
CN119004566A - Method and system for encrypted at-rest storage of trusted data space application data - Google Patents

Info

Publication number
CN119004566A
CN119004566A
Authority
CN
China
Prior art keywords
current
data
application program
key
encryption key
Prior art date
Legal status
Pending
Application number
CN202411070782.6A
Other languages
Chinese (zh)
Inventor
朱名生
兰春嘉
徐兵
王磊
Current Assignee
Shanghai Lingshuzhonghe Information Technology Co ltd
Original Assignee
Shanghai Lingshuzhonghe Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Lingshuzhonghe Information Technology Co ltd
Priority to CN202411070782.6A
Publication of CN119004566A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for the encrypted at-rest storage of application data in a trusted data space (the Chinese term, rendered "disc-falling" or "data-drop" by machine translation, means writing data to disk). The method uses Hygon CSV (China Secure Virtualization; the machine translation renders the vendor name as "marine" or "sea light") to derive a seal key for each application in each secure virtual machine; encrypts the current plaintext data inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data, which is stored in a first storage unit; and seals (encrypts) the randomly generated current data encryption key with the seal key of the current application, storing the sealed key in a second storage unit. Beyond preventing leakage when a storage medium is lost, stolen or attacked, the method is intended to stop users holding host and virtual-machine privileges from misusing or leaking the data, to stop other applications in the same host and virtual-machine environment from misusing or tampering with it, and to ensure that the data can only be accessed by the application that created it.

Description

Method and system for encrypted at-rest storage of trusted data space application data
Technical Field
The invention relates to the technical field of encryption processing, and in particular to a method and system for the encrypted at-rest storage of application data in a trusted data space.
Background
At-rest encryption (encrypting data before it is persisted to disk) is commonly used to protect sensitive information, such as personal data, financial records and confidential business data, from leaking when a storage medium is lost, stolen or attacked. It is an important link in the chain of data-security measures and improves the overall security of an information system.
A data space is a virtual data space that uses existing standards and technologies, together with governance models widely accepted in the data economy, to enable secure, standardized data exchange and data linking within trusted business ecosystems. It thus provides a basis for creating intelligent service scenarios and innovative cross-company business processes while guaranteeing the data sovereignty of data owners. Data sovereignty, the core aspect of a data space, can be defined as the ability of a natural or legal person to decide fully autonomously how its data is used.
Data security is particularly important in a data space. Besides the conventional goal of preventing leakage when a storage medium is lost, stolen or attacked, it must also prevent users who hold host and virtual-machine privileges from misusing or leaking the data, and prevent other applications in the same host and virtual-machine environment from misusing or tampering with it, so that data can only be accessed by the application that created it.
No effective solution has yet been proposed for the problem that, in the prior art, at-rest encryption only prevents leakage when a storage medium is lost, stolen or attacked: it cannot stop users with host and virtual-machine privileges from misusing or leaking data, nor stop other applications in the same host and virtual-machine environment from misusing or tampering with it.
Disclosure of Invention
The embodiments of the invention provide a method and system for the encrypted at-rest storage of trusted data space application data, to solve the problem that at-rest encryption in the prior art only prevents leakage when a storage medium is lost, stolen or attacked, and can neither prevent users with host and virtual-machine privileges from misusing or leaking data nor prevent other applications in the same host and virtual-machine environment from misusing or tampering with it.
To that end, in one aspect the invention provides a method for the encrypted at-rest storage of trusted data space application data, comprising: S1, deriving a seal key for each application in each secure virtual machine based on Hygon CSV; S2, obtaining the current plaintext data, encrypting it inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data, and storing the ciphertext in a first storage unit; sealing (encrypting) the randomly generated current data encryption key with the seal key of the current application and storing the sealed key in a second storage unit; S3, when the current application restarts, fetching the current ciphertext data from the first storage unit and the sealed current data encryption key from the second storage unit; decrypting the sealed key with the seal key of the current application to recover the current data encryption key; and decrypting the current ciphertext data with the current data encryption key to recover the current plaintext data.
Optionally, the seal key of each secure virtual machine is derived from the root key of the Hygon security chip, and the seal key of the current application in the current secure virtual machine is derived with a CMAC algorithm from the seal key of the current secure virtual machine, the identity ID of the current application in that virtual machine, and other characteristic information.
Optionally, an application corresponds to many plaintext data items, and each plaintext data item corresponds to exactly one data encryption key.
Optionally, inside the current application a randomly generated symmetric key of a specified number of bits is used as the current data encryption key.
Optionally, the other characteristic information includes a version number, a version name and a feature value; the first storage unit is a disk or an external database; the second storage unit is secure hardware, a disk or an external database.
In another aspect, the invention provides a system for the encrypted at-rest storage of trusted data space application data, comprising: a deriving unit, for deriving a seal key for each application in each secure virtual machine based on Hygon CSV; an encrypted-storage unit, for obtaining the current plaintext data, encrypting it inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data and storing the ciphertext in a first storage unit, and for sealing the randomly generated current data encryption key with the seal key of the current application and storing the sealed key in a second storage unit; and a decryption unit, for fetching, when the current application restarts, the current ciphertext data from the first storage unit and the sealed current data encryption key from the second storage unit, decrypting the sealed key with the seal key of the current application to recover the current data encryption key, and decrypting the current ciphertext data with that key to recover the current plaintext data.
Optionally, the deriving unit includes a first deriving subunit, which derives the seal key of each secure virtual machine from the root key of the Hygon security chip, and a second deriving subunit, which derives the seal key of the current application in the current secure virtual machine with a CMAC algorithm from the seal key of the current secure virtual machine, the identity ID of the current application in that virtual machine, and other characteristic information.
Optionally, an application corresponds to many plaintext data items, and each plaintext data item corresponds to exactly one data encryption key.
Optionally, inside the current application a randomly generated symmetric key of a specified number of bits is used as the current data encryption key.
Optionally, the other characteristic information includes a version number, a version name and a feature value; the first storage unit is a disk or an external database; the second storage unit is secure hardware, a disk or an external database.
The invention has the beneficial effects that:
The invention provides a method and system for the encrypted at-rest storage of trusted data space application data. The method derives a seal key for each application in each secure virtual machine based on Hygon CSV; encrypts the current plaintext data inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data, which is stored in a first storage unit; and seals the randomly generated current data encryption key with the seal key of the current application, storing the sealed key in a second storage unit. Besides preventing leakage when a storage medium is lost, stolen or attacked, the method prevents users with host and virtual-machine privileges from misusing or leaking the data and prevents other applications in the same host and virtual-machine environment from misusing or tampering with it, so that the data can only be accessed by the application that created it.
Drawings
FIG. 1 is a flowchart of the method for the encrypted at-rest storage of trusted data space application data according to an embodiment of the invention;
FIG. 2 is a flowchart of the method for deriving the seal key of each application in each secure virtual machine according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the system for the encrypted at-rest storage of trusted data space application data according to an embodiment of the invention;
FIG. 4 is a schematic structural diagram of the deriving unit according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
A trusted execution environment (TEE) is an isolated, secure computing environment intended to protect sensitive data and code. A TEE usually resides within the device's main processor, isolated from the operating system and other applications, so that sensitive operations are protected from malware and other attacks. The technology is widely used where strong security guarantees are required, such as data spaces, mobile payment, digital rights management, identity verification and credential storage. By providing an isolated, secure execution space, a TEE strengthens the security and data privacy of the device as a whole.
A data space is intended to meet the following strategic requirements:
Trust: trust is the foundation of a data space. Every participant is evaluated and certified before being granted access to the trusted service ecosystem.
Security and data sovereignty: all components of the data space rely on state-of-the-art security measures. Beyond the architecture specification, security is largely ensured by the evaluation and certification of every technical component used in the data space. As a core aspect of data sovereignty, a data owner attaches usage-restriction information to its data before transmitting it to a data consumer, and the consumer must fully accept the owner's usage policies in order to use the data.
Data ecosystem: the data-space architecture requires no central data store. It instead pursues decentralized data storage, meaning that data physically remains with its owner until it is transferred to a trusted party. This requires a comprehensive description of each data source, and of the value and availability of the data to other companies, combined with the ability to integrate domain-specific data vocabularies. Metadata brokers in the ecosystem additionally provide real-time data search services.
Standardized interoperability: the data space connector is the core component of the architecture; it is implemented in different variants and available from different vendors, yet every connector can communicate with any other connector (or other technical component) in the data-space ecosystem.
Value-added applications: applications can be injected into the data space connector to provide services on top of the data exchange flow, for example data processing, data format alignment and data-exchange protocol services. Data analysis services can also be provided by executing algorithms remotely.
Data markets: the data space enables novel data-driven services built on data applications, and fosters new business models for them by providing clearing and billing functions, domain-specific metadata broker solutions and marketplaces. It also provides templates and other methodological support for participants to specify usage-restriction information and to request legal information.
Data security is therefore particularly important in a data space: besides the conventional goal of preventing leakage when a storage medium is lost, stolen or attacked, it must prevent users holding host and virtual-machine privileges from misusing or leaking data, and prevent other applications in the same host and virtual-machine environment from misusing or tampering with it, so that data can only be accessed by the application that created it.
To that end, the invention provides a method for the encrypted at-rest storage of trusted data space application data. FIG. 1 is a flowchart of the method according to an embodiment of the invention; as shown in FIG. 1, the method includes:
S1, deriving a seal key for each application in each secure virtual machine based on Hygon CSV;
FIG. 2 is a flowchart of the method for deriving the seal key of each application in each secure virtual machine according to an embodiment of the invention; the method includes:
S11, deriving the seal key of each secure virtual machine from the root key of the Hygon security chip;
Hygon CSV guarantees that each secure virtual machine has its own seal key: the seal keys of different secure virtual machines differ and, because they are derived from the root key of the Hygon security chip, the patent asserts that they cannot be deduced or recovered from outside the chip.
S12, deriving the seal key of the current application in the current secure virtual machine with a CMAC algorithm from the seal key of the current secure virtual machine, the ID of the current application in that virtual machine, and other characteristic information.
Specifically, when the current application for the current secure virtual machine is built, an identity ID and an interference factor (a random perturbation value) are generated at random and hard-coded into the application in scattered form: the ID and the interference factor are sliced and the slices are distributed across the application binary. The identity ID is the key parameter for deriving the seal key of the current application.
After the current application starts in the current secure virtual machine, it runs the CMAC algorithm keyed with the seal key of the current secure virtual machine derived by Hygon CSV, over the identity ID of the current application (reassembled by the application itself from the scattered ID slices; the patent's premise is that only the current application can reassemble the slices into the original ID and other applications cannot) together with the other characteristic information (version number, version name, feature value, additional information and so on), to derive the seal key that belongs to the current application in the current secure virtual machine.
Thus every application running in every secure virtual machine has a seal key unique to it; even applications running in the same secure virtual machine cannot learn or recover one another's seal keys.
CMAC stands for Cipher-based Message Authentication Code (NIST SP 800-38B, RFC 4493). It is a message authentication code built from a symmetric block cipher such as AES and can be regarded as a mode of operation of that cipher. Used as the pseudorandom function of a key-derivation function, it produces multiple sub-keys from one master key for different security functions, such as secure communication protocols, storage encryption and decryption, and credential management. The security of CMAC-based key derivation depends on the size of the derived-key space, the derivation construction used, and the protection of the master key.
S2, obtaining the current plaintext data, encrypting it inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data, and storing the ciphertext in a first storage unit; sealing the randomly generated current data encryption key with the seal key of the current application and storing the sealed key in a second storage unit;
Specifically, an application corresponds to many plaintext data items, and each plaintext data item corresponds to exactly one data encryption key.
The current application may hold several plaintext data items, each with its own data encryption key.
Taking one plaintext data item as an example:
Before the current plaintext data is written to disk, a current data encryption key for it is generated at random, with a key length chosen according to the security-policy level of the data; the current plaintext data is then encrypted inside the current application with that key to obtain the current ciphertext data, which prevents the data from leaking. Inside the current application the current data encryption key is a randomly generated symmetric key of a specified number of bits, a symmetric key being one where the encryption key and the decryption key are the same; for example, a randomly generated 256-bit symmetric key. Different plaintext data items have different data encryption keys, which further strengthens the security of the data.
The current ciphertext data is stored in the first storage unit, which is a disk or an external database; that is, the current ciphertext data is persisted to a disk or an external database.
The randomly generated current data encryption key is sealed (encrypted) with the seal key of the current application, which prevents the current data encryption key from being disclosed.
The sealed current data encryption key is stored in the second storage unit, which is secure hardware, a disk or an external database; that is, the sealed key is persisted in secure hardware, on a disk or in an external database.
Note that if the current data encryption key were kept only in the memory of the current application, it would be lost when the application restarts; this is why the key must be sealed and stored in the second storage unit.
S3, when the current application restarts, fetching the current ciphertext data from the first storage unit and the sealed current data encryption key from the second storage unit; decrypting the sealed key with the seal key of the current application to recover the current data encryption key; and decrypting the current ciphertext data with the current data encryption key to recover the current plaintext data.
When the current application restarts, it loads the current data encryption key: it reads the sealed key from the secure hardware, disk or external database and decrypts it with its own seal key to obtain the current data encryption key. The sealed key can only be decrypted by the seal key of the current application in the current secure virtual machine; it cannot be decrypted by the seal keys of other applications in the same secure virtual machine, nor by the seal key of any application in another secure virtual machine.
It then loads the current ciphertext data: it reads the ciphertext from the disk or external database and decrypts it with the matching current data encryption key (the one just recovered by decrypting the sealed key with the application's seal key).
In the invention, different plaintext data items are encrypted with different data encryption keys and stored in the first storage unit, which prevents data leakage; a seal key is derived for each application in each secure virtual machine, so different applications hold different seal keys; and the current data encryption key of the current application is sealed with that application's seal key and stored in the second storage unit, which prevents the data encryption key from being disclosed. The method therefore prevents leakage when a storage medium is lost, stolen or attacked, prevents users with host and virtual-machine privileges from misusing or leaking the data, and prevents other applications in the same host and virtual-machine environment from misusing or tampering with it, so that the data can only be accessed by the application that created it.
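Steps S2 and S3 end to end, as an added example that is not part of the patent and not the applicant's code. The patent does not name the cipher used for the data or the construction used to seal the data encryption key; this example assumes AES-256-GCM for both layers and binds a record identifier as associated data so that a sealed key cannot be re-attached to a different ciphertext record. The two seal keys are random stand-ins for keys that would come from the derivation in S1, and the record identifier field is this example's own. Because GCM is authenticated, a restart under another application's seal key fails the tag check and returns an error instead of a wrong key and garbage plaintext, which is the behaviour the patent relies on to keep other applications and other VMs out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CiphertextRecord is what the first storage unit (disk or external database) holds.
type CiphertextRecord struct {
	ID         string // record identifier, also bound as associated data (this example's choice)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// SealedDEK is what the second storage unit holds: the DEK encrypted under the app seal key.
type SealedDEK struct {
	RecordID string
	Nonce    []byte
	Wrapped  []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce, binding aad to the result.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Persist is step S2: generate a fresh 256-bit DEK for this plaintext, encrypt the plaintext
// with it for the first storage unit, and seal the DEK under appSealKey for the second.
func Persist(appSealKey []byte, recordID string, plaintext []byte) (CiphertextRecord, SealedDEK, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CiphertextRecord{}, SealedDEK{}, err
	}
	n1, ct, err := sealWith(dek, plaintext, []byte(recordID))
	if err != nil {
		return CiphertextRecord{}, SealedDEK{}, err
	}
	n2, wrapped, err := sealWith(appSealKey, dek, []byte(recordID))
	if err != nil {
		return CiphertextRecord{}, SealedDEK{}, err
	}
	return CiphertextRecord{recordID, n1, ct}, SealedDEK{recordID, n2, wrapped}, nil
}

// Restore is step S3, run after the application restarts: unseal the DEK, then decrypt the
// record. Any seal key other than the one used by Persist fails the GCM tag check, so another
// application or VM gets an error rather than a wrong DEK and garbage plaintext.
func Restore(appSealKey []byte, rec CiphertextRecord, sd SealedDEK) ([]byte, error) {
	if sd.RecordID != rec.ID {
		return nil, fmt.Errorf("sealed DEK for %q does not belong to record %q", sd.RecordID, rec.ID)
	}
	dek, err := openWith(appSealKey, sd.Nonce, sd.Wrapped, []byte(sd.RecordID))
	if err != nil {
		return nil, fmt.Errorf("unseal DEK: %w", err)
	}
	return openWith(dek, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	mine, other := make([]byte, 32), make([]byte, 32) // constructed stand-ins for two apps' seal keys
	rand.Read(mine)
	rand.Read(other)
	rec, sd, _ := Persist(mine, "record-1", []byte("sensitive data space payload"))
	pt, err := Restore(mine, rec, sd)
	fmt.Printf("own seal key:   %q err=%v\n", pt, err)
	_, err = Restore(other, rec, sd)
	fmt.Printf("other seal key: err=%v\n", err)
}
```

The raw DEK exists only inside the process between Persist and the moment its sealed copy is written; what reaches the second storage unit is useless without the seal key, and a user with host or hypervisor access to both storage units holds only ciphertext. Rotating an application's seal key (for example after a version change alters the derivation inputs in S12) requires re-sealing every stored DEK under the new key before the old one is retired, since the records themselves do not need to be re-encrypted.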
FIG. 3 is a schematic structural diagram of the system for the encrypted at-rest storage of trusted data space application data according to an embodiment of the invention; as shown in FIG. 3, the system includes:
A deriving unit 201, configured to derive a seal key for each application in each secure virtual machine based on Hygon CSV;
FIG. 4 is a schematic structural diagram of the deriving unit according to an embodiment of the invention; as shown in FIG. 4, the deriving unit 201 includes:
A first deriving subunit 2011, configured to derive the seal key of each secure virtual machine from the root key of the Hygon security chip;
A second deriving subunit 2012, configured to derive the seal key of the current application in the current secure virtual machine with a CMAC algorithm from the seal key of the current secure virtual machine, the ID of the current application in that virtual machine, and other characteristic information.
In an alternative embodiment, the other characteristic information includes, but is not limited to, a version number, a version name and a feature value.
An encrypted-storage unit 202, configured to obtain the current plaintext data, encrypt it inside the current application with a randomly generated current data encryption key to obtain the current ciphertext data and store the ciphertext in the first storage unit, and to seal the randomly generated current data encryption key with the seal key of the current application and store the sealed key in a second storage unit;
In an alternative embodiment, an application corresponds to many plaintext data items, and each plaintext data item corresponds to exactly one data encryption key.
In an alternative embodiment, inside the current application a randomly generated symmetric key of a specified number of bits is used as the current data encryption key.
The first storage unit is a disk or an external database;
The second storage unit is secure hardware, a disk or an external database.
A decryption unit 203, configured, when the current application restarts, to fetch the current ciphertext data from the first storage unit and the sealed current data encryption key from the second storage unit, to decrypt the sealed key with the seal key of the current application to recover the current data encryption key, and to decrypt the current ciphertext data with that key to recover the current plaintext data.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A trusted data space application program data disc-falling encryption storage method, comprising:
S1, deriving a seal key for each application program in each secure virtual machine based on the Hygon CSV technology;
S2, acquiring current plaintext data, encrypting the current plaintext data in the current application program with a randomly generated current data encryption key to obtain current ciphertext data, and storing the current ciphertext data in a first storage unit; encrypting and sealing the randomly generated current data encryption key with the seal key of the current application program, and storing the encrypted and sealed current data encryption key in a second storage unit;
S3, when the current application program is restarted, obtaining the current ciphertext data from the first storage unit and the encrypted and sealed current data encryption key from the second storage unit; decrypting the encrypted and sealed current data encryption key with the seal key of the current application program to obtain the current data encryption key; and decrypting the current ciphertext data with the current data encryption key to obtain the current plaintext data.
2. The method according to claim 1, wherein S1 comprises:
deriving the seal key of each secure virtual machine from the root key of the Hygon secure chip; and
deriving the seal key of the current application program in the current secure virtual machine with a CMAC algorithm from the seal key of the current secure virtual machine, the identity ID of the current application program in the current secure virtual machine, and other characteristic information.
3. The method according to claim 1, wherein:
the application program and the plaintext data are in one-to-many correspondence, and the plaintext data and the data encryption key are in one-to-one correspondence.
4. The method according to claim 3, wherein:
in the current application program, a randomly generated symmetric encryption key with a specified number of key bits is used as the current data encryption key.
5. The method according to claim 2, wherein:
the other characteristic information includes a version number, a version name and a feature value;
the first storage unit includes a disk or an external database; and
the second storage unit includes secure hardware, a disk or an external database.
6. A trusted data space application program data disc-falling encryption storage system, comprising:
a deriving unit, configured to derive a seal key for each application program in each secure virtual machine based on the Hygon CSV technology;
an encryption storage unit, configured to obtain current plaintext data, encrypt the current plaintext data in the current application program with a randomly generated current data encryption key to obtain current ciphertext data, and store the current ciphertext data in a first storage unit; and to encrypt and seal the randomly generated current data encryption key with the seal key of the current application program, and store the encrypted and sealed current data encryption key in a second storage unit; and
a decryption unit, configured to obtain, when the current application program is restarted, the current ciphertext data from the first storage unit and the encrypted and sealed current data encryption key from the second storage unit; to decrypt the encrypted and sealed current data encryption key with the seal key of the current application program to obtain the current data encryption key; and to decrypt the current ciphertext data with the current data encryption key to obtain the current plaintext data.
7. The system according to claim 6, wherein the deriving unit comprises:
a first deriving subunit, configured to derive the seal key of each secure virtual machine from the root key of the Hygon secure chip; and
a second deriving subunit, configured to derive the seal key of the current application program in the current secure virtual machine with the CMAC algorithm from the seal key of the current secure virtual machine, the identity ID of the current application program in the current secure virtual machine, and other characteristic information.
8. The system according to claim 6, wherein:
the application program and the plaintext data are in one-to-many correspondence, and the plaintext data and the data encryption key are in one-to-one correspondence.
9. The system according to claim 8, wherein:
in the current application program, a randomly generated symmetric encryption key with a specified number of key bits is used as the current data encryption key.
10. The system according to claim 7, wherein:
the other characteristic information includes a version number, a version name and a feature value;
the first storage unit includes a disk or an external database; and
the second storage unit includes secure hardware, a disk or an external database.
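As an added example, not the patent's own code, this Go program works through S2 and S3 of claim 1 with AES-GCM as the encryption and sealing primitive (the patent leaves the cipher unspecified): one fresh random 256-bit data encryption key per plaintext item, the data encrypted under it, the key sealed under the application's seal key, and after a restart the sealed key opened and the data decrypted. The application seal key is an assumed input, the labels "data" and "dek" and the function names are this example's, and it assumes Go 1.24 or later, where crypto/rand.Read cannot return an error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key used here is a fixed 16- or 32-byte value
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM requires
	return g
}

// seal encrypts under key, prefixing a fresh random nonce; the authenticated label keeps a sealed DEK and ciphertext data from being swapped for one another.
func seal(key, plaintext []byte, label string) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot return an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, []byte(label))
}

// open reverses seal; a wrong seal key or a modified blob fails authentication.
func open(key, blob []byte, label string) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob shorter than a nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(label))
}

// Store is S2: a fresh 256-bit DEK for this one plaintext item (claims 3 and 4), data encrypted under it, DEK sealed under the app seal key; returns (ciphertext for the first storage unit, sealed DEK for the second).
func Store(appSealKey, plaintext []byte) ([]byte, []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, plaintext, "data"), seal(appSealKey, dek, "dek")
}

// Restore is S3 after a restart: unseal the DEK with the application's own seal key, then decrypt.
func Restore(appSealKey, ciphertext, sealedDEK []byte) ([]byte, error) {
	dek, err := open(appSealKey, sealedDEK, "dek")
	if err != nil {
		return nil, err // a different application's seal key fails here
	}
	return open(dek, ciphertext, "data")
}
```

A different application's seal key, a tampered ciphertext or a truncated sealed key all fail at authentication, which is the only-the-creating-application property the description claims.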
CN202411070782.6A 2024-08-06 2024-08-06 Trusted data space application program data disc-falling encryption storage method and system Pending CN119004566A (en)


Publications (1)

Publication Number Publication Date
CN119004566A true CN119004566A (en) 2024-11-22

Family

ID=93480915


Country Status (1)

Country Link
CN (1) CN119004566A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination