Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The computing node described in the embodiments of the present application may be an electronic device, which may include a smartphone (such as an Android phone, an iOS phone, a Windows Phone device, etc.), a tablet computer, a palmtop computer, a vehicle event recorder, a server, a notebook computer, a mobile internet device (MID), a wearable device (such as a smart watch or a Bluetooth headset), etc. These are merely examples and not an exhaustive list; the electronic device may also be a cloud server or a computer cluster.
In the embodiment of the application, the SM4, namely SM4 block cipher algorithm, is an iterative block cipher algorithm and consists of an encryption and decryption algorithm and a key expansion algorithm.
In the embodiment of the application, the trusted data space can ensure the privacy and security of the data stored inside it and prevent that data from being tampered with and accessed. The trusted execution environment can be a hardware isolation scheme provided by a central processing unit (CPU) manufacturer, which opens up a secure computing space on a computer. In this computing space, data and programs are all executed in a secret state, and the results of execution can be encrypted and stored on disk, so that computing security problems can be effectively avoided. A trusted data space can be understood as applying the relevant security features of a trusted execution environment to secure internal data and programs.
In the related art, the authorization process of the trusted data space mainly comprises two schemes of service layer access control and key authorization. The first scheme (service layer access control scheme) implements data authorization by specifying access rules of data at an application layer, that is, a user or an application first determines whether the current user or application matches the authority specified by target data based on rules when accessing a trusted data space, and if not, denies access. The second scheme (key authorization scheme) is to encrypt the original data first, and then manage the key used for encrypting the data to realize access control on the data, that is, the user with legal key can access the target data.
For the first scheme, the business system needs to store metadata information and access control rules, which are often stored in the business database, so this scheme mainly faces two risks: 1) since the business system is generally exposed in a public environment so that applications can access it, it often faces various external attacks (such as distributed denial of service (DDoS) attacks, right-of-hand attack, vulnerability exploitation and the like), which can easily lead to leakage of the metadata information and access rules and, ultimately, leakage of the original data; 2) the database administrators who store such information often have higher data access rights, which creates a risk of permission bypass and data leakage.
For the second scheme, since the user needs to be authorized to access the data of the trusted data space through the private key, the authorized user or application needs to store the corresponding key, which increases the key management cost of the user side on one hand and easily creates the risk of revealing the original data caused by the loss of the user key on the other hand. Furthermore, this second scheme enables data authorization through key management, which would involve the construction and maintenance of public key infrastructure (Public Key Infrastructure, PKI), requiring key revocation operations to be accomplished by maintaining a certificate revocation list. When frequent key distribution and revocation is required to operate and manage user rights, a large bottleneck is created for the flexibility of the system.
To solve the drawbacks of the related art, an embodiment of the present application provides a data authorization management method applied to a trusted data space, which may include the steps of:
deriving a root key by adopting a key derivation algorithm based on a trusted execution environment;
generating a data encryption key using a random number generator;
encrypting the data encryption key through the root key to obtain a first ciphertext result, and storing the first ciphertext result in the trusted execution environment;
acquiring a first password code created by a user;
determining a first user key corresponding to the first password code by adopting the key derivation algorithm;
encrypting the first user key by using the first user key to obtain a first ciphertext value, and storing the first ciphertext value in the trusted execution environment;
when the user requests a root key from the trusted execution environment, decrypting the first ciphertext result by using the root key to obtain the data encryption key;
and encrypting the data encryption key according to the first user key to obtain a second ciphertext result.
It can be seen that, in the data authorization management method applied to the trusted data space described in the embodiment of the present application, a root key is derived by adopting a key derivation algorithm based on the trusted execution environment; a data encryption key is generated by using a random number generator; the data encryption key is encrypted by the root key to obtain a first ciphertext result, which is stored in the trusted execution environment; a first password code created by a user is obtained; a first user key corresponding to the first password code is determined by adopting the key derivation algorithm; the first user key is encrypted by using the first user key to obtain a first ciphertext value, which is stored in the trusted execution environment; when the user requests the root key from the trusted execution environment, the first ciphertext result is decrypted by using the root key to obtain the data encryption key; and the data encryption key is encrypted according to the first user key to obtain a second ciphertext result.
Embodiments of the present application are described in detail below.
Referring to FIG. 1, which is a flow chart of a data authorization management method applied to a trusted data space according to an embodiment of the present application, the data authorization management method applied to the trusted data space includes:
S101, deriving a root key by adopting a key derivation algorithm based on a trusted execution environment.
In the embodiment of the present application, the key derivation algorithm may be preset or a system default. For example, the key derivation algorithm may include a key derivation function (KDF); as another example, one possible implementation of the key derivation algorithm uses a secure hash algorithm, such as SM3 or SHA256.
In the embodiment of the application, a flexible password-key management and authorization rule management module can be constructed based on a trusted execution environment (Trusted Execution Environment, TEE), so that safe and fine-grained data authorization is realized.
The root key is a system root key, which is derived from the TEE and cannot be directly obtained. For example, TEE derives the root key rk.
S102, generating a data encryption key by using a random number generator.
In the embodiment of the application, the random number generator can be used for generating the data encryption key. For example, a random number generator is used to generate the data encryption key dek.
S103, encrypting the data encryption key through the root key to obtain a first ciphertext result, and storing the first ciphertext result in the trusted execution environment.
In the embodiment of the application, the data encryption key can be encrypted with the root key to obtain the first ciphertext result, and the first ciphertext result is stored in the trusted execution environment. That is, the root key is used to encrypt the data encryption key based on a first preset encryption algorithm to obtain a ciphertext result, and the ciphertext result is stored in the TEE. The first preset encryption algorithm may be preset or a system default; for example, one possible implementation of the first preset encryption algorithm uses a secure symmetric encryption algorithm, such as SM4 or the Advanced Encryption Standard (AES).
S104, acquiring a first password code created by a user.
In the embodiment of the application, the first password code created by the user, namely the password code pin created by the user, can be obtained. Different users may correspond to different passcodes. Different passcodes may then derive different user keys that do not directly act on the data. Because the keys among users are isolated from each other and the user keys do not directly act on the data, the new addition and destruction of the user keys does not affect the access of the original data. When the access rights of the user need to be revoked, only the user key stored in the TEE needs to be destroyed. Since the user key does not exist, the data cannot be accessed later. The scheme ensures that the user authority management is more efficient, and improves the flexibility of key management.
S105, determining a first user key corresponding to the first password code by adopting the key derivation algorithm.
In the embodiment of the present application, a key derivation algorithm may be used to determine the first user key corresponding to the first password code, where the first user key may be denoted as ukey(1). For example, the key derivation algorithm KDF may be used to derive the user key ukey(1), as follows:
ukey(1)=KDF(pin)
Where KDF represents the key derivation algorithm, pin represents the first password code, and ukey(1) represents the first user key.
S106, encrypting the first user key by using the first user key to obtain a first ciphertext value, and storing the first ciphertext value in the trusted execution environment.
In the embodiment of the application, the first user key can be used to encrypt the first user key itself to obtain the first ciphertext value, i.e. the ciphertext value of the first user key, and the first ciphertext value is stored in the trusted execution environment, as follows:
ukey_cipher=Encrypt(ukey(1), ukey(1))
Where ukey_cipher represents the first ciphertext value, Encrypt represents the encryption algorithm, and ukey(1) represents the first user key.
S107, when the user requests a root key from the trusted execution environment, decrypting the first ciphertext result by using the root key to obtain the data encryption key.
In a specific implementation, when a user requests a root key from a trusted execution environment, the root key may be obtained, and then the first ciphertext result may be decrypted using the root key to obtain a data encryption key.
In a specific implementation, the user can request the root key from the TEE and recover the plaintext of the data encryption key by using the root key. Because the keys are managed in the TEE, the system complexity caused by managing keys on the user side is reduced.
S108, encrypting the data encryption key according to the first user key to obtain a second ciphertext result.
In the embodiment of the application, a second preset encryption algorithm may be adopted to encrypt the data encryption key according to the first user key to obtain a second ciphertext result, and the second preset encryption algorithm may be preset or default to the system, for example, one possible implementation manner of the second preset encryption algorithm may be implemented by adopting a secure symmetric encryption algorithm, such as SM4, AES, and other algorithms. The key management of the trusted data space is performed based on the TEE, and the key can be safely protected.
Next, the user encrypts the data encryption key using its own user key, concretely as follows:
dek_cipher=Encrypt(ukey(1), dek)
Where dek_cipher represents the second ciphertext result, Encrypt represents the encryption algorithm, ukey(1) represents the first user key, and dek represents the data encryption key. The ciphertext value of the data encryption key, i.e., the second ciphertext result, may then be stored within the TEE.
In a specific implementation, the system initialization and user key initialization process is implemented through steps S101 to S108. In the embodiment of the application, a system key (root key) for encrypting data is created inside the TEE, and on that basis the user key is further derived from the user password. The system key and the user key are stored securely inside the TEE, and the user does not need to manage them. When a user logs in to the trusted data space, the user can access the data indirectly through the password, so that the cost of managing keys on the user side is eliminated and the access cost of the user/application side is reduced.
Optionally, the method further comprises the following steps:
A1, acquiring a second password code;
A2, determining a second user key corresponding to the second password code by adopting the key derivation algorithm;
A3, performing a decryption operation according to the first ciphertext value and the second user key to obtain a decryption result;
A4, matching the decryption result with the second user key;
A5, when the decryption result is successfully matched with the second user key, confirming that the user provides a correct password.
In a specific implementation, the second passcode may be obtained, i.e., when the user needs to log into the system, the user enters a password to log into the system. A key derivation algorithm may be employed to determine a second user key corresponding to the second passcode, as follows:
ukey(2)=KDF(pin)
Wherein ukey(2) denotes the second user key, pin denotes the second password code, and KDF denotes the key derivation algorithm.
Then, a decryption operation can be performed according to the first ciphertext value and the second user key, so as to obtain a decryption result, which is specifically as follows:
ukey(3)=Decrypt(ukey(2), ukey_cipher)
Wherein ukey(3) denotes the decryption result, ukey(2) denotes the second user key, ukey_cipher denotes the first ciphertext value, and Decrypt denotes the decryption algorithm.
Further, the decryption result may be matched with the second user key, i.e. the decryption result is matched with ukey(2). If the decryption result is consistent with ukey(2), the user has provided the correct password; if the decryption result is inconsistent with ukey(2), the user's login is rejected.
And when the decryption result is successfully matched with the second user key, confirming that the user provides the correct password, namely the first password code is identical to the second password code, otherwise, indicating that the first password code is not identical to the second password code.
In a specific implementation, for example, if the decryption result is the same as the second user key, the decryption result is successfully matched with the second user key; otherwise, if the decryption result is different from the second user key, the match between the decryption result and the second user key fails. For another example, if the matching value between the decryption result and the second user key is greater than the preset matching value, the decryption result and the second user key are successfully matched; otherwise, if the matching value between the decryption result and the second user key is less than or equal to the preset matching value, the match fails. The preset matching value may be preset or a system default.
In the embodiment of the application, the data encryption key is decoupled from the user identity, so that creating and deleting system users does not affect the data stored in the trusted data space; this solves the system flexibility problem caused by having to maintain a key revocation list under frequent key distribution and revocation. In addition, the user logs in to the trusted data space with a password, which reduces the system complexity caused by managing keys on the user side and also reduces the access cost of the system.
Optionally, the method further comprises the following steps:
And carrying out decryption operation on the second ciphertext result according to the second user key to obtain the data encryption key.
In a specific implementation, the second ciphertext result may be decrypted according to the second user key to obtain the data encryption key, that is, the user key is used for decryption to obtain the data encryption key, which is specifically as follows:
dek=Decrypt(ukey(2), dek_cipher)
Wherein dek denotes the data encryption key, Decrypt denotes the decryption algorithm, dek_cipher denotes the second ciphertext result, and ukey(2) denotes the second user key.
In a specific implementation, a user logs in the system and acquires the data encryption key dek, which is helpful to decrypt the data header by using dek, and judges whether the user has the authority to access the corresponding data according to the authorization rule obtained by decryption.
Optionally, the method further comprises the following steps:
B1, acquiring a target authorization rule of the user for target data;
B2, determining data to be encrypted according to the target data and the target authorization rule;
B3, encrypting the data to be encrypted according to the data encryption key to obtain an encryption result, and storing the encryption result in the trusted execution environment.
The target data may be preset or default. The target authorization rules may also be preset or system defaults. The target authorization rule may include at least one of: the range of accessible users, the time the file may be accessed, the number of times the file may be accessed, etc., are not limited in this regard.
The target authorization rule may be understood as a data access control rule for a trusted data space.
In a specific implementation, the target authorization rule of the user for the target data can be obtained, and the data to be encrypted is determined according to the target data and the target authorization rule. A third preset encryption algorithm is then adopted to encrypt the data to be encrypted according to the data encryption key, the encryption result is obtained and stored in the trusted execution environment, and the data encryption process is thereby completed. Because the metadata information and the authorization rule are stored in encrypted form, the data authorization rule is prevented from being obtained and tampered with by an attacker. In addition, all keys are hosted entirely in the TEE, which solves the problems of reduced flexibility and increased cost caused by introducing a public key infrastructure (PKI).
The method described in the embodiment of the application can realize fine granularity authorization of the user and the data, simultaneously prevent the data leakage caused by external attack and internal high-authority administrators, and reduce the key management cost of the application end.
The third preset encryption algorithm may be preset or default, for example, one possible implementation manner of the third preset encryption algorithm may be implemented by using a secure symmetric encryption algorithm, such as SM4, AES, and the like.
The first preset encryption algorithm, the second preset encryption algorithm and the third preset encryption algorithm may be partially or completely the same or completely different.
By way of illustration, the user provides the authorization rule of the data. When new data is created, the target authorization rule is written into the file as a data header and the target data is written into the file together with it to obtain the data plaintext, and the data plaintext is then encrypted by using the data encryption key, specifically as follows:
cipher=Encrypt(dek, text)
Wherein cipher represents the encryption result, text represents the data plaintext, dek represents the data encryption key, and Encrypt represents the encryption algorithm. Then, the encryption result cipher may be saved in the TEE.
Optionally, the step B2 of determining the data to be encrypted according to the target data and the target authorization rule may include the following steps:
B21, writing the target authorization rule into a file as a data header;
B22, writing the target data into the file as data content to obtain the data to be encrypted.
In the embodiment of the application, the target authorization rule can be written into the file as the data header, and the target data can then be written into the file as the data content to obtain the data to be encrypted. That is, the TEE and the cryptographic algorithm are used to protect the content of the authorization rule, and the data authorization rule and the data are written and encrypted together, which solves the problem that the security of metadata and authorization rules cannot be guaranteed under external attack.
Optionally, the method further comprises the following steps:
C1, decrypting the data header according to the data encryption key to obtain the target authorization rule;
C2, judging whether the user has the authority to access the corresponding data according to the target authorization rule;
C3, continuing the decryption operation when it is judged according to the target authorization rule that the user has the right to access the corresponding data;
C4, terminating the decryption operation when it is judged according to the target authorization rule that the user does not have the right to access the corresponding data.
In the embodiment of the application, the data header is decrypted according to the data encryption key to obtain the target authorization rule, and whether the user has the right to access the corresponding data is judged according to the target authorization rule. When the user has the right to access the corresponding data, the decryption operation continues; when the user does not have that right, the decryption operation is terminated, which completes the data decryption flow. That is, the data header can be decrypted by using dek, and whether the user has the right to access the corresponding data is judged according to the authorization rule obtained by decryption. If the user has no access right, decryption is terminated; if the user has the access right, decryption continues, and the user decrypts the data by using the data encryption key to obtain the plaintext data.
In the embodiment of the application, the key is managed in the TEE, so that the system complexity caused by the key management of the user side is reduced, in addition, the data authorization rule and the data content are fused and encrypted, and the problem that the authorization rule in the trusted data space is not trusted due to the fact that the data authorization information is stored in the plaintext is solved.
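The flow of steps S101 to S108, the login check A1 to A5, and the rule-header handling of B21 to B22 and C1 to C4, put together as an added example that is not code from the application. `SimulatedTEE`, the per-user salt with PBKDF2, the HMAC-based stand-in for SM4/AES, the length-prefixed JSON header, the binding of the content to its header, and the users and passcodes are all assumptions of this example; of the three rule types, only user range and time window are checked.

```python
import hashlib, hmac, json, secrets

# Stand-in for the page's Encrypt/Decrypt (SM4 or AES there): an HMAC-SHA256
# keystream plus an HMAC tag, standard library only so the example runs offline.
# Real code would call a vetted SM4/AES AEAD instead.
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(-(-n // 32)))[:n]

def _tag(key, nonce, ct, aad):
    msg = b"mac" + len(aad).to_bytes(4, "big") + aad + nonce + ct
    return hmac.new(key, msg, hashlib.sha256).digest()

def encrypt(key, pt, aad=b""):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + _tag(key, nonce, ct, aad) + ct

def decrypt(key, blob, aad=b""):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct, aad)):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def kdf(pin, salt):
    # The page writes ukey = KDF(pin). The per-user salt and the slow PBKDF2 are
    # assumptions of this example: a bare hash of a short passcode is cheap to guess.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class SimulatedTEE:
    """Plain-Python stand-in for the enclave; its attributes model TEE-internal state."""
    def __init__(self):
        self._rk = secrets.token_bytes(32)            # S101 (a real TEE derives rk itself)
        dek = secrets.token_bytes(16)                 # S102: 16 bytes, as for SM4 / AES-128
        self._dek_by_rk = encrypt(self._rk, dek)      # S103: first ciphertext result
        self._users = {}                              # name -> (salt, ukey_cipher, dek_cipher)

    def enroll(self, name, pin):
        salt = secrets.token_bytes(16)
        ukey = kdf(pin, salt)                         # S104-S105
        ukey_cipher = encrypt(ukey, ukey)             # S106: first ciphertext value
        dek = decrypt(self._rk, self._dek_by_rk)      # S107
        self._users[name] = (salt, ukey_cipher, encrypt(ukey, dek))   # S108

    def login(self, name, pin):
        """A1-A5, then dek = Decrypt(ukey(2), dek_cipher). None means login refused."""
        if name not in self._users:
            return None
        salt, ukey_cipher, dek_cipher = self._users[name]
        ukey2 = kdf(pin, salt)                        # A1-A2
        try:
            ukey3 = decrypt(ukey2, ukey_cipher)       # A3
        except ValueError:
            return None
        if not hmac.compare_digest(ukey3, ukey2):     # A4, compared in constant time
            return None
        return decrypt(ukey2, dek_cipher)

    def revoke(self, name):
        # Destroying the stored user record is the whole revocation; dek is untouched.
        self._users.pop(name, None)

def seal_file(dek, rule, data):
    """B21-B22 and B3: rule as data header, target data as content, both under dek."""
    header = encrypt(dek, json.dumps(rule).encode())
    return len(header).to_bytes(4, "big") + header + encrypt(dek, data, aad=header)

def open_file(dek, user, now, blob):
    """C1-C4: decrypt the header, evaluate the rule, only then decrypt the content."""
    hlen = int.from_bytes(blob[:4], "big")
    header, body = blob[4:4 + hlen], blob[4 + hlen:]
    rule = json.loads(decrypt(dek, header))                         # C1
    allowed = user in rule["users"] and rule["not_before"] <= now <= rule["not_after"]  # C2
    if not allowed:
        raise PermissionError("authorization rule denies access")   # C4
    return decrypt(dek, body, aad=header)                           # C3

if __name__ == "__main__":
    tee = SimulatedTEE()
    tee.enroll("alice", "4921")                       # constructed users and passcodes
    tee.enroll("bob", "7305")
    dek = tee.login("alice", "4921")
    rule = {"users": ["alice"], "not_before": 100, "not_after": 200}
    blob = seal_file(dek, rule, b"report")
    print(open_file(dek, "alice", 150, blob))
    tee.revoke("alice")
    print(tee.login("alice", "4921"), tee.login("bob", "7305") == dek)
```

Revoking alice removes only her stored record, so bob's login still returns the same dek and no data is re-encrypted. Because the content is authenticated against its own header, a permissive header copied from another file under the same dek does not unlock it.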
Optionally, the method further comprises the following steps:
When the decryption result fails to match the second user key, confirming that the user has provided a wrong password and rejecting the user's login.
In the embodiment of the application, when the decryption result fails to match the second user key, the first password code is inconsistent with the second password code, that is, the user has provided a wrong password, and the user's login is rejected.
In the embodiment of the application, a flexible password-key management and authorization rule management module is constructed based on a trusted execution environment, so that safe and fine-grained data authorization is realized. The main idea is as follows. First, a system key for encrypting data is created inside the TEE, and on that basis the user key is further derived from the user password. The system key and the user key are stored securely inside the TEE, and the user does not need to manage them. When a user logs in to the trusted data space, the user can access the data indirectly through the password, so that the cost of managing keys on the user side is eliminated and the access cost of the user/application side is reduced. Secondly, the metadata information and the access rule are stored in encrypted form, so that the data authorization rule is prevented from being acquired and tampered with by an attacker. Finally, by hosting all keys entirely inside the TEE, the problems of reduced flexibility and increased cost caused by introducing a public key infrastructure (PKI) are solved.
Illustratively, in embodiments of the present application, data stored in the trusted data space may be encrypted to prevent any reading. As shown in fig. 2, the corresponding data is encrypted using a data encryption key. The data encryption key is generated by using a random number generator, and the data encryption key in an initial state is encrypted by a system root key and stored in the TEE environment. The system root key is derived from the TEE and cannot be obtained directly.
In a specific implementation, the system users of the trusted data space each have a user key, e.g., a user A passcode derives a user A key, a user B passcode derives a user B key, and a user C passcode derives a user C key. Based on the trusted execution environment, a root key rk is derived by adopting a key derivation algorithm, a key ek is derived by adopting a random number generator to generate a random number, and the random number is encrypted by adopting ek to obtain a data encryption key dek. The root key rk encrypts the data encryption key dek to obtain a first ciphertext result. And encrypting the data by adopting the data encryption key dek to obtain an encryption result.
In particular implementations, the user key, when generated, first requests the data encryption key dek from the TEE environment, then encrypts the data encryption key dek using the user key, and stores the ciphertext of the data encryption key dek in the TEE. Wherein the user key is derived from the user's passcode and is also stored in the TEE in ciphertext form. When the user needs to use the data, the user key is firstly obtained through the password of the user, then the data encryption key is obtained through decryption, and finally the data plaintext is obtained through decryption.
Wherein, the key derivation key ek and the data encryption key dek can be generated by a random number generator. Both ek and dek may be symmetric keys, which are typically random numbers generated by a random number generator, without additional processing. The size of the generated random number is related to a specific key algorithm, for example, the key of the SM4 symmetric algorithm is 16 bytes, and the key length of the AES-128 symmetric algorithm is also 16 bytes, so the random number generator needs to generate a random number with a corresponding length to be used as the key.
By way of further example, as shown in FIG. 3, the target authorization rules may include: 1. a user range is accessible; 2. file accessible time; 3. the number of times the file is accessible. The data encryption key may encrypt a file, which may include a file header written by a target authorization rule and file content, i.e., data content, the authorization rule of the data being encrypted and protected along with the data content by the data encryption key. When a user requests access to the data, the correct user key decryption access rule needs to be provided first. After the decryption is successful, whether the user can access the corresponding data is further judged by inquiring the authorization rule.
It can be seen that, in the data authorization management method applied to the trusted data space described in the embodiment of the present application, a root key is derived by adopting a key derivation algorithm based on the trusted execution environment; a data encryption key is generated by using a random number generator; the data encryption key is encrypted by the root key to obtain a first ciphertext result, which is stored in the trusted execution environment; a first password code created by a user is obtained; a first user key corresponding to the first password code is determined by adopting the key derivation algorithm; the first user key is encrypted by using the first user key to obtain a first ciphertext value, which is stored in the trusted execution environment; when the user requests the root key from the trusted execution environment, the first ciphertext result is decrypted by using the root key to obtain the data encryption key; and the data encryption key is encrypted according to the first user key to obtain a second ciphertext result.
In accordance with the above embodiment, referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and as shown in the drawing, the electronic device includes a processor, a memory, a communication interface, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the processor, and in the embodiment of the present application, the programs include instructions for executing the following steps:
deriving a root key by adopting a key derivation algorithm based on a trusted execution environment;
generating a data encryption key using a random number generator;
encrypting the data encryption key through the root key to obtain a first ciphertext result, and storing the first ciphertext result in the trusted execution environment;
acquiring a first password code created by a user;
determining a first user key corresponding to the first password code by adopting the key derivation algorithm;
encrypting the first user key by using the first user key to obtain a first ciphertext value, and storing the first ciphertext value in the trusted execution environment;
when the user requests a root key from the trusted execution environment, decrypting the first ciphertext result by using the root key to obtain the data encryption key;
and encrypting the data encryption key according to the first user key to obtain a second ciphertext result.
Optionally, the above program further comprises instructions for performing the steps of:
acquiring a second password;
determining a second user key corresponding to the second password by adopting the key derivation algorithm;
performing a decryption operation according to the first ciphertext value and the second user key to obtain a decryption result;
matching the decryption result with the second user key; and
when the decryption result is successfully matched with the second user key, confirming that the user has provided the correct password.
Optionally, the above program further comprises instructions for performing the steps of:
performing a decryption operation on the second ciphertext result according to the second user key to obtain the data encryption key.
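The key hierarchy and password check in the steps above, as an added sketch that is not code from the application. Assumptions: PBKDF2-HMAC-SHA256 with a per-user salt as the key derivation algorithm, a `device_secret` input for the root key, and an HMAC-based encrypt-then-MAC construction standing in for an AEAD such as AES-GCM so that the block runs on the standard library alone; `SimulatedTee` and all function names are hypothetical.

```python
import hashlib, hmac, os

def kdf(secret: bytes, salt: bytes) -> bytes:
    # The page names no specific KDF; PBKDF2-HMAC-SHA256 and the salt are assumptions.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    # Stand-in for an AEAD such as AES-GCM (stdlib has none): HMAC keystream + HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, good):
        return None                                   # wrong key or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class SimulatedTee:
    """Hypothetical in-memory stand-in for the TEE and its ciphertext store."""
    def __init__(self, device_secret: bytes):
        self._root = kdf(device_secret, b"root-key")  # root key, never leaves the TEE
        dek = os.urandom(32)                          # data encryption key from the RNG
        self.ct1 = seal(self._root, dek)              # first ciphertext result
        self.users = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        uk = kdf(password.encode(), salt)             # first user key
        dek = unseal(self._root, self.ct1)            # root key recovers the DEK
        # first ciphertext value (user key under itself) and second ciphertext result
        self.users[user] = (salt, seal(uk, uk), seal(uk, dek))

    def login(self, user: str, password: str):
        """Return the DEK for a correct password, else None (login rejected)."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, verifier, ct2 = rec
        uk2 = kdf(password.encode(), salt)            # second user key
        result = unseal(uk2, verifier)                # decryption result
        if result is None or not hmac.compare_digest(result, uk2):
            return None
        return unseal(uk2, ct2)

if __name__ == "__main__":
    tee = SimulatedTee(b"constructed-device-secret")  # constructed sample input
    tee.enroll("alice", "correct horse")
    print(tee.login("alice", "correct horse") is not None, tee.login("alice", "guess"))
```

With an authenticated cipher the tag check already rejects a wrong user key; the explicit match of the decryption result against the second user key mirrors the matching step listed above and is done in constant time.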
Optionally, the above program further comprises instructions for performing the steps of:
acquiring a target authorization rule of the user for target data;
determining data to be encrypted according to the target data and the target authorization rule; and
encrypting the data to be encrypted according to the data encryption key to obtain an encryption result, and storing the encryption result in the trusted execution environment.
Optionally, in the determining the data to be encrypted according to the target data and the target authorization rule, the program includes instructions for:
writing the target authorization rule into a file as a data header; and
writing the target data into the file as data content to obtain the data to be encrypted.
Optionally, the above program further comprises instructions for performing the steps of:
decrypting the data header according to the data encryption key to obtain the target authorization rule;
judging whether the user has permission to access the corresponding data according to the target authorization rule;
when it is judged according to the target authorization rule that the user has the right to access the corresponding data, continuing the decryption operation; and
terminating the decryption operation when it is judged according to the target authorization rule that the user does not have the right to access the corresponding data.
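The header check in the steps above, applied to the three rule kinds named with FIG. 3 (user range, accessible time, access count), as an added sketch that is not code from the application. The JSON header layout, the field names, Unix-timestamp times, and the `decrypt_content` callback (standing for decryption of the data content with the data encryption key) are assumptions.

```python
import json

FIELDS = ("users", "not_before", "not_after", "max_reads")  # hypothetical field names

def build_header(users, not_before, not_after, max_reads) -> bytes:
    """Serialize the target authorization rule that is written as the data header."""
    values = (sorted(users), not_before, not_after, max_reads)
    return json.dumps(dict(zip(FIELDS, values))).encode()

def check_rules(header: bytes, user: str, now: int, reads: int):
    """Return (allowed, reason); anything malformed or missing denies access."""
    try:
        rule = json.loads(header)
        users, not_before, not_after, max_reads = (rule[k] for k in FIELDS)
    except (ValueError, KeyError, TypeError):
        return False, "malformed header"
    numbers = (not_before, not_after, max_reads)
    if not isinstance(users, list) or not all(type(n) is int for n in numbers):
        return False, "malformed header"
    if user not in users:
        return False, "user outside permitted range"
    if not not_before <= now <= not_after:
        return False, "outside accessible time"
    if reads >= max_reads:
        return False, "access count exhausted"
    return True, "ok"

class ProtectedFile:
    def __init__(self, header: bytes):
        self.header = header   # the data header after decryption with the DEK
        self.reads = 0         # assumption: counter kept in trusted storage, not in the file

    def open(self, user: str, now: int, decrypt_content):
        allowed, reason = check_rules(self.header, user, now, self.reads)
        if not allowed:
            return None, reason            # terminate: content is never decrypted
        self.reads += 1                    # count the access before releasing data
        return decrypt_content(), reason   # continue the decryption operation

if __name__ == "__main__":
    f = ProtectedFile(build_header(["alice"], 1000, 2000, 1))  # constructed sample rule
    print(f.open("alice", 1500, lambda: b"payload"), f.open("alice", 1500, lambda: b"payload"))
```

The access counter is the one rule that needs state outside the encrypted file: if it lived in the header, restoring an older copy of the file would reset it.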
Optionally, the above program further comprises instructions for performing the steps of:
when the decryption result fails to match the second user key, confirming that the user has provided a wrong password and rejecting the user's login.
It can be seen that the electronic device described in the embodiment of the present application derives the root key by adopting the key derivation algorithm based on the trusted execution environment; generates the data encryption key by using the random number generator; encrypts the data encryption key by using the root key to obtain the first ciphertext result, and stores the first ciphertext result in the trusted execution environment; obtains the first password created by the user; determines the first user key corresponding to the first password by adopting the key derivation algorithm; encrypts the first user key by using the first user key to obtain the first ciphertext value, and stores the first ciphertext value in the trusted execution environment; when the user requests the root key from the trusted execution environment, decrypts the first ciphertext result by using the root key to obtain the data encryption key; and encrypts the data encryption key according to the first user key to obtain the second ciphertext result. In this way, a system key (root key) for encrypting the data is created in the TEE, and the system key and the user key derived from the first password are stored securely in the TEE, so that the user can access the data by the user terminal without the need of the user password, and the data access cost for the user can be reduced.
FIG. 5 is a functional block diagram of a data authorization management device 500 applied to a trusted data space according to an embodiment of the present application. The data authorization management device 500 applied to the trusted data space includes: a deriving unit 501, a generating unit 502, an encrypting unit 503, an acquiring unit 504, a determining unit 505, and a decrypting unit 506, wherein:
the deriving unit 501 is configured to derive a root key by using a key derivation algorithm based on a trusted execution environment;
the generating unit 502 is configured to generate a data encryption key using a random number generator;
the encrypting unit 503 is configured to encrypt the data encryption key with the root key to obtain a first ciphertext result, and store the first ciphertext result in the trusted execution environment;
the acquiring unit 504 is configured to obtain a first password created by a user;
the determining unit 505 is configured to determine a first user key corresponding to the first password by using the key derivation algorithm;
the encrypting unit 503 is further configured to encrypt the first user key with the first user key to obtain a first ciphertext value, and store the first ciphertext value in the trusted execution environment;
the decrypting unit 506 is configured to decrypt, when the user requests a root key from the trusted execution environment, the first ciphertext result using the root key, to obtain the data encryption key; and
the encrypting unit 503 is further configured to encrypt the data encryption key according to the first user key, to obtain a second ciphertext result.
Optionally, the data authorization management device 500 applied to the trusted data space is further specifically configured to:
acquiring a second password;
determining a second user key corresponding to the second password by adopting the key derivation algorithm;
performing a decryption operation according to the first ciphertext value and the second user key to obtain a decryption result;
matching the decryption result with the second user key; and
when the decryption result is successfully matched with the second user key, confirming that the user has provided the correct password.
Optionally, the data authorization management device 500 applied to the trusted data space is further specifically configured to:
performing a decryption operation on the second ciphertext result according to the second user key to obtain the data encryption key.
Optionally, the data authorization management device 500 applied to the trusted data space is further specifically configured to:
acquiring a target authorization rule of the user for target data;
determining data to be encrypted according to the target data and the target authorization rule; and
encrypting the data to be encrypted according to the data encryption key to obtain an encryption result, and storing the encryption result in the trusted execution environment.
Optionally, in the aspect of determining the data to be encrypted according to the target data and the target authorization rule, the data authorization management device 500 applied to the trusted data space is specifically configured to:
writing the target authorization rule into a file as a data header; and
writing the target data into the file as data content to obtain the data to be encrypted.
Optionally, the data authorization management device 500 applied to the trusted data space is further specifically configured to:
decrypting the data header according to the data encryption key to obtain the target authorization rule;
judging whether the user has permission to access the corresponding data according to the target authorization rule;
when it is judged according to the target authorization rule that the user has the right to access the corresponding data, continuing the decryption operation; and
terminating the decryption operation when it is judged according to the target authorization rule that the user does not have the right to access the corresponding data.
Optionally, the data authorization management device 500 applied to the trusted data space is further specifically configured to:
when the decryption result fails to match the second user key, confirming that the user has provided a wrong password and rejecting the user's login.
It can be seen that the data authorization management device applied to the trusted data space described in the embodiment of the present application derives the root key by adopting the key derivation algorithm based on the trusted execution environment; generates the data encryption key by using the random number generator; encrypts the data encryption key by using the root key to obtain the first ciphertext result, and stores the first ciphertext result in the trusted execution environment; obtains the first password created by the user; determines the first user key corresponding to the first password by adopting the key derivation algorithm; encrypts the first user key by using the first user key to obtain the first ciphertext value, and stores the first ciphertext value in the trusted execution environment; when the user requests the root key from the trusted execution environment, decrypts the first ciphertext result by using the root key to obtain the data encryption key; and encrypts the data encryption key according to the first user key to obtain the second ciphertext result. In this way, the system key (root key) for encrypting the data is created in the TEE, and the system key and the derived user key are stored securely in the TEE; user management is performed by using the first user key, and when the user makes a request to the trusted execution environment, the user accesses the data space indirectly by using the password, thereby reducing the cost of the user accessing the data.
It may be appreciated that the functions of each program module of the data authorization management device applied to the trusted data space according to the present embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the relevant description of the foregoing method embodiment, which is not repeated herein.
The embodiment of the application also provides a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute part or all of the steps of any one of the above method embodiments, the computer including an electronic device.
Embodiments of the present application also provide a computer program product comprising a non-transitory computer-readable storage medium storing a computer program operable to cause a computer to perform part or all of the steps of any one of the methods described in the method embodiments above. The computer program product may be a software installation package, said computer comprising an electronic device.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative: the above-described division of units is merely a division of logical functions, and there may be other manners of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling, or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices, or units, and may be in electrical or other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable memory. Based on such understanding, the technical solution of the present application may be embodied, in essence or in the part contributing to the prior art or in whole or in part, in the form of a software product stored in a memory, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the above-mentioned methods of the various embodiments of the present application. The aforementioned memory includes: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the various methods of the above embodiments may be implemented by a program that instructs associated hardware, and the program may be stored in a computer-readable memory, which may include: a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The embodiments of the application have been described in detail above, and specific examples have been used herein to explain the principles and implementations of the application; the above examples are provided solely to facilitate understanding of the method and core concepts of the application. Meanwhile, those skilled in the art may make variations to the specific embodiments and the scope of application in accordance with the ideas of the present application. In view of the above, the present description should not be construed as limiting the present application.