
CN119538319A - Anti-tampering database method and system based on trusted computing environment - Google Patents


Info

Publication number: CN119538319A
Authority: CN (China)
Prior art keywords: data, tamper, module, computing environment, hash value
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202411476697.XA
Other languages: Chinese (zh)
Inventors: 刘凡, 荆志军, 安琪, 王鹏宇, 张仁湖, 刘锡明
Current Assignee: Nanjing Yuanji Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Nanjing Yuanji Technology Co ltd
Application filed by: Nanjing Yuanji Technology Co ltd

Classifications

    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of information security technology, and specifically to a tamper-proof database method and system based on a trusted computing environment. The method comprises: S1, receiving incoming data over the secure communication protocol TLS, performing preliminary verification and cleaning of the data, generating a verification key with the trusted computing module TPM, and storing it in the secure storage area of the trusted computing module; S2, loading the verified data into the trusted execution environment (TEE) to generate an encryption key, which is stored in the internal storage area of the TEE; S3, performing an integrity check on the encrypted data in the TEE; S4, sending the checked data out of the TEE over TLS to the tamper-proof database for storage. By performing data processing and storage operations in a trusted computing environment and using a tamper-proof database to ensure the integrity and immutability of operation records, the combination improves the trust and security of the entire data processing and storage system.

Description

Tamper-resistant database method and system based on trusted computing environment
Technical Field
The invention relates to the technical field of information security, in particular to a tamper-proof database method and a tamper-proof database system based on a trusted computing environment.
Background
With the rapid development of information technology, data security and integrity have become important challenges for every industry. Data tampering and unauthorized access occur frequently and seriously undermine the trust and security of enterprises and users. Conventional security measures such as encryption and access control provide some degree of protection, but they struggle to prevent data tampering by internal attackers or by users with elevated privileges. A more comprehensive and effective technical solution is therefore needed to improve the security and reliability of data.
Traditional data protection techniques rely primarily on software-level measures such as data encryption, access control, and firewalls. These techniques can, to some extent, prevent data from being illegally accessed and tampered with, but they generally cannot fully withstand internal attackers or users with elevated privileges: for example, an insider may steal the encryption key or bypass the access control mechanism. Furthermore, conventional data storage techniques lack a mechanism for continuously verifying data integrity, so tampering is difficult to detect and recover from in time. These limitations leave conventional techniques inadequate in the face of increasingly complex network security threats.
Prior-art solutions have improved in some respects but still have a number of disadvantages. For example, some systems employ hardware-assisted security measures, such as Trusted Platform Modules (TPM), to enhance the security of data. However, these techniques often provide limited protection against security threats during storage and transmission of data. In addition, although existing tamper-resistant database technology can record an unalterable data log, it relies on software-level measures and has difficulty addressing security holes at the hardware level. In the face of complex network attacks, these techniques still run the risk of being breached.
The present technical scheme therefore provides a comprehensive data protection solution by combining trusted computing technology with tamper-resistant database technology.
Disclosure of Invention
The invention discloses a tamper-proof database method based on a trusted computing environment, which comprises the following steps:
S1, receiving incoming data over the secure communication protocol TLS, performing preliminary verification and cleaning of the data, generating a verification key with the trusted computing module TPM, and storing the verification key in the secure storage area of the trusted computing module;
S2, loading the verified data into the trusted execution environment (TEE) to generate an encryption key, and storing the encryption key in the internal storage area of the TEE;
S3, performing an integrity check on the encrypted data in the TEE;
S4, sending the checked data out of the TEE over TLS to the tamper-proof database for storage.
Preferably, the verification key generated by the trusted computing module TPM in S1 is used to verify the integrity of the data by comparing, at the hardware level, the hash value of the actual data with the expected hash value, thereby verifying whether data in critical boot and runtime software has been tampered with.
Preferably, the TEE uses Intel Software Guard Extensions (SGX) to generate the encryption key, which specifically includes the following steps:
S2.1, creating a secure Enclave in SGX, and loading data into the Enclave;
S2.2, generating a random initialization vector in the Enclave through a hardware random number generator (RNG);
S2.3, encrypting inside the Enclave with the strong encryption algorithm AES-256 in GCM mode, generating an encryption key, and storing the encryption key in the Enclave.
Preferably, the integrity check in S3 includes the following steps:
S3.1, generating a hash value for the data through a hash algorithm, and storing the hash value or attaching it to the data;
S3.2, before the data is accessed or transmitted, recalculating the hash value of the current data and comparing it with the original hash value to ensure that the data has not been modified;
S3.3, verifying the source and the integrity of the data with a digital signature: the data client signs the data or its hash value with a private key, and the signature is verified with the sender's public key, showing that the data has not been tampered with since it was signed.
Preferably, storing the data in the tamper-resistant database in S4 includes the following steps:
S4.1, encrypting the data in the tamper-resistant database with a symmetric encryption algorithm: a storage key is generated by a hardware security module (HSM), and the data is encrypted with the generated storage key;
S4.2, calculating the hash value of the data and, using a key-value (K-V) storage model, giving each data item a unique key and a value;
S4.3, linking the hash value of each data item to the hash value of the previous data item, and storing each data item together with its calculated hash value to form a hash chain;
S4.4, storing the encrypted data in the tamper-proof database through the hash chain.
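The hash-chained key-value storage of S4.2 to S4.4, as an added example that is not part of the patent text. SHA-256, the all-zero start value, the record layout and the names `HashChainedStore` and `entry_hash` are assumptions; values stand in for data already encrypted in S4.1. The demo also shows why the chain head has to be anchored outside the database (for instance in the TPM or Enclave): a party who can rewrite every record can recompute a self-consistent chain.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # assumed start-of-chain value; the patent does not define one


def entry_hash(prev_hash: str, key: str, value: bytes) -> str:
    """SHA-256 over (previous hash, key, value); each field is length-prefixed
    so that different (key, value) splits can never hash to the same input."""
    h = hashlib.sha256()
    for part in (bytes.fromhex(prev_hash), key.encode("utf-8"), value):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


class HashChainedStore:
    """Append-only K-V store in which every record carries the previous hash."""

    def __init__(self):
        self.log = []    # records in insertion order
        self.index = {}  # unique key -> position in self.log

    def head(self) -> str:
        return self.log[-1]["hash"] if self.log else GENESIS

    def put(self, key: str, value: bytes) -> str:
        if key in self.index:
            raise KeyError(f"key {key!r} already stored; records are append-only")
        prev = self.head()
        self.log.append({"key": key, "value": value, "prev": prev,
                         "hash": entry_hash(prev, key, value)})
        self.index[key] = len(self.log) - 1
        return self.head()

    def get(self, key: str) -> bytes:
        return self.log[self.index[key]]["value"]

    def verify(self, trusted_head=None) -> int:
        """Return -1 if the chain is intact, else the index of the first bad
        record. If a trusted head is supplied and the recomputed head differs,
        return len(log): the chain is self-consistent but was rewritten or
        truncated."""
        prev = GENESIS
        for i, rec in enumerate(self.log):
            expected = entry_hash(prev, rec["key"], rec["value"])
            if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], expected):
                return i
            prev = rec["hash"]
        if trusted_head is not None and not hmac.compare_digest(prev, trusted_head):
            return len(self.log)
        return -1


def demo():
    store = HashChainedStore()
    # Constructed sample records; the byte strings stand in for ciphertext.
    for key, value in [("rec-1", b"ct-1"), ("rec-2", b"ct-2"), ("rec-3", b"ct-3")]:
        store.put(key, value)
    anchored = store.head()           # head kept outside the database
    intact = store.verify(anchored)

    store.log[1]["value"] = b"forged"  # in-place edit of one stored value
    edited = store.verify()

    # Failure mode: every later link is recomputed after the edit.
    prev = store.log[0]["hash"]
    for rec in store.log[1:]:
        rec["prev"] = prev
        rec["hash"] = entry_hash(prev, rec["key"], rec["value"])
        prev = rec["hash"]
    without_anchor = store.verify()
    with_anchor = store.verify(anchored)
    return intact, edited, without_anchor, with_anchor


if __name__ == "__main__":
    print(demo())
```

The third result is the one to note: after a full recomputation the chain verifies on its own, and only the comparison against the separately held head reports the change.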
The tamper-resistant database system based on the trusted computing environment comprises a trusted computing layer, a data processing layer, a data storage layer and a system interaction layer;
The trusted computing layer comprises a TPM and an SGX, wherein the TPM generates a verification key from the data, stores the verification key in a secure storage area, manages access control to the data so that applications and users identified as authorized by the verification key can decrypt and access sensitive data, and records an operation log;
The SGX creates a secure Enclave as an isolated execution environment, generates an encryption key from the data in the Enclave, and processes and stores sensitive data and the encryption key;
The data processing layer comprises a preliminary data verification module, a data cleaning module and a data integrity verification module;
The preliminary verification module performs data type and structure verification, data size and value range verification, and detection of malicious content and replay attacks;
The data cleaning module identifies duplicate records and unifies data formats, splits and merges fields, corrects logic errors, detects and handles outliers, and checks validity and consistency;
The data integrity verification module verifies data integrity by generating a unique hash value for the data through a hash algorithm;
The data storage layer comprises a data storage module and a data query module;
The data storage module stores data in the tamper-proof database using a key-value (K-V) storage model;
The data query module retrieves data stored in the tamper-resistant database through a query API;
The system interaction layer comprises an internal API, an external API and a security calling module;
The internal API is used for data exchange between the different layers and allows each internal module to call specific functions through the API;
The external API provides an interface through which external users access and operate on the data in the database, and authenticates the caller to identify authorized access;
The security calling module calls the Enclave interface of the SGX from outside, starts a specific security task in the Enclave, and encrypts and decrypts data.
Preferably, the TPM further comprises a TPM remote attestation module and an operation protection module. Through the TPM remote attestation module, the server proves data integrity to a remote client or a third-party service, and the client, by verifying the security state of the server, confirms that the data processing and storage environment meets the expected security standards. The operation protection module uses the TPM to protect the software and hardware environment from tampering throughout the process from startup to execution.
Preferably, the SGX further includes an SGX remote attestation function that allows the database to prove its identity and integrity to a remote user or application; the secure Enclave is cryptographically signed, and the verifier confirms from the signature that the data of the secure Enclave is secure and has not been tampered with;
The secure Enclave distinguishes between the outside and the inside of the Enclave: data is automatically encrypted when it is stored outside the secure Enclave, and decryption is performed inside the secure Enclave.
Preferably, the data query module further comprises a data verification mechanism: when a user issues a query, the tamper-proof database verifies the hash value of the query parameter to ensure that the query is valid before the stored data is retrieved. If the hash value of the query parameter matches the hash value held in tamper-proof storage, the query operation is allowed; if it does not match, the query is refused and the time of the query attempt and the operator's information are recorded.
Preferably, the system interaction layer adopts a two-way (mutual) TLS protection mechanism: transmitted data is encrypted with TLS over an established encrypted communication channel, and requests for data processing or data retrieval can be submitted by verified clients. The mechanism also logs information about all API calls and caches frequently requested data.
Compared with the prior art, the technical scheme of the application has the following technical effects:
The invention receives data in transit over the secure communication protocol TLS and performs preliminary verification and cleaning of the data, which addresses the problem that data may be tampered with or have malicious content injected during conventional data transmission. TLS ensures the encryption and integrity of data in transit, while preliminary verification and cleaning ensure the validity and safety of the data by checking data type, structure, size and value range and by preventing replay attacks. This improves the security of data transmission and reduces the burden of invalid or malicious data on the TEE, improving the overall performance and reliability of the system.
By generating the verification key in the trusted computing module TPM and storing it in the secure storage area, the method addresses the weaknesses of key management and data integrity verification in conventional systems. The TPM compares hash values of the data at the hardware level to ensure the integrity of data during startup and operation; a hardware-level verification mechanism is difficult for software-level attacks to defeat, which greatly enhances the security and trustworthiness of the system. In addition, the TPM supports a remote attestation function, so that a remote client or a third-party service can verify the system state and data integrity, further improving the transparency and trust of the system.
The invention creates the secure Enclave in Intel Software Guard Extensions (SGX) and generates and manages the encryption key inside the Enclave, which addresses the security risks of key management and data processing in conventional encryption technology. The secure Enclave provided by SGX ensures the isolation and confidentiality of data and code during execution, so that an attacker cannot access the sensitive data and execution logic in the Enclave even if the operating system is compromised. This improves the security of data processing, and periodic key updates and a secure key disposal mechanism further strengthen the system's resistance to attack. In addition, SGX supports a remote attestation function that allows a remote user or application to verify the identity and integrity of the secure Enclave, improving the credibility and security of the system.
By using a symmetric encryption algorithm and hash chain technology in the tamper-proof database, the invention addresses the security and integrity problems of data storage and transmission in conventional database technology. The tamper-proof database generates a storage key through the hardware security module (HSM) and encrypts the data with the generated key, ensuring the security of data in storage. At the same time, calculating the hash value of the data and forming a hash chain ensures that the data is tamper-proof and traceable. The technical scheme not only improves the security of data storage but also, through detailed logging and a data verification mechanism, enhances the auditing and data recovery capabilities of the system, providing a higher level of protection for data processing and storage.
The foregoing description is only an overview of the present application, and is intended to provide a better understanding of the technical means of the present application, so that the present application may be practiced according to the teachings of the present specification, and so that the above-mentioned and other objects, features and advantages of the present application may be better understood, and the following detailed description of the preferred embodiments of the present application will be presented in conjunction with the accompanying drawings.
The above and other objects, advantages and features of the present application will become more apparent to those skilled in the art from the following detailed description of the specific embodiments of the present application when taken in conjunction with the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Like elements or portions are generally identified by like reference numerals throughout the several figures. In the drawings, elements or portions thereof are not necessarily drawn to scale.
FIG. 1 is a flow chart of the entire method for tamper-resistant database based on trusted computing environment of the present invention;
FIG. 2 is a block diagram of the entire tamper resistant database system based on a trusted computing environment in accordance with the present invention;
FIG. 3 is a block diagram of the whole encryption algorithm of the present invention for encrypting data;
FIG. 4 is a flow chart of the TEE of the invention generating encryption keys;
FIG. 5 is a verification flow chart of the integrity verification of encrypted data according to the present invention;
FIG. 6 is a flow chart of the data storage of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. In the following description, specific details such as specific configurations and components are provided merely to facilitate a thorough understanding of embodiments of the application. It will therefore be apparent to those skilled in the art that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the application. In addition, descriptions of well-known functions and constructions are omitted in the embodiments for clarity and conciseness.
It should be appreciated that reference throughout this specification to "one embodiment" or "this embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the "one embodiment" or "this embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the present application may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate that A exists alone, B exists alone, or A and B exist simultaneously. The term "/and" herein describes another association between objects and indicates that two relationships may exist; for example, A/and B may indicate that A exists alone, or that A and B exist separately. In addition, the character "/" herein generally indicates that the associated objects are in an "or" relationship.
The term "at least one" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, at least one of A and B may mean that A exists alone, that A and B exist together, or that B exists alone.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprise," "include," or any other variation thereof, are intended to cover a non-exclusive inclusion.
Example 1
This embodiment mainly describes a tamper-resistant database system based on a trusted computing environment which, as shown in FIG. 2, comprises a trusted computing layer, a data processing layer, a data storage layer and a system interaction layer;
The trusted computing layer comprises a TPM and an SGX;
The TPM serves as a secure cryptoprocessor that securely stores encryption keys, digital certificates and other sensitive data and provides hardware-level security functions, including encryption and signature operations;
The TPM can securely store and manage the key used to encrypt the database, ensuring that the key cannot easily be obtained by external software or an attacker, and can manage access control so that only authorized applications and users can decrypt and access sensitive data;
The TPM is used to ensure that the database files have not been tampered with: when the database starts, it verifies the integrity of the database files, detecting illegal modification by comparing the hash value of the actual file with the expected hash value. Because this verification is carried out at the hardware level, it is difficult for software-level attacks to defeat;
The TPM can record the database operation log for later security audits and post-incident analysis, and can ensure the integrity of the log data and prevent the log from being tampered with, which is particularly important for tracing potential security incidents and data leaks;
The TPM further comprises a TPM remote attestation module and an operation protection module. Through the TPM remote attestation module, the server proves data integrity to a remote client or a third-party service, and the client verifies the security state of the server to ensure that the data processing and storage environment meets the expected security standards. The operation protection module uses the TPM to protect the software and hardware environment from tampering throughout the process from startup to execution.
The SGX provides an isolated execution environment for the database by creating a secure Enclave. The Enclave is a protected memory area whose data and code are invisible even at the operating system level;
In SGX, data is automatically encrypted when stored outside the Enclave and can be decrypted only inside the Enclave, which ensures the security of data in storage and transmission;
Database operations can be performed inside the Enclave, ensuring the security and privacy of data processing;
The SGX can record the operation log of the database; the log is generated and encrypted inside the Enclave, ensuring its integrity and confidentiality. SGX also allows the database application to start securely even if other parts of the system have been compromised.
The SGX can verify, before execution, whether the database application code has been tampered with, ensuring that only verified code can run in the Enclave.
The SGX further comprises an SGX remote attestation function that allows the database to prove its identity and integrity to a remote user or application; the secure Enclave is cryptographically signed, and the verifier confirms from the signature that the data of the secure Enclave is secure and has not been tampered with;
The data processing layer comprises a preliminary data verification module, a data cleaning module and a data integrity verification module;
The preliminary verification module performs data type and structure verification, data size and value range verification, and detection of malicious content and replay attacks;
Data type and structure verification ensures that the type of each data field is as expected, for example that a date field conforms to a date format and that a numeric field contains only digits, and checks that the data conforms to a predefined structure, such as the structural integrity of JSON or XML and the presence of required fields;
Data size and value range verification checks that the size of the data packet is within the allowed range, to avoid the system load caused by processing oversized data, and checks data values, for example that an age cannot be negative and a date cannot fall outside a logical range;
Detection of malicious content and replay attacks scans the data for possible SQL injection code, script injection or other malicious input, and checks whether received data is a duplicate, to prevent historical data from being resent to deceive the system;
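The preliminary verification module's structure, type, size, value-range and replay checks, as an added example that is not part of the patent text. The JSON schema, the size and age limits and the name `PreliminaryVerifier` are assumptions; the replay check hashes a canonical form of the message so that re-ordered keys or changed whitespace do not pass as new data. Malicious-content scanning is left out of the sketch.

```python
import hashlib
import json
from datetime import date

# Assumed schema and limits; the patent names the checks, not concrete values.
SCHEMA = {"record_id": str, "birth_date": str, "age": int}
MAX_BYTES = 1024
MAX_AGE = 150


class PreliminaryVerifier:
    """Runs the checks in a fixed order and returns (accepted, reason)."""

    def __init__(self):
        # Digests of accepted messages. Unbounded here; a deployment would
        # expire entries, e.g. by pairing the digest with a timestamp window.
        self.seen = set()

    def check(self, raw: bytes, today=None):
        today = today or date.today()

        # Size first, so oversized input is never parsed.
        if len(raw) > MAX_BYTES:
            return False, "too large"

        # Structural integrity of the JSON document.
        try:
            msg = json.loads(raw)
        except (ValueError, RecursionError):  # bad syntax, bad UTF-8, deep nesting
            return False, "malformed JSON"
        if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
            return False, "wrong structure"

        # Field types. type() is used instead of isinstance() because bool
        # is a subclass of int and would otherwise pass as an age.
        for field, expected in SCHEMA.items():
            if type(msg[field]) is not expected:
                return False, f"{field} has wrong type"

        # Date format and logical range.
        try:
            born = date.fromisoformat(msg["birth_date"])
        except ValueError:
            return False, "birth_date is not a date"
        if born > today:
            return False, "birth_date out of range"

        # Value range.
        if not 0 <= msg["age"] <= MAX_AGE:
            return False, "age out of range"

        # Replay detection on a canonical serialisation of the message.
        canonical = json.dumps(msg, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
        if digest in self.seen:
            return False, "replay"
        self.seen.add(digest)
        return True, "ok"


if __name__ == "__main__":
    verifier = PreliminaryVerifier()
    # Constructed sample messages.
    samples = [
        b'{"record_id":"r-1","birth_date":"1990-05-17","age":34}',
        b'{ "age": 34, "birth_date": "1990-05-17", "record_id": "r-1" }',
        b'{"record_id":"r-2","birth_date":"1990-05-17","age":-1}',
    ]
    for raw in samples:
        print(verifier.check(raw, today=date(2024, 11, 1)))
```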
The data cleaning module comprises identifying duplicate records and unifying data formats, splitting and merging fields and correcting logic errors, detecting and processing abnormal values, and checking validity and consistency;
The aim of data cleaning is to improve the quality of the data and ensure the safety of the sensitive process: errors and incomplete records in the data are removed or corrected, ensuring the accuracy and consistency of the data and improving its usability, reliability and effectiveness. Data cleaning mainly comprises the following parts:
Identifying duplicate records and unifying data formats: checking whether the data contains duplicate entries, which may have been generated before the data entered the TEE; ensuring that all data fields conform to the same format standard by converting inconsistent data types to a consistent format, such as converting numbers of a string type to a numeric type;
Field splitting and merging and logic error correction: adjusting the data structure by splitting one field into several fields, or merging several fields into one, as required, and correcting logic errors in the data;
Abnormal value detection and processing: identifying abnormal values in the data by statistical methods, where abnormal values may be caused by incorrect input or measurement errors, and then correcting them, deleting them, or retaining them with a mark;
Validity and consistency checks: ensuring that the data complies with validity rules and that the data remains logically consistent across different fields, e.g. a person's date of birth should be earlier than their date of employment.
The data integrity verification module verifies the data integrity by generating a unique hash value for the data through a hash algorithm;
The data storage layer comprises a data storage module and a data query module;
The data storage module stores data into the tamper-proof database through a K-V pair storage model;
The data query module acquires data stored in the tamper-resistant database through a query API;
The system interaction layer comprises an internal API, an external API and a security calling module, forming a bridge for interaction between the layers of the system and with the outside, and ensuring the safety and integrity of the data;
The system external API provides interfaces for external users or systems to access and operate on the data in the database, such as acquiring, updating and deleting data records; it authenticates the system caller and ensures that only authorized users or systems can access the API;
The security calling module calls the Enclave interface of SGX from the outside to start a specific security task inside the Enclave, so that the operation is carried out in the TEE. The security calling module can also start a data processing task in the Enclave to encrypt and decrypt data; the external call to the SGX Enclave interface specifically handles the encryption operation before data is persisted to the database, ensuring that all sensitive data is securely encrypted before leaving the trusted execution environment;
The system interaction layer also comprises an API endpoint supporting the decryption flow for data read from the database. It ensures that data is decrypted inside the trusted environment and maintains the confidentiality and integrity of the data: the received data is decrypted inside the Enclave and, after processing, is encrypted again and sent back to the client or other services without leaving the security boundary.
The system interaction layer adopts a bidirectional TLS protection mechanism, which protects data whether it is being submitted or queried. The mechanism applies to interactions at multiple layers of the system, including user access, data processing and secure communication with the trusted execution environment. From the user terminal to the back-end service, and from the trusted computing layer to the data storage layer, all transmitted data is encrypted through TLS and an encrypted communication channel is established, effectively preventing the data from being stolen or tampered with in transit. Once the bidirectional TLS channel is established, all data passing through it is encrypted, so that even if the data is intercepted in transit it cannot be read by an unauthorized person;
The bidirectional TLS protection mechanism ensures that only authenticated clients can submit data for processing or retrieve data when communicating with the Enclave of the trusted computing layer. All keys used for TLS encryption must be securely managed, and are securely stored and restored using the sealing and unsealing functions of SGX to prevent them from being accessed by malware. In addition, all TLS connection attempts, successful handshakes and completions of critical steps are recorded in an audit log for future security analysis and investigation.
The embodiment creates a secure execution environment through the trusted computing module TPM and Intel Software Guard Extensions (SGX), ensuring safety and transparency during data processing and storage. It addresses the shortcomings of the traditional technology in data encryption and access control, improves the overall safety of the data through the double protection of hardware and software, and introduces a remote attestation function that enhances the credibility of the system and provides a higher level of protection for data processing and storage.
Example 2
The embodiment describes in detail a tamper-resistant database method based on a trusted computing environment, as shown in fig. 1, comprising the steps of:
S1, receiving data transmitted into the computer by adopting a security protocol communication TLS, performing preliminary verification and cleaning on the data, generating a verification key by a trusted computing module TPM, and storing the verification key in a security storage area of the trusted computing module;
S2, loading the verified data into the feasible computing environment TEE to generate an encryption key, and storing the encryption key in an internal storage area of the feasible computing environment TEE;
S3, carrying out integrity check on encrypted data in the feasible computing environment TEE;
S4, the checked data leave the feasible computing environment TEE through the security protocol communication TLS and are transmitted to a tamper-proof database for storage.
Further, the verification key generated by the trusted computing module TPM in S1 verifies the integrity of the data by comparing, at the hardware level, the hash value of the actual data with the expected hash value, and verifies whether the data in the key startup and running software has been tampered with.
Further, as shown in fig. 4, the TEE uses Intel Software Guard Extensions (SGX) to generate an encryption key, which specifically includes the following steps:
S2.1, creating a secure Enclave in SGX, and loading data into the Enclave;
S2.2, generating a random initialization vector inside the Enclave through a hardware random number generator RNG;
S2.3, encrypting inside the Enclave with the strong encryption algorithm AES-256 in the GCM encryption mode, generating an encryption key, and storing the encryption key in the Enclave.
The initialization vector in S2.2 is a non-secret binary sequence in the encryption algorithm, used to assist the GCM encryption mode by introducing randomness and uniqueness into the encryption process; the encryption of each data block in the GCM encryption mode depends on the output of the previous one, so the initialization vector is used for encrypting the first data block;
As shown in fig. 3, because the randomly generated initialization vector is combined with the plaintext data block, even the same data produces different ciphertext in different encryption instances, which prevents an attacker from deducing the original data by comparing the patterns of encrypted messages; in addition, even if the same data is encrypted repeatedly, using different initialization vectors produces different ciphertext, which increases the uniqueness of the encryption process and protects information containing repeated or structured data;
In the GCM mode, the initialization vector must be guaranteed to be unique for each encryption key, and the initialization vector is securely stored to prevent tampering during encryption.
The encryption key is generated and stored inside the Enclave, which ensures the security of the key. The encryption key is stored securely using the sealing function provided by the Enclave, so that it cannot be accessed outside the Enclave. Each time the data is updated, the data is digitally signed with the private key generated by the Enclave and the signature is stored in the tamper-resistant database; for each item of data retrieved from the database, the application in the Enclave verifies the validity of the signature, ensuring that the data has not been tampered with.
The encryption key is generated inside the trusted execution environment TEE: a strong random number generator ensures the randomness and unpredictability of the key, the encryption key is generated according to the encryption algorithm, and it is stored in an internal storage area of the TEE to prevent external access and leakage;
Access to and use of the encryption key of the TEE are strictly controlled, so that only authorized processes or personnel can access it; following the principle of least privilege, the encryption key is accessible only when it is used. The encryption key can be updated periodically according to the security policy to resist potential attacks, and when it is no longer used, measures are taken to discard it safely, such as using an encryption technology to overwrite the encryption key data.
Before encryption, the data is converted into an encoding that the encryption algorithm can process effectively, such as UTF-8. The data is encrypted in the TEE using the preselected encryption algorithm and the generated encryption key, and all operations during encryption are performed in the secure memory of the TEE, so that no sensitive data leaks into ordinary memory. An integrity check is carried out on the encrypted data to ensure that it has not been tampered with or damaged during encryption;
A decryption test can be carried out on a small part of the data to confirm that the encryption process is correct. Encryption algorithm identification and timestamp information can be added to the encrypted data, which leaves the TEE through the TLS secure communication protocol and is transmitted to the tamper-proof database module. During decryption and encryption, the system can record detailed encryption information to a security log, providing data support for subsequent audit.
Further, as shown in fig. 5, the integrity check in S3 includes the following steps:
S3.1, generating a hash value for the data through a hash algorithm, and storing the hash value or attaching it to the data itself;
S3.2, before the data is accessed or transmitted, recalculating the hash value of the current data and comparing it with the original hash value to ensure that the data has not been modified;
S3.3, verifying the source and the integrity of the data by means of a digital signature: the data client signs the data or the hash value with a private key, and the signature is verified with the public key of the sender, showing that the data has not been tampered with since it was signed.
The system uses a hash algorithm to verify data integrity by generating a unique hash value for the data: when the data is first generated, the system generates a hash value over the data content and stores it or attaches it to the data itself;
The source and the integrity of the data are verified by means of a digital signature: the data client signs the data or its hash value with its own private key, and the system can verify the signature with the public key of the sender, which proves that the data was sent by the signer and at the same time shows that the data has not been tampered with since it was signed.
Implemented in this way, the integrity verification mechanism plays multiple roles of protection, monitoring and support in the invention: it provides a necessary layer of security protection for the system and, while protecting the data and the system from unauthorized or malicious tampering, also provides traceability and clear attribution of responsibility.
Further, as shown in fig. 6, the tamper-proof database in S4 stores data, including the following steps:
S4.1, the tamper-resistant database encrypts data using a symmetric encryption algorithm: a storage key is generated through a hardware security module HSM, and the data is encrypted with the generated storage key;
S4.2, calculating the hash value of the data and, through the K-V pair storage model, generating for each data item a unique key and a value;
S4.3, linking the hash value of the data to the hash value of the previous data, and storing each data item together with its calculated hash value to form a hash chain;
S4.4, storing the encrypted data in the tamper-proof database through the hash chain.
The tamper-resistant database in S4.2 uses a K-V pair storage model in which each data item comprises a unique key and a value. To ensure that the data cannot be tampered with, the value of each data item is encrypted and stored together with a hash value, the hash value being calculated from the value of the data using a hash algorithm;
When data is updated, the tamper-resistant database recalculates the hash value and compares it with the old hash value to ensure that the data has not been tampered with. If the hash values match, the data is unchanged; if they do not match, the data has been tampered with, and the tamper-resistant database can reject the update operation and record the time of the tampering attempt and the operator information.
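The hash chain of S4.2 to S4.4 and the update check described above can be illustrated with the following sketch, added here as an example and not taken from the patent. It assumes SHA-256, treats each value as ciphertext already produced in S4.1, and models an update as a new chained version of the key; the class and function names are hypothetical.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

GENESIS = b"\x00" * 32  # assumed starting link for an empty chain


@dataclass
class Entry:
    key: str
    ciphertext: bytes  # value as encrypted upstream (S4.1)
    value_hash: bytes  # hash calculated from the stored value (S4.2)
    prev_link: bytes   # link of the previous entry (S4.3)
    link: bytes        # hash over prev_link, key and value_hash


def value_hash(ciphertext):
    return hashlib.sha256(ciphertext).digest()


def link_hash(prev_link, key, vhash):
    """Chain link; the key is length-prefixed so fields cannot run together."""
    kb = key.encode("utf-8")
    return hashlib.sha256(
        prev_link + len(kb).to_bytes(4, "big") + kb + vhash
    ).digest()


class HashChainedStore:
    def __init__(self):
        self.log = []    # append-only list of entries, in chain order
        self.index = {}  # key -> position of its latest version
        self.audit = []  # rejected update attempts

    def head(self):
        return self.log[-1].link if self.log else GENESIS

    def put(self, key, ciphertext, operator):
        """Store a value. Returns the new head link, or None if rejected."""
        if key in self.index:
            current = self.log[self.index[key]]
            # Recalculate the hash of what is stored and compare it with
            # the hash recorded when the value was written.
            if not hmac.compare_digest(value_hash(current.ciphertext),
                                       current.value_hash):
                self.audit.append({"time": time.time(), "operator": operator,
                                   "key": key,
                                   "reason": "stored value does not match its hash"})
                return None
        vhash = value_hash(ciphertext)
        prev = self.head()
        entry = Entry(key, ciphertext, vhash, prev, link_hash(prev, key, vhash))
        self.log.append(entry)
        self.index[key] = len(self.log) - 1
        return entry.link

    def get(self, key):
        entry = self.log[self.index[key]]
        if not hmac.compare_digest(value_hash(entry.ciphertext), entry.value_hash):
            raise ValueError("stored value does not match its hash")
        return entry.ciphertext

    def verify_chain(self):
        """Return the position of the first inconsistent entry, or -1."""
        prev = GENESIS
        for pos, entry in enumerate(self.log):
            if (entry.prev_link != prev
                    or value_hash(entry.ciphertext) != entry.value_hash
                    or link_hash(prev, entry.key, entry.value_hash) != entry.link):
                return pos
            prev = entry.link
        return -1
```

The chain only exposes a rewrite if the head link is held or signed somewhere the storage operator cannot change, since anyone able to rewrite every entry from the modified one onward can rebuild consistent links.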
By combining trusted computing technology and tamper-resistant database technology, the embodiments provide an all-round data protection solution. The integrated application of the security protocol communication TLS, the trusted computing module TPM, Intel Software Guard Extensions (SGX) and the tamper-resistant database addresses the shortcomings of the traditional technology in data transmission, key management, data processing, storage and other aspects, and the overall security and credibility of the data are significantly improved through the double protection of hardware and software.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Those skilled in the art may make various modifications and variations to the present invention; modifications, alterations, substitutions and integrations, by general substitution or by means achieving the same function, that do not depart from the principle and spirit of the present invention remain within the scope of the invention.

Claims (10)

1. A tamper-proof database method based on a trusted computing environment, characterized in that it comprises the following steps: S1, using the secure protocol communication TLS to receive the internal data, perform preliminary verification and cleaning of the data, generate a verification key through the trusted computing module TPM, and store it in the secure storage area of the trusted computing module; S2, load the verified data into the feasible computing environment TEE to generate an encryption key, the encryption key being stored in the internal storage area of the feasible computing environment TEE; S3, perform an integrity check on the data encrypted in the feasible computing environment TEE; S4, the verified data leaves the feasible computing environment TEE through the secure protocol communication TLS and is transmitted to the tamper-proof database for storage.

2. The tamper-proof database method based on a trusted computing environment according to claim 1, characterized in that the trusted computing module TPM in S1 generates a verification key to verify the integrity of the data by comparing the hash value of the actual data with the expected hash value at the hardware level, and verifies whether the data in the key startup and running software has been tampered with.

3. The tamper-proof database method based on a trusted computing environment according to claim 2, characterized in that the TEE uses Intel Software Guard Extensions SGX to generate encryption keys, specifically comprising the following steps: S2.1, create a secure enclave (Enclave) in SGX and load data into the Enclave; S2.2, generate a random initialization vector through the hardware random number generator RNG inside the Enclave; S2.3, use the strong encryption algorithm AES-256 to encrypt in the Enclave through the GCM encryption mode, generate an encryption key, and store it in the Enclave.

4. The tamper-proof database method based on a trusted computing environment according to claim 1, characterized in that the integrity check in S3 comprises the following steps: S3.1, generate a hash value for the data through a hash algorithm, and store or attach the hash value to the data itself; S3.2, before data is accessed or transmitted, recalculate the hash value of the current data and compare it with the original hash value to ensure that the data has not been modified; S3.3, use digital signatures to verify the source and integrity of the data: the data client signs the data or hash value with a private key, and the signature is verified with the sender's public key, indicating that the data has not been tampered with since it was signed.

5. The tamper-proof database method based on a trusted computing environment according to claim 1, characterized in that the tamper-proof database in S4 stores data, comprising the following steps: S4.1, the tamper-proof database uses a symmetric encryption algorithm to encrypt data, generates a storage key through a hardware security module HSM, and uses the generated storage key to encrypt data; S4.2, calculate the data hash value and generate a unique key and value for each data through the K-V pair storage model; S4.3, link the hash value of the data to the hash value of the previous data, and store each data together with the hash value calculated for each data, forming a hash chain; S4.4, through the hash chain, the encrypted data is stored in the tamper-proof database.

6. A tamper-proof database system based on a trusted computing environment, characterized by comprising a trusted computing layer, a data processing layer, a data storage layer and a system interaction layer;
the trusted computing layer includes TPM and SGX; the TPM generates a verification key through data, stores the verification key in a secure storage area, implements management access control on the data, identifies authorized applications and users based on the verification key to decrypt data and access sensitive data, and records operation logs;
the SGX creates a secure enclave (Enclave), generates encryption keys through the data isolation execution environment of the Enclave, and processes and stores sensitive data and encryption keys;
the data processing layer includes a data preliminary verification module, a data cleaning module and a data integrity verification module;
the preliminary verification module includes data type and structure verification, data size and value range verification, malicious content and replay attack prevention detection;
the data cleaning module includes identification of duplicate records and unification of data formats, field splitting and merging and logical error correction, outlier detection and processing, and validity and consistency checks;
the data integrity verification module generates a unique hash value for the data through a hash algorithm to verify the data integrity;
the data storage layer includes a data storage module and a data query module;
the data storage module stores data in a tamper-proof database through a K-V pair storage model;
the data query module obtains data stored in the tamper-proof database through a query API;
the system interaction layer includes an internal API, an external API and a security calling module;
the internal API is used for data exchange between different structural layers, allowing each internal module to call specific functions through the API;
the external API provides an interface for external users to access and operate the internal data of the database, authenticates the caller through the API, and identifies authorized access;
the security calling module calls the Enclave interface of SGX from the outside, starts a specific security task inside the Enclave, and performs data encryption and decryption.

7. The tamper-proof database system based on a trusted computing environment according to claim 6, characterized in that the TPM also includes a TPM remote attestation module and an operation protection module; the TPM remote attestation module attests data integrity to a remote client or a third-party service through a server, and the client verifies the security status of the server to be assured that the data processing and storage environment meets the expected security standards; the operation protection module, from startup through execution, uses the TPM to ensure that neither the software nor the hardware environment has been tampered with.

8. The tamper-proof database system based on a trusted computing environment according to claim 6, characterized in that the SGX also includes an SGX remote attestation function, allowing the database to prove its identity and integrity to a remote user or application; by cryptographically signing the secure enclave (Enclave), the verifier confirms that the data in the Enclave is secure and has not been tampered with; the secure enclave includes an outside of the secure enclave and an inside of the secure enclave; data is automatically encrypted when stored outside the secure enclave and is decrypted inside the secure enclave.

9. The tamper-proof database system based on a trusted computing environment according to claim 6, characterized in that the data query module also includes a data verification mechanism: when a user queries, the tamper-proof database verifies the hash value of the query parameter to ensure the legitimacy of the query, and the data stored in the tamper-proof database is obtained through the query; if the hash value of the query parameter matches the hash value stored in the tamper-proof database, the query operation is allowed; if it does not match, the query is rejected, and the time of the query attempt and the operator information are recorded.

10. The tamper-proof database system based on a trusted computing environment according to claim 6, characterized in that the system interaction layer adopts a two-way TLS protection mechanism; the transmitted data is encrypted through TLS, an encrypted communication channel is established, and a verified client can submit data processing or data retrieval; the two-way TLS protection mechanism records the information of all API calls through logs and sets up a cache for frequently requested data.
CN202411476697.XA 2024-10-22 2024-10-22 Anti-tampering database method and system based on trusted computing environment Pending CN119538319A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411476697.XA CN119538319A (en) 2024-10-22 2024-10-22 Anti-tampering database method and system based on trusted computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411476697.XA CN119538319A (en) 2024-10-22 2024-10-22 Anti-tampering database method and system based on trusted computing environment

Publications (1)

Publication Number Publication Date
CN119538319A true CN119538319A (en) 2025-02-28

Family

ID=94713677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411476697.XA Pending CN119538319A (en) 2024-10-22 2024-10-22 Anti-tampering database method and system based on trusted computing environment

Country Status (1)

Country Link
CN (1) CN119538319A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119783139A (en) * 2025-03-07 2025-04-08 天津中环恒达科技有限公司 Encrypted information storage system and method based on industrial control host


Similar Documents

Publication Publication Date Title
US7215771B1 (en) Secure disk drive comprising a secure drive key and a drive ID for implementing secure communication over a public network
US7370211B2 (en) Arrangement and method of execution of code
US8555075B2 (en) Methods and system for storing and retrieving identity mapping information
KR101067399B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on symmetric key encryption.
KR100996784B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on public key encryption.
EP2957063B1 (en) Policy enforcement with associated data
US8386774B2 (en) Logging system and method based on one-way hash function
CN109361668A (en) A method of reliable data transmission
WO2020000786A1 (en) Voting method and apparatus, and computer device and computer readable storage medium
CN112565205B (en) Credible authentication and measurement method, server, terminal and readable storage medium
KR100702499B1 (en) Message Integrity Assurance Systems, Methods, and Recording Media
Lee Security basics for computer architects
US10263782B2 (en) Soft-token authentication system
US11184339B2 (en) Method and system for secure communication
CN110837634B (en) Electronic signature method based on hardware encryption machine
CN119538319A (en) Anti-tampering database method and system based on trusted computing environment
CN114553557A (en) Key calling method, key calling device, computer equipment and storage medium
CN119583226B (en) A Geographic Data Processing System Based on Cryptography
CN119172167A (en) A security prevention and control method based on edge computing device, cloud platform and edge computing device
CN112613033A (en) Method and device for safely calling executable file
CN105873043B (en) Method and system for generating and applying network private key for mobile terminal
CN117494104A (en) 3 DES-based password management method, system, equipment and medium
Yang et al. New paradigm of inference control with trusted computing
US12432054B2 (en) Federated key management
ALnwihel et al. A Novel Cloud Authentication Framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination