key generation and management module KGMM: generating a user side public and private key pair which accords with the Ethengfang standard, and calculating an account address of the Ethengfang user side through a user side public key; sealing the private key of the user side, interacting with the key transfer module KTM, and transmitting the public key of the user side and the sealed private key of the user side to the KTM; interacting with the KTM, receiving the user side public key and the sealed user side private key transmitted by the KTM, recovering the user side private key, and verifying the correctness of the user side private key; interacting with the transaction signature module TxSM and transmitting the private key of the user side to TxSM.
A secret key transfer module KTM: interacting with a key generation and management module KGMM, and storing a user side public key transmitted by KGMM and a sealed user side private key in a local file system; interacting with a key generation and management module KGMM, and transmitting a user side public key obtained from a local file system and a sealed user side private key to KGMM.
Transaction signature module TxSM: interacting with a key generation and management module KGMM and receiving a user-side private key transmitted by KGMM; interacting with a Data Transfer Module (DTM) and receiving initialized transaction information transmitted by the DTM; interacting with the DTM, and transmitting a signature result of the transaction information to the DTM.
A data transfer module DTM: interacting with a transaction initialization module TxIM, and receiving initialized transaction information transmitted by the TxIM; interacting with a transaction signature module TxSM, and transmitting initialized transaction information to TxSM; interacting with a transaction signature module TxSM, and receiving a signature result of transaction information transmitted by the TxSM; interacting with the transaction processing module TxPM, and transmitting the signature result of the transaction information to the TxPM.
The transaction initialization module TxIM: generating initialized transaction information; and interacting with a Data Transfer Module (DTM) and transmitting the generated initial transaction information to the DTM.
The transaction processing module TxPM: interacting with a Data Transfer Module (DTM) and receiving a signature result of the transaction information transmitted by the DTM; processing the signature result process of the transaction information to enable the transaction information to meet the Ether shop transaction specification; and submitting the processed transaction information to an Ether house transaction pool.
0. The system work flow is shown in fig. 2, and includes the following steps:
1) The Ethenhouse user side generates a public and private key pair meeting the Ethenhouse specification in the Enclave of the key management side, calculates the Ethenhouse account address by using the public key, performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system.
2) When an ether house transaction needs to be initiated, the user side generates initialized ether house transaction information at the transaction processing end and sends the initialized transaction information to the key management end.
3) At the key management end, the user end obtains the sealed private key from the local file system, recovers the private key and checks the correctness of the private key.
4) At the key management end, the user end signs the Ether shop transaction information by using the private key, returns the signing result to the transaction processing end, then performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system.
5) And at the transaction processing end, the user end processes the signature result to enable the signature result to meet the specification of the Ether house, and submits the processed transaction information to the Ether house transaction pool.
The present invention and the above system work flow are further explained with reference to the attached drawings.
1. And a key generation stage:
the above system work flow 1) is the generation stage of the key at the ethernet user side. The generation of public and private keys and account addresses of a user side and the safe storage of the keys in the local are mainly completed in the stage, the process is shown in fig. 3, an etherhouse user side generates a public and private key pair meeting etherhouse specifications in Enclave of a key management side, the etherhouse account address is calculated by using a public key, the private key is sealed, and the public key and the sealed private key are stored in a local file system, and the implementation mode mainly comprises the following steps:
1-1) Key Generation and management Module KGMM generates a pair of public and private keys (pk, sk) that meet the ECDSA-secp256k1 specification. The public key pk is 64 bytes long, and the private key sk is 32 bytes long. The process directly calls the wc _ ecc _ make _ key _ ex () method provided by the wolfSSL library, and the used curve is the secp256k1 curve.
1-2) the key generation and management module KGMM converts the public key pk into the address of the Ethernet account. The length of the address is 20 bytes. The process uses the ecc _ getaddress () method customized by this patent. The specific implementation manner of the ecc _ getaddress () method is to calculate the Keccak256 hash value of the ecc _ getaddress () method by using the public key pk, and then combine "0x" with the last 20 bits of the hash value to obtain the account address.
1-3) the key generation and management module KGMM verifies whether the public and private keys (pk, sk) are matched with the account address, i.e. whether the public and private keys (pk, sk) meet the Etherhouse specification. The process uses the ecc _ verify _ key () method customized by the patent. The specific implementation manner of the ecc _ verify _ key () method is to calculate a public key and an address through a private key and then perform matching verification with the previous pk and address. If the verification fails, returning a key to generate error information, and turning to 1-1); otherwise, turn 1-4).
1-4) the key generation and management module KGMM calls a library function SGX _ Seal _ data () provided by Intel SGX SDK (Software Development Kit) to perform sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key SealskAnd transmits the key to a key transfer module KTM.
1-5) Key transfer Module KTM will pk and SealskStored in the local file system.
2. A transaction signature stage:
2) -4) in the system workflow, signing the Ethengfang transaction for the user end. In this stage, generation of initialized ethernet transaction information and signature of the transaction information are mainly completed, and the process is shown in fig. 4 and mainly includes the following steps:
when an Ethernet shop transaction needs to be initiated, the user side generates initialized Ethernet shop transaction information at the transaction processing end and sends the initialized transaction information to the key management end, and the implementation mode comprises the following substeps:
2-1) the user inputs his transaction information including gasrice (i.e. the unit price the user is willing to pay for Gas per unit), gasLimit (i.e. the maximum amount of Gas the user can consume to specify his transaction), value (i.e. the transaction amount), data (i.e. the data to be transferred that is incidental to the transaction initiated by the user), to (i.e. the destination address of the transfer).
2-2) the transaction initialization module TxIM fills the transaction information input by the user side into an initialized ethernet transaction data structure, so as to generate initialized transaction information Tx, and transmits the Tx to the data transfer module DTM. The initialized etherhouse transaction data structure is shown in table 1, where the Nonce value is obtained from the web3.Eth. Gettransactionincount () method provided by the TxIM calling the web3.Js library and the chainld value is obtained from the function web3.Eth. Net. Getid () method provided by the TxIM calling the web3.Js library.
Table 1 initialized Ether house transaction structure parameter table
Figure BDA0003772578980000081
Figure BDA0003772578980000091
2-3) the data transfer module DTM transmits the initialized transaction information Tx to the transaction signature module TxSM.
At a key management end, a user side acquires a sealed private key from a local file system, recovers the private key and checks the correctness of the private key, and the implementation mode comprises the following substeps:
3-1) a key transfer module KTM acquires a public key pk of a user side and a sealed private key Seal from a local file systemskAnd adding pk and SealskTo the key generation and management module KGMM.
3-2) KGMM Call sgx _ unseal _ data () method from SealskAnd recovering the private key sk.
3-3) KGMM checks the correctness of sk. The specific inspection mode is as follows: the private key sk is used as input, and the corresponding public key value pk' is calculated by using the self-defined to _ pubkey () method of the patent. the specific implementation of the to _ pubkey () method is to map the private key to the public key using the ECDSA-secp256k1 algorithm, and then check if pk' matches the public key value pk obtained from the local file system. If pk' is not matched with pk, the private key is failed to be unsealed, and the key loading error information is returned; otherwise, the private key is decrypted successfully, and the KGMM transmits the private key sk to the transaction signature module TxSM.
At a key management end, a user end signs the Etheng transaction information by using a private key, returns a signature result to a transaction processing end, then performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system, and the implementation mode comprises the following substeps:
4-1) after receiving the transaction information Tx and the user side private key sk, the transaction Signature module TxSM signs the Tx to obtain a Signature result Signature. Specifically, the TxSM called method provides a crypto _ ecc _ sign () function for the wolfSSL library, and the crypto _ ecc _ sign () method calls a relevant parameter of the secp256k1 algorithm to generate a signature result.
4-2) TxSM checks whether the last 32 bytes of Signature are less than half of secp256k1.Size (secp256k1. Size is the parameter specified by the curve secp256k 1). If the last 32 bytes of the Signature are smaller than half of secp256k1.Size, the TxSM transmits the Signature to a data transfer module DTM; otherwise, the last 32 bytes of the Signature are indicated to appear on the wrong side of the elliptic curve, and 4-1) conversion is needed to recalculate the Signature.
4-3) the DTM returns the Signature to a transaction processing module TxPM of the transaction processing end.
4-4) the key generation and management module KGMM calls the library function SGX _ Seal _ data () method provided by Intel SGX SDK to perform sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key SealskAnd transmits the key to a key transfer module KTM.
4-5) secret key transfer module KTM transfers pk and SealskStored in the local file system.
3. A transaction submission stage:
5) in the system work flow is a stage that the user side submits the transaction to the Etherhouse transaction pool. The stage mainly completes the processing of the signature result and the submission of the transaction, and mainly comprises the following steps:
5-1) after receiving the Signature result Signature, the transaction processing module TxPM processes the Signature result, and fills the processed information into a standard EtherFang transaction Signature structure body shown in a table 2. The specific treatment process comprises the following steps: the TxPM takes the first 32 bytes of Signature as the R value of the Ether house transaction Signature structure, and takes the last 32 bytes of Signature as the S value of the Ether house transaction Signature structure.
Table 2 trade signature structure parameter table
Transaction structureBody parameter Meaning of parameters
Nonce The Nonce value is incremented by 1 each time the client initiates a transaction
gasPrice The user's willing to pay a unit price per unit of Gas
gasLimit The user end designates the maximum Gas quantity which can be consumed by the user end in the transaction
value Amount of transaction
data User end initiates transaction to transmit data
to Destination address of transfer
R The first 32 bytes of the signature result
S The last 32 bytes of the signature result
V Parameters for recovering addresses
chainId Chain parameters
5-2) the TxPM takes the hash value of Tx as input, calls the util. Erecover () method provided by the web3.Js library to calculate an address ', and compares the address' with the address. If the address' is the same as the address, setting the recid (the recid is a temporary variable used for calculating V in the Ether house transaction signature structure) to be 0, otherwise, setting the recid to be 1.TxPM calculates V in the transaction signature structure as follows: v = recid + chainId + 2+35.
5-3) copying the Nonce, gasSource, gasLimit, value, data, to and chainId in the initialized EtherFang transaction structure into an EtherFang transaction signature structure by the TxPM.
5-4) the TxPM calls a tx. Serialize () method provided by a web3.Js library to perform serialization processing on the EtherFang trade signature structure.
5-5) the TxPM calls a web3.Eth. SendSignedTransaction () method provided by the web3.Js library to broadcast the serialized transaction to an Etherhouse transaction pool and wait for the Etherhouse to confirm the transaction.
In specific implementation, a person skilled in the art can implement the automatic operation process by using a computer software technology, and a system device for implementing the method, such as a computer-readable storage medium storing a corresponding computer program according to the technical solution of the present invention and a computer device including a corresponding computer program for operating the computer program, should also be within the scope of the present invention.
In some possible embodiments, an SGX-based ethernet house key management system is provided, which includes a processor and a memory, where the memory is used to store program instructions, and the processor is used to call the storage instructions in the memory to execute an SGX-based ethernet house key management method as described above.
In some possible embodiments, an SGX-based ethernet lane key management system is provided, which includes a readable storage medium, where a computer program is stored, and when the computer program is executed, the SGX-based ethernet lane key management method is implemented.
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments, or alternatives may be employed, by those skilled in the art, without departing from the spirit or ambit of the invention as defined in the appended claims.

Claims (8)

1. An Ethernet shop key management method based on SGX is characterized by comprising the following steps: the method comprises the steps that a key management end is arranged and comprises a key generation and management module KGMM, a key transfer module KTM, a transaction signature module TxSM and a data transfer module DTM, and a transaction processing end comprises a transaction initialization module TxIM and a transaction processing module TxPM;
the key generation and management module KGMM generates a public key and a private key of the Ethernet workshop user side, the private key of the Ethernet workshop user side is sealed and unsealed, local access of the key is completed through the key transfer module KTM, and the private key of the Ethernet workshop user side is transmitted to the transaction signature module TxSM;
the transaction initialization module TxIM generates initialized Ether shop transaction information and transmits the transaction information to the transaction signature module TxSM through the data transfer module DTM;
the transaction signature module TxSM signs the initialized Ethernet workshop transaction information by using a private key of the Ethernet workshop user side, and transmits a signature result to the transaction processing module TxPM through the data transfer module DTM;
the transaction processing module TxPM processes the signature result to enable the signature result to meet the Ethernet workshop transaction specification, and finally submits the processed Ethernet workshop transaction to an Ethernet workshop transaction pool;
the key management process includes the following steps,
1) The Ethenhouse user side generates a public and private key pair meeting the Ethenhouse specification in the Enclave of the key management side, calculates the Ethenhouse account address by using the public key, performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system;
2) When an ether house transaction needs to be initiated, the user side generates initialized ether house transaction information at the transaction processing end and sends the initialized transaction information to the key management end;
3) At a key management end, a user side acquires a sealed private key from a local file system, recovers the private key and checks the correctness of the private key;
4) At a key management end, a user end signs the Etheng transaction information by using a private key, returns a signature result to a transaction processing end, then performs sealing operation on the private key, and stores the public key and the sealed private key in a local file system;
5) And at the transaction processing end, the user end processes the signature result to enable the signature result to meet the specification of the Ether house, and submits the processed transaction information to the Ether house transaction pool.
2. The SGX-based ethernet house key management method of claim 1, wherein: step 1) implementation includes the following sub-steps,
1-1) a key generation and management module KGMM generates a pair of public and private keys (pk, sk) satisfying the specification;
1-2) the key generation and management module KGMM converts the public key pk into an Ethernet house account address;
1-3) verifying whether a public and private key (pk, sk) is matched with an account address by a key generation and management module KGMM, if the verification fails, returning key generation error information, and turning to 1-1); otherwise, turning to 1-4); 1-4) the secret key generation and management module KGMM carries out sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key SealskTransmitting to a key transfer module KTM;
1-5) Key transfer Module KTM will pk and SealskStored in the local file system.
3. The ethernet workshop key management method based on SGX of claim 2, wherein: step 2) the implementation comprises the following sub-steps,
2-1) the user inputs the transaction information;
2-2) the transaction initialization module TxIM fills the transaction information input by the user side into an initialized Etherhouse transaction data structure, thereby generating initialized transaction information Tx, and transmitting Tx to the data transfer module DTM;
2-3) the data transfer module DTM transmits the initialized transaction information Tx to the transaction signature module TxSM.
4. The SGX-based ethernet house key management method of claim 3, wherein: step 3) the implementation comprises the following sub-steps,
3-1) a key transfer module KTM acquires a public key pk of a user side and a sealed private key Seal from a local file systemskAnd put pk and SealskTransmitting to a key generation and management module KGMM;
3-3) the KGMM checks the correctness of the sk, including taking the private key sk as input, calculating a corresponding public key value pk 'of the private key sk, and checking whether the pk' is matched with the public key value pk obtained from the local file system; if pk' is not matched with pk, the unsealing of the private key is failed, and the key loading error information is returned; otherwise, KGMM transmits the private key sk to the transaction signature module TxSM.
5. The SGX-based Etherhouse key management method according to claim 4, wherein: step 4) the implementation comprises the following sub-steps,
4-1) after receiving the transaction information Tx and the user side private key sk, the transaction Signature module TxSM signs Tx to obtain a Signature result Signature; 4-2) the TxSM checks whether the last 32 bytes of the Signature are smaller than half of secp256k1.Size, if yes, the TxSM transmits the Signature to a data transfer module DTM, and if not, the TxSM transfers the Signature to 4-1);
4-3) the DTM returns the Signature to a transaction processing module TxPM of the transaction processing end;
4-4) the secret key generating and managing module KGMM performs sealing operation on the private key sk to obtain SealskAnd the public key pk and the sealed private key SealskTransmitting to a key transfer module KTM;
4-5) secret key transfer module KTM transfers pk and SealskStored in the local file system.
6. An Ethernet shop key management system based on SGX is characterized in that: for implementing an SGX-based etherhouse key management method according to any of claims 1 to 5.
7. The SGX-based etherhouse key management system of claim 6, wherein: comprising a processor and a memory, the memory for storing program instructions, the processor for invoking the stored instructions in the memory to perform a SGX-based etherhouse key management method according to any one of claims 1 to 5.
8. The SGX-based ethernet house key management system of claim 6, wherein: comprising a readable storage medium having stored thereon a computer program which, when executed, implements a SGX-based etherhouse key management method according to any one of claims 1 to 5.
CN202210906257.8A 2022-07-29 2022-07-29 SGX-based Ethernet key management method and system Active CN115276982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210906257.8A CN115276982B (en) 2022-07-29 2022-07-29 SGX-based Ethernet key management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210906257.8A CN115276982B (en) 2022-07-29 2022-07-29 SGX-based Ethernet key management method and system

Publications (2)

Publication Number Publication Date
CN115276982A true CN115276982A (en) 2022-11-01
CN115276982B CN115276982B (en) 2024-04-16

Family

ID=83770381

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210906257.8A Active CN115276982B (en) 2022-07-29 2022-07-29 SGX-based Ethernet key management method and system

Country Status (1)

Country Link
CN (1) CN115276982B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118520506A (en) * 2024-07-23 2024-08-20 浙江大学 Intel SGX-based Ethernet privacy protection transaction pre-execution system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020098377A1 (en) * 2018-11-16 2020-05-22 阿里巴巴集团控股有限公司 Remote attestation method and apparatus for trusted application program, and electronic device
CN112613048A (en) * 2020-12-18 2021-04-06 武汉科技大学 Secret key use frequency management method and system based on SGX in cloud storage mode
KR20210103615A (en) * 2020-02-13 2021-08-24 경기대학교 산학협력단 Blockchain-based user authentication model
CN113645036A (en) * 2021-06-11 2021-11-12 东南大学 Ether shop transaction privacy protection method based on ring signature and intelligent contract

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020098377A1 (en) * 2018-11-16 2020-05-22 阿里巴巴集团控股有限公司 Remote attestation method and apparatus for trusted application program, and electronic device
KR20210103615A (en) * 2020-02-13 2021-08-24 경기대학교 산학협력단 Blockchain-based user authentication model
CN112613048A (en) * 2020-12-18 2021-04-06 武汉科技大学 Secret key use frequency management method and system based on SGX in cloud storage mode
CN113645036A (en) * 2021-06-11 2021-11-12 东南大学 Ether shop transaction privacy protection method based on ring signature and intelligent contract

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李嶒;: "基于以太坊平台的DNS设计与实现", 黄河科技学院学报, no. 02, 10 February 2020 (2020-02-10) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118520506A (en) * 2024-07-23 2024-08-20 浙江大学 Intel SGX-based Ethernet privacy protection transaction pre-execution system

Also Published As

Publication number Publication date
CN115276982B (en) 2024-04-16

Similar Documents

Publication Publication Date Title
CN109716375B (en) Block chain account processing method, device and storage medium
JP4916584B2 (en) Method for secret sealing about the calling program
KR100996784B1 (en) Saving and retrieving data based on public key encryption
WO2020073513A1 (en) Blockchain-based user authentication method and terminal device
US7953977B2 (en) Security and ticketing system control and management
CN111460525B (en) Block chain-based data processing method, device and storage medium
CN111931158A (en) Bidirectional authentication method, terminal and server
US8868910B2 (en) Elliptic curve cryptographic signature
CA2425006C (en) Saving and retrieving data based on symmetric key encryption
KR102329221B1 (en) Blockchain-based user authentication model
Devanbu et al. Stack and queue integrity on hostile platforms
CN115276982B (en) SGX-based Ethernet key management method and system
CN115580413A (en) Zero-trust multi-party data fusion calculation method and device
EP3980911A1 (en) Trusted device and computing system
CN117332440A (en) Privacy calculation data verification method, device, equipment and storage medium
Ren et al. An Sgx-Based Key Protection Solution for Ethereum Blockchain
CN118332566A (en) TEE-based chain-up and chain-down safe and reliable collaborative computing method and device
CN116743391A (en) Tamper-proof method and device for request parameters, computer equipment and storage medium
Young A weakness in smart card PKI certification
CN110059489A (en) Safe electronic equipment
Malipatlolla Sustainable Trusted Computing: A Novel Approach for a Flexible and Secure Update of Cryptographic Engines on a Trusted Platform Module

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant