Nothing Special   »   [go: up one dir, main page]

CN110855671B - Trusted computing method and system - Google Patents

Trusted computing method and system Download PDF

Info

Publication number
CN110855671B
CN110855671B CN201911118927.4A CN201911118927A CN110855671B CN 110855671 B CN110855671 B CN 110855671B CN 201911118927 A CN201911118927 A CN 201911118927A CN 110855671 B CN110855671 B CN 110855671B
Authority
CN
China
Prior art keywords
data
key
cloud server
ciphertext
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911118927.4A
Other languages
Chinese (zh)
Other versions
CN110855671A (en
Inventor
吴初锚
刘光磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics China R&D Center
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics China R&D Center
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics China R&D Center, Samsung Electronics Co Ltd filed Critical Samsung Electronics China R&D Center
Priority to CN201911118927.4A priority Critical patent/CN110855671B/en
Priority to PCT/KR2020/002430 priority patent/WO2021095998A1/en
Publication of CN110855671A publication Critical patent/CN110855671A/en
Application granted granted Critical
Publication of CN110855671B publication Critical patent/CN110855671B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a trusted computing method and a system, wherein a data user generates a data operation task in an authorization range after passing validity verification of a trusted computing environment and a trusted computing function library of a cloud server, and sends the data operation task to a computing service provider; the computing service provider acquires the ciphertext of the required data and the ciphertext of the corresponding key according to the data computing task and stores the ciphertext and the corresponding key to the cloud server; and the data user sends a calculation private key for decrypting the ciphertext of the key to the cloud server in a secure transmission mode, triggers the cloud server to obtain a plaintext of data required by the task in execution in the trusted computing environment by using the calculation private key, executes the data operation task by using the plaintext and the trusted computing function library, and sends a corresponding execution result to the data user after being encrypted. By adopting the invention, the overall operation performance can be effectively improved.

Description

Trusted computing method and system
Technical Field
The present application relates to the field of network computing security technologies, and in particular, to a trusted computing method and system.
Background
The existing trusted computing scheme usually adopts a multi-party computing mode, utilizes a cloud hardware-level trusted execution environment, and adopts a mode of performing mixed operation based on a partial homomorphic encryption technology and a hardware-level trusted execution environment at the cloud to complete an analysis computing task of multi-party data.
The applicant finds that the above trusted computing scheme exists in the process of implementing the invention: poor performance and universality. The specific reason is analyzed as follows:
the above trusted computing scheme adopts a homomorphic encryption technology at the cloud, and is to perform data computing analysis directly based on ciphertext data sent by a data holder, so that the data security can be guaranteed, but the computing is complex, the computation amount is large, large computation overhead can be generated, especially when the data amount is large, the overall computation performance can be seriously reduced, the universality of the scheme is further influenced, and the scheme cannot be applied in a large scale.
Disclosure of Invention
In view of the above, the present invention provides a trusted computing method and system, which can effectively improve the operation performance.
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
a trusted computing method, comprising:
after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, the data user generates a data operation task in a corresponding authorization range according to data access authorization information acquired from a third-party authorization and authentication center, and sends the data operation task to a computing service provider; the cloud server is provided by the computing service provider;
the computing service provider acquires a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task, and stores the cipher texts to the cloud server; the cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center;
the data using party adopts a safe transmission mode to send a calculation private key used for decrypting the ciphertext of the key in the data access authorization information to the cloud server, triggers the cloud server to obtain the plaintext of the data required by the task in the execution process in the trusted computing environment by using the calculation private key, the ciphertext of the data required by the task in the execution process and the ciphertext of the corresponding key, executes the data operation task by using the plaintext and the trusted computing function library, and sends the corresponding execution result to the data using party by adopting an encryption transmission mode.
Preferably, before the validity verification, the method further comprises:
the data owner sends an access control strategy for own data to the third party authorization and authentication center;
the third party authorization and authentication center generates a corresponding public key and a main private key according to the access control strategy; sending the public key to the data owner;
the obtaining of the data access authorization information comprises:
the data using party requests the data using authority of the data owner to the third party authorization and authentication center;
and the third party authorization and authentication center generates the calculation private key and a corresponding data access authorization certificate for the data user by using the main private key according to the request and an access control strategy sent by the data owner, and sends the data access authorization information to the data user, wherein the data access authorization information carries the calculation private key and the data access authorization certificate.
Preferably, the third party authorization and authentication center generates the public key, the master private key and the calculation private key by using an attribute encryption method.
Preferably, the method further comprises:
the data owner encrypts own data in advance according to a preset data uploading strategy, encrypts a key adopted in encryption by using a public key generated by the third party authorization and authentication center, and uploads a corresponding data encryption result and a corresponding key encryption result to the cloud server.
Preferably, the obtaining a ciphertext of data required for executing the task and a ciphertext of the corresponding key, and storing the ciphertext and the ciphertext in the cloud server includes:
the computing service provider judges whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, and if not, the corresponding data owner is triggered to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
Preferably, each trusted computing function in the trusted computing function library only has a first interface and a second interface, and the first interface is used for inputting operation parameters; the second interface is used for outputting the encrypted data operation result.
Preferably, the data user performs the validity verification by means of remote verification.
Preferably, the secure transmission mode is an online security providing mode.
Preferably, the method further comprises:
and the data user uploads the trusted computing function defined by the data user to the trusted computing function library of the cloud server.
Preferably, the method further comprises:
the data user sends the calculation private key to the cloud server and sends a key Kr which is generated by the data user and used for encrypting the execution result to the cloud server;
the sending the corresponding execution result to the data user by using the encryption transmission mode comprises:
the cloud server encrypts the execution result by using the secret key Kr and then sends a ciphertext of the execution result to the data user;
and the data user decrypts the ciphertext of the execution result by using the secret key Kr to obtain the plaintext of the execution result.
A trusted computing system, comprising: the system comprises a data user, a data owner, a third party authorization and authentication center, a computing service provider and a cloud server; wherein,
the data user is used for generating a data operation task in a corresponding authorization range according to the data access authorization information acquired from the third party authorization and authentication center after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, and sending the data operation task to the computing service provider; the cloud server is provided by the computing service provider;
the computing service provider is used for acquiring a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task and storing the cipher texts to the cloud server; the cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center;
the data using party is used for sending a calculation private key used for decrypting the ciphertext of the key in the data access authorization information to the cloud server in a secure transmission mode, triggering the cloud server to obtain the plaintext of the data required by the task in the trusted computing environment by using the calculation private key, the ciphertext of the data required by the task in the execution process and the ciphertext of the corresponding key, executing the data operation task by using the plaintext and the trusted computing function library, and sending a corresponding execution result to the data using party in an encryption transmission mode.
Preferably, the data owner is further configured to send an access control policy for the data of the data owner to the third party authorization and authentication center before the validity verification;
the third party authorization and authentication center is further used for generating a corresponding public key and a main private key according to the access control strategy; sending the public key to the data owner;
the data user is further used for authorizing an authentication center to the third party and requesting the use permission of the data owner;
the third party authorization and authentication center is further configured to generate the computation private key and the corresponding data access authorization certificate for the data user by using the master private key according to the request and an access control policy sent by the data owner, and send the data access authorization information to the data user, where the data access authorization information carries the computation private key and the data access authorization certificate.
Preferably, the third party authorization and authentication center is further configured to generate the public key, the master private key, and the calculation private key by using an attribute encryption method.
Preferably, the data owner is further configured to encrypt data of the data owner in advance according to a preset data uploading policy, encrypt a key used in encryption by using a public key generated by the third party authorization and authentication center as the own, and upload a corresponding data encryption result and a corresponding key encryption result to the cloud server.
Preferably, the computing service provider is configured to obtain a ciphertext of data required for task execution and a ciphertext of a corresponding key, and store the ciphertext and the ciphertext to the cloud server, and specifically includes:
judging whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, if not, triggering the corresponding data owner to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
Preferably, each trusted computing function in the trusted computing function library only has a first interface and a second interface, and the first interface is used for inputting operation parameters; the second interface is used for outputting the encrypted data operation result.
Preferably, the data user is specifically configured to perform the validity verification by using a remote verification method.
Preferably, the secure transmission mode is an online security providing mode.
Preferably, the data user is further configured to upload a trusted computing function defined by the data user to the trusted computing function library of the cloud server.
Preferably, the data user is further configured to send the private computation key to the cloud server, and send a self-generated key Kr for encrypting the execution result to the cloud server;
the cloud server is specifically configured to encrypt the execution result by using the key Kr, and then send a ciphertext of the execution result to the data consumer;
the data user is specifically configured to decrypt the ciphertext of the execution result by using the key Kr to obtain the plaintext of the execution result.
According to the technical scheme, the trusted computing method and the trusted computing system provided by the application have the advantages that after the validity verification of the trusted computing environment of the cloud server and the validity verification of the trusted computing function library are passed, a data user can generate a data computing task in an authorized range and send the data computing task to the computing service provider; the computing service provider acquires a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task, and stores the cipher texts to the cloud server; and the data user sends a calculation private key for decrypting the ciphertext of the key to the cloud server in a secure transmission mode, triggers the cloud server to obtain a plaintext of data required by the task in execution in the trusted computing environment by using the calculation private key, executes the data operation task by using the plaintext and the trusted computing function library, and then encrypts an execution result and sends the encrypted execution result to the data user. Therefore, on one hand, any secret key and plaintext data are not exposed outside the credible environment boundary in the execution process of the data operation task, on the other hand, the data operation task is executed by utilizing the plaintext data, and therefore the overall operation performance can be effectively reduced. In addition, a public key and a calculation private key for encrypting and decrypting the secret key are generated by the third-party authorization and authentication center, so that after a data owner encrypts the data once, the encrypted data can be used by a plurality of data users, the storage overhead of multiple encryption caused by the traditional cryptography algorithm can be saved, the expandability of the system is improved, and meanwhile, the safety of the secret key and the traceability of the data users can be ensured due to the introduction of the third-party authorization and authentication center.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of implementation of the embodiment of the invention in a big data security computing scene of the Internet of things;
fig. 3 is a schematic diagram of implementation of the embodiment of the present invention in a trusted hot video recommendation scenario.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below by referring to the accompanying drawings and examples.
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention. As shown in fig. 1, the trusted computing method implemented in this embodiment mainly includes the following steps:
step 101, after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, the data user generates a data operation task in a corresponding authorization range according to data access authorization information acquired from a third-party authorization and authentication center, and sends the data operation task to a computing service provider; the cloud server is provided by the computing service provider.
In this step, after determining that the trusted computing environment and the trusted computing function library of the cloud server are legal, the data user generates a corresponding data computing task according to the computing requirement of the data user in an accessible authority, and sends the corresponding data computing task to the computing service provider, so that the computing service provider prepares data for executing the task.
The specific task generation method is known to those skilled in the art and will not be described herein again.
Preferably, in order to minimize the attack surface of the trusted computing function library and the possibility of malicious use of data, the interfaces of each trusted computing function in the trusted computing function library may be defined as only two to ensure that no plaintext data is output from the trusted environment, i.e.:
each trusted computing function in the trusted computing function library only has a first interface and a second interface, and the first interface is used for inputting operation parameters; the second interface is used for outputting the encrypted data operation result.
In practical applications, some general trusted computing functions may be stored in the trusted computing function library in advance.
Preferably, in order to meet the special data operation requirement of the data user, the data user may define a trusted computing function according to the operation requirement of the data user, and upload the trusted computing function to the trusted computing function library of the cloud server for storage.
In practical application, a data owner sends an access control strategy for own data to the third-party authorization and authentication center; and the third party authorization and authentication center generates a corresponding public key and a main private key according to the access control strategy.
The public key is sent to the data owner, the data owner encrypts a secret key used for encrypting own data by using the public key, and the main private key is used for generating a corresponding calculation private key for a data user authorized to use the data of the data owner.
Therefore, the data user can send the calculation private key to the cloud server, the cloud server can obtain the corresponding key by using the calculation private key, and the cipher text data of the data owner is decrypted by using the key, so that the corresponding plaintext data can be obtained. Therefore, the data owner only needs to encrypt the data once, and other data users can use the calculation private key generated by the third-party authorization authentication center to realize access to the corresponding data, so that the trouble that the data owner needs to encrypt the data for different data users in the traditional cryptography encryption algorithm can be avoided, the storage overhead of multiple encryption caused by the traditional cryptography algorithm is saved, and the expandability of the system is improved
Preferably, on the basis that the third party authorization and authentication center generates the corresponding public key and the main private key according to the access control policy of the data user by using the method, after the validity verification passes, the data user may specifically obtain the corresponding data access authorization information by using the following method:
after the validity verification is passed, the data using party requests the third party authorization and authentication center for the data using authority of the data owner;
the third party authorization and authentication center generates a calculation private key and a corresponding data access authorization certificate for the data user by using the main private key according to the request and an access control strategy sent by the data owner;
and the third party authorization and authentication center sends the data access authorization information to the data user, wherein the data access authorization information carries the calculation private key and the data access authorization certificate.
In practical applications, the third-party authorization and authentication center may preferably generate the public key, the master private key, and the calculation private key by using an existing attribute encryption method, but is not limited thereto.
For the convenience of understanding the implementation of the present invention, the following description is provided for the specific implementation of the attribute encryption method as follows:
the attribute encryption method mainly comprises the following four algorithms:
(1) setup (k, U): the algorithm inputs a security parameter k and a system attribute description U, and outputs a public parameter PP and a main private key MSK;
(2) keygen (MSK, X): the algorithm inputs a master private key MSK and a right X and outputs a key SKX;
(3) enc (PP, Y, m): the algorithm inputs a common parameter PP, a ciphertext index (index) Y and a message m to be encrypted and outputs a ciphertext CTY;
(4) dec (PP, SKX, CTY) which inputs the public parameter PP, the key SKX and the ciphertext CTY and outputs the decrypted result m.
Preferably, the data user may perform the validity verification by using a remote verification method. In particular, the remote verification may be provided by the trusted computing platform Intel SGX. The existing Intel SGX supports a client to verify the legitimacy of a remote trusted environment and an executed trusted library and generate a verification result report.
In practical application, the data owner may specifically be: various end device owners, or certain specific organizations with data collection authority.
The data user may specifically be: and the party with the use requirement on the data analysis result, such as some APP developers.
The computing service provider may specifically be: cloud service providers that provide data storage and trusted computing services, such as the public cloud service provider amazon, arry cloud, and the like.
The third party authorization and authentication center may specifically be: and a third-party organization for applying, checking, managing and distributing the attribute cryptographic key is provided, and the third-party organization is similar to a CA in a PKI system.
And 102, the computing service provider acquires a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task, and stores the cipher texts to a cloud server.
The cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center.
In this step, after receiving the data operation task, the computation service provider acquires data required to be used in execution for the task, and here, in order to ensure the security of the data, transmission and storage of the data are all realized in an encrypted manner, that is, an owner of the corresponding data needs to encrypt the data and then upload the data to the cloud server, and a ciphertext of the data is stored in the cloud server, so that the encrypted data can also be stored in a cloud untrusted area.
Preferably, in this step, the following method may be adopted to obtain the ciphertext of the data required for executing the task and the ciphertext of the corresponding key, and store the ciphertext and the ciphertext of the corresponding key in the cloud server:
the computing service provider judges whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, and if not, the corresponding data owner is triggered to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
103, the data user sends a calculation private key used for decrypting the cipher text of the key in the data access authorization information to the cloud server in a secure transmission mode, triggers the cloud server to obtain the plaintext of the data required for executing the task by using the calculation private key, the cipher text of the data required for executing the task and the cipher text of the corresponding key in the trusted computing environment, executes the data operation task by using the plaintext and the trusted computing function library, and sends the corresponding execution result to the data user in an encryption transmission mode.
In this step, the data user needs to send a calculation private key for decrypting a key corresponding to a ciphertext of data required for task execution (i.e., a key used by the corresponding data owner for encrypting data) to the cloud, so that the cloud server can obtain the key corresponding to the ciphertext of the data required for task execution according to the calculation private key, and can decrypt the ciphertext based on the key to obtain a corresponding plaintext, and execute the data operation task using the plaintext. Compared with the method for executing the data operation task based on the ciphertext data, the method has the advantages that the operation amount of the task execution is greatly simplified, the execution efficiency of the operation task is improved, and the operation performance can be ensured when large-scale data operation is carried out.
Preferably, in order to reduce the task processing delay, the data owner may encrypt its own data according to a preset data uploading policy in advance, and upload the encrypted data to the cloud, and specifically, the following method may be adopted to achieve this purpose:
the data owner encrypts own data in advance according to a preset data uploading strategy, encrypts a key adopted in encryption by using a public key generated by the third party authorization and authentication center, and uploads a corresponding data encryption result and a corresponding key encryption result to the cloud server.
In practical applications, the data owner may obtain the key for encrypting the data in a randomly generated manner, which is determined by the encryption method used. Specifically, the data owner may encrypt its own data by using an existing encryption method, such as an encryption method of AES, 3-DES, and the like, which is not described herein again.
In this step, in order to ensure the security of the calculation private key, the data user needs to send the calculation private key to the cloud server in a secure transmission manner. Preferably, the computing private key may be sent in an online security provision manner.
In practical application, in this step, the cloud server may use an existing encryption method to encrypt the execution result of the task, such as an encryption method of AES, 3-DES, and the like, which is not described herein again.
The encryption key for encrypting the execution result can be sent to the cloud server by the data user while sending the calculation private key, namely:
and the data user sends the calculation private key to the cloud server and sends a key Kr which is generated by the data user and used for encrypting the execution result to the cloud server.
Preferably, the secret key Kr can be obtained by random generation.
Correspondingly, the cloud server may adopt the following method, and send the corresponding execution result to the data user in an encrypted transmission mode:
the cloud server encrypts the execution result by using the secret key Kr and then sends a ciphertext of the execution result to the data user;
and the data user decrypts the ciphertext of the execution result by using the secret key Kr to obtain the plaintext of the execution result.
Through the technical scheme, the following technical effects can be obtained by utilizing the embodiment:
(1) data storage security and data computation security: by using a privacy security computing framework of trusted computing, while the privacy security of user data is ensured, cloud data encryption storage and trusted analysis are realized; the method comprises the steps of remote trusted environment verification, secret on-line supply, decryption and analysis of data only in an isolated and protected trusted computing environment, and return of an encrypted analysis result, wherein any secret key and plaintext data are not exposed outside the boundary of the trusted environment in the whole process.
(2) Saving storage space and computational overhead: by using the access control characteristic provided by the attribute cryptography, the data owner can encrypt the data once, and a plurality of data users can use the data once, so that the storage overhead of multiple encryption caused by the traditional cryptography algorithm is saved, and the expandability of the system is improved.
(3) Traceability: and a third party authorization authentication center is introduced to be responsible for verifying the validity of the attribute key user, managing the security of the key and inquiring the identity and the attribute of the user, so that the security of the key and the traceability of a data user are ensured.
(4) And the minimum trusted computer library interface is appointed, and the risk of data leakage and data user repugnance is minimized.
In practical application, the method embodiment can be applied to various application scenarios, for example, an internet of things big data security computing scenario, as shown in fig. 2, in this scenario, a data owner can be a mass of internet of things devices such as a mobile phone, a television, and a computer, each internet of things terminal device uploads encrypted data to a cloud server, a data user can develop a trusted function according to own requirements, deploy the trusted function to a computing service provider, realize analysis of internet of things big data by means of a trusted computing platform provided by the computing service provider, and meanwhile, can effectively protect the security of data.
In the scenario shown in fig. 2, the data owner may also be an organization such as financial, medical, government, etc., which may cause data islanding problems due to lack of trust between organizations. By means of the embodiment, a plurality of data owners can store data of the data owners in the cloud end provided by the computing service in an encrypted form, and the data users can obtain results of joint calculation of multi-party data by calling the cloud end trusted computing function, and user data of any data owner is not leaked.
In practical application, the above method embodiment may also be applied to a trusted popular video recommendation scene, as shown in fig. 3, based on the above embodiment, the following method may be adopted to implement popular video recommendation:
(1) a plurality of users agree data formats for data of terminal devices (such as various internet of things devices including smart phones, smart televisions and smart home devices) of the users, and obtain encrypted public keys from a third-party certification authority;
(2) the user terminal equipment encrypts video information and uploads the video information to the cloud;
(3) the content provider App applies for a calculation private key to a third-party certification authority;
(4) a third-party computing service provider (such as Amazon) deploying a trusted computing function library; the calculation function can be provided by a content provider according to the actual requirements of the content provider, such as a user habit analysis algorithm and a machine learning algorithm based on equipment data, or by a third-party computing service provider according to the actual requirements of the content provider;
(5) the content provider provision private key is sent to a third-party computing service provider to obtain an encrypted hot video analysis result;
(6) the content provider decrypts and obtains the video with the highest hit amount of the user hit video;
(7) the content provider recommends the popular video to the user.
Corresponding to the above method embodiment, the present application further provides a trusted computing system, including: the system comprises a data user, a data owner, a third party authorization and authentication center, a computing service provider and a cloud server; wherein,
the data user is used for generating a data operation task in a corresponding authorization range according to the data access authorization information acquired from the third party authorization and authentication center after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, and sending the data operation task to the computing service provider; the cloud server is provided by the computing service provider;
the computing service provider is used for acquiring a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task and storing the cipher texts to the cloud server; the cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center;
the data using party is used for sending a calculation private key used for decrypting the ciphertext of the key in the data access authorization information to the cloud server in a secure transmission mode, triggering the cloud server to obtain the plaintext of the data required by the task in the trusted computing environment by using the calculation private key, the ciphertext of the data required by the task in the execution process and the ciphertext of the corresponding key, executing the data operation task by using the plaintext and the trusted computing function library, and sending a corresponding execution result to the data using party in an encryption transmission mode.
Preferably, the data owner is further configured to send an access control policy for the data of the data owner to the third party authorization and authentication center before the validity verification;
the third party authorization and authentication center is further used for generating a corresponding public key and a main private key according to the access control strategy; sending the public key to the data owner;
the data user is further used for authorizing an authentication center to the third party and requesting the use permission of the data owner;
the third party authorization and authentication center is further configured to generate the computation private key and the corresponding data access authorization certificate for the data user by using the master private key according to the request and an access control policy sent by the data owner, and send the data access authorization information to the data user, where the data access authorization information carries the computation private key and the data access authorization certificate.
Preferably, the third party authorization and authentication center is further configured to generate the public key, the master private key, and the calculation private key by using an attribute encryption method.
Preferably, the data owner is further configured to encrypt data of the data owner in advance according to a preset data uploading policy, encrypt a key used in encryption by using a public key generated by the third party authorization and authentication center as the own, and upload a corresponding data encryption result and a corresponding key encryption result to the cloud server.
Preferably, the computing service provider is configured to obtain a ciphertext of data required for task execution and a ciphertext of a corresponding key, and store the ciphertext and the ciphertext to the cloud server, and specifically includes:
judging whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, if not, triggering the corresponding data owner to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
Preferably, each trusted computing function in the trusted computing function library only has a first interface and a second interface, and the first interface is used for inputting operation parameters; the second interface is used for outputting the encrypted data operation result.
Preferably, the data user is specifically configured to perform the validity verification by using a remote verification method.
Preferably, the secure transmission mode is an online security providing mode.
Preferably, the data user is further configured to upload a trusted computing function defined by the data user to the trusted computing function library of the cloud server.
Preferably, the data user is further configured to send the private computation key to the cloud server, and send a self-generated key Kr for encrypting the execution result to the cloud server;
the cloud server is specifically configured to encrypt the execution result by using the key Kr, and then send a ciphertext of the execution result to the data consumer;
the data user is specifically configured to decrypt the ciphertext of the execution result by using the key Kr to obtain the plaintext of the execution result.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (20)

1. A trusted computing method, comprising:
after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, the data user generates a data operation task in a corresponding authorization range according to data access authorization information acquired from a third-party authorization and authentication center, and sends the data operation task to a computing service provider; the cloud server is provided by the computing service provider; the computing service provider is a cloud facilitator providing data storage and trusted computing services;
the computing service provider acquires a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task, and stores the cipher texts to the cloud server; the cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center;
the data using party adopts a safe transmission mode to send a calculation private key used for decrypting the ciphertext of the key in the data access authorization information to the cloud server, triggers the cloud server to obtain the plaintext of the data required by the task in the execution process in the trusted computing environment by using the calculation private key, the ciphertext of the data required by the task in the execution process and the ciphertext of the corresponding key, executes the data operation task by using the plaintext and the trusted computing function library, and sends the corresponding execution result to the data using party by adopting an encryption transmission mode.
2. The method of claim 1, wherein prior to the validation, the method further comprises:
the data owner sends an access control strategy for own data to the third party authorization and authentication center;
the third party authorization and authentication center generates a corresponding public key and a main private key according to the access control strategy; sending the public key to the data owner;
the obtaining of the data access authorization information comprises:
the data using party requests the data using authority of the data owner to the third party authorization and authentication center;
and the third party authorization and authentication center generates the calculation private key and a corresponding data access authorization certificate for the data user by using the main private key according to the request and an access control strategy sent by the data owner, and sends the data access authorization information to the data user, wherein the data access authorization information carries the calculation private key and the data access authorization certificate.
3. The method of claim 2, wherein the third party authorization authority generates the public key, the master private key, and the computational private key using an attribute encryption method.
4. The method of claim 1, wherein the method further comprises:
the data owner encrypts own data in advance according to a preset data uploading strategy, encrypts a key adopted in encryption by using a public key generated by the third party authorization and authentication center, and uploads a corresponding data encryption result and a corresponding key encryption result to the cloud server.
5. The method of claim 1, wherein obtaining the ciphertext of the data required for the task to execute and the ciphertext of the corresponding key and saving the ciphertext to the cloud server comprises:
the computing service provider judges whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, and if not, the corresponding data owner is triggered to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
6. The method of claim 1, wherein each trusted computing function in the library of trusted computing functions has only a first interface and a second interface, the first interface for inputting operational parameters; the second interface is used for outputting the encrypted data operation result.
7. The method of claim 1, wherein the data consumer performs the validation by way of remote validation.
8. The method of claim 1, wherein the secure transmission mode is an online security provision mode.
9. The method of claim 1, wherein the method further comprises:
and the data user uploads the trusted computing function defined by the data user to the trusted computing function library of the cloud server.
10. The method of claim 1, wherein the method further comprises:
the data user sends the calculation private key to the cloud server and sends a key Kr which is generated by the data user and used for encrypting the execution result to the cloud server;
the sending the corresponding execution result to the data user by using the encryption transmission mode comprises:
the cloud server encrypts the execution result by using the secret key Kr and then sends a ciphertext of the execution result to the data user;
and the data user decrypts the ciphertext of the execution result by using the secret key Kr to obtain the plaintext of the execution result.
11. A trusted computing system, comprising: the system comprises a data user, a data owner, a third party authorization and authentication center, a computing service provider and a cloud server; wherein,
the data user is used for generating a data operation task in a corresponding authorization range according to the data access authorization information acquired from the third party authorization and authentication center after the validity verification of the trusted computing environment and the trusted computing function library of the cloud server is passed, and sending the data operation task to the computing service provider; the cloud server is provided by the computing service provider; the computing service provider is a cloud facilitator providing data storage and trusted computing services;
the computing service provider is used for acquiring a cipher text of data required by task execution and a cipher text of a corresponding key according to the data computing task and storing the cipher texts to the cloud server; the cipher text of the data is encrypted by a corresponding data owner, the cipher text of the key is obtained by utilizing a public key for encryption, and the public key is generated for the data owner by the third party authorization and authentication center;
the data using party is used for sending a calculation private key used for decrypting the ciphertext of the key in the data access authorization information to the cloud server in a secure transmission mode, triggering the cloud server to obtain the plaintext of the data required by the task in the trusted computing environment by using the calculation private key, the ciphertext of the data required by the task in the execution process and the ciphertext of the corresponding key, executing the data operation task by using the plaintext and the trusted computing function library, and sending a corresponding execution result to the data using party in an encryption transmission mode.
12. The system of claim 11,
the data owner is further used for sending an access control strategy for the data to the third party authorization and authentication center before the validity is verified;
the third party authorization and authentication center is further used for generating a corresponding public key and a main private key according to the access control strategy; sending the public key to the data owner;
the data user is further used for authorizing an authentication center to the third party and requesting the use permission of the data owner;
the third party authorization and authentication center is further configured to generate the computation private key and the corresponding data access authorization certificate for the data user by using the master private key according to the request and an access control policy sent by the data owner, and send the data access authorization information to the data user, where the data access authorization information carries the computation private key and the data access authorization certificate.
13. The system of claim 12, wherein the third party authorization authority is further configured to generate the public key, the master private key, and the computational private key using an attribute encryption method.
14. The system of claim 11,
the data owner is further used for encrypting the data of the data owner in advance according to a preset data uploading strategy, encrypting a key adopted in encryption by using a public key generated by the third party authorization and authentication center as a self, and uploading a corresponding data encryption result and a corresponding key encryption result to the cloud server.
15. The system of claim 11, wherein the computing service provider is configured to obtain a ciphertext of data required for executing the task and a ciphertext of the corresponding key, and store the ciphertext and the ciphertext to the cloud server, and specifically includes:
judging whether the ciphertext of the data required by the task execution and the ciphertext of the corresponding key are stored in the cloud server, if not, triggering the corresponding data owner to execute an encryption uploading process of the corresponding data; the encrypted uploading process comprises the following steps: and encrypting the data to be uploaded, encrypting the key adopted during encryption by adopting the public key generated by the third party authorization and authentication center for the data owner, and uploading the corresponding data encryption result and the key encryption result to the cloud server.
16. The system of claim 11, wherein each trusted computing function in the library of trusted computing functions has only a first interface and a second interface, the first interface for inputting operational parameters; the second interface is used for outputting the encrypted data operation result.
17. The system of claim 11, wherein the data consumer is configured to perform the validation by way of remote validation.
18. The system of claim 11, wherein the secure transmission means is a means for online security provision.
19. The system of claim 11,
the data user is further configured to upload a trusted computing function defined by the data user to the trusted computing function library of the cloud server.
20. The system of claim 11,
the data user is further used for sending the calculation private key to the cloud server and sending a self-generated secret key Kr for encrypting the execution result to the cloud server;
the cloud server is specifically configured to encrypt the execution result by using the key Kr, and then send a ciphertext of the execution result to the data consumer;
the data user is specifically configured to decrypt the ciphertext of the execution result by using the key Kr to obtain the plaintext of the execution result.
CN201911118927.4A 2019-11-15 2019-11-15 Trusted computing method and system Active CN110855671B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911118927.4A CN110855671B (en) 2019-11-15 2019-11-15 Trusted computing method and system
PCT/KR2020/002430 WO2021095998A1 (en) 2019-11-15 2020-02-19 A trusted computing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911118927.4A CN110855671B (en) 2019-11-15 2019-11-15 Trusted computing method and system

Publications (2)

Publication Number Publication Date
CN110855671A CN110855671A (en) 2020-02-28
CN110855671B true CN110855671B (en) 2022-02-08

Family

ID=69600906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911118927.4A Active CN110855671B (en) 2019-11-15 2019-11-15 Trusted computing method and system

Country Status (2)

Country Link
CN (1) CN110855671B (en)
WO (1) WO2021095998A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378174A (en) * 2020-03-10 2021-09-10 续科天下(北京)科技有限公司 Trusted computing method and device
CN111625815B (en) * 2020-05-26 2023-09-26 牛津(海南)区块链研究院有限公司 Data transaction method and device based on trusted execution environment
CN112613057A (en) * 2020-12-29 2021-04-06 北京熠智科技有限公司 Private key storage method based on trusted execution environment
CN112910846B (en) * 2021-01-15 2024-02-27 常熟理工学院 Communication method based on trusted third party authentication
CN112865968B (en) * 2021-02-08 2021-12-03 上海万向区块链股份公司 Data ciphertext hosting method and system, computer equipment and storage medium
CN112948878A (en) * 2021-03-05 2021-06-11 支付宝(杭州)信息技术有限公司 Privacy-protecting set intersection calculation method and device
CN113127881A (en) * 2021-04-20 2021-07-16 重庆电子工程职业学院 Data security processing method based on big data
CN113438235B (en) * 2021-06-24 2022-10-18 国网河南省电力公司 Data layered credible encryption method
CN113987561A (en) * 2021-09-18 2022-01-28 京信数据科技有限公司 Trusted execution environment-based private data classification method, system and terminal
CN113886862B (en) * 2021-12-06 2022-04-15 粤港澳大湾区数字经济研究院(福田) Trusted computing system and resource processing method based on trusted computing system
CN114462047B (en) * 2022-01-25 2024-03-29 北京工业大学 Cloud outsourcing calculation safety method based on SGX technology
CN115002754B (en) * 2022-02-24 2023-03-31 华东师范大学 Lightweight data sharing method based on vehicle social network
CN114553603B (en) * 2022-04-25 2022-07-29 南湖实验室 Novel data credible decryption method based on privacy calculation
CN115021972B (en) * 2022-05-10 2023-04-07 北京百度网讯科技有限公司 Trusted computing method, device, equipment and medium based on block chain
CN115150183A (en) * 2022-07-25 2022-10-04 黄涌瀚 Multivariable public key communication information transmission method based on cloud computing and cloud storage
CN115834104B (en) * 2022-09-26 2024-08-02 中国电子科技集团公司第三十研究所 Data security circulation method and system
CN116232769B (en) * 2023-05-08 2023-07-18 北京金商祺科技有限公司 Safe interaction method and platform

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957109A (en) * 2014-05-22 2014-07-30 武汉大学 Cloud data privacy protection security re-encryption method
CN110086804A (en) * 2019-04-25 2019-08-02 广州大学 A kind of internet of things data method for secret protection based on block chain and reliable hardware
CN110519049A (en) * 2019-08-07 2019-11-29 赤峰学院 A kind of cloud data protection system based on credible performing environment

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8103562B2 (en) * 2007-04-03 2012-01-24 Sony Computer Entertainment America Llc System and method for processor cycle accounting and valuation
US10318284B2 (en) * 2008-06-02 2019-06-11 International Business Machines Corporation System and method of generating and managing computing tasks
WO2012144909A1 (en) * 2011-04-19 2012-10-26 Invenia As Method for secure storing of a data file via a computer communication network
US9147195B2 (en) * 2011-06-14 2015-09-29 Microsoft Technology Licensing, Llc Data custodian and curation system
US20150244717A1 (en) * 2013-07-09 2015-08-27 Hua Zhong University Of Science Technology Trusted virtual computing system
CN106445676B (en) * 2015-08-05 2019-10-22 杭州海康威视系统技术有限公司 A kind of method for allocating tasks and task allocation apparatus that distributed data calculates
EP3387809B1 (en) * 2015-12-10 2021-04-21 Nokia Technologies Oy Schemes of homomorphic re-encryption
CN106330984B (en) * 2016-11-29 2019-12-24 北京元心科技有限公司 Dynamic updating method and device of access control strategy

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957109A (en) * 2014-05-22 2014-07-30 武汉大学 Cloud data privacy protection security re-encryption method
CN110086804A (en) * 2019-04-25 2019-08-02 广州大学 A kind of internet of things data method for secret protection based on block chain and reliable hardware
CN110519049A (en) * 2019-08-07 2019-11-29 赤峰学院 A kind of cloud data protection system based on credible performing environment

Also Published As

Publication number Publication date
WO2021095998A1 (en) 2021-05-20
CN110855671A (en) 2020-02-28

Similar Documents

Publication Publication Date Title
CN110855671B (en) Trusted computing method and system
Bhardwaj et al. Security algorithms for cloud computing
CN107743133B (en) Mobile terminal and access control method and system based on trusted security environment
CN110750803B (en) Method and device for providing and fusing data
Zhao et al. Trusted data sharing over untrusted cloud storage providers
KR20190073472A (en) Method, apparatus and system for transmitting data
CN109728914B (en) Digital signature verification method, system, device and computer readable storage medium
CN107317677B (en) Secret key storage and equipment identity authentication method and device
CN107959567A (en) Date storage method, data capture method, apparatus and system
US20190268145A1 (en) Systems and Methods for Authenticating Communications Using a Single Message Exchange and Symmetric Key
CN103248479A (en) Cloud storage safety system, data protection method and data sharing method
US20210143986A1 (en) Method for securely sharing data under certain conditions on a distributed ledger
CN108809936B (en) Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof
Kaaniche et al. ID based cryptography for cloud data storage
CN113609522B (en) Data authorization and data access method and device
CN103152322A (en) Method of data encryption protection and system thereof
Kumar et al. Data outsourcing: A threat to confidentiality, integrity, and availability
Rizvi et al. A trusted third-party (TTP) based encryption scheme for ensuring data confidentiality in cloud environment
CN114039753A (en) Access control method and device, storage medium and electronic equipment
CN114547648A (en) Data hiding trace query method and system
CN116132025A (en) Key negotiation method, device and communication system based on preset key group
CN116232639A (en) Data transmission method, device, computer equipment and storage medium
CN106973070A (en) A kind of big data calculates trusteeship service security certification system and method
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN115795446A (en) Method for processing data in trusted computing platform and management device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant