








Technical Field
The present application relates generally to secure multi-party computation (MPC), and in particular to a method and system for file encryption storage access under a secure multi-party computation platform.
Background
Secure multi-party computation (MPC) concerns multiple mutually distrusting parties, each holding its own private data, who are able to compute the result of a public function without revealing that private data. When the whole computation completes, only the result is known to the parties; no party learns any other party's data or the intermediate data of the computation.
An MPC platform enables mutually distrusting parties to correctly compute any function while keeping each party's inputs and outputs private. The MPC platform can be regarded as a trusted third party. Ideally, this trusted third party obtains secret inputs from the parties, computes the function, and securely returns the result to each party.
In the prior art, a client's training data is generally stored in encrypted form by the file encryption storage module of the access party (that is, the user side). Because the encrypted information storage module is deployed at the MPC access party, it cannot be reached directly by external requests, so the dynamically generated object storage interface configuration parameters cannot be obtained directly and conveniently from the user interface center side. A mechanism is needed to invoke the file encryption storage module provided on the user side in order to obtain the object storage interface configuration parameters dynamically.
When the MPC platform needs to obtain secret inputs from multiple parties, including the client, for training, it can generally do one of the following: connect through a specific whitelist opened by the access party to verify the correctness of the feature service; have the training module on the user side first call the API of the access party's file encryption storage module to obtain the object storage address and then train; or have a management service for the file encryption storage module on the user side maintain communication with the access party's file encryption storage module to request the object storage address. However, these conventional solutions either carry security risks or require the corresponding modules to be separately customized and/or maintained on the user side, and they lack unified management by the platform.
Therefore, the art needs a more general and more secure method and system for file encryption storage access under an MPC platform.
Summary of the Invention
One aspect of the present disclosure relates to a method for file encryption storage access under a secure multi-party computation platform, comprising: launching, through a framework API on the platform side, a path acquisition job on a path acquisition module on the user side, so that the path acquisition module requests a file encryption storage module on the user side to dynamically open an object storage interface and returns the object storage interface configuration parameters returned by the file encryption storage module to the framework API on the platform side; and launching, through the framework API, a training job on a training job module on the user side and providing the object storage interface configuration parameters to the training job module, so that the training job module performs file encryption storage access via the opened object storage interface.
According to some exemplary embodiments, the object storage interface configuration parameters include an object storage service path, where the object storage service path includes at least one of: a read path or a storage path.
According to some exemplary embodiments, performing file encryption storage access by the training job module via the opened object storage interface includes writing storage data into the file encryption storage module by the training job module via the opened object storage interface.
According to a further embodiment, the storage data is encrypted by the object storage interface and then written into the file encryption storage module.
According to some exemplary embodiments, performing file encryption storage access by the training job module via the opened object storage interface includes reading, by the training job module via the opened object storage interface, encrypted storage data in the file encryption storage module.
According to a further embodiment, the encrypted storage data is decrypted by the object storage interface and then provided to the training job module for use in the training job.
According to a further embodiment, the training job produces a training result, and performing file encryption storage access by the training job module via the opened object storage interface further includes encrypting the training result and writing it into the file encryption storage module by the training job module via the opened object storage interface.
According to a further embodiment, the object storage interface configuration parameters returned by the file encryption storage module include a path for reading the storage data and a path for writing the training result.
Another aspect of the present disclosure relates to a secure multi-party computation platform, comprising: a path acquisition module deployed on the user side, configured to request, when running a path acquisition job, that the file encryption storage module on the user side dynamically open an object storage interface, and to receive the object storage interface configuration parameters returned by the file encryption storage module; and a framework API module deployed on the platform side, configured to launch the path acquisition job on the path acquisition module, where the path acquisition module is further configured to return the received object storage interface configuration parameters to the framework API module when the path acquisition job it runs was launched by the framework API module on the platform side.
According to some exemplary embodiments, the object storage interface configuration parameters include an object storage service path, where the object storage service path includes at least one of: a read path or a storage path.
According to some exemplary embodiments, the secure multi-party computation platform further includes a training job module deployed on the user side, configured to perform file encryption storage access to the file encryption storage module via the opened object storage interface when running a training job, where the framework API module is further configured, on receiving the object storage interface configuration parameters returned by the path acquisition module, to launch the training job on the training job module on the user side and to provide the object storage interface configuration parameters to the training job module for use in the file encryption storage access.
According to a further embodiment, the training job module being configured to perform file encryption storage access to the file encryption storage module via the opened object storage interface includes the training job module being configured to encrypt storage data and write it into the file encryption storage module via the opened object storage interface.
According to some exemplary embodiments, the training job module being configured to perform file encryption storage access to the file encryption storage module via the opened object storage interface includes the training job module being configured to read and decrypt, via the opened object storage interface, encrypted storage data in the file encryption storage module.
According to some exemplary embodiments, the training job produces a training result, and the training job module being configured to perform file encryption storage access to the file encryption storage module via the opened object storage interface includes the training job module being further configured to encrypt the training result and write it into the file encryption storage module via the opened object storage interface.
According to a further embodiment, the object storage interface configuration parameters returned by the file encryption storage module include a path for reading the storage data and a path for writing the training result.
Another aspect of the present disclosure relates to a method for file encryption storage access under a secure multi-party computation platform, the method being implemented by a framework API module deployed on the platform side and comprising: receiving a path acquisition flow initiated by the secure multi-party computation platform; initiating a job to the user side to launch a path acquisition process on a path acquisition module on the user side; obtaining, from the path acquisition module on the user side, object storage interface configuration parameters for accessing a file encryption storage module; initiating a job to the user side to launch a training job on a training job module on the user side; and providing the object storage interface configuration parameters to the training job module on the user side so that the training job module can access the data stored in the file encryption storage module.
Yet another aspect of the present disclosure relates to a method for file encryption storage access under a secure multi-party computation platform, the method being implemented by a path acquisition module deployed on the user side and comprising: receiving, from a framework API on the platform side, a request to launch a path acquisition process; running the path acquisition request, including requesting a file encryption storage module on the user side to dynamically open an object storage interface, and receiving the object storage interface configuration parameters returned by the file encryption storage module; and returning the received object storage interface configuration parameters to the framework API on the platform side.
A further aspect of the present disclosure relates to a method for file encryption storage access under a secure multi-party computation platform, the method being implemented by a training job module deployed on the user side and comprising: receiving, from a framework API on the platform side, a request to launch a training job; receiving, from the framework API, object storage interface configuration parameters for accessing a file encryption storage module; and running the training job, including using the object storage interface configuration parameters to perform file encryption storage access via the opened object storage interface.
Other aspects of the present disclosure include corresponding apparatuses, devices, computer-readable media, and the like.
Brief Description of the Drawings
FIG. 1 shows a block diagram of a file encryption storage module according to an aspect of the present disclosure.
FIG. 2 shows a schematic diagram of a file encryption storage access system under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 3 shows a system flow diagram of a file encryption storage access system under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 4 shows a system flow diagram of a file encryption storage access system under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 5 shows a flowchart of a file encryption storage access method under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 6 shows a flowchart of a file encryption storage access method under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 7 shows a flowchart of a file encryption storage access method under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 8 shows a flowchart of a file encryption storage access method under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
FIG. 9 shows a flowchart of a file encryption storage access method under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure.
Detailed Description
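FIG. 1 shows a block diagram of a file encryption storage module 100 according to an aspect of the present disclosure. As shown in FIG. 1, the file encryption storage module 100 according to the present disclosure may include a module API interface 102, an object storage interface 104, and an object storage service module 106. The client's training data is stored in encrypted form in the object storage service module 106. The file encryption storage module is a service module deployed at the MPC access party; it supplies the input training data required by that party's model training service and dynamically decrypts the training data during each training run for the training module to use.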
According to an exemplary embodiment, accessing (for example, reading and/or writing) data in the file encryption storage module may be divided into two stages.
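According to an exemplary embodiment, in the first stage, a requester (not shown) sends an open-storage-service request to the encrypted storage module API interface 102. The encrypted storage module API interface 102 receives the open-storage-service request and validates it. When validation of the request succeeds, the encrypted storage module API interface 102 dynamically opens the object storage interface 104, for example by providing a dynamic open instruction to the object storage interface 104 or by other similar means, and returns the object storage interface configuration parameters (for example, an OSS path) to the requester. When validation of the request fails, the encrypted storage module API interface 102 rejects the open-storage-service request from the requester.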
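According to an exemplary embodiment, in the second stage, the requester connects to the object storage interface 104 by providing it with the obtained object storage interface configuration parameters. While in the state of having been opened by the encrypted storage module API interface 102, the object storage interface 104 accesses the storage data in the object storage service module 106 based on the object storage interface configuration parameters provided by the requester. Accessing the storage data in the object storage service module 106 may include, for example, reading encrypted storage data from the object storage service module 106 and/or writing storage data to the object storage service module 106.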
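According to an exemplary embodiment, when reading encrypted storage data from the object storage service module 106, the object storage interface 104, still in the state of having been opened by the encrypted storage module API interface 102, uses the object storage interface configuration parameters to decrypt the obtained encrypted storage data, yielding the decrypted storage data.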
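According to an exemplary embodiment, when writing storage data to the object storage service module 106, the object storage interface 104, still in the state of having been opened by the encrypted storage module API interface 102, uses the object storage interface configuration parameters to encrypt the data to be stored and stores it in the object storage service module 106.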
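According to at least some exemplary embodiments, the opening of the object storage interface 104 may be controlled by a timeout value, so that the object storage interface 104 is closed when its open time reaches the timeout value and it has still not been accessed by the requester. In that case, the requester needs to make a new request to the encrypted storage module API interface 102.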
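If the requester provides the obtained object storage interface configuration parameters to the object storage interface 104 while the object storage interface 104 is not in the state of having been opened by the encrypted storage module API interface 102, the object storage interface 104 will not access the object storage service module 106, which protects the security of the user's training data files.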
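The object storage interface 104 may have security audit and logging functions. For example, according to an exemplary embodiment, the object storage interface 104 may audit and record the dynamic open instruction from the encrypted storage module API interface 102, the start and end times of its own open period, the time and source of received object storage interface configuration parameters, the time at which it requested encrypted storage data from the object storage service module, the result of decrypting the encrypted storage data (for example, whether decryption succeeded, verification, and so on), and the like.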
Because both the generation of the object storage interface configuration parameters and the opening of the object storage interface are dynamic, the file encryption storage module 100 manages sensitive user data in a unified way, ensures that user data is security-audited and recorded in every training run and stored encrypted, and protects the security of sensitive data. Security has been significantly improved.
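The two-stage access described above for FIG. 1 (a validated open request, an open state limited by a timeout, refusal while closed, and audit records), as an added Python example that is not part of the patent text. The class and method names, the allow-list used to validate the open request, the per-grant nonce and the explicit close call are assumptions; stored bytes are treated as opaque, so the encryption and decryption performed by the interface are not modelled.

```python
import hmac
import secrets


class ObjectStorageInterface:
    """Stage two: touches `store` (the storage service) only while opened."""
    def __init__(self, store, audit, clock):
        self._store, self._audit, self._clock = store, audit, clock
        self._grant = None     # None means the interface is closed

    def log(self, event, **details):
        self._audit.append({"t": self._clock(), "event": event, **details})

    def open(self, path, timeout_s):
        # Assumption: a fresh nonce per grant models the dynamic parameters.
        params = {"path": path, "nonce": secrets.token_hex(16)}
        self._grant = {"params": params, "used": False,
                       "deadline": self._clock() + timeout_s}
        self.log("opened", path=path, timeout_s=timeout_s)
        return dict(params)

    def close(self, reason):
        if self._grant is not None:
            self._grant = None
            self.log("closed", reason=reason)

    def _authorize(self, params, source):
        grant = self._grant
        # The timeout closes a grant that nobody used before the deadline.
        if grant and not grant["used"] and self._clock() >= grant["deadline"]:
            self.close("timeout")
            grant = None
        if grant is None:
            self.log("rejected", reason="not_open", source=source)
            raise PermissionError("object storage interface is not open")
        want = grant["params"]
        nonce_ok = hmac.compare_digest(str(params.get("nonce", "")).encode(),
                                       want["nonce"].encode())
        if params.get("path") != want["path"] or not nonce_ok:
            self.log("rejected", reason="bad_params", source=source)
            raise PermissionError("parameters do not match the open grant")
        grant["used"] = True
        return want["path"]

    def read(self, params, source):
        path = self._authorize(params, source)
        self.log("read", path=path, source=source)
        return self._store[path]

    def write(self, params, data, source):
        path = self._authorize(params, source)
        self.log("write", path=path, source=source, size=len(data))
        self._store[path] = data


class ModuleApi:
    """Stage one: validates the open request, then opens the interface."""
    def __init__(self, interface, allowed_jobs, timeout_s):
        self._interface = interface
        self._allowed_jobs = set(allowed_jobs)  # assumption: allow-list check
        self._timeout_s = timeout_s

    def open_storage(self, job_id, path):
        if job_id not in self._allowed_jobs:
            self._interface.log("open_refused", job_id=job_id)
            raise PermissionError("open-storage request failed validation")
        return self._interface.open(path, self._timeout_s)


def attempt(action):
    """Run one access and report 'ok' or the refusal message."""
    try:
        action()
        return "ok"
    except PermissionError as exc:
        return str(exc)


def run_demo():
    now, audit = [0.0], []                       # constructed clock and log
    path = "oss://constructed-bucket/train.bin"  # constructed sample path
    store = {path: b"opaque stored bytes"}
    iface = ObjectStorageInterface(store, audit, clock=lambda: now[0])
    api = ModuleApi(iface, allowed_jobs={"path-job"}, timeout_s=30.0)
    out = {}
    out["before_open"] = attempt(lambda: iface.read({"path": path}, "train-job"))
    out["unknown_job"] = attempt(lambda: api.open_storage("other-job", path))
    stale = api.open_storage("path-job", path)
    now[0] = 31.0                                # the unused grant expires
    out["after_timeout"] = attempt(lambda: iface.read(stale, "train-job"))
    fresh = api.open_storage("path-job", path)   # the caller must ask again
    out["stale_params"] = attempt(lambda: iface.read(stale, "train-job"))
    out["fresh_read"] = attempt(lambda: iface.read(fresh, "train-job"))
    out["write"] = attempt(lambda: iface.write(fresh, b"result", "train-job"))
    iface.close("job_finished")                  # assumption: explicit close
    out["after_close"] = attempt(lambda: iface.read(fresh, "train-job"))
    return out, [record["event"] for record in audit], store[path]
```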
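FIG. 2 shows a schematic diagram of a file encryption storage access system 200 under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure. As shown, the file encryption storage access system 200 of FIG. 2 can be divided by the dashed line into a center side 210 above and a user side 220 below.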
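The center side 210 may be, for example, the center of the MPC system framework. According to an exemplary embodiment, the center side 210 may include or be located at a central node. The central node may be responsible for managing, scheduling, and coordinating the resources and state of the entire cluster. According to an exemplary embodiment, the center side 210 may include a framework API module 212.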
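The user side 220 may include or be located at downstream nodes. One or more downstream nodes may be deployed at the main site and at each partner institution, and are responsible for executing offline training tasks, running online model services, and so on.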
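The user side 220 may include a file encryption storage module 230, such as the file encryption storage module 100 described above in connection with FIG. 1. The user side 220 of the file encryption storage access system 200 under the MPC platform according to the present disclosure may further include a path acquisition module 224 and a training job module 226.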
According to some exemplary and non-limiting embodiments, the MPC system framework of FIG. 2 may be, for example, a cross-institution kubernetes cluster, whose central node may include the k8s master and whose downstream nodes may include one or more k8s nodes located downstream of the central node.
According to an exemplary embodiment, when, for example, the required input training data needs to be provided to the party's model training service, the user needs to access the file encryption storage module, located for example at the user's institution, to read storage data from it. To do so, the user may initiate a path acquisition task (for example, an object storage service (OSS) parameter request url job) on the MPC platform to the framework API 212 of the center side 210.
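The framework API 212 of the center side 210 may launch the job on the path acquisition module 224 by sending a request to the path acquisition module 224 of the user side 220.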
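The path acquisition module 224 receives the request from the framework API 212 of the center side 210 and, as described above for the first stage in connection with FIG. 1, sends an open-storage-service request to the encrypted storage module API interface 232 in the file encryption storage module 230. The encrypted storage module API interface 302 receives the open-storage-service request and validates it. When validation of the request succeeds, the encrypted storage module API interface 232 dynamically opens the object storage interface 234, for example by providing a dynamic open instruction to the object storage interface 234 or by other similar means, and returns the object storage interface configuration parameters (for example, an OSS path) to the path acquisition module 224. When validation of the request fails, the encrypted storage module API interface 232 rejects the open-storage-service request from the path acquisition module 224.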
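After obtaining the object storage interface configuration parameters provided by the encrypted storage module API interface 232, the path acquisition module 224 forwards them to the framework API 212 of the center side 210.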
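According to at least some exemplary embodiments, the platform 210 may begin polling the framework API 212, immediately after the path acquisition task is initiated or after a period of time, to try to obtain the task running status, and obtains the object storage interface configuration parameters from the framework API 212 when the path acquisition module 224 reports the task result together with the OSS path 317 to the framework API 212.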
According to at least some other exemplary embodiments, instead of the platform 210 polling the framework API 212 for the task result, the framework API 212 may provide the task result to the platform 210 when the path acquisition module 224 reports it.
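When the framework API 212 of the center side 210 obtains the object storage interface configuration parameters from the path acquisition module 224 of the user side 220, the framework API 212 launches the job on the training job module 226 by sending the training job module 226 of the user side 220 a request together with task parameters (including the path). The task parameters may include the aforementioned object storage interface configuration parameters, among others.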
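The training job module 226 receives the request and the task parameters (including the path) from the framework API 212 of the center side 210 and, as described above for the second stage in connection with FIG. 1, connects to the object storage interface 234 in the file encryption storage module 230 by providing it with the obtained object storage interface configuration parameters. While in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234 obtains encrypted storage data from the object storage service module 236 based on the object storage interface configuration parameters provided by the training job module 226. Still in that opened state, the object storage interface 234 uses the object storage interface configuration parameters to decrypt the obtained encrypted storage data, yielding the decrypted storage data.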
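According to at least some exemplary embodiments, the opening of the object storage interface 234 may be controlled by a timeout value, so that the object storage interface 234 is closed when its open time reaches the timeout value and it has still not been accessed by the requester. In that case, the framework API 212 needs to make a new request to the encrypted storage module API interface 232.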
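If the training job module 226 provides the obtained object storage interface configuration parameters to the object storage interface 234 while the object storage interface 234 is not in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234 will not access the object storage service module 236, which protects the security of the user's training data files.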
On the other hand, according to an exemplary embodiment, when data needs to be stored to the file encryption storage module, located for example at the user's institution, operations similar to those for reading above may be performed. For example, a path acquisition task (for example, an OSS parameter request url job) may be initiated on the MPC platform to the framework API 212 of the center side 210.
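The framework API 212 of the center side 210 may launch the job on the path acquisition module 224 by sending a request to the path acquisition module 224 of the user side 220.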
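The path acquisition module 224 receives the request from the framework API 212 of the center side 210 and, as described above for the first stage in connection with FIG. 1, sends an open-storage-service request to the encrypted storage module API interface 232 in the file encryption storage module 230. The encrypted storage module API interface 302 receives the open-storage-service request and validates it. When validation of the request succeeds, the encrypted storage module API interface 232 dynamically opens the object storage interface 234, for example by providing a dynamic open instruction to the object storage interface 234 or by other similar means, and returns the object storage interface configuration parameters (for example, an OSS path) to the path acquisition module 224. When validation of the request fails, the encrypted storage module API interface 232 rejects the open-storage-service request from the path acquisition module 224.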
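After obtaining the object storage interface configuration parameters provided by the encrypted storage module API interface 232, the path acquisition module 224 forwards them to the framework API 212 of the center side 210.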
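According to at least some exemplary embodiments, the platform 210 may begin polling the framework API 212, immediately after the path acquisition task is initiated or after a period of time, to try to obtain the task running status, and obtains the object storage interface configuration parameters from the framework API 212 when the path acquisition module 224 reports the task result together with the OSS path 317 to the framework API 212.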
According to at least some other exemplary embodiments, instead of the platform 210 polling the framework API 212 for the task result, the framework API 212 may provide the task result to the platform 210 when the path acquisition module 224 reports it.
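When the framework API 212 of the center side 210 obtains the object storage interface configuration parameters from the path acquisition module 224 of the user side 220, the framework API 212 launches the job on the training job module 226 by sending the training job module 226 of the user side 220 a request together with task parameters (including the path). The task parameters may include the aforementioned object storage interface configuration parameters, among others.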
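The training job module 226 receives the request and the task parameters (including the path) from the framework API 212 of the center side 210 and, as described above for the second stage in connection with FIG. 1, connects to the object storage interface 234 in the file encryption storage module 230 by providing it with the obtained object storage interface configuration parameters. While in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234, based on the object storage interface configuration parameters provided by the training job module 226, encrypts the data to be stored (for example, a training result) and uses the object storage interface configuration parameters to store the encrypted data in the object storage service module 236.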
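According to at least some exemplary embodiments, the opening of the object storage interface 234 may be controlled by a timeout value, so that the object storage interface 234 is closed when its open time reaches the timeout value and it has still not been accessed by the requester. In that case, the framework API 212 needs to make a new request to the encrypted storage module API interface 232.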
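If the training job module 226 provides the obtained object storage interface configuration parameters to the object storage interface 234 while the object storage interface 234 is not in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234 will not access the object storage service module 236, which protects the security of the data in the object storage service module 236.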
In yet another aspect, when the file encryption storage module, located for example at the user's institution, needs to be accessed to read storage data from it, process that data (for example, train on it), and store the result (for example, a training result) back into the file encryption storage module, the user may initiate a path acquisition task (for example, an object storage service (OSS) parameter request url job) on the MPC platform to the framework API 212 of the center side 210. This path acquisition task obtains at least two paths at the same time: a data read path and a data storage path.
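The framework API 212 of the center side 210 may launch the job on the path acquisition module 224 by sending a request to the path acquisition module 224 of the user side 220.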
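The path acquisition module 224 receives the request from the framework API 212 of the center side 210 and, as described above for the first stage in connection with FIG. 1, sends an open-storage-service request to the encrypted storage module API interface 232 in the file encryption storage module 230. The encrypted storage module API interface 302 receives the open-storage-service request and validates it. When validation of the request succeeds, the encrypted storage module API interface 232 dynamically opens the object storage interface 234, for example by providing a dynamic open instruction to the object storage interface 234 or by other similar means, and returns the object storage interface configuration parameters (for example, an OSS path) to the path acquisition module 224. When validation of the request fails, the encrypted storage module API interface 232 rejects the open-storage-service request from the path acquisition module 224.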
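After obtaining the object storage interface configuration parameters provided by the encrypted storage module API interface 232 (for example, including the data read path and the data storage path), the path acquisition module 224 forwards them to the framework API 212 of the center side 210.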
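According to at least some exemplary embodiments, the platform 210 may begin polling the framework API 212, immediately after the path acquisition task is initiated or after a period of time, to try to obtain the task running status, and obtains the object storage interface configuration parameters from the framework API 212 when the path acquisition module 224 reports the task result together with the OSS path 317 to the framework API 212.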
According to at least some other exemplary embodiments, instead of the platform 210 polling the framework API 212 for the task result, the framework API 212 may provide the task result to the platform 210 when the path acquisition module 224 reports it.
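When the framework API 212 of the center side 210 obtains the object storage interface configuration parameters from the path acquisition module 224 of the user side 220, the framework API 212 launches the job on the training job module 226 by sending the training job module 226 of the user side 220 a request together with task parameters. The task parameters may include or be based on the aforementioned object storage interface configuration parameters (for example, including the data read path and the data storage path described above).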
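The training job module 226 receives the request and the task parameters from the framework API 212 of the center side 210 and, as described above for the second stage in connection with FIG. 1, connects to the object storage interface 234 in the file encryption storage module 230 by providing it with the training parameters (for example, including the data read path). While in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234 obtains encrypted storage data from the object storage service module 236 based on the training parameters provided by the training job module 226. Still in that opened state, the object storage interface 234 uses the object storage interface configuration parameters to decrypt the obtained encrypted storage data, yielding the decrypted storage data.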
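When the training job module has finished processing the data (for example, training) and needs to store the result data (for example, a training result) to the file encryption storage module, located for example at the user's institution, the training job module 226 may connect to the object storage interface 234 in the file encryption storage module 230 by providing it with the obtained object storage interface configuration parameters (for example, including the data storage path). While in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234, based on the object storage interface configuration parameters provided by the training job module 226, encrypts the data to be stored (for example, the training result) and uses the object storage interface configuration parameters to store the encrypted data in the object storage service module 236.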
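According to at least some exemplary embodiments, the opening of the object storage interface 234 may be controlled by a timeout value, so that the object storage interface 234 is closed when its open time reaches the timeout value and it has still not been accessed by the requester. In that case, the framework API 212 needs to make a new request to the encrypted storage module API interface 232.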
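If the training job module 226 provides the obtained object storage interface configuration parameters to the object storage interface 234 while the object storage interface 234 is not in the state of having been opened by the encrypted storage module API interface 232, the object storage interface 234 will not access the object storage service module 236, which protects the security of the data in the object storage service module 236.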
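FIG. 3 shows a system flow 300 of a file encryption storage access system under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure. As shown in FIG. 3, the platform 210, framework API 212, node 220, path acquisition module 224, training job module 226, and file encryption storage module 230 may be the center side 210, framework API 212, user side 220, path acquisition module 224, training job module 226, and file encryption storage module 230 described above in connection with the file encryption storage access system 200 of FIG. 2.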
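When data needs to be read from the file encryption storage module 230, as shown in FIG. 3, the platform 210 may initiate a path acquisition task 311 in the path acquisition flow 310 (for example, corresponding to the first stage described in connection with FIGS. 1 and 2). For example, according to an exemplary embodiment, the user may initiate the path acquisition task (for example, an OSS parameter request url job) at the MPC platform 210 to the framework API 212.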
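In response to the path acquisition task 311 initiated by the platform 210, the framework API 212 then initiates a job by sending a request 312 to the path acquisition module 224 of the node 220. For example, according to an exemplary embodiment, the framework API 212 may initiate an MPC job through the k8s node 220.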
When the MPC job is launched on the node 220, the node 220 launches the path acquisition process 313 on the path acquisition module 224.
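When the path acquisition process 313 is launched on the path acquisition module 224, the path acquisition module 224 requests the object storage interface configuration parameters (for example, including the OSS path) 314 from the file encryption storage module 230 via a url request, as described above for the first stage of FIG. 1 and in connection with FIG. 2.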
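When the file encryption storage module 230 receives the url request from the path acquisition module 224, it returns the object storage interface configuration parameters (for example, including the OSS path) 315 to the path acquisition module 224. The path acquisition module 224 then reports the task result together with the object storage interface configuration parameters (for example, including the OSS path) 317 to the framework API 212.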
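According to at least some exemplary embodiments, the platform 210 may begin polling, immediately after initiating the path acquisition task 311 or after a period of time, to try to obtain the task running status 316, and obtains the object storage interface configuration parameters (for example, the converted OSS path) 318 from the framework API 212 when the path acquisition module 224 reports the task result together with the object storage interface configuration parameters (for example, including the OSS path) 317 to the framework API 212.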
According to at least some other exemplary embodiments, instead of the platform 210 polling the framework API 212 for the task result, the framework API 212 may provide the task result to the platform 210 when the path acquisition module 224 reports it.
This completes the first stage, the path acquisition flow 310.
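As shown in FIG. 3, after the platform 210 obtains the converted OSS path 318 from the framework API 212, the read flow 320 (for example, corresponding to the second stage described in connection with FIGS. 1 and 2) can begin. The read flow 320 may be initiated automatically in response to the platform 210 obtaining the task result of the first stage. At this point, the platform 210 may initiate a read task 321. For example, according to an exemplary embodiment, the user may initiate the read task at the MPC platform 210 to the framework API 212.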
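In response to the read task 321 initiated by the platform 210, the framework API 212 then initiates an MPC job 322 by sending a request to the node 220. For example, according to an exemplary embodiment, the framework API 212 may initiate the MPC job 322 through the k8s node 220.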
When the MPC job is launched on the node 220, the node 220 launches the read job 323 on the training job module 226.
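When the read job 323 is launched on the training job module 226, the training job module 226 requests the read parameters 324 from the framework API 212. In response, the framework API 212 sends the read parameters 325 to the training job module 226. The read parameters may be based on the object storage interface configuration parameters, for example including the OSS path.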
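Although the description here uses the example in which the training job module 226 requests the read parameters from the framework API 212 after the node 220 has launched the read job on the training job module 226, the present disclosure is not limited to this. For example, the present disclosure also covers embodiments in which the framework API 212 provides the read parameters to the node 220 at the same time as, before, or after initiating the MPC job 322, and the node 220 provides the read parameters to the training job module 226 either on its own initiative or in response to a request from the training job module 226.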
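When the training job module 226 receives the read data 325 from the framework API 212, it uses the read parameters (including the OSS path) to access the encrypted storage data 326 in the file encryption storage module 230.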
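In response, the file encryption storage module 230 provides the decrypted storage data 327 to the training job module 226, in the manner described above in connection with FIGS. 1 and 2, so that the read job can be carried out locally on the training job module 226 on the user side. This completes the second stage, the read flow 320. The storage data, being sensitive data, never leaves the user side, which protects the security of the data.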
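FIG. 4 shows a system flow 400 of a file encryption storage access system under a secure multi-party computation (MPC) platform according to an aspect of the present disclosure. As shown in FIG. 4, the platform 210, framework API 212, node 220, path acquisition module 224, training job module 226, and file encryption storage module 230 may be the center side 210, framework API 212, user side 220, path acquisition module 224, training job module 226, and file encryption storage module 230 described above in connection with the file encryption storage access system 200 of FIG. 2.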
When data needs to be stored, as shown in FIG. 4, the platform 210 may initiate a path acquisition task 411 in the path acquisition flow 410 (for example, corresponding to the first stage described in connection with FIGS. 1 and 2). For example, according to an exemplary embodiment, the user may initiate the path acquisition task (for example, an OSS parameter request url job) at the MPC platform 210 to the framework API 212.
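In response to the path acquisition task 411 initiated by the platform 210, the framework API 212 then launches the job on the path acquisition module 224 by sending a request 412 to the path acquisition module 224 of the node 220. For example, according to an exemplary embodiment, the framework API 212 may initiate an MPC job through the k8s node 220.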
When the MPC job is launched on the node 220, the node 220 launches the path acquisition process 413 on the path acquisition module 224.
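When the path acquisition process 413 is launched on the path acquisition module 224, the path acquisition module 224 requests the object storage interface configuration parameters (for example, including the OSS path) 414 from the file encryption storage module 230 via a url request, as described above for the first stage of FIG. 1 and in connection with FIG. 2.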
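When the file encryption storage module 230 receives the request 414 from the path acquisition module 224, it returns the object storage interface configuration parameters (for example, including the OSS path) 415 to the path acquisition module 224. The path acquisition module 224 then reports the task result together with the object storage interface configuration parameters (for example, the OSS path) 417 to the framework API 212.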
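According to at least some exemplary embodiments, the platform 210 may begin polling, immediately after initiating the path acquisition task 411 or after a period of time, to try to obtain the task running status 416, and obtains the object storage interface configuration parameters (for example, including the converted OSS path) 418 from the framework API 212 when the path acquisition module 224 reports the task result together with the OSS path 417 to the framework API 212.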
According to at least some other exemplary embodiments, instead of the platform 210 polling the framework API 212 for the task result, the framework API 212 may provide the task result to the platform 210 when the path acquisition module 224 reports it.
This completes the first stage, the path acquisition flow 410.
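As shown in FIG. 4, after the platform 210 obtains the converted OSS path 418 from the framework API 212, the storage flow 420 (for example, corresponding to the second stage described in connection with FIGS. 1 and 2) can begin. The storage flow 420 may be initiated automatically in response to the platform 210 obtaining the task result of the first stage. At this point, the platform 210 may initiate a storage task 421. For example, according to an exemplary embodiment, the user may initiate the storage task at the MPC platform 210 to the framework API 212.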
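In response to the storage task 421 initiated by the platform 210, the framework API 212 then initiates an MPC job 422 by sending a request to the node 220. For example, according to an exemplary embodiment, the framework API 212 may initiate the MPC job 422 through the k8s node 220.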
When the MPC job is launched on the node 220, the node 220 launches the storage job 423 on the training job module 226.
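When the storage job 423 is launched on the training job module 226, the training job module 226 requests the storage parameters 424 from the framework API 212. In response, the framework API 212 sends the storage parameters (including the OSS path) 425 to the training job module 226.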
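Although the description here uses the example in which the training job module 226 requests the storage parameters from the framework API 212 after the node 220 has launched the storage job on the training job module 226, the present disclosure is not limited to this. For example, the present disclosure also covers embodiments in which the framework API 212 provides the storage parameters to the node 220 at the same time as, before, or after initiating the MPC job 322, and the node 220 provides the storage parameters to the training job module 226 either on its own initiative or in response to a request from the training job module 226.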
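When the training job module 226 receives the storage data 425 from the framework API 212, it uses the storage parameters to encrypt the data to be stored and pushes the encrypted data to the file encryption storage module 230 for storage 426.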
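In response, the file encryption storage module 230 stores the data in encrypted form in the manner described above in connection with FIGS. 1 and 2. This completes the second stage, the storage flow 420.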
Compared with prior-art solutions that require the corresponding modules to be separately customized and/or maintained on the user side, the present disclosure manages file encryption storage access under the secure multi-party computation platform through a unified API interface at the platform center, so that each user end only needs to keep a simple path acquisition module and a training job module.
In the file encryption storage access system under the secure multi-party computation (MPC) platform according to the present disclosure, all of the system's verification logic is completed on the user side, and only the interface configuration parameters dynamically generated after opening are passed back to the platform, which avoids the security risk of opening the encrypted storage service interface to the public network.
The solution of the present disclosure adds a separate flow for obtaining the encrypted file storage interface configuration parameters before the call is initiated, which avoids intruding on the main storage flow, decouples the modules, improves the uniformity of the system, and makes the system easier to maintain.
通过借助类kubernetes的系统框架的服务模块,避免了加密存储模块管理模块直接对接口配置参数实时维护和管理,使系统解耦,增强系统健壮性。By relying on the service module of the system framework like kubernetes, the management module of the encrypted storage module avoids the direct maintenance and management of the interface configuration parameters in real time, which decouples the system and enhances the robustness of the system.
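FIG. 5 illustrates a system flow 500 of a file encryption storage access system under a multi-party secure computing (MPC) platform according to an aspect of the present disclosure. System flow 500 is substantially similar to the system flow diagrams described in connection with FIG. 3 and/or FIG. 4. The difference is that in system flow 500 of FIG. 5, a file encryption storage module located, for example, at the user's institution needs to be accessed in order to read stored data from it, process the stored data (e.g., train on it), and store the result (e.g., the training result) back into the file encryption storage module.
As shown in FIG. 5, platform 210, framework API 212, node 220, path acquisition module 224, training job module 226, and file encryption storage module 230 may be the central side 210, framework API 212, user side 220, path acquisition module 224, training job module 226, and file encryption storage module 230 described above in connection with the file encryption storage access system 200 under the multi-party secure computing (MPC) platform of FIG. 2.
When a file encryption storage module located, for example, at the user's institution needs to be accessed in order to read stored data from it, process the stored data (e.g., train on it), and store the result (e.g., the training result) back into the file encryption storage module, then, as shown in FIG. 5, platform 210 may initiate path acquisition task 511 in path acquisition flow 510 (e.g., corresponding to the first stage described in connection with FIGS. 1 and 2). For example, according to an exemplary embodiment, a user may initiate a path acquisition task (e.g., an OSS parameter request url job) to framework API 212 at MPC platform 210.
Framework API 212 then responds to path acquisition task 511 initiated by platform 210 by sending request 512 to path acquisition module 224 of node 220 to initiate a job. For example, according to an exemplary embodiment, framework API 212 may initiate the MPC job through k8s node 220.
When the MPC job is launched on node 220, node 220 launches path acquisition process 513 on path acquisition module 224.
When path acquisition process 513 is launched on path acquisition module 224, path acquisition module 224 requests the object storage interface configuration parameters (e.g., including the data read path and the data storage path) from file encryption storage module 230 through a url request (514), as described above in connection with the first stage of FIG. 1 and in connection with FIG. 2.
When file encryption storage module 230 receives the url request from path acquisition module 224, file encryption storage module 230 returns the object storage interface configuration parameters (e.g., including the data read path and the data storage path) to path acquisition module 224 (515). Path acquisition module 224 then reports the task result together with the object storage interface configuration parameters (e.g., including the data read path and the data storage path) to framework API 212 (517).
According to at least some exemplary embodiments, platform 210 may begin polling, immediately or after a period of time following the initiation of path acquisition task 511, in an attempt to obtain the task running status (516), and obtains the converted OSS path from framework API 212 (518) when path acquisition module 224 reports the task result together with the object storage interface configuration parameters (e.g., including the data read path and the data storage path) to framework API 212 (517).
According to at least some other exemplary embodiments, instead of platform 210 polling framework API 212 to obtain the task result, framework API 212 may provide the task result to platform 210 when path acquisition module 224 reports it.
This completes the first stage, path acquisition flow 510.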
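As shown in FIG. 5, after platform 210 obtains the converted OSS path from framework API 212 (518), training flow 520 (e.g., corresponding to the second stage described in connection with FIGS. 1 and 2) can begin. Training flow 520 may be initiated automatically in response to platform 210 obtaining the task result of the first stage. At this point, platform 210 may initiate training task 521. For example, according to an exemplary embodiment, a user may initiate a training task to framework API 212 at MPC platform 210.
Framework API 212 then responds to training task 521 initiated by platform 210 by sending a request to node 220 to initiate MPC job 322. For example, according to an exemplary embodiment, framework API 212 may initiate MPC job 522 through k8s node 220.
When the MPC job is launched on node 220, node 220 launches training job 523 on training job module 226.
When read job 523 is launched on training job module 226, training job module 226 requests the training parameters from framework API 212 (524). In response, framework API 212 sends the training parameters to training job module 226 (525). The training parameters may be based on the object storage interface configuration parameters and include, for example, the data read path and the data storage path.
Although this is described using the example in which training job module 226 requests the read parameters from framework API 212 after node 220 launches the read job on training job module 226, the present disclosure is not limited thereto. For example, the present disclosure may also include various embodiments in which framework API 212 provides the read parameters to node 220 at the same time as, before, or after initiating MPC job 322, and node 220 provides the read parameters to training job module 226 either on its own initiative or in response to a request from training job module 226.
When training job module 226 receives read data 525 from framework API 212, training job module 226 uses the training parameters (including the data read path) to access the encrypted stored data in file encryption storage module 230 (526).
In response, file encryption storage module 230 provides the decrypted stored data 527 to training job module 226 in the manner described above in connection with FIG. 1 and FIG. 2, for the read job performed locally by training job module 226 on the user side.
Training job module 226 uses the obtained stored data 527 to perform training job 528, and pushes the training result to file encryption storage module 230 for encrypted storage based on the training parameters (including the data storage path).
This completes the second stage, training flow 520. Because the stored data, being sensitive data, never leaves the user side, the security of the data is protected.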
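Path acquisition flow 510 and training flow 520 as described above, as an added Python sketch that is not code from the patent. The class and function names, the random `/oss/...` path format, and the HMAC-based stand-in cipher are assumptions; the patent specifies neither a path format nor a cipher.

```python
import hashlib, hmac, secrets
class FileEncryptedStorageModule:
    """User-side module 230. Keys and plaintext stay here; only paths are handed out."""
    def __init__(self):
        self._enc_key, self._mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
        self.at_rest = {}    # object name -> nonce || ciphertext || tag
        self._grants = {}    # dynamically generated path -> (mode, object name)

    def _stream(self, nonce, n):
        # Assumed stand-in cipher: HMAC-SHA256 in counter mode. Use a vetted AEAD in practice.
        return b"".join(hmac.new(self._enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256)
                        .digest() for i in range(n // 32 + 1))[:n]

    def _seal(self, data):
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))
        return nonce + ct + hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def _unseal(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("stored object failed its integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

    def ingest(self, name, data):             # the institution loads its own data locally
        self.at_rest[name] = self._seal(data)

    def open_storage_service(self, read_obj, store_obj):
        """Steps 514/515: open the object storage interface, return its config parameters."""
        # Assumed parameter format: one unguessable path per direction, bound to one object.
        params = {"read_path": "/oss/" + secrets.token_urlsafe(16),
                  "store_path": "/oss/" + secrets.token_urlsafe(16)}
        self._grants[params["read_path"]] = ("read", read_obj)
        self._grants[params["store_path"]] = ("store", store_obj)
        return params

    def _check(self, path, mode):             # verification logic runs on the user side
        grant = self._grants.get(path)
        if grant is None or grant[0] != mode:
            raise PermissionError("path is not open for " + mode)
        return grant[1]

    def read(self, path):                     # steps 526/527: decrypt for the local worker
        return self._unseal(self.at_rest[self._check(path, "read")])

    def store(self, path, data):              # result pushed back after training job 528
        self.at_rest[self._check(path, "store")] = self._seal(data)

class FrameworkAPI:
    """Platform-side framework API 212: holds job results and parameters, never data."""
    def __init__(self):
        self.job_results = {}

    def report(self, job_id, params):         # step 517
        self.job_results[job_id] = dict(params)

    def poll(self, job_id):                   # steps 516/518; None until the job reports
        return self.job_results.get(job_id)

def path_acquisition_job(api, storage, job_id):        # module 224, process 513
    api.report(job_id, storage.open_storage_service("train.csv", "model.bin"))
def training_job(api, storage, job_id):                # module 226, steps 523-528
    params = api.poll(job_id)                          # steps 524/525
    if params is None:
        raise RuntimeError("path acquisition flow has not completed")
    rows = storage.read(params["read_path"]).decode().splitlines()
    storage.store(params["store_path"], ("rows=%d" % len(rows)).encode())

def run_flow():
    storage, api = FileEncryptedStorageModule(), FrameworkAPI()
    storage.ingest("train.csv", b"age,label\n41,1\n29,0\n")   # constructed sample data
    path_acquisition_job(api, storage, "job-1")
    training_job(api, storage, "job-1")
    return storage, api
```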
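FIG. 6 shows a flowchart of a file encryption storage access method 600 under a multi-party secure computing (MPC) platform according to an aspect of the present disclosure. Method 600 may be implemented by, for example, file encryption storage module 100 described above in connection with FIG. 1, or file encryption storage module 230 described in connection with FIG. 2 or FIG. 3, where file encryption storage module 100 or 230 resides on the user side.
At block 602, method 600 may include receiving, through the module API interface, a request to open the storage service from the path acquisition module residing on the user side.
At block 604, method 600 may include returning, by the module API interface, the object storage interface configuration parameters to the path acquisition module, and dynamically opening the object storage interface.
At block 606, method 600 may include receiving, by the object storage interface, training parameters from the training job module residing on the user side.
At block 608, method 600 may include obtaining, by the object storage interface, the encrypted stored data from the file encryption storage module based on the training parameters.
At block 610, method 600 may include decrypting, by the object storage interface, the encrypted stored data based on the training parameters and returning the decrypted stored data to the training job module.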
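FIG. 7 shows a flowchart of a file encryption storage access method 700 under a multi-party secure computing (MPC) platform according to an aspect of the present disclosure. Method 700 may be implemented by, for example, framework API 212 described above in connection with FIGS. 2-4, where framework API 212 resides on the platform side.
At block 702, method 700 may include receiving, by the framework API, a path acquisition flow initiated by the platform.
At block 704, method 700 may include initiating, by the framework API, a job to the user side to launch the path acquisition process on the user-side path acquisition module.
At block 706, method 700 may include obtaining, by the framework API, the path acquisition task result from the user-side path acquisition module.
At block 708, method 700 may include initiating, by the framework API, a job to the user side to launch the training job on the user-side training job module.
At block 710, method 700 may include providing, by the framework API, training parameters to the user-side training job module so that the training job module accesses the data stored in the file encryption storage module based on the training parameters. According to at least some exemplary embodiments, accessing the data stored in the file encryption storage module may include, for example, reading data from the file encryption storage module. According to at least some other exemplary embodiments, accessing the data stored in the file encryption storage module may include, for example, writing data to the file encryption storage module. According to at least still other exemplary embodiments, accessing the data stored in the file encryption storage module may include, for example, reading training data from the file encryption storage module, training by the training job module using the training data that was read, and pushing the training result to the file encryption storage module for encrypted storage.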
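FIG. 8 shows a flowchart of a file encryption storage access method 800 under a multi-party secure computing (MPC) platform according to an aspect of the present disclosure. Method 800 may be implemented by, for example, path acquisition module 224 described above in connection with FIGS. 2-4, where path acquisition module 224 resides on the user side.
At block 802, method 800 may include receiving, by the path acquisition module, a request to launch the path acquisition process.
At block 804, method 800 may include requesting, by the path acquisition module, a path from the file encryption storage module.
At block 806, method 800 may include receiving, by the path acquisition module, the path returned by the file encryption storage module and reporting it to the framework API residing on the platform side.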
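FIG. 9 shows a flowchart of a file encryption storage access method 900 under a multi-party secure computing (MPC) platform according to an aspect of the present disclosure. Method 900 may be implemented by, for example, training job module 226 described above in connection with FIGS. 2-4, where training job module 226 resides on the user side.
At block 902, method 900 may include receiving, by the training job module, a request to launch the training job.
At block 904, method 900 may include obtaining, by the training job module, training parameters from the platform-side framework API.
At block 906, method 900 may include accessing, by the training job module, the file encryption storage module based on the obtained training parameters.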
The foregoing describes only exemplary specific embodiments of the present invention, and the protection scope of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.
The solution of the present disclosure uses the capabilities of a special kubernetes-like system framework to build a loosely coupled access flow for the encrypted file storage module. By having the framework launch a dedicated service component for obtaining storage parameters, and by using a reporting mode for the interface configuration parameters, it avoids having the encrypted storage module's management module maintain the interface parameters, reduces the complexity of the service, and lowers development and maintenance costs. In addition, adding a separate encrypted file storage interface configuration parameter acquisition flow before the call is initiated avoids intruding on the main training flow, decouples the modules, improves system uniformity, and makes the system easier to maintain.
The various illustrative logical blocks, modules, and circuits described in connection with the present disclosure may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device (PLD), discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any commercially available processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, for example, a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the present disclosure may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in any form of storage medium known in the art. Some examples of storage media that may be used include random access memory (RAM), read-only memory (ROM), flash memory, EPROM memory, EEPROM memory, registers, hard disks, removable disks, CD-ROMs, and so on. A software module may include a single instruction or many instructions, and may be distributed over several different code segments, among different programs, and across multiple storage media. A storage medium may be coupled to a processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integrated into the processor.
The methods disclosed herein include one or more steps or actions for achieving the described method. These method steps and/or actions may be interchanged with one another without departing from the scope of the claims. In other words, unless a specific order of steps or actions is specified, the order and/or use of specific steps and/or actions may be modified without departing from the scope of the claims.
A processor may execute software stored on a machine-readable medium. A processor may be implemented with one or more general-purpose and/or special-purpose processors. Examples include microprocessors, microcontrollers, DSP processors, and other circuitry capable of executing software. Software should be construed broadly to mean instructions, data, or any combination thereof, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. By way of example, a machine-readable medium may include RAM (random access memory), flash memory, ROM (read-only memory), PROM (programmable read-only memory), EPROM (erasable programmable read-only memory), EEPROM (electrically erasable programmable read-only memory), registers, magnetic disks, optical disks, hard drives, or any other suitable storage medium, or any combination thereof. The machine-readable medium may be embodied in a computer program product. The computer program product may include packaging material.
In a hardware implementation, the machine-readable medium may be a part of the processing system separate from the processor. However, as those skilled in the art will readily appreciate, the machine-readable medium or any portion thereof may be external to the processing system. By way of example, the machine-readable medium may include a transmission line, a carrier wave modulated by data, and/or a computer product separate from the wireless node, all of which may be accessed by the processor through a bus interface. Alternatively or additionally, the machine-readable medium or any portion thereof may be integrated into the processor, as may be the case with a cache and/or a general-purpose register file.
The processing system may be configured as a general-purpose processing system having one or more microprocessors that provide the processor functionality and external memory that provides at least a portion of the machine-readable medium, all linked together with other supporting circuitry through an external bus architecture. Alternatively, the processing system may be implemented with an ASIC (application-specific integrated circuit) having the processor, the bus interface, the user interface (in the case of an access terminal), supporting circuitry, and at least a portion of the machine-readable medium integrated into a single chip, or with one or more FPGAs (field-programmable gate arrays), PLDs (programmable logic devices), controllers, state machines, gated logic, discrete hardware components, or any other suitable circuitry, or any combination of circuits capable of performing the various functionality described throughout the present disclosure. Those skilled in the art will recognize how best to implement the functionality described for the processing system depending on the particular application and the overall design constraints imposed on the overall system.
The machine-readable medium may include a number of software modules. The software modules include instructions that, when executed by an apparatus such as a processor, cause the processing system to perform various functions. The software modules may include a transmitting module and a receiving module. Each software module may reside in a single storage device or be distributed across multiple storage devices. By way of example, a software module may be loaded into RAM from a hard drive when a triggering event occurs. During execution of the software module, the processor may load some of the instructions into a cache to increase access speed. One or more cache lines may then be loaded into a general-purpose register file for execution by the processor. When the functionality of a software module is referred to below, it will be understood that such functionality is implemented by the processor when it executes instructions from that software module.
If implemented in software, the functions may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates the transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, such computer-readable media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is also properly termed a computer-readable medium. For example, if the software is transmitted from a web site, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared (IR), radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray® disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Thus, in some aspects, computer-readable media may include non-transitory computer-readable media (e.g., tangible media). In addition, for other aspects, computer-readable media may include transitory computer-readable media (e.g., a signal). Combinations of the above should also be included within the scope of computer-readable media.
Accordingly, certain aspects may include a computer program product for performing the operations presented herein. For example, such a computer program product may include a computer-readable medium having instructions stored (and/or encoded) thereon, the instructions being executable by one or more processors to perform the operations described herein. In certain aspects, the computer program product may include packaging material.
It is to be understood that the claims are not limited to the precise configuration and components illustrated above. Various modifications, substitutions, and variations may be made in the arrangement, operation, and details of the methods and apparatus described above without departing from the scope of the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210395676.XA, CN115062319A (en) | 2022-04-15 | 2022-04-15 | File encryption storage access method and system under multi-party secure computing platform |
| Publication Number | Publication Date |
|---|---|
| CN115062319A (en) | 2022-09-16 |
| Application Number | Status | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|---|
| CN202210395676.XA | Pending | CN115062319A (en) | 2022-04-15 | 2022-04-15 | File encryption storage access method and system under multi-party secure computing platform |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |