
US-20260128875-A1 - DATA TRANSMISSION METHOD AND RELATED DEVICE


Abstract

Provided in the present application are a data transmission method and related device. A method comprises: receiving a transmission preparation request sent by a user end before sending transmission data, and generating configuration information based on at least part of data in the transmission preparation request; generating an authentication request through a trusted execution environment based on the configuration information and sending the authentication request to the user end, so that the user end envelope-encrypts the transmission data based on the authentication request; receiving feedback information sent from the user end, the feedback information comprising envelope-encrypted transmission data; and obtaining the transmission data by decrypting the feedback information.

Inventors

  • Lin Zhang
  • Wenbin Zhang
  • Yong Sun
  • Qingling Feng

Assignees

  • BEIJING BYTEDANCE NETWORK TECHNOLOGY CO., LTD.

Dates

Publication Date
20260507
Application Date
20230224
Priority Date
20220317

Claims (20)

  1. A data transmission method, comprising: generating configuration information based on at least part of data in a received transmission preparation request, the received transmission preparation request sent by a user end before sending transmission data; generating an authentication request through a trusted execution environment based on the configuration information and sending the authentication request to the user end, so that the user end envelope-encrypts the transmission data based on the authentication request; receiving feedback information sent from the user end, the feedback information comprising envelope-encrypted transmission data; and obtaining the transmission data by decrypting the feedback information.
  2. The method of claim 1, wherein generating configuration information comprises: receiving from the user end a transmission preparation request that comprises at least one of a key length, an encryption mode, identification information of the user end and a second value; and generating configuration information by integrating at least one of the key length, the encryption mode, the identification information of the user end and the second value.
  3. The method of claim 2, wherein generating the authentication request comprises: generating a temporary public key based on the second value in the configuration information; obtaining second identification data by performing cryptographic operation processing on the identification information of the user end; obtaining an operation processing result by performing cryptographic operation processing on the configuration information, the second identification data and the temporary public key, and generating quote data based on the operation processing result; and generating an authentication request based on the configuration information, the second identification data, the temporary public key and the quote data and sending the authentication request to the user end.
  4. The method of claim 3, wherein generating the temporary public key comprises: obtaining a first public key of the trusted hardware end, randomly generating a first value, and generating a temporary public key based on the first public key, the first value and the second value.
  5. The method of claim 4, wherein obtaining the operation processing result and generating the quote data comprise: obtaining a hash value by performing hash operation processing on data that is composed of the configuration information, the second identification data and the temporary public key; and obtaining report data by supplementing a predetermined number of supplementary values after the hash value, generating quote data by writing the report data to a user data report, and reading the quote data.
  6. The method of claim 1, wherein the feedback information comprises: signature data, key cipher text, encrypted data and a user end certificate, and obtaining the transmission data comprises: parsing the feedback information, verifying the user end certificate using a root certificate, and confirming that the user end's identity is true after passing the verification; obtaining a second public key of the user end, verifying the signature data using the second public key, and confirming that the signature data is true after passing the verification; obtaining a first private key of the trusted hardware end, and obtaining key data by decrypting the key cipher text with the first private key; and obtaining the transmission data by decrypting the encrypted data with the key data.
  7. A data transmission method, comprising: sending a transmission preparation request to a trusted hardware end based on received transmission preparation data; receiving an authentication request sent from the trusted hardware end; parsing and confirming the authentication request; in response to determining that the authentication request is true, obtaining envelope-encrypted transmission data by performing envelope encryption on transmission data; and generating feedback information based on the envelope-encrypted transmission data, and sending the feedback information to the trusted hardware end.
  8. The method of claim 7, wherein the authentication request comprises: configuration information, second identification data and quote data; parsing and confirming the authentication request comprises: obtaining configuration information, second identification data and quote data by parsing the authentication request; obtaining identification confirmation information by performing cryptographic operation processing on identification information of the user end in the configuration information, and comparing and confirming the identification confirmation information with the second identification data; and verifying the quote data by calling Internet authentication and certificate services; and wherein determining that the authentication request is true comprises: determining that the identification confirmation information matches the second identification data, and determining that the quote data passes the verification of the service information.
  9. The method of claim 8, wherein the authentication request further comprises: a temporary public key, and obtaining envelope-encrypted transmission data by performing envelope encryption on the transmission data comprises: determining key data, and obtaining encrypted data by encrypting the transmission data with the key data; extracting a first public key from a temporary public key, and obtaining key cipher text by encrypting the key data; forming a data combination based on the temporary public key, the key cipher text, and the encrypted data; and obtaining a second private key of the user end, and obtaining signature data by signing the data combination using the second private key; and wherein the envelope-encrypted transmission data comprises: the signature data, the key cipher text and the encrypted data.
  10. The method of claim 9, wherein generating feedback information and sending the feedback information comprise: obtaining certificate data of the user end, and generating feedback information by combining the certificate data of the user end with the envelope-encrypted transmission data; and sending the feedback information to the trusted hardware end, and outputting the key data and the temporary public key at the same time.
  11-12. (canceled)
  13. An electronic device, comprising: a processor, and a memory, for storing a computer program; wherein the computer program, when executed by the processor, causes the electronic device to: generate configuration information based on at least part of data in a received transmission preparation request, the received transmission preparation request sent by a user end before sending transmission data; generate an authentication request through a trusted execution environment based on the configuration information and send the authentication request to the user end, so that the user end envelope-encrypts the transmission data based on the authentication request; receive feedback information sent from the user end, the feedback information comprising envelope-encrypted transmission data; and obtain the transmission data by decrypting the feedback information.
  14. A non-transitory computer-readable storage medium, storing a computer program thereon, wherein the computer program, when executed by a processor, causes a device to: generate configuration information based on at least part of data in a received transmission preparation request, the received transmission preparation request sent by a user end before sending transmission data; generate an authentication request through a trusted execution environment based on the configuration information and send the authentication request to the user end, so that the user end envelope-encrypts the transmission data based on the authentication request; receive feedback information sent from the user end, the feedback information comprising envelope-encrypted transmission data; and obtain the transmission data by decrypting the feedback information.
  15. The electronic device of claim 13, wherein the electronic device is further caused to: receive from the user end a transmission preparation request that comprises at least one of a key length, an encryption mode, identification information of the user end and a second value; and generate configuration information by integrating at least one of the key length, the encryption mode, the identification information of the user end and the second value.
  16. The electronic device of claim 15, wherein the electronic device is further caused to: generate a temporary public key based on the second value in the configuration information; obtain second identification data by performing cryptographic operation processing on the identification information of the user end; obtain an operation processing result by performing cryptographic operation processing on the configuration information, the second identification data and the temporary public key, and generate quote data based on the operation processing result; and generate an authentication request based on the configuration information, the second identification data, the temporary public key and the quote data and send the authentication request to the user end.
  17. The electronic device of claim 16, wherein the electronic device is further caused to: obtain a first public key of the trusted hardware end, randomly generate a first value, and generate a temporary public key based on the first public key, the first value and the second value.
  18. The electronic device of claim 17, wherein the electronic device is further caused to: obtain a hash value by performing hash operation processing on data that is composed of the configuration information, the second identification data and the temporary public key; and obtain report data by supplementing a predetermined number of supplementary values after the hash value, generate quote data by writing the report data to a user data report, and read the quote data.
  19. The electronic device of claim 13, wherein the feedback information comprises: signature data, key cipher text, encrypted data and a user end certificate, and wherein the electronic device is further caused to: parse the feedback information, verify the user end certificate using a root certificate, and confirm that the user end's identity is true after passing the verification; obtain a second public key of the user end, verify the signature data using the second public key, and confirm that the signature data is true after passing the verification; obtain a first private key of the trusted hardware end, and obtain key data by decrypting the key cipher text with the first private key; and obtain the transmission data by decrypting the encrypted data with the key data.
  20. An electronic device, comprising: a processor, and a memory for storing a computer program; wherein the computer program, when executed by the processor, causes the electronic device to: send a transmission preparation request to a trusted hardware end based on received transmission preparation data; receive an authentication request sent from the trusted hardware end; parse and confirm the authentication request; in response to determining that the authentication request is true, obtain envelope-encrypted transmission data by performing envelope encryption on transmission data; and generate feedback information based on the envelope-encrypted transmission data, and send the feedback information to the trusted hardware end.
  21. The electronic device of claim 20, wherein the authentication request comprises: configuration information, second identification data and quote data; wherein the electronic device is further caused to parse and confirm the authentication request by: obtaining configuration information, second identification data and quote data by parsing the authentication request; obtaining identification confirmation information by performing cryptographic operation processing on identification information of the user end in the configuration information, and comparing and confirming the identification confirmation information with the second identification data; and verifying the quote data by calling Internet authentication and certificate services; wherein the electronic device is further caused to determine that the authentication request is true by: determining that the identification confirmation information matches the second identification data, and determining that the quote data passes the verification of the service information.

Description

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application claims priority to the Chinese invention patent application titled “DATA TRANSMISSION METHOD AND RELATED DEVICE”, application number CN202210267993.3, submitted on Mar. 17, 2022.

FIELD

The present application relates to the technical field of data processing in a trusted execution environment, and in particular to a data transmission method and related device.

BACKGROUND

SGX (Software Guard eXtensions) based data processing applications may use Intel hardware instructions to protect programs, data, keys and the like so as to effectively prevent information leakage caused by malware and internal and external attacks. The remote authentication process and secure data transmission are the security foundation of SGX-based applications. Remote authentication ensures the credibility of the SGX processor and user identity authentication through SGX instructions and protocol interaction; the trusted key generated by remote authentication may ensure the secure transmission of data. However, most existing remote authentication solutions use key negotiation to establish data keys and use symmetric data keys for data transmission. This method is not suitable for users who cannot securely store their keys.

SUMMARY

In view of this, the purpose of this application is to propose a data transmission method and related device to solve or partially solve the above technical problems.

Based on the above purpose, the first aspect of this application provides a data transmission method, comprising:

  • Receiving a transmission preparation request sent by a user end before sending transmission data, and generating configuration information based on at least part of data in the transmission preparation request;
  • Generating an authentication request through a trusted execution environment based on the configuration information and sending the authentication request to the user end, so that the user end envelope-encrypts the transmission data based on the authentication request;
  • Receiving feedback information sent from the user end, the feedback information comprising envelope-encrypted transmission data; and
  • Obtaining the transmission data by decrypting the feedback information.

In some embodiments, the receiving a transmission preparation request sent by the user end before sending transmission data, and generating configuration information based on at least part of data in the transmission preparation request comprises:

  • Receiving from the user end a transmission preparation request that comprises at least one of a key length, an encryption mode, identification information of the user end and a second value;
  • Generating configuration information by integrating at least one of the key length, the encryption mode, the identification information of the user end and the second value.

In some embodiments, the generating an authentication request through a trusted execution environment based on the configuration information and sending the authentication request to the user end comprises:

  • Generating a temporary public key based on the second value in the configuration information;
  • Obtaining second identification data by performing cryptographic operation processing on the identification information of the user end;
  • Obtaining an operation processing result by performing cryptographic operation processing on the configuration information, the second identification data and the temporary public key, and generating quote data based on the operation processing result;
  • Generating an authentication request based on the configuration information, the second identification data, the temporary public key and the quote data and sending the authentication request to the user end.

In some embodiments, the generating a temporary public key based on the second value in the configuration information comprises:

  • Obtaining a first public key of the trusted hardware end, randomly generating a first value, and generating a temporary public key based on the first public key, the first value and the second value.

In some embodiments, the cryptographic operation processing includes: hash operation processing.

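
The binding of the authentication request fields to the quote (the hash-then-pad report data of claim 5 and the user-end comparison of claim 8), as an added Python example that is not code from the patent. All function names are hypothetical; SHA-256, the JSON serialization, the length-prefixed encoding, the 64-byte zero-padded report data and the user-end recomputation of report data are assumptions, and verification of the quote's signature by the attestation service is not modelled.

```python
import hashlib
import hmac
import json

REPORT_DATA_LEN = 64  # assumption: 64-byte report data field, zero-padded

def lp_concat(*fields: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def encode_config(config: dict) -> bytes:
    """Canonical byte encoding of the configuration information (assumed JSON)."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()

def identification_hash(user_id: str) -> bytes:
    """Second identification data: hash of the user end's identification info."""
    return hashlib.sha256(user_id.encode()).digest()

def build_report_data(config: dict, second_id: bytes, temp_pub: bytes) -> bytes:
    """Hash config, second identification data and temporary public key, then pad."""
    digest = hashlib.sha256(
        lp_concat(encode_config(config), second_id, temp_pub)).digest()
    return digest + b"\x00" * (REPORT_DATA_LEN - len(digest))

def build_auth_request(config: dict, temp_pub: bytes) -> dict:
    """Trusted hardware end: assemble the authentication request fields."""
    second_id = identification_hash(config["user_id"])
    return {
        "config": config,
        "second_id": second_id,
        "temp_pub": temp_pub,
        # Stand-in for the quote: only its report data field is modelled here.
        "quote_report_data": build_report_data(config, second_id, temp_pub),
    }

def confirm_auth_request(req: dict) -> tuple[bool, str]:
    """User end: local checks made before envelope-encrypting any data."""
    expected_id = identification_hash(req["config"]["user_id"])
    if not hmac.compare_digest(expected_id, req["second_id"]):
        return False, "identification mismatch"
    expected_rd = build_report_data(
        req["config"], req["second_id"], req["temp_pub"])
    if not hmac.compare_digest(expected_rd, req["quote_report_data"]):
        return False, "report data does not bind the received fields"
    return True, "ok"

# Constructed sample values, not taken from the patent.
SAMPLE_CONFIG = {"key_length": 256, "mode": "AES-GCM",
                 "user_id": "user-001", "second_value": "a1b2c3d4"}
SAMPLE_TEMP_PUB = bytes(range(32))

if __name__ == "__main__":
    req = build_auth_request(SAMPLE_CONFIG, SAMPLE_TEMP_PUB)
    print(confirm_auth_request(req))
    req["temp_pub"] = bytes(32)  # temporary public key replaced in transit
    print(confirm_auth_request(req))
```

Because the temporary public key is covered by the hash placed in the report data, a key substituted after the quote was produced fails the comparison, so the user end never wraps its data key under an unattested key.
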
In some embodiments, the obtaining an operation processing result by performing cryptographic operation processing on the configuration information, the second identification data and the temporary public key, and generating quote data based on the operation processing result comprises:

  • Obtaining a hash value by performing hash operation processing on data that is composed of the configuration information, the second identification data and the temporary public key;
  • Obtaining report data by supplementing a predetermined number of supplementary values after the hash value, generating quote data by writing the report data to a user data report, and reading the quote data.

In some embodiments, the feedback information comprises: signature data, key cipher text, encrypted data and a use