CN112532576B - Gateway data interaction method and device, computer equipment and storage medium - Google Patents
Publication number: CN112532576B (application CN202011124855.7A)
Authority: CN (China)
Prior art keywords: database, area, gateway, safety, agent
Legal status: Active
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/1441—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; countermeasures against malicious traffic
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L2209/76—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication; Proxy, i.e. using intermediary entity to perform cryptographic operations
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Data Exchanges In Wide-Area Networks; Storage Device Security
Abstract
The invention discloses a gateway data interaction method, applied to the field of database gateway security, for solving the problem of low security when a database gateway interacts with a database. The database gateway end and the database end are each divided into a secure area and an insecure area, and the secure area of the database gateway end and the secure area of the database end perform remote attestation with each other: each side measures its trusted computing base to obtain a metric value and signs the metric value with its certificate to generate signature information. The database gateway end and the database end verify each other's metric value and signature information to establish the credibility of the other side, thereby constructing a trusted relationship between the database gateway end and the database end and improving the security of data interaction.
Description
Technical Field
The invention relates to the field of database gateway security, in particular to a gateway data interaction method, a gateway data interaction device, computer equipment and a storage medium.
Background
Data processing and analysis in the big data era need to complete complex computing logic through aggregation across multiple interconnected databases, and database interconnection is a common requirement in cloud computing. A database gateway is a database management component that acts as a database proxy and provides functions such as database access control, database authority management and database access tracing, and it can realize interconnection among databases. However, because the database gateway is exposed to the public network environment, it is highly vulnerable to attack. Attack forms include, but are not limited to, hackers and malicious software such as viruses and rootkits, which attack the database gateway at the application layer, the operating system layer and the hardware layer. Users often have difficulty noticing that database data is being stolen during use, so that an Advanced Persistent Threat (APT) is formed. Furthermore, malicious or inadvertent unauthorized access by insiders may also cause data leakage.
In existing database gateway end protection schemes, system resource isolation and monitoring are based on virtualization technology; for example, a hypervisor constructs an isolated space for the database gateway end, but a vulnerability in the hypervisor may threaten the whole system. A trusted framework based on a TPM (Trusted Platform Module) performs integrity measurement when a program is loaded, but it is difficult to ensure that the program is still trusted while it is running. Schemes based on anti-virus scanning, such as the agents of a cloud platform, monitor threats by inspecting inbound and outbound traffic, instructions, memory, files and the like in real time, but with the large data volume at a database gateway end such schemes have high resource consumption and weak ability to cope with unknown threats.
Most protection schemes for database gateway and database interaction are not suitable for ARM processor platforms. ARM TrustZone is a security technology proposed by ARM that aims to use hardware as the means of security enforcement. TrustZone runs application programs in a normal area and a secure area respectively, and content that needs protection is kept in the secure area.
Aiming at the ARM architecture servers, ARM architecture personal computers and mobile devices that are steadily increasing in number, the invention provides a database gateway and database interaction scheme that can ensure the security of the database gateway during operation as long as the Central Processing Unit (CPU) is trusted, thereby improving the defence capability of the database gateway end against unknown threats and making the database gateway more secure.
Disclosure of Invention
The embodiments of the invention provide a gateway data interaction method, a gateway data interaction device, computer equipment and a storage medium, aiming to solve the problems that, in the big data era, a database gateway on the ARM (Advanced RISC Machine) architecture is vulnerable to attack and data at the database end is easily leaked or stolen.
According to an aspect of the present application, a gateway data interaction method is provided. The method is applied to a database gateway end that is divided into a secure area and an insecure area, and includes the following steps:
the database gateway end insecure area forwards a user request and user identity information received from a user end to the database gateway end secure area through a first agent, and the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep;
the database gateway end secure area receives the user request and the user identity information and verifies them;
after the user request and the user identity information pass verification, the database gateway end secure area initiates remote attestation to the database end secure area;
after the remote attestation succeeds, the database gateway end secure area sends the user request to the database end secure area, so that the database end secure area executes the user request;
when a first processing result, produced by the database end secure area from the request result, is received, the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep, and the first processing result is received through the database gateway end insecure area;
the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep, and forwards the first processing result to the database gateway end secure area;
the database gateway end secure area receives the first processing result and forwards it to the database gateway end insecure area through the first agent, and the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep;
and the database gateway end insecure area returns the first processing result to the user end.
According to an aspect of the present application, a gateway data interaction method is provided. The method is applied to a database end that is divided into a secure area and an insecure area, and includes the following steps:
when remote attestation initiated by the database gateway end secure area towards the database end secure area is received, the database end secure area and the database gateway end secure area attest each other remotely;
after the remote attestation succeeds, the database end secure area receives a user request sent by the database gateway end secure area;
the database end secure area forwards the user request to the database end insecure area through a second agent, and the second agent controls the database end insecure area to operate and the database end secure area to sleep;
the database end insecure area calls the database to execute the user request and obtains a first processing result;
the database forwards the first processing result to the database end secure area through the second agent, and the second agent controls the database end secure area to operate and the database end insecure area to sleep;
and the database end secure area sends the first processing result to the database gateway end insecure area, so that the database gateway end insecure area returns the first processing result to the user end.
According to an aspect of the present application, a first gateway data interaction apparatus is provided, including:
a first receiving module, used by the database gateway end insecure area to forward a user request and user identity information received from a user end to the database gateway end secure area through a first agent, where the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep;
a first verification module, used by the database gateway end secure area to receive the user request and the user identity information and to verify them;
a first remote attestation module, used by the database gateway end secure area to initiate remote attestation to the database end secure area after the user request and the user identity information pass verification;
a first sending module, used by the database gateway end secure area to send the user request to the database end secure area after the remote attestation succeeds, so that the database end secure area can execute the user request;
a first agent module, used, when a first processing result produced by the database end secure area from the request result is received, to control the database gateway end insecure area to operate and the database gateway end secure area to sleep, and to receive the first processing result through the database gateway end insecure area;
a second agent module, used by the first agent to control the database gateway end secure area to operate and the database gateway end insecure area to sleep, and to forward the first processing result to the database gateway end secure area;
a second receiving module, configured for the database gateway end secure area to receive the first processing result and forward it to the database gateway end insecure area through the first agent, where the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep;
and a second sending module, used by the database gateway end insecure area to return the first processing result to the user end.
According to an aspect of the present application, a second gateway data interaction apparatus is provided, including:
a second remote attestation module, used to remotely attest the database end secure area and the database gateway end secure area to each other when remote attestation initiated by the database gateway end secure area towards the database end secure area is received;
a third receiving module, used to receive the user request sent by the database gateway end secure area after the remote attestation succeeds;
a third agent module, used by the database end secure area to forward the user request to the database end insecure area through a second agent, where the second agent controls the database end insecure area to operate and the database end secure area to sleep;
a database call execution module, configured for the database end insecure area to call the database to execute the user request and obtain a first processing result;
a fourth agent module, used to forward the first processing result to the database end secure area through the second agent, where the second agent controls the database end secure area to operate and the database end insecure area to sleep;
and a fourth sending module, used by the database end secure area to send the first processing result to the database gateway end insecure area, so that the database gateway end insecure area returns the first processing result to the user end.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above gateway data interaction method when executing the computer program.
A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the above-mentioned gateway data interaction method.
The gateway data interaction method, the gateway data interaction device, the computer equipment and the storage medium divide the database gateway end and the database end into a secure area and an insecure area, remotely attest the secure area of the database gateway end and the secure area of the database end to each other to construct a trusted environment, and use an agent to switch the secure area and the insecure area between operating and sleeping, so that the problems that, in the big data era, a database gateway on the ARM architecture is vulnerable to attack and the data of the database end is easily leaked or stolen are solved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
Fig. 1 is a schematic application environment diagram of a gateway data interaction method in an embodiment of the present application;
fig. 2 is a schematic flowchart of a gateway data interaction method applied to a database gateway end in an embodiment of the present application, where the database gateway end is divided into a secure area and an insecure area;
fig. 3 is a schematic flowchart of a gateway data interaction method applied to a database end in an embodiment of the present application, where the database end is divided into a secure area and an insecure area;
fig. 4 is a schematic structural diagram of a first interaction device of gateway data in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a second interaction device for gateway data in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a computer device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The gateway data interaction method provided by the application can be applied to the application environment shown in fig. 1.
Specifically, the application environment includes, but is not limited to, a gateway end device 11 and a database end device 12, each being a first computer device, and a user end 10.
In an embodiment, as shown in fig. 1, a gateway data interaction method is provided, which is applied to the gateway end device (a first computer device) in fig. 1.
In an embodiment, as shown in fig. 2, a gateway data interaction method is provided, which is applied to a database gateway, where the database gateway is divided into a secure area and an insecure area, and includes the following steps S101 to S108.
Illustratively, the data to be kept in the database gateway end secure area includes the configuration information of the database gateway and a gateway load program, where the gateway load program includes the communication interface with the database gateway end insecure area and the service logic; the service logic can extend the functions of the database gateway, including database gateway access control, database gateway usage metering and database gateway rights management.
Illustratively, the database gateway end insecure area stores part of the encrypted sealed data of the secure area.
Step S101, the database gateway end insecure area forwards a user request and user identity information received from a user end to the database gateway end secure area through a first agent, and the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep.
Specifically, the user can obtain the request result only by sending the user request to the database gateway end; the database gateway end determines whether to process the user request and whether to return the database's return result to the user.
Specifically, the user end first establishes a secure channel with the database gateway end through the RSA (Rivest-Shamir-Adleman) algorithm or the Diffie-Hellman algorithm, and then sends the user request and the user identity information to the database gateway end insecure area through the secure channel.
Specifically, a first agent is needed for communication between the secure area and the insecure area of the database gateway end. The secure area or insecure area of the database gateway end writes the information into memory and triggers a Secure Monitor Call (SMC) exception, so that the Central Processing Unit (CPU) of the ARM processor enters Monitor mode. The first agent running in Monitor mode determines, by examining the corresponding value in the Secure Configuration Register (SCR) of the ARM processor, whether the request comes from the insecure area side or the secure area side and whether the sending target is the insecure area side or the secure area side, and controls the information sender to sleep and the information receiver to operate.
Step S102, the database gateway end secure area receives the user request and the user identity information and verifies them.
Specifically, the database gateway end device verifies the user request and the user identity information. If the user request passes verification and needs to call a database, the database gateway end device and the at least one database end device involved in the request attempt remote attestation and request the establishment of a secure channel. For illegal requests, the secure area of the database gateway end is put to sleep through the first agent, the insecure area operates, and the user request is terminated.
Step S103, after the user request and the user identity information pass verification, the database gateway end secure area initiates remote attestation to the database end secure area.
Specifically, the messages of the remote attestation process are passed through memory and must travel through the database gateway end insecure area, the network and the database end insecure area.
Optionally, a remote attestation expiration time may be set for the remote attestation process; if the database gateway end does not receive feedback that the database end has verified the first metric value and the first signature information within the expiration time, the user request may be skipped.
Step S104, after the remote attestation succeeds, the database gateway end secure area sends the user request to the database end secure area, so that the database end secure area can execute the user request.
Specifically, the database gateway end secure area sends the user request to the database end and waits for the database end to return the request result for the user request.
Step S105, when a first processing result produced by the database end secure area from the request result is received, the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep, and receives the first processing result through the database gateway end insecure area.
Step S106, the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep, and forwards the first processing result to the database gateway end secure area.
Step S107, the database gateway end secure area receives the first processing result and forwards it to the database gateway end insecure area through the first agent, and the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep.
Specifically, the database gateway end secure area receives the first processing result, processes it into a form more suitable for the downstream module to receive, and sends it to the database gateway end insecure area through the first agent.
Step S108, the database gateway end insecure area returns the first processing result to the user end.
It should be particularly noted that the database gateway end may serve a plurality of database ends, performing remote attestation and establishing a secure channel with each of them separately, so as to carry out secure data interaction with the plurality of database ends.
In this embodiment, the database gateway end receives and verifies the user request and the user identity information sent by the user end, performs remote attestation with the database end involved in a user request that passes verification, and after the remote attestation succeeds receives the database end's request result for the user request and returns it to the user end. Because the remote attestation process is carried out in the database gateway end secure area and the database end secure area, the trustworthiness of the environment in which the data interaction takes place is ensured, the security of gateway data interaction is ensured, and the risk of data leakage caused by malicious threats to the database gateway during operation is reduced.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In an embodiment, step S103, in which the database gateway end secure area initiates remote attestation to the database end secure area after the user request and the user identity information pass verification, includes the following steps S1031 to S1036.
S1031, the database gateway end secure area initiates remote attestation to the database end secure area.
S1032, a first secure channel is established between the database gateway end secure area and the database end secure area.
S1033, the database gateway end measures its trusted computing base to obtain a first metric value, and signs the first metric value with the certificate of the database gateway end to generate first signature information.
Specifically, the first metric value is used to measure the credibility of the database gateway end. The certificate of the database gateway end is derived from a hardware key in the CPU of the ARM processor through a corresponding algorithm; the derivation algorithm depends on the specific ARM processor CPU model, the certificate can be stored secretly, and only the secure area of the database gateway end can obtain it.
S1034, the database gateway end secure area sends the first metric value and the first signature information to the database end secure area through the first secure channel, so that the database end secure area verifies the first metric value and the first signature information and feeds back a second metric value and second signature information when they pass verification.
S1035, when the database gateway end secure area receives the second metric value and the second signature information sent by the database end secure area, it verifies the second metric value and the second signature information.
This step can be divided into the following sub-steps:
the database gateway end secure area sends the second metric value and the second signature information to the database gateway end insecure area through the first agent, and the first agent controls the database gateway end insecure area to operate and the database gateway end secure area to sleep;
the database gateway end insecure area verifies the second metric value and the second signature information and, if the verification passes, generates a second verification report and sends it to the database gateway end secure area through the first agent;
the first agent controls the database gateway end secure area to operate and the database gateway end insecure area to sleep, and on receiving the second verification report the database gateway end secure area determines that the database end is trustworthy and sends the user request to the database end secure area.
S1036, when the second metric value and the second signature information pass verification, the remote attestation succeeds and the database gateway end secure area sends the user request to the database end secure area.
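The mutual attestation of steps S1031 to S1036, as an added Python example that is not code from the patent: each secure area measures its trusted computing base into a metric value, binds it to the freshly established first secure channel, and signs it with a key derived from a per-device hardware root key; the peer checks the signature and compares the metric against a known-good reference, and the gateway enforces the optional expiration time from the description. The HMAC stand-in for the certificate signature, the key derivation, the hash-chain measurement, the device names and the sample TCB contents are assumptions filling in what the description leaves unspecified.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def measure_tcb(tcb: Dict[str, bytes]) -> bytes:
    """Metric value: SHA-256 hash chain over the trusted computing base, taken in a
    fixed (sorted) order so the verifier can compute the same reference value."""
    chain = hashlib.sha256()
    for name in sorted(tcb):
        chain.update(name.encode("utf-8"))
        chain.update(hashlib.sha256(tcb[name]).digest())
    return chain.digest()


def derive_device_key(hardware_root_key: bytes, device_id: str) -> bytes:
    """Per-device attestation key derived from the CPU hardware key; stands in for the
    certificate the description derives with a CPU-model-specific algorithm (assumption)."""
    return hmac.new(hardware_root_key, b"attestation-key:" + device_id.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Attestation:
    device_id: str
    metric: bytes         # measurement of the sender's trusted computing base
    channel_nonce: bytes  # binds the attestation to the first secure channel (S1032)
    signature: bytes      # HMAC over (device_id, metric, channel_nonce); stands in for a signature


class SecureArea:
    """Secure-area endpoint: measures and signs itself, verifies the peer's attestation."""

    def __init__(self, device_id: str, hardware_root_key: bytes, tcb: Dict[str, bytes],
                 trusted_peers: Dict[str, Tuple[bytes, bytes]]) -> None:
        self.device_id = device_id
        self.key = derive_device_key(hardware_root_key, device_id)  # never leaves the secure area
        self.tcb = tcb
        # peer id -> (peer verification key, known-good reference metric), provisioned out of band
        self.trusted_peers = trusted_peers

    @staticmethod
    def _sign(key: bytes, device_id: str, metric: bytes, channel_nonce: bytes) -> bytes:
        return hmac.new(key, device_id.encode() + metric + channel_nonce, hashlib.sha256).digest()

    def attest(self, channel_nonce: bytes) -> Attestation:
        metric = measure_tcb(self.tcb)
        return Attestation(self.device_id, metric, channel_nonce,
                           self._sign(self.key, self.device_id, metric, channel_nonce))

    def verify(self, att: Attestation, channel_nonce: bytes) -> bool:
        peer = self.trusted_peers.get(att.device_id)
        if peer is None:
            return False  # unknown device: nothing to verify against
        peer_key, reference_metric = peer
        if not hmac.compare_digest(att.channel_nonce, channel_nonce):
            return False  # attestation replayed from a different channel
        expected = self._sign(peer_key, att.device_id, att.metric, att.channel_nonce)
        if not hmac.compare_digest(expected, att.signature):
            return False  # signature does not verify: forged or corrupted in transit
        return hmac.compare_digest(att.metric, reference_metric)  # TCB matches known-good state


def remote_attestation(gateway: SecureArea, database: SecureArea, expiry_s: float,
                       feedback_delay_s: float = 0.0,
                       clock: Callable[[], float] = time.monotonic) -> Optional[str]:
    """Steps S1031 to S1036 between the two secure areas. Returns None when mutual trust is
    established, otherwise the reason the gateway refuses to forward the user request."""
    start = clock()
    channel_nonce = os.urandom(16)  # S1032: fresh value agreed when the first secure channel is set up
    first = gateway.attest(channel_nonce)  # S1033: first metric value and first signature information
    if not database.verify(first, channel_nonce):  # S1034: database end verifies the gateway
        return "database end rejected gateway attestation"
    second = database.attest(channel_nonce)  # S1034: second metric value and second signature information
    # The feedback crosses both insecure areas and the network; feedback_delay_s simulates that latency.
    if (clock() - start) + feedback_delay_s > expiry_s:
        return "remote attestation expired"  # optional expiration time from the description
    if not gateway.verify(second, channel_nonce):  # S1035: gateway verifies the database end
        return "gateway rejected database end attestation"
    return None  # S1036: remote attestation succeeded; the user request may now be sent


def build_pair(tampered_database: bool = False) -> Tuple[SecureArea, SecureArea]:
    """Constructed sample: one gateway end and one database end, each with its own TCB."""
    gw_root, db_root = b"gateway-cpu-hardware-key", b"database-cpu-hardware-key"  # constructed keys
    gw_tcb = {"gateway_config": b"max_conn=64;audit=on", "gateway_load_program": b"\x7fELF gateway-v1"}
    db_tcb = {"db_engine": b"\x7fELF db-engine-v3", "db_policy": b"rbac=strict"}
    gw_key, db_key = derive_device_key(gw_root, "db-gateway-01"), derive_device_key(db_root, "database-01")
    # Reference metrics are recorded from the known-good images before any runtime modification.
    gateway = SecureArea("db-gateway-01", gw_root, gw_tcb, {"database-01": (db_key, measure_tcb(db_tcb))})
    if tampered_database:
        db_tcb = dict(db_tcb, db_engine=b"\x7fELF db-engine-v3-modified")  # TCB altered at runtime
    database = SecureArea("database-01", db_root, db_tcb, {"db-gateway-01": (gw_key, measure_tcb(gw_tcb))})
    return gateway, database
```

With `tampered_database=True` the database end still signs honestly, so its signature verifies, but the gateway rejects it because the metric no longer matches the reference; this is the runtime-integrity check the TPM-at-load-time scheme in the background section lacks.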
In an embodiment, as shown in fig. 4, there is provided a gateway data first interaction device, including:
a first receiving module 40, configured to forward, by the database gateway insecure area, a user request and user identity information received from a user side to the database gateway secure area through a first agent, where the first agent controls the database gateway secure area to operate and controls the database gateway insecure area to sleep;
a first verification module 41, configured to receive the user request and the user identity information by the database gateway secure area, and verify the user request and the user identity information;
the first remote attestation module 42 is configured to initiate remote attestation from the database gateway security area to the database security area after the user request and the user identity information are verified;
a first sending module 43, configured to send, by the security domain of the database gateway, the user request to the security domain of the database after the remote attestation is successful, so that the security domain of the database executes the user request;
a first agent module 44, configured to, when receiving a first processing result obtained by processing the request result from the database gateway secure area according to the request result, control the operation of the data gateway insecure area, control the sleep of the database gateway secure area, and receive the first processing result through the database gateway insecure area;
the second agent module 45 is configured to control the database gateway secure area to operate and control the database gateway non-secure area to sleep by the first agent, and forward the first processing result to the database gateway secure area through the first agent;
a second receiving module 46, configured to receive the first processing result by the database gateway secure area and forward the first processing result to the database gateway insecure area through a first agent, where the first agent controls the database gateway insecure area to operate and controls the database gateway secure area to sleep;
a second sending module 47, configured to return the first processing result to the user side by the database gateway insecure area.
Further, the first remote attestation module 42 includes:
a remote attestation initiating unit, used by the database gateway-side secure area to initiate remote attestation to the database-side secure area;
a first secure channel establishing unit, used to establish a first secure channel between the database gateway-side secure area and the database-side secure area;
a first verification information generating unit, used by the database gateway side to measure its trusted computing base to obtain a first metric value, and to sign the first metric value with the certificate of the database gateway side to generate first signature information;
a first sending unit, used by the database gateway-side secure area to send the first metric value and the first signature information to the database-side secure area through the first secure channel, so that the database-side secure area verifies them and feeds back a second metric value and second signature information when they pass verification;
a first verification unit, used by the database gateway-side secure area to verify the second metric value and the second signature information when it receives them from the database-side secure area;
and a second sending unit, used by the database gateway-side secure area to send the user request to the database-side secure area when the second metric value and the second signature information pass verification and the remote attestation succeeds.
Further, the first verification unit includes:
a first agent unit, used by the database gateway-side secure area to send the second metric value and the second signature information to the database gateway-side non-secure area through the first agent, the first agent controlling the database gateway-side non-secure area to run and the database gateway-side secure area to sleep;
a second verification unit, used by the database gateway-side non-secure area to verify the second metric value and the second signature information and, if verification passes, to generate a second verification report and send it to the database gateway-side secure area through the first agent;
and a second agent unit, used by the first agent to control the database gateway-side secure area to run and the database gateway-side non-secure area to sleep, the database gateway-side secure area determining that the database side is trusted when it receives the second verification report and sending the user request to the database-side secure area.
Wherein the meaning of "first" and "second" in the above modules/units is only to distinguish different modules/units, and is not used to define which module/unit has higher priority or other defining meaning. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules explicitly listed, but may include other steps or modules not explicitly listed or inherent to such process, method, article, or apparatus, and such that a division of modules presented in this application is merely a logical division and may be implemented in a practical application in a further manner.
For the specific definition of the gateway data first interaction device, reference may be made to the definition of the gateway data interaction method described above, which is applied to a database gateway side divided into a secure area and a non-secure area; it is not repeated here. The modules of the gateway data first interaction device may be implemented wholly or partially by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing functional units and modules are merely illustrated in terms of division, and in practical applications, the foregoing functional allocation may be performed by different functional units and modules as needed, that is, the internal structure of the gateway data first interaction device is divided into different functional units or modules to perform all or part of the above described functions.
In one embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the gateway data interaction method of the above embodiments is implemented, the method being applied to a database gateway side divided into a secure area and a non-secure area, for example steps S101 to S108 shown in fig. 2 and other extensions of the method and of related steps. Alternatively, when executing the computer program, the processor implements the functions of the modules/units of the gateway data first interaction device in the above embodiments, such as the functions of the modules 40 to 47 shown in fig. 4. To avoid repetition, further description is omitted here.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor; it is the control center of the computer device and connects the various parts of the overall computer device using various interfaces and lines.
The memory may be used to store the computer programs and/or modules, and the processor may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, video data, etc.) created according to the use of the cellular phone, etc.
The memory may be integrated in the processor or may be provided separately from the processor.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the gateway data interaction method of the above embodiments is implemented, the method being applied to a database gateway side divided into a secure area and a non-secure area, such as steps S101 to S108 shown in fig. 2 and other extensions of the method and of related steps. Alternatively, when executed by the processor, the computer program implements the functions of the modules/units of the gateway data first interaction device in the above embodiments, such as the functions of the modules 40 to 47 shown in fig. 4. To avoid repetition, further description is omitted here.
In an embodiment, as shown in fig. 1, a gateway data interaction method is provided, which is applied to the database-side device, i.e. the second computer device in fig. 1.
In an embodiment, as shown in fig. 3, a gateway data interaction method is provided, which is applied to a database side divided into a secure area and a non-secure area, and includes the following steps S201 to S206.
Illustratively, the database gateway-side non-secure area stores part of the secure area's encrypted sealed data.
S201, when remote attestation initiated between the database gateway-side secure area and the database-side secure area is received, remote attestation is performed between the database-side secure area and the database gateway-side secure area.
Specifically, the database gateway-side secure area and the database-side secure area establish a secure channel between the user terminal and the database gateway terminal through the RSA (Rivest-Shamir-Adleman) algorithm or the Diffie-Hellman algorithm, and the user request and the user identity information are then sent to the database gateway-side non-secure area through the secure channel.
Specifically, communication between the secure area and the non-secure area on the database side must pass through the second agent. The database-side secure area or non-secure area writes the information into memory and triggers an SMC exception so that the CPU of the ARM processor enters Monitor mode; the second agent, running in Monitor mode, determines whether the request comes from the non-secure side or the secure side, and whether the target of the information is the non-secure side or the secure side, by checking the corresponding value in the SCR (Secure Configuration Register) of the ARM processor; the sending side is then put to sleep and the receiving side runs.
S202, after the remote attestation succeeds, the database-side secure area receives the user request sent by the database gateway-side secure area.
S203, the database-side secure area forwards the user request to the database-side non-secure area through the second agent, and the second agent controls the database-side non-secure area to run and the database-side secure area to sleep.
S204, the database-side non-secure area calls the database to execute the user request and obtains a first processing result.
S205, the database forwards the first processing result to the database-side secure area through the second agent, and the second agent controls the database-side secure area to run and the database-side non-secure area to sleep.
S206, the database-side secure area sends the first processing result to the database gateway-side non-secure area, so that the database gateway-side non-secure area returns the first processing result to the user side.
In this embodiment, after the database side and the database gateway side have successfully completed remote attestation, the database-side secure area receives the user request from the database gateway side; the user request is sent to the database-side non-secure area through the second agent, which controls the database-side non-secure area to run, i.e. the database is called to execute the user request and obtain a request result; the database sends the request result to the database-side secure area through the second agent; the database-side secure area processes the request result and sends the processed first processing result to the database gateway side.
Optionally, the database-side non-secure area initiates a local attestation verification request to the database-side secure area and verifies the result returned by the database-side secure area to determine whether the secure world is trusted. It should be understood that the step numbers in the foregoing embodiments do not imply an execution order; the execution order of each process is determined by its function and inherent logic and does not limit the implementation of the embodiments of the present invention.
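The following Go program is an added illustration, not code from the patent or from any implementation of it: it models the second agent's Monitor-mode dispatch described above (origin and destination decided from the SCR.NS value rather than from the message, the sender put to sleep and the receiver run) and replays steps S203 to S205 on top of it. The `Agent`, `Message` and `World` types, the `scrNS` field standing in for the SCR.NS bit, and the in-memory `constructedDB` map are assumptions made for the example; a real ARM TrustZone monitor is firmware, and the point shown here is only the dispatch invariant.

```go
package main

import (
	"errors"
	"fmt"
)

// World identifies one TrustZone side of the database-side device.
type World int

const (
	Secure World = iota
	NonSecure
)

func (w World) String() string {
	if w == Secure {
		return "secure"
	}
	return "non-secure"
}

// Message is what an area writes to shared memory before triggering the SMC exception.
type Message struct {
	Target  World  // which side the information is addressed to
	Payload string // the user request or the processing result
}

// Agent models the "second agent" running in Monitor mode (assumption: simplified model).
type Agent struct {
	scrNS   bool              // stands in for SCR.NS: true when the non-secure world was executing
	mailbox map[World][]string // per-world inbox in shared memory
	Log     []string          // audit trail of every world switch
}

// NewAgent starts with the given world executing (Secure right after S202, for instance).
func NewAgent(initial World) *Agent {
	return &Agent{scrNS: initial == NonSecure, mailbox: map[World][]string{}}
}

// Running reports which world is executing, derived only from the SCR.NS model.
func (a *Agent) Running() World {
	if a.scrNS {
		return NonSecure
	}
	return Secure
}

// SMC handles the exception: the origin is read from SCR.NS, never from the message,
// so one side cannot claim to be the other; the origin sleeps and the target runs.
func (a *Agent) SMC(msg Message) (World, error) {
	origin := a.Running()
	if msg.Target == origin {
		return origin, fmt.Errorf("%s area addressed itself; only cross-world delivery is allowed", origin)
	}
	a.mailbox[msg.Target] = append(a.mailbox[msg.Target], msg.Payload)
	a.scrNS = msg.Target == NonSecure // switch worlds: target runs, origin sleeps
	a.Log = append(a.Log, fmt.Sprintf("%s -> %s: %q", origin, msg.Target, msg.Payload))
	return a.Running(), nil
}

// Drain returns and clears a world's inbox; a sleeping world cannot read anything.
func (a *Agent) Drain(w World) ([]string, error) {
	if w != a.Running() {
		return nil, fmt.Errorf("%s area is asleep and cannot read its mailbox", w)
	}
	out := a.mailbox[w]
	a.mailbox[w] = nil
	return out, nil
}

// constructedDB stands in for the database the non-secure area calls in S204.
var constructedDB = map[string]string{
	"SELECT balance WHERE user='alice'": "balance=100",
}

func queryDatabase(req string) string {
	if v, ok := constructedDB[req]; ok {
		return v
	}
	return "error: no such row"
}

// DatabaseSideRoundTrip replays S203 to S205: the secure area hands the request to the
// non-secure area, which executes it against the database and returns the result
// through the agent, leaving the secure area running again.
func DatabaseSideRoundTrip(a *Agent, request string) (string, error) {
	if a.Running() != Secure {
		return "", errors.New("the secure area must be running to forward the request (S203)")
	}
	if _, err := a.SMC(Message{Target: NonSecure, Payload: request}); err != nil {
		return "", err
	}
	reqs, err := a.Drain(NonSecure) // S204: non-secure area runs and calls the database
	if err != nil {
		return "", err
	}
	result := queryDatabase(reqs[0])
	if _, err := a.SMC(Message{Target: Secure, Payload: result}); err != nil { // S205
		return "", err
	}
	res, err := a.Drain(Secure)
	if err != nil {
		return "", err
	}
	return res[0], nil
}

func main() {
	a := NewAgent(Secure)
	res, err := DatabaseSideRoundTrip(a, "SELECT balance WHERE user='alice'")
	fmt.Println(res, err, "running:", a.Running())
	for _, l := range a.Log {
		fmt.Println(l)
	}
}
```

The two checks worth keeping from this model are that a message can only ever be delivered to the other world, and that a world which the SCR.NS model says is asleep cannot read shared memory; both follow directly from the page's rule that the agent decides direction from the register, not from the request.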
In an embodiment, in step S201, performing remote attestation between the database-side secure area and the database gateway-side secure area when remote attestation initiated from the database gateway-side secure area to the database-side secure area is received includes the following steps S2011 to S2014.
S2011, a second secure channel is established between the database-side secure area and the database gateway-side secure area.
S2012, the database-side secure area receives the first metric value and the first signature information sent by the database gateway-side secure area through the second secure channel, and verifies the first metric value and the first signature information.
Specifically, this may be divided into the following steps:
the database-side secure area forwards the first metric value and the first signature information to the database-side non-secure area through the second agent, and the second agent controls the database-side non-secure area to run and the database-side secure area to sleep;
the database-side non-secure area verifies the first metric value and the first signature information and, if verification passes, generates a first verification report and forwards it to the database-side secure area through the second agent;
the second agent controls the database-side secure area to run and the database-side non-secure area to sleep, and the database-side secure area confirms that the database gateway side is trusted when it receives the first verification report and sends the second metric value and the second signature information to the database gateway-side secure area.
S2013, when the first metric value and the first signature information pass verification, the database-side secure area measures its trusted computing base to obtain a second metric value, and signs the second metric value with the certificate of the database side to generate second signature information.
Specifically, the second metric value is the basis on which trust is established with the database gateway side; the certificate of the database side is derived from a hardware key in the CPU of the ARM processor by a corresponding algorithm, the derivation algorithm depends on the specific CPU model of the ARM processor, and the certificate is stored secretly so that only the database-side secure area can obtain it.
S2014, the database-side secure area sends the second metric value and the second signature information to the database gateway-side secure area through the second secure channel, so that the database gateway-side secure area verifies the second metric value and the second signature information, and the remote attestation succeeds when they pass verification.
In an embodiment, as shown in fig. 5, a gateway data second interaction device is provided, including:
a second remote attestation module 50, configured to perform remote attestation between the database-side secure area and the database gateway-side secure area when remote attestation initiated between the database gateway-side secure area and the database-side secure area is received;
a third receiving module 51, configured for the database-side secure area to receive the user request sent by the database gateway-side secure area after the remote attestation succeeds;
a third agent module 52, configured for the database-side secure area to forward the user request to the database-side non-secure area through the second agent, where the second agent controls the database-side non-secure area to run and the database-side secure area to sleep;
a database calling execution module 53, configured for the database-side non-secure area to call the database to execute the user request and obtain a first processing result;
a fourth agent module 54, configured to forward the first processing result to the database-side secure area through the second agent, where the second agent controls the database-side secure area to run and the database-side non-secure area to sleep;
a fourth sending module 55, configured for the database-side secure area to send the first processing result to the database gateway-side non-secure area, so that the database gateway-side non-secure area returns the first processing result to the user side.
Further, the second remote attestation module 50 also includes:
a second secure channel establishing unit, used to establish a second secure channel between the database-side secure area and the database gateway-side secure area;
a third verification unit, used by the database-side secure area to receive the first metric value and the first signature information sent by the database gateway-side secure area through the second secure channel and to verify them;
a second verification information generating unit, used by the database-side secure area to measure its trusted computing base to obtain a second metric value when the first metric value and the first signature information pass verification, and to sign the second metric value with the certificate of the database side to generate second signature information;
and a third sending unit, used by the database-side secure area to send the second metric value and the second signature information to the database gateway-side secure area through the second secure channel, so that the database gateway-side secure area verifies them and confirms that the remote attestation succeeds when they pass verification.
Further, the third verification unit includes the following units:
a third agent unit, used by the database-side secure area to forward the first metric value and the first signature information to the database-side non-secure area through the second agent, the second agent controlling the database-side non-secure area to run and the database-side secure area to sleep;
a fourth verification unit, used by the database-side non-secure area to verify the first metric value and the first signature information and, if verification passes, to generate a first verification report and forward it to the database-side secure area through the second agent;
and a fourth sending unit, used by the second agent to control the database-side secure area to run and the database-side non-secure area to sleep, the database-side secure area confirming that the database gateway side is trusted when it receives the first verification report and sending the second metric value and the second signature information to the database gateway-side secure area.
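The mutual attestation exchange of the units above and of steps S2011 to S2014 (and, mirrored, of the first remote attestation module 42 on the gateway side) can be written out end to end. The Go program below is an added example rather than code from the patent: each side measures a constructed stand-in for its trusted computing base, signs the metric, and the peer checks the signature against a provisioned public key and the metric against an expected value; the database side replies with its own metric and signature only after the gateway's pass. The Ed25519 key is an assumption standing in for the hardware-derived device certificate, the `Party`, `AttestationMsg`, `Verify` and `MutualAttest` names are the example's own, the secure channel is assumed to exist already, and the hand-off of verification to the non-secure area through the agent is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party models one secure area (gateway side or database side). The Ed25519 key
// stands in for the device certificate the page says is derived from the ARM CPU
// hardware key; here it is simply generated for the demonstration (assumption).
type Party struct {
	Name string
	tcb  []byte // constructed stand-in for the trusted computing base image
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// AttestationMsg carries a metric value and the signature over it
// (the page's "first/second metric value" and "first/second signature information").
type AttestationMsg struct {
	From   string
	Metric [32]byte
	Sig    []byte
}

// NewParty creates a party with a fresh signing key.
func NewParty(name string, tcb []byte) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, tcb: tcb, priv: priv, Pub: pub}, nil
}

// Measure hashes the TCB image to obtain the metric value.
func (p *Party) Measure() [32]byte { return sha256.Sum256(p.tcb) }

// Attest measures the TCB and signs the metric. The party name is bound into the
// signed bytes so one side's message cannot be replayed as the other's.
func (p *Party) Attest() AttestationMsg {
	m := p.Measure()
	return AttestationMsg{From: p.Name, Metric: m, Sig: ed25519.Sign(p.priv, signedData(p.Name, m))}
}

func signedData(name string, m [32]byte) []byte {
	return append([]byte("tz-attest:"+name+":"), m[:]...)
}

// Verify checks the signature against the peer's provisioned public key and compares
// the metric with the expected (golden) measurement for that peer.
func Verify(msg AttestationMsg, peerPub ed25519.PublicKey, expected [32]byte) error {
	if !ed25519.Verify(peerPub, signedData(msg.From, msg.Metric), msg.Sig) {
		return errors.New("signature check failed")
	}
	if msg.Metric != expected {
		return errors.New("metric value does not match the expected TCB measurement")
	}
	return nil
}

// MutualAttest runs the exchange: the gateway sends the first metric and signature;
// the database side verifies them and only then feeds back its own second metric and
// signature, which the gateway side verifies in turn. Any failure aborts the attestation.
func MutualAttest(gw, db *Party, expectGw, expectDb [32]byte) error {
	first := gw.Attest()
	if err := Verify(first, gw.Pub, expectGw); err != nil {
		return fmt.Errorf("database side rejected gateway: %w", err)
	}
	second := db.Attest()
	if err := Verify(second, db.Pub, expectDb); err != nil {
		return fmt.Errorf("gateway side rejected database: %w", err)
	}
	return nil
}

func main() {
	gw, _ := NewParty("gateway", []byte("constructed gateway TCB image v1"))
	db, _ := NewParty("database", []byte("constructed database TCB image v1"))
	fmt.Println("expected TCBs:", MutualAttest(gw, db, gw.Measure(), db.Measure()))
	var wrong [32]byte
	fmt.Println("tampered database TCB:", MutualAttest(gw, db, gw.Measure(), wrong))
}
```

The expected metric on each side has to come from somewhere trustworthy (a provisioned golden value, as assumed here); a signature alone only proves which key signed, not that the measured software is the version the operator approved.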
The meaning of "second", "third", etc. in the above modules/units is only to distinguish different modules/units, and is not used to limit which module/unit has higher priority or other limiting meanings. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules explicitly listed, but may include other steps or modules not explicitly listed or inherent to such process, method, article, or apparatus, and such that a division of modules presented in this application is merely a logical division and may be implemented in a practical application in a further manner.
For the specific definition of the gateway data second interaction device, reference may be made to the definition of the gateway data interaction method described above, which is applied to a database side divided into a secure area and a non-secure area; it is not repeated here. The modules of the above gateway data second interaction device may be implemented wholly or partially by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing functional units and modules are merely illustrated in terms of division, and in practical applications, the foregoing functional allocation may be performed by different functional units and modules as needed, that is, the internal structure of the gateway data second interaction device is divided into different functional units or modules to perform all or part of the above described functions.
In an embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the gateway data interaction method of the above embodiments is implemented, the method being applied to a database side divided into a secure area and a non-secure area, for example steps S201 to S206 shown in fig. 3 and other extensions of the method and of related steps. Alternatively, when executing the computer program, the processor implements the functions of the modules/units of the gateway data second interaction device in the above embodiments, such as the functions of the modules 50 to 55 shown in fig. 5. To avoid repetition, further description is omitted here.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor; it is the control center of the computer device and connects the various parts of the overall computer device using various interfaces and lines.
The memory may be used to store the computer programs and/or modules, and the processor may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, video data, etc.) created according to the use of the cellular phone, etc.
The memory may be integrated in the processor or may be provided separately from the processor.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the gateway data interaction method of the above embodiments is implemented, the method being applied to a database side divided into a secure area and a non-secure area, for example steps S201 to S206 shown in fig. 3 and other extensions of the method and of related steps. Alternatively, when executed by the processor, the computer program implements the functions of the modules/units of the gateway data second interaction device in the above embodiments, such as the functions of the modules 50 to 55 shown in fig. 5. To avoid repetition, further description is omitted here.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
In one embodiment, a computer device is provided, which may be a server, and its internal structure is shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data involved in the gateway data interaction method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a gateway data interaction method.
In an embodiment, as shown in fig. 1, a user end 10 sends a user request and user identity information over a network to the non-secure area of the gateway-side device 11 (the first computer device) through a protocol such as socket, HTTP, RPC or IPC. The agent of the gateway-side device 11 forwards the user request and the user identity information to the secure area of the gateway-side device 11 for verification. If the user request needs to call the database, the gateway-side device 11 initiates a remote attestation request to the associated database-side device 12 (the second computer device) so as to establish a secure channel between the gateway-side device 11 and the database-side device 12, and each side completes remote attestation by verifying the other side's metric value of its trusted computing base and the signature information over that metric value. The secure area of the gateway-side device 11 then sends the user request to the secure area of the database-side device 12 over the network through a protocol such as socket, HTTP, RPC or IPC; the secure area of the database side sends the user request to the non-secure area of the database side through the agent of the database-side device 12, so that the non-secure area of the database-side device 12 calls the database to execute the user request. The execution result of the user request is processed by the secure area of the database-side device 12 and returned to the database gateway side, and the gateway-side device 11 returns it to the user end 10.
Optionally, the gateway-side device 11 (the first computer device) includes, but is not limited to, a mobile computing device such as a tablet computer with an ARM processor, a tower-type non-mobile computing device, a rack-type high-performance computing device, or a cloud-architecture server, where a single database gateway may consist of, for example, multiple servers operating individually or together. The database-side device 12 (the second computer device) includes, but is not limited to, a mobile computing device such as a tablet computer with an ARM processor, a tower-type non-mobile computing device, a rack-type high-performance computing device, or a cloud-architecture server, where a single database side may consist of, for example, multiple servers operating individually or together; or a specific database system, such as the database software of a relational, non-relational, row, table or graph database, the operating system on which the database software runs, and the database system composed of computer hardware and a network. Network 13 includes, but is not limited to, a Local Area Network (LAN), a Wide Area Network (WAN), a Global Area Network (GAN), and the like.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.
Claims (10)
1. A gateway data interaction method is applied to a database gateway end which is divided into a safe area and an unsafe area, and is characterized by comprising the following steps:
the database gateway end non-safety area forwards a user request and user identity information received from a user side to the database gateway end safety area through a first agent, and the first agent controls the database gateway end safety area to operate and controls the database gateway end non-safety area to sleep;
the safety area of the database gateway end receives the user request and the user identity information and verifies the user request and the user identity information;
after the user request and the user identity information are verified, the database gateway end safety area initiates remote certification to the database end safety area;
after the remote certification is successful, the database gateway end safety area sends the user request to the database end safety area, so that the database end safety area executes the user request;
when a first processing result which is from the database end safety region and is processed according to the request result is received, the first agent controls the database gateway end non-safety region to operate and controls the database gateway end safety region to sleep, and the first processing result is received through the database gateway end non-safety region;
the first agent controls the safe area of the database gateway end to operate, controls the non-safe area of the database gateway end to sleep, and forwards the first processing result to the safe area of the database gateway end through the first agent;
the database gateway end safety region receives the first processing result, processes the first processing result, and forwards the processed first processing result to the database gateway end non-safety region through a first agent, wherein the first agent controls the database gateway end non-safety region to operate and controls the database gateway end safety region to sleep;
and the database gateway end non-safety area returns the first processing result to the user end.
2. The gateway data interaction method of claim 1, wherein the remote attestation comprises the following steps:
the secure area of the database gateway end initiates remote attestation towards the secure area of the database end;
a first secure channel is established between the secure area of the database gateway end and the secure area of the database end;
the database gateway end measures its trusted computing base to obtain a first measurement value, and signs the first measurement value with the certificate of the database gateway end to generate first signature information;
the secure area of the database gateway end sends the first measurement value and the first signature information to the secure area of the database end through the first secure channel, so that the secure area of the database end verifies them and feeds back a second measurement value and second signature information when they pass verification;
when the secure area of the database gateway end receives the second measurement value and the second signature information sent by the secure area of the database end, it verifies them;
and when the second measurement value and the second signature information pass verification, the remote attestation has succeeded and the secure area of the database gateway end sends the user request to the secure area of the database end.
3. The gateway data interaction method of claim 2, wherein the step of verifying the second measurement value and the second signature information comprises the following steps:
the secure area of the database gateway end sends the second measurement value and the second signature information to the non-secure area of the database gateway end through the first agent, and the first agent puts the non-secure area of the database gateway end into operation and the secure area of the database gateway end to sleep;
the non-secure area of the database gateway end verifies the second measurement value and the second signature information and, if they pass verification, generates a second verification report and sends it to the secure area of the database gateway end through the first agent;
and the first agent puts the secure area of the database gateway end into operation and the non-secure area of the database gateway end to sleep, and on receiving the second verification report the secure area of the database gateway end determines that the database end is trustworthy and sends the user request to the secure area of the database end.
4. A gateway data interaction method, applied to a database end that is divided into a secure area and a non-secure area, characterized in that it comprises the following steps:
when remote attestation initiated between the secure area of the database gateway end and the secure area of the database end is received, the secure area of the database end and the secure area of the database gateway end attest each other remotely;
after the remote attestation succeeds, the secure area of the database end receives the user request sent by the secure area of the database gateway end;
the secure area of the database end forwards the user request to the non-secure area of the database end through a second agent, and the second agent puts the non-secure area of the database end into operation and the secure area of the database end to sleep;
the non-secure area of the database end calls the database to execute the user request and obtains a first processing result;
the database forwards the first processing result to the secure area of the database end through the second agent, and the second agent puts the secure area of the database end into operation and the non-secure area of the database end to sleep;
and the secure area of the database end sends the first processing result to the non-secure area of the database gateway end, so that the non-secure area of the database gateway end returns the first processing result to the user end.
5. The gateway data interaction method of claim 4, wherein the remote attestation comprises the following steps:
a second secure channel is established between the secure area of the database end and the secure area of the database gateway end;
the secure area of the database end receives, through the second secure channel, a first measurement value and first signature information sent by the secure area of the database gateway end, and verifies them;
when the first measurement value and the first signature information pass verification, the secure area of the database end measures its trusted computing base to obtain a second measurement value, and signs the second measurement value with the certificate of the database end to generate second signature information;
and the secure area of the database end sends the second measurement value and the second signature information to the secure area of the database gateway end through the second secure channel, so that the secure area of the database gateway end verifies them and confirms that the remote attestation has succeeded when they pass verification.
6. The gateway data interaction method of claim 5, wherein the step of verifying the first measurement value and the first signature information comprises:
the secure area of the database end forwards the first measurement value and the first signature information to the non-secure area of the database end through the second agent, and the second agent puts the non-secure area of the database end into operation and the secure area of the database end to sleep;
the non-secure area of the database gateway end verifies the first measurement value and the first signature information and, if they pass verification, generates a first verification report and forwards it to the secure area of the database end through the second agent;
and the second agent puts the secure area of the database end into operation and the non-secure area of the database end to sleep, and on receiving the first verification report the secure area of the database end confirms that the database gateway end is trustworthy and sends the second measurement value and the second signature information to the secure area of the database gateway end.
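The mutual remote attestation of claims 2 and 5 (with the verification steps of claims 3 and 6 performed in place rather than delegated through an agent), written out as an added Go example; this is not the patent's or the applicant's code. Each secure area hashes a constructed stand-in for its trusted computing base with SHA-256 to obtain its measurement value and signs it with an Ed25519 key, which here stands in for the certificate the claims mention; the expected reference measurements and peer keys are assumed to be provisioned out of band. The ordering of the claims is preserved: the database end verifies the gateway's measurement and signature before producing its own, and the gateway releases the user request only after it has verified the reply. A session value standing for the secure channel is bound into both signatures; the claims do not describe freshness, so that binding is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is one side's "measurement value and signature information".
type Attestation struct {
	Measurement [32]byte
	Signature   []byte
}

// Party models one secure area (gateway end or database end). The Ed25519 key
// stands in for the certificate named in the claims (assumption).
type Party struct {
	Name    string
	tcb     []byte // constructed stand-in for the trusted computing base image
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	peerPub map[string]ed25519.PublicKey // provisioned peer certificates
	peerRef map[string][32]byte          // provisioned reference measurements
}

func NewParty(name string, tcb []byte) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, tcb: tcb, priv: priv, Pub: pub,
		peerPub: map[string]ed25519.PublicKey{}, peerRef: map[string][32]byte{}}, nil
}

// Reference is the expected measurement of a known-good TCB image.
func Reference(tcb []byte) [32]byte { return sha256.Sum256(tcb) }

// Trust provisions what this party expects of a peer: its key and reference measurement.
func (p *Party) Trust(peer string, pub ed25519.PublicKey, ref [32]byte) {
	p.peerPub[peer] = pub
	p.peerRef[peer] = ref
}

// Measure hashes the TCB and signs the measurement. The secure-channel session
// value is bound into the signature so a recorded attestation cannot be
// replayed in a later session (assumption; the claims do not detail freshness).
func (p *Party) Measure(session []byte) Attestation {
	m := sha256.Sum256(p.tcb)
	return Attestation{Measurement: m, Signature: ed25519.Sign(p.priv, append(m[:], session...))}
}

// Verify checks the signature with the peer's provisioned key first and only
// then compares the measurement with the reference value, so an unsigned or
// foreign measurement is never compared at all.
func (p *Party) Verify(peer string, session []byte, a Attestation) error {
	pub, ok := p.peerPub[peer]
	if !ok {
		return fmt.Errorf("no certificate provisioned for %q", peer)
	}
	if !ed25519.Verify(pub, append(a.Measurement[:], session...), a.Signature) {
		return errors.New("signature does not verify")
	}
	if a.Measurement != p.peerRef[peer] {
		return errors.New("measurement differs from reference value")
	}
	return nil
}

// MutualAttest runs the exchange of claims 2 and 5 in the stated order.
func MutualAttest(gateway, db *Party) error {
	session := make([]byte, 16) // binding value of the secure channel between the two secure areas
	if _, err := rand.Read(session); err != nil {
		return err
	}
	first := gateway.Measure(session) // first measurement value and first signature information
	if err := db.Verify(gateway.Name, session, first); err != nil {
		return fmt.Errorf("database end rejected gateway end: %w", err) // database end reveals nothing about itself
	}
	second := db.Measure(session) // second measurement value and second signature information
	if err := gateway.Verify(db.Name, session, second); err != nil {
		return fmt.Errorf("gateway end rejected database end: %w", err) // user request is not sent
	}
	return nil
}

func main() {
	gw, _ := NewParty("gateway", []byte("gateway-tcb-v1"))   // constructed TCB images
	db, _ := NewParty("database", []byte("database-tcb-v1"))
	gw.Trust(db.Name, db.Pub, Reference([]byte("database-tcb-v1")))
	db.Trust(gw.Name, gw.Pub, Reference([]byte("gateway-tcb-v1")))
	fmt.Println("mutual attestation error:", MutualAttest(gw, db))
}
```

A database end whose trusted computing base no longer matches the provisioned reference produces a valid signature over the wrong measurement and is rejected by the gateway end; a peer whose key is not provisioned is rejected before its measurement is even compared.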
7. A first gateway data interaction device, characterized in that the first interaction device comprises:
a first receiving module, used for the non-secure area of the database gateway end to forward a user request and user identity information received from the user end to the secure area of the database gateway end through a first agent, the first agent putting the secure area of the database gateway end into operation and the non-secure area of the database gateway end to sleep;
a first verification module, used for the secure area of the database gateway end to receive the user request and the user identity information and verify them;
a first remote attestation module, used for the secure area of the database gateway end to initiate remote attestation towards the secure area of the database end after the user request and the user identity information have been verified;
a first sending module, used for the secure area of the database gateway end to send the user request to the secure area of the database end after the remote attestation succeeds, so that the secure area of the database end executes the user request;
a first agent module, used for putting the non-secure area of the database gateway end into operation and the secure area of the database gateway end to sleep when a first processing result, obtained by the secure area of the database end from processing the request result, is received, and for receiving the first processing result through the non-secure area of the database gateway end;
a second agent module, used for the first agent to put the secure area of the database gateway end into operation and the non-secure area of the database gateway end to sleep, and to forward the first processing result to the secure area of the database gateway end through the first agent;
a second receiving module, used for the secure area of the database gateway end to receive and process the first processing result and forward the processed first processing result to the non-secure area of the database gateway end through the first agent, the first agent putting the non-secure area of the database gateway end into operation and the secure area of the database gateway end to sleep;
and a second sending module, used for the non-secure area of the database gateway end to return the first processing result to the user end.
8. A second gateway data interaction device, characterized in that the second interaction device comprises:
a second remote attestation module, used for the secure area of the database end and the secure area of the database gateway end to attest each other remotely when remote attestation initiated by the secure area of the database gateway end towards the secure area of the database end is received;
a third receiving module, used for receiving the user request sent by the secure area of the database gateway end after the remote attestation succeeds;
a third agent module, used for the secure area of the database end to forward the user request to the non-secure area of the database end through a second agent, the second agent putting the non-secure area of the database end into operation and the secure area of the database end to sleep;
a database call execution module, used for the non-secure area of the database end to call the database to execute the user request and obtain a first processing result;
a fourth agent module, used for forwarding the first processing result to the secure area of the database end through the second agent, the second agent putting the secure area of the database end into operation and the non-secure area of the database end to sleep;
and a fourth sending module, used for the secure area of the database end to send the first processing result to the non-secure area of the database gateway end, so that the non-secure area of the database gateway end returns the first processing result to the user end.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor carries out the steps of the gateway data interaction method according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, carries out the steps of the gateway data interaction method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011124855.7A CN112532576B (en) | 2020-10-20 | 2020-10-20 | Gateway data interaction method and device, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112532576A CN112532576A (en) | 2021-03-19 |
CN112532576B true CN112532576B (en) | 2021-08-20 |
Family
ID=74979729
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011124855.7A Active CN112532576B (en) | 2020-10-20 | 2020-10-20 | Gateway data interaction method and device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112532576B (en) |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8682845B2 (en) * | 2008-07-09 | 2014-03-25 | The Boeing Company | Secure high performance multi-level security database systems and methods |
CN103888257B (en) * | 2013-11-03 | 2017-01-18 | 北京工业大学 | Network camera identity authentication method based on TPCM |
CN104008135A (en) * | 2014-05-07 | 2014-08-27 | 南京邮电大学 | Multi-source heterogeneous database fusion system and data query method thereof |
US10089489B2 (en) * | 2015-06-02 | 2018-10-02 | ALTR Solutions, Inc. | Transparent client application to arbitrate data storage between mutable and immutable data repositories |
CN106101055A (en) * | 2016-04-29 | 2016-11-09 | 乐视控股(北京)有限公司 | The data access method of a kind of multiple database and system thereof and proxy server |
US10587586B2 (en) * | 2017-01-10 | 2020-03-10 | Mocana Corporation | System and method for a multi system trust chain |
- 2020-10-20 CN CN202011124855.7A patent/CN112532576B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN112532576A (en) | 2021-03-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||