Methods and apparatus for processing trusted data
By conducting multi-level verification in the generation, computation, and application environments, the risk of tampering with trusted data during the computation and application process is resolved, the credibility of trusted data is improved, and the security and accuracy of data at each stage are ensured.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING UNIV OF TECH
- Filing Date
- 2023-12-19
- Publication Date
- 2026-06-30
AI Technical Summary
In existing trusted data processing processes, there is a risk of data tampering during calculation or use, resulting in low credibility.
After generating metadata in the production environment, it is transferred to the computing environment for computational verification to ensure the reliability of the computation results. Then, the metadata is transferred to the application environment for verification of the data users to ensure the reliability of the application process.
By verifying trusted data in both computation and application dimensions, tampering is prevented, thus improving the credibility of trusted data and ensuring the accuracy of the computation process and the security of the application process.
Figure CN117892308B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This application relates to the field of trusted computing technology, and in particular to a method and apparatus for processing trusted data.
Background Technology
[0002] With the development of technology, trusted computing technology has also advanced. Trusted computing (TC) is, put simply, a technology promoted and developed by trusted computing groups. Its core lies in ensuring the reliability of data during computing and communication processes, and the data in question is trusted data.
[0003] Currently, existing trusted data processing typically involves encryption and verification during data transmission. That is, encryption and verification methods are used to ensure the reliability of data while it is transmitted across various devices and components, preventing tampering in transit. However, in practical applications, because current processes focus only on the reliability of the data itself during transmission, tampering or illegal operations at any point in the data flow or during computation can still compromise the reliability of the trusted data. Therefore, current trusted data processing methods suffer from a relatively low level of data reliability.
Summary of the Invention
[0004] This application provides a method and apparatus for processing trusted data, with the main objective of implementing a trusted data processing method to solve the problem of low reliability of trusted data obtained by existing trusted data processing methods.
[0005] To address the aforementioned technical problems, this application provides the following technical solutions:
[0006] Firstly, this application provides a method for processing trusted data, the method comprising:
[0007] Once the metadata is generated in the generation environment, the metadata is transferred to the computing environment.
[0008] In the computing environment, the calculation result after performing a calculation operation on the metadata is verified, and after the calculation result passes the verification, the descendant metadata is transmitted to the application environment. The descendant metadata is obtained by performing the calculation operation on the metadata.
[0009] In the application environment, the data user subject performs application verification when performing application operations on the descendant metadata, and stores the descendant metadata after the data user subject passes the application verification.
[0010] Secondly, this application also provides a trusted data processing apparatus, the apparatus comprising:
[0011] A transmission unit is used to transmit the metadata to the computing environment after the metadata is generated in the generation environment.
[0012] The computation verification unit is configured to perform computation verification on the computation results of the metadata after performing computation operations in the computation environment, and after the computation results pass the computation verification, transmit the descendant metadata to the application environment, wherein the descendant metadata is obtained by performing the computation operation on the metadata;
[0013] An application verification unit is used to perform application verification on the data user subject when performing application operations on the descendant metadata in the application environment, and to store the descendant metadata after the data user subject passes the application verification.
[0014] Thirdly, this application also provides a storage medium including a stored program, wherein the program, when running, controls the device where the storage medium is located to execute the trusted data processing method described in the first aspect.
[0015] Fourthly, this application also provides a trusted data processing apparatus, the apparatus including a storage medium; and one or more processors, the storage medium being coupled to the processors, the processors being configured to execute program instructions stored in the storage medium; the program instructions, when executed, perform the trusted data processing method described in any one of the first aspects.
[0016] By employing the above-described technical solution, the technical solution provided in this application has at least the following advantages:
[0017] This application provides a method and apparatus for processing trusted data. First, after metadata is generated in a generation environment, it is transferred to a computing environment. Then, in the computing environment, the computational result of the metadata is verified. After the computational result passes verification, the descendant metadata is transferred to an application environment. The descendant metadata is obtained by performing the computational operation on the metadata. Finally, in the application environment, the data user subject performing the application operation on the descendant metadata undergoes application verification. After the data user subject passes application verification, the descendant metadata is stored, thereby realizing the trusted data processing function. Compared with existing technologies, this application verifies the trusted data processing process from both computational and application dimensions. This avoids the possibility of tampering during the computation and application processes, thus improving the trustworthiness of the trusted data. Simultaneously, by verifying the results of the computational operation in the computing environment, it ensures that the metadata is correctly computed during computation, preventing tampering during the computation process, thus laying the foundation for improved trustworthiness of the trusted data during computation. In addition, verifying the data user of the descendant metadata in the application environment ensures that when the descendant metadata is used, the user is the correct entity, thus avoiding the risk of data leakage caused by non-descendant metadata users using the data.
[0018] The above description is only an overview of the technical solution of this application. In order to better understand the technical means of this application and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, specific embodiments of this application are described below.
Description of the Drawings
[0019] The above and other objects, features, and advantages of exemplary embodiments of this application will become readily understood by reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of this application are illustrated by way of example and not limitation, with the same or corresponding reference numerals denoting the same or corresponding parts, wherein:
[0020] Figure 1 shows a flowchart of a trusted data processing method provided in an embodiment of this application;
[0021] Figure 2 shows a flowchart of another trusted data processing method provided in an embodiment of this application;
[0022] Figure 3 shows a block diagram of a trusted data processing apparatus provided in an embodiment of this application;
[0023] Figure 4 shows a block diagram of another trusted data processing apparatus provided in an embodiment of this application.
Detailed Description
[0024] Exemplary embodiments of this application will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of this application are shown in the drawings, it should be understood that this application may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided to enable a more thorough understanding of this application and to fully convey the scope of this application to those skilled in the art.
[0025] It should be noted that, unless otherwise stated, the technical or scientific terms used in this application shall have the ordinary meaning as understood by one of ordinary skill in the art to which this application pertains.
[0026] This application provides a trusted data processing method. As shown in the flowchart of Figure 1, the method includes:
[0027] 101. After the metadata is generated in the generation environment, the metadata is transferred to the computing environment.
[0028] In practical applications, the trusted data processing method described in this embodiment can be understood as being performed by a system that provides this function. This system can consist of multiple devices, that is, a whole formed by multiple trusted devices, or it can consist of trusted modules or trusted units within a single trusted device that are capable of communicating with each other. Since trusted data processing actually requires multiple nodes and processing in different stages, when the method described in this embodiment is applied, the generation environment, computing environment, and application environment can be understood as being set up separately on different devices. Alternatively, as mentioned above, they can also be different environments divided among multiple modules or components within a single device; for example, module A corresponds to the generation environment, module B to the computing environment, and module C to the application environment.
[0029] Therefore, when the generation environment serves as the starting point of the entire processing flow and generates data, that is, metadata, this signifies the generation of trustworthy data. Subsequent computation and application are required, and at this point the metadata can be transferred from the generation environment to the computing environment. Furthermore, it should be noted that the specific format, content, and meaning of this metadata are not the focus of this solution; the key is that the metadata is trustworthy data and requires appropriate trustworthy data processing.
[0030] 102. In the computing environment, the calculation result after performing a calculation operation on the metadata is verified, and after the calculation result passes the verification, the descendant metadata is transmitted to the application environment.
[0031] The descendant metadata is obtained by performing the computational operation on the metadata.
[0032] As can be seen from the preceding steps, trusted data may be transmitted between multiple devices or between multiple modules within a single device, so illegal operations or external intrusions may occur during transmission or during any of the processing steps. Therefore, in this step, from the perspective of the computation process, the metadata is verified in the computing environment. The verification is based on the results of the executed computational operations. That is to say, if the calculated result deviates from the expected result, the metadata in the computing environment did not undergo the computational operation as designed, but instead underwent an unexpected computational operation. In this case, the credibility of the data obtained after the metadata computation is questionable. Conversely, if the computational result can be verified, the computational operation performed was the expected one. Thus, the credibility of the final descendant metadata obtained after all the computations in the computing environment can be guaranteed.
[0033] In this way, by transmitting the computationally verified descendant metadata to the application environment, it can be ensured that the data used by the subsequent application environment is trustworthy, thereby guaranteeing the data trustworthiness during the computation process, avoiding the occurrence of tampering by illegal computation or other operations, and thus improving the trustworthiness of the trusted data processing process.
[0034] 103. In the application environment, the data user subject performing application operations on the descendant metadata is verified, and the descendant metadata is stored after the data user subject passes the application verification.
[0035] In the application environment, this essentially involves the process of using the descendant metadata. This process primarily requires guarding against unauthorized access to the data. Specifically, since intrusion attempts can sometimes modify permissions to determine if they can manipulate the descendant metadata, this embodiment primarily verifies the data user entity. That is, it determines whether the entity performing the operation is the expected device or terminal. If it is not the expected entity, the descendant metadata is being used illegally, and the subsequent results obtained from the application based on this data are questionable. Conversely, if the application verification is successful, the data user is the entity authorized to manipulate the descendant metadata. Therefore, the data obtained from the application based on this descendant metadata is reliable and trustworthy, allowing for the storage of the descendant metadata.
[0036] Based on this, this embodiment provides a method for processing trusted data. Compared with the prior art, in this application, the processing of trusted data can be verified from both computation and application dimensions. This avoids the possibility of tampering during the computation and application processes, thereby improving the trustworthiness of the trusted data. Simultaneously, in the computation environment, by verifying the results of computational operations, it is ensured that metadata is correctly computed during computation, preventing tampering during the computation process and laying the foundation for improved trustworthiness of trusted data in the computation process. Furthermore, in the application environment, the data user of the descendant metadata is verified, ensuring that when the descendant metadata is used, the user is the correct entity, avoiding the risk of data leakage caused by non-descendant metadata users using the data.
[0037] Furthermore, as a further description and refinement of the foregoing embodiments, this application also provides a trusted data processing method, as shown in Figure 2:
[0038] 201. Before the metadata is generated, the generation environment is verified using a preset trusted third-party device, and the metadata is generated in the generation environment after the verification is passed.
[0039] The generation environment verification uses the trusted third-party device to perform a first trusted verification on the device to which the generation environment belongs; the first trusted verification verifies whether the device identity and data management policy reserved for the device that generates the metadata match the device identity and data management policy of the device to which the generation environment belongs.
[0040] Specifically, in this embodiment, before generating metadata, the device to which the generation environment belongs first needs to confirm whether its generation environment is trustworthy. That is, before generating metadata, the device generating the metadata, or a module within that device, needs to verify its own trustworthiness. The process described in this step uses a known trustworthy device, namely a preset trusted third-party device, and is based on a first trusted verification, which essentially compares the device identity reserved at the preset trusted third-party device with the identity of the device or module currently generating metadata. When they match, the generation environment is determined to be reliable. At the same time, since certain data management behaviors need to be performed in the generation environment, the device's data management policy also needs to be compared with the reserved data management policy while the identity comparison is performed. In this way, the first trusted verification verifies, from two dimensions, the device's identity and the device's specific data management behaviors, whether the device currently generating metadata is the pre-specified device. This achieves the effect of verifying the generation environment set up on the device.
[0041] Once the verification is successful, it means that the current device is indeed the device pre-specified by the user, and the generation environment of the device is trustworthy. Then, the metadata generation operation can continue.
[0042] Additionally, it should be noted that in this embodiment, regardless of the environment in which the verification process is conducted, it can be implemented through certificate verification. The certificate application process involves the certificate applicant sending a "data structure" related to the node or data to which the current device belongs. This "data structure" includes the device identity and data management strategy described earlier in this step. In some cases, the verification process may only involve a node in the transmission process (a device or module only transmits data without managing or manipulating it). In such cases, the "data structure" in this certificate verification method only includes the device identity. Specifically, for security reasons, this device identity can be the unique identifier of the device or module and a PIK (Personal Identity Key). The PIK is the device identity key, bound to the device, and used specifically for certificate application. This "data structure" also needs to be encrypted with an endorsement key (EK) after salting and transmitted to a pre-set third trusted device for certificate application. The unique identifier of the certificate application device can be transmitted in plaintext.
[0043] For trusted third-party devices, since they receive certificate application information containing device identity and data management policies, the verification process can include:
[0044] By matching the currently received unique identifier with the reserved unique identifier and calling the trusted proof service, the trusted proof service uses the public key corresponding to the reserved unique identifier to decrypt. If the decryption is successful, it means that the reserved unique identifier and the current device's unique identifier are the same device, indicating that the device's identity is valid. Next, the rule / attribute notarization service is called to verify the data management policy.
[0045] The system uses rule / attribute notarization services to determine whether a reasonable data management strategy exists in the current "data structure". If the data management strategy is unreasonable, the authentication is terminated. If it does not exist or exists and is reasonable, the certificate issuance service is invoked. In the specific execution process of confirming the existence and reasonable description of the data management strategy, the standard for determining reasonableness is actually to compare the data management strategy in the current "data structure" with the reserved data management strategy. If the two match, it means that the data operation behavior and management process to be performed by the current device's generation environment are consistent with the user's expectations, and therefore it is considered reasonable.
[0046] In the process of issuing a certificate through the certificate issuance service: First, a PIK public key is generated from the EK public key obtained from the target device. The EK public key is actually an endorsement key, which is generated based on the dedicated encryption hardware pre-deployed in the device, namely the Trusted Cryptographic Module (TCM). The TCM has the capabilities of generating true random numbers, generating keys, and storing keys. When combined with the trusted cryptographic driver, it can provide cryptographic services for computing devices.
[0047] Then, the verified "data structure" is signed using the PIK public key and the CA private key (i.e., the private key of a pre-set trusted third-party device) to form a certificate. After completion, the data is encrypted and packaged into an encrypted platform authentication packet using the CA private key. The authentication packet is distributed to the device along with the CA public key. The device uses the CA public key to decrypt the packet, verifies the signature with the PIK private key, and obtains the PIK certificate.
[0048] 202. After the metadata is generated in the generation environment, the metadata is transferred to the computing environment.
[0049] Specifically, transmitting the metadata to the computing environment includes:
[0050] The metadata and associated information are encrypted and encapsulated to obtain first encapsulated data, and the first encapsulated data and first feature information are transmitted to the computing environment; wherein, the associated information includes at least a trust policy, wherein the trust policy is used to verify whether the device in the computing environment allows computing operations, and the first feature information is used to characterize the content characteristics of the metadata; the first feature information includes at least one of: attribute information of the metadata, description information of the metadata, and information characterizing the environment in which the metadata is allowed to be operated.
[0051] After the metadata is generated, subsequent operations such as calculation and application are required. Therefore, it needs to be transmitted to the computing environment after it has been generated in the generation environment. However, to ensure the security of data transmission and prevent interception or tampering in transit, this embodiment also encrypts and encapsulates the metadata to obtain the first encapsulated data. At the same time, so that it can later be verified whether the metadata has been tampered with after reception, the characteristics of the metadata, i.e., the first feature information, can be transmitted together with the first encapsulated data. The first feature information can be understood as data that reflects the characteristics of the content of the metadata, which may include attribute information, description information, etc. In some cases, it may also include information characterizing the environment in which the metadata is allowed to be operated on. This information indicates the environment in which the metadata may be operated on. The environment can refer to a category of environment, such as the computing environment or the application environment, or to a specific environment on a specific device within a category. For example, when the computing environment includes environment 1 and environment 2 of device A, if the information characterizing the environment in which the metadata is allowed to be operated on explicitly indicates environment 2, the metadata is only allowed to be operated on in environment 2 of device A and cannot be operated on in environment 1. In addition, in this embodiment, the first encapsulated data also encapsulates some associated information. This associated information includes at least a trust policy, which is mainly used to characterize which devices may perform computational operations after the first encapsulated data is received. Furthermore, to better record the processing status of the metadata at each stage and to support subsequent backtracking, other information can be added as associated information. For example, a system security trust mechanism self-measurement report can be added, which characterizes the trustworthiness of the device to which the generation environment belongs. The types, quantities, and content of the other information that can be added as associated information are not limited here and can be selected based on the user's actual needs.
[0052] 203. Before performing calculation operations on the metadata, the computing environment is verified using the preset trusted third-party device so that the calculation operation is performed after the computing environment verification is passed.
[0053] The computing environment verification uses the trusted third-party device to perform a second trusted verification on the device to which the computing environment belongs; the second trusted verification verifies whether the device identity and data management policy reserved for the device that computes on the metadata match the device identity and data management policy of the device to which the computing environment belongs.
[0054] As described in the preceding steps, to ensure the credibility of each stage and process of the trusted data processing, environment verification is required before each operation is performed in each environment. Therefore, in the computing environment, verification is also required in the same manner as in the generation environment. In other words, the reliability of the device in the current computing environment is determined based on the second trusted verification. Similarly, the verification process compares the device identity and data management policy of the device to which the environment belongs with the device identity and data management policy reserved at the preset trusted third-party device. When the two match, the device currently performing the computing operation is the device expected by the user, and the second trusted verification is confirmed to have passed. It should also be noted that the specific process of the second trusted verification in this embodiment is the same as that of the first trusted verification described above, both using a certificate application and signature verification process, so it is not elaborated upon here.
[0055] After verifying that the computing environment has passed the computing environment verification, the next step is to perform computing operations on the metadata. However, as described in the previous steps, there is a risk of tampering during the transmission of metadata. Therefore, after the metadata is encapsulated in the previous steps, it is necessary to verify whether there is any tampering during the metadata transmission process according to the subsequent steps 204 to 205.
[0056] 204. Decrypt and unpack the first encapsulated data to obtain the first unpacked data. When the trust policy in the first unpacked data determines that the device to which the computing environment belongs is a device that is allowed to perform computing operations, determine whether the metadata in the first unpacked data matches the first feature information.
[0057] In this step, the trust policy contained in the first unpacked data is used to verify whether the current device is authorized to perform computational operations. If the current device is not authorized to perform computational operations, it does not have computational permission for the metadata, and the subsequent operations can be stopped directly. Conversely, when it is determined that the device receiving the first encapsulated data is authorized to perform computational operations, the device may perform computational operations on the metadata. At this point, it is necessary to confirm whether the metadata has been tampered with during transmission. Since an attacker may obtain the decryption key of the first encapsulated data, the metadata in the decrypted first encapsulated data may no longer be the original metadata. The first feature information is data that characterizes the content features of the metadata; therefore, comparing it with the metadata in the first unpacked data can confirm whether the metadata has been tampered with.
[0058] 205. If a match is found, a digest calculation is performed on the metadata to obtain a first digest result, which is then matched against the metadata trust credential recorded in the generation environment.
[0059] The metadata trust credential is obtained by performing a digest calculation on the metadata after it has been generated in the generation environment.
[0060] When it is confirmed that the metadata in the first unpacked data matches the first feature information sent together with it, this indicates that the metadata has probably not been tampered with. However, since in practical applications both the first encapsulated data and the first feature information may be tampered with at the same time, this step can further verify the metadata using the metadata trust credential recorded in the generation environment. Since this metadata trust credential is obtained by performing a digest calculation on the metadata after it has been generated in the generation environment, the metadata received in the computing environment in this step undergoes the same digest calculation to obtain the first digest result, which is then matched against the metadata trust credential. It should be noted that any algorithm can be used for these two digest calculations, such as a hash algorithm, and there is no limitation here.
[0061] Furthermore, in some cases, in order to verify whether the first feature information has been tampered with, the first feature information can be compared with the trusted credential of the first feature information in the generation environment. The trusted credential of the first feature information can be obtained by performing digest calculation on the first feature information after the metadata is generated in the generation environment and the first feature information corresponding to the metadata is determined. In this way, digest calculation can be performed on the first feature information received in the current computing environment and compared with the trusted credential of the first feature information to determine whether the first feature information has been tampered with during the transmission process.
[0062] 206. When it is determined that the first digest result matches the metadata trust credential, in the computing environment, the calculation result after performing a calculation operation on the metadata is verified, and after the calculation result passes the calculation verification, the descendant metadata is transmitted to the application environment.
[0063] The descendant metadata is obtained by performing the computational operation on the metadata.
[0064] Based on the aforementioned steps, when verifying the received metadata, if the first digest result matches the metadata trust credential, it indicates that the received metadata is indeed the metadata generated by the production environment and has not been tampered with during transmission; therefore, the metadata is trustworthy. The corresponding calculation operations can then be performed on this metadata.
[0065] Specifically, since the calculation operation can be performed in multiple steps, the calculation operation includes at least one calculation action. Similarly, the calculation result includes at least one intermediate result, wherein each calculation action corresponds to one intermediate result.
[0066] Based on this, in this step, the calculation verification of the calculation result after performing calculation operations on the metadata in the computing environment includes:
[0067] First, in the computing environment, each time a calculation action is performed on the metadata, the intermediate result corresponding to that calculation action is obtained according to a preset rule, and a digest calculation is performed on each intermediate result to obtain intermediate result verification information; wherein the preset rule is used either to filter the intermediate results corresponding to all calculation actions according to the security level of the metadata to obtain a target number of intermediate results, or to determine the target number based on the security level of the metadata and obtain the intermediate results according to that target number;
[0068] Then, the intermediate result verification information is compared with the preset verification information, and when they match, the calculation behavior is determined to have passed the verification. This process continues until all calculation behaviors have passed the verification. Then, the calculation result is determined to have passed the calculation verification, and the intermediate result corresponding to the last calculation behavior is determined as the descendant metadata according to the execution order between the calculation behaviors.
[0069] Finally, when it is determined that the intermediate result verification information does not match the preset verification information, the calculation behavior corresponding to the intermediate result verification information is determined to be an abnormal calculation behavior, and the corresponding intermediate result is deleted.
[0070] In this embodiment, since metadata can also be divided into different security levels, a higher security level necessitates retaining more intermediate results for verification, while a lower security level allows for a reduction in the number of intermediate results retained. In other words, during the verification process, the security level affects the number of intermediate results required for verification.
[0071] Based on this, the process of obtaining intermediate result verification information can actually be divided into two ways according to preset rules: one way is to obtain all intermediate results, then filter them based on the security level of the metadata, retain a portion of the intermediate results as needed, and then use these intermediate results to perform digest calculation to obtain intermediate result verification information; the other way is to first determine the security level of the metadata, and then determine the number of intermediate results required based on the level. In this way, during the calculation process, only as many results as that number allows are extracted as intermediate results, and the digest calculation is then performed on these intermediate results to obtain the intermediate result verification information.
[0072] After determining the intermediate result verification information, the next step is to verify the calculation process. This verification involves comparing the intermediate result verification information with preset verification information. When they match, it means the intermediate result is the same as the user's expected result, indicating that the calculation behavior corresponding to the intermediate result meets the user's needs. Conversely, if they do not match, it means the calculation behavior corresponding to the intermediate data is not the user's expected process. Therefore, the intermediate result needs to be deleted, and the calculation behavior should be identified as abnormal. This way, when subsequent investigation and backtracking are needed, it's possible to identify at which calculation stage the metadata encountered a problem. It also prevents the accuracy of the final metadata from being compromised by continuing calculations based on the problematic intermediate result.
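As an added example that is not code from the patent, the calculation verification of paragraphs [0067] to [0072] in Python: the three calculation actions, the security levels with their target counts, and the preset verification information (derived from a reference run of the trusted actions) are constructed for illustration, and SHA-256 stands in for the unspecified digest algorithm. Both forms of the preset rule are shown: filtering all intermediate results afterwards, and fixing the target number first and retaining only that many while the actions run.

```python
import hashlib
import json
from typing import Any, Callable, Dict, List, Tuple

# Preset rule (constructed values): target number of intermediate results that
# must be digested and checked for each security level of the metadata.
TARGET_COUNT_BY_LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 4}

Action = Tuple[str, Callable[[Any], Any]]   # (name, calculation action)
Intermediate = Tuple[str, Any]              # (action name, intermediate result)


def digest(value: Any) -> str:
    """Digest calculation: SHA-256 over a canonical JSON encoding (assumed)."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def run_actions(metadata: Any, actions: List[Action]) -> List[Intermediate]:
    """Perform the calculation actions in order; each one consumes the previous
    intermediate result and yields its own."""
    results, current = [], metadata
    for name, fn in actions:
        current = fn(current)
        results.append((name, current))
    return results


def select_by_level(results: List[Intermediate], level: str) -> List[Intermediate]:
    """Preset rule, first way: obtain all intermediate results, then keep only the
    target number for the security level. The latest results are kept so the last
    action, whose result becomes the descendant metadata, is always checked."""
    return results[-TARGET_COUNT_BY_LEVEL[level]:]


def run_with_target(metadata: Any, actions: List[Action], level: str) -> List[Intermediate]:
    """Preset rule, second way: fix the target number from the security level first,
    then retain only that many intermediate results while the actions run."""
    target, window, current = TARGET_COUNT_BY_LEVEL[level], [], metadata
    for name, fn in actions:
        current = fn(current)
        window.append((name, current))
        del window[:-target]            # drop the oldest beyond the target number
    return window


def expected_verification(metadata: Any, actions: List[Action]) -> Dict[str, str]:
    """Preset verification information: the digest the user expects for each action,
    derived here from a reference run of the trusted actions (constructed)."""
    return {name: digest(result) for name, result in run_actions(metadata, actions)}


def verify_computation(metadata: Any, actions: List[Action], level: str,
                       preset: Dict[str, str]):
    """Calculation verification of [0067]-[0069].

    Returns (passed, descendant_metadata, abnormal_action, kept_results). On a
    mismatch the offending intermediate result is not kept and later actions are
    not trusted, so the caller can see at which action the problem arose.
    """
    kept: List[Intermediate] = []
    for name, result in select_by_level(run_actions(metadata, actions), level):
        info = digest(result)                 # intermediate result verification information
        if info != preset.get(name):
            return False, None, name, kept    # abnormal calculation behaviour
        kept.append((name, result))
    return True, kept[-1][1], None, kept      # last intermediate result is the descendant


# Constructed calculation operation: three actions over a small sensor record.
TRUSTED_ACTIONS: List[Action] = [
    ("normalize", lambda m: [x / 4 for x in m["readings"]]),
    ("aggregate", lambda xs: sum(xs)),
    ("scale", lambda s: s * 100),
]
# The same operation with the aggregation silently swapped for max().
TAMPERED_ACTIONS: List[Action] = [TRUSTED_ACTIONS[0], ("aggregate", max), TRUSTED_ACTIONS[2]]

if __name__ == "__main__":
    metadata = {"readings": [1, 2, 3, 4]}
    preset = expected_verification(metadata, TRUSTED_ACTIONS)
    print(verify_computation(metadata, TRUSTED_ACTIONS, "high", preset))    # passes, descendant 250.0
    print(verify_computation(metadata, TAMPERED_ACTIONS, "high", preset))   # abnormal at "aggregate"
    print(verify_computation(metadata, TAMPERED_ACTIONS, "low", preset))    # only "scale" checked
```

With the low security level only the final result is checked, so the abnormal action is reported as "scale" rather than "aggregate": the level trades traceability for fewer retained results, as paragraph [0070] describes.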
[0073] Furthermore, as described in the preceding steps, since there is a risk of tampering during data transmission, in order to further improve the reliability of the trusted data processing process, the step of transmitting the descendant metadata to the application environment includes:
[0074] The descendant metadata is encrypted and encapsulated to obtain second encapsulated data, and the second encapsulated data and second feature information are transmitted to the application environment. The second feature information is used to characterize the content characteristics of the descendant metadata. The second feature information includes at least one of the following: attribute information of the descendant metadata, description information of the descendant metadata, and information characterizing the environment in which the descendant metadata is allowed to be operated.
[0075] In this way, by encrypting and encapsulating the descendant metadata to obtain the second encapsulated data, it can be ensured that the descendant metadata is transmitted in encrypted form, thereby improving security. Simultaneously, the second feature information sent synchronously is information that reflects the descendant metadata. Therefore, it can be ensured that even if the descendant metadata is tampered with, the second feature information can still be used to verify the descendant metadata, thus improving the security of data during transmission in trusted data processing. Furthermore, it should be noted that in this embodiment, the content, type, form, and description of the second feature information are the same as those of the first feature information. The only difference between the two is that one is a "feature" of the metadata and the other is a "feature" of the descendant metadata; therefore, it will not be elaborated upon here.
[0076] 207. Before performing application operations on the descendant metadata, the application environment is verified using the preset trusted third-party device so that the application operation is executed after the application environment verification is passed.
[0077] The application environment verification is used to perform third-party trusted verification, by the trusted third-party device, on the device to which the application environment belongs; the third-party trusted verification is used to verify whether the device identity and data management policy of the device reserved for applying the metadata match the device identity and data management policy of the device to which the application environment belongs.
[0078] In this step, as shown in the previous steps, the application environment also needs to be verified before it can perform operations on the descendant metadata. The specific verification principle and process are the same as those described above for the verification process in the production environment, and will not be repeated here.
[0079] It should be noted that, in this embodiment, the steps involved in the generation environment verification process, the computing environment verification process, and the application environment verification process can all be selected based on user needs, and are not limited here. The process described in this embodiment is merely exemplary. For example, if only the generation environment verification process is executed, then the steps involved in the subsequent computing environment verification process and the application environment verification process can be omitted.
[0080] After the application environment has been verified, the application operations on the descendant metadata can be performed. However, as described in the previous steps, there is a risk of tampering during the transmission of the descendant metadata. Therefore, after the descendant metadata has been encapsulated in the previous steps, it is necessary to verify whether any tampering occurred during its transmission according to the subsequent steps 208 to 209.
[0081] 208. Decrypt and unpack the second encapsulated data to obtain the second unpacked data, and determine whether the descendant metadata in the second unpacked data matches the second feature information.
[0082] In this embodiment, after receiving the second encapsulated data and the corresponding second feature information, the second encapsulated data is first decrypted and unencapsulated. Then, the descendant metadata contained in the second unpacked data is compared with the second feature information received synchronously. If the two match, it means that they have not been tampered with and subsequent steps can be performed. Conversely, if they do not match, the credibility of the descendant metadata is questionable.
[0083] Furthermore, in some cases, to verify whether the second feature information has been tampered with, the second feature information can be compared with a trusted credential for the second feature information recorded in the computing environment. This trusted credential for the second feature information can be obtained by performing a digest calculation on the second feature information after the computing environment has obtained the descendant metadata and determined the second feature information corresponding to the descendant metadata. In this way, by performing a digest calculation on the second feature information received in the current application environment and comparing it with the trusted credential for the second feature information, it can be determined whether the second feature information has been tampered with during transmission.
[0084] 209. If a match is found, the descendant metadata is digested to obtain a second digest result, which is then matched with the trusted credentials of the descendant metadata recorded in the computing environment.
[0085] The trusted credential for the descendant metadata is obtained by performing a digest calculation on the descendant metadata after obtaining it in the computing environment.
[0086] When it is determined that the descendant metadata in the second unsealed data matches the second feature information, it indicates that it may not have been tampered with, or both may have been tampered with. To ensure data credibility, it is also necessary to compare the descendant metadata with the descendant metadata trust certificate. Since the descendant metadata trust certificate is obtained through digest calculation in the computing environment, the currently received descendant metadata also needs to undergo the same digest calculation. Based on the comparison of the two, it is determined whether the currently received descendant metadata has been tampered with. When the two match, it indicates that it has not been tampered with, and at this time, it can be determined that the descendant metadata is trustworthy.
[0087] 210. When it is determined that the second digest result matches the trusted credential of the descendant metadata, in the application environment, the data user subject performing the application operation on the descendant metadata is verified, and after the data user subject passes the application verification, the descendant metadata is stored.
[0088] Specifically, the application verification process in this step can be as follows:
[0089] In the application environment, the application subject using the descendant metadata is monitored, and based on the application subject, it is determined whether the data user subject has changed when the application operation is performed;
[0090] If a change occurs, the identity information of the application subject after the change is recorded, and the identity information is filtered through a preset strategy. The filtered identity information is then matched with the preset identity information. The preset strategy is used to set the number of identity information to be matched with the preset identity information according to the security level of the descendant metadata.
[0091] If a match is found, it is determined that the data user has passed the application verification.
[0092] During application, the primary focus is on monitoring whether the entity using the descendant metadata is the intended entity. If it is, it indicates that the descendant metadata has not been exploited by hackers or attackers in the application environment, meaning the metadata processing is functioning correctly. Generally, the users of the descendant metadata are devices belonging to the current application environment, or other devices specifically accessing the descendant metadata from within that environment. This means the user of the descendant metadata typically remains unchanged. Therefore, this step involves constantly monitoring whether the user changes when the descendant metadata is used for application operations. If a change occurs, it's crucial to be alerted to potential unauthorized use or access to the descendant metadata. In this case, the identity information of the changed entity needs to be recorded, and then filtered based on a preset strategy. This filtering primarily determines the number of remaining identity information entries to retain when multiple changed entity identities exist, based on the security level of the descendant metadata. Of course, the number of filtered identity information entries corresponding to different security levels can be preset according to user needs and is not limited here.
[0093] When the filtered identity information matches the preset identity information, it means that although the data user subject has changed, it is in line with the user's expectations. This indicates that the data user subject can be verified by the application, and that the effect of subsequent metadata on application-based operations is also reliable.
[0094] 211. If it is determined that the filtered identity information does not match the preset identity information, then it is determined that the descendant metadata has been used abnormally, and an alarm message is generated and stored.
[0095] As can be seen from the aforementioned steps, there may be a situation where the filtered identity information does not match the preset identity information. In this case, it indicates that after the data user subject changes, the new subject is not what the user expected. That is to say, the device or module currently performing the application operation is not the device or module expected by the user. In this case, the application operation is actually an illegal operation. At this time, it can be determined that there is an abnormal use of the descendant metadata. At the same time, an alarm message is generated and stored. This ensures that in the subsequent backtracking process, the stored alarm message can be used to determine that a device or module the user did not expect has used the descendant metadata.
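The monitoring of the data user subject in steps 210 and 211, as an added example that is not part of the patent: the retained-history counts per security level, the subject names, the operation sequence and the reading that every retained identity must appear in the preset identity information are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Preset strategy (constructed values): how many of the most recently recorded
# changed-subject identities are kept for matching, per security level of the
# descendant metadata. A higher level keeps a longer history.
RETAIN_BY_LEVEL: Dict[str, int] = {"low": 1, "medium": 3, "high": 10}


@dataclass
class ApplicationVerifier:
    """Monitors the data user subject while descendant metadata is applied (step 210)."""
    intended_subject: str          # the subject expected to use the descendant metadata
    preset_identities: Set[str]    # preset identity information: subjects the user accepts
    level: str                     # security level of the descendant metadata
    current_subject: str = field(init=False, default="")
    recorded: List[str] = field(default_factory=list)              # identities after each change
    alarms: List[Dict[str, object]] = field(default_factory=list)  # stored alarm messages (step 211)

    def __post_init__(self) -> None:
        self.current_subject = self.intended_subject

    def filtered_identities(self) -> List[str]:
        """Preset strategy: retain only the target number of recorded identities."""
        return self.recorded[-RETAIN_BY_LEVEL[self.level]:]

    def observe(self, subject: str, operation: str) -> bool:
        """Check one application operation. True: the data user subject passes
        application verification. False: abnormal use, an alarm message was stored."""
        if subject == self.current_subject:
            return True                  # no change of subject: nothing to verify
        self.current_subject = subject   # the data user subject changed
        self.recorded.append(subject)    # record the identity information after the change
        filtered = self.filtered_identities()
        # Interpretation used here (assumed): every retained identity must be in the
        # preset identity information, so one unexpected subject keeps the verification
        # failing until it ages out of the retained window.
        unexpected = [ident for ident in filtered if ident not in self.preset_identities]
        if not unexpected:
            return True
        self.alarms.append({"operation": operation, "subject": subject,
                            "unexpected": unexpected, "level": self.level})
        return False


if __name__ == "__main__":
    verifier = ApplicationVerifier("device-a", {"device-a", "device-b"}, "high")
    # Constructed sequence of application operations on the descendant metadata.
    for subject, op in [("device-a", "read"), ("device-b", "read"),
                        ("device-x", "write"), ("device-b", "read")]:
        print(subject, op, verifier.observe(subject, op))
    print(verifier.alarms)
```

At the high level the return of device-b still fails because device-x remains in the retained history; at the low level only the latest identity is retained and the same return passes.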
[0096] Furthermore, during the execution of the above steps, whether transferring metadata from the generation environment to the computing environment or transferring descendant metadata from the computing environment to the application environment, it can all be done through a dedicated channel environment, namely the data exchange environment. Both metadata and descendant metadata can be temporarily stored once they enter this data exchange environment. This allows for verification based on the temporarily stored data if problems are found after the data enters a certain environment, enabling a "secondary verification" of the data. It also ensures that when tracing back to trusted data where problems exist, it can be confirmed at which stage the anomaly occurred.
[0097] In view of this, in this embodiment, "secondary verification" can also be performed in the following aspects, as detailed below:
[0098] Aspect A: When it is determined that the metadata in the first unsealed data does not match the first feature information, the system acquires the first encapsulated data and the first feature information temporarily stored in the data exchange environment, performs a first verification on the temporarily stored first encapsulated data and the temporarily stored first feature information, and executes a first target operation based on the first verification result; wherein, the temporarily stored first encapsulated data and the temporarily stored first feature information are temporarily stored when the first encapsulated data and the first feature information are sent from the generation environment to the computing environment through the data exchange environment; the first verification is used to verify the metadata in the temporarily stored first encapsulated data through the metadata trusted credential stored in the preset repository, and to verify the temporarily stored first feature information through the first feature information trusted credential stored in the preset repository; the first feature information trusted credential is obtained by performing a digest calculation on the first feature information after determining the first feature information corresponding to the metadata in the generation environment; the first target operation includes controlling the generation environment to regenerate the metadata when the first verification result is that the verification fails.
[0099] Aspect B: When it is determined that the first digest result does not match the metadata trusted credential, the first encapsulated data and the synchronously transmitted first feature information temporarily stored in the data exchange environment are obtained, the first verification is performed on the temporarily stored first encapsulated data and the temporarily stored first feature information, and the first target operation is performed based on the first verification result.
[0100] Aspect C: When it is determined that the descendant metadata in the second unsealed data does not match the second feature information, the second encapsulated data and the second feature information temporarily stored in the data exchange environment are obtained, a second verification is performed on the temporarily stored second encapsulated data and the temporarily stored second feature information, and a second target operation is executed based on the second verification result; wherein, the temporarily stored second encapsulated data and the temporarily stored second feature information are temporarily stored when the second encapsulated data and the second feature information are sent from the computing environment to the application environment through the data exchange environment; the second verification is used to verify the descendant metadata in the temporarily stored second encapsulated data through the trusted credential of the descendant metadata stored in the preset repository, and to verify the temporarily stored second feature information through the trusted credential of the second feature information stored in the preset repository; the trusted credential of the second feature information is obtained by performing a digest calculation on the second feature information after determining the second feature information corresponding to the descendant metadata in the computing environment; the second target operation includes controlling the generation environment to regenerate the metadata when the second verification result is that the verification fails.
[0101] Aspect D: When it is determined that the second digest result does not match the trusted credential of the descendant metadata, the second encapsulated data and the synchronously transmitted second feature information temporarily stored in the data exchange environment are obtained, a second verification is performed on the temporarily stored second encapsulated data and the temporarily stored second feature information, and a second target operation is performed based on the second verification result.
[0102] As can be seen from the above four aspects A to D, when transmitting trusted data, by utilizing the data exchange environment, the metadata or descendant metadata (and the "features" transmitted simultaneously, namely the first feature information and the second feature information) entering the environment can be temporarily stored in advance. In this way, before the calculation and application processes, through the judgment of the aforementioned steps, when it is found that the metadata or descendant metadata has been tampered with, it can be verified by the temporarily stored metadata and its first feature information, and the temporarily stored descendant metadata and its second feature information, respectively. This ensures that when it is determined that the temporarily stored metadata or descendant metadata has not passed the verification based on the trusted credentials of the corresponding data, it can be known in time at which stage of data transmission the problem occurred, and the generation environment can be controlled in time to regenerate the metadata, thereby ensuring that the above-mentioned processing steps of trusted data are re-executed.
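An added example, not the patent's code, covering steps 208 and 209 together with aspects C and D: descendant metadata is encapsulated, passed through a data exchange environment that keeps a temporary copy, unpacked and verified in the application environment, and on failure the stored copy is checked against the repository credentials to tell on which hop the alteration happened. The HMAC-SHA256 keystream "cipher", the feature-information fields, the shared key, the message ids and the sample records are constructed stand-ins; returning the intact stored copy when it passes is this example's own choice, since the patent only fixes the regenerate action for the failing case.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

KEY = b"constructed-demo-key"   # shared by computing and application environments (assumed)


def digest(value: Any) -> str:
    """Digest calculation: SHA-256 over a canonical JSON encoding (assumed)."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for 'encrypt and encapsulate': XOR with an HMAC-SHA256 counter
    keystream. Symmetric, so the same call unpacks. Not a production cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def feature_info(descendant: Dict[str, Any]) -> Dict[str, Any]:
    """Second feature information (constructed fields): attribute information,
    description information and the environment allowed to operate on the data."""
    return {"attributes": {"fields": sorted(descendant),
                           "records": len(descendant.get("records", []))},
            "description": "descendant metadata", "allowed_environment": "application"}


def encapsulate(descendant: Dict[str, Any], key: bytes = KEY) -> bytes:
    return keystream_xor(json.dumps(descendant, sort_keys=True).encode(), key)


def unpack(encapsulated: bytes, key: bytes = KEY) -> Optional[Dict[str, Any]]:
    """Decrypt and unpack; None when the bytes no longer decode to the JSON object sent."""
    try:
        obj = json.loads(keystream_xor(encapsulated, key).decode())
    except ValueError:               # covers UnicodeDecodeError and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def credentials(descendant: Dict[str, Any]) -> Dict[str, str]:
    """Trusted credentials the computing environment records in the preset repository."""
    return {"descendant": digest(descendant), "feature": digest(feature_info(descendant))}


@dataclass
class DataExchangeEnvironment:
    """Dedicated channel that keeps a temporary copy of everything passing through it."""
    stored: Dict[str, Tuple[bytes, Dict[str, Any]]] = field(default_factory=dict)

    def transfer(self, msg_id: str, encapsulated: bytes, feature: Dict[str, Any]):
        self.stored[msg_id] = (encapsulated, dict(feature))
        return encapsulated, dict(feature)   # what leaves the channel towards the receiver


def receive(msg_id: str, encapsulated: bytes, feature: Dict[str, Any],
            repository: Dict[str, str], exchange: DataExchangeEnvironment, key: bytes = KEY):
    """Steps 208-209 in the application environment, with aspects C and D as fallback.
    Returns (status, descendant_or_None); status is 'trusted', 'recovered_from_exchange'
    or 'regenerate'."""
    descendant = unpack(encapsulated, key)
    if descendant is not None and feature_info(descendant) == feature \
            and digest(descendant) == repository["descendant"]:
        return "trusted", descendant
    # Secondary verification: check the temporarily stored copy against the repository.
    stored_enc, stored_feature = exchange.stored[msg_id]
    stored = unpack(stored_enc, key)
    if stored is not None and digest(stored) == repository["descendant"] \
            and digest(stored_feature) == repository["feature"]:
        # The copy in the channel is intact, so the alteration happened on the hop from
        # the exchange environment to the receiver. Reusing that copy is this example's
        # own choice (assumed); the patent only fixes the action for the failing case.
        return "recovered_from_exchange", stored
    return "regenerate", None   # already wrong on entry to the channel: regenerate


if __name__ == "__main__":
    desc = {"records": [{"id": 1, "score": 250.0}], "source": "computing"}   # constructed
    repo, exchange = credentials(desc), DataExchangeEnvironment()
    enc, feat = exchange.transfer("m1", encapsulate(desc), feature_info(desc))
    print(receive("m1", enc, feat, repo, exchange)[0])                               # trusted
    print(receive("m1", bytes([enc[0] ^ 0xFF]) + enc[1:], feat, repo, exchange)[0])  # recovered_from_exchange
```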
[0103] Furthermore, corresponding to the implementation of the method shown in Figure 1 and Figure 2 above, another embodiment of this application also provides a trusted data processing apparatus. This apparatus embodiment corresponds to the foregoing method embodiment. For ease of reading, this apparatus embodiment does not repeat the details of the foregoing method embodiment, but it should be understood that the apparatus in this embodiment can implement all the contents of the foregoing method embodiment. The apparatus is used to implement the trusted data processing method. Specifically, as shown in Figure 3, the apparatus includes:
[0104] The transmission unit 31 can be used to transmit the metadata to the computing environment after the metadata is generated in the generation environment;
[0105] The calculation verification unit 32 can be used in the computing environment to perform calculation verification on the calculation result after performing calculation operation on the metadata transmitted by the transmission unit 31, and after the calculation result passes the calculation verification, transmit the descendant metadata to the application environment, wherein the descendant metadata is obtained by the calculation operation on the metadata;
[0106] The application verification unit 33 can be used to perform application verification on the data user subject when performing application operations on the descendant metadata obtained by the computation verification unit 32 in the application environment, and store the descendant metadata after the data user subject passes the application verification.
[0107] Furthermore, as shown in Figure 4, the device further includes:
[0108] The first environment verification unit 34 can be used to verify the generation environment using a preset trusted third-party device before the metadata is generated, and generate the metadata in the generation environment after the verification is passed, so that the transmission unit 31 can transmit the metadata; wherein, the generation environment verification can be used to perform a first trusted verification on the device to which the generation environment belongs using the trusted third-party device; the first trusted verification can be used to verify whether the device identity and data management policy of the device reserved for generating the metadata match the device identity and data management policy of the device to which the generation environment belongs;
[0109] The second environment verification unit 35 can be used to verify the computing environment using the preset trusted third-party device before performing calculation operations on the metadata, so that the calculation verification unit 32 can execute the calculation operation after the computing environment verification is successful; wherein, the computing environment verification can be used to perform a second trusted verification on the device to which the computing environment belongs using the trusted third-party device; the second trusted verification can be used to verify whether the device identity and data management policy of the reserved computing metadata device match the device identity and data management policy of the device to which the computing environment belongs;
[0110] The third environment verification unit 36 can be used to perform application environment verification on the application environment using the preset trusted third-party device before performing application operations on the descendant metadata, so that the application verification unit 33 can execute the application operation after the application environment verification is passed; wherein, the application environment verification can be used to perform third-party trusted verification on the device to which the application environment belongs using the trusted third-party device; the third-party trusted verification can be used to verify whether the device identity and data management policy of the device for the reserved application metadata match the device identity and data management policy of the device to which the application environment belongs.
[0111] Furthermore, as shown in Figure 4, the transmission unit 31 can also be specifically used to encrypt and encapsulate the metadata and associated information to obtain first encapsulated data, and transmit the first encapsulated data and first feature information to the computing environment; wherein, the associated information includes at least a trust policy, wherein the trust policy can be used to verify whether the device in the computing environment allows computing operations, and the first feature information is used to characterize the content characteristics of the metadata; the first feature information includes at least one of: attribute information of the metadata, description information of the metadata, and information characterizing the environment in which the metadata is allowed to be operated;
[0112] The device further includes:
[0113] The first determining unit 37 can be used to decrypt and unpack the first encapsulated data transmitted by the transmission unit 31 to obtain the first unpacked data, and when the trusted policy in the first unpacked data determines that the device to which the computing environment belongs is a device that is allowed to perform computing operations, it determines whether the metadata in the first unpacked data matches the first feature information.
[0114] The first matching unit 38 can be used to perform a digest calculation on the metadata if the first determining unit 37 determines that the metadata in the first unsealed data matches the first feature information, to obtain a first digest result, and to match it with the metadata trusted credential recorded in the generation environment; wherein, the metadata trusted credential is obtained by performing a digest calculation on the metadata after the metadata is generated in the generation environment;
[0115] The calculation verification unit 32 can also be specifically used to perform calculation verification on the calculation result after performing calculation operations on the metadata in the computing environment when the first matching unit 38 determines that the first digest result matches the metadata trusted credential.
[0116] Furthermore, as shown in Figure 4, the calculation operation includes at least one calculation action, and the calculation result includes at least one intermediate result, wherein each calculation action corresponds to one intermediate result;
[0117] The calculation verification unit 32 includes:
[0118] The digest calculation module 321 can be used in the computing environment to obtain the intermediate results corresponding to the computing behavior according to a preset rule each time the metadata is subjected to the computing behavior, and to perform digest calculation on each intermediate result to obtain intermediate result verification information; wherein, the preset rule can be used to filter the intermediate results corresponding to all computing behaviors according to the security level of the metadata after obtaining them, to obtain a target number of intermediate results, or the preset rule can also be used to determine the target number based on the security level of the metadata, and to obtain the intermediate results according to the target number;
[0119] The first determining module 322 can be used to compare the intermediate result verification information obtained by the digest calculation module 321 with the preset verification information, and when they match, determine that the calculation behavior has passed the verification, until all calculation behaviors have passed the verification, determine that the calculation result has passed the calculation verification, and determine the intermediate result corresponding to the last calculation behavior as the descendant metadata according to the execution order between the calculation behaviors.
[0120] The second determining module 323 can be used to determine that the calculation behavior corresponding to the intermediate result verification information is an abnormal calculation behavior and delete the corresponding intermediate result when the intermediate result verification information obtained by the digest calculation module 321 does not match the preset verification information.
[0121] Furthermore, as shown in Figure 4, the calculation verification unit 32 can also be used to encrypt and encapsulate the descendant metadata to obtain second encapsulated data, and transmit the second encapsulated data and second feature information to the application environment. The second feature information is used to characterize the content characteristics of the descendant metadata. The second feature information includes at least one of the following: attribute information of the descendant metadata, description information of the descendant metadata, and information characterizing the environment in which the descendant metadata is allowed to be operated.
[0122] The device further includes:
[0123] The second determining unit 39 can be used to decrypt and unpack the second encapsulated data obtained by the calculation verification unit 32 to obtain the second unpacked data, and determine whether the descendant metadata in the second unpacked data matches the second feature information;
[0124] The second matching unit 40 can be used to perform a digest calculation on the descendant metadata in the second unsealed data obtained by the second determining unit 39, if it is determined that the descendant metadata matches the second feature information, to obtain a second digest result, and to match it with the trusted credential of the descendant metadata recorded in the computing environment; wherein, the trusted credential of the descendant metadata is obtained by performing a digest calculation on the descendant metadata after obtaining the descendant metadata in the computing environment;
[0125] The application verification unit 33 can also be used to perform application verification on the data user subject performing application operations on the descendant metadata in the application environment, when the second matching unit 40 determines that the second digest result matches the trusted credential of the descendant metadata.
[0126] Furthermore, as shown in Figure 4, the application verification unit 33 includes:
[0127] The first determining module 331 can be used in the application environment to monitor the application subject using the descendant metadata, and determine whether the data user subject has changed when the application operation is performed based on the application subject.
[0128] The matching module 332 can be used to record the identity information of the changed application subject if the first determining module 331 determines that the data user subject has changed when the application operation is performed, and to filter the identity information through a preset strategy and match the filtered identity information with the preset identity information; the preset strategy can be used to set the number of identity information to be matched with the preset identity information according to the security level of the descendant metadata.
[0129] The second determining module 333 can be used to determine that the data user has passed the application verification if the matching module 332 determines that the filtered identity information matches the preset identity information;
[0130] The device further includes:
[0131] The generation unit 41 can be used to determine that the descendant metadata has been used abnormally if the application verification unit 33 determines that the filtered identity information does not match the preset identity information, and to generate and store alarm information.
[0132] Furthermore, as shown in Figure 4, the device further includes:
[0133] The first execution unit 42 can be used to, when the first determining unit 37 determines that the metadata in the first unsealed data does not match the first feature information, acquire the first encapsulated data temporarily stored in the data exchange environment and the temporarily stored synchronously transmitted first feature information, perform a first verification on the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information, and execute a first target operation based on the first verification result; wherein, the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information are temporarily stored when the first encapsulated data and the synchronously transmitted first feature information are sent from the generation environment to the computing environment through the data exchange environment; the first verification can be used to verify the metadata in the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information respectively through the metadata trusted credentials stored in a preset repository; the first feature information trusted credentials are obtained by performing digest calculation on the first feature information after determining the first feature information corresponding to the metadata in the generation environment; the first target operation includes controlling the generation environment to regenerate the metadata when the first verification result is that the verification fails.
[0134] The second execution unit 43 can be used to, when the first matching unit 38 determines that the first digest result does not match the metadata trusted credential, acquire the first encapsulated data and the synchronously transmitted first feature information temporarily stored in the data exchange environment, perform the first verification on the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information, and execute the first target operation based on the first verification result.
[0135] The third execution unit 44 can be used to, when the second determining unit 39 determines that the descendant metadata in the second unsealed data does not match the second feature information, acquire the second encapsulated data temporarily stored in the data exchange environment and the temporarily stored synchronously sent second feature information, perform a second verification on the temporarily stored second encapsulated data and the temporarily stored synchronously sent second feature information, and execute a second target operation based on the second verification result; wherein, the temporarily stored second encapsulated data and the temporarily stored synchronously sent second feature information are temporarily stored when the second encapsulated data and the synchronously sent second feature information are sent from the computing environment to the application environment through the data exchange environment; the second verification can be used to verify the metadata in the temporarily stored second encapsulated data and the temporarily stored synchronously sent second feature information respectively through the descendant metadata trusted credentials stored in a preset repository; the second target operation includes controlling the generation environment to regenerate the metadata when the second verification result is that the verification fails.
[0136] The fourth execution unit 45 can be used to, when the second matching unit 40 determines that the second digest result does not match the trusted credential of the descendant metadata, acquire the second encapsulated data and the synchronously sent second feature information temporarily stored in the data exchange environment, perform the second verification on the temporarily stored second encapsulated data and the temporarily stored synchronously sent second feature information, and execute the second target operation based on the second verification result.
[0137] To achieve the above objectives, according to another aspect of this application, an embodiment of this application also provides a storage medium, the storage medium including a stored program, wherein, when the program is executed, it controls the device where the storage medium is located to perform the trusted data processing method described above.
[0138] To achieve the above objectives, according to another aspect of this application, an embodiment of this application also provides a trusted data processing apparatus, the apparatus including a storage medium; and one or more processors, the storage medium being coupled to the processors, the processors being configured to execute program instructions stored in the storage medium; the program instructions, when executed, perform the trusted data processing method described above.
[0139] This application provides a method and apparatus for processing trusted data. First, after metadata is generated in a generation environment, it is transmitted to a computing environment. Then, in the computing environment, the computational result of the metadata is verified. After the computational result passes verification, the descendant metadata is transmitted to an application environment. The descendant metadata is obtained by processing the metadata through the computational operation. Finally, in the application environment, the data user subject performing the application operation on the descendant metadata undergoes application verification. After the data user subject passes application verification, the descendant metadata is stored, thereby realizing the trusted data processing function. Compared to existing technologies, this application verifies the trusted data processing process from both computational and application dimensions. This avoids the possibility of tampering during the computation and application processes, thus improving the trustworthiness of the trusted data. Simultaneously, by verifying the results of the computational operation in the computing environment, it ensures that the metadata is correctly computed during computation, preventing tampering during the computation process and laying the foundation for improved trustworthiness of the trusted data during computation. In addition, verifying the data user of the descendant metadata in the application environment ensures that when the descendant metadata is used, the user is the correct entity, thus avoiding the risk of data leakage caused by the data being used by parties other than the legitimate users of the descendant metadata.
[0140] The trusted data processing device includes a processor and a memory. The aforementioned transmission unit, calculation verification unit, application verification unit, etc., are all stored in the memory as program units, and the processor executes the aforementioned program units stored in the memory to realize the corresponding functions.
[0141] The processor contains a kernel, which retrieves the corresponding program units from memory. One or more kernels can be configured, and by adjusting kernel parameters, a trusted data processing method can be implemented to address the problem of low reliability of trusted data obtained from existing trusted data processing procedures.
[0142] This application provides a trusted data processing device, the device including a storage medium and one or more processors, the storage medium being coupled to the processors, the processors being configured to execute program instructions stored in the storage medium; the program instructions, when executed, perform the trusted data processing method described in any of the preceding claims.
[0143] This application provides a storage medium that includes a stored program, wherein the program, when running, controls the device where the storage medium is located to execute the aforementioned trusted data processing method.
[0144] Storage media may include non-permanent memory in the form of computer-readable media, random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM, and the memory includes at least one memory chip.
[0145] This application provides an apparatus including a processor, a memory, and a program stored in the memory and executable on the processor. When the processor executes the program, it performs the following steps: after metadata is generated in a generation environment, the metadata is transferred to a computing environment; in the computing environment, the computational result of the metadata is verified, and after the computational result passes verification, the descendant metadata is transferred to an application environment, where the descendant metadata is obtained after the computational operation; in the application environment, the data user subject performing application operations on the descendant metadata undergoes application verification, and after the data user subject passes application verification, the descendant metadata is stored.
[0146] Optionally, the method further includes:
[0147] Before the metadata is generated, the generation environment is verified using a preset trusted third-party device, and the metadata is generated in the generation environment after the verification is passed; wherein, the generation environment verification is used to perform a first trusted verification on the device to which the generation environment belongs using the trusted third-party device; the first trusted verification is used to verify whether the device identity and data management policy of the device reserved for generating metadata match the device identity and data management policy of the device to which the generation environment belongs;
[0148] And / or,
[0149] Before performing calculations on the metadata, the computing environment is verified using the preset trusted third-party device, so that the calculation operation is performed after the computing environment verification is successful. The computing environment verification involves using the trusted third-party device to perform a second trusted verification on the device to which the computing environment belongs. The second trusted verification verifies whether the device identity and data management policy of the device reserved for computing the metadata match the device identity and data management policy of the device to which the computing environment belongs.
[0150] And / or,
[0151] Before performing application operations on the descendant metadata, the application environment is verified using the preset trusted third-party device, so that the application operation is executed after the application environment verification is successful. The application environment verification involves using the trusted third-party device to perform a third trusted verification on the device to which the application environment belongs. The third trusted verification verifies whether the device identity and data management policy of the device reserved for applying the metadata match the device identity and data management policy of the device to which the application environment belongs.
[0152] Optionally, transferring the metadata to the computing environment includes:
[0153] The metadata and associated information are encrypted and encapsulated to obtain first encapsulated data, and the first encapsulated data and first feature information are transmitted to the computing environment; wherein, the associated information includes at least a trust policy, wherein the trust policy is used to verify whether the device in the computing environment allows computing operations, and the first feature information is used to characterize the content characteristics of the metadata; the first feature information includes at least one of: attribute information of the metadata, description information of the metadata, and information characterizing the environment in which the metadata is allowed to be operated;
[0154] Before verifying the computation result after performing computation operations on the metadata in the computing environment, the method further includes:
[0155] The first encapsulated data is decrypted and decapsulated to obtain the first decapsulated data. When the trust policy in the first decapsulated data determines that the device to which the computing environment belongs is a device that is allowed to perform computing operations, it is determined whether the metadata in the first decapsulated data matches the first feature information.
[0156] If they match, a digest calculation is performed on the metadata to obtain a first digest result, which is then matched with the metadata trusted credential recorded in the generation environment; wherein, the metadata trusted credential is obtained by performing a digest calculation on the metadata after it is generated in the generation environment.
[0157] The calculation verification of the calculation results after performing calculation operations on the metadata in the computing environment includes:
[0158] When it is determined that the first digest result matches the metadata trusted credential, calculation verification is performed in the computing environment on the calculation result obtained after performing the calculation operation on the metadata.
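The generation-to-computing hand-off of paragraphs [0152] to [0158], written as an added example rather than code from the patent. SHA-256 stands in for the unspecified digest calculation and a keyed keystream with an HMAC tag stands in for the unspecified encrypt-and-encapsulate step; the metadata, feature information, trust policy and device names are constructed.

```python
"""Added example: generation -> computing hand-off of [0152]-[0158].
Assumptions (not from the patent): SHA-256 as the digest calculation, a
SHA-256 counter keystream plus HMAC as the encrypt-and-encapsulate step,
and the constructed metadata, feature information and trust policy below."""
import hashlib
import hmac
import json
import secrets

# Constructed sample data; every value is made up for the demonstration.
METADATA = {"dataset": "sensor-batch-17", "rows": 1200, "owner": "lab-A"}
FIRST_FEATURE_INFO = {                     # "content characteristics" of the metadata
    "attributes": {"owner": "lab-A"},      # attribute information that must agree
    "description": "hourly sensor aggregates",
    "allowed_environment": "computing-node-01",  # where operation is permitted
}
TRUST_POLICY = {"allowed_compute_devices": ["computing-node-01"]}
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(obj) -> bytes:
    """Stable serialisation so both environments digest identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    """The page's 'digest calculation'; SHA-256 is an assumption."""
    return hashlib.sha256(canonical(obj)).hexdigest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream). Demo only, not a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def generation_environment(metadata, feature_info, trust_policy, key):
    """[0153]: record the metadata trusted credential, then encrypt and
    encapsulate the metadata together with its associated information (the
    trust policy). Returns (credential kept locally, first encapsulated data)."""
    credential = digest(metadata)
    plaintext = canonical({"metadata": metadata,
                           "associated": {"trust_policy": trust_policy}})
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return credential, {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag}


def computing_environment_precheck(encapsulated, feature_info, key, device_id, credential):
    """[0155]-[0158]: decrypt/decapsulate, trust-policy check, feature-information
    match, then first digest result against the metadata trusted credential.
    Returns (ok, reason, metadata or None); computation may proceed only when ok."""
    nonce = bytes.fromhex(encapsulated["nonce"])
    ciphertext = bytes.fromhex(encapsulated["ciphertext"])
    expected_tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, encapsulated["tag"]):
        return False, "decapsulation failed: integrity tag mismatch", None
    unsealed = json.loads(keystream_xor(key, nonce, ciphertext))
    if device_id not in unsealed["associated"]["trust_policy"]["allowed_compute_devices"]:
        return False, "trust policy does not allow computation on this device", None
    metadata = unsealed["metadata"]
    # Feature match: declared attributes must agree and this device must be
    # the environment in which the metadata is allowed to be operated.
    attrs_ok = all(metadata.get(k) == v for k, v in feature_info["attributes"].items())
    env_ok = feature_info["allowed_environment"] == device_id
    if not (attrs_ok and env_ok):
        return False, "metadata does not match first feature information", None
    first_digest = digest(metadata)
    if not hmac.compare_digest(first_digest, credential):
        return False, "first digest result does not match metadata trusted credential", None
    return True, "ok", metadata


if __name__ == "__main__":
    cred, enc = generation_environment(METADATA, FIRST_FEATURE_INFO, TRUST_POLICY, SHARED_KEY)
    print(computing_environment_precheck(enc, FIRST_FEATURE_INFO, SHARED_KEY,
                                         "computing-node-01", cred))
```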
[0159] Optionally, the calculation operation includes at least one calculation action, and the calculation result includes at least one intermediate result, wherein each calculation action corresponds to one intermediate result;
[0160] The calculation verification of the calculation result after performing calculation operations on the metadata in the computing environment includes:
[0161] In the computing environment, each time the metadata is used to perform a computing action, the intermediate result corresponding to the computing action is obtained according to a preset rule, and a digest calculation is performed on each intermediate result to obtain intermediate result verification information; wherein, the preset rule is used to filter the intermediate results corresponding to all computing actions according to the security level of the metadata to obtain a target number of intermediate results, or the preset rule is used to determine the target number based on the security level of the metadata and to obtain the intermediate results according to the target number;
[0162] The intermediate result verification information is compared with the preset verification information. When a match is found, the calculation behavior is determined to have passed the verification. This process continues until all calculation behaviors have passed the verification. Then, the calculation result is determined to have passed the calculation verification. The intermediate result corresponding to the last calculation behavior is determined as the descendant metadata according to the execution order between the calculation behaviors.
[0163] When it is determined that the intermediate result verification information does not match the preset verification information, the calculation behavior corresponding to the intermediate result verification information is determined to be an abnormal calculation behavior, and the corresponding intermediate result is deleted.
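Paragraphs [0159] to [0163] as an added example, not the patent's code: a three-action calculation operation whose intermediate results are digested and compared with preset verification information, with the security level deciding how many of them are checked. SHA-256, the sample actions and the level-to-count mapping are assumptions.

```python
"""Added example: the per-action calculation verification of [0159]-[0163].
Assumptions (not from the patent): SHA-256 as the digest calculation, three
constructed calculation actions, and a preset rule that maps the security
level to a target number of intermediate results (the second form in [0161]).
Because a deleted intermediate result is the input of the next action, the
operation stops at the first abnormal action."""
import hashlib
import json
from typing import Callable, Dict, List, Tuple


def digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


# Constructed calculation operation: three calculation actions in execution order.
def normalise(md):
    return {**md, "values": [v / 10 for v in md["values"]]}


def aggregate(md):
    return {**md, "total": sum(md["values"])}


def label(md):
    return {**md, "label": "high" if md["total"] > 5 else "low"}


CALCULATION_ACTIONS: List[Tuple[str, Callable]] = [
    ("normalise", normalise), ("aggregate", aggregate), ("label", label)]

# Preset rule: a higher security level means more intermediate results are checked.
TARGET_COUNT_BY_LEVEL = {"low": 1, "medium": 2, "high": 3}


def select_actions_to_verify(security_level: str, actions) -> List[str]:
    """Take the last `target` actions, so the result that becomes the descendant
    metadata is always among those verified."""
    target = TARGET_COUNT_BY_LEVEL[security_level]
    return [name for name, _ in actions][-target:]


def preset_verification_info(metadata, actions) -> Dict[str, str]:
    """The page's 'preset verification information': digests of the intermediate
    results from a trusted reference run of the same actions."""
    info, current = {}, metadata
    for name, fn in actions:
        current = fn(current)
        info[name] = digest(current)
    return info


def calculation_verification(metadata, actions, security_level, preset_info):
    """Run the actions, digest the selected intermediate results and compare each
    with the preset verification information.
    Returns (passed, descendant metadata or None, abnormal action names)."""
    to_verify = set(select_actions_to_verify(security_level, actions))
    intermediate: Dict[str, dict] = {}
    current = metadata
    for name, fn in actions:
        current = fn(current)
        intermediate[name] = current
        if name in to_verify and digest(current) != preset_info[name]:
            del intermediate[name]                  # [0163]: delete the abnormal result
            return False, None, [name]
    # [0162]: every verified action passed; the last result is the descendant metadata.
    return True, intermediate[actions[-1][0]], []


def tampered_actions():
    """Constructed tampering: the aggregate action silently adds 1 to the total."""
    return [(n, (lambda md: {**md, "total": sum(md["values"]) + 1}) if n == "aggregate" else f)
            for n, f in CALCULATION_ACTIONS]


SAMPLE_METADATA = {"id": "m1", "values": [10, 20, 30]}   # constructed input
```

At security level "low" only the final result is checked, so the tampered aggregate is caught one action later than at level "high".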
[0164] Optionally, transmitting the descendant metadata to the application environment includes:
[0165] The descendant metadata is encrypted and encapsulated to obtain second encapsulated data, and the second encapsulated data and second feature information are transmitted to the application environment. The second feature information is used to characterize the content characteristics of the descendant metadata. The second feature information includes at least one of the following: attribute information of the descendant metadata, description information of the descendant metadata, and information characterizing the environment in which the descendant metadata is allowed to be operated.
[0166] Before performing application verification on the data user subject when performing application operations on the descendant metadata in the application environment, the method further includes:
[0167] The second encapsulated data is decrypted and decapsulated to obtain the second decapsulated data, and it is determined whether the descendant metadata in the second decapsulated data matches the second feature information;
[0168] If they match, the descendant metadata is digested to obtain a second digest result, which is then matched with the trusted credential of the descendant metadata recorded in the computing environment; wherein, the trusted credential of the descendant metadata is obtained by digesting the descendant metadata after obtaining it in the computing environment.
[0169] In the application environment, the data user subject performing application operations on the descendant metadata undergoes application verification, including:
[0170] When it is determined that the second digest result matches the trusted credential of the descendant metadata, application verification is performed on the data user subject performing application operations on the descendant metadata in the application environment.
[0171] Optionally, in the application environment, the application verification of the data user subject when performing application operations on the descendant metadata includes:
[0172] In the application environment, the application subject using the descendant metadata is monitored, and based on the application subject, it is determined whether the data user subject has changed when the application operation is performed;
[0173] If a change occurs, the identity information of the application subject after the change is recorded, and the identity information is filtered through a preset strategy. The filtered identity information is then matched with the preset identity information. The preset strategy is used to set the number of identity information to be matched with the preset identity information according to the security level of the descendant metadata.
[0174] If a match is found, it is determined that the data user has passed the application verification.
[0175] After the data user passes application verification and the descendant metadata is stored, the method further includes:
[0176] If it is determined that the filtered identity information does not match the preset identity information, then it is determined that the descendant metadata has been used abnormally, and an alarm message is generated and stored.
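The application verification of paragraphs [0171] to [0176] as an added example, not code from the patent: the application subject is monitored across operations, and a subject change triggers recording, filtering by security level and matching against preset identity information, with a stored alarm on mismatch. The identity fields, levels and event sequence are constructed, and the first subject observed is verified the same way as a change.

```python
"""Added example: application verification of [0171]-[0176].
Assumptions (not from the patent): the identity fields, the level-to-field-count
strategy, the constructed event sequence, and verifying the first subject seen."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Preset identity information of the subject permitted to use the descendant metadata.
PRESET_IDENTITY = {"user_id": "analyst-07", "device_id": "ws-1142",
                   "org_unit": "lab-A", "role": "analyst"}
# Preset strategy: ordered identity fields, and how many must match per security level.
IDENTITY_FIELD_ORDER = ["user_id", "device_id", "org_unit", "role"]
FIELDS_TO_MATCH_BY_LEVEL = {"low": 1, "medium": 2, "high": 4}


@dataclass
class ApplicationVerifier:
    security_level: str
    current_subject: Optional[Dict[str, str]] = None
    recorded_identities: List[Dict[str, str]] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)      # stored alarm information

    def filter_identity(self, identity: Dict[str, str]) -> Dict[str, Optional[str]]:
        """Preset strategy: keep only as many identity fields as the level requires."""
        n = FIELDS_TO_MATCH_BY_LEVEL[self.security_level]
        return {k: identity.get(k) for k in IDENTITY_FIELD_ORDER[:n]}

    def on_application_operation(self, subject: Dict[str, str], operation: str) -> bool:
        """Monitor the application subject for one operation; return whether the
        data user subject passes application verification."""
        if self.current_subject is not None and subject == self.current_subject:
            return True                               # no change of subject: nothing new to verify
        self.recorded_identities.append(dict(subject))  # [0173]: record the changed identity
        filtered = self.filter_identity(subject)
        if filtered == self.filter_identity(PRESET_IDENTITY):
            self.current_subject = dict(subject)      # [0174]: verified, adopt as current subject
            return True
        # [0176]: abnormal use of the descendant metadata; generate and store alarm information.
        self.alarms.append(f"abnormal use during {operation!r}: subject {filtered} "
                           f"does not match preset identity information")
        return False


# Constructed session: the same user continues from a different device on the third operation.
CONSTRUCTED_EVENTS = [
    ({"user_id": "analyst-07", "device_id": "ws-1142", "org_unit": "lab-A", "role": "analyst"}, "open"),
    ({"user_id": "analyst-07", "device_id": "ws-1142", "org_unit": "lab-A", "role": "analyst"}, "aggregate"),
    ({"user_id": "analyst-07", "device_id": "ws-9999", "org_unit": "lab-A", "role": "analyst"}, "export"),
]


def run_application_session(security_level: str):
    """Replay the constructed events; returns (per-operation outcomes, alarms, recorded identities)."""
    verifier = ApplicationVerifier(security_level)
    outcomes = [verifier.on_application_operation(s, op) for s, op in CONSTRUCTED_EVENTS]
    return outcomes, verifier.alarms, verifier.recorded_identities
```

At level "low" only the user id is matched, so the device change passes; at "medium" the device id is also matched and the export operation raises an alarm.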
[0177] Optionally, the method further includes:
[0178] When it is determined that the metadata in the first unsealed data does not match the first feature information, the first encapsulated data and the first feature information temporarily stored in the data exchange environment are acquired, a first verification is performed on the temporarily stored first encapsulated data and the temporarily stored first feature information, and a first target operation is executed based on the first verification result. The temporarily stored first encapsulated data and the temporarily stored first feature information are temporarily stored in the data exchange environment when the first encapsulated data and the first feature information are sent from the generation environment to the computing environment. The first verification is used to verify the metadata in the temporarily stored first encapsulated data using the metadata trusted credential stored in a preset repository, and to verify the temporarily stored first feature information using the first feature information trusted credential stored in the preset repository. The first feature information trusted credential is obtained by performing a digest calculation on the first feature information after determining the first feature information corresponding to the metadata in the generation environment. The first target operation includes controlling the generation environment to regenerate the metadata when the first verification result is that the verification fails.
[0179] And / or,
[0180] When it is determined that the first digest result does not match the metadata trusted credential, the first encapsulated data and the synchronously transmitted first feature information temporarily stored in the data exchange environment are acquired, the first verification is performed on the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information, and the first target operation is executed based on the first verification result.
[0181] And / or,
[0182] When it is determined that the descendant metadata in the second unsealed data does not match the second feature information, the second encapsulated data and the second feature information temporarily stored in the data exchange environment are acquired, and a second verification is performed on the temporarily stored second encapsulated data and the temporarily stored second feature information. Based on the second verification result, a second target operation is executed. The temporarily stored second encapsulated data and the temporarily stored second feature information are temporarily stored when the second encapsulated data and the second feature information are sent from the computing environment to the application environment through the data exchange environment. The second verification is used to verify the descendant metadata in the temporarily stored second encapsulated data using the trusted credential of the descendant metadata stored in a preset repository, and to verify the temporarily stored second feature information using the trusted credential of the second feature information stored in the preset repository. The trusted credential of the second feature information is obtained by performing a digest calculation on the second feature information after determining the second feature information corresponding to the descendant metadata in the computing environment. The second target operation includes controlling the generation environment to regenerate the metadata when the second verification result is that the verification fails.
[0183] And / or,
[0184] When it is determined that the second digest result does not match the trusted credential of the descendant metadata, the second encapsulated data and the synchronously sent second feature information temporarily stored in the data exchange environment are acquired, the second verification is performed on the temporarily stored second encapsulated data and the temporarily stored synchronously sent second feature information, and the second target operation is executed based on the second verification result.
[0185] This application also provides a computer program product that can perform the corresponding functions, including: after metadata is generated in a generation environment, transferring the metadata to a computing environment; in the computing environment, performing computational verification on the computational results of the metadata, and after the computational results pass the computational verification, transferring the descendant metadata to an application environment, wherein the descendant metadata is obtained by performing the computational operation on the metadata; in the application environment, performing application verification on the data user subject when performing application operations on the descendant metadata, and storing the descendant metadata after the data user subject passes the application verification.
[0186] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0187] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each flow and / or block of the flowchart illustrations and / or block diagrams, and combinations of flows and / or blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.
[0188] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.
[0189] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.
[0190] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0191] Memory may include non-persistent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0192] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transitory computer-readable media, such as modulated data signals and carrier waves.
[0193] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0195] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
Claims
1. A method of processing trusted data, characterized in that the method includes:

after metadata is generated in the generation environment, transmitting the metadata to the computing environment;

in the computing environment, performing calculation verification on the calculation result obtained by performing a calculation operation on the metadata, and, after the calculation result passes the calculation verification, transmitting descendant metadata to the application environment, wherein the descendant metadata is obtained by performing the calculation operation on the metadata;

in the application environment, performing application verification on the data user subject when it performs an application operation on the descendant metadata, and storing the descendant metadata after the data user subject passes the application verification;

the method further includes: before the metadata is generated, verifying the generation environment using a preset trusted third-party device, and generating the metadata in the generation environment after the generation environment verification is passed; wherein the generation environment verification is used to perform a first trusted verification on the device to which the generation environment belongs using the trusted third-party device, and the first trusted verification is used to verify whether the device identity and data management policy reserved for the device that generates the metadata match the device identity and data management policy of the device to which the generation environment belongs;

the calculation operation includes at least one calculation action, and the calculation result includes at least one intermediate result, wherein each calculation action corresponds to one intermediate result;

performing calculation verification in the computing environment on the calculation result obtained by performing the calculation operation on the metadata includes: in the computing environment, each time a calculation action is performed on the metadata, obtaining the intermediate result corresponding to that calculation action according to a preset rule, and performing a digest calculation on each obtained intermediate result to obtain intermediate result verification information; wherein the preset rule is used to filter the intermediate results corresponding to all calculation actions according to the security level of the metadata so as to obtain a target number of intermediate results, or the preset rule is used to determine the target number according to the security level of the metadata and to obtain the intermediate results according to the target number; comparing the intermediate result verification information with preset verification information and, when they match, determining that the calculation action has passed verification; after all calculation actions have passed verification, determining that the calculation result has passed the calculation verification, and determining, according to the execution order of the calculation actions, the intermediate result corresponding to the last calculation action as the descendant metadata; and when it is determined that the intermediate result verification information does not match the preset verification information, determining that the calculation action corresponding to that intermediate result verification information is an abnormal calculation action and deleting the corresponding intermediate result;

performing application verification in the application environment on the data user subject when it performs the application operation on the descendant metadata includes: in the application environment, monitoring the application subject that uses the descendant metadata and, based on the application subject, determining whether the data user subject has changed when the application operation is performed; if a change has occurred, recording the identity information of the changed application subject, filtering the identity information through a preset strategy, and matching the filtered identity information against preset identity information, wherein the preset strategy is used to set, according to the security level of the descendant metadata, the number of items of identity information to be matched against the preset identity information; and if they match, determining that the data user subject has passed the application verification;

after the data user subject passes the application verification and the descendant metadata is stored, the method further includes: if it is determined that the filtered identity information does not match the preset identity information, determining that the descendant metadata has been used abnormally, and generating and storing alarm information.
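The calculation verification and application verification of claim 1, worked through as an added example (this is not code from the patent or its assignee). The mapping from security level to the target number of checked intermediate results, the identity-information items to match, the sample metadata, the three calculation actions and the subjects are all constructed assumptions; SHA-256 over canonical JSON stands in for the unspecified digest calculation. The block also shows the case the claim reserves for a mismatch: the abnormal calculation action is recorded and its intermediate result deleted, and a changed application subject that fails matching yields alarm information.

```python
import hashlib
import json

# Constructed preset rule (an assumption; the claims do not fix the mapping): how many
# intermediate results are digested and checked per security level. None = all of them.
CHECK_COUNT_BY_LEVEL = {"low": 1, "medium": 2, "high": None}

# Constructed preset strategy (assumption): which identity-information items of a changed
# application subject must match the preset identity information, per security level.
IDENTITY_FIELDS_BY_LEVEL = {
    "low": ["user_id"],
    "medium": ["user_id", "device_id"],
    "high": ["user_id", "device_id", "org"],
}


def digest(value) -> str:
    """Digest calculation over a canonical JSON encoding (SHA-256)."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def checked_indices(action_count: int, security_level: str) -> list:
    """Preset rule: the target number of intermediate results, taken from the end of the
    execution order so the last one (the future descendant metadata) is always checked."""
    n = CHECK_COUNT_BY_LEVEL[security_level]
    if n is None or n >= action_count:
        return list(range(action_count))
    return list(range(action_count - n, action_count))


def build_preset_verification(metadata, actions, security_level) -> dict:
    """Reference run in a known-good environment that yields the preset verification
    information: calculation-action index -> expected digest of its intermediate result."""
    preset, value = {}, metadata
    for i, action in enumerate(actions):
        value = action(value)
        if i in checked_indices(len(actions), security_level):
            preset[i] = digest(value)
    return preset


def verify_computation(metadata, actions, preset, security_level) -> dict:
    """Calculation verification: run each calculation action, digest the selected
    intermediate results and compare with the preset verification information.
    A mismatch marks the action abnormal and deletes its intermediate result."""
    to_check = set(checked_indices(len(actions), security_level))
    value, abnormal = metadata, []
    for i, action in enumerate(actions):
        value = action(value)
        if i in to_check and digest(value) != preset.get(i):
            abnormal.append(i)
            value = None  # the untrusted intermediate result is deleted
            break
    passed = not abnormal
    # By execution order, the last intermediate result is the descendant metadata.
    return {"passed": passed, "descendant": value if passed else None, "abnormal_actions": abnormal}


def verify_application(data_user, application_subject, preset_identity, security_level) -> dict:
    """Application verification: when the subject applying the descendant metadata differs
    from the registered data user subject, filter its identity information by the preset
    strategy and match it against the preset identity information; a mismatch is abnormal
    use and produces alarm information to be stored."""
    if application_subject == data_user:
        return {"verified": True, "changed": False, "alarm": None}
    fields = IDENTITY_FIELDS_BY_LEVEL[security_level]
    filtered = {k: application_subject.get(k) for k in fields}
    if all(filtered[k] == preset_identity.get(k) for k in fields):
        return {"verified": True, "changed": True, "alarm": None}
    return {"verified": False, "changed": True,
            "alarm": {"event": "abnormal_use_of_descendant_metadata", "subject": filtered}}


# Constructed sample data: one metadata record and a three-action calculation operation.
METADATA = {"record_id": "constructed-001", "values": [3, 1, 2]}
ACTIONS = [
    lambda m: {**m, "values": sorted(m["values"])},                      # action 0: normalise
    lambda m: {**m, "values": [v * 10 for v in m["values"]]},            # action 1: scale
    lambda m: {"record_id": m["record_id"], "total": sum(m["values"])},  # action 2: aggregate
]
# The same pipeline with action 1 tampered (adds 1 to every scaled value).
TAMPERED_ACTIONS = [ACTIONS[0], lambda m: {**m, "values": [v * 10 + 1 for v in m["values"]]}, ACTIONS[2]]

DATA_USER = {"user_id": "u-1001", "device_id": "dev-A", "org": "lab-1"}
PRESET_IDENTITY = dict(DATA_USER)
OTHER_SUBJECT = {"user_id": "u-1001", "device_id": "dev-A", "org": "contractor"}

if __name__ == "__main__":
    preset = build_preset_verification(METADATA, ACTIONS, "high")
    print(verify_computation(METADATA, ACTIONS, preset, "high"))
    print(verify_computation(METADATA, TAMPERED_ACTIONS, preset, "high"))
    print(verify_application(DATA_USER, OTHER_SUBJECT, PRESET_IDENTITY, "high"))
```

At security level "high" every intermediate result is digested, so the tampered action 1 is caught at the action where it happens; at level "low" only the final result is checked, so the same tampering is detected only at action 2, which is the trade-off the security-level rule encodes. The application-verification half shows that the same changed subject passes at level "medium" (two items matched) but raises alarm information at level "high" (three items matched).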
2. The method of claim 1, wherein the method further includes:

before the calculation operation is performed on the metadata, verifying the computing environment using the preset trusted third-party device, so that the calculation operation is performed after the computing environment verification is passed; wherein the computing environment verification is used to perform a second trusted verification on the device to which the computing environment belongs using the trusted third-party device, and the second trusted verification is used to verify whether the device identity and data management policy reserved for the device that computes the metadata match the device identity and data management policy of the device to which the computing environment belongs;

before the application operation is performed on the descendant metadata, verifying the application environment using the preset trusted third-party device, so that the application operation is performed after the application environment verification is passed; wherein the application environment verification is used to perform a third trusted verification on the device to which the application environment belongs using the trusted third-party device, and the third trusted verification is used to verify whether the device identity and data management policy reserved for the device that applies the metadata match the device identity and data management policy of the device to which the application environment belongs.
3. The method of claim 1, wherein transmitting the metadata to the computing environment includes:

encrypting and encapsulating the metadata and associated information to obtain first encapsulated data, and transmitting the first encapsulated data and first feature information to the computing environment; wherein the associated information includes at least a trust policy, the trust policy is used to verify whether the device to which the computing environment belongs is allowed to perform the calculation operation, and the first feature information is used to characterize the content characteristics of the metadata, the first feature information including at least one of: attribute information of the metadata, description information of the metadata, and information characterizing the environment in which the metadata is allowed to be operated on;

before performing calculation verification in the computing environment on the calculation result obtained by performing the calculation operation on the metadata, the method further includes: decrypting and decapsulating the first encapsulated data to obtain first decapsulated data; when the trust policy in the first decapsulated data determines that the device to which the computing environment belongs is allowed to perform the calculation operation, determining whether the metadata in the first decapsulated data matches the first feature information; and if they match, performing a digest calculation on the metadata to obtain a first digest result and matching the first digest result against the metadata trust credential recorded in the generation environment, wherein the metadata trust credential is obtained by performing a digest calculation on the metadata after the metadata is generated in the generation environment;

performing calculation verification in the computing environment on the calculation result obtained by performing the calculation operation on the metadata includes: when it is determined that the first digest result matches the metadata trust credential, performing calculation verification in the computing environment on the calculation result obtained by performing the calculation operation on the metadata.
4. The method of claim 3, wherein transmitting the descendant metadata to the application environment includes:

encrypting and encapsulating the descendant metadata to obtain second encapsulated data, and transmitting the second encapsulated data and second feature information to the application environment; wherein the second feature information is used to characterize the content characteristics of the descendant metadata, the second feature information including at least one of: attribute information of the descendant metadata, description information of the descendant metadata, and information characterizing the environment in which the descendant metadata is allowed to be operated on;

before performing application verification in the application environment on the data user subject when it performs the application operation on the descendant metadata, the method further includes: decrypting and decapsulating the second encapsulated data to obtain second decapsulated data, and determining whether the descendant metadata in the second decapsulated data matches the second feature information; and if they match, performing a digest calculation on the descendant metadata to obtain a second digest result and matching the second digest result against the descendant metadata trust credential recorded in the computing environment, wherein the descendant metadata trust credential is obtained by performing a digest calculation on the descendant metadata after the descendant metadata is obtained in the computing environment;

performing application verification in the application environment on the data user subject when it performs the application operation on the descendant metadata includes: when it is determined that the second digest result matches the descendant metadata trust credential, performing application verification in the application environment on the data user subject when it performs the application operation on the descendant metadata.
5. The method of claim 4, wherein the method further includes:

when it is determined that the metadata in the first decapsulated data does not match the first feature information, obtaining the first encapsulated data and the first feature information temporarily stored in the data exchange environment, performing a first verification on the temporarily stored first encapsulated data and the temporarily stored first feature information, and executing a first target operation based on the result of the first verification; wherein the temporarily stored first encapsulated data and the temporarily stored first feature information are stored temporarily when the first encapsulated data and the first feature information pass through the data exchange environment on their way from the generation environment to the computing environment; the first verification is used to verify the metadata in the temporarily stored first encapsulated data using the metadata trust credential stored in a preset repository, and to verify the temporarily stored first feature information using the first feature information trust credential stored in the preset repository; the first feature information trust credential is obtained by performing a digest calculation on the first feature information after the first feature information corresponding to the metadata is determined in the generation environment; and the first target operation includes controlling the generation environment to regenerate the metadata when the result of the first verification is a verification failure;

when it is determined that the first digest result does not match the metadata trust credential, obtaining the first encapsulated data and the synchronously transmitted first feature information temporarily stored in the data exchange environment, performing the first verification on the temporarily stored first encapsulated data and the temporarily stored synchronously transmitted first feature information, and executing the first target operation based on the result of the first verification;

when it is determined that the descendant metadata in the second decapsulated data does not match the second feature information, obtaining the second encapsulated data and the second feature information temporarily stored in the data exchange environment, performing a second verification on the temporarily stored second encapsulated data and the temporarily stored second feature information, and executing a second target operation based on the result of the second verification; wherein the temporarily stored second encapsulated data and the temporarily stored second feature information are stored temporarily when the second encapsulated data and the second feature information pass through the data exchange environment on their way from the computing environment to the application environment; the second verification is used to verify the descendant metadata in the temporarily stored second encapsulated data using the descendant metadata trust credential stored in the preset repository, and to verify the temporarily stored second feature information using the second feature information trust credential stored in the preset repository; the second feature information trust credential is obtained by performing a digest calculation on the second feature information after the second feature information corresponding to the descendant metadata is determined in the computing environment; and the second target operation includes controlling the generation environment to regenerate the metadata when the result of the second verification is a verification failure;

when it is determined that the second digest result does not match the descendant metadata trust credential, obtaining the second encapsulated data and the synchronously transmitted second feature information temporarily stored in the data exchange environment, performing the second verification on the temporarily stored second encapsulated data and the temporarily stored synchronously transmitted second feature information, and executing the second target operation based on the result of the second verification.
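The receiving side of claims 3 and 5 (the computing environment, with the data exchange environment as the fallback source) as an added example that is not code from the patent or its assignee; the descendant-metadata path of claims 4 and 5 is the same logic with the second encapsulated data, second feature information and descendant metadata trust credential in place of the first ones. The shared key, trust policy layout, feature-information fields, sample metadata and device identifiers are constructed assumptions; the encapsulation is a stdlib-only encrypt-then-MAC stand-in for whatever cipher a deployment would use; and the outcome when the first verification of the data exchange copy succeeds (that copy is used) is an assumption, since claim 5 specifies only the failure branch.

```python
import base64
import hashlib
import hmac
import json


def digest(value) -> str:
    """Digest calculation over canonical JSON (SHA-256); also yields the trust credentials."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()


def _keystream(key: bytes, n: int) -> bytes:
    """Hash-derived keystream from an encryption subkey (illustrative construction)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    blocks = (hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encapsulate(key: bytes, payload: dict) -> dict:
    """Encrypt-then-MAC encapsulation of a JSON payload (stdlib stand-in for a real AEAD)."""
    plain = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, "sha256").hexdigest()
    return {"ct": base64.b64encode(ct).decode(), "tag": tag}


def decapsulate(key: bytes, sealed: dict) -> dict:
    """Verify the tag, then decrypt. Raises ValueError on any integrity failure."""
    ct = base64.b64decode(sealed["ct"])
    expected = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("encapsulated data failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))


def feature_info_for(metadata: dict) -> dict:
    """First feature information: attribute information, description, allowed environment."""
    return {"attributes": {"record_count": len(metadata["values"])},
            "description": "constructed sample record",
            "allowed_env": "computing"}


def matches_feature_info(metadata: dict, feature: dict, env: str) -> bool:
    return (feature["attributes"].get("record_count") == len(metadata["values"])
            and feature["allowed_env"] == env)


def receive_in_computing_env(key, device_id, sealed, feature, repository, exchange_copy) -> dict:
    """Decapsulate, apply the trust policy, match the first feature information and compare
    the first digest result with the metadata trust credential. On any mismatch, perform the
    first verification on the copy temporarily stored in the data exchange environment against
    the credentials in the preset repository; failure means the generation environment must
    regenerate the metadata (the first target operation)."""
    try:
        unsealed = decapsulate(key, sealed)
    except ValueError:
        unsealed = None
    if unsealed is not None:
        if device_id not in unsealed["trust_policy"]["allowed_devices"]:
            return {"status": "rejected", "reason": "trust policy forbids computation on this device"}
        md = unsealed["metadata"]
        if matches_feature_info(md, feature, "computing") and digest(md) == repository["metadata_credential"]:
            return {"status": "verified", "metadata": md}
    # First verification on the temporarily stored data exchange copy.
    try:
        copy_md = decapsulate(key, exchange_copy["sealed"])["metadata"]
    except ValueError:
        return {"status": "regenerate"}
    ok = (digest(copy_md) == repository["metadata_credential"]
          and digest(exchange_copy["feature"]) == repository["feature_credential"])
    return {"status": "recovered", "metadata": copy_md} if ok else {"status": "regenerate"}


# Constructed sample data for one generation-to-computing transfer.
KEY = b"constructed-shared-key"
METADATA = {"record_id": "constructed-001", "values": [3, 1, 2]}
TRUST_POLICY = {"allowed_devices": ["compute-node-1"]}
FEATURE = feature_info_for(METADATA)
# The generation environment records both trust credentials in the preset repository.
REPOSITORY = {"metadata_credential": digest(METADATA), "feature_credential": digest(FEATURE)}
SEALED = encapsulate(KEY, {"metadata": METADATA, "trust_policy": TRUST_POLICY})
EXCHANGE_COPY = {"sealed": SEALED, "feature": FEATURE}  # temporarily stored in transit

if __name__ == "__main__":
    print(receive_in_computing_env(KEY, "compute-node-1", SEALED, FEATURE, REPOSITORY, EXCHANGE_COPY))
    altered = {**FEATURE, "attributes": {"record_count": 99}}
    print(receive_in_computing_env(KEY, "compute-node-1", SEALED, altered, REPOSITORY, EXCHANGE_COPY))
```

The three outcomes a defender cares about are separated by status: "verified" when the delivered copy matches both the feature information and the credential, "recovered" when the delivered copy fails but the data exchange copy still matches the repository credentials (a modification between the exchange environment and the computing environment), and "regenerate" when neither copy can be matched, which is the only case in which claim 5 prescribes an action.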
6. A trusted data processing apparatus, characterized in that the apparatus includes:

a transmission unit, configured to transmit the metadata to the computing environment after the metadata is generated in the generation environment;

a calculation verification unit, configured to perform calculation verification in the computing environment on the calculation result obtained by performing a calculation operation on the metadata, and, after the calculation result passes the calculation verification, to transmit descendant metadata to the application environment, wherein the descendant metadata is obtained by performing the calculation operation on the metadata;

an application verification unit, configured to perform application verification in the application environment on the data user subject when it performs an application operation on the descendant metadata, and to store the descendant metadata after the data user subject passes the application verification;

a first environment verification unit, configured to verify the generation environment using a preset trusted third-party device before the metadata is generated, and to generate the metadata in the generation environment after the generation environment verification is passed, so that the transmission unit can transmit the metadata; wherein the generation environment verification is used to perform a first trusted verification on the device to which the generation environment belongs using the trusted third-party device, and the first trusted verification is used to verify whether the device identity and data management policy reserved for the device that generates the metadata match the device identity and data management policy of the device to which the generation environment belongs;

the calculation operation includes at least one calculation action, and the calculation result includes at least one intermediate result, wherein each calculation action corresponds to one intermediate result;

the calculation verification unit includes: a digest calculation module, configured, in the computing environment, each time a calculation action is performed on the metadata, to obtain the intermediate result corresponding to that calculation action according to a preset rule and to perform a digest calculation on each obtained intermediate result to obtain intermediate result verification information, wherein the preset rule is used to filter the intermediate results corresponding to all calculation actions according to the security level of the metadata so as to obtain a target number of intermediate results, or the preset rule is used to determine the target number according to the security level of the metadata and to obtain the intermediate results according to the target number; a first determining module, configured to compare the intermediate result verification information obtained by the digest calculation module with preset verification information and, when they match, to determine that the calculation action has passed verification, and, after all calculation actions have passed verification, to determine that the calculation result has passed the calculation verification and to determine, according to the execution order of the calculation actions, the intermediate result corresponding to the last calculation action as the descendant metadata; and a second determining module, configured, when the intermediate result verification information obtained by the digest calculation module does not match the preset verification information, to determine that the calculation action corresponding to that intermediate result verification information is an abnormal calculation action and to delete the corresponding intermediate result;

the application verification unit includes: a first determining module, configured, in the application environment, to monitor the application subject that uses the descendant metadata and, based on the application subject, to determine whether the data user subject has changed when the application operation is performed; a matching module, configured, if the first determining module determines that the data user subject has changed when the application operation is performed, to record the identity information of the changed application subject, to filter the identity information through a preset strategy, and to match the filtered identity information against preset identity information, wherein the preset strategy is used to set, according to the security level of the descendant metadata, the number of items of identity information to be matched against the preset identity information; and a second determining module, configured to determine that the data user subject has passed the application verification if the matching module determines that the filtered identity information matches the preset identity information;

the apparatus further includes: a generation unit, configured, if the application verification unit determines that the filtered identity information does not match the preset identity information, to determine that the descendant metadata has been used abnormally, and to generate and store alarm information.
7. A storage medium, characterized in that the storage medium includes a stored program, wherein, when the program is executed, it controls the device on which the storage medium is located to perform the trusted data processing method according to any one of claims 1 to 5.
8. A trusted data processing device, characterized in that the device includes a storage medium and one or more processors, the storage medium being coupled to the processors and the processors being configured to execute program instructions stored in the storage medium, wherein the program instructions, when executed, perform the trusted data processing method according to any one of claims 1 to 5.