CN115766173A - Data processing method, system and device - Google Patents

Data processing method, system and device

Info

Publication number
CN115766173A
Authority
CN (China)
Legal status
Pending
Application number
CN202211399242.3A
Other languages
Chinese (zh)
Inventors
刘焱
李丰廷
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Abstract

One or more embodiments of the present specification disclose a method, a system, and an apparatus for processing data, where the method is applied to a server, and the server is provided with a trusted execution environment, and includes: receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to a cloud end; acquiring the data to be stored, and setting the data to be stored in the trusted execution environment; determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data; and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.

Description

Data processing method, system and device
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, a system, and an apparatus for processing data.
Background
For data storage, the public cloud offers convenient storage, low storage cost, easy data sharing and similar advantages, and a large number of enterprises currently use public clouds to store their data.
However, as people pay more attention to their private data, the security of data stored on a public cloud can no longer meet the requirement of privacy protection. In the prior art, an enterprise generally authenticates with the public cloud's AK (Access Key ID) / SK (private access key) to obtain the plaintext data stored there, so once the AK/SK is leaked, all of the data can be accessed by an attacker. A more effective means of privacy protection is therefore urgently needed for data stored in a public cloud.
Disclosure of Invention
In one aspect, one or more embodiments of the present specification provide a data processing method applied to a server in which a trusted execution environment is set. The method includes: receiving a data storage request sent by a client, where the data storage request requests that data to be stored be stored to a cloud; acquiring the data to be stored and setting it in the trusted execution environment; in the trusted execution environment, determining, based on the data to be stored, a first key used for encrypting it, and encrypting the data to be stored with the first key to obtain corresponding ciphertext data; and sending the ciphertext data to the cloud so that the cloud performs data archiving processing on it.
In another aspect, one or more embodiments of the present specification provide a data processing method applied to a data processing device in which a trusted execution environment is provided. The method includes: receiving a data storage request sent by a first application in the data processing device, where the data storage request requests that data to be stored be stored to a cloud; acquiring the data to be stored and setting it in the trusted execution environment; in the trusted execution environment, determining, based on the data to be stored, a second key used for encrypting it, and encrypting the data to be stored with the second key to obtain corresponding ciphertext data; and sending the ciphertext data to the cloud so that the cloud performs data archiving processing on it.
In another aspect, one or more embodiments of the present specification provide a data processing system including a cloud, a server and at least one client, where a trusted execution environment is disposed in the server. The client is configured to send a data storage request to the server, requesting that data to be stored be stored to the cloud. The server is configured to acquire the data to be stored and set it in the trusted execution environment; in the trusted execution environment, to determine, based on the data to be stored, a first key used for encrypting it and to encrypt the data to be stored with the first key to obtain corresponding ciphertext data; and to send the ciphertext data to the cloud. The cloud is configured to perform data archiving processing on the ciphertext data.
In another aspect, one or more embodiments of the present specification provide a data processing system including a data processing device and a cloud, where the data processing device is provided with a trusted execution environment and includes a trusted application and at least one first application. The first application is configured to send a data storage request to the trusted application, requesting that data to be stored be stored to the cloud. The data processing device is configured, when the trusted application receives the data storage request sent by the first application, to acquire the data to be stored and set it in the trusted execution environment; in the trusted execution environment, to determine, based on the data to be stored, a second key used for encrypting it and to encrypt the data to be stored with the second key to obtain corresponding ciphertext data; and to send the ciphertext data to the cloud. The cloud is configured to perform data archiving processing on the ciphertext data.
In yet another aspect, one or more embodiments of the present specification provide an apparatus for processing data in which a trusted execution environment is disposed. The apparatus includes: a first receiving module configured to receive a data storage request sent by a client, where the data storage request requests that data to be stored be stored to the cloud; a first acquisition module configured to acquire the data to be stored and set it in the trusted execution environment; a first data processing module configured to determine, in the trusted execution environment and based on the data to be stored, a first key for encrypting it, and to encrypt the data to be stored with the first key to obtain corresponding ciphertext data; and a first sending module configured to send the ciphertext data to the cloud so that the cloud can perform data archiving processing on it.
In yet another aspect, one or more embodiments of the present specification provide an apparatus for processing data in which a trusted execution environment is disposed. The apparatus includes: a fourth receiving module configured to receive a data storage request sent by a first application in the data processing device, where the data storage request requests that data to be stored be stored to the cloud; a second acquisition module configured to acquire the data to be stored and set it in the trusted execution environment; a third data processing module configured to determine, in the trusted execution environment and based on the data to be stored, a second key for encrypting it, and to encrypt the data to be stored with the second key to obtain corresponding ciphertext data; and a fourth sending module configured to send the ciphertext data to the cloud so that the cloud can perform data archiving processing on it.
In yet another aspect, one or more embodiments of the present specification provide a data processing device provided with a trusted execution environment, including a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: receive a data storage request sent by a client, where the data storage request requests that data to be stored be stored to a cloud; acquire the data to be stored and set it in the trusted execution environment; in the trusted execution environment, determine, based on the data to be stored, a first key used for encrypting it, and encrypt the data to be stored with the first key to obtain corresponding ciphertext data; and send the ciphertext data to the cloud so that the cloud performs data archiving processing on it.
In yet another aspect, one or more embodiments of the present specification provide a data processing device provided with a trusted execution environment, including a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: receive a data storage request sent by a first application in the data processing device, where the data storage request requests that data to be stored be stored to a cloud; acquire the data to be stored and set it in the trusted execution environment; in the trusted execution environment, determine, based on the data to be stored, a second key used for encrypting it, and encrypt the data to be stored with the second key to obtain corresponding ciphertext data; and send the ciphertext data to the cloud so that the cloud performs data archiving processing on it.
In yet another aspect, embodiments of the present specification provide a storage medium storing computer-executable instructions which, when executed by a processor, implement the following: receiving a data storage request sent by a client, where the data storage request requests that data to be stored be stored to a cloud; acquiring the data to be stored and setting it in the trusted execution environment; in the trusted execution environment, determining, based on the data to be stored, a first key used for encrypting it, and encrypting the data to be stored with the first key to obtain corresponding ciphertext data; and sending the ciphertext data to the cloud so that the cloud can perform data archiving processing on it.
In yet another aspect, embodiments of the present specification provide a storage medium storing computer-executable instructions which, when executed by a processor, implement the following: receiving a data storage request sent by a first application in the data processing device, where the data storage request requests that data to be stored be stored to a cloud; acquiring the data to be stored and setting it in the trusted execution environment; in the trusted execution environment, determining, based on the data to be stored, a second key used for encrypting it, and encrypting the data to be stored with the second key to obtain corresponding ciphertext data; and sending the ciphertext data to the cloud so that the cloud can perform data archiving processing on it.
Drawings
In order to illustrate the technical solutions of one or more embodiments of the present specification, or of the prior art, more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below cover only some of the embodiments described in one or more embodiments of the present specification, and those skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic block diagram of a data processing system according to one embodiment of the present description;
FIG. 2 is a schematic flow chart diagram of a method of processing data in accordance with one embodiment of the present description;
FIG. 3 is a schematic swim lane diagram of a method of processing data according to an embodiment of the present description;
FIG. 4 is a schematic block diagram of a data processing system according to another embodiment of the present description;
FIG. 5 is a schematic flow chart diagram of a method of processing data according to another embodiment of the present description;
FIG. 6 is a schematic swim lane diagram of a method of processing data according to another embodiment of the present description;
FIG. 7 is a schematic block diagram of a data processing apparatus according to an embodiment of the present description;
FIG. 8 is a schematic block diagram of a data processing apparatus according to another embodiment of the present description;
FIG. 9 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present specification.
Detailed Description
One or more embodiments of the present disclosure provide a data processing method, system, and apparatus, so as to solve a problem in the prior art that security of data stored in a cloud is low.
To help those skilled in the art better understand the technical solutions in one or more embodiments of the present disclosure, those solutions are described below clearly and completely with reference to the drawings of one or more embodiments of the present disclosure. Obviously, the described embodiments are only some, not all, of the embodiments of the present disclosure. All other embodiments that a person skilled in the art can derive from one or more of the embodiments of the present disclosure without creative effort fall within the protection scope of one or more of the embodiments of the present disclosure.
FIG. 1 is a schematic architecture diagram of a data processing system according to an embodiment of the present disclosure. The system includes a cloud 110, a server 120 and at least one client 130 (FIG. 1 schematically shows four clients 130), and a trusted execution environment 121 is disposed in the server 120. The client 130 is configured to send a data storage request to the server 120, requesting that data to be stored be stored in the cloud 110. The server 120 is configured to receive the data storage request sent by the client 130, acquire the data to be stored, set it in the trusted execution environment 121, determine in the trusted execution environment 121 a first key for encrypting the data to be stored based on that data, encrypt the data to be stored with the first key to obtain corresponding ciphertext data, and send the ciphertext data to the cloud 110. The cloud 110 is configured to perform data archiving processing on the ciphertext data.
The trusted execution environment set in the server may be a TEE (Trusted Execution Environment). It may be implemented by a program written in a predetermined programming language (that is, purely in software), or jointly by a hardware device and a program written in advance (that is, in hardware plus software), and so on.
In an embodiment, the client 130 is further configured to send a data reading request to the server 120. The data reading request carries second identification information corresponding to the data currently to be read, and requests that data stored in the cloud 110 be read. The server 120 is further configured to receive the data reading request sent by the client 130, set the second identification information in the trusted execution environment 121, and, in the trusted execution environment 121: determine the first target identification information matching the second identification information according to the mapping relationship table; obtain from the cloud 110 the first target ciphertext data stored in the first target storage path mapped by the first target identification information; decrypt the first target ciphertext data with the first target key mapped by the first target identification information to obtain the corresponding first target plaintext data; and send the first target plaintext data to the client 130 as the data currently to be read. The client 130 is further configured to receive the first target plaintext data sent by the server 120.
In an embodiment, the client 130 is further configured to send a data deletion request to the server 120. The data deletion request carries third identification information corresponding to the data currently to be deleted, and requests deletion of data stored in the cloud 110. The server 120 is further configured to receive the data deletion request sent by the client 130, set the third identification information in the trusted execution environment 121, and, in the trusted execution environment 121, determine the second target identification information matching the third identification information according to the mapping relationship table, determine the second target storage path mapped by the second target identification information, and send the cloud 110 a request to delete the ciphertext data stored in that path. The cloud 110 is further configured to delete the ciphertext data. The server 120 is further configured to delete the mapping between the second target identification information and the second target storage path from the mapping relationship table.
The following describes in detail operations performed by the server 120 in the data processing system during data processing. Fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present specification, where the data processing method is applied to a server 120 shown in fig. 1, and a trusted execution environment is set in the server. As shown in fig. 2, the method may include:
S202, receiving a data storage request sent by a client, wherein the data storage request is used for requesting to store data to be stored to a cloud.
Optionally, the data storage request may carry data to be stored; or, the data storage request may carry the acquisition path information of the data to be stored, so that the server obtains the data to be stored from the client based on the acquisition path information; or, the data storage request may carry an identifier corresponding to the data to be stored, so that the server locally searches for the corresponding data to be stored in the server based on the identifier. Alternatively, the data to be stored may be a privacy file, service data, log data, or the like. The cloud may be a public cloud.
S204, acquiring the data to be stored, and setting the data to be stored in the trusted execution environment.
Optionally, under the condition that the data to be stored is carried in the data storage request, the server may directly obtain the data to be stored from the data storage request; under the condition that the data storage request carries the acquisition path information of the data to be stored, the server side can acquire the data to be stored from the client side based on the acquisition path information; under the condition that the data storage request carries the identifier corresponding to the data to be stored, the server can locally search the corresponding data to be stored in the server based on the identifier.
The trusted execution environment may be a data processing environment that is secure and isolated from other environments; that is, processes executed in the trusted execution environment, and the data generated during that processing, cannot be accessed by execution environments or application programs outside it. Alternatively, the trusted execution environment may be implemented by creating a small operating system that runs independently in a trusted zone (for example TrustZone), and the trusted execution environment may then provide services directly in the form of system calls (for example, handled directly by the TrustZone kernel). The server may include a REE (Rich Execution Environment) and a TEE (Trusted Execution Environment). The operating system installed in the server, such as Android, iOS, Windows or Linux, runs under the REE; the REE is powerful, open and extensible, and provides all functions of the server, such as the camera and touch functions, to upper-layer application programs. The TEE has its own execution space, that is, its own operating system, and a higher security level than the REE: the software and hardware resources in the server that the TEE can access are separated from the REE, and the TEE can directly obtain information of the REE while the REE cannot obtain information of the TEE. Through the interfaces it provides, the TEE can perform authentication and other processing so that user information (such as payment information and user privacy information) cannot be tampered with, passwords cannot be hijacked, and information such as fingerprints or faces cannot be stolen.
S206, in the trusted execution environment, a first key used for encrypting the data to be stored is determined based on the data to be stored, and the data to be stored is encrypted based on the first key to obtain corresponding ciphertext data.
Optionally, multiple encryption modes, such as symmetric encryption and asymmetric encryption, may be set in the trusted execution environment. For example, when the data to be stored is a private file, the encryption mode and the key may be chosen according to one or more of the file type, the file attributes (such as size) and the file security level (or risk level): if the security level is high, an encryption mode of high complexity is preferred so that security is ensured first; if the file is large and its security level is low, an encryption mode of relatively low complexity may be used to balance security against efficiency.
S208, sending the ciphertext data to the cloud end so that the cloud end can carry out data archiving processing on the ciphertext data.
By adopting the technical solution of one or more embodiments of the specification, the server receives a data storage request sent by the client for storing the data to be stored to the cloud, acquires the data to be stored and sets it in the trusted execution environment; there, a first key for encrypting the data to be stored is determined based on that data, the data is encrypted with the first key to obtain corresponding ciphertext data, and the ciphertext data is sent to the cloud for archiving. Therefore, even if the cloud's security is low and the stored data is easily obtained by an attacker, the attacker cannot obtain the real content of the ciphertext data, which gives the data better privacy protection. In addition, because the processing executed in the trusted execution environment, the data generated during that processing, and so on cannot be accessed by other execution environments or application programs outside the trusted execution environment, the technical solution ensures that an attacker cannot obtain the key and therefore cannot correctly decrypt the ciphertext data, so that data security is ensured.
In one embodiment, determining the first key for encrypting the data to be stored based on the data to be stored (i.e., S206) may be performed as: generating a random key as a first key for data to be stored; alternatively, one key among a plurality of keys stored in advance is determined as the first key.
Optionally, a random key may be generated for the data to be stored by a common random password generation method, such as a random password generator, and used as the first key. First keys generated in this way differ from one another, that is, different data to be stored have different encryption keys, so that one piece of data to be stored corresponds to one encryption key and data storage security is improved.
Optionally, if the first key is determined by choosing one of a plurality of pre-stored keys, a different key may be allocated to each piece of data to be stored, so that one piece of data to be stored corresponds to one encryption key, which helps improve the storage security of the data. Alternatively, the same key may be allocated to a plurality of pieces of data to be stored, which avoids the problem that, when the number of pre-stored keys is insufficient, some data to be stored cannot be allocated a key, and ensures that all data to be stored have corresponding encryption keys. Or, keys may first be allocated so that each piece of data to be stored gets a different key, and only afterwards may the same key be allocated to a plurality of pieces of data to be stored; this balances storage security against an insufficient number of keys, so that, on the premise that all data to be stored have encryption keys, one piece of data corresponds to one encryption key as far as possible.
In one embodiment, in the trusted execution environment, in addition to determining the first key used for encrypting the data to be stored, the first identification information corresponding to the data to be stored may also be determined, and the first identification information is returned to the client, so that the client is facilitated to request the server to acquire the corresponding data based on the first identification information in a subsequent process.
Optionally, the first key and the first identification information may be stored in association, either in the trusted execution environment or locally at the server. Thus, after receiving a data acquisition request carrying the first identification information, the server can check by matching whether the first identification information and the corresponding key are stored locally, so that it can subsequently obtain the corresponding data from the cloud.
In one embodiment, determining first identification information corresponding to data to be stored may be performed as: generating a corresponding hash value according to the data content of the data to be stored, and determining first identification information corresponding to the data to be stored according to the hash value; alternatively, one of a plurality of pieces of identification information stored in advance is determined as the first identification information.
Optionally, any hash algorithm may be used to generate a hash value corresponding to the data to be stored, and the generated hash value is used as the first identification information. The hash algorithm may include MD5 (Message-Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1) and so on. If the hash algorithm is MD5, the generated hash value is an MD5 value; if it is SHA-1, the generated hash value is a SHA-1 value; and so on.
It should be understood that in a scenario where data is stored in the cloud there are no two identical pieces of data to be stored, so the identification information of each piece of data to be stored should differ from that of every other piece. For this reason, if the identification information is determined by choosing one of a plurality of pieces of identification information stored in advance, a different piece may be allocated to each piece of data to be stored, which ensures that one piece of data to be stored corresponds to one piece of identification information.
In one embodiment, before the ciphertext data is sent to the cloud (i.e., S208), a first storage path of the ciphertext data on the cloud may be determined according to the first identification information corresponding to the data to be stored.
Optionally, the storage path of the data on the cloud may be a file name of the data, and based on this, the first identification information corresponding to the data to be stored may be determined as the first storage path of the ciphertext data on the cloud.
In one embodiment, the sending of the ciphertext data to the cloud end, so that the cloud end performs data archiving processing on the ciphertext data (i.e. S208), may be performed as: according to an access key AK and a private access key SK stored in a trusted execution environment, ciphertext data is sent to a first storage path on a cloud end in an AK/SK authentication mode, so that the cloud end conducts data archiving processing on the ciphertext data in the first storage path.
Optionally, sending the ciphertext data to the cloud in the AK/SK authentication manner may be performed as follows. The server constructs a ciphertext data storage request that includes the ciphertext data, the access key AK and a signature (obtained by a calculation over the ciphertext data and the private access key SK), and sends the request to the cloud. After receiving the request, the cloud locally looks up the private access key SK corresponding to the access key AK, calculates a signature from that SK and the ciphertext data, and compares it with the signature carried in the request: if the two are the same, authentication succeeds; if they differ, authentication fails. When authentication succeeds, the cloud determines that the server has the authority to store data in the cloud and responds to the ciphertext data storage request sent by the server; when authentication fails, the cloud determines that the server does not have that authority and need not respond to the request.
Optionally, the storage path of the data on the cloud end can be a file name of the data, and based on this, after the ciphertext data is sent to the cloud end, the cloud end directly carries out data archiving processing on the ciphertext data, so that the effect of storing the ciphertext data in the first storage path can be realized. That is, under the condition that a piece of ciphertext data is stored for the first time, the cloud does not have a storage path corresponding to the piece of ciphertext data, and after the piece of ciphertext data is received and stored at the cloud, the file name of the piece of ciphertext data is the storage path of the piece of ciphertext data on the cloud.
In this embodiment, the access key AK and the private access key SK are stored in the trusted execution environment with a higher security level, so that the AK and the SK are difficult to be acquired by an attacker, thereby preventing the attacker from successfully accessing the cloud based on an AK/SK authentication method, and facilitating improvement of the storage security of cloud data.
In one embodiment, in the trusted execution environment, the first identification information corresponding to the data to be stored, the first key used for encrypting the data to be stored, and the first storage path of the data to be stored on the cloud end may be written into a mapping relation table created in advance.
The mapping relation table can be used for describing mapping relations between identification information corresponding to the data to be stored, a key used for encrypting the data to be stored and a storage path of the data to be stored on the cloud. Optionally, the mapping relation table may be a hash table, and since the hash table has an advantage of fast retrieval speed, by writing the first identification information, the first key, and the first storage path into a hash table created in advance, a response speed of a server to a request, such as a data read request, a data delete request, initiated by a client in a subsequent application can be ensured.
In this embodiment, storing the mapping relationship between the identification information corresponding to the data to be stored, the encryption key and the storage path in the trusted execution environment, which has a higher security level, prevents an attacker from acquiring the identification information, the encryption key, the storage path and other information of the data stored in the cloud, so the attacker is prevented from learning the content of the data stored in the cloud, which helps improve the storage security of the cloud data.
In one embodiment, the data stored in the cloud can be sent to the client based on the data reading request initiated by the client through the following steps A1 to A4:
Step A1, a data reading request sent by the client is received, where the data reading request carries second identification information corresponding to the data to be read currently.
The data reading request is used for requesting to read data stored in the cloud. Optionally, the second identification information corresponding to the data to be read currently may be determined by the trusted execution environment of the server and sent to the client in the data storage process.
Step A2, setting the second identification information in the trusted execution environment.
Step A3, in the trusted execution environment, determining first target identification information matched with the second identification information according to the mapping relation table, acquiring first target ciphertext data stored in the first target storage path from the cloud according to the first target storage path mapped by the first target identification information, and decrypting the first target ciphertext data according to a first target key mapped by the first target identification information to obtain corresponding first target plaintext data.
Step A4, sending the first target plaintext data, as the current data to be read, to the client.
In this embodiment, based on the data reading request sent by the client, the server can look up, through the trusted execution environment, information such as the encryption key and the storage path corresponding to the data to be read, obtain the ciphertext data from the cloud according to the storage path, decrypt the ciphertext data with the encryption key in the trusted execution environment, and send the plaintext data to the client. This not only ensures that the client accurately obtains the data stored in the cloud, but also effectively prevents an attacker from obtaining the data stored in the cloud, ensuring the security of the data.
In step A3, acquiring the first target ciphertext data stored in the first target storage path from the cloud according to the first target storage path mapped by the first target identification information may be executed as follows: accessing the cloud end in an AK/SK authentication mode according to the access key AK and the private access key SK stored in the trusted execution environment, and reading the ciphertext data stored in the first target storage path to obtain the first target ciphertext data.
Optionally, accessing the cloud by AK/SK authentication and reading the ciphertext data stored in the first target storage path may be executed as follows: a ciphertext data acquisition request comprising the first target storage path, the access key AK and a signature (obtained by a calculation over the first target storage path and the private access key SK) is constructed in the trusted execution environment, and the ciphertext data acquisition request is sent to the cloud. After receiving the ciphertext data acquisition request, the cloud locally searches for the private access key SK corresponding to the access key AK, calculates the signature based on that private access key SK and the first target storage path, and compares the signature it calculated with the signature carried in the ciphertext data acquisition request: if the two are the same, authentication succeeds; if the two are different, authentication fails. If authentication succeeds, the cloud determines that the server has the authority to acquire data from the cloud and responds to the ciphertext data acquisition request sent by the server; if authentication fails, the cloud determines that the server does not have the authority to acquire data from the cloud and does not respond to the ciphertext data acquisition request sent by the server.
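As an added example (not code from the patent), the following Go program models the AK/SK exchange described for both the ciphertext data storage request and the ciphertext data acquisition request: the trusted execution environment builds the signed request, and the cloud looks up SK by AK, recomputes the signature and compares it before serving or refusing the request. It assumes the signature is HMAC-SHA256 under SK and, going beyond the text (which signs only the ciphertext for a store and only the path for a read), binds the operation and storage path into the signature as well; the AK, SK and storage paths are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// The two request kinds described in the text.
const (
	OpStore = "store" // ciphertext data storage request
	OpGet   = "get"   // ciphertext data acquisition request
)

// Request is what the trusted execution environment sends to the cloud end.
// Ciphertext is nil for a get; Signature is hex(HMAC-SHA256(SK, payload)).
type Request struct {
	Op         string
	AK         string
	Path       string
	Ciphertext []byte
	Signature  string
}

// sign computes the signature under SK. The text signs only the ciphertext
// (store) or only the path (get); covering operation, path and ciphertext,
// NUL-separated, also stops a captured request from being redirected to
// another path or turned into another operation (added hardening).
func sign(sk []byte, op, path string, ct []byte) string {
	mac := hmac.New(sha256.New, sk)
	mac.Write([]byte(op))
	mac.Write([]byte{0})
	mac.Write([]byte(path))
	mac.Write([]byte{0})
	mac.Write(ct)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildRequest runs inside the TEE, the only place AK and SK are held.
func BuildRequest(ak string, sk []byte, op, path string, ct []byte) Request {
	return Request{Op: op, AK: ak, Path: path, Ciphertext: ct, Signature: sign(sk, op, path, ct)}
}

// Cloud is the cloud end: it knows the SK for every issued AK and archives
// ciphertext under its storage path (the file name).
type Cloud struct {
	keys    map[string][]byte // AK -> SK
	objects map[string][]byte // storage path -> ciphertext
}

func NewCloud(keys map[string][]byte) *Cloud {
	return &Cloud{keys: keys, objects: map[string][]byte{}}
}

// authenticate looks up SK by AK, recomputes the signature over the received
// fields and compares in constant time; an unknown AK or any mismatch fails.
func (c *Cloud) authenticate(r Request) bool {
	sk, ok := c.keys[r.AK]
	if !ok {
		return false
	}
	expected := sign(sk, r.Op, r.Path, r.Ciphertext)
	return hmac.Equal([]byte(expected), []byte(r.Signature))
}

// Handle serves a request only after AK/SK authentication succeeds: a store
// archives the ciphertext, a get returns it. A failed request is not served.
func (c *Cloud) Handle(r Request) ([]byte, error) {
	if !c.authenticate(r) {
		return nil, errors.New("AK/SK authentication failed: request not served")
	}
	switch r.Op {
	case OpStore:
		c.objects[r.Path] = append([]byte(nil), r.Ciphertext...)
		return nil, nil
	case OpGet:
		ct, ok := c.objects[r.Path]
		if !ok {
			return nil, errors.New("no object at storage path " + r.Path)
		}
		return append([]byte(nil), ct...), nil
	}
	return nil, errors.New("unknown operation " + r.Op)
}
```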
In one embodiment, the data stored in the cloud may be deleted based on a data deletion request initiated by the client through the following steps B1 to B5:
Step B1, receiving a data deletion request sent by the client, where the data deletion request carries third identification information corresponding to the current data to be deleted.
The data deleting request is used for requesting to delete the data stored in the cloud. Optionally, the third identification information corresponding to the current data to be deleted may be determined by the trusted execution environment of the server and sent to the client in the data storage process.
Step B2, setting the third identification information in the trusted execution environment.
Step B3, in the trusted execution environment, determining second target identification information matched with the third identification information according to the mapping relation table, and determining a second target storage path mapped with the second target identification information.
Step B4, sending a request for deleting the ciphertext data stored in the second target storage path to the cloud end, so that the cloud end deletes the ciphertext data.
Optionally, in this step, the cloud may be accessed in the AK/SK authentication manner according to the access key AK and the private access key SK stored in the trusted execution environment, so as to delete the ciphertext data stored in the second target storage path. If AK/SK authentication succeeds, the cloud determines that the server has the authority to delete data stored in the cloud, responds to the request sent by the server, and deletes the ciphertext data stored in the second target storage path; if AK/SK authentication fails, the cloud determines that the server does not have the authority to delete data stored in the cloud and does not respond to the request sent by the server.
Optionally, after deleting the ciphertext data stored in the second target storage path, the cloud may feed back prompt information such as "successful deletion", "deleted", and the like, to the server.
Step B5, deleting the mapping relation between the second target identification information and the second target storage path from the mapping relation table.
In this embodiment, the server side can search the storage path corresponding to the data to be deleted through the trusted execution environment based on the data deletion request sent by the client side, so as to access and delete the ciphertext data stored in the cloud side according to the storage path, and delete the mapping relationship between the identification information corresponding to the data to be deleted and the storage path in the trusted execution environment, thereby not only ensuring that the client side can conveniently modify the data stored in the cloud side, but also effectively avoiding storing a large number of invalid mapping relationships in the mapping relationship table, and saving the storage resource of the server side.
In one embodiment, the cloud-stored data may be updated based on a data update request initiated by the client through the following steps C1-C6:
Step C1, receiving a data updating request sent by the client, where the data updating request carries seventh identification information corresponding to the current data to be updated, and updating content.
The data updating request is used for requesting to update the data stored in the cloud. Optionally, the seventh identification information corresponding to the current data to be updated may be determined by the trusted execution environment of the server and sent to the client in the data storage process.
Step C2, setting the seventh identification information in the trusted execution environment.
Step C3, in the trusted execution environment, determining fifth target identification information matched with the seventh identification information according to the mapping relation table, acquiring third target ciphertext data stored in a fifth target storage path from the cloud according to the fifth target storage path mapped by the fifth target identification information, and decrypting the third target ciphertext data according to a third target key mapped by the fifth target identification information to obtain corresponding third target plaintext data.
Step C4, in the trusted execution environment, performing data updating processing on the third target plaintext data according to the updating content carried by the data updating request to obtain updated data, determining identification information corresponding to the updated data, and returning the identification information to the client so that the client replaces the seventh identification information with it; and deleting the mapping relation among the fifth target identification information, the fifth target storage path and the third target key from the mapping relation table.
Optionally, a determination manner of the identification information corresponding to the updated data is similar to a determination manner of the first identification information corresponding to the data to be stored, and is not described herein again.
Step C5, in the trusted execution environment, determining an encryption key for encrypting the updated data, and encrypting the updated data based on the encryption key to obtain corresponding ciphertext data; determining a storage path of the ciphertext data on the cloud according to the identification information corresponding to the updated data; and writing the identification information corresponding to the updated data, the encryption key for encrypting the updated data and the storage path of the updated data on the cloud into the pre-established mapping relation table.
Optionally, the encryption key of the updated data may be the same as or different from the third target key corresponding to the data to be updated.
Step C6, sending the ciphertext data to the cloud end so that the cloud end performs data archiving processing on the ciphertext data.
In this embodiment, based on the data update request sent by the client, the server can look up, through the trusted execution environment, information such as the encryption key and the storage path corresponding to the data to be updated, obtain the ciphertext data from the cloud according to the storage path, decrypt the ciphertext data with the encryption key in the trusted execution environment, update the plaintext data, re-determine information such as the encryption key, the storage path and the identification information, and send the ciphertext data corresponding to the updated data to the cloud for storage. In addition, what is sent to the cloud for storage in this embodiment is ciphertext data, so even if the security of the cloud is low and the stored data is easily acquired by an attacker, the attacker cannot acquire the real content of the ciphertext data, which gives better privacy protection for the data. Moreover, because the processing executed in the trusted execution environment, the data generated during that processing, and the like cannot be accessed by other execution environments or application programs outside the trusted execution environment, the scheme of this embodiment ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
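The store, read and update flows around the mapping relation table (steps A1 to A4 and C1 to C6 above), as an added Go example that is not the patent's code; the deletion flow (B1 to B5) is the same lookup followed by removing the cloud object and the mapping row and is not shown. It assumes AES-256-GCM for the ciphertext, random keys and identification information, and an in-memory map standing in for the cloud end; the AK/SK authentication step of the cloud exchange is left out here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// mapping is one row of the mapping relation table:
// identification information -> encryption key and storage path.
type mapping struct {
	key  []byte
	path string
}

// TEE models the server's trusted execution environment. The mapping relation
// table (a Go map, i.e. a hash table) never leaves it; Cloud stands in for the
// cloud end and holds only ciphertext, keyed by storage path (the file name).
type TEE struct {
	table map[string]mapping
	Cloud map[string][]byte
}

func NewTEE() *TEE { return &TEE{table: map[string]mapping{}, Cloud: map[string][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AES-256-GCM is assumed (the text names no cipher). Keys always come from
// randomBytes(32), so a cipher construction failure is a programming error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// The archived object is nonce || ciphertext || tag, so a cloud object that
// was altered or swapped fails authentication on decrypt instead of yielding garbage.
func encrypt(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func decrypt(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Store: determine the key, encrypt, determine the identification information
// (used as the storage path), write the mapping, send the ciphertext. Key and
// identification are random here; the text derives them from the data but this
// section does not say how (assumption).
func (t *TEE) Store(plaintext []byte) string {
	key := randomBytes(32)
	id := hex.EncodeToString(randomBytes(16))
	t.table[id] = mapping{key: key, path: id}
	t.Cloud[id] = encrypt(key, plaintext)
	return id
}

// Read (steps A1-A4): look up the mapping, fetch the ciphertext, decrypt inside the TEE.
func (t *TEE) Read(id string) ([]byte, error) {
	m, ok := t.table[id]
	if !ok {
		return nil, errors.New("no mapping for identification information")
	}
	ct, ok := t.Cloud[m.path]
	if !ok {
		return nil, errors.New("object missing from cloud")
	}
	return decrypt(m.key, ct)
}

// Update (steps C1-C6): decrypt, apply the update content, drop the old mapping,
// then store under a fresh key, identification and path. As in the text only the
// mapping is dropped; the old ciphertext stays on the cloud until deleted separately.
func (t *TEE) Update(id string, apply func([]byte) []byte) (string, error) {
	old, err := t.Read(id)
	if err != nil {
		return "", err
	}
	delete(t.table, id)
	return t.Store(apply(old)), nil
}
```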
The following describes a method for processing data provided by an embodiment of the present specification through a specific service scenario. In this embodiment, the data processing method is applied to a scene of storing the private file in the public cloud. Specifically, the data processing method may be applied to a data processing system as shown in fig. 1, in this embodiment, the data to be stored is a private file, the cloud is a public cloud, and the trusted execution environment set in the server is a TEE. The embodiment shown in fig. 3 is described by taking this scenario as an example, wherein for convenience of description, fig. 3 shows that the TEE is disposed in the server by connecting the server with the TEE.
FIG. 3 is a schematic swim lane diagram of a method of processing data according to an embodiment of the present description. As shown in fig. 3, the data processing method may include the following steps S3.1-S3.9:
S3.1, the client sends a data storage request to the server.
The data storage request is used for requesting the private file to be stored in the public cloud through the server side.
S3.2, the server side obtains the privacy file and sets the privacy file in the TEE.
S3.3, in the TEE, a first secret key used for encrypting the privacy file is determined based on the privacy file, and the privacy file is encrypted based on the first secret key to obtain corresponding ciphertext data.
S3.4, in the TEE, determining first identification information corresponding to the privacy file.
S3.5, in the TEE, returning the first identification information to the client.
S3.6, in the TEE, determining a first storage path of the ciphertext data on the public cloud according to the first identification information corresponding to the privacy file.
It should be noted that the execution order of S3.3 and S3.4-S3.6 is not limited in this embodiment. For example, besides executing S3.3 first and then S3.4-S3.6, as illustrated in the present embodiment, S3.4-S3.6 may be executed first and then S3.3, or S3.3 and S3.4-S3.6 may be executed simultaneously.
S3.7, in the TEE, writing the first identification information corresponding to the privacy file, the first key for encrypting the privacy file and the first storage path of the ciphertext data on the public cloud into a pre-created mapping relation table.
The mapping relation table is used for describing the mapping relation between the identification information and the key and between the identification information and the storage path.
S3.8, in the TEE, sending the ciphertext data to the public cloud.
In this embodiment, the execution order of S3.7 and S3.8 is not limited. For example, besides executing S3.7 first and then S3.8, as in this embodiment, S3.8 may be executed first and then S3.7, or S3.7 and S3.8 may be executed simultaneously.
S3.9, the public cloud performs data archiving processing on the ciphertext data.
The specific processes of S3.1 to S3.9 are described in detail in the above embodiments, and are not described herein again.
By adopting the technical scheme of one or more embodiments of the specification, the server receives a data storage request sent by the client for requesting the privacy file to be stored in the public cloud, acquires the privacy file, and sets the privacy file in the TEE, so that in the TEE a first secret key used for encrypting the privacy file is determined based on the privacy file, the privacy file is encrypted based on the first secret key to obtain corresponding ciphertext data, and the ciphertext data is sent to the public cloud so that the public cloud can perform data archiving processing on it. Therefore, even if the security of the public cloud is low and the stored data is easy for an attacker to acquire, the attacker cannot acquire the real content of the ciphertext data, which gives better privacy protection for the data. In addition, because the processing executed in the TEE and the data generated in the data processing process cannot be accessed by other execution environments or application programs outside the TEE, the technical scheme ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
Fig. 4 is a schematic architecture diagram of a data processing system according to another embodiment of the present disclosure, the system includes a data processing device 410 and a cloud 420, a trusted execution environment 411 is disposed in the data processing device 410, and the data processing device 410 includes a trusted application 412 and at least one first application 413 (as shown in fig. 4, two first applications 413 are schematically illustrated). The first application 413 is configured to send a data storage request to the trusted application 412, where the data storage request is used to request to store data to be stored to the cloud 420. The data processing device 410 is configured to, when the trusted application 412 receives a data storage request sent by the first application 413, obtain data to be stored, set the data to be stored in the trusted execution environment 411, determine, in the trusted execution environment 411, a second key used for encrypting the data to be stored based on the data to be stored, encrypt the data to be stored based on the second key, obtain corresponding ciphertext data, and send the ciphertext data to the cloud 420. And the cloud 420 is used for performing data archiving processing on the ciphertext data.
The trusted execution environment may be a TEE, and the trusted execution environment may be implemented by a program written in a predetermined programming language (that is, may be implemented in the form of software), or may be implemented by a hardware device and a program written in advance together (that is, may be implemented in the form of hardware + software), and the like. The trusted application may be a pre-specified trusted application that can be used to execute specified business processing, such as a trusted application that executes some financial payment, a trusted application that executes some instant messaging, or a pre-developed application program, and the trusted application may be an application program that needs to be installed in the data processing device, a code program that is pre-embedded in some hardware of the data processing device, or a program that is set in the form of a plug-in to run in the background of an operating system of the data processing device, and may be specifically set according to actual situations.
In an embodiment, the first application 413 is further configured to send a data reading request to the trusted application 412, where the data reading request carries fifth identification information corresponding to data to be read currently, and the data reading request is used to request to read data stored in the cloud 420. The data processing device 410 is further configured to, when the trusted application 412 receives a data reading request sent by the first application 413, set fifth identification information in the trusted execution environment 411, determine, in the trusted execution environment 411, third target identification information that matches the fifth identification information according to the mapping relation table, obtain, according to a third target storage path mapped by the third target identification information, second target ciphertext data stored in the third target storage path from the cloud 420, decrypt, according to a second target key mapped by the third target identification information, the second target ciphertext data to obtain corresponding second target plaintext data, and send the second target plaintext data to the first application 413. The first application 413 is also configured to receive the second target plaintext data sent by the data processing apparatus 410.
In an embodiment, the first application 413 is further configured to send a data deletion request to the trusted application 412, where the data deletion request carries sixth identification information corresponding to data to be currently deleted, and the data deletion request is used to request deletion of data stored in the cloud 420. The data processing device 410 is further configured to, in a case that the trusted application 412 receives a data deletion request sent by the first application 413, set sixth identification information in the trusted execution environment 411, determine, in the trusted execution environment 411, fourth target identification information that matches the sixth identification information according to the mapping relation table, determine a fourth target storage path that is mapped with the fourth target identification information, and send a request for deleting ciphertext data stored in the fourth target storage path to the cloud 420. And the cloud 420 is further configured to delete the ciphertext data. The data processing device 410 is further configured to delete the mapping relationship between the fourth target identification information and the fourth target storage path in the mapping relationship table.
The operation of the data processing device 410 in the data processing system to be specifically performed in the data processing process is described in detail below. Fig. 5 is a schematic flowchart of a data processing method according to another embodiment of the present specification, in which the data processing method is applied to a data processing device 410 as shown in fig. 4, in which a trusted execution environment is provided. As shown in fig. 5, the method may include:
S502, a data storage request sent by a first application in the data processing equipment is received, and the data storage request is used for requesting to store data to be stored to a cloud.
Optionally, the data storage request may carry data to be stored; or, the data storage request may carry acquisition path information of the data to be stored, so that the data processing device acquires the data to be stored from the first application based on the acquisition path information; or, the data storage request may carry an identifier corresponding to the data to be stored, so that the data processing device locally searches for the corresponding data to be stored in the data processing device based on the identifier. Alternatively, the data to be stored may be a privacy file, business data, log data, or the like. The cloud may be a public cloud.
S504, obtaining the data to be stored, and setting the data to be stored in the trusted execution environment.
Optionally, under the condition that the data storage request carries data to be stored, the data processing device may directly obtain the data to be stored from the data storage request; under the condition that the data storage request carries the acquisition path information of the data to be stored, the data processing equipment can acquire the data to be stored from the first application based on the acquisition path information; under the condition that the data storage request carries the identifier corresponding to the data to be stored, the data processing device may locally find the corresponding data to be stored in the data processing device based on the identifier.
Alternatively, the first application in the data processing device may send a data storage request to the trusted application, and thus, the data processing device executes S504 if the trusted application receives the data storage request sent by the first application.
S506, in the trusted execution environment, a second key used for encrypting the data to be stored is determined based on the data to be stored, and the data to be stored is encrypted based on the second key to obtain corresponding ciphertext data.
Optionally, the determination manner of the second key is similar to that of the first key in the embodiment shown in fig. 2, and is not described here again.
S508, sending the ciphertext data to the cloud end so that the cloud end can perform data archiving processing on the ciphertext data.
By adopting the technical scheme of one or more embodiments of the specification, a data storage request sent by a first application in the data processing equipment for requesting data to be stored in a cloud is received, the data to be stored is acquired and set in a trusted execution environment, and in the trusted execution environment a second secret key used for encrypting the data to be stored is determined based on the data to be stored, the data to be stored is encrypted based on the second secret key to obtain corresponding ciphertext data, and the ciphertext data is sent to the cloud so that the cloud performs data archiving processing on the ciphertext data. Therefore, in this technical scheme ciphertext data is what is sent to the cloud for storage, and even if the security of the cloud is low and the stored data is easy for an attacker to obtain, the attacker cannot acquire the real content of the ciphertext data, which gives better privacy protection for the data. In addition, because the processing executed in the trusted execution environment, the data generated in the data processing process, and the like cannot be accessed by other execution environments or application programs outside the trusted execution environment, the technical scheme ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so data security is ensured.
In one embodiment, in the trusted execution environment, in addition to determining the second key for encrypting the data to be stored, fourth identification information corresponding to the data to be stored may be determined, and the fourth identification information is returned to the first application. Therefore, the first application can request the trusted application to acquire the corresponding data based on the fourth identification information in the subsequent process.
Optionally, a determination manner of the fourth identification information is similar to the determination manner of the first identification information in the embodiment shown in fig. 2, and is not described here again.
Optionally, the second key and the fourth identification information may be stored in association, in the trusted execution environment or locally to the data processing device. Therefore, after receiving the data acquisition request carrying the fourth identification information, the data processing device can match the data acquisition request to find out whether the fourth identification information and the corresponding key are stored locally, so that the corresponding data can be acquired from the cloud end subsequently.
In one embodiment, before the ciphertext data is sent to the cloud (i.e., S508), the second storage path of the ciphertext data on the cloud may be determined according to the fourth identification information corresponding to the data to be stored.
Optionally, the storage path of the data on the cloud may be a file name of the data, and based on this, the fourth identification information corresponding to the data to be stored may be determined as the second storage path of the ciphertext data on the cloud.
In one embodiment, the sending of the ciphertext data to the cloud end, so that the cloud end performs data archiving processing on the ciphertext data (i.e., S508), may be performed as: and sending the ciphertext data to a second storage path on the cloud end in an AK/SK authentication mode according to an access key AK and a private access key SK stored in the trusted execution environment, so that the cloud end can archive the ciphertext data in the second storage path. The specific execution manner of sending the ciphertext data to the cloud end by using the AK/SK authentication is similar to that described in the specific execution manner of S208 in the embodiment shown in fig. 2, and is not described herein again.
In this embodiment, the access key AK and the private access key SK are stored in the trusted execution environment with a higher security level, so that the AK and the SK are difficult to be acquired by an attacker, thereby preventing the attacker from successfully accessing the cloud based on an AK/SK authentication method, and facilitating improvement of the storage security of cloud data.
In one embodiment, in the trusted execution environment, the fourth identification information corresponding to the data to be stored, the second key used for encrypting the data to be stored, and the second storage path of the data to be stored on the cloud may be written into a mapping relationship table created in advance.
The mapping relation table can be used for describing mapping relations between identification information corresponding to the data to be stored, a key used for encrypting the data to be stored and a storage path of the data to be stored on the cloud. Alternatively, the mapping relation table may be a hash table, and based on this, the fourth identification information, the second key, and the second storage path may be written in a hash table created in advance.
In this embodiment, by storing the identification information corresponding to the data to be stored, the mapping relationship between the encryption key and the storage path in the trusted execution environment with a higher security level, an attacker can be prevented from acquiring the identification information, the encryption key, the storage path and other information of the data stored in the cloud, so that the attacker can be prevented from knowing the data content of the data stored in the cloud, and the storage security of the cloud data can be improved.
In one embodiment, the cloud-stored data may be sent to the first application based on a data read request initiated by the first application through the following steps D1-D4:
Step D1, receiving a data reading request sent by the first application, wherein the data reading request carries fifth identification information corresponding to the data to be read currently.
The data reading request is used for requesting to read data stored in the cloud. Optionally, the fifth identification information corresponding to the data to be currently read may be determined by the trusted execution environment of the data processing device and sent to the first application in the data storage process.
Step D2, setting the fifth identification information in the trusted execution environment.
Step D3, in the trusted execution environment, determining third target identification information matched with the fifth identification information according to the mapping relation table, acquiring, from the cloud, the second target ciphertext data stored in the third target storage path mapped by the third target identification information, and decrypting the second target ciphertext data according to the second target key mapped by the third target identification information to obtain the corresponding second target plaintext data.
Optionally, acquiring from the cloud the second target ciphertext data stored in the third target storage path mapped by the third target identification information may be implemented as: accessing the cloud end in an AK/SK authentication mode according to the access key AK and the private access key SK stored in the trusted execution environment, and reading the ciphertext data stored in the third target storage path to obtain the second target ciphertext data. The specific execution manner of accessing the cloud end by using AK/SK authentication and reading the ciphertext data stored in the third target storage path is similar to that of accessing the cloud end by using AK/SK authentication in step A3 and reading the ciphertext data stored in the first target storage path, and is not repeated here.
Step D4, sending the second target plaintext data to the first application.
In this embodiment, based on the data reading request sent by the first application, the data processing device can look up information such as the encryption key and the storage path corresponding to the data to be read through the trusted execution environment, obtain the ciphertext data from the cloud according to the storage path, decrypt the ciphertext data with the encryption key inside the trusted execution environment, and then send the plaintext data to the first application. This not only ensures that the first application can accurately obtain the data stored in the cloud, but also effectively prevents the data stored in the cloud from being obtained by an attacker, ensuring the security of the data.
In one embodiment, the cloud-stored data may be deleted based on a data deletion request initiated by the first application by the following steps E1-E5:
Step E1, receiving a data deletion request sent by the first application, wherein the data deletion request carries sixth identification information corresponding to the current data to be deleted.
The data deleting request is used for requesting to delete the data stored in the cloud. Optionally, the sixth identification information corresponding to the data to be deleted may be determined by the trusted execution environment of the data processing device and sent to the first application in the data storage process.
Step E2, setting the sixth identification information in the trusted execution environment.
Step E3, in the trusted execution environment, determining, according to the mapping relation table, fourth target identification information matched with the sixth identification information, and determining the fourth target storage path mapped with the fourth target identification information.
Step E4, sending a request for deleting the ciphertext data stored in the fourth target storage path to the cloud, so that the cloud deletes the ciphertext data.
Optionally, in this step, the cloud may be accessed in an AK/SK authentication manner according to the access key AK and the private access key SK stored in the trusted execution environment, so as to delete the ciphertext data stored in the fourth target storage path. If AK/SK authentication succeeds, the cloud determines that the data processing device has the authority to delete data stored in the cloud, responds to the request sent by the data processing device, and deletes the ciphertext data stored in the fourth target storage path; if AK/SK authentication fails, the cloud determines that the data processing device does not have the authority to delete the data stored in the cloud, and does not respond to the request sent by the data processing device.
Optionally, after deleting the ciphertext data stored in the fourth target storage path, the cloud may feed back prompt information such as "successful deletion", "deleted", and the like to the data processing device.
Step E5, deleting the mapping relation between the fourth target identification information and the fourth target storage path from the mapping relation table.
In this embodiment, based on the data deletion request sent by the first application, the data processing device can look up the storage path corresponding to the data to be deleted through the trusted execution environment, access and delete the ciphertext data stored in the cloud according to that storage path, and delete the mapping relationship between the identification information corresponding to the data to be deleted and the storage path inside the trusted execution environment. This not only ensures that the first application can conveniently modify the data stored in the cloud, but also effectively avoids accumulating a large number of invalid mapping relationships in the mapping relationship table, saving the storage resources of the data processing device.
In one embodiment, the cloud-stored data may be updated based on the data update request initiated by the first application through the following steps F1-F6:
Step F1, receiving a data updating request sent by the first application, wherein the data updating request carries eighth identification information corresponding to the current data to be updated and the updating content.
The data updating request is used for requesting to update the data stored in the cloud. Optionally, the eighth identification information corresponding to the data to be updated currently may be determined by the trusted execution environment of the data processing device and sent to the first application in the data storage process.
Step F2, setting the eighth identification information in the trusted execution environment.
Step F3, in the trusted execution environment, determining, according to the mapping relation table, sixth target identification information matched with the eighth identification information, acquiring, from the cloud, the fourth target ciphertext data stored in the sixth target storage path mapped by the sixth target identification information, and decrypting the fourth target ciphertext data according to the fourth target key mapped by the sixth target identification information to obtain the corresponding fourth target plaintext data.
Step F4, in the trusted execution environment, performing data updating processing on the fourth target plaintext data according to the updating content carried by the data updating request to obtain updated data, determining identification information corresponding to the updated data, and returning that identification information to the first application, so that the first application replaces the eighth identification information with it. The mapping relation among the eighth target identification information, the sixth target storage path and the fourth target key is then deleted from the mapping relation table.
Optionally, a determination manner of the identification information corresponding to the updated data is similar to that of the first identification information in the embodiment shown in fig. 2, and is not described herein again.
Step F5, in the trusted execution environment, determining an encryption key for encrypting the updated data, and encrypting the updated data based on that encryption key to obtain the corresponding ciphertext data; determining the storage path of the ciphertext data on the cloud according to the identification information corresponding to the updated data; and writing the identification information corresponding to the updated data, the encryption key for encrypting the updated data and the storage path of the updated data on the cloud into the mapping relation table created in advance.
Optionally, the encryption key of the updated data may be the same as or different from the fourth target key corresponding to the data to be updated.
Step F6, sending the ciphertext data to the cloud end, so that the cloud end can carry out data archiving processing on the ciphertext data.
In this embodiment, based on the data update request sent by the first application, the data processing device can look up information such as the encryption key and the storage path corresponding to the data to be updated through the trusted execution environment, obtain the ciphertext data from the cloud according to the storage path, decrypt the ciphertext data with the encryption key inside the trusted execution environment, update the plaintext data, re-determine the encryption key, the storage path and the identification information, and send the ciphertext data corresponding to the updated data to the cloud for storage. In addition, what is sent to the cloud for storage in this embodiment is ciphertext data, so even if the security of the cloud is low and the stored data is easily acquired by an attacker, the attacker cannot obtain the real content of the ciphertext data, which gives the data a better degree of privacy protection. Moreover, because neither the processing executed in the trusted execution environment nor the data generated during that processing can be accessed by other execution environments or application programs outside the trusted execution environment, the scheme of this embodiment ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
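The store, read (steps D1-D4) and update (steps F1-F6) flows above, together with the AK/SK gate in front of the cloud and the mapping relation table kept inside the enclave, as an added, self-contained Go model that is not code from the patent or its assignee. It assumes AES-256-GCM as the cipher, a SHA-256 content hash as the identification information, a constructed `/private/<prefix>` path scheme and an in-memory stand-in for the cloud; deletion (steps E1-E5) is omitted, being the same row lookup followed by a cloud delete request.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Cloud models the untrusted cloud end: objects keyed by storage path, served only
// to requests carrying the expected AK/SK pair (a stand-in for real request signing).
type Cloud struct {
	ak, sk  string
	objects map[string][]byte
}

func (c *Cloud) request(ak, sk, op, path string, body []byte) ([]byte, error) {
	if ak != c.ak || sk != c.sk {
		return nil, errors.New("AK/SK authentication failed")
	}
	if op == "put" {
		c.objects[path] = body
		return nil, nil
	}
	if ct, ok := c.objects[path]; ok {
		return ct, nil
	}
	return nil, errors.New("no object at " + path)
}

// entry is one row of the mapping relation table: key and storage path for an id.
type entry struct {
	key  []byte
	path string
}

// Enclave models the TEE side: AK/SK, the mapping table and every key stay here.
type Enclave struct {
	ak, sk string
	table  map[string]entry
	cloud  *Cloud
}

// aead returns AES-256-GCM for a 32-byte key; ciphertexts carry their nonce as a prefix.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store: fresh random key per file, id = SHA-256 of the content (the page's hash-based
// identification info), path derived from the id, mapping row written inside the enclave.
func (e *Enclave) Store(plain []byte) (string, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)   // crypto/rand.Read is documented never to fail (Go 1.24+)
	rand.Read(nonce) // fresh 96-bit GCM nonce per encryption
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(plain)
	id := hex.EncodeToString(sum[:])
	path := "/private/" + id[:16] // constructed path scheme, not the page's
	if _, err := e.cloud.request(e.ak, e.sk, "put", path, g.Seal(nonce, nonce, plain, nil)); err != nil {
		return "", err
	}
	e.table[id] = entry{key: key, path: path}
	return id, nil
}

// Read (steps D1-D4): resolve id to key and path, fetch the ciphertext, decrypt inside.
func (e *Enclave) Read(id string) ([]byte, error) {
	ent, ok := e.table[id]
	if !ok {
		return nil, errors.New("unknown identification information")
	}
	ct, err := e.cloud.request(e.ak, e.sk, "get", ent.path, nil)
	if err != nil {
		return nil, err
	}
	g, err := aead(ent.key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Update (steps F1-F6): decrypt, apply the update, drop the old row, re-key and re-store
// under a new id; as on the page only the mapping is dropped, the old object stays.
func (e *Enclave) Update(id string, apply func([]byte) []byte) (string, error) {
	old, err := e.Read(id)
	if err != nil {
		return "", err
	}
	delete(e.table, id)
	return e.Store(apply(old))
}
```

Because the id is a hash of the content and the path is derived from it, the cloud can recognise when a file whose content it already knows is stored; the page's other option, a pre-stored identifier unrelated to the content, avoids that.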
The following describes the data processing method provided by an embodiment of the present specification through a specific service scenario. In this embodiment, the data processing method is applied to a scenario in which a private file is stored in a public cloud. Specifically, the data processing method may be applied to the data processing system shown in fig. 4; in this embodiment, the data to be stored is a private file, the cloud is a public cloud, and the trusted execution environment set in the data processing device is a TEE. The embodiment shown in fig. 6 takes this scenario as an example; for convenience of illustration, fig. 6 shows the data processing apparatus connected to the TEE to indicate that the TEE is disposed in the data processing apparatus.
FIG. 6 is a schematic swim lane diagram of a method of processing data according to another embodiment of the present description. As shown in fig. 6, the data processing method may include the following steps S6.1-S6.9:
S6.1, the first application sends a data storage request to the trusted application.
The data storage request is used for requesting that the private file be stored in the public cloud through the data processing device.
S6.2, when the trusted application receives the data storage request, the data processing device acquires the private file and sets the private file in the TEE.
S6.3, in the TEE, determining a second secret key for encrypting the private file based on the private file, and encrypting the private file based on the second secret key to obtain the corresponding ciphertext data.
S6.4, in the TEE, determining fourth identification information corresponding to the private file.
S6.5, in the TEE, returning the fourth identification information to the first application.
S6.6, in the TEE, determining, according to the fourth identification information corresponding to the private file, a second storage path of the ciphertext data on the public cloud.
It should be noted that the execution sequence of S6.3 and S6.4-S6.6 is not limited in this embodiment. For example, besides executing S6.3 first and then S6.4-S6.6 as listed in this embodiment, S6.4-S6.6 may be executed first and then S6.3, or S6.3 and S6.4-S6.6 may be executed simultaneously.
S6.7, in the TEE, writing the fourth identification information corresponding to the private file, the second secret key for encrypting the private file and the second storage path of the ciphertext data on the public cloud into the mapping relation table created in advance.
The mapping relation table is used for describing the mapping relation between the identification information and the key and between the identification information and the storage path.
S6.8, in the TEE, sending the ciphertext data to the public cloud.
It should be noted that the execution sequence of S6.7 and S6.8 is not limited in this embodiment. For example, besides executing S6.7 first and then S6.8 as in this embodiment, S6.8 may be executed first and then S6.7, or S6.7 and S6.8 may be executed simultaneously.
S6.9, the public cloud carries out data archiving processing on the ciphertext data.
The specific processes of S6.1 to S6.9 are described in detail in the above embodiments, and are not described herein again.
By adopting the technical scheme of one or more embodiments of the specification, a data storage request sent by a first application in the data processing device, requesting that a private file be stored in the public cloud, is received; the private file is acquired and set in the TEE, so that, in the TEE, a second secret key for encrypting the private file is determined based on the private file, the private file is encrypted with the second secret key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the public cloud, where the public cloud carries out data archiving processing on it. Therefore, what the technical scheme sends to the public cloud for storage is ciphertext data, and even if the security of the public cloud is low and the stored data is easy for an attacker to obtain, the attacker cannot acquire the real content of the ciphertext data, which gives the data a better degree of privacy protection. Moreover, because neither the processing executed in the TEE nor the data generated during that processing can be accessed by other execution environments or application programs outside the TEE, the technical scheme ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
In summary, particular embodiments of the present subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
Based on the same idea, one or more embodiments of the present specification further provide a data processing apparatus corresponding to the data processing method described above.
Fig. 7 is a schematic block diagram of a data processing apparatus in which a trusted execution environment is provided according to an embodiment of the present specification. Referring to fig. 7, the data processing apparatus may include:
a first receiving module 710, configured to receive a data storage request sent by a client; the data storage request is used for requesting to store the data to be stored to the cloud;
a first obtaining module 720, configured to obtain data to be stored, and set the data to be stored in a trusted execution environment;
a first data processing module 730, configured to determine, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
the first sending module 740 is configured to send the ciphertext data to the cloud, so that the cloud performs data archiving processing on the ciphertext data.
In one embodiment, the first data processing module 730 includes:
the generating unit is used for generating a random key as the first key for the data to be stored; or
a first determination unit configured to determine one key of a plurality of keys stored in advance as a first key.
In one embodiment, the apparatus for processing data further comprises:
the first determining module is used for determining first identification information corresponding to data to be stored in a trusted execution environment; and returning the first identification information to the client.
In one embodiment, the first determining module comprises:
the generating and determining unit is used for generating a corresponding hash value according to the data content of the data to be stored, and determining the first identification information corresponding to the data to be stored according to the hash value; or
a second determination unit configured to determine one of the plurality of pieces of identification information stored in advance as the first identification information.
In one embodiment, the apparatus for processing data further comprises:
the second determining module is used for determining a first storage path of the ciphertext data on the cloud end according to the first identification information corresponding to the data to be stored before the ciphertext data is sent to the cloud end.
In one embodiment, the first sending module 740 includes:
the sending unit is used for sending the ciphertext data to a first storage path on the cloud end in an AK/SK authentication mode according to the access key AK and the private access key SK stored in the trusted execution environment, so that the cloud end can carry out data archiving processing on the ciphertext data in the first storage path.
In one embodiment, the apparatus for processing data further comprises:
the first execution module is used for writing the first identification information, the first key and the first storage path into a mapping relation table which is created in advance in a trusted execution environment; the mapping relation table is used for describing the mapping relation between the identification information and the key and between the identification information and the storage path.
In one embodiment, the apparatus for processing data further comprises:
the second receiving module is used for receiving a data reading request sent by the client, wherein the data reading request carries second identification information corresponding to the data to be read currently; the data reading request is used for requesting to read data stored in the cloud;
the second execution module is used for setting the second identification information in the trusted execution environment;
the second data processing module is used for determining first target identification information matched with the second identification information according to the mapping relation table in the trusted execution environment; according to a first target storage path mapped by the first target identification information, first target ciphertext data stored in the first target storage path is obtained from the cloud; decrypting the first target ciphertext data according to a first target key mapped by the first target identification information to obtain corresponding first target plaintext data;
the second sending module is used for sending the first target plaintext data to the client as the current data to be read.
In one embodiment, the second data processing module comprises:
the reading unit is used for accessing the cloud end in an AK/SK authentication mode according to the access key AK and the private access key SK stored in the trusted execution environment, and reading the ciphertext data stored in the first target storage path to obtain the first target ciphertext data.
In one embodiment, the apparatus for processing data further comprises:
the third receiving module is used for receiving a data deleting request sent by the client, wherein the data deleting request carries third identification information corresponding to the current data to be deleted; the data deleting request is used for requesting to delete the data stored in the cloud;
the third execution module is used for setting the third identification information in the trusted execution environment;
the third determining module is used for determining second target identification information matched with the third identification information according to the mapping relation table in the trusted execution environment and determining a second target storage path mapped with the second target identification information;
the third sending module is used for sending a request for deleting the ciphertext data stored in the second target storage path to the cloud end so that the cloud end can delete the ciphertext data;
the first deleting module is used for deleting the mapping relation between the second target identification information and the second target storage path from the mapping relation table.
By adopting the device of one or more embodiments of the specification, a server receives a data storage request sent by a client, requesting that data to be stored be stored to a cloud, acquires the data to be stored, and sets the data to be stored in a trusted execution environment, so that, in the trusted execution environment, a first key for encrypting the data to be stored is determined based on the data to be stored, the data to be stored is encrypted with the first key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud, where the cloud carries out data archiving processing on it. Therefore, what the device sends to the cloud end for storage is ciphertext data, and even if the security of the cloud end is low and the stored data is easy for an attacker to obtain, the attacker cannot acquire the real content of the ciphertext data, which gives the data a better degree of privacy protection. In addition, because neither the processing executed in the trusted execution environment nor the data generated during that processing can be accessed by other execution environments or application programs outside the trusted execution environment, the device ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
Fig. 8 is a schematic block diagram of a data processing apparatus in which a trusted execution environment is provided according to another embodiment of the present specification. Referring to fig. 8, the data processing apparatus may include:
a fourth receiving module 810, configured to receive a data storage request sent by a first application in the data processing apparatus; the data storage request is used for requesting to store the data to be stored to the cloud;
a second obtaining module 820, configured to obtain data to be stored, and set the data to be stored in the trusted execution environment;
a third data processing module 830, configured to determine, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
the fourth sending module 840 is configured to send the ciphertext data to the cloud, so that the cloud performs data archiving processing on the ciphertext data.
In one embodiment, the apparatus for processing data further comprises:
the fourth determining module is used for determining fourth identification information corresponding to the data to be stored in the trusted execution environment; and returning the fourth identification information to the first application.
In one embodiment, the apparatus for processing data further comprises:
the fifth determining module is used for determining a second storage path of the ciphertext data on the cloud end according to the fourth identification information corresponding to the data to be stored, before the ciphertext data is sent to the cloud end.
In one embodiment, the apparatus for processing data further comprises:
the fourth execution module is used for writing the fourth identification information, the second key and the second storage path into a mapping relation table created in advance in the trusted execution environment; the mapping relation table is used for describing the mapping relation between the identification information and the key and between the identification information and the storage path.
In one embodiment, the apparatus for processing data further comprises:
the fifth receiving module is used for receiving a data reading request sent by the first application, wherein the data reading request carries fifth identification information corresponding to the data to be read currently; the data reading request is used for requesting to read data stored in the cloud;
the fifth execution module is used for setting the fifth identification information in the trusted execution environment;
the fourth data processing module is used for determining third target identification information matched with the fifth identification information according to the mapping relation table in the trusted execution environment; according to a third target storage path mapped by the third target identification information, second target ciphertext data stored in the third target storage path is obtained from the cloud end; decrypting the second target ciphertext data according to a second target key mapped by the third target identification information to obtain corresponding second target plaintext data;
the fifth sending module is used for sending the second target plaintext data to the first application.
In one embodiment, the apparatus for processing data further comprises:
a sixth receiving module, configured to receive a data deletion request sent by the first application, where the data deletion request carries sixth identification information corresponding to current data to be deleted; the data deleting request is used for requesting to delete the data stored in the cloud;
the sixth execution module is used for setting the sixth identification information in the trusted execution environment;
a sixth determining module, configured to determine, in the trusted execution environment, fourth target identification information that matches the sixth identification information according to the mapping relationship table, and determine a fourth target storage path mapped with the fourth target identification information;
the sixth sending module is configured to send a request for deleting the ciphertext data stored in the fourth target storage path to the cloud, so that the cloud deletes the ciphertext data;
the second deleting module is used for deleting the mapping relation between the fourth target identification information and the fourth target storage path from the mapping relation table.
By adopting the device of one or more embodiments of the present specification, a data storage request sent by a first application in the data processing device, requesting that data to be stored be stored to a cloud end, is received; the data to be stored is acquired and set in a trusted execution environment, so that, in the trusted execution environment, a second key for encrypting the data to be stored is determined based on the data to be stored, the data to be stored is encrypted with the second key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud end, where the cloud end performs data archiving processing on it. Therefore, what the device sends to the cloud end for storage is ciphertext data, and even if the security of the cloud end is low and the stored data is easy for an attacker to obtain, the attacker cannot acquire the real content of the ciphertext data, which gives the data a better degree of privacy protection. Moreover, because neither the processing executed in the trusted execution environment nor the data generated during that processing can be accessed by other execution environments or application programs outside the trusted execution environment, the device ensures that an attacker cannot acquire the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
Those skilled in the art will understand that the data processing apparatus can be used to implement the data processing method described above, and that its detailed description would be similar to the detailed description of the method; to avoid redundancy, no further description is provided here.
Based on the same idea, one or more embodiments of the present specification further provide a data processing device, as shown in fig. 9. Data processing devices may differ considerably in configuration or performance; the device may include one or more processors 901 and a memory 902, and the memory 902 may store one or more stored applications or data. Memory 902 may be, among other things, transient storage or persistent storage. The application program stored in memory 902 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the data processing device. Still further, the processor 901 may be arranged in communication with the memory 902 for executing the series of computer-executable instructions held in the memory 902 on the data processing device. The data processing device may also include one or more power supplies 903, one or more wired or wireless network interfaces 904, one or more input-output interfaces 905, and one or more keyboards 906.
In one embodiment, an apparatus for processing data includes a memory and one or more programs, wherein the one or more programs are stored in the memory, the one or more programs may include one or more modules, each module may include a series of computer-executable instructions for the apparatus for processing data, and the one or more programs are configured to be executed by one or more processors, the one or more programs including computer-executable instructions for:
receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to the cloud;
acquiring data to be stored, and setting the data to be stored in a trusted execution environment;
determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud so that the cloud can carry out data archiving processing on the ciphertext data.
By adopting the apparatus of one or more embodiments of this specification, a data storage request sent by a client end, requesting that data to be stored be stored to a cloud end, is received at the server end; the data to be stored is acquired and placed in a trusted execution environment; in the trusted execution environment a first key for encrypting the data to be stored is determined based on the data to be stored, the data is encrypted with the first key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud end so that the cloud end archives it. Therefore, even if the cloud end is poorly secured and the stored data is easily obtained by an attacker, the attacker cannot recover the real content of the ciphertext data without the key, which gives better privacy protection for the data. Moreover, because the processing executed in the trusted execution environment and the data generated during that processing cannot be accessed by other execution environments or applications outside the trusted execution environment, the apparatus ensures that an attacker cannot obtain the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
In one embodiment, an apparatus for processing data includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the apparatus, and the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for:
receiving a data storage request sent by a first application in the data processing equipment; the data storage request is used for requesting to store the data to be stored to the cloud;
acquiring data to be stored, and setting the data to be stored in a trusted execution environment;
determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud so that the cloud carries out data archiving processing on the ciphertext data.
By adopting the apparatus of one or more embodiments of this specification, a data storage request sent by a first application in the data processing device, requesting that data to be stored be stored to a cloud end, is received; the data to be stored is acquired and placed in a trusted execution environment; in the trusted execution environment a second key for encrypting the data to be stored is determined based on the data to be stored, the data is encrypted with the second key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud end so that the cloud end archives it. Therefore, even if the cloud end is poorly secured and the stored data is easily obtained by an attacker, the attacker cannot recover the real content of the ciphertext data without the key, which gives better privacy protection for the data. Moreover, because the processing executed in the trusted execution environment and the data generated during that processing cannot be accessed by other execution environments or applications outside the trusted execution environment, the apparatus ensures that an attacker cannot obtain the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
One or more embodiments of this specification also propose a storage medium storing one or more computer programs, the one or more computer programs including instructions which, when executed by an electronic device including a plurality of applications, enable the electronic device to perform the respective processes of the above data processing method embodiments, and specifically to perform:
receiving a data storage request sent by a client; the data storage request is used for requesting to store the data to be stored to the cloud;
acquiring data to be stored, and setting the data to be stored in a trusted execution environment;
determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud so that the cloud carries out data archiving processing on the ciphertext data.
By adopting the storage medium of one or more embodiments of this specification, a data storage request sent by a client end, requesting that data to be stored be stored to a cloud end, is received at the server end; the data to be stored is acquired and placed in a trusted execution environment; in the trusted execution environment a first key for encrypting the data to be stored is determined based on the data to be stored, the data is encrypted with the first key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud end so that the cloud end archives it. Because only ciphertext is sent to the cloud end for storage, even if the cloud end is poorly secured and the stored data is easily obtained by an attacker, the attacker cannot recover the real content of the ciphertext data without the key, which gives better privacy protection for the data. Moreover, because the processing executed in the trusted execution environment and the data generated during that processing cannot be accessed by other execution environments or applications outside the trusted execution environment, the storage medium ensures that an attacker cannot obtain the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
One or more embodiments of this specification also propose a storage medium storing one or more computer programs, the one or more computer programs including instructions which, when executed by an electronic device including a plurality of applications, enable the electronic device to perform the respective processes of the above data processing method embodiments, and specifically to perform:
receiving a data storage request sent by a first application in the data processing equipment; the data storage request is used for requesting to store the data to be stored to the cloud;
acquiring data to be stored, and setting the data to be stored in a trusted execution environment;
determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud so that the cloud carries out data archiving processing on the ciphertext data.
By adopting the storage medium of one or more embodiments of this specification, a data storage request sent by a first application in the data processing device, requesting that data to be stored be stored to a cloud end, is received; the data to be stored is acquired and placed in a trusted execution environment; in the trusted execution environment a second key for encrypting the data to be stored is determined based on the data to be stored, the data is encrypted with the second key to obtain the corresponding ciphertext data, and the ciphertext data is sent to the cloud end so that the cloud end archives it. Because only ciphertext is sent to the cloud end for storage, even if the cloud end is poorly secured and the stored data is easily obtained by an attacker, the attacker cannot recover the real content of the ciphertext data without the key, which gives better privacy protection for the data. Moreover, because the processing executed in the trusted execution environment and the data generated during that processing cannot be accessed by other execution environments or applications outside the trusted execution environment, the storage medium ensures that an attacker cannot obtain the key and therefore cannot correctly decrypt the ciphertext data, so the security of the data is ensured.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
One skilled in the art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
One or more embodiments of the present specification are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only one or more embodiments of the present disclosure, and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of claims of one or more embodiments of the present specification.

Claims (19)

1. A data processing method is applied to a server side, wherein a trusted execution environment is arranged in the server side, and the method comprises the following steps:
receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
2. The method of claim 1, the determining a first key for encrypting the data to be stored based on the data to be stored, comprising:
generating a random key for the data to be stored as the first key; or
determining one of a plurality of pre-stored keys as the first key.
3. The method of claim 1, further comprising:
determining first identification information corresponding to the data to be stored in the trusted execution environment; and returning the first identification information to the client.
4. The method according to claim 3, wherein the determining first identification information corresponding to the data to be stored includes:
generating a corresponding hash value from the data content of the data to be stored, and determining the first identification information corresponding to the data to be stored from the hash value; or
determining one of a plurality of pre-stored pieces of identification information as the first identification information.
5. The method of claim 3, prior to sending the ciphertext data to the cloud, the method further comprising:
and determining a first storage path of the ciphertext data on the cloud according to the first identification information corresponding to the data to be stored.
6. The method of claim 5, wherein the sending the ciphertext data to the cloud to enable the cloud to perform data archiving processing on the ciphertext data comprises:
and sending the ciphertext data to the first storage path on the cloud end using AK/SK authentication with an access key AK and a secret access key SK stored in the trusted execution environment, so that the cloud end archives the ciphertext data at the first storage path.
7. The method of claim 5, further comprising:
in the trusted execution environment, writing the first identification information, the first key and the first storage path into a pre-created mapping relation table; the mapping relation table describes the mapping between identification information and the corresponding key and storage path.
8. The method of claim 7, further comprising:
receiving a data reading request sent by the client, wherein the data reading request carries second identification information corresponding to the current data to be read; the data reading request is used for requesting to read data stored in the cloud end;
setting the second identification information in the trusted execution environment;
in the trusted execution environment, determining first target identification information matched with the second identification information according to the mapping relation table; according to a first target storage path mapped by the first target identification information, acquiring first target ciphertext data stored in the first target storage path from the cloud; decrypting the first target ciphertext data according to a first target key mapped by the first target identification information to obtain corresponding first target plaintext data;
and sending the first target plaintext data as current data to be read to the client.
9. The method of claim 8, wherein the obtaining, from the cloud, first target ciphertext data stored in a first target storage path according to the first target storage path mapped by the first target identification information, comprises:
and accessing the cloud end using AK/SK authentication with an access key AK and a secret access key SK stored in the trusted execution environment, and reading the ciphertext data stored at the first target storage path to obtain the first target ciphertext data.
10. The method of claim 7, further comprising:
receiving a data deleting request sent by the client, wherein the data deleting request carries third identification information corresponding to the current data to be deleted; the data deleting request is used for requesting to delete the data stored in the cloud;
setting the third identification information in the trusted execution environment;
in the trusted execution environment, according to the mapping relation table, determining second target identification information matched with the third identification information, and determining a second target storage path mapped by the second target identification information;
sending a request for deleting the ciphertext data stored in the second target storage path to the cloud end so that the cloud end can delete the ciphertext data;
and deleting the mapping relation between the second target identification information and the second target storage path in the mapping relation table.
11. A data processing method is applied to a data processing device, a trusted execution environment is arranged in the data processing device, and the method comprises the following steps:
receiving a data storage request sent by a first application in the data processing equipment; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
12. A data processing system, comprising a cloud end, a server end and at least one client end, wherein a trusted execution environment is arranged in the server end; wherein:
the client is used for sending a data storage request to the server; the data storage request is used for requesting to store data to be stored to the cloud end;
the server is used for acquiring the data to be stored and setting the data to be stored in the trusted execution environment; determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data; sending the ciphertext data to the cloud;
and the cloud end is used for carrying out data archiving processing on the ciphertext data.
13. A data processing system, comprising a data processing device and a cloud end, wherein a trusted execution environment is arranged in the data processing device, and the data processing device comprises a trusted application and at least one first application; wherein:
the first application is used for sending a data storage request to the trusted application; the data storage request is used for requesting to store data to be stored to the cloud end;
the data processing device is configured to, when the trusted application receives the data storage request sent by the first application, acquire the data to be stored, and set the data to be stored in the trusted execution environment; determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data; sending the ciphertext data to the cloud;
and the cloud end is used for performing data archiving processing on the ciphertext data.
14. An apparatus for processing data, the apparatus having a trusted execution environment disposed therein, the apparatus comprising:
the first receiving module is used for receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to a cloud end;
the first acquisition module is used for acquiring the data to be stored and setting the data to be stored in the trusted execution environment;
the first data processing module is used for determining a first key for encrypting the data to be stored based on the data to be stored in the trusted execution environment; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and the first sending module is used for sending the ciphertext data to the cloud end so that the cloud end can carry out data archiving processing on the ciphertext data.
15. An apparatus for processing data, the apparatus having a trusted execution environment disposed therein, the apparatus comprising:
a fourth receiving module, configured to receive a data storage request sent by a first application in the data processing device; the data storage request is used for requesting to store data to be stored to a cloud end;
the second acquisition module is used for acquiring the data to be stored and setting the data to be stored in the trusted execution environment;
a third data processing module, configured to determine, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and the fourth sending module is used for sending the ciphertext data to the cloud end so that the cloud end can carry out data archiving processing on the ciphertext data.
16. A device for processing data, the device for processing data being provided with a trusted execution environment, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, are capable of causing the processor to:
receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
17. A device for processing data, the device for processing data being provided with a trusted execution environment, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, are capable of causing the processor to:
receiving a data storage request sent by a first application in the data processing equipment; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
18. A storage medium for storing computer executable instructions which, when executed by a processor, implement the following flow:
receiving a data storage request sent by a client; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a first key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the first key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
19. A storage medium for storing computer executable instructions which, when executed by a processor, implement the following flow:
receiving a data storage request sent by a first application in the data processing equipment; the data storage request is used for requesting to store data to be stored to a cloud end;
acquiring the data to be stored, and setting the data to be stored in the trusted execution environment;
determining, in the trusted execution environment, a second key for encrypting the data to be stored based on the data to be stored; encrypting the data to be stored based on the second key to obtain corresponding ciphertext data;
and sending the ciphertext data to the cloud end so that the cloud end carries out data archiving processing on the ciphertext data.
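The store, read and delete flows of claims 1 to 10 (restated for the device in claims 11 to 19 and in the apparatus and storage-medium embodiments above) as one runnable model. This is an added example, not the patent's or the applicant's code. Everything the patent leaves open is an assumption here: the AK/SK signing scheme (HMAC-SHA256 over method, path and body hash), the cipher (an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC, standing in for a real AEAD such as AES-GCM), the in-memory `InsecureCloud` and `Enclave` classes, and the constructed credentials and sample record:

```python
"""Enclave-side encrypted archiving to an untrusted cloud, modelled on CN115766173A.
Added example, not the patent's code. Assumed (the patent specifies none of it): an
HMAC-SHA256 AK/SK request signature; an HMAC-SHA256 counter-mode cipher with
encrypt-then-MAC standing in for a real AEAD such as AES-GCM; a TEE modelled as a
class whose private state (mapping table, AK/SK, keys) never reaches callers."""
import hashlib, hmac, os, secrets

def sign_request(sk, method, path, body=b""):
    """AK/SK request signature (claims 6, 9); the scheme itself is an assumption."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + hashlib.sha256(body).digest()
    return hmac.new(sk, msg, hashlib.sha256).digest()

def _keystream(enc_key, nonce, n):  # PRF in counter mode, truncated to n bytes
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    """Toy AEAD layout: 16-byte nonce | XOR body | 32-byte HMAC tag."""
    enc_key, mac_key = (hmac.new(key, l, hashlib.sha256).digest() for l in (b"enc", b"mac"))
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = (hmac.new(key, l, hashlib.sha256).digest() for l in (b"enc", b"mac"))
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered, truncated, or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class InsecureCloud:
    """Untrusted object store: holds ciphertext only, enforces AK/SK signatures."""
    def __init__(self, credentials):
        self._creds = dict(credentials)  # ak -> sk, provisioned out of band (assumption)
        self.objects = {}                # path -> blob; assume an attacker can read this

    def _authorize(self, ak, sig, method, path, body=b""):
        sk = self._creds.get(ak)
        if sk is None or not hmac.compare_digest(sig, sign_request(sk, method, path, body)):
            raise PermissionError("AK/SK authentication failed")

    def put(self, ak, sig, path, blob):
        self._authorize(ak, sig, "PUT", path, blob)
        self.objects[path] = blob

    def get(self, ak, sig, path):
        self._authorize(ak, sig, "GET", path)
        return self.objects[path]

    def delete(self, ak, sig, path):
        self._authorize(ak, sig, "DELETE", path)
        del self.objects[path]

class Enclave:
    """The trusted application inside the TEE: store / read / delete of claims 1-10."""
    def __init__(self, cloud, ak, sk, prefix="archive/"):
        self._cloud, self._ak, self._sk = cloud, ak, sk  # AK/SK never leave the enclave
        self._mapping = {}                               # claim 7: id -> (key, path)
        self._prefix = prefix

    def store(self, data):
        key = secrets.token_bytes(32)                    # claim 2: fresh random key per object
        data_id = hashlib.sha256(data).hexdigest()       # claim 4: id from a content hash
        path = f"{self._prefix}{data_id[:2]}/{data_id}"  # claim 5: path derived from the id
        blob = encrypt(key, data)
        self._cloud.put(self._ak, sign_request(self._sk, "PUT", path, blob), path, blob)
        self._mapping[data_id] = (key, path)
        return data_id                                   # claim 3: only the id goes back

    def read(self, data_id):                             # claim 8
        key, path = self._mapping[data_id]               # KeyError for an unknown/deleted id
        return decrypt(key, self._cloud.get(self._ak, sign_request(self._sk, "GET", path), path))

    def delete(self, data_id):                           # claim 10
        _key, path = self._mapping.pop(data_id)
        self._cloud.delete(self._ak, sign_request(self._sk, "DELETE", path), path)

def demo():
    """Round trip, then the two attacker views the patent argues about."""
    cloud = InsecureCloud({b"AK-example": b"SK-example"})   # constructed credentials
    enclave = Enclave(cloud, b"AK-example", b"SK-example")
    record = b"account=1234567890;balance=42.00"            # constructed sample input
    data_id = enclave.store(record)
    path, stolen = next(iter(cloud.objects.items()))        # what a cloud-side attacker sees
    cloud.objects[path] = stolen[:16] + bytes([stolen[16] ^ 1]) + stolen[17:]  # flip a body bit
    try:
        enclave.read(data_id)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    cloud.objects[path] = stolen
    plaintext = enclave.read(data_id)
    enclave.delete(data_id)
    return {"plaintext_hidden": record not in stolen, "round_trip_ok": plaintext == record,
            "tamper_detected": tamper_detected, "deleted_from_cloud": not cloud.objects,
            "mapping_cleared": data_id not in enclave._mapping}
```

Calling `demo()` returns all five checks as true: the cloud holds only the nonce, ciphertext and tag, a flipped ciphertext bit is rejected inside the enclave, and deletion removes both the object and its mapping entry. The model also shows where the design is thin. The identification information of claim 4 is a plain hash of the content, so anyone who can guess a record can check whether it was stored by comparing identifiers; the second option in claim 4 (pre-stored identifiers), or an HMAC under an enclave-held secret, avoids that. The mapping table of claim 7 is the single point of failure: if the enclave loses it, every archived object is unrecoverable, and the patent does not say how it is persisted, so a deployment must seal it to the enclave identity and back it up. AK/SK authentication (claims 6 and 9) only authorises requests to the cloud; confidentiality comes entirely from the per-object key never leaving the TEE.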
CN202211399242.3A 2022-11-09 2022-11-09 Data processing method, system and device Pending CN115766173A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211399242.3A CN115766173A (en) 2022-11-09 2022-11-09 Data processing method, system and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211399242.3A CN115766173A (en) 2022-11-09 2022-11-09 Data processing method, system and device

Publications (1)

Publication Number Publication Date
CN115766173A true CN115766173A (en) 2023-03-07

Family

ID=85368640

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211399242.3A Pending CN115766173A (en) 2022-11-09 2022-11-09 Data processing method, system and device

Country Status (1)

Country Link
CN (1) CN115766173A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240617A (en) * 2023-11-13 2023-12-15 中国联合网络通信集团有限公司 Public cloud storage access method, public cloud storage access device, public cloud storage access equipment and storage medium
CN117240617B (en) * 2023-11-13 2024-02-23 中国联合网络通信集团有限公司 Public cloud storage access method, public cloud storage access device, public cloud storage access equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190340393A1 (en) * 2018-05-04 2019-11-07 Huawei Technologies Co., Ltd. Device and method for data security with a trusted execution environment
CN110519049A (en) * 2019-08-07 2019-11-29 赤峰学院 A kind of cloud data protection system based on credible performing environment
CN111181720A (en) * 2019-12-31 2020-05-19 支付宝(杭州)信息技术有限公司 Service processing method and device based on trusted execution environment
CN111723385A (en) * 2020-06-01 2020-09-29 清华大学 Data information processing method and device, electronic equipment and storage medium
CN114912105A (en) * 2022-05-13 2022-08-16 中国银联股份有限公司 Data storage method, device, system, equipment, medium and product

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240617A (en) * 2023-11-13 2023-12-15 China United Network Communications Group Co., Ltd. Public cloud storage access method, device, equipment and storage medium
CN117240617B (en) * 2023-11-13 2024-02-23 China United Network Communications Group Co., Ltd. Public cloud storage access method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN110580262B (en) Private data query method and device based on intelligent contract
EP3893433B1 (en) Data isolation in blockchain networks
CN113656806B (en) Trusted startup method and device for a blockchain all-in-one machine
EP3937525B1 (en) Methods, apparatuses, devices and systems for backtracking service behavior
US8489889B1 (en) Method and apparatus for restricting access to encrypted data
US11604633B2 (en) Trusted startup methods and apparatuses of blockchain integrated station
CN107948152B (en) Information storage method and device, information acquisition method and device, and information acquisition equipment
CN110580417B (en) Private data query method and device based on intelligent contract
CN106992851B (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
JP2020508619A (en) Data backup method and data backup device, storage medium, and server
CN109450620B (en) Method for sharing security application in mobile terminal and mobile terminal
CN110580412A (en) Permission query configuration method and device based on chain codes
CN115766173A (en) Data processing method, system and device
CN110602132A (en) Data encryption and decryption processing method
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
KR102442674B1 (en) Access controlling server which controls the access to the private cloud server and the operating method thereof
US20220284110A1 (en) Multi-key secure deduplication using locked fingerprints
CN114995949A (en) Container mirror image construction method and device
CN110830252B (en) Data encryption method, device, equipment and storage medium
CN114969805A (en) Service query method and device, electronic equipment and storage medium
CN113986448A (en) Container deployment method and device
CN112953893B (en) Identity verification method, device, equipment and system based on privacy protection
US20240089098A1 (en) Decryption key generation and recovery
KR102398380B1 (en) Method and system for key exchange
US20240114012A1 (en) Zero-trust distributed data sharing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination