CN113922969B - Intel SGX trusted service cluster deployment implementation method, system and electronic device - Google Patents

Info

Publication number: CN113922969B
Authority: CN (China)
Application number: CN202111257826.2A
Other languages: Chinese (zh)
Other versions: CN113922969A
Inventors: 姚有方, 何剑虹
Assignee: Hangzhou Xianbing Technology Co ltd
Legal status: Active
Prior art keywords: key, ecc, cluster, trusted, data

Classifications

    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected by encrypting or encapsulating the payload and the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L9/085 Key distribution or management; key establishment by secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an implementation method, a system and an electronic device for clustered deployment of Intel SGX trusted services. The method comprises: generating a complete ECC master key; dividing the ECC master key into a plurality of key fragments and storing the fragments separately; when a trusted service based on Intel SGX in a cluster is initialized, receiving input key fragments up to a preset number; recovering the complete ECC master key from the input key fragments inside the Enclave program space; inputting the ECC master key into a key derivation function to derive a security key; and encrypting and decrypting service data with the security key. Because every Intel SGX trusted service in the same cluster uses the same ECC master key and the same key derivation function, all of them derive the same security key, so that service data can be shared securely within the cluster. This achieves clustered deployment of Intel SGX trusted services and solves the technical problem that such trusted services could not previously be deployed as a cluster.

Description

Intel SGX trusted service clustered deployment implementation method, system and electronic device
Technical Field
The invention relates to the field of trusted computing applications, and in particular to a method, a system and an electronic device for implementing clustered deployment of Intel SGX trusted services.
Background
Currently, among trusted execution environment (TEE) technologies, Intel SGX is the most mature and widely deployed, and most cloud service providers let developers build applications such as data encryption and confidential computing on it. Intel SGX isolates a region inside the Intel CPU called an Enclave; program code and data loaded into the Enclave cannot be tampered with or read by anything outside it. In short, an Enclave is a hardware-backed secure black box inside the CPU, so the program logic, data storage and execution inside the Enclave are protected.
At the same time, Intel SGX provides the SGX_KEYPOLICY_MRENCLAVE policy for deriving a security key inside an Enclave, and an Enclave program can use this policy to obtain a security key with which it encrypts and decrypts data.
Under the SGX_KEYPOLICY_MRENCLAVE policy, the security key is derived from the enclave's measurement MRENCLAVE (a hash of its code and initial data) together with platform-specific secrets of the CPU it runs on, so only an identical Enclave running on that same CPU can derive it, and only that Enclave can decrypt data encrypted with it. A data security application built on this policy works as follows: data to be processed is passed into the Enclave, the Enclave program derives a security key under SGX_KEYPOLICY_MRENCLAVE, encrypts the data with that key and stores the ciphertext in a database; the same Enclave program on the same hardware platform derives the same key again, so the data can be decrypted only inside that Enclave.
In practice, to achieve high availability and handle high load, a cloud security application platform usually has to be deployed as a cluster, which requires that service data can be shared securely among multiple Intel SGX trusted services in the cluster.
However, with the SGX_KEYPOLICY_MRENCLAVE approach described above, data can be used and stored only by a single trusted service; it cannot be exchanged or shared between trusted services. For example, with two trusted services A and B in a cluster, after service data encrypted by A is stored in the database, B can read the ciphertext from the database but cannot decrypt it, so clustered deployment of the trusted service is impossible.
Disclosure of Invention
The main object of the invention is to provide a method and a system for implementing clustered deployment of Intel SGX trusted services, so as to solve the problem in the related art that trusted services cannot be deployed as a cluster.
To achieve this object, a first aspect of the invention provides a method for implementing clustered deployment of Intel SGX trusted services, comprising:
generating a complete ECC master key;
dividing the ECC master key into a plurality of key fragments and storing the key fragments separately;
when a trusted service based on Intel SGX in the cluster is initialized, receiving input key fragments up to a preset number;
in the Enclave program space, recovering the complete ECC master key from the input key fragments;
inputting the ECC master key into a key derivation function to derive a security key;
and encrypting and decrypting service data with the security key.
Optionally, inputting the ECC master key into a key derivation function to derive a security key comprises:
determining a key derivation function that meets preset requirements;
inputting the public key of the ECC master key into the key derivation function;
inputting the private key of the ECC master key into the key derivation function;
hashing the public key with the hash function of the key derivation function to obtain a public key hash value;
and hashing the public key hash value concatenated with the private key, using the same hash function, to obtain the security key.
Further, the key derivation function KDF meeting the preset requirements is given by:
KDF(p, d) = SHA256(SHA256(p) || d)
where p is the public key of the ECC master key, d is the private key of the ECC master key, || denotes concatenation and SHA256 is the standard SHA-256 hash function.
Further, the preset requirements comprise a first preset requirement and a second preset requirement;
the first preset requirement is that identical inputs to the key derivation function give identical outputs;
the second preset requirement is that the length of the output of the key derivation function equals the length of the ECC master key.
Optionally, the service data comprises plaintext data and ciphertext data;
encrypting and decrypting the service data with the security key comprises:
symmetrically encrypting the plaintext data with the security key to obtain ciphertext data;
storing the ciphertext data in the ciphertext database of the cluster;
and symmetrically decrypting the ciphertext data with the security key to obtain the plaintext data.
Optionally, a plurality of trusted services are deployed in the cluster, each providing the same business function;
all trusted services in the same cluster derive the same security key from the same ECC master key and the same key derivation function, so that service data is shared within the cluster.
Optionally, before initializing the trusted service based on Intel SGX in the cluster, the method further comprises:
Any one of the trusted services in the cluster is randomly selected for access through scheduling of the load balancing service.
The second aspect of the present invention provides a system for implementing clustered deployment of Intel SGX trusted services, including:
a generating unit for generating a complete ECC master key;
a fragmenting unit for dividing the ECC master key into a plurality of key fragments and storing the key fragments separately;
a receiving unit for receiving input key fragments up to a preset number when a trusted service based on Intel SGX in the cluster is initialized;
a recovery unit for recovering the complete ECC master key from the input key fragments in the Enclave program space;
a deriving unit for inputting the ECC master key into a key derivation function to derive a security key;
and an encryption and decryption unit for encrypting and decrypting service data with the security key.
A third aspect of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to perform the implementation method of the Intel SGX trusted service clustered deployment provided in any one of the first aspects.
A fourth aspect of the present invention provides an electronic device comprising at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to cause the at least one processor to perform the method of implementing the Intel SGX trusted service clustered deployment provided in any of the first aspects.
The implementation method for clustered deployment of Intel SGX trusted services provided by the embodiment of the invention comprises: generating a complete ECC master key; dividing it into a plurality of key fragments that are stored separately; receiving input key fragments up to a preset number when a trusted service based on Intel SGX in the cluster is initialized; recovering the complete ECC master key from the input key fragments inside the Enclave program space; inputting the ECC master key into a key derivation function to derive a security key; and encrypting and decrypting service data with the security key. Because all Intel SGX trusted services in the same cluster use the same ECC master key and the same key derivation function, they derive the same security key, so service data can be shared securely within the cluster; this achieves clustered deployment of Intel SGX trusted services and solves the problem of the related art, where data could be used and stored only by a single trusted service and clustered deployment was therefore impossible.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings which are required in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a system architecture diagram of a system for implementing Intel SGX trusted service clustered deployment provided by an embodiment of the present invention;
FIG. 2 is a flow chart of a method for implementing clustered deployment of Intel SGX trusted services provided by an embodiment of the present invention;
FIG. 3 is a block diagram of a system for implementing clustered deployment of Intel SGX trusted services provided by an embodiment of the present invention;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe the embodiments of the invention herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
A trusted execution environment (TEE) executes programs in a secure, trusted environment, where the code, logic and results running inside the TEE cannot be tampered with or hijacked by an attacker. TEEs are widely used in confidential computing, cloud computing and similar applications. In practice, to achieve high availability and handle high load, a cloud security application platform usually has to be deployed as a cluster, which requires that service data can be shared securely among multiple Intel SGX trusted services in the cluster; Intel SGX is Intel's CPU-level implementation of a TEE.
However, when the SGX_KEYPOLICY_MRENCLAVE policy is used to build a data security application in the related art, data can be used and stored only by a single trusted service; it cannot be exchanged or shared between trusted services. For example, with two trusted services A and B in a cluster, after service data encrypted by A is stored in the database, B can read the ciphertext from the database but cannot decrypt it, so clustered deployment of the trusted service is impossible.
To solve the above problem, an embodiment of the invention provides a system for implementing clustered deployment of Intel SGX trusted services. For a system containing two trusted services based on Intel SGX, the structure is shown in fig. 1, where:
trusted service A and trusted service B are two Intel SGX-based trusted services deployed in the cluster and providing the same business function; the system extends in the same way to a cluster of any number of Intel SGX trusted services;
the cluster scheduling service selects one of the two trusted services A and B at random for each access;
the ECC master key fragments are the key fragments of the ECC master key; the administrator holding each fragment enters it into the trusted service while that service is being initialized, and the trusted service recovers the complete ECC master key from the fragments inside its Enclave program;
KDF is the key derivation function, whose input is the complete ECC master key;
K is the security key, which exists only inside the Enclave program space;
Ciphertext = K(plaintext): the encryption step applies a symmetric encryption operation with the security key K to the plaintext data to obtain ciphertext data;
the decryption step applies the symmetric decryption operation with the security key K to the ciphertext data to obtain the plaintext data;
the ciphertext database is a database shared by the cluster, in which service data is stored as ciphertext.
In summary, a single ECC master key is generated for the Intel SGX trusted services in the cluster, fragmented and stored separately; when an Intel SGX trusted service is initialized, the holders of the fragments each enter their fragment, the trusted service recovers the complete ECC master key from the fragments, derives the security key K from the master key, and encrypts and decrypts service data with K.
An embodiment of the invention provides a method for implementing clustered deployment of Intel SGX trusted services, whose flow chart is shown in fig. 2; it comprises the following steps S101 to S106:
Step S101: generate a complete ECC master key using a standard ECC key generation algorithm. Every trusted service later recovers its master key from fragments of this single key, so all of them obtain the same ECC master key.
Step S102: divide the ECC master key into a plurality of key fragments and store them separately; for example, divide the ECC master key into n key fragments held by n administrators, each administrator holding exactly one fragment, where n > 1.
Step S103: when a trusted service based on Intel SGX in the cluster is initialized, receive input key fragments up to a preset number. During initialization the administrators each enter the fragment they hold; at least k fragments must be entered, and the service proceeds once k fragments have been received, where k is the minimum number of fragments needed to recover the ECC master key and 1 < k <= n.
Specifically, a plurality of trusted services are deployed in the cluster, each providing the same business function;
all trusted services in the same cluster derive the same security key from the same ECC master key and the same key derivation function, so that service data is shared within the cluster.
Further, before a trusted service based on Intel SGX in the cluster is initialized, the method further comprises:
selecting any one of the trusted services in the cluster at random for access, through the scheduling of the load-balancing service. Trusted services based on Intel SGX are now widely used; in practice, to guarantee high availability and high load capacity, they often have to be deployed as a cluster, and the load-balancing service calls any trusted service in the cluster at random to perform the service computation.
Step S104: in the Enclave program space, recover the complete ECC master key from the input key fragments.
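Steps S102 to S104 as an added example in Go; this is not code from the patent or its assignee. The master private scalar d is split into n fragments with Shamir's threshold scheme over the P-256 group order, and any k fragments are recombined by Lagrange interpolation. The curve, the choice of Shamir's scheme and the fragment format are assumptions of this example: the page names neither a curve nor a splitting scheme. RecoverScalar checks the preset number k before interpolating, because interpolation over fewer than k fragments silently returns a wrong scalar instead of failing, and it rejects a fragment entered twice, which would otherwise make a Lagrange denominator zero.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Fragments are computed modulo the P-256 group order n, so the value the
// enclave recovers is again a valid private scalar. Curve and scheme (Shamir)
// are assumptions of this example; the page fixes neither.
var order = elliptic.P256().Params().N

// Share is one key fragment, held by one administrator; X is its index (1..n).
type Share struct {
	X int64
	Y *big.Int
}

// SplitScalar divides the master scalar d into n fragments such that any k of
// them recover d and any k-1 reveal nothing about it (S102).
func SplitScalar(d *big.Int, k, n int) ([]Share, error) {
	if k < 2 || k > n || d.Sign() <= 0 || d.Cmp(order) >= 0 {
		return nil, errors.New("need 2 <= k <= n and 0 < d < order")
	}
	coef := []*big.Int{new(big.Int).Set(d)} // random polynomial f with f(0) = d
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, order)
		if err != nil {
			return nil, err
		}
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner: y = f(x) mod order
			y.Mul(y, x).Add(y, coef[j]).Mod(y, order)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// RecoverScalar rebuilds d by Lagrange interpolation at x = 0 from the first k
// fragments entered (S103 and S104, run inside the enclave). The count is
// checked first: interpolating fewer than k points returns a wrong scalar, not
// an error, and a fragment entered twice would give a zero denominator.
func RecoverScalar(shares []Share, k int) (*big.Int, error) {
	if len(shares) < k {
		return nil, fmt.Errorf("need %d fragments, got %d", k, len(shares))
	}
	shares = shares[:k]
	d := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X == sj.X {
				return nil, errors.New("duplicate fragment index")
			}
			num.Mul(num, big.NewInt(-sj.X)).Mod(num, order)
			den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, order)
		}
		t := new(big.Int).Mul(si.Y, num)
		d.Add(d, t.Mul(t, den.ModInverse(den, order))).Mod(d, order)
	}
	return d, nil
}

func main() {
	master, _ := rand.Int(rand.Reader, order) // stand-in for S101's ECC key generation
	shares, err := SplitScalar(master, 3, 5)
	if err != nil {
		panic(err)
	}
	nodeA, _ := RecoverScalar(shares[0:3], 3) // administrators 1, 2, 3 at node A
	nodeB, _ := RecoverScalar(shares[2:5], 3) // administrators 3, 4, 5 at node B
	fmt.Println("both nodes hold the master scalar:",
		nodeA.Cmp(master) == 0 && nodeB.Cmp(master) == 0)
}
```

In the cluster flow, node A and node B each run RecoverScalar inside their own Enclave on whichever k fragments their administrators entered (fragments 1, 2, 3 and 3, 4, 5 in main), and both obtain the same d. The page does not describe how an administrator confirms that the service asking for a fragment is a genuine Enclave; in an SGX deployment that is the job of remote attestation before any fragment is released, and this example does not model it.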
Step S105: input the ECC master key into a key derivation function to derive a security key.
Specifically, step S105 comprises:
determining a key derivation function that meets preset requirements. The preset requirements comprise a first preset requirement and a second preset requirement: the first is that identical inputs to the key derivation function give identical outputs; the second is that the length of the output of the key derivation function equals the length of the ECC master key, which is fixed at 32 bytes.
Further, the key derivation function KDF meeting the preset requirements is given by:
KDF(p, d) = SHA256(SHA256(p) || d)
where p is the public key of the ECC master key, d is the private key of the ECC master key, || denotes concatenation and SHA256 is the standard SHA-256 hash function. A hash operation is a one-way cryptographic operation: it accepts input of any length, produces output of a fixed length, and the input cannot be recovered from the output. SHA-256 is a commonly used hash algorithm whose output is 32 bytes long.
Input the public key of the ECC master key into the key derivation function;
input the private key of the ECC master key into the key derivation function;
hash the public key with the hash function of the key derivation function to obtain a public key hash value;
and hash the public key hash value concatenated with the private key, using the same hash function, to obtain the security key.
According to the invention, hashing the public key first and then hashing the public key hash value together with the private key yields a security key that the invention regards as safer than one obtained from a single hash over the public key and private key. Note that p is determined by d, so the secret input to the KDF is d alone; the inner hash contributes a fixed-length, domain-separating prefix rather than additional secrecy. The key obtained from this two-stage derivation function is used as the security key, with which the Intel SGX trusted services can share data, so that clustered deployment is achieved.
Because the key derivation function KDF uses the standard SHA-256 hash function, identical input parameters always give identical results, and the 32-byte ECC master key has the same length as the SHA-256 output, so a KDF built on SHA-256 satisfies both the first and the second preset requirement. The invention therefore requires the input of the KDF to be the master key shared by the Intel SGX trusted services, which guarantees that each Intel SGX trusted service derives the same security key K. By establishing one master key, the Intel SGX trusted services in the cluster all derive the same security key K from it, which is what makes clustered deployment possible.
Step S106: encrypt and decrypt the service data with the security key.
The service data comprises plaintext data and ciphertext data;
encrypting and decrypting the service data with the security key comprises:
symmetrically encrypting the plaintext data with the security key to obtain ciphertext data;
storing the ciphertext data in the ciphertext database of the cluster;
and symmetrically decrypting the ciphertext data with the security key to obtain the plaintext data. For security, service data inside the trusted service is encrypted before it is stored in the database; when it is needed, the ciphertext read from the database is decrypted and the business processing is carried out, so that service data is always computed in a secure, trusted computing environment. Through this encryption and decryption, service data stored in encrypted form by one trusted service can be decrypted by the other trusted services in the cluster.
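Steps S105 and S106 as an added example in Go; this is not code from the patent or its assignee. DeriveKey computes KDF(p, d) = SHA256(SHA256(p) || d) from a recovered scalar d, Encrypt and Decrypt are the symmetric layer around the shared ciphertext database, and ShareAcrossNodes plays two cluster nodes that each derive K from the same d and shows node B decrypting the row node A wrote. Assumptions not fixed by the page: P-256 as the curve, d as a 32-byte big-endian scalar, p encoded as the uncompressed point 0x04||X||Y, || as byte concatenation, and AES-256-GCM as the symmetric cipher (the page says only "symmetric"; an AEAD is chosen so that a wrong K or a modified row fails the tag check instead of yielding garbage).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveKey is the page's KDF(p, d) = SHA256(SHA256(p) || d): d is the 32-byte
// big-endian P-256 private scalar recovered inside the enclave, p its
// uncompressed public point 0x04||X||Y. Curve and encodings are this example's
// assumptions; the page only fixes the 32-byte length of the result.
func DeriveKey(d []byte) ([]byte, error) {
	priv, err := ecdh.P256().NewPrivateKey(d) // rejects wrong length, 0 and >= n
	if err != nil {
		return nil, err
	}
	inner := sha256.Sum256(priv.PublicKey().Bytes())
	outer := sha256.New()
	outer.Write(inner[:])
	outer.Write(priv.Bytes())
	return outer.Sum(nil), nil
}

// newAEAD wraps the 32-byte K in AES-256-GCM. The page says only "symmetric";
// an AEAD is used so that the wrong K or a modified database row is detected.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces the row written to the shared ciphertext database:
// nonce || ciphertext || tag (S106, writing node).
func Encrypt(key, plaintext []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt is the reading node's side of S106; it fails on a wrong key or a
// tampered row.
func Decrypt(key, row []byte) ([]byte, error) {
	g, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(row) < n {
		return nil, errors.New("row too short")
	}
	return g.Open(nil, row[:n], row[n:], nil)
}

// ShareAcrossNodes models two cluster nodes that both recovered d: node A
// derives K and writes a row, node B derives K independently and reads it.
// It returns the plaintext node B obtains.
func ShareAcrossNodes(d, plaintext []byte) ([]byte, error) {
	keyA, err := DeriveKey(d) // inside enclave A
	if err != nil {
		return nil, err
	}
	keyB, err := DeriveKey(d) // inside enclave B: same d, same KDF, same K
	if err != nil {
		return nil, err
	}
	row, err := Encrypt(keyA, plaintext) // A stores the row
	if err != nil {
		return nil, err
	}
	return Decrypt(keyB, row) // B reads it
}

func main() {
	master, err := ecdh.P256().GenerateKey(rand.Reader) // S101: 32-byte scalar
	if err != nil {
		panic(err)
	}
	out, err := ShareAcrossNodes(master.Bytes(), []byte("constructed sample business record"))
	fmt.Printf("%q %v\n", out, err)
}
```

Since p is a deterministic function of d, a node that holds d can always recompute p; ecdh.P256().NewPrivateKey also rejects d = 0 and d >= n, so a corrupted recovery fails at the KDF rather than producing a key that no other node shares. With a random 96-bit GCM nonce per row, the number of rows encrypted under one K should stay well below 2^32.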
Following these steps, the Intel SGX trusted services in the cluster derive the same security key K from the same ECC master key, so the invention can share service data through a database and meet the requirements of clustered deployment: the Intel SGX trusted services in the cluster use one ECC master key, generate a unified security key K through the key derivation function, and encrypt and decrypt service data with K, so that service data stored in encrypted form by one trusted service can be decrypted by the other trusted services in the cluster.
From the above description, the following technical effects are achieved:
because the invention uses the same ECC master key and the same key derivation function, all Intel SGX trusted services in the same cluster derive the same security key, so service data can be shared securely within the cluster; this achieves clustered deployment of Intel SGX trusted services and solves the problem of the related art, where data could be used and stored only by a single trusted service and clustered deployment was therefore impossible;
the Intel SGX trusted services in the cluster share service data through the database and, by encrypting and decrypting it with the unified security key K, a record stored in encrypted form by one trusted service is readable by every other trusted service in the cluster.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the invention also provides a system for realizing the Intel SGX trusted service clustered deployment for implementing the implementation method of the Intel SGX trusted service clustered deployment, and the schematic diagram is shown in figure 3, and the system comprises:
a generating unit 31, configured to generate a complete ECC master key;
a slicing unit 32, configured to slice the ECC master key into a plurality of key fragments and store the key fragments in a scattered manner;
a receiving unit 33, configured to receive, when an Intel SGX-based trusted service in the cluster is initialized, input key fragments whose number reaches a preset number;
a recovery unit 34, configured to recover the complete ECC master key from the input key fragments within the Enclave program space;
a deriving unit 35, configured to input the ECC master key into a key derivation function to derive a security key;
and an encryption and decryption unit 36, configured to encrypt and decrypt service data using the security key.
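The clustered key-sharing procedure described above, and claimed in claims 1 to 6 below, as an added Go example; it is not part of the patent and not the applicant's code. It assumes the ECC master key is a P-256 key, that the "preset number" of fragments is a (t, n) Shamir threshold over the P-256 field prime, that the two hash inputs of the claimed KDF are concatenated before the outer SHA-256, and that the symmetric cipher is AES-256-GCM; the function names, the (5, 3) split, the two node fragment sets and the record text are constructed for the example:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// P-256 field prime; every private scalar d is below the group order n < fieldP.
var fieldP, _ = new(big.Int).SetString(
	"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16)

// Share is one key fragment: evaluation point X and polynomial value Y = f(X).
type Share struct{ X, Y *big.Int }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// GenerateMasterKey returns the complete P-256 master key as the 32-byte
// private scalar d and the 65-byte uncompressed public point p.
func GenerateMasterKey() (d, p []byte) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	return priv.Bytes(), priv.PublicKey().Bytes()
}

// SplitKey makes n fragments of which any t rebuild d (Shamir sharing over
// GF(fieldP)); the (t, n) threshold is the assumed form of the "preset number".
func SplitKey(d []byte, n, t int) []Share {
	coeffs := []*big.Int{new(big.Int).SetBytes(d)} // f(0) is the secret
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, fieldP)
		must(err)
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := t - 1; j >= 0; j-- { // Horner: y = f(x) mod fieldP
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, fieldP)
		}
		shares[i] = Share{x, y}
	}
	return shares
}

// RecoverMasterKey interpolates f(0) from the fragments. Fewer than t fragments
// give a wrong scalar with no error, so the result must be verified before use.
func RecoverMasterKey(shares []Share) []byte {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, fieldP)
				den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, fieldP)
			}
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, fieldP)).Mod(term, fieldP)
		secret.Add(secret, term).Mod(secret, fieldP)
	}
	return secret.FillBytes(make([]byte, 32))
}

// VerifyMasterKey checks that d is the scalar behind public point p, rejecting
// an incomplete or tampered fragment set before any key is derived from it.
func VerifyMasterKey(d, p []byte) bool {
	priv, err := ecdh.P256().NewPrivateKey(d)
	return err == nil && bytes.Equal(priv.PublicKey().Bytes(), p)
}

// DeriveSecurityKey is the KDF of claim 3, K = SHA256(SHA256(p) || d); its
// 32-byte output has the master key length that claim 4 requires.
func DeriveSecurityKey(p, d []byte) []byte {
	ph := sha256.Sum256(p)
	h := sha256.New()
	h.Write(ph[:])
	h.Write(d)
	return h.Sum(nil)
}

func gcmFor(k []byte) cipher.AEAD {
	block, err := aes.NewCipher(k) // the 32-byte K selects AES-256
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// Encrypt seals service data under K with AES-256-GCM; output is nonce || ct.
func Encrypt(k, plaintext []byte) []byte {
	aead := gcmFor(k)
	nonce := make([]byte, aead.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt opens a record sealed by any cluster node that derived the same K.
func Decrypt(k, sealed []byte) ([]byte, error) {
	aead := gcmFor(k)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	d, p := GenerateMasterKey()
	shares := SplitKey(d, 5, 3) // five custodians; any three can initialise a node
	dA := RecoverMasterKey(shares[:3])                               // node A's fragments
	dB := RecoverMasterKey([]Share{shares[1], shares[3], shares[4]}) // node B's fragments
	if !VerifyMasterKey(dA, p) || !VerifyMasterKey(dB, p) {
		panic("fragments do not reconstruct the master key")
	}
	kA, kB := DeriveSecurityKey(p, dA), DeriveSecurityKey(p, dB)
	got, err := Decrypt(kB, Encrypt(kA, []byte("order 42, written by node A"))) // constructed record
	fmt.Printf("same K: %v; node B reads %q (err=%v)\n", bytes.Equal(kA, kB), got, err)
}
```

The verification step is the part worth copying: Lagrange interpolation returns some scalar for any number of fragments, so a node must check the reconstructed d against the master public key (which can be stored in the clear next to the service) before deriving K from it. Two points the page leaves implicit: the fragments should enter the enclave only over a channel set up after remote attestation, so the untrusted host never sees them in the clear, and because K is a fixed function of d and identical on every node, rotating K means rotating the master key and re-encrypting the ciphertext database.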
An embodiment of the invention also provides an electronic device which, as shown in fig. 4, includes one or more processors 41 and a memory 42; in fig. 4 one processor 41 is taken as an example.
The electronic device may also include an input device 43 and an output device 44.
The processor 41, the memory 42, the input device 43 and the output device 44 may be connected by a bus, as in fig. 4, or in another way.
The processor 41 may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of the foregoing; a general-purpose processor may be a microprocessor or any conventional processor.
The memory 42, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the methods in the embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 42, the processor 41 executes the various functional applications and data processing of the server, that is, the method for implementing clustered deployment of Intel SGX trusted services of the method embodiment described above.
The memory 42 may include a program storage area, which may store an operating system and the application programs required for at least one function, and a data storage area, which may store data created in the course of use of the processing device of the server, and so on. In addition, the memory 42 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory 42 may optionally include memory located remotely from the processor 41 and connected to the network connection device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input means 43 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the processing means of the server. The output device 44 may include a display device such as a display screen.
One or more modules are stored in memory 42 that, when executed by one or more processors 41, perform the method illustrated in fig. 1.
Those skilled in the art will appreciate that all or part of the method of the above embodiment may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the steps of the embodiments of the method described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory (FM), a hard disk drive (HDD) or a solid-state drive (SSD), and the like, and may also be a combination of the above types of memory.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (9)

1. A method for implementing clustered deployment of Intel SGX trusted services, characterized by comprising the following steps:
generating a complete ECC master key;
slicing the ECC master key into a plurality of key fragments and storing the key fragments in a scattered manner;
when an Intel SGX-based trusted service in a cluster is initialized, receiving input key fragments whose number reaches a preset number;
in the Enclave program space, recovering the complete ECC master key from the input key fragments;
inputting the ECC master key into a key derivation function to derive a security key;
encrypting and decrypting service data using the security key;
wherein the cluster is provided with a plurality of trusted services, each trusted service providing the same service function;
and all trusted services within the same cluster derive the same security key using the same ECC master key and the same key derivation function, so that the service data is shared within the cluster.
2. The method of claim 1, wherein inputting the ECC master key into a key derivation function to derive a security key comprises:
determining a key derivation function meeting preset requirements;
inputting the public key of the ECC master key into the key derivation function;
inputting the private key of the ECC master key into the key derivation function;
performing a hash operation on the public key with a hash function of the key derivation function to obtain a public key hash value;
and performing a hash operation on the public key hash value and the private key with a hash function of the key derivation function to obtain the security key.
3. The method of claim 2, wherein the key derivation function KDF satisfying the preset requirement is determined as follows:
KDF(p,d)=SHA256(SHA256(p),d)
Where p is the public key of the ECC master key, d is the private key of the ECC master key, and SHA256 is the standard SHA256 hash function.
4. The method of claim 2, wherein the preset requirements comprise a first preset requirement and a second preset requirement;
the first preset requirement comprises that when the input of the key derivation function is the same, the output result is the same;
the second preset requirement comprises that the length of the data output by the key derivation function is the same as the length of the ECC master key.
5. The method of claim 1, wherein the service data comprises plaintext data and ciphertext data;
and encrypting and decrypting the service data using the security key comprises the following steps:
performing a symmetric encryption operation on the plaintext data using the security key to obtain ciphertext data;
storing the ciphertext data in a ciphertext database of the cluster;
and performing a symmetric decryption operation on the ciphertext data using the security key to obtain the plaintext data.
6. The method of claim 1, wherein before the Intel SGX-based trusted service in the cluster is initialized, the method further comprises:
selecting at random, through scheduling by a load balancing service, any one of the trusted services in the cluster for access.
7. A system for implementing clustered deployment of Intel SGX trusted services, comprising:
a generating unit, configured to generate a complete ECC master key;
a slicing unit, configured to slice the ECC master key into a plurality of key fragments and store the key fragments in a scattered manner;
a receiving unit, configured to receive, when an Intel SGX-based trusted service in the cluster is initialized, input key fragments whose number reaches a preset number;
a recovery unit, configured to recover the complete ECC master key from the input key fragments within the Enclave program space;
a deriving unit, configured to input the ECC master key into a key derivation function to derive a security key;
and an encryption and decryption unit, configured to encrypt and decrypt service data using the security key;
wherein the cluster is provided with a plurality of trusted services, each trusted service providing the same service function;
and all trusted services within the same cluster derive the same security key using the same ECC master key and the same key derivation function, so that the service data is shared within the cluster.
8. A computer readable storage medium storing computer instructions for causing a computer to perform the method for implementing clustered deployment of Intel SGX trusted services according to any of claims 1 to 6.
9. An electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to cause the at least one processor to perform the method of implementing the Intel SGX trusted service clustered deployment of any of claims 1-6.
CN202111257826.2A 2021-10-27 2021-10-27 Intel SGX trusted service cluster deployment implementation method, system and electronic device Active CN113922969B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111257826.2A CN113922969B (en) 2021-10-27 2021-10-27 Intel SGX trusted service cluster deployment implementation method, system and electronic device

Publications (2)

Publication Number Publication Date
CN113922969A CN113922969A (en) 2022-01-11
CN113922969B true CN113922969B (en) 2025-01-10

Family

ID=79243085

Country Status (1)

Country Link
CN (1) CN113922969B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584307B (en) * 2022-05-07 2022-09-02 腾讯科技(深圳)有限公司 Trusted key management method and device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209353A (en) * 2015-05-27 2016-12-07 三星Sds株式会社 Key management method and system thereof
CN111949996A (en) * 2019-05-15 2020-11-17 北京奇安信科技有限公司 Generation method, encryption method, system, device and medium of security private key

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181720B (en) * 2019-12-31 2021-04-06 支付宝(杭州)信息技术有限公司 Service processing method and device based on trusted execution environment
CN113434905B (en) * 2021-07-05 2022-11-15 网易(杭州)网络有限公司 Data transmission method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant