CN-122001609-A - Online learning data security encryption and privacy protection method in information creation environment
Abstract
The invention discloses a method for secure encryption and privacy protection of online learning data in an information creation environment. The method comprises: detecting the underlying hardware characteristics of the device through a micro-architecture probe, and loading a target national cryptographic algorithm library adapted to the current hardware architecture based on the detection result; generating an integrity measurement value of the device based on characteristic information of the target national cryptographic algorithm library, generating a device private key using the integrity measurement value as a key generation factor, and negotiating with a platform server using the device private key to generate a session key; and calling the target national cryptographic algorithm library with the session key as a parameter to encrypt video data in the online learning data, and uploading the encrypted video data to the platform server. This achieves efficient and secure encryption and privacy protection of online learning data in the information creation environment.
Inventors
- YANG JING
- ZHANG LUYAN
Assignees
- 上海市信产通信服务有限公司培训中心
Dates
- Publication Date
- 20260508
- Application Date
- 20251202
Claims (10)
- 1. A method for secure encryption and privacy protection of online learning data in an information creation environment, characterized by comprising the following steps: detecting the underlying hardware characteristics of the device through a micro-architecture probe, and loading a target national cryptographic algorithm library adapted to the current hardware architecture based on the detection result; generating an integrity measurement value of the device based on characteristic information of the target national cryptographic algorithm library, generating a device private key using the integrity measurement value as a key generation factor, and negotiating with a platform server using the device private key to generate a session key; and calling the target national cryptographic algorithm library with the session key as a parameter to encrypt video data in the online learning data, and uploading the encrypted video data to the platform server.
- 2. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 1, wherein loading the target national cryptographic algorithm library adapted to the current hardware architecture based on the detection result comprises the following steps: when the client starts, reading the feature identification bits of the CPU configuration register through the micro-architecture probe, and constructing a list of extended instruction sets supported by the current CPU based on the bits read; based on the extended instruction set list, screening from a built-in encryption algorithm library all algorithm implementation versions supported by the current hardware, marking them as candidate algorithm microcode implementation units, and loading the candidate algorithm microcode implementation units into an isolated memory region; generating a temporary data block in the isolated memory region using a pseudo-random number generator, and calling the candidate algorithm microcode implementation units adapted to different extended instruction sets in turn to run a comparative throughput test on the temporary data block; and, based on the result of the comparative throughput test, selecting the algorithm microcode implementation unit with the highest throughput and loading it into memory as the target national cryptographic algorithm library.
- 3. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 2, wherein generating the device private key comprises: reading the binary machine code of the target national cryptographic algorithm library in memory, and performing a hash calculation on the binary machine code to obtain the characteristic information; reading the serial number of the CPU, performing a hash calculation on the serial number of the CPU, and performing an exclusive-OR operation on the resulting hash value and the characteristic information to obtain the integrity measurement value; extending the integrity measurement value into a platform configuration register of the trusted cryptographic module; reading a hardware root key of the trusted cryptographic module and calling a true random number generator to generate a random number, and, taking the current value of the platform configuration register, the hardware root key and the random number as input data, generating a composite master seed using a national cryptographic standard key derivation function; and generating a key pair in a secure isolated region of the trusted cryptographic module based on the composite master seed, and storing the private key of the key pair in the secure isolated region as the device private key.
- 4. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 3, wherein negotiating with the platform server using the device private key to generate the session key comprises: generating a true random number with the random number generator of the trusted cryptographic module, taking the true random number as a client temporary private key, and generating a corresponding client temporary public key based on the client temporary private key; sending the client temporary public key to the platform server, receiving the server temporary public key and the server identity public key returned by the platform server, and verifying the validity of the server identity public key; after the verification passes, digitally signing the client temporary public key and the server temporary public key with the device private key, and sending the resulting signature data to the platform server to complete client identity authentication; and, after the identities of both parties have been verified, computing the final session key inside the trusted cryptographic module based on a national cryptographic standard key exchange protocol, with the device private key, the client temporary private key, the server identity public key and the server temporary public key as input parameters.
- 5. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 4, wherein encrypting the video data in the online learning data comprises: obtaining the video data, embedding a digital watermark containing tracing identification information into the video data, encrypting the watermarked video data with the target national cryptographic algorithm library and the session key in the counter mode of a national cryptographic block cipher algorithm, and uploading the encrypted video data to the platform server.
- 6. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 5, wherein embedding the digital watermark containing the tracing identification information into the video data comprises the following steps: acquiring the identity of the currently logged-in user, concatenating the serial number of the trusted cryptographic module, the serial number of the CPU and the identity of the currently logged-in user, and performing a hash calculation on the concatenation result to generate the tracing identification information; decoding the video data to obtain consecutive original video frame images; converting each original video frame image into the YUV color space, and performing a block discrete cosine transform on the chrominance components to obtain a coefficient matrix; embedding the tracing identification information into the intermediate-frequency coefficients of the coefficient matrix using a frequency-domain spread spectrum technique; and performing an inverse discrete cosine transform on the coefficient matrix carrying the tracing identification information to obtain video frame data containing the digital watermark, and video-encoding that frame data to generate the video data containing the digital watermark.
- 7. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 6, wherein embedding the tracing identification information into the intermediate-frequency coefficients of the discrete cosine transform domain using the frequency-domain spread spectrum technique comprises: generating a frequency hopping control seed using a key derivation function based on the session key generated by the current negotiation; generating a pseudo-random coordinate sequence based on the frequency hopping control seed, and selecting intermediate-frequency coefficients in the coefficient matrix according to the pseudo-random coordinate sequence as the embedding carrier; generating a pseudo-random spread spectrum code based on the frequency hopping control seed, and modulating the tracing identification information with the pseudo-random spread spectrum code to generate a spread spectrum sequence; calculating the energy value of the alternating-current coefficients in the coefficient matrix, and normalizing it to obtain an embedding strength factor; and multiplying the spread spectrum sequence by the embedding strength factor, and superimposing the product on the embedding carrier.
- 8. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 5, wherein encrypting the watermarked video data in the counter mode of the national cryptographic block cipher algorithm comprises the following steps: pre-filling a plurality of consecutive counter values into a vector register of the CPU to construct a parallel counter matrix; based on the session key, using the target national cryptographic algorithm library to perform a parallel encryption operation on the parallel counter matrix with single-instruction multiple-data instructions to generate parallel key stream blocks; and performing an exclusive-OR operation on the parallel key stream blocks and the video data using a vector exclusive-OR instruction of the CPU to generate parallel ciphertext data blocks.
- 9. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 1, further comprising an offline cache protection process: when the client is detected to be offline, reading the serial number of the trusted cryptographic module, the serial number of the CPU and the serial number of the disk volume as hardware characteristic factors; concatenating the hardware characteristic factors with the login credentials of the current user, and feeding the result into a key derivation function based on a national cryptographic hash algorithm to generate a device binding key; and performing a second encryption of the locally stored video data with the device binding key in the cipher block chaining mode of a national cryptographic block cipher algorithm to generate an offline cache file.
- 10. The method for secure encryption and privacy protection of online learning data in an information creation environment according to claim 1, further comprising the following real-time detection process: after the session key has been negotiated, starting a background monitoring thread, extracting features of the target national cryptographic algorithm library running in memory at random time intervals, and calculating a real-time measurement result based on the extracted feature information; comparing the real-time measurement result with the integrity measurement value for consistency; and, when the two are inconsistent, immediately calling the secure interface of the trusted cryptographic module to forcibly destroy the device private key and the session key in memory, and interrupting the network connection with the platform server.
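The measurement of claim 3 and the runtime re-check of claim 10, modeled in software as an added example (not code from the patent). Assumptions: SHA-256 stands in for the national cryptographic hash, the extend rule `H(old || measurement)` is the usual TPM-style convention, and the library bytes, CPU serial and session key are constructed values.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the national cryptographic hash.
    return hashlib.sha256(data).digest()

def integrity_measurement(lib_code: bytes, cpu_serial: bytes) -> bytes:
    # Claim 3: hash of the library's machine code XOR hash of the CPU serial.
    return bytes(a ^ b for a, b in zip(h(lib_code), h(cpu_serial)))

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # Assumed TPM-style extend: new = H(old || measurement).
    return h(pcr + measurement)

class MonitoredSession:
    """Software model of claim 10; a real client keeps its keys inside the TCM."""

    def __init__(self, lib_code: bytes, cpu_serial: bytes, session_key: bytes):
        self.cpu_serial = cpu_serial
        self.baseline = integrity_measurement(lib_code, cpu_serial)
        self.pcr = pcr_extend(bytes(32), self.baseline)
        self.session_key = bytearray(session_key)
        self.connected = True

    def recheck(self, live_lib_code: bytes) -> bool:
        # Re-measure the running library and compare in constant time.
        live = integrity_measurement(live_lib_code, self.cpu_serial)
        if hmac.compare_digest(live, self.baseline):
            return True
        # Mismatch: wipe the key material in place and drop the connection.
        for i in range(len(self.session_key)):
            self.session_key[i] = 0
        self.connected = False
        return False

# Constructed sample values, not real library code or serial numbers.
LIB = b"\x90" * 64 + b"constructed-library-image"
PATCHED = LIB[:10] + b"\xcc" + LIB[11:]   # one byte changed in memory
CPU = b"CPU-SERIAL-EXAMPLE-0001"

def demo():
    s = MonitoredSession(LIB, CPU, b"\x11" * 16)
    first = s.recheck(LIB)        # unchanged image
    second = s.recheck(PATCHED)   # tampered image
    return first, second, bytes(s.session_key), s.connected

if __name__ == "__main__":
    print(demo())
```

The comparison only covers the bytes that are re-read, so the monitor has to measure the same memory range that produced the baseline.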
Description
Online learning data security encryption and privacy protection method in information creation environment

Technical Field

The invention relates to the technical field of information security, in particular to a method for secure encryption and privacy protection of online learning data in an information creation environment.

Background

With the advancement of the national information technology application innovation (Xinchuang) strategy, the online learning terminals of educational institutions are moving on a large scale to heterogeneous computing environments based on domestic CPUs (such as Loongson, Feiteng, spread spectrum, sea light and the like) and domestic operating systems (such as Kylin and belief). The domestic hardware platforms have various architectures (comprising MIPS, ARM, x, alpha and other different instruction set systems) and form a complex heterogeneous information creation environment.

However, most existing online learning data protection techniques directly follow traditional, general-purpose pure software encryption schemes (e.g., general-purpose OpenSSL-based implementations). Such a scheme is designed without awareness of, or deep use of, the characteristics of the underlying hardware architecture, and treats the hardware only as a general computing carrier, which causes the following problems:

- Decoupling of software and hardware leaves key security fragile. Since the generic software solution cannot use device-specific hardware roots of trust (e.g., the trusted cryptographic module TCM, hardware serial numbers), keys typically exist as files or in-memory variables. This allows an attacker to easily copy a key to other unauthorized devices, resulting in device cloning and illegitimate data access.
- Failure to exploit hardware performance results in inefficient encryption. The generic encryption library is not adapted to the specific extended instruction sets or microarchitecture of the domestic CPU. When processing high-throughput video data, it cannot invoke hardware-level acceleration (such as SIMD instructions), so the CPU load becomes too high and the smoothness of online learning suffers.

In addition, existing data protection systems lack the ability to quickly attribute responsibility and identify the leakage source when a data leak occurs on the platform side. Once poor management or an attack causes the platform's video library to leak, the original video data lacks a strongly associated identifier containing user identity characteristics and hardware origin. A user who finds that a video is being publicly circulated therefore cannot easily and quickly prove that the video comes from the user's own upload record, and cannot directly derive a specific leakage path or the related responsibility information from the leaked video file. Because this traceability information is missing, when a large-scale privacy data leak occurs, affected users find it difficult to confirm the leakage source promptly and cannot quickly assert their rights, and immediate determination of the platform's security responsibility is hindered as well.

In view of the above, the present invention proposes a method for secure encryption and privacy protection of online learning data in an information creation environment to solve the above-mentioned problems.
Disclosure of Invention

In order to overcome the defects in the prior art and achieve the above purposes, the invention provides the following technical scheme: a method for secure encryption and privacy protection of online learning data in an information creation environment, comprising the following steps:

- detecting the underlying hardware characteristics of the device through the micro-architecture probe, and loading a target national cryptographic algorithm library adapted to the current hardware architecture based on the detection result;
- generating an integrity measurement value of the device based on the characteristic information of the target national cryptographic algorithm library, generating a device private key using the integrity measurement value as a key generation factor, and negotiating with a platform server using the device private key to generate a session key;
- calling the target national cryptographic algorithm library with the session key as a parameter to encrypt video data in the online learning data, and uploading the encrypted video data to the platform server.

Further, loading the target national cryptographic algorithm library adapted to the current hardware architecture based on the detection result comprises the following steps:

- when the client starts, reading the feature identification bits of the CPU configuration register through the micro-architecture probe, and constructing a list of extended instruction sets supported by the current CPU based on the bits read;
- Based on the extended instructi