CN107919954B - A kind of block chain user key guard method and device based on SGX software protecting extended instruction - Google Patents
A kind of block chain user key guard method and device based on SGX software protecting extended instruction Download PDFInfo
- Publication number
- CN107919954B CN107919954B CN201710989478.5A CN201710989478A CN107919954B CN 107919954 B CN107919954 B CN 107919954B CN 201710989478 A CN201710989478 A CN 201710989478A CN 107919954 B CN107919954 B CN 107919954B
- Authority
- CN
- China
- Prior art keywords
- key
- user
- block chain
- sgx
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 21
- 230000006870 function Effects 0.000 claims abstract description 78
- 230000001681 protective effect Effects 0.000 claims abstract description 8
- 238000012545 processing Methods 0.000 claims description 21
- 238000012795 verification Methods 0.000 claims description 11
- 230000002159 abnormal effect Effects 0.000 claims description 7
- 238000007689 inspection Methods 0.000 claims description 3
- 238000005259 measurement Methods 0.000 claims description 3
- 230000001902 propagating effect Effects 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 10
- 230000000694 effects Effects 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000010276 construction Methods 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 238000004321 preservation Methods 0.000 description 3
- 230000033228 biological regulation Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 239000013589 supplement Substances 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 230000007306 turnover Effects 0.000 description 2
- 241001269238 Data Species 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007423 decrease Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 239000002184 metal Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000000123 paper Substances 0.000 description 1
- 229920003023 plastic Polymers 0.000 description 1
- 239000004033 plastic Substances 0.000 description 1
- 230000008521 reorganization Effects 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 230000006641 stabilisation Effects 0.000 description 1
- 238000011105 stabilization Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Strategic Management (AREA)
- Finance (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The block chain user key protective device based on SGX that the invention discloses a kind of, comprising: SGX encrypting module generates confidence space based on software protecting extended instruction, and generates the access key for verifying the confidence space access authority;The confidence space is used for the user key and cipher key operation function of memory block chain network;Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting module, calls cipher key operation function therein, realizes that the verifying to transaction is known together;It trades constructing module, initiates transaction according to the user's intention, by the access cipher key access SGX encrypting module, call cipher key operation function therein, realize the filling of Transaction Information and legalize, and broadcast the transaction to block chain network.The invention also discloses block chain user key guard methods.This method can effectively resist Malware to the sniff of user local key with crack, protect the block chain assets of user not encroached on.
Description
Technical field
The present invention relates to block chain application field more particularly to a kind of block chains based on SGX software protecting extended instruction
User key guard method and device.
Background technique
The development of the emerging technologies such as cloud computing, internet and big data, so that conventional center system information data is total to
The demand of enjoying is increasingly urgent to.However, centralized system lacks a kind of safe and reliable mechanism, it is always the pain spot of reality.With than
Deeply, bottom block chain technology is drawn in recent years to solve the problems, such as that real pain spot provides effective means for the rise and application of special coin
Extensive concern is played.Block chain technology is born as bit coin Floor layer Technology with architecture, is substantially one and goes
The accounting system of the heart, a similar Distributed sharing account book.Novel block catenary system uses P2P network technology, cryptography, is total to
Know algorithm, the intelligent technologies such as contract and distributed data base, there are data can not distort, system collective safeguards, information discloses
Bright equal traditional account book system characteristic too far behind to catch up, this makes a kind of great potential, decentralization Assets Reorganization Taking science and engineering
Tool and technology.
Using bit coin as the publicly-owned block chain of representative, so that block chain has the key property of issue value assets.User
Key is the significant data in block catenary system.The safety of key is the important leverage of user's right.In block catenary system, number
The ownership of word assets (such as bit coin) is being established by digital cipher and digital signature.Digital cipher is not deposited actually
It is stored in block chain network, but keeping is responsible for by each user, is maintained secrecy to other people.The safety of block chain is just to rely on key
Decentralised control.Meanwhile the characteristics such as the decentralization of block chain is trusted and control, ownership authenticate also are all based on modern password
What key mechanism was realized.According to Cryptography Principles, only effective key could generate effective digital signature, only have
The digital signature of effect just can make the transaction on chain effective.This has fundamentally prevented the possibility that transaction is forged on block chain, ensures
The interests of user.
As soon as however, possess the key or its copy of a user account if there is third party, then third party user's energy
Practical control corresponds to the account assets of the key.Therefore, for a user, once lose or damage key, user
Oneself corresponding total assets may be thoroughly lost, and gives means for change without any.The block link network healthy and strong for one
Network, careless omission of the single user in key management will not influence the stabilization of whole network, but user will undertake whole
Consequence.In addition, the modern general-purpose operating system is not fool proof, be also not suitable for storing key information with document form.Especially with
Internet technology it is universal, our computer passes through internet for a long time and is exposed to outer, and during which Malware or program can be with
It is concealed and easily steal local data;Or the carelessness due to operator, it is mixed into Malware and is installed on local, Jin Erwei
Coerce all important local datas.
To protect key, there are mainly two types of common methods.The first is stored after encrypting key.This is a kind of common
Security means, but the effect of this method is influenced by specific Encryption Algorithm and means.Because by data simple encryption and being stored in
Operating system is local, and Malware still has an opportunity continuous access, and can attempt to decrypt in period and obtain key, complicated evil
Meaning software even can directly extract confidential data from memory, threaten key safety;Excessively complicated encryption method is then use
The maintenance at family brings very big burden, in some instances it may even be possible to because forgeing or " loss " key due to lost part encryption details.It is another opposite
Safer method is that the key information of key or encryption is recorded in the physics such as paper, plastics, metal using physical store
Medium, and back up and multiple be subject to safe preservation (being such as locked into safety box) respectively.But this method will lead to using key just
Victory decline.Once (especially being handed over using itself part professional user or block chain because the frequency of use of key rises
Easily frequently), user just has to handle cumbersome write operation one by one.
For compromise between security and availability, anti-tamper " wallet " technology of professional hardware is come into being.Unlike be easy to by
To the common soft and hardware of attack, hardware wallet only provides the generation system and correlation of very limited interface or even built-in key
Proving program externally only exports the signature of private key, to provide security level almost safe against all possibilities for unprofessional user, simultaneously
Also there is comparable ease for operation.For the risk for evading damage and loss, hardware wallet is usually very firm, and provides for user
The approach of physical backup private key.But the framework of its highly-specialised generally requires tightly to dock with the application of specific block chain,
To be allowed to be difficult to be designed to a common apparatus.There is no general type block chain key storage hardware at present, only for specific
The dedicated hardware wallet (such as Trezor) of block chain application (such as bit coin).
Intel SGX (Software Guard Extensions) is a set of cpu instruction, can be supported using creation safety
Area (enclave): in application address space shielded region, it may be ensured that the machine of the terminal operating system environmentally information content
Close property and integrality.The memory content for attempting to access enclave from software respective is not allowed to, even enhanced privileges are soft
Part (such as master operating system, monitor of virtual machine etc.) does not allow to access.The security boundary of enclave only include CPU and it from
Body.The enclave of SGX creation is it can be appreciated that a credible performing environment TEE.A CPU can be run more in SGX technology
A safe enclaves, support concurrently execute.
Summary of the invention
The block chain user key protective device based on SGX software protecting extended instruction that the present invention provides a kind of, in area
The client node of block chain application system introduces SGX, and the block chain user key protective device and various block chain network are mutual
It is compatible, it can be used as the node administration component of block chain network, provide key preservation and the service for checking credentials for block chain network user.
A kind of block chain user key protective device based on SGX software protecting extended instruction, comprising:
SGX encrypting module generates confidence space based on software protecting extended instruction, and generates for verifying the credible sky
Between access authority access key;The confidence space is used for the user key and cipher key operation function of memory block chain network;
Transaction common recognition module, receives the transaction from block chain network, encrypts mould by the access cipher key access SGX
Block calls cipher key operation function therein, realizes that the verifying to transaction is known together;
It trades constructing module, initiates transaction according to the user's intention, by the access cipher key access SGX encrypting module,
Cipher key operation function therein is called, the filling of Transaction Information is realized and legalizes, and broadcasts the transaction to block chain network.
Preferably, the SGX encrypting module includes:
User's space, including processing space and confidence space;The processing space is for loading user key and key behaviour
Make the certificate information of function, the confidence space is for storing user key and cipher key operation function;
SGX driver is measured by the certificate information to user key and cipher key operation function, is the user
Key and cipher key operation function distribute confidence space, and it is hard that the certificate information of user key and cipher key operation function is passed to SGX
Part processor;
SGX hardware processor carries out user key and cipher key operation function certificate information and the integrality of confidence space
Verifying, it is raw according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor characteristic of user key and cipher key operation function certificate
At the access key of confidence space, encrypted by accessing key pair confidence space.
The SGX driver belongs to operating system;SGX hardware processor belongs to hardware architecture.
The access key of confidence space is block chain network user key, cipher key operation function and the SGX hardware by user
The physical hardware information of processor, which is intersected, to be generated, and ensure that the safety and validity of associated verification step.
The block chain user key guard method based on SGX software protecting extended instruction that the present invention also provides a kind of, should
Method passes through the client node for introducing the SGX hardware of Intel to block chain network user, (credible using the enclave of SGX
Space) mechanism, safe user key memory space and corresponding accessing operation are locally being constructed, is realizing local user's key
Secure storage and use.
A kind of block chain user key guard method based on SGX software protecting extended instruction, comprising:
(1) it obtains user key and is stored in SGX encrypting module;
(2) relevant cipher key operation is handled.
Step (1) includes:
(1-1) obtains the user key that block chain is approved with secure way;
The step of the case where for needing user to be autonomously generated user key, generation user key, should be in the equipment of safety
(such as from the emergency PC of failed cluster) is generated by the complete seed of cryptography and algorithm according to regulation format.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety
Close mode obtains;Or it is obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all
It is recommended that user carries out the backup of safety to the user key of acquisition in advance.It is proposed with physical store or the storage of offline secure equipment
Etc. modes user key is backed up;And more parts are backed up, give secure storage respectively.
(1-3) generates public key from user key and is stored in local;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key
Coin), it oneself is transacting targeted so that other people specify.So needs execute the step before storing user key to generate and user
The corresponding public key of key, is stored in local.
The address that public key generates can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network
With the block catenary system (address that such as each user can inquire each user to block chain network) of address, which can be by block chain
Network is completed.
User key is stored in SGX encrypting module by (1-4).
Step (1-4) includes:
(a) certificate for generating user key and cipher key operation function, by user key and cipher key operation function and the card
Book uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX driver,
Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to
In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of user key and cipher key operation function and passes to SGX hardware handles
Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information
Access key, by access key pair confidence space encrypted;
(d) step (a)~(c) is repeated, multiple confidence spaces is established, more parts of user keys of backup is stored in difference respectively
Confidence space in.
In step (2), handling relevant cipher key operation includes key behaviour caused by processing is traded by block chain network is incoming
Make and cipher key operation caused by trading is initiated by user.
Cipher key operation caused by processing is traded by block chain network is incoming the following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, counts
It calculates the priority of transaction and is ranked up;
The verifying of the part is limited to not needing the verifying of user key, for example, verify transaction whether version correct, transaction
Whether amount of assets is legal etc..The priority for selectively completing transaction depending on the framework of specific block chain simultaneously calculates and the behaviour such as sequence
Make.
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky
Interior key authentication function verifies the part that user key is needed in transaction;
Need the verifying of the part of user key to be limited to need the verifying of user key, for example, determine it is transacting targeted whether be
Oneself etc..
(IV) inspection calls another credible sky if call result is abnormal to the call result of key authentication function
Interior key authentication function, until call result is normal;Verification information is packaged into verification result later, completes testing for transaction
Card;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading.
Processing by user initiate trade caused by cipher key operation the following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
In the step, block chain client needs to trade according to the legal construction of rule of respective block chain, for transaction supplement
The necessary informations such as destination address, turnover;Simultaneously in the step, block chain client is without providing the signing messages of oneself;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky
Interior key signature function obtains user key signature;
(III) it checks and another credible sky is called if call result is abnormal to the call result of key signature function
Interior key signature function, until call result is normal;Signing messages is packaged to the structure that transaction is completed into Transaction Information later
It builds;
(IV) it broadcasts and trades to block chain network.
Compared with prior art, the invention has the benefit that
(1) the block chain user key protective device of the invention based on SGX has both safety, availability and general simultaneously
Property, can effectively resist Malware to the sniff of user local key with crack, protect the block chain assets of user not encroached on;
(2) operation of block chain client is divided into two independent sectors, and function is called using different keys in each part,
Improve the operational paradigm of block chain client.Two parts are placed on Enclave (confidence space) to the operation of key simultaneously
Interior execution, external program can not learn key information and relevant operation.Key will not be come across with clear-text way it is any can not
Believe memory, memory overflow attack can be resisted;
(3) a kind of more Enclave mechanism are given, the safety of key preservation is further improved.Even if single
Enclave damage, client remain to operate normally, and user can receive the feedback of Enclave damage simultaneously, take further
Client is safeguarded in specific aim measure, protects key;
(4) a set of safe operating process is given for being not affected by the key pre-write of SGX protection, use can be effectively reduced
The security threat that family key is subject to before being protected by SGX.
Detailed description of the invention
Fig. 1 is the structure and workflow schematic diagram that the block chain user key based on SGX protects client;
Fig. 2 is the flow diagram for obtaining user key and being stored in SGX encrypting module;
Fig. 3 is the flow diagram of cipher key operation caused by processing is traded by block chain network is incoming;
Fig. 4 is the flow diagram that cipher key operation caused by trading is initiated in processing by user.
Specific embodiment
Present invention is further described in detail with reference to the accompanying drawings and examples.
The block chain user key protective device based on SGX of the present embodiment, including 3 software modules: transaction common recognition mould
Block, transaction constructing module and SGX encrypting module, Row control is as shown in Figure 1, specific as follows:
(1) preliminary treatment: need to carry out the acquisition and write-in of block chain key before the operation of block chain client in advance
SGX, process are as shown in Figure 2.
(1-1) obtains the user key that block chain is approved with secure way;
The step of the case where for needing user to be autonomously generated user key, generation user key, should be in the equipment of safety
(such as from the emergency PC of failed cluster) is generated by the complete seed of cryptography and algorithm according to regulation format.
For the user key for needing block chain network to issue, then by the communications conduit of strict protection, with adding for safety
Close mode obtains;Or it is obtained by the secured fashion under line.
(1-2) backs up user key;
To evade the risk for causing key to be lost due to various reasons in the future, which kind of key keeping mode no matter is taken, all
It is recommended that user carries out the backup of safety to the user key of acquisition in advance.It is proposed with physical store or the storage of offline secure equipment
Etc. modes user key is backed up;And more parts are backed up, give secure storage respectively.
(1-3) is from user key generation public key and storage and locally;
Under normal circumstances, user need to generate public key by user key, and block chain address (such as bit of oneself is generated with public key
Coin), it oneself is transacting targeted so that other people specify.So needs execute the step before storing user key to generate and user
The corresponding public key of key, is stored in local.
The address that public key generates can be disclosed to the whole network, without encryption.For being responsible for handling client public key by block chain network
With the block catenary system (address that such as each user can inquire each user to block chain network) of address, which can be by block chain
Network is completed.
User key is stored in SGX encrypting module by (1-4).
Step (1-4) includes:
(a) generate user key and cipher key operation function certificate, by user key and and cipher key operation function with it is described
Certificate uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out to the user key, cipher key operation function and its certificate uploaded by SGX driver,
Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to
In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of user key and cipher key operation function and passes to SGX hardware handles
Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information
Access key, by access key pair confidence space encrypted.
(d) step (a)~(c) is repeated, multiple confidence spaces is established, more parts of user keys of backup is stored in difference respectively
Confidence space in.
Key deposit SGX SGX encrypting module is used into wherein, effect is generated based on software protecting extended instruction
Enclave come store user key information and cipher key operation function, and generate to verify the close of confidence space access authority
Key is operated with for subsequent access.The process establishes multiple enclave (being 3 in this example, such as Fig. 1) simultaneously, to ensure
Block chain client remains to operate normally when extremely in special circumstances single enclave is damaged, and gives user feedback to repair
The enclave of damage avoids user's Lost Security Key without knowing it.
(2) transaction common recognition processing: the part is common to complete transaction common recognition using transaction common recognition module and SGX encrypting module
Processing, process are as shown in Figure 3.The effect of transaction common recognition module is to receive the transaction flow from block chain network, and carry out lattice
The authentication functions such as formula verifying, number of deals verifying, by calling the completion of SGX encrypting module to need user key in verification process
Verifying, final realize know together to the verifying traded in network.Once the verifying function in safety zone returns to exception, just call another
Identical verifying function in a safety zone, until completing verifying.The effect of SGX encrypting module herein is provided for common recognition processing
It is capable of the verifying function of security invocation user blocks chain account key.
The following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, counts
It calculates the priority of transaction and is ranked up;
The verifying of the part is limited to not needing the verifying of user key, for example, verify transaction whether version correct, transaction
Whether amount of assets is legal etc..The priority for selectively completing transaction depending on the framework of specific block chain simultaneously calculates and the behaviour such as sequence
Make.
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky
Interior key authentication function verifies the part that user key is needed in transaction;
Need the verifying of the part of user key to be limited to need the verifying of user key, for example, determine it is transacting targeted whether be
Oneself etc..
(IV) inspection calls another credible sky if call result is abnormal to the call result of key authentication function
Interior key authentication function, until call result is normal;Verification information is packaged into verification result later, completes testing for transaction
Card;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading.
(3) transaction Construction treatment: the part is common to complete construction of trading using transaction constructing module and SGX encrypting module
With initiation, process is as shown in Figure 4.Constructing module of trading initiates to trade according to the intention of user, passes through and calls SGX encrypting module
It realizes the filling of Transaction Information and legalizes, and broadcast the transaction to the whole network.Once the signature function in safety zone returns to exception,
Just the same signature function in another safety zone is called, until completing transaction building.The effect of SGX encrypting module herein is
The signature function for capableing of security invocation user blocks chain account key is provided for transaction construction.
The following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
In the step, block chain client needs to trade according to the legal construction of rule of respective block chain, for transaction supplement
The necessary informations such as destination address, turnover;Simultaneously in the step, block chain client is without providing the signing messages of oneself;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls a certain credible sky
Interior key signature function obtains user key signature;
Assets of the signature of the step for confirming that oneself is initiated in transaction are effective.
(III) it checks and another credible sky is called if call result is abnormal to the call result of key signature function
Interior key signature function, until call result is normal;Signing messages is packaged to the structure that transaction is completed into Transaction Information later
It builds;
If call result is abnormal, illustrates the user key damage in the confidence space, then call another confidence space
Interior signature function reacquires signature.
(IV) it broadcasts and trades to block chain network.
Technical solution of the present invention and beneficial effect is described in detail in embodiment described above, it should be understood that
Above is only a specific embodiment of the present invention, it is not intended to restrict the invention, it is all to be done in spirit of the invention
Any modification, supplementary, and equivalent replacement etc., should all be included in the protection scope of the present invention.
Claims (3)
1. a kind of block chain user key protective device based on SGX software protecting extended instruction characterized by comprising
SGX encrypting module generates confidence space based on software protecting extended instruction, and generates and visit for verifying the confidence space
Ask the access key of permission;The confidence space is used for the user key and cipher key operation function of memory block chain network;
Transaction common recognition module, receives the transaction from block chain network, by the access cipher key access SGX encrypting module, adjusts
With cipher key operation function therein, realize that the verifying to transaction is known together;
Transaction constructing module, initiates transaction according to the user's intention, passes through the access cipher key access SGX encrypting module, calls
Cipher key operation function therein, realizes the filling of Transaction Information and legalizes, and broadcasts the transaction to block chain network.
2. block chain user key protective device according to claim 1, which is characterized in that the SGX encrypting module
Include:
User's space, including processing space and confidence space;The processing space is for loading user key and cipher key operation letter
The certificate information of both numbers, the confidence space is for storing user key and cipher key operation function;
SGX driver is measured by the certificate information to both user key and cipher key operation function, is the user
Key and cipher key operation function distribute confidence space, and the certificate information of both user key and cipher key operation function is passed to
SGX hardware processor;
SGX hardware processor, the integrality of certificate information and confidence space to both user key and cipher key operation function into
Row verifying, according to the cryptographic Hash of the certificate of both user key and cipher key operation function and SGX hardware processor characteristic
Cryptographic Hash generates the access key of confidence space, is encrypted by accessing key pair confidence space.
3. a kind of block chain user key guard method based on SGX software protecting extended instruction characterized by comprising
(1) it obtains user key and is stored in SGX encrypting module, comprising:
(1-1) obtains the user key that block chain is approved with secure way;
(1-2) backs up user key;
(1-3) generates public key from user key and is stored in local;
User key is stored in SGX encrypting module by (1-4), comprising:
(a) certificate for generating both user key and cipher key operation function, by user key and cipher key operation function and the card
Book uploads in processing space together;
The cipher key operation function includes key authentication function and key signature function;
(b) parameter measurement is carried out by certificate of the SGX driver to user key, cipher key operation function and the two uploaded,
Address space and page are distributed for confidence space, creates confidence space, and user key and cipher key operation function are copied to
In confidence space, data in delete processing space later;
(c) SGX driver obtains the certificate information of both user key and cipher key operation function and passes to SGX hardware handles
Device;SGX hardware processor generates confidence space according to the cryptographic Hash of the cryptographic Hash and SGX hardware processor itself of certificate information
Access key, by access key pair confidence space encrypted;
(d) repeat step (a)~(c), establish multiple confidence spaces, by more parts of user keys of backup be stored in respectively it is different can
Believe in space;
(2) relevant cipher key operation, including processing are handled by the caused cipher key operation of the incoming transaction of block chain network and by user
Initiate cipher key operation caused by trading;
Cipher key operation caused by processing is traded by block chain network is incoming the following steps are included:
(I) block chain client receives the incoming Transaction Information of block chain network;
(II) calls the verifying function outside the safety zone SGX to verify the part for not needing user key in transaction, calculates and hands over
Easy priority is simultaneously ranked up;
(III) block chain client is initiated to request to SGX driver, after access key authentication, calls in a certain confidence space
Key authentication function the part that user key is needed in transaction is verified;
The call result of key authentication function is called in another confidence space in (IV) inspection if call result is abnormal
Key authentication function, until call result is normal;Verification information is packaged to the verifying that transaction is completed into verification result later;
(V), which is sent according to verification result to block chain network, to be fed back;
If being proved to be successful, the Transaction Information is broadcasted to block chain network, continues to verify for remaining user node;
If authentication failed, stop propagating the transaction, or illegal to block chain network feedback trading;
Processing by user initiate trade caused by cipher key operation the following steps are included:
(I) block chain client constructs transaction outside the safety zone SGX;
(II) block chain client is initiated to request to SGX driver, after access key authentication, calls in a certain confidence space
Key signature function obtain user key signature;
(III) it checks and the call result of key signature function is called in another confidence space if call result is abnormal
Key signature function, until call result is normal;Signing messages is packaged to the building that transaction is completed into Transaction Information later;
(IV) it broadcasts and trades to block chain network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710989478.5A CN107919954B (en) | 2017-10-20 | 2017-10-20 | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710989478.5A CN107919954B (en) | 2017-10-20 | 2017-10-20 | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107919954A CN107919954A (en) | 2018-04-17 |
| CN107919954B true CN107919954B (en) | 2019-05-14 |
Family
ID=61894889
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710989478.5A Active CN107919954B (en) | 2017-10-20 | 2017-10-20 | A kind of block chain user key guard method and device based on SGX software protecting extended instruction |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107919954B (en) |
Families Citing this family (38)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3794766B1 (en) * | 2018-05-14 | 2024-10-09 | nChain Licensing AG | Computer-implemented systems and methods for using a blockchain to perform an atomic swap |
| CN108921557A (en) * | 2018-07-06 | 2018-11-30 | 佛山伊苏巨森科技有限公司 | A method of it is traded by the system and protection of block chain network protection transaction |
| CN109101822B (en) * | 2018-07-10 | 2021-01-29 | 西安交通大学 | Method for solving data privacy disclosure problem in multi-party computing |
| CN110781492B (en) * | 2018-07-31 | 2023-09-26 | 阿里巴巴集团控股有限公司 | Data processing method, device, equipment and storage medium |
| CN109150517B (en) * | 2018-09-04 | 2021-03-12 | 大唐高鸿信安(浙江)信息科技有限公司 | Secret key safety management system and method based on SGX |
| GB201816936D0 (en) * | 2018-10-17 | 2018-11-28 | Nchain Holdings Ltd | Computer-implemented system and method |
| CN112765595B (en) * | 2018-11-16 | 2024-05-10 | 创新先进技术有限公司 | Cross-blockchain data processing method, device, client and blockchain system |
| CN112468473B (en) * | 2018-11-16 | 2023-10-24 | 创新先进技术有限公司 | Remote proving method and device for trusted application program and electronic equipment |
| CN109934579A (en) * | 2018-11-30 | 2019-06-25 | 上海点融信息科技有限责任公司 | For the key generation method of block chain network, endorsement method, storage medium, calculate equipment |
| CN111325545B (en) * | 2018-12-13 | 2023-05-02 | 北京沃东天骏信息技术有限公司 | Key management method, device and equipment based on blockchain |
| CN109766712B (en) * | 2018-12-14 | 2020-08-25 | 华东师范大学 | Credit reporting streaming method based on block chain and Intel SGX |
| CN109831298B (en) * | 2019-01-31 | 2020-05-15 | 阿里巴巴集团控股有限公司 | Method for safely updating key in block chain, node and storage medium |
| CN111898156B (en) * | 2019-01-31 | 2024-04-16 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract call in block chain |
| CN110008715B (en) * | 2019-01-31 | 2020-05-05 | 阿里巴巴集团控股有限公司 | Method for realizing privacy protection in block chain, node and storage medium |
| CN110020855B (en) * | 2019-01-31 | 2020-05-29 | 阿里巴巴集团控股有限公司 | Method, node and storage medium for realizing privacy protection in block chain |
| CN111767555B (en) * | 2019-01-31 | 2024-07-09 | 创新先进技术有限公司 | Method, node and storage medium for realizing privacy protection in blockchain |
| CN110032876B (en) * | 2019-02-19 | 2020-03-06 | 阿里巴巴集团控股有限公司 | Method, node and storage medium for implementing privacy protection in block chain |
| CN110022316A (en) * | 2019-03-29 | 2019-07-16 | 阿里巴巴集团控股有限公司 | The method and apparatus for creating block chain account and resetting account key |
| CN113835910B (en) * | 2019-04-19 | 2024-08-13 | 创新先进技术有限公司 | Method and apparatus for establishing communication between blockchain networks |
| EP3643041B1 (en) | 2019-04-26 | 2021-03-10 | Advanced New Technologies Co., Ltd. | Distributed key management for trusted execution environments |
| CN110222485B (en) * | 2019-05-14 | 2021-01-12 | 浙江大学 | Industrial control white list management system and method based on SGX software protection extended instruction |
| CN110264196B (en) * | 2019-05-20 | 2021-04-23 | 创新先进技术有限公司 | Conditional receipt storage method and node combining code labeling and user type |
| CN110223172B (en) * | 2019-05-20 | 2021-04-13 | 创新先进技术有限公司 | Conditional receipt storage method and node combining code labeling and type dimension |
| CN110266659B (en) * | 2019-05-31 | 2020-09-25 | 联想(北京)有限公司 | Data processing method and equipment |
| CN110443710B (en) * | 2019-08-02 | 2022-06-07 | 中国工商银行股份有限公司 | Block chain system and method for batch signature |
| CN110675253A (en) * | 2019-08-15 | 2020-01-10 | 山大地纬软件股份有限公司 | Block chain-based exclusive digital asset trusted keeping and transferring device and method |
| CN110889696A (en) * | 2019-11-27 | 2020-03-17 | 杭州趣链科技有限公司 | Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology |
| CN111159018B (en) * | 2019-12-17 | 2021-06-22 | 浙江大学 | Software protection extended instruction SGX-based online fuzzy test system and method |
| CN111160905B (en) * | 2019-12-17 | 2023-07-18 | 浙江大学 | Block chain link point user request processing protection method and device |
| CN111404896B (en) * | 2020-03-06 | 2022-03-04 | 杭州云象网络技术有限公司 | Non-central identity authentication method based on SGX |
| CN111475782B (en) * | 2020-04-08 | 2022-11-08 | 浙江大学 | API (application program interface) key protection method and system based on SGX (generalized Standard X) software extension instruction |
| CN111709745A (en) * | 2020-06-09 | 2020-09-25 | 浙江大学 | SGX-based block chain transaction security protection system and method thereof |
| CN112235301B (en) * | 2020-10-14 | 2023-06-06 | 北京金山云网络技术有限公司 | Access right verification method and device and electronic equipment |
| CN113037477A (en) * | 2021-03-08 | 2021-06-25 | 北京工业大学 | Kerberos security enhancement method based on Intel SGX |
| CN113055376A (en) * | 2021-03-10 | 2021-06-29 | 电子科技大学 | Block chain data protection system |
| CN114301928B (en) * | 2021-11-29 | 2024-07-16 | 之江实验室 | SGX-based chain uplink and downlink hybrid consensus method and system |
| CN114629684A (en) * | 2022-02-16 | 2022-06-14 | 深圳番多拉信息科技有限公司 | Permission token processing method, system, device and storage medium based on block chain |
| CN116260595B (en) * | 2023-05-15 | 2023-07-25 | 豪符密码检测技术(成都)有限责任公司 | Cloud password detection method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106533694A (en) * | 2016-11-03 | 2017-03-22 | 浙江大学 | Method and system for implementation of Openstack token access protection mechanism |
| CN107113284A (en) * | 2014-11-26 | 2017-08-29 | 英特尔公司 | For the trusted computing base evidence binding of transportable virtual machine |
| CN107209722A (en) * | 2015-02-23 | 2017-09-26 | 英特尔公司 | For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160379212A1 (en) * | 2015-06-26 | 2016-12-29 | Intel Corporation | System, apparatus and method for performing cryptographic operations in a trusted execution environment |
| US10318746B2 (en) * | 2015-09-25 | 2019-06-11 | Mcafee, Llc | Provable traceability |
| US11209815B2 (en) * | 2016-04-01 | 2021-12-28 | Intel Corporation | Drone control registration |
-
2017
- 2017-10-20 CN CN201710989478.5A patent/CN107919954B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107113284A (en) * | 2014-11-26 | 2017-08-29 | 英特尔公司 | For the trusted computing base evidence binding of transportable virtual machine |
| CN107209722A (en) * | 2015-02-23 | 2017-09-26 | 英特尔公司 | For instruction and the logic for making the process forks of Secure Enclave in Secure Enclave page cache He setting up sub- enclave |
| CN106533694A (en) * | 2016-11-03 | 2017-03-22 | 浙江大学 | Method and system for implementation of Openstack token access protection mechanism |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107919954A (en) | 2018-04-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107919954B (en) | A kind of block chain user key guard method and device based on SGX software protecting extended instruction | |
| CN110034924B (en) | Data processing method and device | |
| CN108418680B (en) | Block chain key recovery method and medium based on secure multi-party computing technology | |
| TWI709314B (en) | Data processing method and device | |
| CN109697365B (en) | Information processing method, block chain node and electronic equipment | |
| CN109274652B (en) | Identity information verification system, method and device and computer storage medium | |
| CN109412812B (en) | Data security processing system, method, device and storage medium | |
| CN110990827A (en) | Identity information verification method, server and storage medium | |
| US11212095B2 (en) | Allowing restricted external access to devices | |
| CN111914293B (en) | Data access right verification method and device, computer equipment and storage medium | |
| US20180131677A1 (en) | Balancing public and personal security needs | |
| CN105745661A (en) | Policy-based trusted inspection of rights managed content | |
| CN111859446A (en) | Agricultural product traceability information sharing-privacy protection method and system | |
| CN106027503A (en) | Cloud storage data encryption method based on TPM | |
| CA2714196A1 (en) | Information distribution system and program for the same | |
| US20130124860A1 (en) | Method for the Cryptographic Protection of an Application | |
| CN105740725A (en) | File protection method and system | |
| US9734346B2 (en) | Device and method for providing security in remote digital forensic environment | |
| CN109309645A (en) | A kind of software distribution security guard method | |
| CN105933117A (en) | Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage | |
| US8756433B2 (en) | Associating policy with unencrypted digital content | |
| KR102055888B1 (en) | Encryption and decryption method for protecting information | |
| CN113901507B (en) | Multi-party resource processing method and privacy computing system | |
| KR102475434B1 (en) | Security method and system for crypto currency | |
| TW202101267A (en) | Account data processing method and account data processing system ensuring that there is encryption protection when account data is returned to an electronic payment dealer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |