CN115758396B - Database security access control technology based on trusted execution environment - Google Patents


Publication number: CN115758396B
Authority: CN (China)
Prior art keywords: data, user, database, execution environment, trusted execution
Legal status: Active
Application number: CN202211066304.9A
Other languages: Chinese (zh)
Other versions: CN115758396A
Inventors: 刘忻, 周诏盟, 王小溪, 孙嘉文, 陆佳, 张瑞生, 王淼, 王家寅, 杨浩睿
Current Assignee: Lanzhou University
Original Assignee: Lanzhou University
Events: application filed by Lanzhou University; priority to CN202211066304.9A; publication of CN115758396A; application granted; publication of CN115758396B; legal status Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a database security access control technology based on a trusted execution environment, which converts the database key from a storage state into a calculation state and encrypts data hierarchically. In the storage key dynamic generation stage, the key parameter is calculated inside the trusted execution environment; the encryption and decryption of private data can selectively be executed in the trusted execution environment or in an open execution environment; all remaining operations are implemented in the front-end and back-end open execution environments. The beneficial effects of the invention are as follows: the method has higher security and better practicability, and can resist attacks by malicious code and privileged users. Compared with the traditional approach of centralized management, whole-table encryption and static key storage for database tables, the method converts the key from a storage state into a calculation state, starts from the perspective of the data encryption and decryption keys, realizes separation of rights over the private data in the database, solves the key management problem, provides a means of field-level encryption of private data, ensures normal access to business data, and greatly improves security.

Description

Database security access control technology based on trusted execution environment
Technical Field
The invention relates to the field of trusted execution environments, in particular to a database security access control technology based on a trusted execution environment.
Background
As the level of technology keeps improving, more and more fields have changed greatly because of it, and data management is a typical example. With the advent of the big data era, the databases of many companies have grown larger and larger, and almost all information systems are built on database systems. This makes data information more convenient to manage and view, helps maintain the validity and consistency of data, and greatly improves the working efficiency of companies. However, with the rapid development of emerging technologies such as 5G and cloud computing, database systems are in wide use, every enterprise is actively pursuing informatization, and users access enterprise data through multiple channels; against this background, enterprises face problems such as business complexity and routine attacks, the importance of data and the urgency of data management keep growing, and the problem of database security access control becomes particularly important.
Permission separation means that users have different access and operation permissions for different access objects; it is an important evaluation index in information security and also in the national classified protection evaluation. At present, mainstream databases are mostly managed centrally by a privileged user using a storage key, and security access control is realized in the form of whole-table encryption of the database. How to realize a security access control method that separates permissions in a relational database is one of the key problems that urgently needs to be solved in the database field.
In summary, security access control research based on relational databases improves the security of data information and protects user privacy, and is of great significance at the strategic level for the long-term development of domestic technology.
Disclosure of Invention
In order to solve the above problems, the present invention provides a database security access control technology based on a trusted execution environment, which comprises five stages: a user login stage, a user information updating stage, a storage key dynamic generation stage, a private data operation stage and a business data access stage;
the user login stage transmits the user information entered at the user end to the database end and identifies legal data owners, so that reliable communication between the front end and the database is established;
the storage key dynamic generation stage generates a storage key specific to the data owner. In particular, at this stage the technology dynamically generates a user storage key in the trusted execution environment by combining the personal identity information with a predefined master key through a message digest algorithm; this storage key is then used for subsequent data reading and for the encryption and decryption of the user's private data;
the user information updating stage transmits the updated user information entered at the user terminal to the database terminal, so that the ciphertext private data corresponding to the data owner is updated;
the private data operation stage realizes the extraction and decryption of private data stored as ciphertext and the encryption and writing of private data entered as plaintext, meeting the field-level fine-grained encryption requirement of a database;
and the business data access stage realizes direct, parallel operation on the non-private data of the database table.
The storage key dynamic generation stage, in which the storage key parameter is calculated from the user information and the master key, is restricted to execution inside the trusted execution environment; the private data extraction/decryption and input/encryption stages, which encrypt part of the private data, may selectively be executed in the trusted execution environment or in an external open execution environment; all remaining operations are implemented in the front-end and back-end open execution environments. Further, the specific process of the user login stage is as follows:
S11: Initialize the client and register;
S12: Obtain the user input UN_i and PW_i from the front end, where UN_i and PW_i denote the user name and password of user i, respectively. The user enters the user name and password and obtains the current timestamp TS_1;
S13: The user obtains the current timestamp TS_1;
S14: The user terminal sends m_1 = {UN_i, PW_i, TS_1} to the remote database management system, where it is received through the calling interface of the trusted execution environment management mechanism. The trusted execution environment management mechanism specifically refers to the trusted execution environment and the interactive program interface deployed in the database management system; in particular, the implementations of a message digest algorithm and a symmetric encryption algorithm are written inside the security zone of the trusted execution environment, and a mapping relation table between legal data owners and database table storage keys is stored there as well;
S15: After the trusted execution environment management mechanism receives m_1, it verifies whether the timestamp TS_1 is valid. If it is invalid, the mechanism refuses to establish communication; if it is valid, the mechanism checks whether a legal mapping relation record for the requesting user name exists in the pre-stored mapping table, and if such a record exists, it obtains the data owner's table storage key PCD_i and the current timestamp TS_2. A timestamp is valid when the difference between the current timestamp and the timestamp to be verified is less than the maximum transmission delay of communication propagation;
S16: The trusted execution environment management mechanism passes the obtained table storage key PCD_i to the remote database management system through the interface;
S17: The database management system uses the received PCD_i to look up the database table in which the corresponding data owner is located. Since a whole table in a relational database may store the records of several data owners, only the records of this data owner in the table are returned to the user side, in the form of a sub-table.
Further, the specific flow of the storage key dynamic generation stage is as follows:
S21: The remote database management system sends m_2 = {UN_i, PW_i, TS_2} to the trusted execution environment management mechanism. After receiving m_2, the mechanism verifies whether the timestamp TS_2 is valid; if it is invalid, the mechanism refuses to execute the storage key generation operation, and if it is valid, it computes UN_i || PW_i, where || denotes bitwise concatenation;
S22: The trusted execution environment management mechanism calls a preset function interface to pass UN_i || PW_i into the security zone of the trusted execution environment framework;
S23: Inside the security zone, the user name, the password and the preset master key are mixed and encrypted using a message digest algorithm written and implemented there in advance, generating the data owner-specific storage key CPW_i. As long as the data owner's personal information is unchanged, the storage key dynamically generated each time is identical;
S24: In every stage of user operation, the trusted execution environment management mechanism always keeps the data owner-specific storage key CPW_i inside the security zone.
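An added Go example of the storage key derivation of S21 to S24; it is not the patent's code. The patent does not name the message digest algorithm, so HMAC-SHA256 keyed with the master key is an assumption, as are the master key and the user values used below. The first function follows the bitwise concatenation UN_i || PW_i literally; the second adds a length prefix to each field, which a practitioner would want because plain concatenation lets two different user name/password pairs produce the same input bytes and therefore the same CPW_i. The SecurityZone type shows S24: the derived key stays in the zone and only its length is reported outward.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DeriveStorageKeyConcat follows S21 to S23 literally: the security zone mixes
// UN_i || PW_i (bitwise concatenation) with the preset master key through a
// message digest. HMAC-SHA256 keyed with the master key is an assumed
// instantiation of the digest the patent leaves unnamed.
func DeriveStorageKeyConcat(masterKey, userName, password []byte) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write(userName)
	mac.Write(password) // same bytes as feeding the concatenation UN_i || PW_i
	return mac.Sum(nil)
}

// DeriveStorageKey is the same derivation with each field length-prefixed, so
// that distinct (user name, password) pairs whose concatenations coincide can
// no longer yield the same storage key.
func DeriveStorageKey(masterKey, userName, password []byte) []byte {
	mac := hmac.New(sha256.New, masterKey)
	var n [4]byte
	for _, field := range [][]byte{userName, password} {
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		mac.Write(n[:])
		mac.Write(field)
	}
	return mac.Sum(nil)
}

// SecurityZone retains the derived CPW_i of each data owner, as S24 requires,
// instead of handing it back to the open environment.
type SecurityZone struct {
	masterKey []byte
	keys      map[string][]byte // user name -> CPW_i
}

// NewSecurityZone creates a zone holding the (constructed) master key.
func NewSecurityZone(masterKey []byte) *SecurityZone {
	return &SecurityZone{masterKey: masterKey, keys: map[string][]byte{}}
}

// Generate computes CPW_i on request and keeps it in the zone (S23, S24).
// Only the key length is returned, so the caller learns nothing about the key.
func (z *SecurityZone) Generate(userName, password string) int {
	k := DeriveStorageKey(z.masterKey, []byte(userName), []byte(password))
	z.keys[userName] = k
	return len(k)
}

// HasKey reports whether CPW_i for a user is currently held in the zone.
func (z *SecurityZone) HasKey(userName string) bool {
	_, ok := z.keys[userName]
	return ok
}

func main() {
	master := []byte("constructed master key, not from the patent")
	fmt.Println("concat :", hex.EncodeToString(DeriveStorageKeyConcat(master, []byte("ab"), []byte("c"))))
	fmt.Println("concat :", hex.EncodeToString(DeriveStorageKeyConcat(master, []byte("a"), []byte("bc"))))
	fmt.Println("prefix :", hex.EncodeToString(DeriveStorageKey(master, []byte("ab"), []byte("c"))))
	fmt.Println("prefix :", hex.EncodeToString(DeriveStorageKey(master, []byte("a"), []byte("bc"))))
	z := NewSecurityZone(master)
	fmt.Println("key bytes held in zone:", z.Generate("alice", "alice-pw"), z.HasKey("alice"))
}
```

Because CPW_i is a deterministic function of the credentials and the master key, the design's strength rests on the master key never leaving the security zone; a password change necessarily changes CPW_i, which is why the user information updating stage has to re-encrypt the owner's ciphertext fields.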
Further, the specific process of the user password updating stage is as follows:
S31: The data owner's user name UN_1 and corresponding password PW_1 from before the update are sent to the trusted execution environment management mechanism; in the security zone, the user name, the password and the preset master key are mixed and encrypted by calling the message digest algorithm to generate the data owner's old storage key CPW_1, and at the same time the mapping relation record is looked up in the mapping table to obtain the corresponding database table storage key PCD_i;
S32: The database management system uses the received PCD_i to look up the database table of the corresponding data owner, and passes the data owner's records in that table to the trusted execution environment management mechanism in the form of a sub-table;
S33: The user sends the data owner's updated password PW_2 to the trusted execution environment management mechanism; in the security zone, the user name, the new password and the preset master key are mixed and encrypted by calling the message digest algorithm to generate the data owner's new storage key CPW_2;
S34: In the trusted execution environment management mechanism, a script is called to obtain all ciphertext private data corresponding to the data owner; inside the security zone this private data is decrypted with the old storage key CPW_1 and then encrypted with the new storage key CPW_2, yielding the updated private data ciphertext;
S35: After the operation is finished, the program calls the script to connect to the database again, the data owner's sub-table records with the updated private data are transmitted back to the database through the gsql command, and the total data table is updated through the stored procedure.
Further, the data owner's private data operation stage comprises a stage in which plaintext-input private data is encrypted and written and a stage in which ciphertext-stored private data is extracted and decrypted. The specific process of the plaintext-input private data encryption and writing stage is as follows:
S41: The user-side program runs a script that connects to the database; from the database table that the user already has, a data table containing the user's personal information is generated and exported by means of a stored procedure or similar, saved into a file, and stored under the directory where the program is located;
S42: After the above is completed, the data owner may choose to view, encrypt or decrypt the personal information. When the user selects the write/modify operation for private data, the data owner enters the added or modified private data CT at the user end and obtains the latest timestamp TS_1;
S43: The user terminal sends m_1 = {CT, TS_1} to the remote database management system in a reliable environment, where it is received through the calling interface of the trusted execution environment management mechanism;
S44: After receiving m_1, the trusted execution environment management mechanism first checks whether the timestamp TS_1 is valid; if it is invalid, further operation is refused, and if it is valid, according to the user's request the pre-written symmetric encryption algorithm in the security zone is called to encrypt the private data CT with the data owner-specific storage key CPW_i saved in the storage key dynamic generation stage, obtaining the corresponding ciphertext PT;
S45: After the operation is finished, the trusted execution environment management mechanism returns the encrypted private data to the user side, so that the private data is written or updated locally at the user side;
S46: The program calls the script to connect to the database again, the data owner's operated sub-table records are transmitted back to the database through the gsql command, and the total data table is updated by the stored procedure;
S47: If the actual security access control framework allows private-data-related operations to be executed in the external open environment, the user calls the interface to request the trusted execution environment management mechanism to send the user storage key CPW_i, performs the corresponding symmetric encryption process at the user end, and then transmits the ciphertext data PT to the remote database management system for storage.
Further, the data owner's private data operation stage comprises a stage in which plaintext-input private data is encrypted and written and a stage in which ciphertext-stored private data is extracted and decrypted. The specific process of the ciphertext-stored private data extraction and decryption stage is as follows:
S51: The user-side program runs a script that connects to the database; from the database table that the user already has, a data table containing the user's personal information is generated and exported by means of a stored procedure or similar, saved into a file, and stored under the directory where the program is located;
S52: After the above is completed, the data owner may choose to view, encrypt or decrypt the personal information. When the user selects the extraction and decryption operation for private data, the data owner selects the ciphertext private data PT at the corresponding position of the database sub-table stored on the user side and obtains the latest timestamp TS_1;
S53: The user terminal sends m_1 = {PT, TS_1} to the remote database management system in a reliable environment, where it is received through the calling interface of the trusted execution environment management mechanism;
S54: After receiving m_1, the database management system first checks whether the timestamp TS_1 is valid; if it is invalid, further operation is refused, and if it is valid, the pre-written symmetric encryption algorithm in the security zone of the trusted execution environment management mechanism is called to decrypt the ciphertext private data PT with the data owner-specific storage key CPW_i saved in the storage key dynamic generation stage, obtaining the corresponding plaintext CT, which is returned to the user side;
S55: After the user side obtains the corresponding plaintext CT, the corresponding record segment of the local file is updated;
S56: If the actual security access control framework allows private data operations to be executed in the external open environment, the user calls the interface to request the trusted execution environment management mechanism to send the user storage key CPW_i, performs the corresponding symmetric decryption process at the user end, and directly updates the corresponding record segment of the local file with the resulting plaintext CT;
S57: In particular, when a data holder wishes to obtain access rights to the private data of a particular data owner, the remote database management system sends a request to that data owner's user side through the caller;
S58: If the requested user side grants partial authority over the private data, the user side sends the partial plaintext obtained in the above process S55 to the remote database management system in a trusted communication environment, which forwards it to the corresponding data holder for subsequent operation.
Further, the specific process of the business data access stage is as follows:
S61: The user-side program runs a script that connects to the database; from the database table that the user already has, a data table containing the user's personal information is generated and exported by means of a stored procedure or similar, saved into a file, and stored under the directory where the program is located;
S62: After the above work is completed, the data owner can choose to view, encrypt or decrypt the personal information. If the data owner selects a business data access operation, the corresponding entry can be looked up directly in the locally stored database sub-table.
The beneficial effects provided by the invention are as follows: based on the characteristics of the trusted execution environment, the technology realizes permission separation for the relational database, solves the key management problem of the enterprise-level database, has higher security and better practicability, and can resist attacks by malicious code and privileged users. Compared with the traditional approach of centralized management, whole-table encryption and static key storage for database tables, the method converts the key from a storage state into a calculation state, starts from the perspective of the data encryption and decryption keys, realizes separation of rights over the private data in the database, solves the key management problem, provides a means of field-level encryption of private data, ensures normal access to business data, and greatly improves security.
Drawings
FIG. 1 is a diagram of the overall architecture of the present technology;
FIG. 2 is a flow diagram of the access control technology.
Detailed description of the preferred embodiments
For the purpose of making the technical solutions and advantages of the present invention clearer, embodiments of the present invention are further described below with reference to the accompanying drawings.
Referring to fig. 1, the present invention provides a database security access control technology based on a trusted execution environment framework, which comprises five stages: a user login stage, a user password updating stage, a storage key dynamic generation stage, a private data operation stage and a business data access stage;
the user login stage transmits the user information entered at the user end to the database end and identifies legal data owners, so that reliable communication between the front end and the database is established;
the storage key dynamic generation stage generates a storage key specific to the data owner. In particular, at this stage the technology dynamically generates a user storage key in the trusted execution environment by combining the personal identity information with a predefined master key through a message digest algorithm; this storage key is then used for subsequent data reading and for the encryption and decryption of the user's private data;
the user password updating stage transmits the updated user information entered at the user terminal to the database terminal, so that the ciphertext private data corresponding to the data owner is updated;
the private data operation stage realizes the extraction and decryption of private data stored as ciphertext and the encryption and writing of private data entered as plaintext, meeting the field-level fine-grained encryption requirement of a database;
and the business data access stage realizes direct, parallel operation on the non-private data of the database table.
The storage key dynamic generation stage, in which the storage key parameter is calculated from the user information and the master key, is restricted to execution inside the trusted execution environment; the private data extraction/decryption and input/encryption stages, which encrypt part of the private data, may selectively be executed in the trusted execution environment or in an external open execution environment; all remaining operations are implemented in the front-end and back-end open execution environments.
The user login function is planned to use a conventional form to collect user data, which is processed after collection. The processed user data is sent to the back end through a POST request, and the verification result from the back end is received. At the same time, at the input position of each form, the invention plans to set a corresponding input validation mechanism, so that the security risks and waste caused by transmitting illegal data are avoided.
In the trusted execution environment, the mapping from data ownership to the whole database table is realized by establishing a conventional ORM object-relational mapping table for each legal data owner.
The communication process verifies whether a request is a replay attack through a freshness check on the timestamp. A legal user login mechanism is set up in the enterprise-level relational database by transmitting the user name and password entered at the user side, so that reliable communication between the user and the remote database management system is established.
If the timestamp is not fresh (because of delay, tampering, etc.) or the user login information is wrong, establishment of the communication is refused.
Referring to fig. 2, which is a flowchart of the access control technology: after the user is verified as a legal user, the user name, the password and a preset master key are mixed and encrypted by calling a message digest algorithm predefined in the security zone of the trusted execution environment framework, generating a storage key exclusive to the user; the dynamically calculated storage key is passed to the database management system, and the database table corresponding to the user is obtained according to the user's storage key.
The program runs a script that connects to the database, generates and exports a data table containing the user's personal information from the user's existing database table by means of a stored procedure or similar, saves it into a file, and stores the file under the directory where the program is located.
After this is completed, the user may choose to view, encrypt or decrypt the personal information. When the user makes a selection, the program operates on the file according to the user's instructions.
After the operation is completed, the program uses the script again to connect to the database; the operated data file is transmitted back to the database through the gsql command and the total data table is updated by the stored procedure.
In accordance with the access control technology design, the invention is developed with separated front end and back end, and a back-end enterprise-level relational database management system is mounted on the back-end server.
In order to fully exhibit the characteristics of a trusted execution environment, a cloud server with the spread-spectrum processor is used as the back-end relational database server, the openEuler-20.03-LTS operating system is adopted for interaction, and ARM instruction optimization and MOT engine deployment are built for the web application layer, so that high concurrency, high reliability, load balancing, parallel recovery and other functions are realized and the technical service can run smoothly.
The invention completes 2 main operations in the trusted execution environment framework, which realize several core operations of the access control function and thereby guarantee the security of the whole technology. Development within the trusted execution environment framework is written in C++; the invention realizes 2 main functions, subdivided into operations, and encapsulates interfaces for the back-end relational database to call. The 2 main functions are: dynamically calculating the user storage key parameter from the user information and the master key, which converts the database user storage key from a storage state into a calculation state; and performing field-level fine-grained encryption of part of the user's sensitive information with the dynamically generated user key.
The process of dynamically calculating the user storage key parameter from the user information and the master key is as follows:
S21: The remote database management system sends m_2 = {UN_i, PW_i, TS_2} to the trusted execution environment management mechanism. After receiving m_2, the mechanism verifies whether the timestamp TS_2 is valid; if it is invalid, the mechanism refuses to execute the storage key generation operation, and if it is valid, it computes UN_i || PW_i, where || denotes bitwise concatenation;
S22: The trusted execution environment management mechanism calls a preset function interface to pass UN_i || PW_i into the security zone of the trusted execution environment framework;
S23: Inside the security zone, the user name, the password and the preset master key are mixed and encrypted using a message digest algorithm written and implemented there in advance, generating the data owner-specific storage key CPW_i. As long as the data owner's personal information is unchanged, the storage key dynamically generated each time is identical;
S24: In every stage of user operation, the trusted execution environment management mechanism always keeps the data owner-specific storage key CPW_i inside the security zone.
The field-level fine-grained encryption of part of the user's sensitive information with the dynamically generated user key comprises a stage in which plaintext-input private data is encrypted and stored and a stage in which ciphertext-stored private data is extracted and decrypted. The specific process of the plaintext-input private data encryption and storage stage is as follows:
S41: The user-side program runs a script that connects to the database; from the database table that the user already has, a data table containing the user's personal information is generated and exported by means of a stored procedure or similar, saved into a file, and stored under the directory where the program is located;
S42: After the above is completed, the data owner may choose to view, encrypt or decrypt the personal information. When the user selects the write/modify operation for private data, the data owner enters the added or modified private data CT at the user end and obtains the latest timestamp TS_1;
S43: The user terminal sends m_1 = {CT, TS_1} to the remote database management system in a reliable environment, where it is received through the calling interface of the trusted execution environment management mechanism;
S44: After receiving m_1, the trusted execution environment management mechanism first checks whether the timestamp TS_1 is valid; if it is invalid, further operation is refused, and if it is valid, according to the user's request the pre-written symmetric encryption algorithm in the security zone is called to encrypt the private data CT with the data owner-specific storage key CPW_i saved in the storage key dynamic generation stage, obtaining the corresponding ciphertext PT;
S45: After the operation is finished, the trusted execution environment management mechanism returns the encrypted private data to the user side, so that the private data is written or updated locally at the user side;
S46: The program calls the script to connect to the database again, the data owner's operated sub-table records are transmitted back to the database through the gsql command, and the total data table is updated by the stored procedure;
S47: If the actual security access control framework allows private-data-related operations to be executed in the external open environment, the user calls the interface to request the trusted execution environment management mechanism to send the user storage key CPW_i, performs the corresponding symmetric encryption process at the user side, and then transmits the ciphertext data PT to the remote database management system for storage.
The specific process of the ciphertext-storage private data extraction and decryption stage is as follows:
S51: the user-side program runs a script that connects to the database; a sub-table corresponding to the database table containing the user's personal information is generated and exported from the user's existing database table by a stored procedure or similar, saved to a file, and stored under the directory where the program is located;
S52: after the above has been completed, the data owner may choose to view, encrypt or decrypt the personal information. When the user selects the extraction and decryption operation on private data, the data owner selects the ciphertext private data PT at the corresponding position in the database sub-table stored at the user side and obtains the latest timestamp TS_1;
S53: the user terminal, in a reliable environment, transmits m_1 = {PT, TS_1} to the remote database management system, where it is received through the call interface of the trusted execution environment management mechanism;
S54: after the database management system receives m_1, it first checks whether the timestamp TS_1 is valid; if it is invalid, further operation is refused; if it is valid, it invokes the pre-written symmetric encryption algorithm in the secure area of the trusted execution environment management mechanism to decrypt the ciphertext private data PT with the data-owner-specific storage key CPW_i stored in the storage key dynamic generation stage, obtaining the corresponding plaintext CT, which is returned to the user side;
S55: after the user side obtains the corresponding plaintext CT, the corresponding record segment of the local file is updated;
S56: if the actual security access control framework allows private data operations to be executed in the external open environment, the user calls the interface to request that the trusted execution environment management mechanism send the user storage key CPW_i, performs the corresponding symmetric decryption process at the user side, and directly updates the obtained plaintext CT in the corresponding record segment of the local file;
S57: in particular, when a data holder wishes to obtain access rights to the private data of a particular data holder, the remote database management system sends a request to the corresponding user end of that particular data holder through a calling program;
S58: if the requested user end grants partial authority over the private data, the user end sends the partial plaintext obtained in the above S55 process to the remote database management system in a trusted communication environment, and it is sent on to the corresponding data holder for subsequent operation.
In order to actually realize the 4 stages, the invention designs a front end and a back end respectively.
Front end part:
1. Implementation of the user login function:
Login: the invention uses the Vue framework as its core and the Element Plus component library to develop the components related to "user login". The body of the user login component is a web form that collects the user name and password. At the same time, the invention sets verification rules (Table 1) for each input of the form, and adds mobile phone verification and a slider-drag human verification, to ensure the legality of the user identity and of the user input and to prevent malicious attacks. The invention also limits the number of input attempts to prevent the server from being brought down by illegal malicious attacks. After the user data are collected, they are packed as JSON and a POST request is sent to the back end through the Promise-based HTTP library Axios.
Table 1 Login authentication rule description (table not reproduced in text)
2. Implementation of the user key parameter calculation:
Storage key calculation: in the login stage, the user enters a user name and password in the user-end program; these are transmitted by POST to the trusted execution environment program deployed in the remote database management system, and passed into the secure zone by calling a defined function interface in the trusted execution environment. In the secure zone, the user name, the password and a preset master key are mixed and encrypted with an internally implemented SM3 cryptographic algorithm to generate a storage key specific to the user, which is transmitted to the database management system to access the database table corresponding to the user.
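The following Go program is an added illustration and is not part of the patent or its implementation. It models the secure-zone side of the private data encryption and decryption stage above (S43-S44 and S53-S54) and the storage key calculation just described, together with the re-encryption under a new key used when a user's password changes (S34): a timestamp freshness check, derivation of CPW_i from UN_i, PW_i and the master key, and field-level encryption and decryption. HMAC-SHA256 is assumed as a stand-in for the SM3-based mixing and AES-256-GCM for the pre-written symmetric algorithm; the 30-second delay bound, the master key and the sample field value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// MaxDelay is the "maximum transmission delay" of the timestamp check (constructed value).
const MaxDelay = 30 * time.Second
var masterKey = []byte("constructed-32-byte-master-key!!") // constructed sample, not a real key

// DeriveStorageKey mixes UN_i, PW_i and the preset master key into the storage key CPW_i.
// Assumption: HMAC-SHA256 stands in for SM3; parts are length-prefixed so UN_i || PW_i is unambiguous.
func DeriveStorageKey(master []byte, userName, password string) []byte {
	mac := hmac.New(sha256.New, master)
	for _, part := range []string{userName, password} {
		fmt.Fprintf(mac, "%d:%s", len(part), part)
	}
	return mac.Sum(nil) // 32 bytes, used directly as the AES-256 key
}

// TimestampValid is the freshness rule of S15: the gap between the TEE clock and the
// request timestamp must not exceed the maximum transmission delay.
func TimestampValid(ts, now time.Time) bool {
	return !ts.After(now.Add(MaxDelay)) && !ts.Before(now.Add(-MaxDelay))
}

func gcmFor(cpw []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cpw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive field (plaintext CT) under CPW_i, giving PT.
// Assumption: AES-256-GCM stands in for the pre-written symmetric algorithm; nonce is prepended.
func EncryptField(cpw, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(cpw)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, ct, nil), nil
}

// DecryptField reverses EncryptField; a wrong key or a modified PT fails authentication.
func DecryptField(cpw, pt []byte) ([]byte, error) {
	gcm, err := gcmFor(cpw)
	if err != nil {
		return nil, err
	}
	if len(pt) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, pt[:gcm.NonceSize()], pt[gcm.NonceSize():], nil)
}

// TEEEncryptRequest models S43-S44 inside the secure zone: a stale m_1 = {CT, TS_1}
// is refused, CPW_i is derived on the fly (never stored) and PT is returned.
func TEEEncryptRequest(master []byte, userName, password string, ct []byte, ts, now time.Time) ([]byte, error) {
	if !TimestampValid(ts, now) {
		return nil, errors.New("TS_1 invalid: request refused")
	}
	return EncryptField(DeriveStorageKey(master, userName, password), ct)
}

// TEEDecryptRequest models S53-S54 for a ciphertext field PT.
func TEEDecryptRequest(master []byte, userName, password string, pt []byte, ts, now time.Time) ([]byte, error) {
	if !TimestampValid(ts, now) {
		return nil, errors.New("TS_1 invalid: request refused")
	}
	return DecryptField(DeriveStorageKey(master, userName, password), pt)
}

// RekeyField models S34: decrypt under the old storage key CPW_1, re-encrypt under CPW_2.
func RekeyField(oldCPW, newCPW, pt []byte) ([]byte, error) {
	ct, err := DecryptField(oldCPW, pt)
	if err != nil {
		return nil, err
	}
	return EncryptField(newCPW, ct)
}

func main() {
	now := time.Now()
	pt, _ := TEEEncryptRequest(masterKey, "alice", "pw-1", []byte("id-card: 0000"), now, now)
	ct, err := TEEDecryptRequest(masterKey, "alice", "pw-1", pt, now, now)
	fmt.Printf("%s %v\n", ct, err)
}
```

A second user's credentials yield a different CPW_i, so their decryption attempt fails authentication rather than returning garbage; the same holds for a field re-encrypted under a new password and then opened with the old key.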
Back end part:
The trusted execution environment technology chosen for the experiment needs the support of underlying hardware, namely the installation package of the RISC-V (reduced instruction set computer-V) Poplar security system, so the experimental environment was chosen as a physical machine supporting Poplar with the openEuler-20.03-LTS operating system. In addition, the official documentation of the openGauss database selected by the invention recommends the openEuler or CentOS operating system, so the database-related content is implemented on a cloud server with a spread spectrum processor.
Table 2 Front-end physical machine configuration (table not reproduced in text)
Table 3 Back-end server configuration (table not reproduced in text)
Finally, the invention performs various tests of the system's information security; the specific security tests are shown in Table 4.
Table 4 Security tests (table not reproduced in text)
The invention comprehensively considers the problems faced by databases such as malicious code attacks and secret leakage by privileged users. Based on a trusted execution environment framework and combined with the domestically developed hash algorithms SM3 and SM9, it realizes the conversion of the storage key from a storage state to a calculation state through the dynamic generation of the database user's storage key, thereby realizing rights separation for an enterprise-level relational database; at the same time, the invention realizes field-level fine-grained encryption of part of the sensitive information, which greatly improves the operating efficiency of the enterprise-level relational database. On this basis a database security access control technology is built that has higher security and better practicability and can resist most algorithm attacks and protocol attacks. Compared with the existing method of encrypting the whole database table and centralizing key storage, the method converts the key storage state into a calculation state, provides a database field-level encryption means, and realizes rights separation, thereby greatly improving security. Specifically, the innovation points are as follows:
1. Trusted execution environment framework
The technology adopts a trusted execution environment framework; all secret-related processes are executed in the trusted execution environment, ensuring the security of the information calculation process. The framework realizes isolated operation among different programs through a new set of instruction set extensions and access control mechanisms, ensuring that the confidentiality and integrity of the server's key encryption and decryption code and data are not damaged by malicious software. By means of hardware isolation, an application can define and maintain a secure code and data area, so that an attacker can be effectively resisted even if the attacker physically controls the machine and attacks the memory directly. Meanwhile, compared with other confidential computing frameworks, development and porting adaptation time is greatly shortened and maintenance cost is reduced.
It is worth mentioning that the invention does not call the interfaces provided by the trusted execution environment framework, but independently writes a series of cryptographic algorithms such as SM3 and SM9, together with basic operations such as exclusive OR, bitwise concatenation and fast modular exponentiation, in C++ and encapsulates them, which ensures code flexibility and makes the development process more controllable and the performance better.
2. Preventing privileged users from revealing threats
The invention encrypts the user's private information with a key generated from the user's login information through a hash function. To realize rights separation, a key is generated from each user's user name and password, the original storage state is changed into a calculation state, and each user has their own information encryption and decryption key that is not uniformly managed by a privileged user.
Meanwhile, because the private information is encrypted, a privileged user cannot view other users' information, so leakage by a privileged user is avoided. When an individual user's password is accidentally revealed, since rights separation is realized on the encrypted data, an attacker can only obtain the private data of the revealed user and cannot obtain other users' data, which greatly reduces the risk and damage caused by accidental data disclosure. The encryption of user data is designed to encrypt selected data fields in the database: normal queries and other services are not affected, frequent encryption and decryption during operation are avoided, and encryption and decryption efficiency is improved while the data is protected.
3. Malicious code attack resistance
In terms of resisting malicious code attacks, the invention mainly places the process that generates the key from the user's user name and password in a secure environment. Protection against malicious code is guaranteed mainly by two aspects: 1. the key generation process runs in a trusted execution environment; 2. the generated key is not stored statically but is dynamically generated in the secure environment each time the user logs in and destroyed after use. By means of trusted execution environment technology, the storage key is changed from its original storage state to a temporary calculation state. Because the execution environment is trusted and the key exists only transiently, attacks by malicious code on stored data and operating data are effectively resisted, ensuring the security of data in use. The design selects a trusted execution environment framework based on trusted hardware, places the key generation code and the generated key in enclave secure memory, and allows input and output to that memory area only through a trusted interface, which eliminates the possibility of malicious code modifying the code or stealing the key.
4. Database field level fine granularity encryption
Encryption granularity generally comprises database level, table level, record level and field level; the smaller the encryption granularity, the less time encryption and decryption consume, the more flexible the operation, and the wider the range of application. The invention provides a field-level fine-grained encryption method which, unlike the traditional whole-table unified encrypted storage of enterprise-level relational databases, realizes hierarchical encryption of part of the sensitive information while allowing parallel access operations on non-sensitive information, thereby greatly improving database operating efficiency.
5. Innovative workflow of autonomic design
The invention adopts an independently designed access control scheme to protect the database; the storage key generation in the user login stage and the encryption and decryption of sensitive information are all carried out in the trusted execution environment. Unlike the direct file encryption adopted by mainstream database encryption technology, with its simple key management, the key scheme changes the key from a storage state to a calculation state and realizes rights separation; at the same time, fine-grained encryption is provided, only part of the sensitive information is encrypted hierarchically, and the operating efficiency of the database is greatly improved.
Meanwhile, to address the excessive overhead of the secure area in the trusted execution environment framework and the poor performance caused by its limited I/O capability, the protocol optimizes the use of the framework: only the encryption and decryption of user information and core operations such as calculating and storing key parameters are performed inside the trusted execution environment framework, while other operations are implemented in open execution environments such as the front end and back end, which greatly reduces the throughput and load on the secure area and improves its working efficiency. Compared with research results in the same field, the protocol ensures the security of the system through the trusted execution environment framework and improves its working performance. Through detailed comparative analysis of security tests and performance cost, the invention also shows that this independently designed access control technology achieves higher security at a relatively small performance cost and is both usable and advanced.
The beneficial effects of the invention are as follows: based on the characteristics of the trusted execution environment, rights separation of the relational database is realized while the key management problem of enterprise-level databases is solved; security is high, practicability is good, and attacks by malicious code and privileged users can be resisted. Compared with traditional centralized management, whole-table encryption and static key storage of database tables, the method converts the key storage state into a calculation state, starts from the perspective of data encryption and decryption keys, realizes separation of private data rights in the database, solves the key management problem, provides a field-level encryption means for private data, ensures normal access to business data, and greatly improves security.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed; any modifications, equivalents and alternatives falling within the spirit and scope of the invention are intended to be included within its scope.

Claims (7)

1. A database security access control method based on a trusted execution environment, characterized in that: the method is based on a trusted execution environment and realizes three functions: 1. the data owner's storage key is changed from the existing storage state to a calculation state; 2. hierarchical data encryption, dynamic key protection of private data, and parallel operation on business data; 3. separation of relational database rights, where the private data encryption operation is bound to the data owner's user password information, so that the risk of data leakage caused by centralized management of data owners is resolved; the method comprises five stages, namely: a user login stage, a user information updating stage, a storage key dynamic generation stage, a private data operation stage and a business data access stage;
The data owner refers to the actual owner of the corresponding recorded data in a traditional relational database table, and the data holder refers to the actual object that holds the database table in the traditional relational database;
the user login stage transmits the user information entered at the user end to the database end and identifies legal data owners, thereby establishing reliable communication between the front end and the database;
the storage key dynamic generation stage generates a storage key specific to the data owner; in this stage the method dynamically generates the user storage key by combining personal identity information and a predefined master key in the trusted execution environment through a certain message digest algorithm, and the storage key is used for subsequent data reading and for encryption and decryption of the user's private data;
in the user information updating stage, the user terminal sends the data owner's user information from before and after the update to the trusted execution environment management mechanism; the old storage key is generated on the TEE side and the mapping form is searched to obtain the corresponding database table storage key for decrypting the private data, then a new storage key is generated from the updated user information for re-encrypting the private data, so that the corresponding database form is re-encrypted and updated;
the private data operation stage realizes interaction between the user-side private data and the database, and specifically comprises the extraction and decryption of ciphertext-stored private data and the encryption and writing of plaintext-input private data; in the ciphertext-stored private data extraction and decryption operation, the user-side program sends the ciphertext private data it wishes to view, together with identity authentication information, to the trusted execution environment management mechanism; after authentication passes, the corresponding storage key is obtained on the TEE side, and the private data is decrypted and returned to the user side; in the plaintext-input private data encryption and writing operation, the user program sends the plaintext private data it wishes to change or write, together with identity authentication information, to the trusted execution environment management mechanism; after authentication passes, the corresponding storage key is obtained on the TEE side, and the private data is encrypted and sent to the database end for storage;
the business data access stage realizes parallel direct operation on the non-private data of the database table;
the storage key dynamic generation stage, which calculates the storage key parameter from the user information and the master key, is restricted to execution inside the trusted execution environment; the user private data extraction/decryption or input/encryption stage, which encrypts part of the private data, may be selectively executed in the trusted execution environment or in an external open execution environment; the remaining operations are implemented in the front-end and back-end open execution environments.
2. The method for controlling secure access to a database based on a trusted execution environment as claimed in claim 1, characterized in that: the user login stage comprises the following specific process:
S11: initializing a client and registering;
S12: obtaining the personal information entered by the user from the front end, including but not limited to a user name, password, biometric or token; the following operation phases default to entering a user name UN_i and password PW_i, where UN_i and PW_i respectively represent the user name and password of user i; the user enters the user name and password and obtains the current timestamp TS_1;
S13: the user obtains the current timestamp TS_1;
S14: the user terminal transmits m_1 = {UN_i, PW_i, TS_1} to the remote database management system, where it is received through the call interface of the trusted execution environment management mechanism; the trusted execution environment management mechanism specifically refers to: a trusted execution environment and an interactive program interface deployed in the database management system, in whose secure area a certain message digest algorithm and a certain symmetric encryption algorithm are pre-written and implemented, and in which an object mapping relation table between legal data owners and database table storage keys is stored;
S15: after the trusted execution environment management mechanism receives m_1, it verifies whether the timestamp TS_1 is valid; if invalid, it refuses to establish communication; if valid, it checks whether a legal mapping relation record for the requesting user name exists in the pre-stored mapping form, and if so, obtains the data owner's database table storage key PCD_i and the current timestamp TS_2; a timestamp is valid specifically when the difference between the current timestamp and the timestamp to be verified is less than the maximum transmission delay of communication propagation;
S16: the trusted execution environment management mechanism transmits the obtained database table storage key PCD_i to the remote database management system through the interface;
S17: the database management system searches by the received PCD_i to obtain the database table where the corresponding data owner is located; since in a relational database the whole table may store records of multiple data owners, only the corresponding record of the data owner in the table is returned to the user side in the form of a sub-table.
3. The method for controlling secure access to a database based on a trusted execution environment according to claim 2, characterized in that: the storage key dynamic generation stage comprises the following specific process:
S21: the remote database management system sends m_2 = {UN_i, PW_i, TS_2} to the trusted execution environment management mechanism; after receiving m_2, the mechanism verifies whether the timestamp TS_2 is valid; if invalid, it refuses to perform the storage key generation operation; if valid, it performs the UN_i || PW_i operation, where || denotes bitwise concatenation;
S22: the trusted execution environment management mechanism calls a preset function interface to pass UN_i || PW_i into the secure zone of the trusted execution environment framework;
S23: in the secure area, the user name, password and preset master key are mixed and encrypted using a certain pre-written, internally implemented message digest algorithm to generate the data-owner-specific storage key CPW_i; as long as the data owner's personal information is unchanged, the storage key dynamically generated each time remains the same;
S24: during the various stages of user operation, the trusted execution environment management mechanism always keeps the data-owner-specific storage key CPW_i in the secure area.
4. The method for controlling secure access to a database based on a trusted execution environment as claimed in claim 3, characterized in that: the user information updating stage updates the user's personal characteristic information, including but not limited to user passwords, biometrics and tokens; a user password is updated by the following steps:
S31: the user sends the data owner's pre-update user name UN_1 and corresponding password PW_1 to the trusted execution environment management mechanism, which mixes and encrypts the user name, password and preset master key by calling the message digest algorithm in the secure area to generate the data owner's old storage key CPW_1, and at the same time searches the mapping relation records in the mapping form to obtain the corresponding database table storage key PCD_i;
S32: the database management system searches by the received PCD_i to obtain the database table where the corresponding data owner is located, and transmits the data owner's corresponding record in the table to the trusted execution environment management mechanism in the form of a sub-table;
S33: the user sends the data owner's updated password PW_2 to the trusted execution environment management mechanism, which mixes and encrypts the user name, password and preset master key by calling the message digest algorithm in the secure area to generate the data owner's new storage key CPW_2;
S34: in the trusted execution environment management mechanism, a calling script obtains all ciphertext-stored private data corresponding to the data owner; in the secure area the private data is decrypted with the old storage key CPW_1 and then encrypted with the new storage key CPW_2 to obtain the updated private data ciphertext;
S35: after the operation is finished, the program calls the script to connect to the database again; the data owner's corresponding sub-table record with the updated private data is transmitted back to the database through the gsql command, and the total data table is updated through the stored procedure.
5. The method for controlling secure access to a database based on a trusted execution environment as claimed in claim 4, characterized in that: the data owner private data operation stage comprises a private data encryption and writing stage for plaintext input and a private data extraction and decryption stage for ciphertext storage, wherein the private data encryption and writing stage comprises the following specific process:
S41: the user-side platform program runs a script that connects to the database; a sub-table corresponding to the database table containing the user's personal information is generated and exported from the user's existing database table by a stored procedure, saved to a file, and stored under the directory where the program is located;
S42: after the above work is completed, the data owner can choose to view, encrypt or decrypt the personal information; when the user selects the write/modify operation on private data, the data owner enters the added or modified private data CT at the user end and obtains the latest timestamp TS_1;
S43: the user terminal, in a reliable environment, transmits m_1 = {CT, TS_1} to the remote database management system, where it is received through the call interface of the trusted execution environment management mechanism;
S44: after the trusted execution environment management mechanism receives m_1, it first checks whether the timestamp TS_1 is valid; if invalid, further operation is refused; if valid, according to the user's request it invokes the pre-written symmetric encryption algorithm in the secure zone to encrypt the private data CT with the data-owner-specific storage key CPW_i stored in the storage key dynamic generation stage, obtaining the corresponding ciphertext PT;
S45: after the operation is finished, the trusted execution environment management mechanism returns the encrypted private data to the user side, so that the private data is written or updated locally at the user side;
S46: the program calls the script to connect to the database again; the operated data owner's corresponding sub-table record is transmitted back to the database through the gsql command, and the total data table is updated by the stored procedure;
S47: if the actual security access control framework allows private-data-related operations to be executed in the external open environment, the user calls the interface to request that the trusted execution environment management mechanism send the user storage key CPW_i, performs the corresponding symmetric encryption process at the user side, and then transmits the ciphertext data PT to the remote database management system for storage.
6. The method for controlling secure access to a database based on a trusted execution environment as claimed in claim 5, wherein: the data owner private data operation stage comprises a private data encryption writing stage and a private data extraction decryption stage of ciphertext storage of plaintext input, wherein the ciphertext storage private data extraction decryption stage comprises the following specific processes:
s51: the user terminal platform program running script is connected with the database, a database table corresponding to the database table containing the personal information of the user is generated and exported by storing the program in the database table existing by the user, and the database table is stored into a file and is stored under the directory where the program is located;
S52: Once the above work is completed, the data owner can choose to view, encrypt or decrypt the personal information. When the user selects extraction and decryption of private data, the data owner selects the ciphertext private data PT at the corresponding position in the database sub-table stored locally at the user side, and obtains the latest timestamp TS1;
S53: The user side, in a trusted environment, sends m1 = {PT, TS1} to the remote database management system, which receives it through the calling interface of the trusted execution environment management mechanism;
S54: After the database management system receives m1, it first checks whether the timestamp TS1 is valid; if it is invalid, further operation is refused. If it is valid, the system invokes the pre-written symmetric encryption algorithm in the secure area of the trusted execution environment management mechanism and, using the data-owner-private storage key CPW_i that was dynamically generated and stored in the preceding stage, decrypts the ciphertext private data PT to obtain the corresponding plaintext CT, which is returned to the user side;
S55: After the user side obtains the corresponding plaintext CT, it updates the corresponding record segment of the local file;
S56: If the actual secure access control framework allows private-data operations to be performed in the external open environment, the user side calls the interface to request that the trusted execution environment management mechanism send the user storage key CPW_i; the corresponding symmetric decryption is then performed at the user side, and the resulting plaintext CT is written directly into the corresponding record segment of the local file;
S57: When a data holder wishes to obtain access rights to the private data of a specific data owner, the remote database management system sends a request, through a calling program, to the user side of that data owner;
S58: If the requested user side grants partial authority over the private data, it sends, in a trusted communication environment, the partial plaintext obtained in S55 to the remote database management system, which forwards it to the corresponding data holder for subsequent operations.
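The S52 to S56 exchange, as an added example that is not part of the patent or its authors' implementation: a Python simulation with an enclave that holds CPW_i, a host-side database management system that validates TS1 before delegating to the enclave, and the S56 key-release path switched off by default. The claim labels the ciphertext PT and the recovered plaintext CT, and the example keeps those names. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only so the block runs on the standard library), the freshness window, the replay rule, the message layout and every identifier are assumptions; a real enclave would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import time

MAX_AGE_SECONDS = 60   # assumed freshness window for TS1; the patent gives no value
MAX_SKEW_SECONDS = 5   # assumed tolerance for a client clock running ahead

def _subkey(key, label):
    """Derive independent encryption and MAC keys from CPW_i."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for the patent's unspecified cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    """Encrypt-then-MAC; layout nonce(16) || body || tag(32)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    """Check the tag before touching the body; ValueError on any tampering."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class Enclave:
    """Secure area of the TEE management mechanism: CPW_i is generated and kept here."""
    def __init__(self, allow_key_release=False):
        self._keys = {}
        self.allow_key_release = allow_key_release   # whether the S56 path is permitted
    def provision(self, owner_id):
        self._keys[owner_id] = os.urandom(32)         # CPW_i, generated in-enclave
    def seal(self, owner_id, plaintext):
        return encrypt(self._keys[owner_id], plaintext)  # produces PT for the local sub-table
    def unseal(self, owner_id, pt):
        return decrypt(self._keys[owner_id], pt)         # S54: PT -> CT inside the enclave
    def release_key(self, owner_id):
        if not self.allow_key_release:
            raise PermissionError("CPW_i may not leave the enclave")
        return self._keys[owner_id]

class DatabaseManagementSystem:
    """Untrusted host side: validates TS1, then delegates decryption to the enclave."""
    def __init__(self, enclave, clock=time.time):
        self.enclave, self.clock, self._last_ts = enclave, clock, {}
    def extract(self, owner_id, m1):
        ts1, now = m1["TS1"], self.clock()
        if ts1 > now + MAX_SKEW_SECONDS or now - ts1 > MAX_AGE_SECONDS:
            raise ValueError("TS1 outside freshness window")
        if ts1 <= self._last_ts.get(owner_id, -1):       # "latest timestamp": strictly increasing
            raise ValueError("TS1 not newer than last accepted; replay")
        ct = self.enclave.unseal(owner_id, m1["PT"])     # S54; S55 is the caller writing ct back
        self._last_ts[owner_id] = ts1
        return ct

def build_m1(pt, clock=time.time):
    """S52/S53: the user side picks PT from its local sub-table and attaches TS1."""
    return {"PT": pt, "TS1": int(clock())}

def run_demo(now=1_700_000_000.0):
    """Drive the exchange against a fixed clock; report what each request produced."""
    enclave = Enclave()
    enclave.provision("owner-1")
    record = b"id=42;phone=555-0100"                      # constructed sample record
    pt = enclave.seal("owner-1", record)
    dbms = DatabaseManagementSystem(enclave, clock=lambda: now)
    out = {"record": record, "ct": dbms.extract("owner-1", build_m1(pt, clock=lambda: now))}
    tampered = pt[:20] + bytes([pt[20] ^ 1]) + pt[21:]   # flip one ciphertext byte
    probes = {"replay": {"PT": pt, "TS1": int(now)},
              "stale": {"PT": pt, "TS1": int(now) - 3600},
              "future": {"PT": pt, "TS1": int(now) + 100},
              "tampered": {"PT": tampered, "TS1": int(now) + 1}}
    for name, msg in probes.items():
        try:
            dbms.extract("owner-1", msg)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    try:                                                  # S56 path, disallowed by default
        enclave.release_key("owner-1")
        out["key_release"] = "allowed"
    except PermissionError:
        out["key_release"] = "denied"
    return out
```

Calling run_demo() returns the plaintext for the genuine request and the rejection reason for a replayed, stale, future-dated or tampered one. Two points the claim leaves implicit are visible here: the "latest timestamp" rule only blocks replay if the server remembers the last accepted TS1 per owner, and in this model, as in the claim, the enclave decrypts whatever PT the host hands it, so the access decision rests on the host's TS1 check and on the trusted channel of S53 rather than on anything the enclave verifies about the requester.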
7. The method for secure access control of a database based on a trusted execution environment as claimed in claim 6, wherein the business data access stage comprises the following specific process:
S61: The user-side platform program runs a script that connects to the database, generates and exports, through a stored procedure, a database sub-table corresponding to the user's existing database table containing personal information, and saves it as a file in the directory where the program is located;
S62: Once the above work is completed, the data owner selects the business data access operation and can directly look up the corresponding entry in the locally stored database sub-table.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211066304.9A CN115758396B (en) 2022-08-31 2022-08-31 Database security access control technology based on trusted execution environment

Publications (2)

Publication Number Publication Date
CN115758396A CN115758396A (en) 2023-03-07
CN115758396B true CN115758396B (en) 2023-05-30

Family

ID=85349507

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117786758A (en) * 2024-02-27 2024-03-29 深圳市洞见智慧科技有限公司 Trusted execution environment-based secret database system and electronic equipment

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107506659B (en) * 2017-07-27 2020-04-07 西安电子科技大学 Data protection system and method of general database based on SGX
CN108418691B (en) * 2018-03-08 2020-10-27 湖南大学 Dynamic network identity authentication method based on SGX
CN109150517B (en) * 2018-09-04 2021-03-12 大唐高鸿信安(浙江)信息科技有限公司 Secret key safety management system and method based on SGX
CN110266467B (en) * 2019-05-31 2021-04-27 创新先进技术有限公司 Method and device for realizing dynamic encryption based on block height
CN110519049A (en) * 2019-08-07 2019-11-29 赤峰学院 Cloud data protection system based on a trusted execution environment
US11310051B2 (en) * 2020-01-15 2022-04-19 Advanced New Technologies Co., Ltd. Blockchain-based data authorization method and apparatus
CN111008228A (en) * 2020-03-09 2020-04-14 支付宝(杭州)信息技术有限公司 Method and device for inquiring account privacy information in block chain
CN112380578A (en) * 2020-11-20 2021-02-19 天翼电子商务有限公司 Edge computing framework based on block chain and trusted execution environment
CN113037477A (en) * 2021-03-08 2021-06-25 北京工业大学 Kerberos security enhancement method based on Intel SGX
CN113706361B (en) * 2021-08-19 2022-04-26 兰州大学 Digital image ownership protection cloud system based on confidential calculation
CN113922957B (en) * 2021-10-18 2024-01-19 杭州加密矩阵科技有限公司 Virtual cloud wallet system based on privacy protection calculation
CN114697073B (en) * 2022-02-22 2023-12-22 昆明理工大学 Telecommunication operator data security sharing method based on blockchain
CN114629639A (en) * 2022-03-10 2022-06-14 阿里云计算有限公司 Key management method and device based on trusted execution environment and electronic equipment

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 Cloud storage access control method based on ciphertext-policy attribute-based encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant