CN115438352A - Data processing method, device, equipment and storage medium - Google Patents

Data processing method, device, equipment and storage medium Download PDF

Info

Publication number
CN115438352A
CN115438352A CN202110622425.6A CN202110622425A CN115438352A CN 115438352 A CN115438352 A CN 115438352A CN 202110622425 A CN202110622425 A CN 202110622425A CN 115438352 A CN115438352 A CN 115438352A
Authority
CN
China
Prior art keywords
data
key
environment
request
attestation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110622425.6A
Other languages
Chinese (zh)
Inventor
汪溯
蒋海滔
路放
买宇飞
陈俊朴
彭忠泓
孟祥宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Innovation Co
Original Assignee
Alibaba Singapore Holdings Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Singapore Holdings Pte Ltd filed Critical Alibaba Singapore Holdings Pte Ltd
Priority to CN202110622425.6A priority Critical patent/CN115438352A/en
Publication of CN115438352A publication Critical patent/CN115438352A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The embodiment of the application provides a data processing method, a data processing device, data processing equipment and a storage medium, so as to improve data security. The method comprises the following steps: receiving a remote access request, the remote access request comprising: environment description data and a public key of the isolated environment; verifying the environment description data according to an access restriction rule; under the condition that the isolation environment is determined to be a trustable isolation environment, encrypting a data key by adopting a public key to obtain a public key encryption key; and sending the public key encryption key so that the isolation environment can perform safe processing of data based on the data key. The trusted isolation environment is not required to directly access the key management system through the HTTPS, so that the risk of data key leakage and data leakage is avoided, and the data security is improved.

Description

Data processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data processing method and apparatus, an electronic device, and a storage medium.
Background
Data trust (DataTrust) is a security computing product based on a trusted execution environment, a user uses a data key to encrypt own data in a user domain and uploads an encrypted data ciphertext to a trusted data platform for privacy computation, and in order to ensure data security, the data key can decrypt the user data ciphertext only in a trusted security isolation environment specified by the user and run privacy computation.
A user may authorize a specified account, such as his own account, a specified account of a computing platform, etc., by storing rules to access a Key service of a Key Management System (KMS) to decrypt a user data Key. The authorized specified account accesses the KMS Service via an Access Key (AK) or a Token (Token) of a Security Token Service (STS).
However, when accessing the KMS service in the manner described above, the KMS cannot be restricted to providing the key management service only for the specific service that is authorized and the trusted secure isolated environment that is specified by the specific account, which may result in the risk of leakage of data keys and data.
Disclosure of Invention
The embodiment of the application provides a data processing method for improving data security.
Correspondingly, the embodiment of the application also provides a data processing device, an electronic device and a storage medium, which are used for ensuring the implementation and application of the method.
In order to solve the above problem, an embodiment of the present application discloses a data processing method, including: receiving a remote access request, the remote access request comprising: environment description data and a public key of the isolated environment; verifying the environment description data according to an access restriction rule; under the condition that the isolation environment is determined to be a trustable isolation environment, encrypting a data key by adopting a public key to obtain a public key encryption key; and sending the public key encryption key so that the isolation environment can perform safe processing of data based on the data key.
The embodiment of the application also discloses a data processing method, which comprises the following steps: receiving an attestation request; generating signature data according to the certification request; acquiring environment data, and generating certification data by adopting the environment data and the signature data; receiving a public key encryption key; and acquiring a private key corresponding to the public key, decrypting the public key encryption key through the private key to obtain a corresponding data key, and performing data security processing based on the data key.
The embodiment of the application also discloses a data processing method, which comprises the following steps: determining a verification parameter, and generating an environment certification request according to the verification parameter; sending the environment attestation request to an isolation environment; receiving environment attestation data, the environment attestation data including: the verification signature, the public key and the environment description data are determined according to the verification parameters and a private key corresponding to the public key; generating a remote access request according to the environment certification data, and sending the remote access request to a key management system so as to certify that the isolation environment is a trusted isolation environment based on the environment certification data; receiving a public key encryption key, wherein the public key encryption key is generated based on a public key and a data key under the determination that the isolation environment is a trusted isolation environment; sending the public key encryption key to the isolation environment.
The embodiment of the application also discloses a data processing method, which comprises the following steps: generating a remote attestation request and sending the remote attestation request to a trusted isolation environment, the remote attestation request including attestation parameters; receiving remote attestation data, the remote attestation data including: a certification signature and remote environment data, the certification signature generated in accordance with the certification parameters; after the certification signature passes the verification, generating a key encryption request according to a local key, and sending the key encryption request; receiving an encrypted data key, wherein the encrypted data key is generated by encrypting data according to a local key; and generating a rule configuration request according to the remote environment data, and sending the rule configuration request to configure an access authority rule, wherein the access authority rule is used for determining a trusted isolation environment authorized to access.
The embodiment of the present application further discloses an electronic device, which includes: a processor; and a memory having executable code stored thereon, which when executed, causes the processor to perform a method as in any one of the embodiments of the present application.
Embodiments of the present application also disclose one or more machine-readable media having executable code stored thereon, which when executed, causes a processor to perform a method as described in any of the embodiments of the present application.
Compared with the prior art, the embodiment of the application has the following advantages:
in the embodiment of the application, a user can configure a specified trusted isolation environment in an access permission rule, so that the key management system KMS can verify the isolation environment based on a remote access request, encrypt a data key of the user and transmit the encrypted data key to the trusted isolation environment after verifying the isolation environment as the trusted isolation environment, and the trusted isolation environment can encrypt and decrypt a user data ciphertext and operate privacy calculation based on the data key. In this way, a trusted isolation environment is no longer required to directly access the key management system through HTTPS, thereby avoiding the risk of data key and data leakage and improving the security of data.
Drawings
Fig. 1 is a schematic structural diagram of a data service system according to an embodiment of the present application;
FIG. 2 is a flow chart of steps of an embodiment of a method of access rule configuration of the present application;
FIG. 3 is an interaction diagram of an access control method according to an embodiment of the present application;
FIG. 4 is a flowchart of the steps of the key management system side in a data processing method of the present application;
FIG. 5 is a flowchart of steps on a trusted quarantine environment system side of a data processing method of the present application;
FIG. 6 is a flowchart of the steps on the application side of a data processing method of the present application;
FIG. 7 is a flowchart of the steps on the application side of a data processing method of the present application;
FIG. 8 is a block diagram of an embodiment of a data processing apparatus of the present application;
FIG. 9 is a block diagram of another data processing apparatus embodiment of the present application;
fig. 10 is a schematic structural diagram of an apparatus provided in an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
The method and the device can be applied to remote data service scenes, such as cloud computing scenes. Secure processing based on a trusted execution environment is provided in a remote data services scenario. In order to ensure data security, the data secret key can decrypt the user data cryptograph only in a trusted security isolation environment specified by a user and run privacy computation.
Referring to fig. 1, a schematic structural diagram of a data service system according to an embodiment of the present application is shown.
The data service system includes: user device 10, storage system 20, key management system 30, computing service system 40, and trusted isolation environment system 50.
The user device 10 refers to a device in which a designated account of a user is logged, and may be a terminal device such as a mobile terminal or a personal computer. The storage system 20 refers to a system providing a data storage service, which can store data and perform access management configuration and the like. The storage system 20 may provide an access control service, which is a service that manages user identities and resource access rights. The key management system 30 is used to provide a key management service, which can manage keys of respective users and management services such as authentication for the keys. The computing service system 40 refers to a system for providing computing services, which may be a distributed system, through each computing node (or edge computing node) to provide computing services. The user may perform data computation processing through a compute node of the compute service system 40. The trusted isolation environment system 50 may provide a trusted secure isolation environment, may provide encryption and decryption of user data cipher text, and may run privacy calculations in the secure isolation environment.
In the embodiment of the application, a user can configure a specified trusted isolation environment in an access authority rule, so that a key management system KMS can verify the isolation environment, and after the isolation environment is verified to be the trusted isolation environment, a data key of the user is encrypted and then transmitted to the trusted isolation environment, so that the trusted isolation environment can encrypt and decrypt a user data ciphertext and operate privacy calculation based on the data key. In this way, a trusted isolation environment is no longer required to directly access the key management system KMS through an HTTPS (Hyper Text Transfer Protocol over secure hypertext Transfer Protocol layer), so that risks of data key and data leakage are avoided, and data security is improved.
The user may configure the access rights rules. The access authority rule refers to a rule for controlling access authority for data. Where information may be specified about the trusted isolation environment to which access is allowed, the designated account authorized, etc. Such that the account and the rights to the trusted isolation environment may be subsequently validated based on the access rights rules.
Referring to fig. 2, a flow chart of steps of an embodiment of an access rule configuration method of the present application is shown.
At step 202, the user device generates a remote attestation request based on the attestation parameters.
The attestation parameters may be randomly generated, such as a random string. In other examples, the method may also be based on a certain rule, such as generating a random string of a specified data amount, or generating a certification parameter according to some rule, and the like, which is not limited in this embodiment of the present application. The attestation parameters are used to generate signature data, and the remote attestation request is used to request the trusted isolation environment to provide attestation material for subsequent setting of access restriction rules.
Step 204, the user device sends the remote attestation request to the trusted isolated environment system.
Step 206, the trusted isolated environment system generates a certification signature according to the certification parameters.
In the trusted isolation environment system, the trusted isolation environment corresponds to a first key, which may also be referred to as a environment key pair, and the environment key pair is a specific key pair of the trusted isolation environment, and may be a signature key pair of bound hardware, such as a signature key of bound CPU. The certification data may be signed and calculated by the environment key pair, for example, a random character string included in the certification data may be signed and calculated by the environment key pair, so as to obtain a corresponding certification signature. The first key may be an asymmetric key pair, and the private key of the key pair is used to perform signature calculation on the certification data to obtain a certification signature.
Step 208, the trusted isolation environment system obtains the isolation environment data and generates remote attestation data according to the isolation environment data and the attestation signature.
The isolation environment data refers to data describing a trusted secure isolation environment, and may be generated according to a specified data structure and a specified data format, which is not limited in this embodiment. Isolating environmental data includes: environment version information and environment operating state information. The environment version information refers to version information corresponding to the security isolation environment, such as hardware version information, such as CPU version information of the security isolation environment, and software version information, such as version information of security software in the security isolation environment. The environment operation state information refers to information of an operation state of the security isolation environment, and the like. Identity information of the trusted isolation environment may also be included, and the like.
Step 210, the trusted isolated environment system sends remote attestation data to the user device.
At step 212, the user device verifies the attestation signature in the remote attestation data.
The user device may verify the signature of the certificate by using a corresponding key, such as the first key being an asymmetric key pair, and generate the signature by using a private key of the key pair, and correspondingly verify the certificate signature based on a public key of the key pair. After the signature passes the verification, the isolation environment data in the remote attestation data can be stored, so that the access right rule can be configured based on the isolation environment data. In some embodiments, the user device may store the public key of the trusted quarantine environment, or the trusted quarantine environment system transmits the public key to the user device in other manners, such as a manner of pulling from a server, which is not limited in this embodiment of the present application.
In step 214, the user equipment obtains the second key and generates a key encryption request.
In step 216, the user device sends a key encryption request to the key management system.
The user equipment may locally generate a local key, denoted as a second key, which is used for encryption and decryption of the data key, and may be a symmetric key. A key encryption request may be generated based on the second key for requesting a key management system to encrypt the user's data key. Therefore, the key encryption request can also comprise user identity information, such as user identification and the like.
In step 218, the key management system encrypts the third key with the second key to obtain a fourth key.
Step 220, the key management system sends the fourth key to the user device.
The key management system may determine the user identity based on the key encryption request, so as to obtain a data key of the user, which may also be referred to as a third key, where the data key is a key for the user to protect data by encrypting or decrypting the data. Then, the third Key is encrypted by using the second Key to obtain an encrypted Data Key, which may be referred to as a fourth Key, i.e., a Data Encryption Key (DEK).
In step 222, the user equipment sends a rule configuration request to the storage system.
The user equipment can determine the rule configuration information and generate a rule configuration request according to the rule configuration information. The rule configuration information includes account configuration information and access configuration information. The rule configuration information may be generated based on the identity information of the user and the isolation environment data. The user equipment can configure the access authority rules by logging in the specified account.
The account configuration information may be configured according to the identity information of the user, for example, account information authorized to be accessed is configured, and authorized resource information corresponding to the account information authorized to be accessed is configured, for example, the authority of resources such as reading, writing, and types of data may be set. And configuring access configuration information, such as identity information, version information and the like of an authorized trusted isolation environment according to the isolation environment data. In addition, encryption information such as a key corresponding to the user can be configured.
Step 224, the storage system obtains rule configuration information according to the rule configuration request, and configures the access right rule based on the rule configuration information.
The account configuration information, the access configuration information and the like can be acquired based on the rule configuration information, so that the access authority rules are configured based on the account configuration information, the access configuration information and other rule configuration information. Account information for authorized access, such as a specific account of the user, a specific account of the computing service used by the user, etc., may be configured. And configuring authority information for each account, determining the access authority of the account to the resource, such as reading, writing, types of data resources allowed to be accessed and the like, and specifically setting according to requirements. Information of the trusted isolated environment to which access is authorized, such as identity information, version information, key information, and the like of the environment, may also be configured based on the access configuration information. Thus, access to a given account can be granted based on the access permission rules, and processing of the trusted isolation environment, etc.
The configuration of the access authority rules can be realized through the process, and the access control is carried out subsequently based on the access authority rules, so that the data security is ensured. Therefore, after the access right rule is configured, the data system can send the access right rule to the key management system, and the key management system can perform access control based on the access right rule.
The user may also send the fourth key received from the key management system to an authorized designated account, for example, when the computing node in the computing service system provides data computing service for the user, the corresponding designated account may be logged in, and the fourth key may be sent to the designated account, which is convenient for subsequent data processing.
On the basis of the above embodiment, the embodiment of the present application further provides an access control method, where the key management system KMS may verify the trusted isolated environment, encrypt the data key of the user after the verification is passed, and transmit the encrypted data key to the trusted isolated environment, so that the trusted isolated environment can encrypt and decrypt the user data ciphertext and perform privacy computation based on the data key.
Referring to fig. 3, an interaction diagram of an access control method according to an embodiment of the present application is shown.
At step 302, the application sends an environment attestation request to the trusted isolated environment system.
The application program in this embodiment may be understood as a program that executes processing of data corresponding to a user, such as an application program in user equipment, an application program in a computing node of a computing service system, and the like. The application may determine authentication parameters for authentication, which may be random data, similar to the attestation parameters of the user device described above, a random string, or data determined based on certain rules. And generating an environment certification request based on the verification parameters, and sending the environment certification request to the trusted isolated environment system.
At step 304, the trusted isolated environment system determines a pair of environment keys (first key).
Step 306, the trusted isolation environment system generates a verification signature according to the verification parameters.
And 308, the trusted isolation environment system generates environment certification data according to the public key of the temporary key pair and the environment description data.
The trusted isolated environment system may determine an environment key pair, i.e., a first key, which may be an asymmetric key pair, and thus include a public key (public key) and a private key (private key). The trusted isolated environment system may also generate a verification signature based on the verification parameters in the environment attestation request. And performing signature calculation on the verification parameters according to a private key in the environment key pair to obtain corresponding verification signatures. And generating a temporary key pair, then acquiring a public key of the temporary key pair and the environment description data of the trusted isolated environment system, and then generating environment certification data by adopting the verification signature, the public key of the temporary key pair and the environment description data. The environment description data is similar to the isolation environment data, and includes version information, identity information, and the like of the isolation environment, and is used for verifying the isolation environment.
At step 310, the trusted isolated environment system sends environment attestation data to the application.
At step 312, the application generates a remote access request using the public key of the temporary key pair, the environment description data, and the verification signature.
After receiving the environment certification data fed back by the trusted isolation environment system, the application program can acquire the public key, the environment description data and the verification signature of the temporary key pair, and then acquire a fourth key corresponding to the user, wherein the fourth key is an encrypted data key.
At step 314, the application sends a remote access request to the key management system.
Step 316, the key management system verifies the public key and the environment description data.
The key management system may perform signature verification on the verification signature based on a public key of the environment key pair, and after the verification is passed, may match the environment description data with the access permission rule to determine whether the isolation environment is a specified trusted isolation environment. The environment description data can be matched with information of a trusted isolation environment in the access permission rule, such as identity information, version information and the like, so that whether the environment corresponding to the environment data is the trusted isolation environment or not is determined. In addition, the remote access request can also carry identity information of an account corresponding to the application program, so that whether the account is an account which is allowed to be accessed or not is verified.
Step 318, the key management system obtains a fifth key according to the fourth key.
After the trusted isolation environment is confirmed, the fourth key can be decrypted by using the second key (the local key) to obtain a third key, that is, a data key. And then, encrypting the third secret key by using the public key of the temporary secret key pair to obtain a fifth secret key, wherein the fifth secret key is a data secret key encrypted by the public key and can also be called a public key encryption secret key.
At step 320, the key management system sends the fifth key to the application.
At step 322, the application forwards the fifth key to the trusted isolated environment system.
Step 324, the trusted isolated environment system decrypts the fifth key to obtain a third key.
The trusted isolation environment system may decrypt the fifth key using the private key of the temporary key pair to obtain the third key. Subsequent data for the user may be encrypted and decrypted based on the third key. And data which can be sent aiming at the application program is encrypted, decrypted and calculated in a trusted isolation environment system, so that the data security is ensured.
In the embodiment of the present application, the environment key pair is a key pair determined by hardware based on the isolation environment, and is a key pair that is not changed and is used for determining the isolation environment. The temporary key pair is a key pair temporarily generated for data processing and used for encrypting and decrypting the data key requested at this time, so that different temporary key pairs are adopted during different requests, and the safety of the data key can be further ensured.
In summary, the data key encrypted by using the public key is derived from the key management system through the remote certification materials such as the public key derived from the isolation environment, the environment description data and the like, and then the data key is derived into the trusted isolation environment to be decrypted by using the corresponding private key, so that the data key is obtained, an HTTPS link does not need to be initiated from the trusted isolation environment, the defect that the identity of the trusted isolation environment cannot be configured by a user is overcome, and the development complexity is reduced.
The embodiment of the application provides a data processing method, which can remotely prove an isolation environment and provide a public key encryption key after the isolation environment is trusted, so that data security is ensured.
Referring to fig. 4, a flowchart of the steps of the key management system side in a data processing method of the present application is shown.
At step 402, a remote access request is received.
The remote access request comprises: environment description data and a public key of the isolated environment. The remote access request may also include a verification signature, an encrypted data key (fourth key), and account identity information, among others. Therefore, whether the account is authorized to be accessed or not can be verified according to the identity information of the account.
Step 404, verifying the environment description data according to the access restriction rule.
Identity information, version information and the like of the isolation environment in the environment description information can be matched with rules corresponding to the access restriction rules, and whether the isolation environment is a trusted isolation environment or not is determined. And if the environment is a trusted isolation environment, continuing to execute the subsequent steps. If not a trusted isolation environment, the isolation environment may be denied.
And 406, encrypting the data key by using the public key under the condition that the isolation environment is determined to be a trusted isolation environment to obtain a public key encryption key.
Wherein the public key is a public key of the temporary key pair. The encrypting the data key by the public key to obtain the public key encryption key comprises the following steps: acquiring an encrypted data key; decrypting the encrypted data key by using a local key to obtain a data key; and encrypting the data secret key by adopting the public key to obtain a public key encryption secret key. In the key management system, a data key (third key) is encrypted for storage and transmission, the encrypted data key (fourth key) can be obtained, and a local key (second key) is used for decrypting the encrypted data key to obtain the data key (third key). And then, the data key is encrypted by using the public key of the temporary key pair to obtain a public key encryption key (fifth key).
Step 408, sending the public key encryption key so that the isolated environment can perform secure processing of data based on the data key.
The above is the process of encryption management and transmission for the data key after the access restriction rule setting is completed. The key management system may also encrypt the data key during a setup phase of the access restriction rules. Receiving a key encryption request, wherein the key encryption request comprises a local key; encrypting the data key according to the local key to obtain an encrypted data key; the encrypted data key to the user device.
On the basis of the embodiment, the data processing method applied to the trusted isolation environment system side is further provided, the trusted isolation environment and the certification material can be provided, data processing is provided for the user based on the trusted isolation environment, and data security is guaranteed.
Referring to fig. 5, a flowchart illustrating steps of a trusted quarantine environment system side in a data processing method according to the present application is shown.
At step 502, an attestation request is received.
Step 504, generating signature data according to the certification request.
Step 506, obtaining the environment data, and generating the certification data by using the environment data and the signature data.
The request for the certification material of the isolation environment includes two cases, one is for the certification data of the trusted isolation environment for which access is authorized in the stage of setting the access restriction rule, and the other is for the certification that the isolation environment is the trusted isolation environment in the stage of data processing.
In an alternative embodiment, the attestation request includes: a remote attestation request, the remote attestation request comprising: the parameters are certified. Said generating signature data in accordance with said attestation request, comprising: and determining an environment key pair, and adopting a private key of the environment key pair to sign the certification parameters to generate a certification signature. The certification parameters can be signed and calculated based on a private key of the key pair, and a certification signature is obtained. The obtaining the environment data, generating certification data by using the environment data and the signature data, comprising: obtaining isolation environment data of a trusted isolation environment; generating remote attestation data using the attestation signature and the isolated environment data to set access restriction rules based on the environment attestation request.
In another alternative embodiment, the attestation request includes: an environment attestation request, the environment attestation request including: verifying the parameters; said generating signature data in accordance with said attestation request, comprising: determining an environment key pair, and adopting a private key of the environment key pair to sign the verification parameters to generate a verification signature; the obtaining the environment data, generating certification data by using the environment data and the signature data, comprising: generating a temporary key pair, and acquiring environment description data of an isolated environment and a public key of the temporary key pair; and generating environment certification data by adopting the verification signature, the public key of the temporary key pair and the environment description data, and certifying that the isolation environment is a trusted isolation environment by the environment certification data.
At step 508, a public key encryption key is received.
And 510, obtaining a private key corresponding to the public key, decrypting the public key encryption key through the private key to obtain a corresponding data key, and performing data security processing based on the data key.
The public key and the private key are a pair of temporarily generated asymmetric key pairs, and thus the acquired private key is the private key of the temporary key pair corresponding to the public key.
On the basis of the above embodiment, a data processing method applied to the application program side is further provided, which can provide data interaction between a trusted isolation environment and a key management system, so that the trusted isolation environment can provide data processing for a user, and data security is ensured. The application program can be an application program of the user equipment and can also be an application program of a computing node in the computing service system.
Referring to fig. 6, a flowchart of steps on the application side of a data processing method of the present application is shown.
Step 602, determining a verification parameter, and generating an environment attestation request according to the verification parameter.
Step 604, sending the environment attestation request to the isolation environment.
Step 606, receiving environment attestation data, the environment attestation data including: and verifying a signature, a public key and environment description data, wherein the verification signature is determined according to the verification parameters and a private key corresponding to the public key.
Step 608, generating a remote access request according to the environment certification data, and sending the remote access request to a key management system, so as to certify that the isolation environment is a trusted isolation environment based on the environment certification data.
Step 610, receiving a public key encryption key, where the public key encryption key is generated based on a public key and a data key of the temporary key pair under the determination that the isolation environment is a trusted isolation environment.
Step 612, sending the public key encryption key to the isolated environment.
On the basis of the above embodiment, a data processing method applied to the user equipment side is further provided, which can set an access restriction rule for a specified account and a trusted isolation environment, so that the trusted isolation environment provides data processing for the user, and data security is ensured.
Referring to fig. 7, a flowchart of steps of an application side of a data processing method of the present application is shown.
Step 702 generates a remote attestation request and sends the remote attestation request to a trusted isolation environment, the remote attestation request including attestation parameters.
Step 704, receiving remote attestation data, the remote attestation data including: an attestation signature and remote environment data, the attestation signature generated in dependence on the attestation parameters.
Step 706, after the verification of the certificate signature passes, generating a key encryption request according to the local key, and sending the key encryption request.
Step 708, receiving an encrypted data key, where the encrypted data key is generated by encrypting data according to a local key.
Step 710, generating a rule configuration request according to the remote environment data, and sending the rule configuration request to configure an access authority rule, wherein the access authority rule is used for determining a trusted isolation environment authorized to access.
In the embodiment of the application, a user configures isolation environment data such as identity information of a specified trusted isolation environment in an access authority rule, a key management system verifies whether an environment certification material provided by an application program matches the access authority rule of the user through a remote certification technology of the trusted isolation environment, and finally, a key of the user is encrypted through an exclusive public key of the trusted isolation environment and then is transmitted to the trusted isolation environment specified by the user. And decrypted by the private key specific to the trusted isolated environment. There is no longer a need for a trusted isolated environment to directly access the key management system over HTTPS.
And moreover, the security of the data key of each network service such as a computing service is enhanced through the mode, and as the key management system is used for identifying the authority of the data key when providing the key service, and remotely proving the environmental data such as the identity information of the isolation environment and the like to confirm that the environmental data is a trusted isolation environment, the security of the isolation environment is ensured, and the key management service cannot be obtained even if the data key is obtained by an unauthorized third party.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those of skill in the art will recognize that the embodiments described in this specification are presently preferred embodiments and that no particular act is required to implement the embodiments of the disclosure.
On the basis of the above embodiments, the present embodiment further provides a data processing apparatus, which is applied to an electronic device on the key management system side.
Referring to fig. 8, a block diagram of a data processing apparatus according to an embodiment of the present application is shown, which may specifically include the following modules:
a remote request module 802 configured to receive a remote access request, where the remote access request includes: environment description data and a public key of the isolated environment.
And the environment verification module 804 is used for verifying the environment description data according to the access restriction rule.
The key encryption module 806 is configured to encrypt the data key by using a public key to obtain a public key encryption key when it is determined that the isolation environment is a trusted isolation environment.
A key sending module 808, configured to send the public key encryption key, so that the isolated environment can perform secure processing on data based on the data key.
In summary, the user may configure a specified trusted isolation environment in the access permission rule, so that the key management system KMS may verify the isolation environment based on the remote access request, encrypt the data key of the user and transmit the encrypted data key to the trusted isolation environment after verifying the isolation environment as the trusted isolation environment, so that the trusted isolation environment can encrypt and decrypt the user data ciphertext and perform privacy computation based on the data key. In this way, a trusted isolation environment is no longer required to directly access the key management system through the HTTPS, so that the risk of data key and data leakage is avoided, and the data security is improved
The key encryption module 806 is configured to obtain an encrypted data key; decrypting the encrypted data key by using a local key to obtain a data key; and encrypting the data key by adopting the public key to obtain a public key encryption key.
The remote request module 802 is further configured to receive a key encryption request, where the key encryption request includes a local key; the key encryption module 806 is further configured to encrypt a data key according to the local key to obtain an encrypted data key; the key sending module 808 is further configured to send the encrypted data key to the user equipment.
On the basis of the above embodiments, the present embodiment further provides a data processing apparatus, which is applied to an electronic device on a trusted isolated environment side.
Referring to fig. 9, a block diagram of another data processing apparatus embodiment of the present application is shown, which may specifically include the following modules:
a request receiving module 902, configured to receive a request for attestation;
a signature module 904 for generating signature data according to the certification request;
a certification module 906, configured to obtain environment data, and generate certification data by using the environment data and the signature data;
a key processing module 908 for receiving a public key encryption key; and acquiring a private key corresponding to the public key, decrypting the public key encryption key through the private key to obtain a corresponding data key, and performing data security processing based on the data key.
In an alternative embodiment, the attestation request includes: a remote attestation request, the remote attestation request comprising: proving the parameters; the signature module 904 is configured to generate a certification signature according to the certification parameter; the certification module 906 is configured to obtain isolation environment data of a trusted isolation environment; generating remote attestation data using the attestation signature and the isolated environment data to set access restriction rules based on the environment attestation request.
In another alternative embodiment, the attestation request includes: an environment attestation request, the environment attestation request including: verifying the parameters; the signature module 904 is configured to generate a key pair, perform signature processing on the verification parameter by using a private key of the key pair, and generate a verification signature; the certification module 906 is configured to obtain environment description data of an isolated environment and a public key of the key pair; and generating environment certification data by adopting the verification signature, the public key and the environment description data, and certifying that the isolation environment is a trusted isolation environment by the environment certification data.
On the basis of the above embodiments, the present embodiment further provides a data processing apparatus, which is applied to an electronic device where an application program is located, such as a computing node device.
The environment request module is used for determining verification parameters and generating an environment certification request according to the verification parameters; and sending the environment certification request to the isolation environment. .
A remote access module to receive environment attestation data, the environment attestation data including: verifying a signature, a public key and environment description data, wherein the verification signature is determined according to the verification parameters and a private key corresponding to the public key; and generating a remote access request according to the environment certification data, and sending the remote access request to a key management system so as to certify that the isolation environment is a trusted isolation environment based on the environment certification data.
A key forwarding module, configured to receive a public key encryption key, where the public key encryption key is generated based on a public key and a data key under a determination that the isolation environment is verified to be a trusted isolation environment; sending the public key encryption key to the isolation environment.
On the basis of the above embodiments, the present embodiment further provides a data processing apparatus, which is applied to a user equipment.
A request module to generate a remote attestation request and send the remote attestation request to a trusted isolated environment, the remote attestation request including attestation parameters. Receiving remote attestation data, the remote attestation data including: an attestation signature and remote environment data, the attestation signature generated in dependence on the attestation parameters.
The encryption module is used for generating a key encryption request according to a local key after the verification of the certificate signature passes, and sending the key encryption request; and receiving an encrypted data key, wherein the encrypted data key is generated by encrypting data according to a local key.
And the rule configuration module is used for generating a rule configuration request according to the remote environment data and sending the rule configuration request to configure an access authority rule, wherein the access authority rule is used for determining a trusty isolation environment authorized to access.
In the embodiment of the application, a user configures isolation environment data such as identity information of a specified trusted isolation environment in an access authority rule, a key management system verifies whether an environment certification material provided by an application program matches the access authority rule of the user through a remote certification technology of the trusted isolation environment, and finally, a key of the user is encrypted through an exclusive public key of the trusted isolation environment and then is transmitted to the trusted isolation environment specified by the user. And decrypted by the private key specific to the trusted isolation environment. There is no longer a need for a trusted isolated environment to directly access the key management system over HTTPS.
And the security of the data key of each network service such as a computing service is also enhanced by the mode, and the key management system not only needs to identify the authority of the data key when providing the key service, but also needs to remotely prove the environment data such as the identity information of the isolation environment and the like and confirm the environment data as a trusty isolation environment, so that the security of the isolation environment is ensured, and the key management service cannot be obtained even if the data key is obtained by an unauthorized third party.
The present application further provides a non-transitory, readable storage medium, where one or more modules (programs) are stored, and when the one or more modules are applied to a device, the device may execute instructions (instructions) of method steps in this application.
Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform a method as described in one or more of the above embodiments. In the embodiment of the present application, the electronic device includes various types of devices such as a terminal device and a server (cluster).
Embodiments of the present disclosure may be implemented as an apparatus, which may include electronic devices such as a terminal device, a server (cluster), etc., using any suitable hardware, firmware, software, or any combination thereof, for a desired configuration. Fig. 10 schematically illustrates an example apparatus 1000 that may be used to implement various embodiments described in the present application.
For one embodiment, fig. 10 illustrates an example apparatus 1000 having one or more processors 1002, a control module (chipset) 1004 coupled to at least one of the processor(s) 1002, a memory 1006 coupled to the control module 1004, a non-volatile memory (NVM)/storage 1008 coupled to the control module 1004, one or more input/output devices 1010 coupled to the control module 1004, and a network interface 1012 coupled to the control module 1004.
The processor 1002 may include one or more single-core or multi-core processors, and the processor 1002 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 1000 can be used as a terminal device, a server (cluster), or the like in this embodiment.
In some embodiments, the apparatus 1000 may include one or more computer-readable media (e.g., the memory 1006 or the NVM/storage 1008) having instructions 1014 and one or more processors 1002 that, in conjunction with the one or more computer-readable media, are configured to execute the instructions 1014 to implement modules to perform the actions described in this disclosure.
For one embodiment, control module 1004 may include any suitable interface controllers to provide any suitable interface to at least one of the processor(s) 1002 and/or any suitable device or component in communication with control module 1004.
The control module 1004 may include a memory controller module to provide an interface to the memory 1006. The memory controller module may be a hardware module, a software module, and/or a firmware module.
Memory 1006 may be used, for example, to load and store data and/or instructions 1014 for device 1000. For one embodiment, memory 1006 may comprise any suitable volatile memory, such as suitable DRAM. In some embodiments, the memory 1006 may comprise a double data rate type four synchronous dynamic random access memory (DDR 4 SDRAM).
For one embodiment, the control module 1004 may include one or more input/output controllers to provide an interface to the NVM/storage 1008 and input/output device(s) 1010.
For example, NVM/storage 1008 may be used to store data and/or instructions 1014. NVM/storage 1008 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more hard disk drive(s) (HDD (s)), one or more Compact Disc (CD) drive(s), and/or one or more Digital Versatile Disc (DVD) drive (s)).
The NVM/storage 1008 may include storage resources that are physically part of the device on which the apparatus 1000 is installed, or it may be accessible by the device and need not be part of the device. For example, NVM/storage 1008 may be accessed over a network via input/output device(s) 1010.
Input/output device(s) 1010 may provide an interface for apparatus 1000 to communicate with any other suitable device, input/output devices 1010 may include communication components, audio components, sensor components, and so forth. Network interface 1012 may provide an interface for device 1000 to communicate over one or more networks, and device 1000 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as to access a communication standard-based wireless network, such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.
For one embodiment, at least one of the processor(s) 1002 may be packaged together with logic for one or more controller(s) (e.g., memory controller module) of control module 1004. For one embodiment, at least one of the processor(s) 1002 may be packaged together with logic for one or more controller(s) of control module 1004 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 1002 may be integrated on the same die with the logic of one or more controllers of the control module 1004. For one embodiment, at least one of the processor(s) 1002 may be integrated on the same die with logic for one or more controller(s) of control module 1004 to form a system on chip (SoC).
In various embodiments, the apparatus 1000 may be, but is not limited to: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, the apparatus 1000 may have more or fewer components and/or different architectures. For example, in some embodiments, device 1000 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and speakers.
The detection device may adopt a main control chip as a processor or a control module, the sensor data, the position information and the like are stored in a memory or an NVM/storage device, the sensor group may be used as an input/output device, and the communication interface may include a network interface.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "include", "including" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, article, or terminal device including a series of elements includes not only those elements but also other elements not explicitly listed or inherent to such process, method, article, or terminal device. Without further limitation, an element defined by the phrases "comprising one of \ 8230; \8230;" does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The foregoing detailed description has provided a data processing method and apparatus, an electronic device and a storage medium, and the principles and embodiments of the present application are described herein using specific examples, which are merely used to help understand the method and its core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A method of data processing, the method comprising:
receiving a remote access request, the remote access request comprising: environment description data and a public key of the isolated environment;
verifying the environment description data according to an access restriction rule;
under the condition that the isolation environment is determined to be a trustable isolation environment, encrypting a data key by adopting a public key to obtain a public key encryption key;
and sending the public key encryption key so that the isolation environment can perform safe processing of data based on the data key.
2. The method of claim 1, wherein the encrypting the data key with the public key to obtain a public key encryption key comprises:
acquiring an encrypted data key;
decrypting the encrypted data key by using a local key to obtain a data key;
and encrypting the data key by adopting the public key to obtain a public key encryption key.
3. The method of claim 1, further comprising:
receiving a key encryption request, wherein the key encryption request comprises a local key;
encrypting the data key according to the local key to obtain an encrypted data key;
the encrypted data key to the user device.
4. A method of data processing, the method comprising:
receiving a request for attestation;
generating signature data according to the certification request;
acquiring environment data, and generating certification data by adopting the environment data and the signature data;
receiving a public key encryption key;
and acquiring a private key corresponding to the public key, decrypting the public key encryption key through the private key to obtain a corresponding data key, and performing data security processing based on the data key.
5. The method of claim 4, wherein the attestation request comprises: a remote attestation request, the remote attestation request comprising: proving a parameter;
said generating signature data from said attestation request includes: generating a certification signature according to the certification parameters;
the obtaining the environment data, generating certification data by using the environment data and the signature data, comprising:
acquiring isolation environment data of a trusted isolation environment;
generating remote attestation data using the attestation signature and the isolated environment data to set access restriction rules based on the environment attestation request.
6. The method of claim 4, wherein the attestation request comprises: an environment attestation request, the environment attestation request including: verifying the parameters;
said generating signature data from said attestation request includes: adopting a private key of an environment key pair to perform signature processing on the verification parameters to generate a verification signature;
the obtaining the environment data, generating certification data by using the environment data and the signature data, comprising:
generating a temporary key pair and acquiring environment description data of an isolation environment;
and generating environment certification data by adopting the verification signature, the public key of the temporary key pair and the environment description data, and certifying that the isolation environment is a trusted isolation environment through the environment certification data.
7. A method of data processing, the method comprising:
determining a verification parameter, and generating an environment certification request according to the verification parameter;
sending the environment attestation request to an isolated environment;
receiving environment attestation data, the environment attestation data including: verifying a signature, a public key and environment description data, wherein the verification signature is determined according to the verification parameters and a private key corresponding to the public key;
generating a remote access request according to the environment certification data, and sending the remote access request to a key management system so as to certify that the isolation environment is a trusted isolation environment based on the environment certification data;
receiving a public key encryption key, wherein the public key encryption key is generated based on a public key and a data key under the determination that the isolation environment is a trusted isolation environment;
sending the public key encryption key to the isolation environment.
8. A method of data processing, the method comprising:
generating a remote attestation request and sending the remote attestation request to a trusted isolated environment, the remote attestation request including attestation parameters;
receiving remote attestation data, the remote attestation data including: a certification signature and remote environment data, the certification signature generated in accordance with the certification parameters;
after the certification signature passes the verification, generating a key encryption request according to a local key, and sending the key encryption request;
receiving an encrypted data key, wherein the encrypted data key is generated by encrypting data according to a local key;
and generating a rule configuration request according to the remote environment data, and sending the rule configuration request to configure an access authority rule, wherein the access authority rule is used for determining a trusted isolation environment authorized to access.
9. An electronic device, comprising: a processor; and
memory having stored thereon executable code which, when executed, causes the processor to perform the method of any of claims 1-3, or to perform the method of any of claims 4-6, or to perform the method of claim 7, or to perform the method of claim 8.
10. One or more machine-readable media having stored thereon executable code that, when executed, causes a processor to perform the method of any of claims 1-3, or perform the method of any of claims 4-6, or perform the method of claim 7, or perform the method of claim 8.
CN202110622425.6A 2021-06-03 2021-06-03 Data processing method, device, equipment and storage medium Pending CN115438352A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110622425.6A CN115438352A (en) 2021-06-03 2021-06-03 Data processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110622425.6A CN115438352A (en) 2021-06-03 2021-06-03 Data processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115438352A true CN115438352A (en) 2022-12-06

Family

ID=84240232

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110622425.6A Pending CN115438352A (en) 2021-06-03 2021-06-03 Data processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115438352A (en)

Similar Documents

Publication Publication Date Title
US10911226B2 (en) Application specific certificate management
CN107743133B (en) Mobile terminal and access control method and system based on trusted security environment
US9813247B2 (en) Authenticator device facilitating file security
WO2021022701A1 (en) Information transmission method and apparatus, client terminal, server, and storage medium
US9697371B1 (en) Remote authorization of usage of protected data in trusted execution environments
CN106104542B (en) Content protection for data as a service (DaaS)
WO2019020051A1 (en) Method and apparatus for security authentication
WO2019127278A1 (en) Safe access blockchain method, apparatus, system, storage medium, and electronic device
US20150333915A1 (en) Method and apparatus for embedding secret information in digital certificates
US9887993B2 (en) Methods and systems for securing proofs of knowledge for privacy
CN109862560B (en) Bluetooth authentication method, device, equipment and medium
US9280687B2 (en) Pre-boot authentication using a cryptographic processor
EP3506560A1 (en) Secure provisioning of keys
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
CN114629639A (en) Key management method and device based on trusted execution environment and electronic equipment
US20220400015A1 (en) Method and device for performing access control by using authentication certificate based on authority information
CN113438205A (en) Block chain data access control method, node and system
CN106992978B (en) Network security management method and server
CN102999710A (en) Method, equipment and system for safely sharing digital content
WO2021082222A1 (en) Communication method and apparatus, storage method and apparatus, and operation method and apparatus
JP6378424B1 (en) User authentication method with enhanced integrity and security
CN109960935B (en) Method, device and storage medium for determining trusted state of TPM (trusted platform Module)
CN110602075A (en) File stream processing method, device and system for encryption access control
CN107070648B (en) Key protection method and PKI system
CN113810178B (en) Key management method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240304

Address after: 51 Belarusian Pasha Road, Singapore, Lai Zan Da Building 1 # 03-06, Postal Code 189554

Applicant after: Alibaba Innovation Co.

Country or region after: Singapore

Address before: Room 01, 45th Floor, AXA Building, 8 Shanton Road, Singapore

Applicant before: Alibaba Singapore Holdings Ltd.

Country or region before: Singapore

TA01 Transfer of patent application right