CN116566744B - Data processing method and security verification system - Google Patents


Info

Publication number
CN116566744B
Authority
CN
China
Prior art keywords
storage space
tee
ree
ciphertext
plaintext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310826580.9A
Other languages
Chinese (zh)
Other versions
CN116566744A (en)
Inventor
Name withheld on request
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Real AI Technology Co Ltd
Original Assignee
Beijing Real AI Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Real AI Technology Co Ltd filed Critical Beijing Real AI Technology Co Ltd
Priority to CN202310826580.9A priority Critical patent/CN116566744B/en
Publication of CN116566744A publication Critical patent/CN116566744A/en
Application granted granted Critical
Publication of CN116566744B publication Critical patent/CN116566744B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Abstract

The invention discloses a data processing method and a security verification system, wherein the method is applied to a node containing a general execution environment REE and a trusted execution environment TEE, and comprises the following steps: accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE; decrypting the parameter ciphertext through the TEE to obtain a parameter plaintext; accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext; the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.

Description

Data processing method and security verification system
Technical Field
The invention relates to the technical field of data processing, in particular to a data processing method and a security verification system.
Background
Authentication, and the use of software functions after authentication has passed, are very important parts of using software services. It is therefore necessary to protect the core algorithm of the software against reverse engineering and piracy. However, the inventors found that, in the prior art, software is installed independently and completely in an open system with low credibility, and when that system is attacked and authorization is obtained, the core algorithm in the software is easily stolen.
Aiming at the problem of insufficient security of a core algorithm in software in the prior art, no effective solution exists at present.
Disclosure of Invention
The invention aims to provide a data processing method and a security verification system, which can ensure the security of a core algorithm in software.
One aspect of the present invention provides a data processing method applied to a node including a general execution environment REE and a trusted execution environment TEE, the method comprising:
accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
decrypting the parameter ciphertext through the TEE to obtain a parameter plaintext;
accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext;
the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
Optionally, accessing the target storage space through the REE or the TEE includes:
acquiring an environment identifier of the current execution environment;
Generating an access request containing the environment identifier;
sending the access request to a preset hardware encryption and decryption unit so that the hardware encryption and decryption unit accesses the target storage space based on the access request;
the target storage space is a REE storage space or a TEE storage space.
Optionally, the sending the access request to a preset hardware encryption and decryption unit, so that the hardware encryption and decryption unit accesses the target storage space based on the access request includes:
determining whether an execution environment pointed by the environment identifier corresponds to the target storage space or not based on the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, determining specific access matters of the access request through the hardware encryption and decryption unit, and directly accessing the target storage space based on the specific access matters;
and stopping the access operation when the execution environment pointed by the environment identifier is not corresponding to the target storage space.
Optionally, when the execution environment pointed by the environment identifier corresponds to the target storage space, determining, by the hardware encryption and decryption unit, a specific access item of the access request, and directly accessing the target storage space based on the specific access item includes:
When the specific access item is stored data:
acquiring a data plaintext to be stored from the access request through the hardware encryption and decryption unit;
encrypting the data plaintext by utilizing an encryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data ciphertext;
storing the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the specific access item is read data:
reading out the required data ciphertext from the target storage space through the hardware encryption and decryption unit;
decrypting the data ciphertext by using a decryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data plaintext;
and sending the data plaintext to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit.
Optionally, the sending the access request to a preset hardware encryption and decryption unit, so that the hardware encryption and decryption unit accesses the target storage space based on the access request includes:
determining specific access matters of the access request through the hardware encryption and decryption unit;
and acquiring an encryption/decryption algorithm associated with the environment identifier based on the specific access item through the hardware encryption/decryption unit, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier.
Optionally, the obtaining, by the hardware encryption and decryption unit, an encryption/decryption algorithm associated with the environment identifier based on the specific access item, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier includes:
when the specific access item is stored data:
acquiring an encryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and acquiring a data plaintext to be stored from the access request;
encrypting the data plaintext by the hardware encryption and decryption unit by utilizing an encryption algorithm associated with the environment identifier so as to obtain a data ciphertext;
attempting to store the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, successful storage is realized; otherwise, the storage fails;
when the specific access item is read data:
acquiring a decryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and reading out a required data ciphertext from the target storage space;
attempting, by the hardware encryption and decryption unit, to decrypt the data ciphertext using a decryption algorithm associated with the environment identifier;
When the decryption is successful, the data plaintext obtained after the decryption is sent to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, the decryption is successful; otherwise, the decryption fails.
Optionally, the accessing the corresponding REE storage space through the REE, reading the parameter ciphertext required by the operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE includes:
reading a first public key and a key pair identifier from a corresponding TEE storage space through the TEE;
generating a verification file ciphertext by the TEE through the first public key;
sending a verification request containing the verification file ciphertext and the key pair identifier to an authorization terminal through the TEE, so that the authorization terminal searches a first private key and a second public key by using the key pair identifier and decrypts the verification file ciphertext by using the first private key;
receiving a verification result ciphertext encrypted by a second public key returned by the authorization terminal through the TEE, reading a second private key from a corresponding TEE storage space, decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext, and sending the verification result plaintext to the REE;
When the verification result plaintext is analyzed to represent that verification passes, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
the authorization terminal stores a plurality of keys and a key identifier of each key, each key pair comprises two keys, and each key comprises a public key and a private key.
Optionally, the generating, by the TEE, the verification document ciphertext using the first public key includes:
collecting REE environment information through the REE, and sending the REE environment information to the TEE;
and collecting the TEE environment information through the TEE, and encrypting the REE environment information and the TEE environment information by using the first public key to obtain a verification file ciphertext.
Optionally, the cluster to which the node belongs includes a plurality of master nodes, and a third key including a third public key and a third private key is generated by a master node;
the method comprises the following steps:
receiving the third public key sent by the master node through the REE, and storing the third public key into a corresponding REE storage space;
receiving the third private key sent by the master node through the TEE, and storing the third private key into a corresponding TEE storage space;
receiving a parameter plaintext storage request through the REE, encrypting the parameter plaintext by using the third public key to obtain the parameter ciphertext, and storing the parameter ciphertext into a corresponding REE storage space;
the decrypting the parameter ciphertext by the TEE to obtain a parameter plaintext includes:
and decrypting the parameter ciphertext by the TEE through the third private key to obtain a parameter plaintext.
Another aspect of the present invention provides a security verification system, the system comprising a request cluster and an authorization terminal, the request cluster comprising a plurality of request nodes, each request node comprising a general execution environment REE and a trusted execution environment TEE, wherein:
the request node reads a first public key and a key pair identifier from a corresponding TEE storage space through the contained TEE; generating a verification file ciphertext by using the first public key, and sending a verification request containing the verification file ciphertext and the key pair identifier to the authorization terminal;
the authorization terminal receives and analyzes the verification request to obtain the verification file ciphertext and the key pair identifier; screening key pairs associated with the key pair identification from a plurality of pre-stored keys; decrypting the verification file ciphertext by using a first private key in the screened key pair to obtain a verification file plaintext; verifying the plaintext of the verification file and generating a verification result plaintext; encrypting the verification result plaintext by using a second public key in the screened key pair to obtain a verification result ciphertext; sending the verification result ciphertext to the request node;
The request node receives the verification result ciphertext through the contained TEE and reads a second private key from the corresponding TEE storage space; decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext; sending the verification result plaintext to the REE;
when the verification result plaintext is analyzed to represent that verification passes, the request node accesses a corresponding REE storage space through the contained REE, reads a parameter ciphertext required by an operation target algorithm from the REE storage space, and sends the parameter ciphertext to the TEE;
the request node decrypts the parameter ciphertext through the contained TEE so as to obtain a parameter plaintext; accessing a corresponding TEE storage space, reading the target algorithm from the TEE storage space, and running the target algorithm based on the parameter plaintext;
each key pair comprises two keys, each key comprises a public key and a private key, the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
Yet another aspect of the present invention provides a computer apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the data processing method according to any one of the above embodiments when executing the computer program.
A further aspect of the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a data processing method according to any of the embodiments described above.
According to the invention, the target algorithm is stored in a TEE (Trusted Execution Environment) storage space, the parameters required for running the target algorithm are stored in a REE (Rich Execution Environment, the general execution environment) storage space, and each TEE and each REE is set so that it can only successfully access its corresponding storage space. Because the TEE has higher security reliability, even if the REE is attacked, only the algorithm parameters in the REE storage space are lost, and the target algorithm in the TEE storage space is difficult to steal.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
Fig. 1 shows a schematic architecture provided by an application scenario of the present invention;
FIG. 2 is a flow chart of a data processing method according to a first embodiment of the present invention;
FIG. 3 is a flowchart of a data processing method according to a second embodiment of the present invention;
FIG. 4 is a flowchart of a data processing method according to a third embodiment of the present invention;
FIG. 5 is a block diagram of a security verification system according to a fourth embodiment of the present invention;
FIG. 6 is a block diagram of a data processing apparatus according to a fifth embodiment of the present invention;
FIG. 7 shows a block diagram of a computer device adapted to implement a data processing method according to a sixth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Application scenario
In order to facilitate understanding of the technical scheme of the present invention, the following examples illustrate application scenarios to which the present invention is applicable. It should be understood that the application scenario described in the present invention is only exemplary, and does not limit the protection scope of the present invention.
The seller enterprise sells a certain software to the client, and the client needs to check the identity before using the software; after the verification is successful, the client side performs service processing based on the purchased software. The arrangement mode of the client system may include:
Client system 1: as shown in Fig. 1, the client side is arranged with a cluster, where the cluster includes multiple physical machines, each physical machine includes one or more nodes, and each node includes a virtual machine with an operating environment of REE and a virtual machine with an operating environment of TEE.
Client system 2: the client side is provided with a cluster, the cluster comprises a plurality of nodes, each node comprises two physical machines, wherein the operating environment of one physical machine is REE, and the operating environment of the other physical machine is TEE.
Client system 3: the client side is provided with a node which is a physical machine, and a virtual machine with REE as an operation environment and a virtual machine with TEE as an operation environment are arranged in the physical machine.
Client system 4: the client side is provided with a node which is two physical machines, wherein the operating environment of one physical machine is REE, and the operating environment of the other physical machine is TEE.
In the dual environment composed of the REE and the TEE, one piece of software is divided into two parts: the part located in the REE environment is called the CA (Client Application) part, and the part located in the TEE environment is called the TA (Trusted Application) part. When identity verification is required, each node of the client side can interact with the authorization terminal of the seller; once there is a verified node, the client can conduct business processing based on interactions between the environments within the node.
Example 1
Fig. 2 shows a flowchart of a data processing method according to an embodiment of the present application, where the method is applied to a node including a general execution environment REE and a trusted execution environment TEE, and as shown in fig. 2, the data processing method includes steps A1 to A3, where:
Step A1, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
Step A2, decrypting the parameter ciphertext through the TEE to obtain a parameter plaintext;
Step A3, accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext;
the REE storage space can only be successfully accessed by the corresponding REE, and the TEE storage space can only be successfully accessed by the corresponding TEE. Successful access refers to reading data from the memory space and successfully decrypting, or successfully storing encrypted data to the memory space.
Specifically, storage media are arranged on physical machines arranged on a client side, the storage media on each physical machine are divided into a plurality of different storage spaces in advance, and each execution environment uniquely corresponds to one storage space; the storage medium includes a memory and/or a disk, the storage space corresponding to the REEs may be referred to as a REE storage space, and the storage space corresponding to the TEEs may be referred to as a TEE storage space.
For example, the REE and the TEE in node 1 correspond to REE storage space 1 and TEE storage space 1, respectively, and the REE and the TEE in node 2 correspond to REE storage space 2 and TEE storage space 2, respectively. Then REE storage space 1 is only accessible by the REE in node 1, TEE storage space 1 is only accessible by the TEE in node 1, REE storage space 2 is only accessible by the REE in node 2, and TEE storage space 2 is only accessible by the TEE in node 2.
In order to ensure security, this embodiment stores the target algorithm, which has the higher security level, in the TEE storage space in advance, stores the parameter ciphertext, which has the lower security level, in the REE storage space, and sets logic under which different execution environments cannot access each other's storage space. Thus, when a service needs to be processed through the target algorithm, the parameter ciphertext can only be extracted from the corresponding REE storage space through the REE, and the target algorithm can only be extracted from the corresponding TEE storage space through the TEE; an execution environment cannot access the storage space of the other environment in its own node, nor the storage spaces of environments in other nodes. Isolating the storage of the target algorithm from the storage of the parameters required to run it improves the security of the target algorithm.
As an alternative embodiment, accessing the target storage space through the REE or the TEE includes:
Step S1, acquiring an environment identifier of the current execution environment;
Step S2, generating an access request containing the environment identifier;
Step S3, sending the access request to a preset hardware encryption and decryption unit, so that the hardware encryption and decryption unit accesses the target storage space based on the access request;
the target storage space is a REE storage space or a TEE storage space.
Specifically, since each REE storage space and each TEE storage space can only be accessed by the corresponding environment and is not open to the outside, every access to a storage space must carry the environment identifier so that the environment can be identified. The environment identifier may include a plurality of flag bits, where an even identifier indicates a REE environment and an odd identifier indicates a TEE environment, or where an odd identifier indicates a REE environment and an even identifier indicates a TEE environment. For example: 00000000 represents the TEE environment in node 0, 00000001 represents the REE environment in node 0, 00000010 represents the TEE environment in node 1, and 00000011 represents the REE environment in node 1. If the flag bits are 8 bits wide, there are at most 128 virtual machines under the same physical machine; if they are 16 bits wide, there are at most 32756 virtual machines under the same physical machine.
Each physical machine is internally provided with a hardware encryption and decryption unit. When the target storage space is accessed, the hardware encryption and decryption unit is called and executes the access logic. There are two kinds of access logic. Each kind effectively protects the content of a virtual machine from being illegally read by other virtual machines in the same physical machine, ensures that the TEE and the REE cannot read each other's memory and disk, and prevents the virtual machine monitor from reading the content of a virtual machine, thereby improving data security to the greatest extent. The REE and the TEE in each node are bound through a software identifier or a hardware identifier, and the virtual machine monitor can correctly forward messages to the REE and the TEE according to the identifier; the REE and the TEE in each node have a unique interaction channel, and the virtual machine monitor correctly forwards the interaction messages between the REE and the TEE in that channel.
1. First kind of access logic
The step S3 includes:
step S31, determining whether the execution environment pointed by the environment identifier corresponds to the target storage space or not based on the environment identifier through the hardware encryption and decryption unit;
step S32, when the execution environment pointed by the environment identifier corresponds to the target storage space, determining a specific access item of the access request through the hardware encryption and decryption unit, and directly accessing the target storage space based on the specific access item;
and step S33, stopping the access operation when the execution environment pointed by the environment identifier is not corresponding to the target storage space.
Further, step S32 includes:
when the specific access item is stored data:
acquiring a data plaintext to be stored from the access request through the hardware encryption and decryption unit;
encrypting the data plaintext by utilizing an encryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data ciphertext;
storing the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the specific access item is read data:
reading out the required data ciphertext from the target storage space through the hardware encryption and decryption unit;
decrypting the data ciphertext by using a decryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data plaintext;
and sending the data plaintext to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit.
Specifically, to avoid access failures that occur when the target storage space is accessed directly, the hardware encryption and decryption unit first judges the validity of the access before the target storage space is accessed, that is, it judges whether the environment identifier corresponds to the target storage space. When the access is illegal, the access operation is prohibited; when it is legal, the corresponding access operation is performed based on the specific access item of the access request. The hardware encryption and decryption unit stores an encryption algorithm and a decryption algorithm, and after it verifies the validity of the access request, the specific access item is executed using these internally stored algorithms. That is, the same encryption algorithm is used for storing data in the TEE storage space and the REE storage space, and the same decryption algorithm is used for reading data from the TEE storage space and the REE storage space. The encryption and decryption algorithms stored in the hardware encryption and decryption unit may include symmetric encryption algorithms such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard); these algorithms are suitable for encrypting and decrypting files with a large amount of data and have good encryption and decryption performance.
2. Second type of access logic
The step S3 comprises the following steps:
step S31', determining specific access matters of the access request through the hardware encryption and decryption unit;
and step S32', acquiring an encryption/decryption algorithm associated with the environment identifier based on the specific access item through the hardware encryption/decryption unit, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier.
Further, step S32' includes:
when the specific access item is stored data:
acquiring an encryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and acquiring a data plaintext to be stored from the access request;
encrypting the data plaintext by the hardware encryption and decryption unit by utilizing an encryption algorithm associated with the environment identifier so as to obtain a data ciphertext;
attempting to store the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, successful storage is realized; otherwise, the storage fails;
when the specific access item is read data:
acquiring a decryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and reading out a required data ciphertext from the target storage space;
attempting, by the hardware encryption and decryption unit, to decrypt the data ciphertext using a decryption algorithm associated with the environment identifier;
when the decryption is successful, the data plaintext obtained after the decryption is sent to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, the decryption is successful; otherwise, the decryption fails.
Specifically, each environment identifier is associated with a pair of encryption and decryption algorithms, and preferably different environment identifiers are associated with different encryption and decryption algorithms. When the specific access item is storing data, the encryption algorithm associated with the environment identifier is acquired; when the specific access item is reading data, the decryption algorithm associated with the environment identifier is acquired. Considering that an execution environment will not access the storage space of other environments, and in order to reduce code redundancy and increase data processing speed, this embodiment does not verify the validity of the access request in advance, but directly accesses the target storage space using the encryption/decryption algorithm specific to the environment identifier. If the environment identifier corresponds to the target storage space, the data can be successfully stored in the target storage space, or the data read from the target storage space can be successfully decrypted, with the acquired encryption/decryption algorithm; otherwise, the access fails.
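The two access logics described above, modelled as an added Python sketch that is not part of the patent text: `access_checked` validates the environment identifier before touching storage, while `access_keyed` skips the check and relies on a key tied to the identifier. Assumptions made here: the identifiers `REE` and `TEE`, all class and function names, different keys standing in for "different algorithms", and an HMAC-based encrypt-then-MAC construction standing in for the hardware cipher so that a read under the wrong key is detected as a failure instead of returning garbage; rejection of a mismatched store under the second logic is not modelled, because the text does not say how it is detected.

```python
import hashlib
import hmac
import os

class AccessDenied(Exception):
    """First logic: the environment identifier does not match the target space (S33)."""

class DecryptionFailed(Exception):
    """Second logic: the ciphertext was not produced under this environment's key."""

def subkeys(key):
    # Separate keys for encryption and authentication, both derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: a standard-library stand-in for an authenticated cipher."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionFailed("ciphertext does not verify under this key")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))

class HardwareCryptoUnit:
    """Model of the per-machine unit that mediates every storage access."""

    def __init__(self):
        self.spaces = {"REE": {}, "TEE": {}}     # storage space -> item name -> ciphertext
        self.shared_key = os.urandom(32)         # first logic: same algorithm for both spaces
        self.env_keys = {"REE": os.urandom(32),  # second logic: one key per identifier
                         "TEE": os.urandom(32)}

    def access_checked(self, env_id, space, item, name, data=None):
        """First access logic (S31 to S33): validate, then access."""
        if env_id != space:                      # S31: does the identifier own the space?
            raise AccessDenied(f"{env_id} may not access the {space} storage space")
        return self._access(self.shared_key, space, item, name, data)   # S32

    def access_keyed(self, env_id, space, item, name, data=None):
        """Second access logic (S31' and S32'): no pre-check, key chosen by identifier."""
        return self._access(self.env_keys[env_id], space, item, name, data)

    def _access(self, key, space, item, name, data):
        if item == "store":
            self.spaces[space][name] = seal(key, data)
            return None
        if item == "read":
            return unseal(key, self.spaces[space][name])
        raise ValueError(f"unknown access item: {item}")

if __name__ == "__main__":
    unit = HardwareCryptoUnit()
    unit.access_keyed("TEE", "TEE", "store", "algorithm", b"constructed sample data")
    print(unit.access_keyed("TEE", "TEE", "read", "algorithm"))
    try:
        unit.access_keyed("REE", "TEE", "read", "algorithm")
    except DecryptionFailed as exc:
        print("REE read of TEE space:", exc)
```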
As an alternative embodiment, a part of the storage medium of the physical machine is reserved as a plaintext storage space, and data with a lower security level may be stored in the plaintext storage space. Specifically, the plaintext storage space is marked with an identifier, and the REE or the TEE can access the plaintext storage space directly, without going through the hardware encryption and decryption unit and without performing data encryption or decryption. For example, to better enable interactive communication between the REE and the TEE, the REE may store data that does not require confidentiality in the plaintext storage space, and the TEE may read the data directly from that space.
Identity verification, and authorization to use software functions after verification has passed, are very important parts of using software services. Existing identity verification methods are mainly static password verification, time-based one-time password verification and verification based on hardware information. Static password verification binds a pre-registered user name to a fixed password and verifies the user name and password entered by the user against this binding relation. Time-based one-time password verification covers verification modes such as receiving a short message verification code or scanning a two-dimensional code. Verification based on hardware information generates summary information from the hardware information of each computer and sends a copy of the summary information to an authorizer; the authorizer verifies it, generates a time-limited key, and then sends a copy of the key to the software user to complete identity verification and authorization to use the software functions. The inventors found through research that the existing identity verification methods are not sufficiently secure and are easy to crack.
Based on this, the inventors provide a method as described in the following second embodiment to improve the security of identity verification.
Example two
The second embodiment of the present invention provides a data processing method, and part of the steps of the second embodiment are identical to those of the first embodiment, and corresponding technical features and technical effects are not described in detail in the present embodiment, and reference is made to the first embodiment for relevant points. Specifically, fig. 3 shows a flowchart of a data processing method provided in the second embodiment. As shown in fig. 3, the data processing method may include steps B1 to B7, where:
step B1, reading a first public key and a key pair identifier from a corresponding TEE storage space through the TEE;
step B2, generating a verification file ciphertext by the TEE through the first public key;
step B3, sending a verification request containing the verification file ciphertext and the key pair identifier to an authorization terminal through the TEE, so that the authorization terminal searches a first private key and a second public key by using the key pair identifier and decrypts the verification file ciphertext by using the first private key;
step B4, receiving a verification result ciphertext encrypted by a second public key returned by the authorization terminal through the TEE, reading a second private key from a corresponding TEE storage space, decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext, and sending the verification result plaintext to the REE;
step B5, when the verification result plaintext is analyzed to represent that verification passes, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
step B6, decrypting the parameter ciphertext through the TEE to obtain a parameter plaintext;
and B7, accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext.
The authorization terminal stores a plurality of keys and key identifications of each key, each key pair comprises two keys, and each key comprises a public key and a private key; the REE storage space is only accessible by the corresponding REE, and the TEE storage space is only accessible by the corresponding TEE.
Specifically, the authorization terminal generates a plurality of keys in advance and determines N key pairs from these keys, where each key pair comprises two keys, each key comprises a public key and a private key, and N is the total number of nodes in the cluster. A key pair may be determined by selecting two keys from the plurality of keys, or by designating two keys, to form the key pair.
For each key pair, the authorization terminal sends the public key of one key, the private key of the other key and the key pair identifier to the TA part of a node; that is, it sends the first public key, the second private key and the key pair identifier to the TA part of the node, and the TA part stores the received data in the corresponding TEE storage space. The key pair identifier includes the key identifier of each key in the key pair. Different nodes may use the same key pair or different key pairs. For example, if there are 100 nodes in the cluster and the authorization terminal generates 5 keys, at most 10 key pairs can be combined; these 10 key pairs are sent to the 100 nodes, so different nodes necessarily share the same key pair. If the authorization terminal generates 200 keys, the 100 nodes may use different key pairs.
When identity verification is required, the REE collects REE environment information and the TEE collects TEE environment information. Because the TEE is a trusted environment, the verification file must be generated by the TEE, and the TEE must carry out the interaction with the authorization terminal. Therefore, the REE forwards the collected REE environment information to the TEE, and the TEE encrypts the REE environment information and the TEE environment information with the first public key to generate a verification file ciphertext. In other words, step B2 includes: collecting REE environment information through the REE, and sending the REE environment information to the TEE; and collecting the TEE environment information through the TEE, and encrypting the REE environment information and the TEE environment information by using the first public key to obtain a verification file ciphertext. The REE environment information comprises physical machine hardware information, SN code, CPU code, BIOS mainboard number, network card, operating system version and the like of the CA part, and the TEE environment information comprises physical machine hardware information, SN code, CPU code, BIOS mainboard number, network card, operating system version and the like of the TA part. The encryption of the REE environment information and the TEE environment information by the TEE based on the first public key may be performed as follows: the TEE acquires an encryption algorithm, encrypts the REE environment information and the TEE environment information by using the first public key and the encryption algorithm, and generates a verification file ciphertext. Further, the TEE sends the verification file ciphertext, the encryption identifier of the encryption algorithm, and the key pair identifier to the authorization terminal.
The authorization terminal locally stores each previously generated key and the key identifier of each key, and also stores a plurality of encryption and decryption identifiers and the encryption and decryption algorithm corresponding to each encryption and decryption identifier. The authorization terminal locates the key pair using the key pair identifier sent by the TEE, locates within the key pair the key to which the first public key belongs, extracts the first private key from that key, and then decrypts the verification file ciphertext by using the first private key and the decryption algorithm corresponding to the encryption identifier to obtain the verification file plaintext. The authorization terminal verifies the verification file plaintext, generates a verification result plaintext, acquires the second public key from the other key of the key pair, encrypts the verification result plaintext by using the second public key and the encryption algorithm corresponding to the received encryption identifier to obtain a verification result ciphertext, and sends the verification result ciphertext to the TEE.
The TEE decrypts the verification result ciphertext based on the second private key stored in advance and a decryption algorithm corresponding to the encryption identifier, and obtains a verification result plaintext. When the verification result plaintext represents the allowed use, the software installed on the node can be used in the allowed use time, otherwise, the software cannot be used. The encryption and decryption algorithm in this embodiment may include asymmetric encryption algorithms such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), and the algorithms are suitable for encrypting and decrypting data with smaller data size, and have higher encryption and decryption security.
In this embodiment, the TEE interacts with the authorization terminal using the key pair to complete the identity verification logic. On the one hand, the security of the verification process is improved by the trustworthiness of the TEE; on the other hand, the security of information transfer is improved by the key-pair-based verification mode.
Example III
The third embodiment of the present invention provides a data processing method, and part of the steps of the third embodiment are identical to those of the first embodiment, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference is made to the first embodiment for relevant points. Specifically, fig. 4 shows a flowchart of a data processing method provided in the third embodiment. As shown in fig. 4, the data processing method may include steps C1 to C7, where the cluster to which the node belongs includes a plurality of master nodes, and a third key including a third public key and a third private key is generated by a master node; wherein:
step C1, receiving the third public key sent by the master node through the REE, and storing the third public key into a corresponding REE storage space;
step C2, receiving the third private key sent by the master node through the TEE, and storing the third public key into a corresponding TEE storage space;
step C3, receiving a parameter plaintext storage request through the REE, encrypting the parameter plaintext by using the third public key to obtain the parameter ciphertext, and storing the parameter ciphertext into a corresponding REE storage space;
step C4, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
step C5, decrypting the parameter ciphertext by the TEE through the third private key to obtain a parameter plaintext;
and C6, accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext.
The REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
Specifically, the cluster includes a plurality of master nodes, a third key including a third public key and a third private key is generated by a master node, the third public key is sent to CAs in the TEE environment in all nodes, and the third private key is sent to TAs in the TEE environment in all nodes. When the cluster comprises a plurality of main nodes, the main nodes cooperate with each other to determine that a certain main node executes the operation; alternatively, all the master nodes collect respective information, send the information to a certain master node, and the master node performs the above operation.
The parameter plaintext described in this embodiment refers to a parameter that is required to run the target algorithm and is not encrypted. When the parameter plaintext is stored, the REE encrypts the parameter plaintext based on the third public key, and then the obtained parameter ciphertext is stored in the REE storage space. When the target algorithm needs to be operated, the TEE decrypts the parameter ciphertext by using a third private key, operates the target algorithm based on the obtained parameter plaintext, and sends an operation result to the REE. In the embodiment, the REE and the TEE encrypt and decrypt the parameters by using the third public key and the third private key, so that confidentiality of data storage and reading is realized.
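The message flow of steps B1 to B7 in the second embodiment, combined with the parameter handling of steps C1 to C6 in this embodiment, is shown below as an added Python sketch with both the node and the authorization terminal; it is not code from the patent. Assumptions made here: all class, method and field names, the key identifiers `k1` and `k2`, an allow-list as the terminal's verification rule, the use of the third key to protect the parameters checked in B5 to B7, and textbook RSA over small known primes as a runnable stand-in for RSA or ECC with proper padding.

```python
import json

E = 65537    # public exponent for the toy RSA below
BLOCK = 16   # plaintext bytes per block, smaller than every modulus used here

def make_key(p, q):
    """Textbook RSA from two primes; returns (public, private). Toy stand-in only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def encrypt(public, data):
    n, e = public
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # The leading 0x01 byte keeps each chunk's length through the integer round trip.
    return [pow(int.from_bytes(b"\x01" + c, "big"), e, n) for c in chunks]

def decrypt(private, blocks):
    n, d = private
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out

# Constructed keys from known Mersenne primes: far too small for real use.
KEYS = {"k1": make_key(2**127 - 1, 2**89 - 1),    # first public / first private key
        "k2": make_key(2**107 - 1, 2**61 - 1)}    # second public / second private key
THIRD_PUBLIC, THIRD_PRIVATE = make_key(2**521 - 1, 2**607 - 1)  # generated by a master node

class AuthorizationTerminal:
    def __init__(self, keys, registered):
        self.keys = keys              # key identifier -> (public, private)
        self.registered = registered  # assumed allow-list of environment information

    def handle(self, request):
        first_id, second_id = request["key_pair_id"]
        if first_id not in self.keys or second_id not in self.keys:
            raise KeyError("unknown key pair identifier")
        first_private = self.keys[first_id][1]
        second_public = self.keys[second_id][0]
        env = json.loads(decrypt(first_private, request["verification_file"]))
        result = {"pass": env in self.registered}
        return encrypt(second_public, json.dumps(result).encode())

class Node:
    def __init__(self, pair_id, ree_info, tee_info, target_algorithm):
        first_id, second_id = pair_id
        self.tee_storage = {                      # readable by the TEE only
            "first_public": KEYS[first_id][0],    # provisioned by the authorization terminal
            "second_private": KEYS[second_id][1],
            "key_pair_id": pair_id,
            "third_private": THIRD_PRIVATE,
            "target_algorithm": target_algorithm,
        }
        self.ree_storage = {"third_public": THIRD_PUBLIC}   # step C1
        self.ree_info, self.tee_info = ree_info, tee_info

    def ree_store_parameters(self, params):       # step C3
        data = json.dumps(params).encode()
        self.ree_storage["params"] = encrypt(self.ree_storage["third_public"], data)

    def tee_build_request(self):                  # steps B1 to B3
        env = json.dumps({"ree": self.ree_info, "tee": self.tee_info}).encode()
        return {"verification_file": encrypt(self.tee_storage["first_public"], env),
                "key_pair_id": self.tee_storage["key_pair_id"]}

    def tee_read_result(self, result_ciphertext): # step B4
        plain = decrypt(self.tee_storage["second_private"], result_ciphertext)
        return json.loads(plain)

    def run(self, terminal):
        result = self.tee_read_result(terminal.handle(self.tee_build_request()))
        if not result["pass"]:                    # B5: nothing is released on failure
            return None
        param_ct = self.ree_storage["params"]     # B5 / C4: REE forwards the ciphertext
        params = json.loads(decrypt(self.tee_storage["third_private"], param_ct))  # B6 / C5
        return self.tee_storage["target_algorithm"](**params)                      # B7 / C6

if __name__ == "__main__":
    ree = {"sn": "SN-EXAMPLE-0001", "os": "example-os 1.0"}     # constructed values
    tee = {"sn": "SN-EXAMPLE-0001", "cpu": "CPU-EXAMPLE-01"}
    terminal = AuthorizationTerminal(KEYS, [{"ree": ree, "tee": tee}])
    node = Node(("k1", "k2"), ree, tee, lambda a, b: a * b)
    node.ree_store_parameters({"a": 6, "b": 7})
    print(node.run(terminal))
```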
Example IV
A fourth embodiment of the present invention provides a security verification system, which corresponds to the methods provided in the first, second and third embodiments, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference is made to the foregoing embodiments for relevant points. Specifically, fig. 5 shows a block diagram of a security verification system according to a fourth embodiment of the present invention. As shown in fig. 5, the security verification system 500 may include a request cluster 501 and an authorization terminal 502, the request cluster 501 including a plurality of request nodes 5011, each request node 5011 including a general execution environment REE and a trusted execution environment TEE, wherein:
The request node 5011 reads a first public key and a key pair identifier from a corresponding TEE storage space through the included TEE; generating a verification file ciphertext by using the first public key, and sending a verification request containing the verification file ciphertext and the key pair identifier to the authorization terminal 502;
the authorization terminal 502 receives and parses the verification request to obtain the verification file ciphertext and the key pair identifier; screening key pairs associated with the key pair identification from a plurality of pre-stored keys; decrypting the verification file ciphertext by using a first private key in the screened key pair to obtain a verification file plaintext; verifying the plaintext of the verification file and generating a verification result plaintext; encrypting the verification result plaintext by using a second public key in the screened key pair to obtain a verification result ciphertext; sending the verification result ciphertext to the requesting node 5011;
the request node 5011 receives the verification result ciphertext through the included TEE, and reads a second private key from the corresponding TEE storage space; decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext; sending the verification result plaintext to the REE;
When the verification result plaintext is analyzed to represent that verification passes, the request node 5011 accesses a corresponding REE storage space through the contained REE, reads a parameter ciphertext required by an operation target algorithm from the REE storage space, and sends the parameter ciphertext to the TEE;
the request node 5011 decrypts the parameter ciphertext through the included TEE to obtain a parameter plaintext; accessing a corresponding TEE storage space, reading the target algorithm from the TEE storage space, and running the target algorithm based on the parameter plaintext;
each key pair comprises two keys, each key comprises a public key and a private key, the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
Example five
A fifth embodiment of the present invention provides a data processing apparatus, where the apparatus corresponds to the methods described in the first to third embodiments, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference is made to the first to third embodiments for relevant points. Specifically, fig. 6 shows a block diagram of a data processing apparatus provided in the fifth embodiment. Wherein the data processing apparatus 600 comprises:
The reading module 601 is configured to access a corresponding REE storage space through the REE, read a parameter ciphertext required by an operation target algorithm from the REE storage space, and send the parameter ciphertext to the TEE;
the decryption module 602 is configured to decrypt the parameter ciphertext through the TEE to obtain a parameter plaintext;
an operation module 603, configured to access, through the TEE, a corresponding TEE storage space, read the target algorithm from the TEE storage space, and operate the target algorithm using the parameter plaintext;
the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
Optionally, the reading module is further configured to:
acquiring an environment identifier of the current execution environment through the REE;
generating an access request containing the environment identifier through the REE;
sending the access request to a preset hardware encryption and decryption unit through the REE so that the hardware encryption and decryption unit accesses the target storage space based on the access request;
the target storage space is a REE storage space or a TEE storage space.
Optionally, when the reading module sends the access request to a preset hardware encryption and decryption unit through the REE so that the hardware encryption and decryption unit accesses the target storage space based on the access request, the reading module is specifically configured to:
determining whether an execution environment pointed by the environment identifier corresponds to the target storage space or not based on the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, determining specific access matters of the access request through the hardware encryption and decryption unit, and directly accessing the target storage space based on the specific access matters;
and stopping the access operation when the execution environment pointed by the environment identifier is not corresponding to the target storage space.
Optionally, when the execution environment pointed by the environment identifier corresponds to the target storage space and the reading module, through the hardware encryption and decryption unit, determines a specific access item of the access request and directly accesses the target storage space based on the specific access item, the reading module is specifically configured to:
when the specific access item is stored data:
acquiring a data plaintext to be stored from the access request through the hardware encryption and decryption unit;
encrypting the data plaintext by utilizing an encryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data ciphertext;
storing the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the specific access item is read data:
reading out the required data ciphertext from the target storage space through the hardware encryption and decryption unit;
decrypting the data ciphertext by using a decryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data plaintext;
and sending the data plaintext to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit.
Optionally, when the reading module sends the access request to a preset hardware encryption and decryption unit through the REE so that the hardware encryption and decryption unit accesses the target storage space based on the access request, the reading module is specifically configured to:
determining specific access matters of the access request through the hardware encryption and decryption unit;
and acquiring an encryption/decryption algorithm associated with the environment identifier based on the specific access item through the hardware encryption/decryption unit, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier.
Optionally, when the reading module acquires, through the hardware encryption and decryption unit, the encryption/decryption algorithm associated with the environment identifier based on the specific access item, and attempts to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier, the reading module is specifically configured to:
when the specific access item is stored data:
acquiring an encryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and acquiring a data plaintext to be stored from the access request;
encrypting the data plaintext by the hardware encryption and decryption unit by utilizing an encryption algorithm associated with the environment identifier so as to obtain a data ciphertext;
attempting to store the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, successful storage is realized; otherwise, the storage fails;
when the specific access item is read data:
acquiring a decryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and reading out a required data ciphertext from the target storage space;
attempting, by the hardware encryption and decryption unit, to decrypt the data ciphertext using a decryption algorithm associated with the environment identifier;
when the decryption is successful, the data plaintext obtained after the decryption is sent to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, the decryption is successful; otherwise, the decryption fails.
Optionally, the operation module is further configured to:
acquiring an environment identifier of the current execution environment through the TEE;
generating an access request containing the environment identifier through the TEE;
sending the access request to a preset hardware encryption and decryption unit through the TEE so that the hardware encryption and decryption unit accesses the target storage space based on the access request;
the target storage space is a REE storage space or a TEE storage space.
Optionally, when the operation module sends the access request to a preset hardware encryption and decryption unit through the TEE, so that the hardware encryption and decryption unit accesses the target storage space based on the access request, the operation module is specifically configured to:
determining whether an execution environment pointed by the environment identifier corresponds to the target storage space or not based on the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, determining specific access matters of the access request through the hardware encryption and decryption unit, and directly accessing the target storage space based on the specific access matters;
and stopping the access operation when the execution environment pointed by the environment identifier is not corresponding to the target storage space.
Optionally, when the execution environment pointed by the environment identifier corresponds to the target storage space and the operation module, through the hardware encryption and decryption unit, determines a specific access item of the access request and directly accesses the target storage space based on the specific access item, the operation module is specifically configured to:
when the specific access item is stored data:
acquiring a data plaintext to be stored from the access request through the hardware encryption and decryption unit;
encrypting the data plaintext by utilizing an encryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data ciphertext;
storing the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the specific access item is read data:
reading out the required data ciphertext from the target storage space through the hardware encryption and decryption unit;
decrypting the data ciphertext by using a decryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data plaintext;
and sending the data plaintext to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit.
Optionally, when the operation module sends the access request to a preset hardware encryption and decryption unit through the TEE, so that the hardware encryption and decryption unit accesses the target storage space based on the access request, the operation module is specifically configured to:
determining specific access matters of the access request through the hardware encryption and decryption unit;
and acquiring an encryption/decryption algorithm associated with the environment identifier based on the specific access item through the hardware encryption/decryption unit, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier.
Optionally, when the operation module acquires, through the hardware encryption and decryption unit, an encryption/decryption algorithm associated with the environment identifier based on the specific access item, and attempts to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier, the operation module is specifically configured to:
when the specific access item is stored data:
acquiring an encryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and acquiring a data plaintext to be stored from the access request;
encrypting the data plaintext by the hardware encryption and decryption unit by utilizing an encryption algorithm associated with the environment identifier so as to obtain a data ciphertext;
attempting to store the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, successful storage is realized; otherwise, the storage fails;
when the specific access item is read data:
acquiring a decryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and reading out a required data ciphertext from the target storage space;
attempting, by the hardware encryption and decryption unit, to decrypt the data ciphertext using a decryption algorithm associated with the environment identifier;
when the decryption is successful, the data plaintext obtained after the decryption is sent to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, the decryption is successful; otherwise, the decryption fails.
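The two access variants described above (an explicit environment check in front of one unit-wide cipher, and a cipher selected by the environment identifier so that a mismatched access fails on its own) can be modelled as follows. This is an added example, not code from the patent: the HMAC-based cipher, the per-space header used to reject mismatched stores, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

REE, TEE = "REE", "TEE"  # environment identifiers (constructed values)


class AccessDenied(Exception):
    """The unit stopped the access or could not complete it."""


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the unit's unspecified cipher (assumption)."""
    nonce = secrets.token_bytes(16)
    pad = _stream(_prf(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, pad))
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise AccessDenied when the key does not fit."""
    if len(blob) < 48:
        raise AccessDenied("truncated ciphertext")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise AccessDenied("decryption failed")
    pad = _stream(_prf(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, pad))


class HardwareCryptoUnit:
    """Model of the unit; keyed_by_environment=True selects the second variant."""

    def __init__(self, keyed_by_environment: bool):
        self.keyed_by_environment = keyed_by_environment
        self._unit_key = secrets.token_bytes(32)
        self._env_keys = {REE: secrets.token_bytes(32), TEE: secrets.token_bytes(32)}
        self._spaces = {REE: {}, TEE: {}}
        # Assumption: each space has a header sealed under its owner's key, so a
        # store attempted under another environment's key is detected and fails.
        self._headers = {env: seal(k, env.encode()) for env, k in self._env_keys.items()}

    def _key_for(self, env_id: str, space: str) -> bytes:
        if env_id not in self._env_keys or space not in self._spaces:
            raise AccessDenied("unknown environment or storage space")
        if self.keyed_by_environment:
            return self._env_keys[env_id]  # no explicit check; the key decides
        if env_id != space:  # explicit correspondence check, then stop
            raise AccessDenied("environment does not correspond to space")
        return self._unit_key

    def handle(self, request: dict):
        space, name = request["space"], request["name"]
        key = self._key_for(request["env_id"], space)
        if request["op"] == "store":
            if self.keyed_by_environment:
                unseal(key, self._headers[space])  # raises for a foreign key
            self._spaces[space][name] = seal(key, request["data"])
            return None
        if request["op"] == "read":
            if name not in self._spaces[space]:
                raise AccessDenied("no such record")
            return unseal(key, self._spaces[space][name])
        raise AccessDenied("unsupported access item")

    def raw(self, space: str, name: str) -> bytes:
        """What an observer of the storage medium itself would see."""
        return self._spaces[space][name]


def demo(keyed_by_environment: bool) -> dict:
    unit = HardwareCryptoUnit(keyed_by_environment)
    secret = b"target-algorithm-v1"  # constructed sample data
    base = {"space": TEE, "name": "algo", "data": secret}
    unit.handle({**base, "env_id": TEE, "op": "store"})
    results = {}
    for op in ("read", "store"):  # REE tries to reach the TEE storage space
        try:
            unit.handle({**base, "env_id": REE, "op": op, "data": b"overwrite"})
            results["ree_" + op] = "allowed"
        except AccessDenied as exc:
            results["ree_" + op] = str(exc)
    results["tee_read"] = unit.handle({**base, "env_id": TEE, "op": "read"})
    results["stored_is_ciphertext"] = secret not in unit.raw(TEE, "algo")
    return results


if __name__ == "__main__":
    for variant in (False, True):
        print(variant, demo(variant))
```

In both variants the final TEE read still returns the original record, which shows that the rejected REE store did not overwrite it.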
Optionally, when the reading module accesses the corresponding REE storage space through the REE, reads the parameter ciphertext required by the operation target algorithm from the REE storage space, and sends the parameter ciphertext to the TEE, the reading module is specifically configured to:
reading a first public key and a key pair identifier from a corresponding TEE storage space through the TEE;
generating a verification file ciphertext by the TEE through the first public key;
sending a verification request containing the verification file ciphertext and the key pair identifier to an authorization terminal through the TEE, so that the authorization terminal searches a first private key and a second public key by using the key pair identifier and decrypts the verification file ciphertext by using the first private key;
receiving a verification result ciphertext encrypted by a second public key returned by the authorization terminal through the TEE, reading a second private key from a corresponding TEE storage space, decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext, and sending the verification result plaintext to the REE;
when the verification result plaintext is analyzed to represent that verification passes, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
the authorization terminal stores a plurality of keys and a key identifier of each key, each key pair comprises two keys, and each key comprises a public key and a private key.
Optionally, the reading module is specifically configured to, when executing the generation of the verification file ciphertext by the TEE using the first public key:
collecting REE environment information through the REE, and sending the REE environment information to the TEE;
and collecting the TEE environment information through the TEE, and encrypting the REE environment information and the TEE environment information by using the first public key to obtain a verification file ciphertext.
Optionally, the cluster to which the device belongs includes a plurality of master nodes, and a third key including a third public key and a third private key is generated by a master node;
the apparatus further comprises:
the first receiving module is used for receiving the third public key sent by the master node through the REE and storing the third public key into a corresponding REE storage space;
the second receiving module is used for receiving the third private key sent by the main node through the TEE and storing the third public key into a corresponding TEE storage space;
the third receiving module is used for receiving a parameter plaintext storage request through the REE, encrypting the parameter plaintext by utilizing the third public key to obtain the parameter ciphertext, and storing the parameter ciphertext into a corresponding REE storage space;
the decryption module is specifically configured to, when executing decryption on the parameter ciphertext through the TEE to obtain a parameter plaintext:
and decrypting the parameter ciphertext by the TEE through the third private key to obtain a parameter plaintext.
Example six
Fig. 7 shows a block diagram of a computer device adapted to implement a data processing method according to a sixth embodiment of the present invention. In this embodiment, the computer device 700 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack-mounted server, a blade server, a tower server, or a rack-mounted server (including a stand-alone server or a server cluster formed by a plurality of servers), etc. for executing the program. As shown in Fig. 7, the computer device 700 of the present embodiment includes at least, but is not limited to: a memory 701, a processor 702, and a network interface 703 that may be communicatively coupled to each other via a system bus. It is noted that Fig. 7 only shows a computer device 700 having components 701-703, but it is to be understood that not all of the illustrated components are required to be implemented, and that more or fewer components may be implemented instead.
In this embodiment, the memory 701 includes at least one type of computer-readable storage medium, including flash memory, hard disk, multimedia card, card memory (e.g., SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the memory 701 may be an internal storage unit of the computer device 700, such as a hard disk or memory of the computer device 700. In other embodiments, the memory 701 may also be an external storage device of the computer device 700, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash memory card provided on the computer device 700. Of course, the memory 701 may also include both internal storage units of the computer device 700 and external storage devices. In the present embodiment, the memory 701 is typically used to store an operating system and various types of application software installed on the computer device 700, such as the program code of a data processing method.
In some embodiments, the processor 702 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip. The processor 702 is generally used to control the overall operation of the computer device 700, for example performing control and processing related to data interaction or communication with the computer device 700. In this embodiment, the processor 702 is used for executing the program code of the steps of a data processing method stored in the memory 701.
In this embodiment, the data processing method stored in the memory 701 may also be divided into one or more program modules and executed by one or more processors (the processor 702 in this embodiment) to complete the present invention.
The network interface 703 may include a wireless network interface or a wired network interface, and is typically used to establish a communication link between the computer device 700 and other computer devices. For example, the network interface 703 is used to connect the computer device 700 to an external terminal through a network, and to establish a data transmission channel and a communication link between the computer device 700 and the external terminal. The network may be a wireless or wired network such as an intranet, the Internet, Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth, Wi-Fi, etc.
Example seven
The present embodiment also provides a computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., having stored thereon a computer program that when executed by a processor implements the steps of a data processing method.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented in a general purpose computing device, and may be concentrated on a single computing device or distributed across a network of computing devices. Alternatively, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices. In some cases, the steps shown or described may be performed in a different order than what is shown or described, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated into a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
It should be noted that the embodiment numbers of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments. The above embodiments can be freely combined, and the separately set embodiments do not impose any limitation on the combination between the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by means of software plus a necessary general hardware platform, and may of course also be implemented by means of hardware, but in many cases the former is the preferred implementation.
The foregoing describes only the preferred embodiments of the present invention and is not intended to limit the scope of the invention. Any equivalent structure or equivalent process derived from what is disclosed herein, whether employed directly or indirectly in other related arts, is likewise covered.

Claims (9)

1. A data processing method applied to a node comprising a general execution environment, REE, and a trusted execution environment, TEE, the method comprising:
accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
decrypting the parameter ciphertext through the TEE to obtain a parameter plaintext;
accessing a corresponding TEE storage space through the TEE, reading the target algorithm from the TEE storage space, and running the target algorithm by utilizing the parameter plaintext;
wherein the REE storage space is only accessible by the corresponding REE, and the TEE storage space is only accessible by the corresponding TEE;
the accessing the corresponding REE storage space through the REE, reading the parameter ciphertext required by the operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE includes:
reading a first public key and a key pair identifier from a corresponding TEE storage space through the TEE;
generating a verification file ciphertext by the TEE through the first public key;
sending a verification request containing the verification file ciphertext and the key pair identifier to an authorization terminal through the TEE, so that the authorization terminal searches a first private key and a second public key by using the key pair identifier and decrypts the verification file ciphertext by using the first private key;
receiving a verification result ciphertext encrypted by a second public key returned by the authorization terminal through the TEE, reading a second private key from a corresponding TEE storage space, decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext, and sending the verification result plaintext to the REE;
when the verification result plaintext is analyzed to represent that verification passes, accessing a corresponding REE storage space through the REE, reading a parameter ciphertext required by an operation target algorithm from the REE storage space, and sending the parameter ciphertext to the TEE;
the authorization terminal stores a plurality of keys and a key identifier of each key, each key pair comprises two keys, and each key comprises a public key and a private key.
2. The method of claim 1, wherein accessing the target storage space through the REE or the TEE comprises:
acquiring an environment identifier of the current execution environment;
generating an access request containing the environment identifier;
sending the access request to a preset hardware encryption and decryption unit so that the hardware encryption and decryption unit accesses the target storage space based on the access request;
the target storage space is a REE storage space or a TEE storage space.
3. The method of claim 2, wherein the sending the access request to a preset hardware encryption and decryption unit, so that the hardware encryption and decryption unit accesses the target storage space based on the access request comprises:
determining whether an execution environment pointed by the environment identifier corresponds to the target storage space or not based on the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, determining specific access matters of the access request through the hardware encryption and decryption unit, and directly accessing the target storage space based on the specific access matters;
and stopping the access operation when the execution environment pointed by the environment identifier is not corresponding to the target storage space.
4. The method of claim 3, wherein when the execution environment pointed to by the environment identifier corresponds to the target storage space, determining, by the hardware encryption/decryption unit, a specific access item of the access request, and directly accessing the target storage space based on the specific access item comprises:
when the specific access item is stored data:
acquiring a data plaintext to be stored from the access request through the hardware encryption and decryption unit;
encrypting the data plaintext by utilizing an encryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data ciphertext;
storing the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the specific access item is read data:
reading out the required data ciphertext from the target storage space through the hardware encryption and decryption unit;
decrypting the data ciphertext by using a decryption algorithm stored in the hardware encryption and decryption unit so as to obtain a data plaintext;
and sending the data plaintext to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit.
5. The method of claim 2, wherein the sending the access request to a preset hardware encryption and decryption unit, so that the hardware encryption and decryption unit accesses the target storage space based on the access request comprises:
determining specific access matters of the access request through the hardware encryption and decryption unit;
and acquiring an encryption/decryption algorithm associated with the environment identifier based on the specific access item through the hardware encryption/decryption unit, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier.
6. The method of claim 5, wherein the obtaining, by the hardware encryption and decryption unit, an encryption/decryption algorithm associated with the environment identifier based on the specific access item, and attempting to access the target storage space based on the encryption/decryption algorithm associated with the environment identifier comprises:
when the specific access item is stored data:
acquiring an encryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and acquiring a data plaintext to be stored from the access request;
encrypting the data plaintext by the hardware encryption and decryption unit by utilizing an encryption algorithm associated with the environment identifier so as to obtain a data ciphertext;
attempting to store the data ciphertext into the target storage space through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, successful storage is realized; otherwise, the storage fails;
when the specific access item is read data:
acquiring a decryption algorithm associated with the environment identifier through the hardware encryption and decryption unit, and reading out a required data ciphertext from the target storage space;
attempting, by the hardware encryption and decryption unit, to decrypt the data ciphertext using a decryption algorithm associated with the environment identifier;
when the decryption is successful, the data plaintext obtained after the decryption is sent to the execution environment pointed by the environment identifier through the hardware encryption and decryption unit;
when the execution environment pointed by the environment identifier corresponds to the target storage space, the decryption is successful; otherwise, the decryption fails.
7. The method of claim 1, wherein the generating, by the TEE, a verification file ciphertext using the first public key comprises:
collecting REE environment information through the REE, and sending the REE environment information to the TEE;
and collecting the TEE environment information through the TEE, and encrypting the REE environment information and the TEE environment information by using the first public key to obtain a verification file ciphertext.
8. The method according to claim 1, wherein the cluster to which the node belongs includes a plurality of master nodes, and a third key including a third public key and a third private key is generated by a master node;
the method comprises the following steps:
receiving the third public key sent by the master node through the REE, and storing the third public key into a corresponding REE storage space;
receiving the third private key sent by the master node through the TEE, and storing the third public key into a corresponding TEE storage space;
receiving a parameter plaintext storage request through the REE, encrypting the parameter plaintext by using the third public key to obtain the parameter ciphertext, and storing the parameter ciphertext into a corresponding REE storage space;
the decrypting the parameter ciphertext by the TEE to obtain a parameter plaintext includes:
and decrypting the parameter ciphertext by the TEE through the third private key to obtain a parameter plaintext.
9. A security verification system, the system comprising a request cluster and an authorization terminal, the request cluster comprising a plurality of request nodes, each request node comprising a generic execution environment, REE, and a trusted execution environment, TEE, wherein:
the request node reads a first public key and a key pair identifier from a corresponding TEE storage space through the contained TEE; generating a verification file ciphertext by using the first public key, and sending a verification request containing the verification file ciphertext and the key pair identifier to the authorization terminal;
the authorization terminal receives and analyzes the verification request to obtain the verification file ciphertext and the key pair identifier; screening key pairs associated with the key pair identification from a plurality of pre-stored keys; decrypting the verification file ciphertext by using a first private key in the screened key pair to obtain a verification file plaintext; verifying the plaintext of the verification file and generating a verification result plaintext; encrypting the verification result plaintext by using a second public key in the screened key pair to obtain a verification result ciphertext; sending the verification result ciphertext to the request node;
the request node receives the verification result ciphertext through the contained TEE and reads a second private key from the corresponding TEE storage space; decrypting the verification result ciphertext by using the second private key to obtain a verification result plaintext; sending the verification result plaintext to the REE;
when the verification result plaintext is analyzed to represent that verification passes, the request node accesses a corresponding REE storage space through the contained REE, reads a parameter ciphertext required by an operation target algorithm from the REE storage space, and sends the parameter ciphertext to the TEE;
the request node decrypts the parameter ciphertext through the contained TEE so as to obtain a parameter plaintext; accessing a corresponding TEE storage space, reading the target algorithm from the TEE storage space, and running the target algorithm based on the parameter plaintext;
each key pair comprises two keys, each key comprises a public key and a private key, the REE storage space can only be accessed by the corresponding REE, and the TEE storage space can only be accessed by the corresponding TEE.
CN202310826580.9A 2023-07-07 2023-07-07 Data processing method and security verification system Active CN116566744B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310826580.9A CN116566744B (en) 2023-07-07 2023-07-07 Data processing method and security verification system

Publications (2)

Publication Number Publication Date
CN116566744A CN116566744A (en) 2023-08-08
CN116566744B true CN116566744B (en) 2023-09-22

Family

ID=87491870

Country Status (1)

Country Link
CN (1) CN116566744B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant