[go: up one dir, main page]

CN115801232A - Private key protection method, device, equipment and storage medium - Google Patents

Private key protection method, device, equipment and storage medium Download PDF

Info

Publication number
CN115801232A
CN115801232A CN202211182328.0A CN202211182328A CN115801232A CN 115801232 A CN115801232 A CN 115801232A CN 202211182328 A CN202211182328 A CN 202211182328A CN 115801232 A CN115801232 A CN 115801232A
Authority
CN
China
Prior art keywords
key
private key
encrypted
private
usbkey
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211182328.0A
Other languages
Chinese (zh)
Other versions
CN115801232B (en
Inventor
何志坚
陶立峰
徐东德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd filed Critical DBAPPSecurity Co Ltd
Priority to CN202211182328.0A priority Critical patent/CN115801232B/en
Publication of CN115801232A publication Critical patent/CN115801232A/en
Application granted granted Critical
Publication of CN115801232B publication Critical patent/CN115801232B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The application discloses a private key protection method, a private key protection device, private key protection equipment and a storage medium, which relate to the technical field of information security and comprise the following steps: generating a pair of asymmetric keys in a trusted execution environment of a privacy computing platform to obtain a first private key and a first public key; generating a symmetric key in the trusted execution environment; acquiring a second public key sent by the USBKey, and encrypting the first private key by using the second public key to obtain an encrypted private key; encrypting the symmetric key by using the first public key to obtain an encrypted symmetric key; when target data sent by a user side is obtained, the encrypted private key and the encrypted symmetric key are sent to the user side, the encrypted private key is decrypted by using a second private key arranged in the USBKey to obtain a first private key, the encrypted symmetric key is decrypted by using the first private key to obtain a symmetric key, and then the target data is encrypted by using the symmetric key. The method and the device protect the safety of the private key in the transmission process through the public key produced by the USBKey, so that the transmission of the private key is safer.

Description

一种私钥保护方法、装置、设备及存储介质A private key protection method, device, equipment and storage medium

技术领域technical field

本申请涉及信息安全技术领域,特别涉及一种私钥保护方法、装置、设备及存储介质。The present application relates to the technical field of information security, in particular to a private key protection method, device, equipment and storage medium.

背景技术Background technique

随着隐私计算(Privacy compute)的蓬勃发展,隐私计算技术已经在各行各业得到了广泛的应用。在隐私计算技术中有一个关键的技术,就是密码学。其中,私钥的安全决定了隐私计算过程中各个环境的数据安全,特别是数据传输、数据存储、数据操作验证时,私钥的携带成为了隐私计算过程中的新问题。因此,如何解决私钥携带的安全、私钥传输的安全、私钥验签的安全,成为了亟需解决的突出问题。With the vigorous development of privacy computing, privacy computing technology has been widely used in various industries. There is a key technology in privacy computing technology, which is cryptography. Among them, the security of the private key determines the data security of each environment in the private computing process, especially in data transmission, data storage, and data operation verification. The carrying of the private key has become a new problem in the private computing process. Therefore, how to solve the security of carrying the private key, the security of the transmission of the private key, and the security of the verification of the private key has become a prominent problem that needs to be solved urgently.

然而,目前的私钥携带、传输和验签存在以下缺点:私钥容易被复制和删除;私钥在传输的过程中,由于没有保护措施,所以容易被窃取;私钥验签太复杂,需要手动执行脚本。However, the current private key carrying, transmission and signature verification have the following disadvantages: the private key is easy to be copied and deleted; the private key is easy to be stolen due to no protection measures during the transmission; the private key signature verification is too complicated and requires Execute the script manually.

发明内容Contents of the invention

有鉴于此,本申请的目的在于提供一种私钥保护方法、装置、设备及存储介质,能够保护私钥在传输过程中的安全,实现数据提供方对自己的私钥进行保护,避免私钥在传输途中被泄密及被复制的风险,使私钥传输更安全。其具体方案如下:In view of this, the purpose of this application is to provide a private key protection method, device, device, and storage medium, which can protect the security of the private key during transmission, and enable the data provider to protect its own private key to avoid private key The risk of being leaked and copied during transmission makes private key transmission more secure. The specific plan is as follows:

第一方面,本申请公开了一种私钥保护方法,应用于隐私计算平台,包括:In the first aspect, this application discloses a private key protection method, which is applied to a privacy computing platform, including:

在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥;generating a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key;

在所述可信执行环境中生成一个对称密钥;generating a symmetric key in said trusted execution environment;

获取USBKey发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥;Obtain the second public key embedded in the USBKey sent by the USBKey, and use the second public key to encrypt the first private key to obtain the encrypted private key;

利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥;Encrypting the symmetric key by using the first public key to obtain an encrypted symmetric key;

当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。When the target data sent by the client is obtained, the encrypted private key and the encrypted symmetric key are sent to the client to use the second private key built in the USBKey to encrypt the Decrypt the private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key to obtain the symmetric key, and then use the symmetric key to decrypt the target The data is encrypted to obtain the target ciphertext.

可选的,所述在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥,包括:Optionally, the generating a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain the first private key and the first public key includes:

在所述隐私计算平台的可信执行环境中通过密钥管理服务系统生成一对非对称密钥,得到第一私钥和第一公钥。A pair of asymmetric keys are generated through a key management service system in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key.

可选的,所述获取USBKey发送的内置于所述USBKey中的第二公钥,包括:Optionally, the obtaining the second public key sent by the USBKey and embedded in the USBKey includes:

获取USBKey通过用户注册的方式发送的内置于所述USBKey中的第二公钥。Obtain the second public key embedded in the USBKey sent by the USBKey through user registration.

可选的,所述利用所述对称密钥对所述目标数据进行加密得到目标密文之后,还包括:Optionally, after using the symmetric key to encrypt the target data to obtain the target ciphertext, the method further includes:

通过所述用户端将所述目标密文发送至所述隐私计算平台,以便通过所述隐私计算平台对所述目标密文进行存储。Sending the target ciphertext to the privacy computing platform through the user terminal, so as to store the target ciphertext through the privacy computing platform.

可选的,所述在所述隐私计算平台的可信执行环境中生成一对非对称密钥之前,还包括:Optionally, before generating a pair of asymmetric keys in the trusted execution environment of the privacy computing platform, the method further includes:

通过所述USBKey随机的生成一对公私钥,得到所述第二公钥和所述第二私钥,并将所述第二公钥和所述第二私钥内置于所述USBKey中。A pair of public and private keys is randomly generated by the USBKey to obtain the second public key and the second private key, and the second public key and the second private key are embedded in the USBKey.

可选的,所述利用所述对称密钥对所述目标数据进行加密得到目标密文之后,还包括:Optionally, after using the symmetric key to encrypt the target data to obtain the target ciphertext, the method further includes:

利用所述对称密钥对所述目标密文进行解密,得到所述目标数据。Using the symmetric key to decrypt the target ciphertext to obtain the target data.

可选的,所述向所述用户端下发所述加密后私钥和所述加密后对称密钥之前,还包括:Optionally, before sending the encrypted private key and the encrypted symmetric key to the client, the method further includes:

利用所述USBKey中内置的公钥算法对所述用户端的身份进行认证,若认证通过则执行所述向所述用户端下发所述加密后私钥和所述加密后对称密钥的步骤。Using the built-in public key algorithm in the USBKey to authenticate the identity of the client, if the authentication is passed, execute the step of delivering the encrypted private key and the encrypted symmetric key to the client.

第二方面,本申请公开了一种私钥保护装置,应用于隐私计算平台,包括:In the second aspect, the present application discloses a private key protection device applied to a privacy computing platform, including:

非对称密钥生成模块,用于在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥;An asymmetric key generation module, configured to generate a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key;

对称密钥生成模块,用于在所述可信执行环境中生成一个对称密钥;A symmetric key generating module, configured to generate a symmetric key in the trusted execution environment;

公钥获取模块,用于获取USBKey发送的内置于所述USBKey中的第二公钥;The public key obtaining module is used to obtain the second public key embedded in the USBKey sent by the USBKey;

公钥加密模块,用于利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥;A public key encryption module, configured to use the second public key to encrypt the first private key to obtain an encrypted private key;

对称密钥加密模块,用于利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥;A symmetric key encryption module, configured to use the first public key to encrypt the symmetric key to obtain an encrypted symmetric key;

密钥下发模块,用于当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥;A key delivery module, configured to deliver the encrypted private key and the encrypted symmetric key to the client when the target data sent by the client is acquired;

解密模块,用于利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥;A decryption module, configured to use the second private key built in the USBKey to decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key Decrypt to obtain the symmetric key;

数据加密模块,用于利用所述对称密钥对所述目标数据进行加密得到目标密文。A data encryption module, configured to use the symmetric key to encrypt the target data to obtain target ciphertext.

第三方面,本申请公开了一种电子设备,包括处理器和存储器;其中,所述处理器执行所述存储器中保存的计算机程序时实现前述的私钥保护方法。In a third aspect, the present application discloses an electronic device, including a processor and a memory; wherein, when the processor executes a computer program stored in the memory, the aforementioned private key protection method is realized.

第四方面,本申请公开了一种计算机可读存储介质,用于存储计算机程序;其中,所述计算机程序被处理器执行时实现前述的私钥保护方法。In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, the aforementioned private key protection method is implemented.

可见,本申请先在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥,然后在所述可信执行环境中生成一个对称密钥,接着获取USBKey发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥,再利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥,当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。本申请通过USBKey随时生产的公私钥中公钥保护了私钥在传输过程中的安全,实现了数据提供方对自己的私钥进行保护,避免了私钥在传输途中被泄密及被复制的风险,使私钥传输更安全。It can be seen that this application first generates a pair of asymmetric keys in the trusted execution environment of the privacy computing platform, obtains the first private key and the first public key, and then generates a symmetric key in the trusted execution environment , then obtain the second public key embedded in the USBKey sent by the USBKey, and use the second public key to encrypt the first private key to obtain the encrypted private key, and then use the first public key Encrypting the symmetric key to obtain the encrypted symmetric key, when the target data sent by the client is obtained, sending the encrypted private key and the encrypted symmetric key to the client to obtain Using the second private key built in the USBKey to decrypt the encrypted private key to obtain the first private key, and using the first private key to decrypt the encrypted symmetric key to obtain the the symmetric key, and then use the symmetric key to encrypt the target data to obtain the target ciphertext. This application protects the security of the private key during the transmission process through the public key of the public and private key produced by the USBKey at any time, realizes the data provider's protection of its own private key, and avoids the risk of the private key being leaked and copied during transmission , making private key transmission more secure.

附图说明Description of drawings

为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present application, and those skilled in the art can also obtain other drawings according to the provided drawings without creative work.

图1为本申请公开的一种私钥保护方法流程图;Fig. 1 is a flow chart of a private key protection method disclosed in the present application;

图2为本申请公开的一种具体的私钥保护方法流程图;FIG. 2 is a flow chart of a specific private key protection method disclosed in the present application;

图3为本申请公开的一种具体的私钥保护方法流程框图;FIG. 3 is a block diagram of a specific private key protection method disclosed in the present application;

图4为本申请公开的一种具体的私钥验签流程图;Fig. 4 is a kind of specific private key sign verification flow chart disclosed in this application;

图5为本申请公开的一种私钥保护装置结构示意图;FIG. 5 is a schematic structural diagram of a private key protection device disclosed in the present application;

图6为本申请公开的一种电子设备结构图。FIG. 6 is a structural diagram of an electronic device disclosed in the present application.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the application with reference to the drawings in the embodiments of the application. Apparently, the described embodiments are only some of the embodiments of the application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the scope of protection of this application.

本申请实施例公开了一种私钥保护方法,应用于隐私计算平台,参见图1所示,该方法包括:The embodiment of the present application discloses a private key protection method, which is applied to a privacy computing platform, as shown in Figure 1. The method includes:

步骤S11:在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥。Step S11: Generate a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key.

本实施例中,首先再所述隐私计算平台的可信执行环境(TEE,Trusted ExecutionEnvironment)中随时的生成一对非对称密钥,得到相应的第一私钥和第一公钥。其中,所述可信执行环境能够使基于inter硬件厂商底层架构可信,并且,通过CPU(CentralProcessing Unit,中央处理器)底层架构保障所述可信执行环境的可信,同时inter的可信执行环境服务中心远程对访问可信执行环境的可信身份验证。例如,当数据参与方需要验证可信执行环境是否可信时,在参与方本地随时的生成随机数r,然后通过可信执行环境对随机数r进行可信认证,并返回可信认证报告;当数据参与方获取到上述可信认证报告时将其自动转发至inter的可信执行环境服务中心,然后通过可信执行环境服务中心验证该可信认证报告的可信执行环境的参数是否有改动,若有改动,则表明可信执行环境不可信;若无改动,则表明可信执行环境可信。In this embodiment, firstly, a pair of asymmetric keys are generated at any time in the Trusted Execution Environment (TEE, Trusted ExecutionEnvironment) of the privacy computing platform, and the corresponding first private key and first public key are obtained. Wherein, the trusted execution environment can make the underlying architecture of the inter-based hardware manufacturer credible, and the underlying architecture of the CPU (Central Processing Unit, central processing unit) guarantees the credibility of the trusted execution environment, and at the same time, the trusted execution of the inter Trusted authentication for access to the Trusted Execution Environment remotely by the Environment Service Center. For example, when a data participant needs to verify whether the trusted execution environment is credible, the random number r is generated locally at the participant at any time, and then the random number r is credibly authenticated through the trusted execution environment, and a credible authentication report is returned; When the data participant obtains the above-mentioned trusted certification report, it will be automatically forwarded to inter's trusted execution environment service center, and then the trusted execution environment service center will verify whether the parameters of the trusted execution environment in the trusted certification report have changed , if there is a change, it indicates that the trusted execution environment is not trusted; if there is no change, it indicates that the trusted execution environment is credible.

需要指出的是,所述在所述隐私计算平台的可信执行环境中生成一对非对称密钥之前,具体还包括:通过USBKey随机的生成一对公私钥,得到所述第二公钥和所述第二私钥,并将所述第二公钥和所述第二私钥内置于所述USBKey中。也即,预先通过USBKey随机的生成一对公私钥,然后将其保存至USBKey中。It should be pointed out that before generating a pair of asymmetric keys in the trusted execution environment of the privacy computing platform, it specifically further includes: randomly generating a pair of public and private keys through a USBKey, and obtaining the second public key and the second private key, and put the second public key and the second private key into the USBKey. That is, a pair of public and private keys is randomly generated through the USBKey in advance, and then stored in the USBKey.

具体的,所述在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥,可以包括:在所述隐私计算平台的可信执行环境中通过密钥管理服务系统生成一对非对称密钥,得到第一私钥和第一公钥。也即,可以基于隐私计算平台的可信执行环境通过密钥管理服务(KMS,Key Management Service)系统生成一对非对称密钥。Specifically, the generating a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain the first private key and the first public key may include: Generate a pair of asymmetric keys through the key management service system to obtain the first private key and the first public key. That is, a pair of asymmetric keys can be generated through a key management service (KMS, Key Management Service) system based on the trusted execution environment of the privacy computing platform.

步骤S12:在所述可信执行环境中生成一个对称密钥。Step S12: Generate a symmetric key in the trusted execution environment.

本实施例中,在所述隐私计算平台的可信执行环境中生成一对非对称密钥得到第一私钥和第一公钥之后,进一步的在上述隐私计算平台的可信执行环境中生成一个对称密钥。In this embodiment, after generating a pair of asymmetric keys in the trusted execution environment of the private computing platform to obtain the first private key and the first public key, further generate A symmetric key.

步骤S13:获取USBKey发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥。Step S13: Obtain the second public key embedded in the USBKey sent by the USBKey, and use the second public key to encrypt the first private key to obtain an encrypted private key.

本实施例中,在所述可信执行环境中生成一个对称密钥之后,先获取由USBKey发送的并且内置于上述USBKey中的第二公钥,然后利用所述第二公钥对上述第一私钥进行加密处理,得到加密后私钥。In this embodiment, after a symmetric key is generated in the trusted execution environment, the second public key sent by the USBKey and embedded in the above-mentioned USBKey is obtained first, and then the above-mentioned first The private key is encrypted to obtain the encrypted private key.

步骤S14:利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥。Step S14: Using the first public key to encrypt the symmetric key to obtain an encrypted symmetric key.

本实施例中,利用所述第二公钥对所述第一私钥进行加密得到加密后私钥之后,接着利用上述第一公钥对上述对称密钥进行加密处理,得到相应的加密后对称密钥。In this embodiment, after using the second public key to encrypt the first private key to obtain an encrypted private key, then use the first public key to encrypt the above-mentioned symmetric key to obtain the corresponding encrypted symmetric key. key.

步骤S15:当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。Step S15: When the target data sent by the client is acquired, send the encrypted private key and the encrypted symmetric key to the client, so as to use the second private key pair built in the USBKey Decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key to obtain the symmetric key, and then use the symmetric key to The target data is encrypted to obtain target ciphertext.

本实施例中,利用所述第一公钥对所述对称密钥进行加密得到加密后对称密钥之后,当获取到由用户端发送的目标数据时,先将上述加密后私钥和上述加密后对称密钥下发至上述用户端,然后在所述用户端侧自动执行所述USBKey中的脚本,并利用内置于上述USBKey中的第二私钥对上述加密后私钥进行解密操作,进而得到上述第一私钥,接着利用解密后得到的所述第一私钥对上述加密后对称密钥进行解密,得到上述对称密钥,进一步的,利用上述对称密钥对上述目标数据进行加密得到相应的目标密文。In this embodiment, after using the first public key to encrypt the symmetric key to obtain the encrypted symmetric key, when the target data sent by the client is obtained, the above encrypted private key and the above encrypted Afterwards, the symmetric key is sent to the above-mentioned client, and then the script in the USBKey is automatically executed on the client side, and the second private key built in the above-mentioned USBKey is used to decrypt the above-mentioned encrypted private key, and then Obtain the above-mentioned first private key, then use the first private key obtained after decryption to decrypt the above-mentioned encrypted symmetric key to obtain the above-mentioned symmetric key, and further, use the above-mentioned symmetric key to encrypt the above-mentioned target data to obtain The corresponding target ciphertext.

另外,所述向所述用户端下发所述加密后私钥和所述加密后对称密钥之前,具体还包括:利用所述USBKey中内置的公钥算法对所述用户端的身份进行认证,若认证通过则执行所述向所述用户端下发所述加密后私钥和所述加密后对称密钥的步骤。需要指出的是,所述USBKey是一种USB接口的硬件设备,内置了单片机或智能卡芯片,并且具有一定的存储空间,可以存储用户的私钥以及数字证书等信息,利用USB Key内置的公钥算法可以实现对用户身份的认证,由于用户私钥保存在密码锁中,理论上使用任何方式都无法读取,因此采用USB Key能够保证用户认证的安全性。本实施例在向用户端下发密钥信息时,为了确保信息发送的安全性,可以先通过USBKey中内置的公钥算法对用户端的身份进行认证,如果认证通过则进行相应的信息下发操作。In addition, before sending the encrypted private key and the encrypted symmetric key to the client, it specifically further includes: using the built-in public key algorithm in the USBKey to authenticate the identity of the client, If the authentication is passed, the step of sending the encrypted private key and the encrypted symmetric key to the client is executed. It should be pointed out that the USBKey is a hardware device with a USB interface, has a built-in single-chip microcomputer or a smart card chip, and has a certain storage space, which can store information such as the user's private key and digital certificate, and use the built-in public key of the USB Key to The algorithm can realize the authentication of the user's identity. Since the user's private key is stored in the combination lock, it cannot be read in any way in theory. Therefore, the use of USB Key can ensure the security of user authentication. In this embodiment, when sending the key information to the user terminal, in order to ensure the security of the information transmission, the identity of the user terminal can be authenticated through the built-in public key algorithm in the USBKey, and if the authentication is passed, the corresponding information delivery operation will be carried out .

需要指出的是,所述利用所述对称密钥对所述目标数据进行加密得到目标密文之后,还可以包括:通过所述用户端将所述目标密文发送至所述隐私计算平台,以便通过所述隐私计算平台对所述目标密文进行存储。本实施例中,为了提高目标密文存储的安全性,在用户端生成目标密文之后,可以将其发送至隐私计算平台中进行保存。It should be pointed out that, after encrypting the target data with the symmetric key to obtain the target ciphertext, it may also include: sending the target ciphertext to the privacy computing platform through the client, so that The target ciphertext is stored by the privacy computing platform. In this embodiment, in order to improve the security of target ciphertext storage, after the client generates the target ciphertext, it can be sent to the privacy computing platform for storage.

进一步的,所述利用所述对称密钥对所述目标数据进行加密得到目标密文之后,还可以包括:利用所述对称密钥对所述目标密文进行解密,得到所述目标数据。本实施例中,为了对私钥进行验签,还可以利用内置于USBKey中的上述第二私钥对所述加密后私钥进行解密,得到所述第一私钥,然后利用上述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对上述目标密文数据进行解密,得到明文信息,即所述目标数据,以上便完成了对私钥的验签。Further, after encrypting the target data with the symmetric key to obtain the target ciphertext, the method may further include: decrypting the target ciphertext with the symmetric key to obtain the target data. In this embodiment, in order to verify the signature of the private key, the encrypted private key can also be decrypted by using the above-mentioned second private key built in the USBKey to obtain the first private key, and then use the above-mentioned first private key to decrypt the encrypted private key. key to decrypt the encrypted symmetric key to obtain the symmetric key, and then use the symmetric key to decrypt the above-mentioned target ciphertext data to obtain plaintext information, that is, the target data. Signature verification of the private key.

可见,本申请实施例先在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥,然后在所述可信执行环境中生成一个对称密钥,接着获取USBKey发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥,再利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥,当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。本申请实施例通过USBKey随时生产的公私钥中公钥保护了私钥在传输过程中的安全,实现了数据提供方对自己的私钥进行保护,避免了私钥在传输途中被泄密及被复制的风险,使私钥传输更安全。It can be seen that in the embodiment of the present application, a pair of asymmetric keys is first generated in the trusted execution environment of the privacy computing platform to obtain the first private key and the first public key, and then a symmetric key is generated in the trusted execution environment. key, then obtain the second public key sent by the USBKey and built in the USBKey, and use the second public key to encrypt the first private key to obtain the encrypted private key, and then use the first The public key encrypts the symmetric key to obtain the encrypted symmetric key, and when the target data sent by the client is obtained, the encrypted private key and the encrypted symmetric key are sent to the client , to use the second private key built in the USBKey to decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key, Obtain the symmetric key, and then use the symmetric key to encrypt the target data to obtain target ciphertext. The embodiment of this application protects the security of the private key during the transmission process through the public key of the public and private keys produced by the USBKey at any time, and realizes that the data provider can protect its own private key, avoiding the private key from being leaked and copied during transmission risk, making private key transmission more secure.

本申请实施例公开了一种具体的私钥保护方法,应用于隐私计算平台,参见图2和图3所示所示,该方法包括:The embodiment of this application discloses a specific private key protection method, which is applied to a privacy computing platform, as shown in Figure 2 and Figure 3, the method includes:

步骤S21:在所述隐私计算平台的可信执行环境中通过密钥管理服务系统生成一对非对称密钥,得到第一私钥和第一公钥。Step S21: Generate a pair of asymmetric keys through the key management service system in the trusted execution environment of the privacy computing platform, and obtain the first private key and the first public key.

在一种具体的实施方式中,参见图3所示,先通过USBKey随时的生成一对公私钥对,得到私钥UK1和公钥UK2,接着密钥管理服务系统在隐私计算平台的可信执行环境中生成一对非对称密钥,得到私钥K1和公钥K2。需要指出的是,所述可信执行环境采用硬件生成密钥的方式,所述密钥管理服务系统用于数据流通中全生命周期加密,提供独立统一密钥管理,支持独立密钥管理体系,包含加密密钥生成、分配、备份、恢复、密钥不出设备等功能,加密密钥统一由主密钥进行保护,主密钥由所述密钥管理服务系统通过硬件密码设备产生并管理,确保主密钥安全。In a specific implementation, as shown in Figure 3, a pair of public-private key pairs is generated at any time through the USBKey to obtain the private key UK1 and public key UK2, and then the key management service system is trusted to execute on the privacy computing platform A pair of asymmetric keys are generated in the environment, and a private key K1 and a public key K2 are obtained. It should be pointed out that the trusted execution environment uses hardware to generate keys, and the key management service system is used for full-lifecycle encryption in data circulation, provides independent and unified key management, and supports independent key management systems. Including functions such as encryption key generation, distribution, backup, recovery, key out of the device, etc. The encryption key is uniformly protected by the master key, which is generated and managed by the key management service system through the hardware cryptographic device. Keep the master key safe.

步骤S22:在所述可信执行环境中生成一个对称密钥。Step S22: Generate a symmetric key in the trusted execution environment.

进一步的,通过上述密钥管理服务系统在上述可信执行环境中生成一个对称密钥K。Further, a symmetric key K is generated in the above-mentioned trusted execution environment through the above-mentioned key management service system.

步骤S23:获取USBKey通过用户注册的方式发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥。Step S23: Obtain the second public key embedded in the USBKey sent by the USBKey through user registration, and use the second public key to encrypt the first private key to obtain an encrypted private key.

例如,在所述可信执行环境中生成一个对称密钥K之后,通过用户注册的方式将上述USBKey中的所述公钥UK2发送到上述隐私计算平台,所述隐私计算平台接收到上述公钥UK2后,使用上述公钥UK2对上述非对称密钥中的私钥K1进行加密,得到加密后私钥UK12。For example, after a symmetric key K is generated in the trusted execution environment, the public key UK2 in the above-mentioned USBKey is sent to the above-mentioned privacy computing platform through user registration, and the above-mentioned privacy computing platform receives the above-mentioned public key After UK2, use the above-mentioned public key UK2 to encrypt the private key K1 in the above-mentioned asymmetric key to obtain the encrypted private key UK12.

步骤S24:利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥。Step S24: Using the first public key to encrypt the symmetric key to obtain an encrypted symmetric key.

进一步的,利用上述非对称密钥中的公钥K2对上述对称密钥K进行加密,得到加密后对称密钥KK2。Further, the above-mentioned symmetric key K is encrypted by using the public key K2 in the above-mentioned asymmetric key to obtain the encrypted symmetric key KK2.

步骤S25:当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。Step S25: When the target data sent by the client is acquired, send the encrypted private key and the encrypted symmetric key to the client, so as to use the second private key pair built in the USBKey Decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key to obtain the symmetric key, and then use the symmetric key to The target data is encrypted to obtain target ciphertext.

在一种具体的实施例中,当获取到用户端发送的目标数据时,通过所述隐私计算平台向所述用户端下发上述加密后私钥UK12和上述加密后对称密钥KK2,然后在所述用户端自动执行上述USBkey中脚本,并使用上述私钥UK1对上述加密后私钥UK12进行解密,得到上述私钥K1,接着使用上述私钥K1对上述加密后对称密钥KK2进行解密,得到所述对称密钥K,最后在所述用户端本地使用上述对称密钥K对待进行加密的本地文件,得到密文KM,还可以进一步的将上述密文KM上传至上述隐私计算平台中进行保存。可以理解的是,通过内置脚本在USBKey中可以自动化进行私钥验签,可以更方便、安全的对数据集进行授权。In a specific embodiment, when the target data sent by the client is acquired, the above-mentioned encrypted private key UK12 and the above-mentioned encrypted symmetric key KK2 are issued to the client through the privacy computing platform, and then the The client automatically executes the script in the above-mentioned USBkey, and uses the above-mentioned private key UK1 to decrypt the above-mentioned encrypted private key UK12 to obtain the above-mentioned private key K1, and then uses the above-mentioned private key K1 to decrypt the above-mentioned encrypted symmetric key KK2, Obtain the symmetric key K, and finally use the above-mentioned symmetric key K locally on the client side to encrypt the local file to obtain the ciphertext KM, and further upload the above-mentioned ciphertext KM to the above-mentioned privacy computing platform for further save. It is understandable that the private key signature verification can be automatically performed in the USBKey through the built-in script, which can authorize the data set more conveniently and safely.

另外,参见图4所示,图4示出了一种具体的私钥验签过程,先将USBKey插入到隐私计算平台中,然后利用上述私钥UK1对上述加密后私钥UK12进行解密,得到上述私钥K1,然后利用上述私钥K1对上述加密后对称密钥KK2进行解密,得到所述对称密钥K,接着同步上述密文KM进入到所述隐私计算平台的可信执行环境中,并将上述对称密钥K同步进入至上述可信执行环境中,以利用上述对称密钥K对上述密文KM进行解密,得到明文M。In addition, refer to Figure 4, which shows a specific private key signature verification process, first insert the USBKey into the privacy computing platform, and then use the above-mentioned private key UK1 to decrypt the above-mentioned encrypted private key UK12 to obtain The above-mentioned private key K1, and then use the above-mentioned private key K1 to decrypt the above-mentioned encrypted symmetric key KK2 to obtain the above-mentioned symmetric key K, and then synchronize the above-mentioned ciphertext KM to enter the trusted execution environment of the privacy computing platform, And synchronously enter the above-mentioned symmetric key K into the above-mentioned trusted execution environment, so as to use the above-mentioned symmetric key K to decrypt the above-mentioned ciphertext KM to obtain the plaintext M.

可见,本申请提出的私钥保护方案通过是USBKey随时生产的公私钥中的公钥对隐私计算平台分配的私钥进行加密的,并通过用户端本地的USBKey进行私钥验签,可以实现数据提供方对自己的私钥进行保护,防止因私钥泄漏发生数据安全风险,简化了私钥验证的过程,提升了用户使用感,无须手动执行脚本,使私钥验签更方便、更安全,在保护私钥在传输过程中安全性的同时,能够快速的对私钥进行验签,并且能够二次确认用户的真实性。It can be seen that the private key protection scheme proposed in this application encrypts the private key distributed by the privacy computing platform through the public key in the public and private keys produced by USBKey at any time, and performs private key signature verification through the local USBKey on the client side, which can realize data The provider protects its own private key to prevent data security risks due to private key leakage, simplifies the process of private key verification, improves user experience, and does not need to manually execute scripts, making private key verification more convenient and safer. While protecting the security of the private key during transmission, it can quickly verify the signature of the private key and confirm the authenticity of the user twice.

相应的,本申请实施例还公开了一种私钥保护装置,应用于隐私计算平台,参见图5所示,该装置包括:Correspondingly, the embodiment of the present application also discloses a private key protection device, which is applied to a privacy computing platform, as shown in Figure 5, the device includes:

非对称密钥生成模块11,用于在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥;An asymmetric key generation module 11, configured to generate a pair of asymmetric keys in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key;

对称密钥生成模块12,用于在所述可信执行环境中生成一个对称密钥;A symmetric key generation module 12, configured to generate a symmetric key in the trusted execution environment;

公钥获取模块13,用于获取USBKey发送的内置于所述USBKey中的第二公钥;A public key acquisition module 13, configured to acquire the second public key sent by the USBKey and embedded in the USBKey;

公钥加密模块14,用于利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥;A public key encryption module 14, configured to encrypt the first private key with the second public key to obtain the encrypted private key;

对称密钥加密模块15,用于利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥;A symmetric key encryption module 15, configured to use the first public key to encrypt the symmetric key to obtain an encrypted symmetric key;

密钥下发模块16,用于当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥;A key delivery module 16, configured to deliver the encrypted private key and the encrypted symmetric key to the client when the target data sent by the client is acquired;

解密模块17,用于利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥;Decryption module 17, configured to use the second private key built in the USBKey to decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key key to decrypt to obtain the symmetric key;

数据加密模块18,用于利用所述对称密钥对所述目标数据进行加密得到目标密文。A data encryption module 18, configured to use the symmetric key to encrypt the target data to obtain target ciphertext.

其中,关于上述各个模块的具体工作流程可以参考前述实施例中公开的相应内容,在此不再进行赘述。For the specific work flow of each of the above modules, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.

可见,本申请实施例中,先在所述隐私计算平台的可信执行环境中生成一对非对称密钥,得到第一私钥和第一公钥,然后在所述可信执行环境中生成一个对称密钥,接着获取USBKey发送的内置于所述USBKey中的第二公钥,并利用所述第二公钥对所述第一私钥进行加密,得到加密后私钥,再利用所述第一公钥对所述对称密钥进行加密,得到加密后对称密钥,当获取到用户端发送的目标数据时,向所述用户端下发所述加密后私钥和所述加密后对称密钥,以利用内置于所述USBKey中的第二私钥对所述加密后私钥进行解密得到所述第一私钥,并利用所述第一私钥对所述加密后对称密钥进行解密,得到所述对称密钥,再利用所述对称密钥对所述目标数据进行加密得到目标密文。本申请实施例通过USBKey随时生产的公私钥中公钥保护了私钥在传输过程中的安全,实现了数据提供方对自己的私钥进行保护,避免了私钥在传输途中被泄密及被复制的风险,使私钥传输更安全。It can be seen that in the embodiment of the present application, a pair of asymmetric keys is first generated in the trusted execution environment of the privacy computing platform, and the first private key and the first public key are obtained, and then generated in the trusted execution environment A symmetric key, then obtain the second public key sent by the USBKey and built in the USBKey, and use the second public key to encrypt the first private key to obtain the encrypted private key, and then use the The first public key encrypts the symmetric key to obtain the encrypted symmetric key. When the target data sent by the client is obtained, the encrypted private key and the encrypted symmetric key are sent to the client. key, to use the second private key built in the USBKey to decrypt the encrypted private key to obtain the first private key, and use the first private key to decrypt the encrypted symmetric key decrypt to obtain the symmetric key, and then use the symmetric key to encrypt the target data to obtain target ciphertext. The embodiment of this application protects the security of the private key during the transmission process through the public key of the public and private keys produced by the USBKey at any time, and realizes that the data provider can protect its own private key, avoiding the private key from being leaked and copied during transmission risk, making private key transmission more secure.

在一些具体实施例中,所述非对称密钥生成模块11,具体可以包括:In some specific embodiments, the asymmetric key generation module 11 may specifically include:

第一非对称密钥生成单元,用于在所述隐私计算平台的可信执行环境中通过密钥管理服务系统生成一对非对称密钥,得到第一私钥和第一公钥。The first asymmetric key generation unit is configured to generate a pair of asymmetric keys through the key management service system in the trusted execution environment of the privacy computing platform to obtain a first private key and a first public key.

在一些具体实施例中,所述公钥获取模块13,具体可以包括:In some specific embodiments, the public key acquisition module 13 may specifically include:

公钥获取单元,用于获取USBKey通过用户注册的方式发送的内置于所述USBKey中的第二公钥。The public key acquiring unit is configured to acquire the second public key embedded in the USBKey sent by the USBKey through user registration.

在一些具体实施例中,所述数据加密模块18之后,还可以包括:In some specific embodiments, after the data encryption module 18, it may also include:

密文发送单元,用于通过所述用户端将所述目标密文发送至所述隐私计算平台;a ciphertext sending unit, configured to send the target ciphertext to the privacy computing platform through the client;

密文存储单元,用于通过所述隐私计算平台对所述目标密文进行存储。A ciphertext storage unit, configured to store the target ciphertext through the privacy computing platform.

在一些具体实施例中,所述非对称密钥生成模块11之前,还可以包括:In some specific embodiments, before the asymmetric key generation module 11, it may also include:

第二非对称密钥生成单元,用于通过所述USBKey随机的生成一对公私钥,得到所述第二公钥和所述第二私钥;A second asymmetric key generating unit, configured to randomly generate a pair of public and private keys through the USBKey, to obtain the second public key and the second private key;

存储单元,用于将所述第二公钥和所述第二私钥内置于所述USBKey中。A storage unit, configured to store the second public key and the second private key in the USBKey.

在一些具体实施例中,所述数据加密模块18之后,还可以包括:In some specific embodiments, after the data encryption module 18, it may also include:

密文解密单元,用于利用所述对称密钥对所述目标密文进行解密,得到所述目标数据。A ciphertext decryption unit, configured to use the symmetric key to decrypt the target ciphertext to obtain the target data.

在一些具体实施例中,所述密钥下发模块16之前,还可以包括:In some specific embodiments, before the key issuing module 16, it may also include:

身份认证单元,用于利用所述USBKey中内置的公钥算法对所述用户端的身份进行认证,若认证通过则执行所述向所述用户端下发所述加密后私钥和所述加密后对称密钥的步骤。An identity authentication unit, configured to use the built-in public key algorithm in the USBKey to authenticate the identity of the client, and if the authentication is passed, execute the sending of the encrypted private key and the encrypted private key to the client. Symmetric key steps.

进一步的,本申请实施例还公开了一种电子设备,图6是根据一示例性实施例示出的电子设备20结构图,图中的内容不能认为是对本申请的使用范围的任何限制。Further, the embodiment of the present application also discloses an electronic device. FIG. 6 is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content in the figure should not be regarded as any limitation on the application scope of the present application.

图6为本申请实施例提供的一种电子设备20的结构示意图。该电子设备20,具体可以包括:至少一个处理器21、至少一个存储器22、电源23、通信接口24、输入输出接口25和通信总线26。其中,所述存储器22用于存储计算机程序,所述计算机程序由所述处理器21加载并执行,以实现前述任一实施例公开的私钥保护方法中的相关步骤。另外,本实施例中的电子设备20具体可以为电子计算机。FIG. 6 is a schematic structural diagram of an electronic device 20 provided by an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21 , at least one memory 22 , a power supply 23 , a communication interface 24 , an input/output interface 25 and a communication bus 26 . Wherein, the memory 22 is used to store a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the private key protection method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may specifically be an electronic computer.

本实施例中,电源23用于为电子设备20上的各硬件设备提供工作电压;通信接口24能够为电子设备20创建与外界设备之间的数据传输通道,其所遵循的通信协议是能够适用于本申请技术方案的任意通信协议,在此不对其进行具体限定;输入输出接口25,用于获取外界输入数据或向外界输出数据,其具体的接口类型可以根据具体应用需要进行选取,在此不进行具体限定。In this embodiment, the power supply 23 is used to provide working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows is applicable Any communication protocol in the technical solution of the present application is not specifically limited here; the input and output interface 25 is used to obtain external input data or output data to the external, and its specific interface type can be selected according to specific application needs, here Not specifically limited.

另外,存储器22作为资源存储的载体,可以是只读存储器、随机存储器、磁盘或者光盘等,其上所存储的资源可以包括操作系统221、计算机程序222等,存储方式可以是短暂存储或者永久存储。In addition, the memory 22, as a resource storage carrier, can be a read-only memory, random access memory, magnetic disk or optical disk, etc., and the resources stored thereon can include operating system 221, computer program 222, etc., and the storage method can be temporary storage or permanent storage. .

其中,操作系统221用于管理与控制电子设备20上的各硬件设备以及计算机程序222,其可以是Windows Server、Netware、Unix、Linux等。计算机程序222除了包括能够用于完成前述任一实施例公开的由电子设备20执行的私钥保护方法的计算机程序之外,还可以进一步包括能够用于完成其他特定工作的计算机程序。Wherein, the operating system 221 is used to manage and control various hardware devices and computer programs 222 on the electronic device 20 , which may be Windows Server, Netware, Unix, Linux, etc. In addition to the computer program 222 that can be used to complete the private key protection method performed by the electronic device 20 disclosed in any of the foregoing embodiments, the computer program 222 can further include a computer program that can be used to complete other specific tasks.

进一步的,本申请还公开了一种计算机可读存储介质,用于存储计算机程序;其中,所述计算机程序被处理器执行时实现前述公开的私钥保护方法。关于该方法的具体步骤可以参考前述实施例中公开的相应内容,在此不再进行赘述。Further, the present application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, the aforementioned private key protection method is implemented. Regarding the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, and details are not repeated here.

本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其它实施例的不同之处,各个实施例之间相同或相似部分互相参见即可。对于实施例公开的装置而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。Each embodiment in this specification is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same or similar parts of each embodiment can be referred to each other. As for the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and for the related information, please refer to the description of the method part.

专业人员还可以进一步意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Professionals can further realize that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, computer software or a combination of the two. In order to clearly illustrate the possible For interchangeability, in the above description, the composition and steps of each example have been generally described according to their functions. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.

结合本文中所公开的实施例描述的方法或算法的步骤可以直接用硬件、处理器执行的软件模块,或者二者的结合来实施。软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质中。The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be directly implemented by hardware, software modules executed by a processor, or a combination of both. Software modules can be placed in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other Any other known storage medium.

最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should also be noted that in this text, relational terms such as first and second etc. are only used to distinguish one entity or operation from another, and do not necessarily require or imply that these entities or operations, any such actual relationship or order exists. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or device. Without further limitations, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising said element.

以上对本申请所提供的一种私钥保护方法、装置、设备及存储介质进行了详细介绍,本文中应用了具体个例对本申请的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本申请的方法及其核心思想;同时,对于本领域的一般技术人员,依据本申请的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本申请的限制。A private key protection method, device, device, and storage medium provided by this application have been described above in detail. In this article, specific examples are used to illustrate the principles and implementation methods of this application. The description of the above embodiments is only for To help understand the method and its core idea of this application; at the same time, for those of ordinary skill in the art, according to the idea of this application, there will be changes in the specific implementation and application scope. In summary, the content of this specification It should not be construed as a limitation of the application.

Claims (10)

1. A private key protection method applied to a private computing platform comprises the following steps:
generating a pair of asymmetric keys in a trusted execution environment of the privacy computing platform to obtain a first private key and a first public key;
generating a symmetric key in said trusted execution environment;
acquiring a second public key which is sent by the USBKey and is arranged in the USBKey, and encrypting the first private key by utilizing the second public key to obtain an encrypted private key;
encrypting the symmetric key by using the first public key to obtain an encrypted symmetric key;
when target data sent by a user side is obtained, the encrypted private key and the encrypted symmetric key are issued to the user side, so that the encrypted private key is decrypted by using a second private key arranged in the USBKey to obtain a first private key, the encrypted symmetric key is decrypted by using the first private key to obtain the symmetric key, and then the target data is encrypted by using the symmetric key to obtain a target ciphertext.
2. The method of claim 1, wherein generating an asymmetric pair of keys in a trusted execution environment of the private computing platform, resulting in a first private key and a first public key, comprises:
and generating a pair of asymmetric keys through a key management service system in a trusted execution environment of the privacy computing platform to obtain a first private key and a first public key.
3. The method for protecting the private key according to claim 1, wherein the obtaining the second public key sent by the USBKey and built in the USBKey comprises:
and acquiring a second public key which is sent by the USBKey through a user registration mode and is arranged in the USBKey.
4. The method for protecting a private key according to claim 1, wherein after encrypting the target data with the symmetric key to obtain a target ciphertext, the method further comprises:
and sending the target ciphertext to the privacy computing platform through the user side so as to store the target ciphertext through the privacy computing platform.
5. The method of claim 1, wherein prior to generating the pair of asymmetric keys in the trusted execution environment of the private computing platform, further comprising:
and randomly generating a pair of public and private keys through the USBKey to obtain the second public key and the second private key, and placing the second public key and the second private key in the USBKey.
6. The method of claim 1, wherein after encrypting the target data with the symmetric key to obtain a target ciphertext, the method further comprises:
and decrypting the target ciphertext by using the symmetric key to obtain the target data.
7. The method according to any one of claims 1 to 6, wherein before the sending the encrypted private key and the encrypted symmetric key to the user side, the method further comprises:
and authenticating the identity of the user side by using a public key algorithm built in the USBKey, and if the authentication is passed, executing the step of issuing the encrypted private key and the encrypted symmetric key to the user side.
8. A private key protection device applied to a private computing platform, comprising:
the asymmetric key generation module is used for generating a pair of asymmetric keys in a trusted execution environment of the privacy computing platform to obtain a first private key and a first public key;
a symmetric key generation module, configured to generate a symmetric key in the trusted execution environment;
the public key acquisition module is used for acquiring a second public key which is sent by the USBKey and is arranged in the USBKey;
the public key encryption module is used for encrypting the first private key by using the second public key to obtain an encrypted private key;
the symmetric key encryption module is used for encrypting the symmetric key by using the first public key to obtain an encrypted symmetric key;
the key issuing module is used for issuing the encrypted private key and the encrypted symmetric key to the user side when target data sent by the user side is acquired;
the decryption module is used for decrypting the encrypted private key by using a second private key arranged in the USBKey to obtain the first private key, and decrypting the encrypted symmetric key by using the first private key to obtain the symmetric key;
and the data encryption module is used for encrypting the target data by using the symmetric key to obtain a target ciphertext.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the private key protection method of any of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the private key protection method of any one of claims 1 to 7.
CN202211182328.0A 2022-09-27 2022-09-27 A method, apparatus, device, and storage medium for protecting private keys. Active CN115801232B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211182328.0A CN115801232B (en) 2022-09-27 2022-09-27 A method, apparatus, device, and storage medium for protecting private keys.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211182328.0A CN115801232B (en) 2022-09-27 2022-09-27 A method, apparatus, device, and storage medium for protecting private keys.

Publications (2)

Publication Number Publication Date
CN115801232A true CN115801232A (en) 2023-03-14
CN115801232B CN115801232B (en) 2026-01-30

Family

ID=85432268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211182328.0A Active CN115801232B (en) 2022-09-27 2022-09-27 A method, apparatus, device, and storage medium for protecting private keys.

Country Status (1)

Country Link
CN (1) CN115801232B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116346341A (en) * 2023-03-29 2023-06-27 阿里云计算有限公司 Private key protection and server access method, system, device and storage medium
CN117544430A (en) * 2024-01-10 2024-02-09 北京佳芯信息科技有限公司 Intelligent data encryption method and system
CN118898081A (en) * 2024-09-30 2024-11-05 山东正中信息技术股份有限公司 File encryption method and system based on CP-ABE and USBKEY

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090106561A1 (en) * 2007-10-16 2009-04-23 Buffalo Inc. Data management apparatus and data management method
CN101470789A (en) * 2007-12-28 2009-07-01 中国长城计算机深圳股份有限公司 Encryption and decryption method and device of computer
CN101483518A (en) * 2009-02-20 2009-07-15 北京天威诚信电子商务服务有限公司 Customer digital certificate private key management method and system
CN107566407A (en) * 2017-10-20 2018-01-09 哈尔滨工程大学 A kind of two-way authentication Security Data Transmission and storage method based on USBkey
CN113868684A (en) * 2021-09-30 2021-12-31 成都卫士通信息产业股份有限公司 Signature method, device, server, medium and signature system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090106561A1 (en) * 2007-10-16 2009-04-23 Buffalo Inc. Data management apparatus and data management method
CN101470789A (en) * 2007-12-28 2009-07-01 中国长城计算机深圳股份有限公司 Encryption and decryption method and device of computer
CN101483518A (en) * 2009-02-20 2009-07-15 北京天威诚信电子商务服务有限公司 Customer digital certificate private key management method and system
CN107566407A (en) * 2017-10-20 2018-01-09 哈尔滨工程大学 A kind of two-way authentication Security Data Transmission and storage method based on USBkey
CN113868684A (en) * 2021-09-30 2021-12-31 成都卫士通信息产业股份有限公司 Signature method, device, server, medium and signature system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116346341A (en) * 2023-03-29 2023-06-27 阿里云计算有限公司 Private key protection and server access method, system, device and storage medium
CN117544430A (en) * 2024-01-10 2024-02-09 北京佳芯信息科技有限公司 Intelligent data encryption method and system
CN117544430B (en) * 2024-01-10 2024-03-29 北京佳芯信息科技有限公司 Intelligent data encryption method and system
CN118898081A (en) * 2024-09-30 2024-11-05 山东正中信息技术股份有限公司 File encryption method and system based on CP-ABE and USBKEY

Also Published As

Publication number Publication date
CN115801232B (en) 2026-01-30

Similar Documents

Publication Publication Date Title
CN110784491B (en) Internet of things safety management system
CN111416807B (en) Data acquisition method, device and storage medium
EP3577848B1 (en) Origin certificate based online certificate issuance
US9467430B2 (en) Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware
US20210320789A1 (en) Secure distribution of device key sets over a network
EP2204008B1 (en) Credential provisioning
US7526649B2 (en) Session key exchange
US20140112470A1 (en) Method and system for key generation, backup, and migration based on trusted computing
CN102986161B (en) Method and system for password protecting an application
US20060013402A1 (en) Method of delivering Direct Proof private keys to devices using an on-line service
CN105915338B (en) Generate the method and system of key
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
CN106452764B (en) A method and cryptographic system for automatic update of identification private key
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
TW202015378A (en) Cryptographic operation method, method for creating work key, and cryptographic service platform and device
CN111917710A (en) PCI-E password card, key protection method thereof, and computer-readable storage medium
CN110912685B (en) Establishing a protected communication channel
CN115801232A (en) Private key protection method, device, equipment and storage medium
WO2023151427A1 (en) Quantum key transmission method, device and system
CN111600903A (en) A communication method, system, device and readable storage medium
US20250226974A1 (en) Method and apparatus for distributing encrypted device unique credentials
CN106992978B (en) Network security management method and server
Yoon et al. Security enhancement scheme for mobile device using H/W cryptographic module
CN116432220A (en) Numerical control system host access control method, device, equipment and storage medium
EP3769462B1 (en) Secure distribution of device key sets over a network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant