CN115412378B - Credibility authentication method and device for private data and financial private data related service - Google Patents

Info

Publication number: CN115412378B
Application number: CN202211360570.2A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115412378A (en)
Prior art keywords: hash, service, data, algorithm, information set
Inventors: 黎家诚, 王帅, 王爽, 郑灏, 李帜
Current assignee: Hangzhou Weiwei Information Technology Co ltd
Original assignee: Beijing Nuowei Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information: the source of the received data
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention relates to the technical field of privacy data processing, in particular to a credible authentication method and a credible authentication device for related services of privacy data and financial privacy data, wherein the credible authentication method for the related services of the privacy data comprises the following steps: receiving authentication information uploaded by a service provider; verifying the authentication information to determine a final verification result; and when the final verification result is that the verification is passed, sending a service certificate to the service providing end, so that the service providing end provides the privacy data related service to the client according to the service certificate. According to the technical scheme of the embodiment of the invention, the service of the service provider is monitored by the service monitoring terminal, the service of the service provider is authenticated by the authentication certificate, so that the high-efficiency monitoring of a third party is realized, a specific authentication mode is provided, the hash values of the algorithm and the data source are separated in the authentication process, the authentication failure caused by newly added content is avoided, and the method has higher flexibility and higher efficiency compared with the prior art.

Description

Credibility authentication method and device for private data and financial private data related service
Technical Field
The embodiment of the invention relates to the technical field of privacy data processing, in particular to a trusted authentication method and device for privacy data and financial privacy data related services.
Background
When a management and control center needs to monitor whether a service run on a distributed server behaves as expected, the following monitoring methods are generally adopted: assigning personnel to visit the distributed server regularly for inspection; using a trusted monitoring service that takes part in the running process of the distributed server; and applying various penalty measures. The monitoring in the prior art is poor in timeliness.
Disclosure of Invention
Based on the above situation in the prior art, an object of the embodiments of the present invention is to provide a method and an apparatus for trusted authentication of private data and services related to financial private data, which implement trusted authentication of a service provider by providing a monitoring method based on a third party, thereby improving reliability and efficiency of monitoring.
To achieve the above object, according to a first aspect of the present invention, there is provided a trusted authentication method for private data related services, applied to a service monitor, the method including:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
verifying the authentication information to determine a final verification result;
and when the final verification result is that the verification is passed, sending a service certificate to the service providing end so that the service providing end provides the privacy data related service to the client according to the service certificate.
Further, the service provider signs each piece of hash information with a private key of the hardware and then sends the authentication information;
the method further comprises: receiving the signed hash information, and verifying its signature with the public key of the hardware to obtain a signature verification result;
and determining, according to the signature verification result, whether the algorithms and the data sources are available to the service provider.
Further, the verifying the authentication information includes:
parsing the third hash information set to obtain the hash values of all algorithms in the plurality of algorithms, and matching them with the pre-stored hash values of the algorithms to determine a third verification result;
parsing the fourth hash information set to obtain the hash values of the data sources, and matching them with the pre-stored hash values of the data sources to determine a fourth verification result;
and obtaining a final verification result according to the third verification result and the fourth verification result.
Further, the method further comprises:
and determining whether the algorithm or the data source has the key requirement, and if so, sending the corresponding key to the service provider after the final verification result is that the verification is passed.
Further, the third hash information set is generated by separating the hash values obtained by hashing the plurality of algorithms according to a preset separation rule;
and the fourth hash information set is generated by separating the hash values obtained by hashing the plurality of data sources according to the preset separation rule.
Further, the preset separation rule includes that the first A bits are preset as the hash value of a first algorithm or of a first data source, the middle B bits are the hash value of a second algorithm or of a second data source, and the last C bits are the hash value of a third algorithm or of a third data source, where the values of A, B and C are preset first, second and third separation values.
Further, the preset separation rule includes: setting a first separator between the hash values of the algorithms, setting a second separator between the hash values of the data sources, and setting a third separator between the hash values of the algorithms and the hash values of the data sources.
Further, the method further comprises:
and when the final verification result is that the verification is passed, sending the first public key to the client so that the client adopts the first public key to handshake with the service provider according to the service certificate, negotiating a symmetric key, encrypting data by adopting the symmetric key, and uploading the encrypted data to the service provider.
According to a second aspect of the present invention, there is provided a trusted authentication method for private data-related services, applied to a service provider, the method including:
uploading authentication information to the service monitoring terminal to enable the service monitoring terminal to verify the authentication information and determine a final verification result; the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, wherein the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
and receiving a service certificate sent by the service monitoring terminal, and providing the privacy data related service for the client according to the service certificate.
According to a third aspect of the present invention, there is provided a trusted authentication method for medical privacy data-related services, applied to a service monitoring end, the method including:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides medical privacy data related services to the client according to the service certificate;
wherein the medical privacy data related services include data processing of data such as genetic data, medical examination data, and the like, the data processing including at least one of analyzing, encrypting, storing, and converting the data.
According to a fourth aspect of the present invention, there is provided a trusted authentication method for financial privacy data related services, which is applied to a service monitoring end, and the method includes:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides the financial privacy data related service to the client according to the service certificate;
wherein the financial privacy data related services include data processing of financial privacy data, the data processing including at least one of analyzing, encrypting, storing, converting the data.
According to a fifth aspect of the present invention, there is provided a trusted authentication apparatus for private data related services, applied to a service monitor, the apparatus including:
the authentication information receiving module is used for receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
the authentication information verification module is used for verifying the authentication information and determining a final verification result;
and the service certificate sending module is used for sending the service certificate to the service provider when the final verification result is that the verification is passed, so that the service provider provides the privacy data related service to the client according to the service certificate.
In summary, embodiments of the present invention provide a trusted authentication method and apparatus for private data and services related to financial private data, where the trusted authentication method for private data-related services includes: receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to an algorithm and a fourth hash information set related to a data source, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; verifying the authentication information to determine a final verification result; and when the final verification result is that the verification is passed, sending a service certificate to the service providing end, so that the service providing end provides the privacy data related service to the client according to the service certificate. According to the technical scheme of the embodiment of the invention, the service of the service provider is monitored by the service monitoring terminal, the service of the service provider is authenticated by the authentication certificate, so that the high-efficiency monitoring of a third party is realized, a specific authentication mode is provided, the hash values of the algorithm and the data source are separated in the authentication process, the current certificate can be still used for authentication when a new algorithm and/or a new data source is added in the service, the problem of authentication failure caused by the new content is avoided, and the method has higher flexibility and higher efficiency compared with the existing authentication mode.
Drawings
Fig. 1 is a schematic diagram illustrating interaction among a service monitoring end, a service providing end, and a user end in a trusted authentication method for private data related services according to an embodiment of the present invention;
Fig. 2 is a flowchart of a trusted authentication method for private data related services provided by an embodiment of the invention;
Fig. 3 is a flowchart of a trusted authentication method for private data related services according to another embodiment of the present invention;
Fig. 4 is a flowchart of a trusted authentication method for private data related services provided by another embodiment of the present invention;
Fig. 5 is a block diagram illustrating a trusted authentication apparatus for private data related services according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
It is to be understood that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present invention should have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the invention are not intended to indicate any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect.
The technical solution of the present invention will be described in detail below with reference to the accompanying drawings. The embodiment of the invention provides a trusted authentication method for private data related services, which can be applied where a service provider provides services to a user side and the services process private data. Such processing includes analyzing the private data or data related to it (e.g., image analysis), encrypting it (e.g., with a key stored in a trusted execution environment), storing it (e.g., storing the data encrypted in a database; the service side may itself be a database), converting it (e.g., hiding the private data and outputting it to other devices for calculation), and the like (the processing may use the algorithms, data sources, and so on of the service provider), and may be configured according to requirements. The service providing terminal is a Trusted Execution Environment (TEE); the service monitoring terminal provides authentication for the service providing terminal, and after authentication a user can determine that the service providing terminal is trusted (a trusted environment, trusted algorithms and trusted data sources) and can use it securely. The service monitoring terminal monitors the services the service provider offers to the user terminal and, through authentication, ensures that all services of the monitored service provider meet expectations at start-up and during operation, so that the service provider cannot privately provide illegal services outside the preset service range.
In the embodiment of the present invention, a certificate mechanism is adopted for authentication; the premise of using the certificate mechanism is to establish a Certificate Authority (hereinafter "CA") and a matching Registration Authority (hereinafter "RA"). Fig. 1 shows a schematic interaction diagram among a service monitoring end, a service providing end, and a user end in a trusted authentication method for private data related services provided by an embodiment of the present invention. The service monitoring terminal monitors the service providing terminal that provides the specific service to the user terminal. If the user wants to use the service, the user needs to complete registration at the service monitor and negotiate a key with the service monitor; this key is then used to encrypt the data that the user wants to send to the service provider. After the service provider receives the data, it cannot decrypt it, because it does not hold the key. The service provider must first complete RA authentication with the service monitor, and only after proving that it is safe and trusted can it obtain the user's decryption key and provide the service to the user terminal. In the interaction process, the service provider uploads an RA authentication certificate to the service monitor, which determines whether RA authentication passes and returns the authentication result to the service provider. When authentication succeeds, the service providing end can interact with the service monitoring end to obtain the corresponding decryption key and decrypt the data encrypted with that key at the user end.
An embodiment of the present invention provides a trusted authentication method for a private data related service, which is applied to a service monitoring end, and fig. 2 shows a flowchart of a trusted authentication method 200 for the private data related service, where the method includes the following steps:
S202, receiving authentication information uploaded by a service provider, where the authentication information includes first hash information related to hardware, second hash information related to a service framework (the service framework is a software framework that may use any algorithm and data source), a third hash information set related to the algorithms, and a fourth hash information set related to the data sources, where the third hash information set includes hash values of multiple algorithms and the fourth hash information set includes hash values of multiple data sources. The authentication information is sent after the service provider signs each piece of hash information with a private key of the hardware; this private key can be the private key of Software Guard Extensions (SGX) equipment, that is, a private key of the hardware device. The service monitoring end receives the signed hash information and verifies its signature with the public key of the hardware to obtain a signature verification result, and determines from that result whether the algorithms and data sources are available to the service provider. According to the embodiment of the invention, the plurality of algorithms are hashed separately to obtain a plurality of hash values, and the hash values are separated according to a preset separation rule. The third hash information set is generated by separating the hash values obtained by hashing the plurality of algorithms according to the preset separation rule, and the fourth hash information set is generated by separating the hash values obtained by hashing the plurality of data sources according to the preset separation rule.
The preset separation rule includes that the first A bits are preset as the hash value of a first algorithm or of a first data source, the middle B bits are the hash value of a second algorithm or of a second data source, and the last C bits are the hash value of a third algorithm or of a third data source, where the values of A, B and C are the preset first, second and third separation values. The preset separation rule can also separate the values by means of separators. For example, a first separator is placed between the hash values of the algorithms, a second separator between the hash values of the data sources, and a third separator between the hash values of the algorithms and the hash values of the data sources; the first, second and third separators may be the same separator or different separators, so that the service monitoring end can judge from the type of separator whether a hash value corresponds to an algorithm or to a data source, which narrows the matching range of the hash values. For example, a first hash table and a second hash table may be set up at the service monitoring end, the first storing the pre-stored hash values of the algorithms and the second the pre-stored hash values of the data sources; once a hash value to be matched is known to belong to an algorithm or to a data source, only the corresponding hash table needs to be consulted, which improves the matching efficiency. In the embodiment of the present invention, the preset separation rule is described with three partitions as an example; in practice more or fewer partitions may be chosen according to actual needs.
The service provider may negotiate a hash value storage location (storage location in the certificate) with the service monitor and store the hash values according to the negotiated storage location or insert a delimiter between the hash values. The method can be carried out according to the following steps:
the service providing end uploads separation rule information together with the authentication information to the service monitoring end, the separation rule information indicating separation by storage position or separation by separator; if separation is by storage position, hash value storage location information must also be uploaded at the same time and included in the authentication information, for example that the first A bits of the authentication information are preset as the hash value of the first algorithm or of the first data source, the middle B bits as the hash value of the second algorithm or of the second data source, and the last C bits as the hash value of the third algorithm or of the third data source; alternatively, the separation rule may be negotiated in advance and the hash values of the different algorithms stored according to the negotiated rule: if a storage location is negotiated in advance, the providing end stores each hash value at the negotiated storage location and the monitoring end extracts each hash value from that location.
And the service provider stores the hash values according to the storage positions described in the hash value storage position information and uploads the hash values, or inserts separators between the hash values according to a preset rule and uploads the hash values, wherein the preset rule is that, for example, a first separator is arranged between the hash values of the algorithm, a second separator is arranged between the hash values of the data source, and a third separator is arranged between the hash values of the algorithm and the hash values of the data source.
After receiving the authentication information, the service monitoring end can extract a hash value according to the separation rule information, and if the separation is based on the storage position, the service monitoring end extracts the hash value according to the hash value storage position information; if the separation is based on the separator, the hash value is extracted after the separator is identified.
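The two separation rules described above (fixed storage positions A, B, C and separators), as an added example that is not code from the patent: the provider packs the per-algorithm and per-data-source hash values, and the monitor recovers them one by one, so a newly added algorithm shows up as one extra token instead of changing a single fused digest. SHA-256 hex digests as measurement values, the message layout, the separator characters, the sample component contents and all function names are assumptions made for this example.

```python
import hashlib
from typing import List, Tuple

# Separators for the separator-based rule (constructed choices). None of them can
# occur inside a hex digest, so a hash token is never confused with a separator.
ALGO_SEP = ","   # first separator: between algorithm hashes
DS_SEP = ";"     # second separator: between data-source hashes
SET_SEP = "|"    # third separator: between the algorithm set and the data-source set


def measure(blob: bytes) -> str:
    """Measurement value of one algorithm or data source: SHA-256 hex (assumption)."""
    return hashlib.sha256(blob).hexdigest()


def _check_hex(token: str) -> str:
    """Reject empty or non-hex tokens so a malformed upload fails loudly."""
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"malformed hash token: {token!r}")
    return token


# --- rule 1: fixed storage positions (first A, middle B, last C characters) ---

def pack_by_position(hashes: List[str]) -> Tuple[str, List[int]]:
    """Concatenate the hashes. The widths list is the storage-location information
    the provider uploads alongside the set (A, B, C, ... for any number of partitions)."""
    return "".join(hashes), [len(hv) for hv in hashes]


def unpack_by_position(blob: str, widths: List[int]) -> List[str]:
    out, pos = [], 0
    for w in widths:
        out.append(_check_hex(blob[pos:pos + w]))
        pos += w
    if pos != len(blob):
        raise ValueError("storage-location information does not cover the whole set")
    return out


# --- rule 2: separators ---

def pack_by_separator(algo_hashes: List[str], ds_hashes: List[str]) -> str:
    return ALGO_SEP.join(algo_hashes) + SET_SEP + DS_SEP.join(ds_hashes)


def unpack_by_separator(blob: str) -> Tuple[List[str], List[str]]:
    """The third separator tells algorithm tokens from data-source tokens."""
    if blob.count(SET_SEP) != 1:
        raise ValueError("expected exactly one set separator")
    algo_part, ds_part = blob.split(SET_SEP)
    algos = [_check_hex(t) for t in algo_part.split(ALGO_SEP)]
    sources = [_check_hex(t) for t in ds_part.split(DS_SEP)]
    return algos, sources


# --- provider / monitor message handling ---

def build_auth_sets(algo_hashes: List[str], ds_hashes: List[str], rule: str) -> dict:
    """Provider side: third and fourth hash information sets plus the separation rule
    information (this dict layout is an assumption, not the patent's wire format)."""
    if rule == "position":
        third, a_widths = pack_by_position(algo_hashes)
        fourth, d_widths = pack_by_position(ds_hashes)
        return {"rule": "position", "third_set": third, "fourth_set": fourth,
                "positions": {"algorithms": a_widths, "data_sources": d_widths}}
    if rule == "separator":
        return {"rule": "separator", "sets": pack_by_separator(algo_hashes, ds_hashes)}
    raise ValueError(f"unknown separation rule {rule!r}")


def extract_hashes(msg: dict) -> Tuple[List[str], List[str]]:
    """Monitor side: recover the individual hashes so each can be looked up in its own
    table (algorithm table or data-source table) instead of matching one fused digest."""
    if msg["rule"] == "position":
        return (unpack_by_position(msg["third_set"], msg["positions"]["algorithms"]),
                unpack_by_position(msg["fourth_set"], msg["positions"]["data_sources"]))
    if msg["rule"] == "separator":
        return unpack_by_separator(msg["sets"])
    raise ValueError(f"unknown separation rule {msg['rule']!r}")


# Constructed sample: three algorithms and two data sources, then a fourth algorithm
# added later without touching any of the other measurement values.
ALGOS = [measure(b"algorithm-%d" % i) for i in (1, 2, 3)]
SOURCES = [measure(b"data-source-%d" % i) for i in (1, 2)]
ALGOS_WITH_NEW = ALGOS + [measure(b"algorithm-4 (newly added)")]

if __name__ == "__main__":
    for rule in ("position", "separator"):
        a, d = extract_hashes(build_auth_sets(ALGOS_WITH_NEW, SOURCES, rule))
        print(rule, "algorithms:", len(a), "data sources:", len(d))
```

With either rule the monitor sees the original three algorithm hashes unchanged next to the fourth one, which is what lets it decide about the new algorithm on its own instead of failing the whole authentication. The positional rule depends on the widths being complete and consistent, so the unpacker refuses a set whose storage-location information does not cover every character.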
In some schemes, the information of a plurality of algorithms is fused together and hashed to obtain one hash value, which is then authenticated along with the uploaded certificate. In such a scheme, however, if an algorithm needs to be added (for example, a service provider adds new service content and needs to add an algorithm), the final hash value changes while the hash value pre-stored at the server is still the one from before the new algorithm, which may cause authentication failure. The embodiment of the invention hashes the algorithms and data sources separately through the authentication mode described above and keeps the hash values separated, so that the service monitoring end can identify whether the service providing end has a newly added algorithm or data source, and can judge whether the platform is allowed to use that algorithm or data source when it is newly added (for example, whether user permission and the algorithm provider's permission have been obtained); if so, the platform is allowed to use it, for example, the newly added algorithm and data source can be used after being decrypted with a key, and the platform can be allowed to use them by issuing that key. If use is denied, the use of algorithms or data sources other than the denied one may still be allowed (only the algorithm or data source that is not available is denied). The service provider can therefore be monitored more flexibly. The services provided by the service provider are generally divided into a framework, algorithms and data sources. In authentication, the QUOTE (a generic name for the software and hardware built into the hardware that generates measurement values) in the server of the service provider generates measurement values only for the framework and signs them. The measurement values for the algorithms and the data sources are generated by the framework.
The benefit of this is that the main framework has great flexibility in using different algorithms and data sources, and the service monitoring end updates the main framework measurement value when a subordinate unit changes an algorithm in the service. When the report is transmitted, the reserved part of the QUOTE carries the measurement values of the algorithms and of the data sources, and from these values the service monitoring end can judge whether the server of the service providing end is authorized.
The authentication process can adopt either of two modes: (1) When the service providing end starts its service, it sends a service start request and completes authentication with the service monitoring end; after issuing a certificate for the service of the service providing end, the service monitoring end can disconnect from it. The user side configures the CA of the service monitoring end in advance, uses that CA to verify the authenticity of the service providing end, and communicates with the service providing end once verification succeeds. In this way, the load on the service monitoring end is reduced. (2) When the service provider starts its service, it completes authentication with the service monitoring end by sending the service start request and keeps a persistent connection with the service monitoring end, so that subsequent user terminals do not need to authenticate again when requesting the service of the service provider, and do not need to additionally use the CA of the service monitoring end to verify the service of the service provider; this mode is friendlier to the user terminals.
And S204, verifying the authentication information and determining a final verification result. The authentication information is verified, and the method comprises the following steps:
analyzing the first hash information and the second hash information, and matching each against the corresponding pre-stored hash value to determine a first verification result and a second verification result;
analyzing the third hash information set to obtain the hash values of all the algorithms in the plurality of algorithms, and matching them against the pre-stored hash values of the algorithms to determine a third verification result;
analyzing the fourth hash information set to obtain hash values of all data sources, and matching the hash values with the pre-stored hash values of the data sources to determine a fourth verification result;
and obtaining a final verification result according to the third verification result and the fourth verification result and by combining the first verification result and the second verification result.
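As an added illustration in Go (not code from the patent), the following builds and parses the third and fourth hash information sets under both separation rules the claims describe (preset widths A, B, C, or separators between hash values), matches every hash value against the monitor's pre-stored values so that a newly added algorithm is denied on its own, and contrasts this with the single fused hash that the description says breaks as soon as an algorithm is added. SHA-256 as the hash function, the sample algorithm and data source bytes, and the rule for combining the four verification results are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

const hexLen = 64 // length of a SHA-256 hex digest, used here as the preset widths A, B, C

// Constructed sample inputs (not from the patent); SHA-256 as the hash is an assumption.
var (
	algorithms   = [][]byte{[]byte("algorithm A v1"), []byte("algorithm B v1")}
	newAlgorithm = []byte("algorithm C v1") // added later; the monitor has no hash for it
	dataSources  = [][]byte{[]byte("data source 1"), []byte("data source 2")}
)

// digest is the hash value of one algorithm or data source.
func digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// BuildFixed joins hash values under the fixed-width rule of the claims: the first A
// characters hold hash 1, the middle B hold hash 2, the last C hold hash 3.
func BuildFixed(hashes []string) string { return strings.Join(hashes, "") }

// ParseFixed splits an information set by the preset widths and rejects any length
// mismatch instead of silently truncating or ignoring trailing bytes.
func ParseFixed(set string, widths []int) ([]string, error) {
	parts, pos := []string{}, 0
	for _, w := range widths {
		if pos+w > len(set) {
			return nil, errors.New("hash information set shorter than the preset widths")
		}
		parts = append(parts, set[pos:pos+w])
		pos += w
	}
	if pos != len(set) {
		return nil, errors.New("hash information set longer than the preset widths")
	}
	return parts, nil
}

// BuildSeparated and ParseSeparated implement the separator rule of the claims.
func BuildSeparated(hashes []string, sep string) string { return strings.Join(hashes, sep) }

func ParseSeparated(set, sep string) []string {
	if set == "" {
		return nil
	}
	return strings.Split(set, sep)
}

// VerifySet yields the third (or fourth) verification result: one verdict per hash
// value, so a newly added algorithm or data source unknown to the monitor is denied alone.
func VerifySet(hashes []string, stored map[string]bool) map[string]bool {
	out := make(map[string]bool, len(hashes))
	for _, h := range hashes {
		out[h] = stored[h]
	}
	return out
}

// tally reports whether any item passed and collects the ones that did not.
func tally(results map[string]bool, denied *[]string) bool {
	passedAny := false
	for h, ok := range results {
		if ok {
			passedAny = true
		} else {
			*denied = append(*denied, h)
		}
	}
	return passedAny
}

// FinalResult combines the four results. The combination rule is an assumption: hardware
// and framework must match outright, the service passes if at least one algorithm and one
// data source are authorized, and the unmatched items are returned so only they are denied.
func FinalResult(firstOK, secondOK bool, third, fourth map[string]bool) (bool, []string) {
	var denied []string
	anyAlg := tally(third, &denied)
	anyDS := tally(fourth, &denied)
	return firstOK && secondOK && anyAlg && anyDS, denied
}

// FusedHash is the earlier approach the description criticises: one hash over all
// algorithms fused together, which changes as soon as any algorithm is added.
func FusedHash(blobs [][]byte) string {
	var all []byte
	for _, b := range blobs {
		all = append(all, b...)
	}
	return digest(all)
}
```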
S206, when the final verification result is that the verification passes, sending a service certificate (for example, an SSL certificate) to the service provider, so that the service provider provides the private data related service to the client according to the service certificate.
According to some optional embodiments, the method further comprises:
determining whether the algorithm or the data source requires a key, and if so, sending the corresponding key to the service provider. The key sent by the service monitoring end to the service provider can be used to decrypt the data source or algorithm.
According to some optional embodiments, the method further comprises:
when the final verification result is that the verification is passed, sending the first public key to the client, so that the client uses the first public key to handshake with the service provider according to the service certificate, negotiates a symmetric key, encrypts data with the symmetric key, and uploads the encrypted data to the service provider. The first private key corresponding to the first public key may be included in the service certificate sent by the service monitoring end to the service provider, so that the service provider holds the first private key corresponding to the first public key. Since the client holds the first public key, the identity of the service provider can be confirmed by private-key signing and public-key verification. After the identity is confirmed, a symmetric key can be negotiated, so that the client can encrypt data with the symmetric key and the server can decrypt it with the same key. In addition, the symmetric key may itself be encrypted with the first public key and the encrypted symmetric key bound to the data encrypted under it, so that any other service provider holding the first private key (the monitoring party has determined that this service provider is a trusted execution environment and has sent it a service certificate containing the first private key) can recover the symmetric key from the first-public-key ciphertext using the first private key, decrypt the encrypted data with the recovered symmetric key, and thereby provide the service corresponding to the data.
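The handshake and key binding described above, as an added Go example that is not the patent's code: the provider proves possession of the first private key from its service certificate by signing a client nonce, the client verifies that with the first public key it received from the service monitoring end, generates a symmetric key, wraps it with the first public key and encrypts the data under AES-GCM with the wrapped key as associated data, and any provider holding the first private key can unwrap the key and decrypt. RSA-OAEP and RSA-PSS, AES-GCM, the OAEP label and the message layout are assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// oaepLabel ties the wrapped key to this purpose; the value is an assumption.
var oaepLabel = []byte("first-public-key-wrapped-symmetric-key")

// BoundMessage is the upload format assumed here: the symmetric key wrapped with the first
// public key, plus the data encrypted under that key with the wrapped key as associated
// data, which is what binds the encrypted key to the encrypted data.
type BoundMessage struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 256-bit AES key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext and tag over the private data
}

// ProviderProof is the provider's side of the handshake: a signature over the client's
// nonce with the first private key carried in its service certificate.
func ProviderProof(firstPriv *rsa.PrivateKey, clientNonce []byte) ([]byte, error) {
	h := sha256.Sum256(clientNonce)
	return rsa.SignPSS(rand.Reader, firstPriv, crypto.SHA256, h[:], nil)
}

// VerifyProvider is the client's check with the first public key it received from the
// service monitoring end; only a holder of the matching first private key can pass it.
func VerifyProvider(firstPub *rsa.PublicKey, clientNonce, sig []byte) bool {
	h := sha256.Sum256(clientNonce)
	return rsa.VerifyPSS(firstPub, crypto.SHA256, h[:], sig, nil) == nil
}

// ClientEncrypt generates the symmetric key, wraps it with the first public key and
// encrypts the data under it, binding the two through the associated data.
func ClientEncrypt(firstPub *rsa.PublicKey, data []byte) (*BoundMessage, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, firstPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &BoundMessage{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, data, wrapped),
	}, nil
}

// ProviderDecrypt is what any service provider holding the first private key does: unwrap
// the symmetric key, then decrypt the data. A modified wrapped key fails either at
// unwrapping or, if unwrapping still yields some key, at the associated-data check.
func ProviderDecrypt(firstPriv *rsa.PrivateKey, m *BoundMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, firstPriv, m.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, m.WrappedKey)
}

// newGCM builds the AES-GCM AEAD for a 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```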
An embodiment of the present invention further provides a trusted authentication method for private data related services, which is applied to a service provider, and fig. 3 shows a flowchart of the service monitoring method 300, where the method includes the following steps:
S302, uploading authentication information to the service monitoring end, so that the service monitoring end verifies the authentication information and determines a final verification result. The authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, wherein the third hash information set comprises hash values of a plurality of algorithms and the fourth hash information set comprises hash values of a plurality of data sources. The service monitoring end verifies the signature on the signed hash information using the public key of the hardware to obtain a signature verification result, and determines from that result whether the algorithms and the data sources are available to the service providing end.
S304, receiving the service certificate sent by the service monitoring terminal, and providing the privacy data related service for the client according to the service certificate.
According to some optional embodiments, the method further comprises:
receiving encrypted data uploaded by a client, decrypting it with a symmetric key, and then providing the service; the symmetric key is negotiated by the client after handshaking with the service provider using the first public key according to the service certificate (the service certificate includes the first private key corresponding to the first public key, and the key pair is used in a public-key-encryption, private-key-decryption manner).
An embodiment of the present invention further provides a trusted authentication method for private data-related services, which is applied to a client, and fig. 4 shows a flowchart of the service monitoring method 400, where the method includes the following steps:
S402, receiving the first public key sent by the service monitoring end.
S404, handshaking with the service provider using the first public key according to the service certificate, and negotiating a symmetric key.
S406, encrypting the data with the symmetric key and uploading the encrypted data to the service provider, so that the service provider can decrypt the encrypted data with the symmetric key and provide the service.
The embodiment of the invention also provides a credible authentication method for medical privacy data related services, which is applied to a service monitoring end, and the method comprises the following steps:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides medical privacy data related services to the client according to the service certificate;
wherein the medical privacy data-related service includes data processing of data such as genetic data and medical examination data, the data processing including at least one of analyzing, encrypting, storing, and converting the data.
The embodiment of the invention also provides a credible authentication method for financial privacy data related services, which is applied to a service monitoring end, and the method comprises the following steps:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides the financial privacy data related service to the client according to the service certificate;
wherein the financial privacy data related services include data processing of financial privacy data, the data processing including at least one of analyzing, encrypting, storing, and converting the data.
In the trusted authentication method for medical privacy data-related services and the trusted authentication method for financial privacy data-related services provided in the above embodiments of the present invention, the steps performed by the service provider and the client are the same as those performed at the service provider and the client in the service monitoring method provided in the above embodiments, and repeated description is omitted here.
An embodiment of the present invention further provides a trusted authentication apparatus 500 for a private data related service, which is applied to a service monitoring end, and fig. 5 shows a block diagram of the trusted authentication apparatus 500 for the private data related service, where the apparatus 500 includes:
the authentication information receiving module 501 is configured to receive authentication information uploaded by a service provider, where the authentication information includes first hash information related to hardware, second hash information related to a service framework, a third hash information set related to an algorithm, and a fourth hash information set related to a data source, the third hash information set includes hash values of a plurality of algorithms, and the fourth hash information set includes hash values of a plurality of data sources.
An authentication information verification module 502 for verifying the authentication information to determine a final verification result;
the service certificate sending module 503 is configured to send a service certificate to the service provider when the final verification result is that the verification passes, so that the service provider provides the privacy data-related service to the client according to the service certificate.
The specific process of implementing the functions of each module in the trusted authentication device for the private data related service provided by the above embodiment of the present invention is the same as that of each step of the trusted authentication method for the private data related service provided by the above embodiment of the present invention, and therefore, repeated descriptions thereof will be omitted here.
In an embodiment of the present invention, there is also provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method described in the above-mentioned embodiments of the present invention. A computer-readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be understood that the processor in the embodiments of the present invention may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In summary, the embodiments of the present invention relate to a trusted authentication method and apparatus for private data and financial private data related services, where the trusted authentication method for private data related services includes: receiving authentication information uploaded by a service provider; verifying the authentication information to determine a final verification result; and when the final verification result is that the verification is passed, sending a service certificate to the service providing end, so that the service providing end provides the privacy data related service to the client according to the service certificate. According to the technical scheme of the embodiment of the invention, the service monitoring end is set to monitor the service of the service provider, the authentication certificate is adopted to authenticate the service of the service provider, the high-efficiency monitoring of a third party is realized, and a specific authentication mode is provided.
It should be understood that the discussion of any embodiment above is merely exemplary, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to those examples; features from the above embodiments or from different embodiments may also be combined within the inventive idea, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the invention as described above, which are not provided in detail for the sake of brevity. The foregoing detailed description of the invention has been presented only to illustrate or explain the principles of the invention and not to limit the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (9)

1. A trusted authentication method for private data related services is applied to a service monitoring end, and comprises the following steps:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; the third hash information set is generated by dividing hash values obtained by hashing a plurality of algorithms according to a preset dividing rule; the fourth hash information set is generated by separating hash values obtained by hashing a plurality of data sources according to a preset separation rule; wherein
the preset separation rule comprises that the first A bits are preset as the hash value of a first algorithm or the hash value of a first data source, the middle B bits are the hash value of a second algorithm or the hash value of a second data source, and the last C bits are the hash value of a third algorithm or the hash value of a third data source, the values of A, B and C being a preset first separation value, second separation value and third separation value; or, a first separator is set between the hash values of the algorithms, a second separator is set between the hash values of the data sources, and a third separator is set between the hash values of the algorithms and the hash values of the data sources;
verifying the authentication information to determine a final verification result;
and when the final verification result is that the verification is passed, sending a service certificate to the service providing end, so that the service providing end provides the privacy data related service to the client according to the service certificate.
2. The method according to claim 1, wherein the authentication information is sent by the service provider after signing each piece of hash information with a private key of the hardware;
the method further comprising: receiving the signed hash information, and verifying the signature on the signed hash information with the public key of the hardware to obtain a signature verification result;
and determining, according to the signature verification result, whether the algorithms and the data sources are available to the service provider.
3. The method of claim 1, wherein verifying the authentication information comprises:
analyzing the third hash information set to obtain hash values of all algorithms in the plurality of algorithms, and matching the hash values with the pre-stored hash values of the algorithms to determine a third verification result;
analyzing the fourth hash information set to obtain hash values of the data sources, and matching the hash values with the pre-stored hash values of the data sources to determine a fourth verification result;
and obtaining a final verification result according to the third verification result and the fourth verification result.
4. The method of claim 1, further comprising:
and determining whether the algorithm or the data source has the key requirement, and if so, sending the corresponding key to the service provider after the final verification result is that the verification is passed.
5. The method according to any one of claims 1-4, further comprising:
and when the final verification result is that the verification is passed, sending the first public key to the client so that the client adopts the first public key to handshake with the service provider according to the service certificate, negotiating a symmetric key, encrypting data by adopting the symmetric key, and uploading the encrypted data to the service provider.
6. A trusted authentication method for private data related services is applied to a service provider, and the method comprises the following steps:
uploading authentication information to the service monitoring terminal to enable the service monitoring terminal to verify the authentication information and determine a final verification result; the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, wherein the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; the third hash information set is generated by dividing hash values obtained by hashing a plurality of algorithms according to a preset dividing rule; the fourth hash information set is generated by separating hash values obtained by hashing a plurality of data sources according to a preset separation rule; wherein
the preset separation rule comprises that the first A bits are preset as the hash value of a first algorithm or the hash value of a first data source, the middle B bits are the hash value of a second algorithm or the hash value of a second data source, and the last C bits are the hash value of a third algorithm or the hash value of a third data source, the values of A, B and C being a preset first separation value, second separation value and third separation value; or, a first separator is set between the hash values of the algorithms, a second separator is set between the hash values of the data sources, and a third separator is set between the hash values of the algorithms and the hash values of the data sources;
and receiving a service certificate sent by the service monitoring terminal, and providing the privacy data related service for the client according to the service certificate.
7. A credible authentication method for medical privacy data related services is applied to a service monitoring end, and comprises the following steps:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; the third hash information set is generated by separating hash values obtained by hashing a plurality of algorithms according to a preset separation rule; the fourth hash information set is generated by separating hash values obtained by hashing a plurality of data sources according to a preset separation rule; wherein
the preset separation rule comprises that the first A bits are preset as the hash value of a first algorithm or the hash value of a first data source, the middle B bits are the hash value of a second algorithm or the hash value of a second data source, and the last C bits are the hash value of a third algorithm or the hash value of a third data source, the values of A, B and C being a preset first separation value, second separation value and third separation value; or, a first separator is set between the hash values of the algorithms, a second separator is set between the hash values of the data sources, and a third separator is set between the hash values of the algorithms and the hash values of the data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides medical privacy data related services to the client according to the service certificate;
wherein the medical privacy data related services include data processing of data such as genetic data, medical examination data, and the like, the data processing including at least one of analyzing, encrypting, storing, and converting the data.
8. A credible authentication method for financial privacy data related services is applied to a service monitoring end, and comprises the following steps:
receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; the third hash information set is generated by dividing hash values obtained by hashing a plurality of algorithms according to a preset dividing rule; the fourth hash information set is generated by separating hash values obtained by hashing a plurality of data sources according to a preset separation rule; wherein
the preset separation rule comprises that the first A bits are preset as the hash value of a first algorithm or the hash value of a first data source, the middle B bits are the hash value of a second algorithm or the hash value of a second data source, and the last C bits are the hash value of a third algorithm or the hash value of a third data source, the values of A, B and C being a preset first separation value, second separation value and third separation value; or, a first separator is set between the hash values of the algorithms, a second separator is set between the hash values of the data sources, and a third separator is set between the hash values of the algorithms and the hash values of the data sources;
verifying the authentication information to determine a final verification result;
when the final verification result is that the verification is passed, a service certificate is sent to the service providing end, so that the service providing end provides the financial privacy data related service to the client according to the service certificate;
wherein the financial privacy data related services include data processing of financial privacy data, the data processing including at least one of analyzing, encrypting, storing, and converting the data.
9. A trusted authentication device for private data related services, which is applied to a service monitor, the device comprising:
the authentication information receiving module is used for receiving authentication information uploaded by a service provider, wherein the authentication information comprises first hash information related to hardware, second hash information related to a service framework, a third hash information set related to algorithms and a fourth hash information set related to data sources, the third hash information set comprises hash values of a plurality of algorithms, and the fourth hash information set comprises hash values of a plurality of data sources; the third hash information set is generated by dividing hash values obtained by hashing a plurality of algorithms according to a preset dividing rule; the fourth hash information set is generated by separating hash values obtained by hashing a plurality of data sources according to a preset separation rule; wherein
the preset separation rule comprises that the first A bits are preset as the hash value of a first algorithm or the hash value of a first data source, the middle B bits are the hash value of a second algorithm or the hash value of a second data source, and the last C bits are the hash value of a third algorithm or the hash value of a third data source, the values of A, B and C being a preset first separation value, second separation value and third separation value; or, a first separator is set between the hash values of the algorithms, a second separator is set between the hash values of the data sources, and a third separator is set between the hash values of the algorithms and the hash values of the data sources;
the authentication information verification module is used for verifying the authentication information and determining a final verification result;
and the service certificate sending module is used for sending the service certificate to the service provider when the final verification result is that the verification is passed, so that the service provider provides the privacy data related service to the client according to the service certificate.
CN202211360570.2A 2022-11-02 2022-11-02 Credibility authentication method and device for private data and financial private data related service Active CN115412378B (en)

Publications (2)

Publication Number Publication Date
CN115412378A CN115412378A (en) 2022-11-29
CN115412378B true CN115412378B (en) 2023-01-31


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230907

Address after: Room 254, building 4, 66 Dongxin Avenue, Puyan street, Binjiang District, Hangzhou City, Zhejiang Province 310053

Patentee after: Hangzhou Weiwei Information Technology Co.,Ltd.

Address before: Room 3-443, 3rd Floor, Building 1, No. 158, North West Fourth Ring Road, Haidian District, Beijing 100089

Patentee before: Beijing Nuowei Information Technology Co.,Ltd.