CN117786758B - Trusted execution environment-based secret database system and electronic equipment - Google Patents
Trusted execution environment-based secret database system and electronic equipment Download PDFInfo
- Publication number
- CN117786758B CN117786758B CN202410214055.6A CN202410214055A CN117786758B CN 117786758 B CN117786758 B CN 117786758B CN 202410214055 A CN202410214055 A CN 202410214055A CN 117786758 B CN117786758 B CN 117786758B
- Authority
- CN
- China
- Prior art keywords
- user
- target
- data
- key
- database system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012545 processing Methods 0.000 claims abstract description 35
- 238000004422 calculation algorithm Methods 0.000 claims description 18
- 238000013507 mapping Methods 0.000 claims description 6
- 238000012795 verification Methods 0.000 claims description 5
- 238000007726 management method Methods 0.000 description 69
- 238000000034 method Methods 0.000 description 19
- 238000004590 computer program Methods 0.000 description 11
- 238000004364 calculation method Methods 0.000 description 10
- 230000006870 function Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 7
- 238000004891 communication Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 4
- 238000010168 coupling process Methods 0.000 description 4
- 238000005859 coupling reaction Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 2
- 238000011217 control strategy Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000013508 migration Methods 0.000 description 2
- 230000005012 migration Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000001537 neural effect Effects 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000005215 recombination Methods 0.000 description 1
- 230000006798 recombination Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The application discloses a confidential database system and electronic equipment based on a trusted execution environment, wherein the confidential database system comprises a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, wherein the key generation center is used for carrying out system initialization, generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing; the key management module is used for receiving user information submitted by a user, wherein the user information comprises at least one of the following components: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string; the key generation center is also used for calculating according to the public parameters and the user information to obtain a private key corresponding to the user information, and the private key is given to the user in a preset safety mode. The embodiment of the application can improve the safety of the database.
Description
Technical Field
The application relates to the technical field of privacy computation and the technical field of computers, in particular to a trusted execution environment-based secret database system and electronic equipment.
Background
Currently, there are abundant protection measures in academia and industry for data security protection, such as: symmetric/asymmetric cryptographic algorithms, data integrity checks, etc. However, there are still significant problems with runtime protection of data.
In database applications, when the database is running, the data stored in the shared memory layer is still in plaintext form, which provides a multiplicative basis for an attacker. Furthermore, the administrator of the database is not the producer and owner of the data, but has full read-write rights to the data, which also makes internal attacks possible. In order to increase the security depth of data, it is necessary to provide encryption protection at database runtime. Therefore, the problem of how to improve the security of the database system is to be solved.
Disclosure of Invention
The embodiment of the application provides a trusted execution environment-based secret database system and electronic equipment, which can realize the unauthorized direct use of individual characteristic data in federal learning.
In a first aspect, an embodiment of the present application provides a trusted execution environment-based cryptographic database system, where the cryptographic database system includes a target trusted execution environment; the target trusted execution environment deploys a key generation center, a key management module, wherein,
The key generation center is used for initializing a system, and generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
The key management module is configured to receive user information submitted by a user, where the user information includes at least one of: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
The key generation center is further configured to calculate according to the public parameter and the user information, obtain a private key corresponding to the user information, and send the private key to the user in a preset security manner.
In a second aspect, an embodiment of the present application provides a database management method, which is applied to the secret database system in the first aspect, where the secret database system includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, and the method comprises the following steps:
The key generation center performs system initialization, and generates public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
the key management module receives user information submitted by a user, wherein the user information comprises at least one of the following: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
And the key generation center calculates according to the public parameters and the user information to obtain a private key corresponding to the user information, and the private key is given to the user in a preset safety mode.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, a communication interface, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the processor, the programs including instructions for performing the steps in the second aspect of the embodiment of the present application.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program for electronic data exchange, wherein the computer program causes a computer to execute some or all of the steps described in the second aspect of the embodiments of the present application.
In a fifth aspect, embodiments of the present application provide a computer program product, wherein the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform part or all of the steps described in the second aspect of the embodiments of the present application. The computer program product may be a software installation package.
The embodiment of the application has the following beneficial effects:
It can be seen that, in the embodiment of the present application, the trusted execution environment-based secret database system and the electronic device are described, where the secret database system includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, wherein the key generation center is used for initializing a system, generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, the master key is subjected to secret processing, the key management module is used for receiving user information submitted by a user, and the user information comprises at least one of the following components: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by a key generation center, the user attribute list comprises a second character string, the key generation center is further used for calculating according to public parameters and user information to obtain a private key corresponding to the user information, the private key is given to a user through a preset safety mode, firstly, key management is carried out through a trusted execution environment, meanwhile, identification encryption and attribute encryption are introduced to realize fine-granularity access control, data access and database management authority are separated, the risk of unauthorized data access is effectively isolated, secondly, the user authority is managed based on the user identification information and the attribute information, a large amount of public key information is not needed to be stored, key management cost is greatly reduced, thirdly, the key management system is loosely coupled with a database system, original database bottom logic is not needed to be modified, meanwhile, service logic applied on an upper layer is not influenced, and access cost is greatly reduced, so that the safety of the database system can be improved.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a trusted execution environment-based cryptographic database system according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a key generation method for identification encryption and attribute encryption according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a data writing method according to an embodiment of the present application;
FIG. 4 is a flowchart of a database management method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The initiator and the participant described in the embodiments of the present application may include electronic devices, where the electronic devices may include smart phones (such as Android Mobile phones, iOS Mobile phones, windows Phone Mobile phones, etc.), tablet computers, palm computers, automobile recorders, servers, notebook computers, mobile internet devices (MID, mobile INTERNET DEVICES), wearable devices (such as smartwatches and bluetooth headsets), etc., which are merely examples, but not exhaustive, including but not limited to the electronic devices described above, and the electronic devices may also be cloud servers, or the electronic devices may also be computer clusters.
There are three main implementations of the encryption database system in the related art: 1) The encryption of the application layer, namely, the encryption of the original data is carried out before the data is written in by the application layer, and then the ciphertext is written in the database, the proposal needs the application layer management key, has larger key management cost, and simultaneously, easily causes the key leakage risk due to uneven cryptography background of the application layer developer; 2) The file system encryption, namely, the disk data encryption is realized by encrypting the file system, and the scheme has the advantages that complex encryption logic can be shielded for users, but illegal access and data abuse of high-authority users (such as database management) cannot be controlled; 3) The database plug-in realizes real-time encryption and real-time decryption of data reading in the data insertion process by developing the database plug-in, but the mode has strong coupling degree with the database, and is difficult to support data migration and database replacement.
In a specific implementation, the database encryption scheme is implemented using separate encryption middleware. The encryption database scheme is realized by calling an encryption API provided by the middleware to encrypt the data and initiating a database interaction request before the user stores the data. The user first sends a clear structured query language (structured query language, SQL) request to the encryption middleware. After receiving the request, the middleware analyzes the SQL statement and encrypts the corresponding field, and then sends the encrypted SQL statement to the database engine. And finally, the database engine normally executes database operation in the system. During the whole program execution phase, the functions of the encryption middleware are four: and (3) key management, password operation, analysis and recombination of the SQL request and initiation of the ciphertext SQL request. The key management and password operation part functions are used for converting a plaintext SQL request of a user into ciphertext. Similarly, the ciphertext data returned by the database needs to be decrypted when the user performs the query operation. The function of the part is the core function of the encryption database, which determines the security level of the encryption database. The SQL request analyzing function is responsible for analyzing and splitting the SQL request of the user into a plurality of fields to be encrypted, and calling the encryption function for further processing. Because the content in the database is ciphertext, when the query operation needs to be executed, the data in the data table needs to be completely downloaded and decrypted and then is matched with the query request locally. This step of operation decrypts the database contents, which may cause leakage of the original data, and bring about a certain security risk.
In order to solve the defects in the related art, the embodiment of the application provides a trusted execution environment-based secret database system, which comprises a target trusted execution environment; wherein the target trusted execution environment deploys a key generation center, a key management module, wherein,
The key generation center is used for initializing a system, and generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
The key management module is configured to receive user information submitted by a user, where the user information includes at least one of: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
The key generation center is further configured to calculate according to the public parameter and the user information, obtain a private key corresponding to the user information, and send the private key to the user in a preset security manner.
In the embodiment of the application, firstly, key management is carried out through a trusted execution environment, meanwhile, identification encryption and attribute encryption are introduced to realize fine granularity access control, data access and database management authority are separated, the unauthorized access risk of data is effectively isolated, secondly, the user authority is managed based on user identification information and attribute information, a large amount of public key information is not required to be stored, the key management cost is greatly reduced, thirdly, the key management cost is loosely coupled with a database system, the original database bottom logic is not required to be modified, meanwhile, the service logic of upper application is not influenced, and the access cost is greatly reduced, so that the security of the database system can be improved.
Embodiments of the present application are described in detail below.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a trusted execution environment-based cryptographic database system according to an embodiment of the present application, where the cryptographic database system includes a target trusted execution environment as shown in the figure; wherein the target trusted execution environment deploys a key generation center, a key management module, wherein,
The key generation center is used for initializing a system, and generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
The key management module is configured to receive user information submitted by a user, where the user information includes at least one of: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
The key generation center is further configured to calculate according to the public parameter and the user information, obtain a private key corresponding to the user information, and send the private key to the user in a preset security manner.
In the embodiment of the application, the target trusted execution environment can be a trusted execution environment corresponding to the CPU, the trusted execution environment realizes safe calculation based on memory isolation based on the hardware safe CPU, and the privacy protection calculation can be completed on the premise of ensuring the calculation efficiency. In TEE, any external device cannot acquire internal data, and thus, privacy protection and secure computation of data can be completed.
In an embodiment of the present application, the security parameters may include at least one of the following: the key length, identity of the user, number of users, etc., are not limited herein. The identity of the user may include at least one of: user name, user class, etc., without limitation. The common parameters may include common parameters related to the elliptic curve, for example, an identification map of the elliptic curve, i.e. the base domain.
Wherein the master key includes a public key and a private key.
In the embodiment of the application, the master key is understood to be a key representing the identity of a key generation center in a cryptographic algorithm, and the master key may include a public parameter and a master private key. The key generation center uses an identification encryption algorithm scheme to realize generation and distribution of the user key. The identification password is like SM9 algorithm, firstly, a key generation center is required to initialize and generate a random master key and public parameters, and then, the private key of the user is generated and distributed according to the identity information of different users. The private key of the serving user needs to generate a center master key using the user's identity information and the key. Since the master key of the key generation center can distribute the keys of all system users, the disclosure of the master key threatens the security of all ciphertext in the encryption system, so that the master key needs to be processed in a secret manner.
Wherein the user information may include at least one of: the identification information and the attribute information are not limited herein, the identification information may include a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list includes a second character string. The preset security mode may be preset or the system defaults.
Wherein the identification information may be used to uniquely determine the entity identity information, e.g. the identification information may comprise at least one of: the identity card number of the natural person, the email box, the MAC address of the internet of things device, etc., are not limited herein. The attribute information may be used to characterize the user's access rights to the database. The access rights of the user to the database determined by each identification information are different, for example: user a can only access data table 1 of the database, and can not access other data tables; user B has access to all of the tables of all of the databases. In the above example, the attribute information of the user a can be expressed as: the attribute information of the user B may represent a question of a-sheet 1: b-all.
The preset security mode can be understood as that a default user does not have access rights to any one data table. In this secure manner, the user's request cannot be responded to. The access rights of the subsequent users are gradually added by the administrator through the attribute information of the administrative users.
In particular implementations, the private key needs to be sent to the user over a secure channel. The private key is the private key of the user and needs to be used when the user decrypts the ciphertext.
In the embodiment of the application, the user attribute list contains control information of the user accessing the database. In the scheme, the user identification information and the read-write permission of the user for each data table are contained.
In a specific implementation, the key generation center can perform system initialization, and generates public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to security processing. The key management module receives user information submitted by a user, the key generation center calculates according to public parameters and the user information to obtain a private key corresponding to the user information, and the private key is sent to the user in a preset safety mode, so that key management and secret state calculation can be realized based on a trusted execution environment.
In the embodiment of the application, the encryption database is combined with the TEE, so that the problem of original text leakage in the related technology can be effectively solved. Meanwhile, the TEE provides a safe key management and password operation environment, and development cost and development workload can be greatly reduced by using the TEE to realize the partial functions.
In the embodiment of the application, a trusted execution environment (trusted execution environment, TEE) can be used as an operation environment of the encryption database middleware, and belongs to an application layer encryption scheme in a mainstream database encryption scheme. Encryption and decryption, key management and privacy protection calculation of data are completed in the trusted execution environment, and an external person cannot access the operation content in the trusted execution environment, so that the data privacy of the whole read-write process is ensured.
In the embodiment of the application, the identification encryption and the attribute encryption are also introduced to realize fine-granularity access control, namely, attribute, identification and access control strategies are endowed to each user, equipment and data, so that fine-granularity management of user rights is realized, the data access rights and database management rights are further distinguished, and malicious access of a high-rights user to unauthorized data is prevented.
For example, as shown in fig. 2, the system is initialized to generate public parameters and a master key, and then key generation is implemented based on user attributes, identifiers and public parameters to obtain a user private key. Specifically, the key generation flow of the identification encryption and the attribute encryption may include the following steps:
a1, a key generation center performs system initialization, and generates public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key needs to be kept secret;
a2, submitting identification information or attribute information of the user to a key management module, wherein the identification information can be any character string, and the attribute information is a user attribute list managed by a key generation center and is input in the form of character strings;
And A3, the key generation center calculates according to the parameters in the step A1 and the private key submitted by the user in the step A2, generates the private key corresponding to the user identifier or the attribute, and sends the key to the corresponding user in a safe mode.
Optionally, in the aspect of calculating according to the public parameter and the user information to obtain a private key corresponding to the user information, the key generation center is specifically configured to:
When the user information comprises identification information, calculating according to the public parameter and the identification information to obtain a private key corresponding to the identification information;
Or alternatively
And when the user information comprises attribute information, calculating according to the public parameters and the attribute information to obtain a private key corresponding to the attribute information.
In the embodiment of the application, when the user information comprises the identification information, the private key corresponding to the identification information can be obtained by calculating according to the public parameter and the identification information. When the user information comprises attribute information, the private key corresponding to the attribute information can be obtained by calculation according to the public parameters and the attribute information, the user permission is managed based on the user identification information and the attribute information, a large amount of public key information is not required to be stored, and the key management cost is greatly reduced.
In the embodiment of the application, taking an SM9 identification password algorithm as an example: let ke be the private key in the key generation center master key. The key generation center selects and discloses an encrypted private key function generation identifier hid expressed in one byte. The identification of the user A is IDA, in order to generate a user encryption private key de, a key generation center firstly calculates an intermediate variable t=H2 (IDA||hide, N) +ke on a finite field FN, if t=0, an encryption main private key is required to be regenerated, a main encryption public key is calculated and disclosed, and the encryption private key of the existing user is updated; otherwise, calculating the private key of the master key: t2=ke/t, then, calculate the public key of the master key: de= [ t2] P2. Wherein H2 is an operation function specified in the SM9 password standard; n is the finite field modulus; p2 is an addition cyclic group with order of prime number N; the generation formula of de is the dot product operation of the addition loop group.
In the embodiment of the application, identification encryption, attribute encryption and digital envelope combination are also introduced to realize fine granularity access control, namely, attribute, identification and access control strategies are endowed to each user, equipment and data, thereby realizing fine granularity management of user rights, further distinguishing data access rights and database management rights and preventing malicious access of high-rights users to unauthorized data.
Optionally, the secret database system further includes a target database system, and the secret database system is further specifically configured to:
Acquiring a target plaintext SQL statement; analyzing the target plaintext SQL statement to obtain database content calling parameters, wherein the database content calling parameters comprise at least one of the following components: database name, table name, data field and data content; calling corresponding target data from the target database system through the database content calling parameters, and transmitting the target data to the target trusted execution environment; executing data encryption operation and ciphertext table management operation on the target data in the target trusted execution environment to obtain processing data; SQL compiling is carried out on the target data and the target plaintext SQL statement to obtain a ciphertext SQL statement corresponding to the encrypted data; and writing the target data into the target database system according to the ciphertext SQL statement.
Wherein the database content invocation parameters may include at least one of: database name, table name, data field, data content, not limited herein.
In the embodiment of the application, the target plaintext SQL statement can be obtained, then the target plaintext SQL statement is analyzed to obtain the database content calling parameter, corresponding target data can be called from the target database system through the database content calling parameter, the target data is transmitted to the target trusted execution environment, the data encryption operation and the ciphertext table management operation are carried out on the target data in the target trusted execution environment to obtain the processed data, the target data and the target plaintext SQL statement are compiled to obtain the ciphertext SQL statement corresponding to the encrypted data, and the target data is written into the database system according to the ciphertext SQL statement.
In the embodiment of the application, in the compiling process, plaintext fields in the target plaintext SQL statement are required to be encrypted and replaced by the encrypted data in a trusted execution environment, so that the ciphertext SQL statement is generated. Examples are as follows: the obtained target plaintext SQL statement is: SELECT NAME, an age FROM table1; in the statement, name and age are the target data, ciphertext 'ifed' and '9 iw' are respectively obtained by encrypting in a trusted execution environment, the target data is replaced by the obtained encrypted data, and the SQL statement is recompiled to obtain a ciphertext SQL statement: SELECT IFED,9IW FROM TABLE1.
In a specific implementation, a service layer can call a secret database system through plaintext SQL, input standard SQL sentences to perform database operation, and an SQL parser receives and parses the plaintext SQL to obtain a database name, a table name, a data field and data content, and for parsed data, two types of operations, namely, data encryption and ciphertext table management, are performed in a trusted execution environment, namely: and encrypting the original data through a digital envelope, performing ciphertext access control, encrypting the database and table information and storing the mapping relation to obtain the processed data, performing SQL compiling according to the processed data and plaintext SQL to generate SQL sentences corresponding to the encrypted data, and writing the processed data into the target database through the encrypted SQL.
For example, as shown in fig. 3, plaintext SQL is obtained, the plaintext SQL is parsed, the parsing result is respectively subjected to data encryption and ciphertext table management to obtain a processing result, and the processing result is subjected to encrypted SQL compiling to obtain ciphertext data, so that ciphertext data writing is realized. Specifically, the data writing may include the steps of:
b1, a business layer calls a secret database system through plaintext SQL, and inputs standard SQL sentences to perform database operation;
B2, the SQL parser receives and parses the plaintext SQL to obtain a database name, a table name, a data field and data content;
B3, for the data analyzed in the step B2, two types of operations, namely, data encryption and ciphertext table management are executed in a trusted execution environment, namely: encrypting the original data through a digital envelope, performing ciphertext access control, encrypting the database and table information, and storing the mapping relation;
b4, performing SQL compiling according to the data in the step B3 and the plain text SQL analyzed in the step B1 to generate an SQL statement corresponding to the encrypted data;
and B5, writing the processed data into a database through the secret SQL.
Optionally, in the target trusted execution environment, performing a data encryption operation and a ciphertext table management operation on the target data to obtain processed data, where the cryptographic database system is specifically configured to:
Encrypting and cryptographically accessing the target data through a digital envelope in the target trusted execution environment to obtain first target data;
encrypting the database and table information corresponding to the target data and storing the mapping relation to obtain second target data;
And determining the processing data according to the first target data and the second target data.
In the embodiment of the application, the target data is encrypted and cryptograph access control is carried out through a digital envelope in a target trusted execution environment to obtain first target data, the database and table information corresponding to the target data are encrypted and the mapping relation is stored to obtain second target data, and the processing data is determined according to the first target data and the second target data.
Optionally, the secret database system includes n trusted execution environments; each trusted execution environment corresponds to a processing module, and n is a positive integer; the target trusted execution environment is any one of the n trusted execution environments.
Wherein the processing module may comprise at least one of: a central processor (central processing unit, CPU), a graphics processor (graphics processing unit, GPU), a neural network processor (neural processing unit, NPU), a micro control unit (microcontroller unit, MCU), a field programmable gate array (field programmable GATE ARRAY, FPGA), a digital signal processor (DIGITAL SIGNAL process, DSP), and the like, without limitation.
In the embodiment of the application, the secret database system can comprise n trusted execution environments, each trusted execution environment corresponds to a processing module, n is a positive integer, and the target trusted execution environment is any trusted execution environment in the n trusted execution environments.
For example, a CPU may correspond to one trusted execution environment and a GPU may correspond to another trusted execution environment.
Optionally, the key generating center is configured to manage attribute encryption, identify public parameters and a master key of an encryption algorithm, and manage user attributes and complete user identity authentication.
In the embodiment of the application, the key generation center can be responsible for managing the public parameters and the master key of the attribute encryption and identification encryption algorithm, and simultaneously, managing the user attribute and completing the user identity authentication.
Wherein the identification encryption algorithm may include at least one of: the national cipher SM9 identification cipher algorithm, identity-based cipher system algorithm (BF 01), homomorphic encryption algorithm (Gentry) and BBG05 identification cipher algorithm, etc., are not limited herein.
Optionally, the key management module is used for being responsible for key generation, secure distribution, reliable storage and integrity verification.
The key management module is mainly responsible for key generation, secure distribution, reliable storage and integrity verification. And key management is performed through a trusted execution environment, and meanwhile, identification encryption and attribute encryption are introduced to realize fine granularity access control, so that data access and database management authority are separated, and the risk of unauthorized data access is effectively isolated.
In the embodiment of the application, in the system initialization stage, a key generation center generates a multiplication loop group applicable to the current identity-based encryption (IBE) system by inputting a security parameter and calling a group generation algorithm, and executes the initialization algorithm based on the group parameter to generate a public parameter and a master key, wherein the public parameter is public data, the public parameter can be broadcasted to a user of the encryption system, and the master key needs to be saved by the key generation center and ensures the privacy of the master key. When a user requests a key from a key generation center, the user firstly submits an attribute list of the user, the key generation center verifies the list, namely, for each user, only legal attributes can participate in generating a private key, namely, an identity authentication process, after the identity authentication is passed, the key generation center executes a key generation algorithm, and the private key corresponding to the current user is generated according to the authenticated attribute information.
Optionally, the secret database system further comprises a calculation module;
the computing module is configured to encapsulate at least one of the following protocols: digital envelope protocols, confidential computing protocols, secret sharing protocols, secure multiparty computing protocols.
In the embodiment of the application, the computing module encapsulates a plurality of computing protocols such as digital envelope, confidential computing, secret sharing, secure multiparty computing and the like, so that privacy computing directly based on ciphertext can be supported.
In the embodiment of the application, the data encryption and decryption and the ciphertext access control can be realized based on the identification encryption, the attribute encryption and the digital envelope, thereby improving the security of the database system.
Optionally, the target database system is used for directly interfacing with the target database system through an SQL statement.
In a specific implementation, the encryption component of the secret database is a middleware and is attached to the third party database, so that the architecture of the secret database system in the embodiment of the application is the same as the network topology of the third party database. The network topology comprises a database client and a server, wherein the client receives a user request, converts the user request into an encrypted data request and forwards the encrypted data request to the back-end database server. The secret state database system can be directly connected with the existing database system through SQL sentences without modifying the original database bottom logic, and can realize seamless access in the form of middleware on the premise of not modifying the original service system.
In the embodiment of the application, the target database system can be directly connected with the target database system through SQL sentences, namely, the target database system is realized in a middleware system mode, and the universal access of different databases is realized by realizing universal SQL analysis and compiling, shielding the differences among different databases, so that the flexibility and the safety of data migration are ensured.
As shown in fig. 1, the secret database system may include: at least one trusted execution environment, a processing module, a computing module, a target database system, the at least one trusted execution environment may include a target trusted execution environment, the processing module may include: the CPU and the GPU are used for packaging related protocols such as digital envelope, confidential calculation, secret sharing, safe multiparty calculation and the like. The target database system may include: a relational database, a cache database.
The relational database may refer to traditional databases such as MySQL and Oracle, and the storage medium of the database is mainly a magnetic disk, such as a solid state disk and a mechanical hard disk. The cache database is a memory-based database, such as MEMCACHED, REDIS, and the like, and is characterized in that data is stored in the memory without reading and writing a disk each time, and the access speed is high.
In the specific implementation, the key generation center and the key management module are deployed through a trusted execution environment, and the key generation center is responsible for managing attribute encryption, identifying public parameters and a master key of an encryption algorithm, managing user attributes and completing user identity authentication. The key management module is mainly responsible for key generation, secure distribution, reliable storage and integrity verification.
In addition, in order to improve the throughput of the database system, in the embodiment of the application, the trusted execution environment based on the CPU and the GPU can be simultaneously supported, so that the parallel acceleration of data encryption and decryption can be realized through high-performance parallel computation. The computing module of the secret state database system encapsulates a plurality of computing protocols such as digital envelope, confidential computing, secret sharing, secure multiparty computing and the like, so that the direct ciphertext-based privacy computing can be supported. The database layer can be directly connected with the existing database system through SQL sentences without modifying the original database bottom logic.
It can be seen that the trusted execution environment-based secret database system described in the embodiments of the present application includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, wherein the key generation center is used for initializing a system, generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, the master key is subjected to secret processing, the key management module is used for receiving user information submitted by a user, and the user information comprises at least one of the following components: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by a key generation center, the user attribute list comprises a second character string, the key generation center is further used for calculating according to public parameters and user information to obtain a private key corresponding to the user information, the private key is given to a user through a preset safety mode, firstly, key management is carried out through a trusted execution environment, meanwhile, identification encryption and attribute encryption are introduced to realize fine-granularity access control, data access and database management authority are separated, the risk of unauthorized data access is effectively isolated, secondly, the user authority is managed based on the user identification information and the attribute information, a large amount of public key information is not needed to be stored, key management cost is greatly reduced, thirdly, the key management system is loosely coupled with a database system, original database bottom logic is not needed to be modified, meanwhile, service logic applied on an upper layer is not influenced, and access cost is greatly reduced, so that the safety of the database system can be improved.
Referring to fig. 4, fig. 4 is a schematic flow chart of a database management method according to an embodiment of the present application, which is applied to the cryptographic database system shown in fig. 1, wherein the cryptographic database system includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, and the database management method comprises the following steps:
s401, the key generation center performs system initialization, and generates public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing.
S402, the key management module receives user information submitted by a user, wherein the user information comprises at least one of the following: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string.
S403, the key generation center calculates according to the public parameters and the user information to obtain a private key corresponding to the user information, and the private key is given to the user in a preset safety mode.
The relevant descriptions of the above steps may refer to the relevant descriptions above, and are not repeated herein.
It can be seen that the database management method described in the embodiments of the present application is applied to a trusted execution environment-based cryptographic database system, which includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, wherein the key generation center is used for initializing a system, generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, the master key is subjected to secret processing, the key management module is used for receiving user information submitted by a user, and the user information comprises at least one of the following components: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by a key generation center, the user attribute list comprises a second character string, the key generation center is further used for calculating according to public parameters and user information to obtain a private key corresponding to the user information, the private key is given to a user through a preset safety mode, firstly, key management is carried out through a trusted execution environment, meanwhile, identification encryption and attribute encryption are introduced to realize fine-granularity access control, data access and database management authority are separated, the risk of unauthorized data access is effectively isolated, secondly, the user authority is managed based on the user identification information and the attribute information, a large amount of public key information is not needed to be stored, key management cost is greatly reduced, thirdly, the key management system is loosely coupled with a database system, original database bottom logic is not needed to be modified, meanwhile, service logic applied on an upper layer is not influenced, and access cost is greatly reduced, so that the safety of the database system can be improved.
In accordance with the above embodiments, referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device includes a processor, a memory, a communication interface, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the processor, and the electronic device includes a cryptographic database system, where the cryptographic database system includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, and in the embodiment of the application, the program comprises instructions for executing the following steps:
the key generation center is used for initializing a system, and generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
The key management module is configured to receive user information submitted by a user, where the user information includes at least one of: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
The key generation center is further configured to calculate according to the public parameter and the user information, obtain a private key corresponding to the user information, and send the private key to the user in a preset security manner.
Optionally, in the aspect of calculating according to the public parameter and the user information to obtain a private key corresponding to the user information, the program includes instructions for executing the following steps:
When the user information comprises identification information, calculating according to the public parameter and the identification information to obtain a private key corresponding to the identification information;
Or alternatively
And when the user information comprises attribute information, calculating according to the public parameters and the attribute information to obtain a private key corresponding to the attribute information.
The cryptographic database system optionally further comprises a target database system, the program further comprising instructions for:
Acquiring a target plaintext SQL statement;
analyzing the target plaintext SQL statement to obtain database content calling parameters, wherein the database content calling parameters comprise at least one of the following components: database name, table name, data field and data content;
Calling corresponding target data from the target database system through the database content calling parameters, and transmitting the target data to the target trusted execution environment;
executing data encryption operation and ciphertext table management operation on the target data in the target trusted execution environment to obtain processing data;
SQL compiling is carried out on the target data and the target plaintext SQL statement to obtain a ciphertext SQL statement corresponding to the encrypted data;
And writing the target data into the target database system according to the ciphertext SQL statement.
Optionally, in the target trusted execution environment, performing a data encryption operation and a ciphertext table management operation on the target data to obtain processed data, the program includes instructions for performing the following steps:
Encrypting and cryptographically accessing the target data through a digital envelope in the target trusted execution environment to obtain first target data;
encrypting the database and table information corresponding to the target data and storing the mapping relation to obtain second target data;
And determining the processing data according to the first target data and the second target data.
Optionally, the secret database system includes n trusted execution environments; each trusted execution environment corresponds to a processing module, and n is a positive integer; the target trusted execution environment is any one of the n trusted execution environments.
Optionally, the key generating center is configured to manage attribute encryption, identify public parameters and a master key of an encryption algorithm, and manage user attributes and complete user identity authentication.
Optionally, the key management module is used for being responsible for key generation, secure distribution, reliable storage and integrity verification.
Optionally, the secret database system further comprises a calculation module;
the computing module is configured to encapsulate at least one of the following protocols: digital envelope protocols, confidential computing protocols, secret sharing protocols, secure multiparty computing protocols.
Optionally, the target database system is used for directly interfacing with the target database system through an SQL statement.
It can be seen that the electronic device described in the embodiments of the present application includes a cryptographic database system that includes a target trusted execution environment; the target trusted execution environment is provided with a key generation center and a key management module, wherein the key generation center is used for initializing a system, generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, the master key is subjected to secret processing, the key management module is used for receiving user information submitted by a user, and the user information comprises at least one of the following components: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by a key generation center, the user attribute list comprises a second character string, the key generation center is further used for calculating according to public parameters and user information to obtain a private key corresponding to the user information, the private key is given to a user through a preset safety mode, firstly, key management is carried out through a trusted execution environment, meanwhile, identification encryption and attribute encryption are introduced to realize fine-granularity access control, data access and database management authority are separated, the risk of unauthorized data access is effectively isolated, secondly, the user authority is managed based on the user identification information and the attribute information, a large amount of public key information is not needed to be stored, key management cost is greatly reduced, thirdly, the key management system is loosely coupled with a database system, original database bottom logic is not needed to be modified, meanwhile, service logic applied on an upper layer is not influenced, and access cost is greatly reduced, so that the safety of the database system can be improved.
The embodiment of the application also provides a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program makes a computer execute part or all of the steps of any one of the above method embodiments, and the computer includes an electronic device.
Embodiments of the present application also provide a computer program product comprising a non-transitory computer-readable storage medium storing a computer program operable to cause a computer to perform part or all of the steps of any one of the methods described in the method embodiments above. The computer program product may be a software installation package, said computer comprising an electronic device.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, such as the above-described division of units, merely a division of logic functions, and there may be additional manners of dividing in actual implementation, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, or may be in electrical or other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a memory, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the above-mentioned method of the various embodiments of the present application. And the aforementioned memory includes: a usb disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the various methods of the above embodiments may be implemented by a program that instructs associated hardware, and the program may be stored in a computer readable memory, which may include: flash disk, read-Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic disk or optical disk.
The foregoing has outlined rather broadly the more detailed description of embodiments of the application, wherein the principles and embodiments of the application are explained in detail using specific examples, the above examples being provided solely to facilitate the understanding of the method and core concepts of the application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.
Claims (8)
1. A trusted execution environment-based cryptographic database system, wherein the cryptographic database system comprises a target trusted execution environment; the target trusted execution environment deploys a key generation center, a key management module, wherein,
The key generation center is used for initializing a system, and generating public parameters and a master key by inputting security parameters, wherein the public parameters are public information, and the master key is subjected to secret processing;
The key management module is configured to receive user information submitted by a user, where the user information includes at least one of: identification information and attribute information; the identification information comprises a first character string, the attribute information is a user attribute list managed by the key generation center, and the user attribute list comprises a second character string;
the key generation center is further used for calculating according to the public parameters and the user information to obtain a private key corresponding to the user information, and the private key is given to the user in a preset safety mode;
the secret database system further comprises a target database system, and the secret database system is further specifically used for:
Acquiring a target plaintext SQL statement;
analyzing the target plaintext SQL statement to obtain database content calling parameters, wherein the database content calling parameters comprise at least one of the following components: database name, table name, data field and data content;
Calling corresponding target data from the target database system through the database content calling parameters, and transmitting the target data to the target trusted execution environment;
executing data encryption operation and ciphertext table management operation on the target data in the target trusted execution environment to obtain processing data;
SQL compiling is carried out on the processing data and the target plaintext SQL statement to obtain a ciphertext SQL statement corresponding to the encrypted data;
writing the target data into the target database system according to the ciphertext SQL statement;
The target trusted execution environment executes data encryption operation and ciphertext table management operation on the target data to obtain processed data, and the confidential database system is specifically used for:
Encrypting and cryptographically accessing the target data through a digital envelope in the target trusted execution environment to obtain first target data;
encrypting the database and table information corresponding to the target data and storing the mapping relation to obtain second target data;
And determining the processing data according to the first target data and the second target data.
2. The system of claim 1, wherein in the aspect of calculating according to the public parameter and the user information to obtain a private key corresponding to the user information, the key generation center is specifically configured to:
When the user information comprises identification information, calculating according to the public parameter and the identification information to obtain a private key corresponding to the identification information;
Or alternatively
And when the user information comprises attribute information, calculating according to the public parameters and the attribute information to obtain a private key corresponding to the attribute information.
3. The cryptographic database system of claim 1, wherein the cryptographic database system comprises n trusted execution environments; each trusted execution environment corresponds to a processing module, and n is a positive integer; the target trusted execution environment is any one of the n trusted execution environments.
4. A cryptographic database system according to claim 3, wherein the key generation center is responsible for managing attribute encryption, identifying public parameters and master keys of the encryption algorithm, and simultaneously managing user attributes and performing user authentication.
5. A cryptographic database system according to claim 3, wherein the key management module is responsible for key generation, secure distribution, reliable storage and integrity verification.
6. The cryptographic database system of claim 3, wherein the cryptographic database system further comprises a computing module;
the computing module is configured to encapsulate at least one of the following protocols: digital envelope protocols, confidential computing protocols, secret sharing protocols, secure multiparty computing protocols.
7. A cryptographic database system according to claim 3, wherein the target database system is adapted to interface directly with the target database system via SQL statements.
8. An electronic device comprising a cryptographic database system as in any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410214055.6A CN117786758B (en) | 2024-02-27 | 2024-02-27 | Trusted execution environment-based secret database system and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410214055.6A CN117786758B (en) | 2024-02-27 | 2024-02-27 | Trusted execution environment-based secret database system and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117786758A CN117786758A (en) | 2024-03-29 |
| CN117786758B true CN117786758B (en) | 2024-06-07 |
Family
ID=90393120
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410214055.6A Active CN117786758B (en) | 2024-02-27 | 2024-02-27 | Trusted execution environment-based secret database system and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117786758B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117992993B (en) * | 2024-04-07 | 2024-06-14 | 蓝象智联(杭州)科技有限公司 | Data management and control method and system based on trusted execution environment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110519041A (en) * | 2019-07-29 | 2019-11-29 | 同济大学 | A kind of attribute base encryption method based on SM9 mark encryption |
| CN113595971A (en) * | 2021-06-02 | 2021-11-02 | 云南财经大学 | Block chain-based distributed data security sharing method, system and computer readable medium |
| CN114362912A (en) * | 2020-09-27 | 2022-04-15 | 山东爱城市网信息技术有限公司 | Identification password generation method based on distributed key center, electronic device and medium |
| CN115758396A (en) * | 2022-08-31 | 2023-03-07 | 兰州大学 | Database security access control technology based on trusted execution environment |
| CN116232568A (en) * | 2022-12-22 | 2023-06-06 | 广州大学 | SM 9-based attribute-based encryption block chain access control method |
-
2024
- 2024-02-27 CN CN202410214055.6A patent/CN117786758B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110519041A (en) * | 2019-07-29 | 2019-11-29 | 同济大学 | A kind of attribute base encryption method based on SM9 mark encryption |
| CN114362912A (en) * | 2020-09-27 | 2022-04-15 | 山东爱城市网信息技术有限公司 | Identification password generation method based on distributed key center, electronic device and medium |
| CN113595971A (en) * | 2021-06-02 | 2021-11-02 | 云南财经大学 | Block chain-based distributed data security sharing method, system and computer readable medium |
| CN115758396A (en) * | 2022-08-31 | 2023-03-07 | 兰州大学 | Database security access control technology based on trusted execution environment |
| CN116232568A (en) * | 2022-12-22 | 2023-06-06 | 广州大学 | SM 9-based attribute-based encryption block chain access control method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117786758A (en) | 2024-03-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11770368B2 (en) | Techniques for shared private data objects in a trusted execution environment | |
| US11239994B2 (en) | Techniques for key provisioning in a trusted execution environment | |
| Chen et al. | A secure electronic medical record authorization system for smart device application in cloud computing environments | |
| CN117786758B (en) | Trusted execution environment-based secret database system and electronic equipment | |
| TW202101165A (en) | Secure smart unlocking | |
| Yang et al. | DAA-TZ: an efficient DAA scheme for mobile devices using ARM TrustZone | |
| CN115001841A (en) | Identity authentication method, identity authentication device and storage medium | |
| CN108549824A (en) | A kind of data desensitization method and device | |
| Xu et al. | An efficient blockchain‐based privacy‐preserving scheme with attribute and homomorphic encryption | |
| CN114357492A (en) | Medical data privacy fusion method and device based on block chain | |
| Yang et al. | Dual traceable distributed attribute-based searchable encryption and ownership transfer | |
| Alzomai et al. | The mobile phone as a multi OTP device using trusted computing | |
| CN107920060A (en) | Data access method and device based on account | |
| US11818278B2 (en) | Dynamic certificate management in cryptographic agility frameworks | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN113014387B (en) | Method for improving multidimensional encryption interface based on hardware encryption machine and encryption device | |
| Pop et al. | Secure migration of WebAssembly-based mobile agents between secure enclaves | |
| Nie et al. | Time‐enabled and verifiable secure search for blockchain‐empowered electronic health record sharing in IoT | |
| Wang et al. | A User‐Centered Medical Data Sharing Scheme for Privacy‐Preserving Machine Learning | |
| WO2022017103A1 (en) | Method for dynamically loading encryption engine | |
| CN109768969A (en) | Authority control method and internet-of-things terminal, electronic equipment | |
| US11496287B2 (en) | Privacy preserving fully homomorphic encryption with circuit verification | |
| CN114697113A (en) | Hardware accelerator card-based multi-party privacy calculation method, device and system | |
| CN109598114B (en) | Cross-platform unified user account management method and system | |
| Song et al. | A trusted authentication model for remote users under cloud architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |