CN110602121B - Network key obtaining method and device and computer readable storage medium - Google Patents

Info

Publication number: CN110602121B
Authority: CN (China)
Prior art keywords: key, service process, network key, network, program
Legal status: Active
Application number: CN201910894610.3A
Other languages: Chinese (zh)
Other versions: CN110602121A (en)
Inventors: 丁蕊, 沈华勇, 李明哲, 刘斌华, 游志良, 胡卫东, 王均朗, 李志良
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201910894610.3A; published as CN110602121A; application granted; published as CN110602121B; legal status active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a network key obtaining method, a network key obtaining device and a computer-readable storage medium. A read request indicating that a service process is to read a network key is received, and the identity of the service process is obtained from that request. While the key escrow program has not failed, the service process is authorized on the basis of the identity, so that it reads the network key file through the key escrow program and obtains the network key corresponding to it. When the key escrow program has failed, the service process's key authentication tool is authorized on the basis of the identity to read the network key file itself and screen out the network key corresponding to the service process. The scheme preserves the availability and security of the network key as far as possible and greatly improves the disaster tolerance (fault tolerance) of the path by which a service process acquires its network key.

Description

Network key obtaining method and device and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for acquiring a network key, and a computer-readable storage medium.
Background
As internet technology develops, network security becomes more important. To improve it, the service processes of the various application programs must acquire and load the network keys they need in order to run. Existing network key acquisition techniques take one of three forms: a key management system restricts which application programs (from different companies) may read which network keys; a static key directly encrypts the secret, and the service process reads the encrypted key and decrypts it itself; or a key management system grants the network key after checking the legitimacy of the service process.
In research and practice on the prior art, the inventors found that none of these three key management approaches considers the case in which the key management system or the static key encryption crashes or otherwise fails: the service process then has no way to read the network key at all, so the disaster tolerance of network key acquisition by a service process is low.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for acquiring a network key, and a computer-readable storage medium, which can greatly improve disaster tolerance of a service process for acquiring a network key.
A network key acquisition method comprises the following steps:
receiving a read request, the read request indicating that a service process is to read a network key file;
acquiring the identity of the service process from the read request;
when the key escrow program has not failed, authorizing the service process on the basis of the identity, so that the service process reads the network key file through the key escrow program and obtains the network key corresponding to it;
and when the key escrow program has failed, authorizing the service process's key authentication tool, on the basis of the identity, to read the network key file and screen out the network key corresponding to the service process from the file read.
Correspondingly, an embodiment of the present invention provides a network key obtaining apparatus, including:
a receiving unit, configured to receive a read request indicating that a service process is to read a network key file;
an obtaining unit, configured to obtain the identity of the service process from the read request;
a first authorization unit, configured to authorize the service process on the basis of the identity when the key escrow program has not failed, so that the service process reads the network key file through the key escrow program and obtains its network key;
and a second authorization unit, configured, when the key escrow program has failed, to authorize the service process's key authentication tool on the basis of the identity to read the network key file and screen out the network key corresponding to the service process from the file read.
Optionally, in some embodiments, the first authorization unit may be configured to send the identity to the key escrow program for identification; when the identity corresponds to a service process preset in the key escrow program, to authorize that service process to read the network key file and obtain its network key; and when the identity corresponds to some other service process, to have the key escrow program refuse the read.
Optionally, in some embodiments, the second authorization unit may be configured, when the key escrow program cannot be restarted after failing, or when the key escrow program and the monitoring program fail at the same time, to check the validity of the service process's key authentication tool according to the identity and, when the tool is valid, to authorize it to read the network key file and screen out the network key corresponding to the service process.
Optionally, in some embodiments, the second authorization unit may be configured to obtain authentication information of the key authentication tool according to the identity, to treat the tool as legitimate when that information matches preset authentication information, and to treat it as illegitimate when it does not.
Optionally, in some embodiments, the second authorization unit may be configured to match multiple authentication factors against preset authentication factors, to obtain from the matching result the identity of the corresponding service process, and to screen out the network key corresponding to that service process from the network key file according to the identity.
Optionally, in some embodiments, the network key obtaining apparatus may further include an encryption unit and a monitoring unit, as follows:
the encryption unit may be configured to obtain at least one network key file, each containing at least one network key, to obtain local identification information, and to encrypt the network key file according to that local identification information;
the monitoring unit may be configured to create a monitoring program for the key escrow program, to start it when the key escrow program starts, and to use it to keep the key escrow program in a normal operating state.
Optionally, in some embodiments, the monitoring unit may be configured so that, when the key escrow program fails, the monitoring program triggers a restart instruction for the key escrow program to return it to normal operation, and, when the monitoring program fails, the key escrow program triggers a restart instruction for the monitoring program to restart it.
In addition, an embodiment of the present invention provides an electronic device including a processor and a memory; the memory stores an application program, and the processor is configured to run that program to implement the network key obtaining method provided in the embodiments of the present invention.
In addition, an embodiment of the present invention provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to perform the steps of any of the network key obtaining methods provided in the embodiments of the present invention.
After a read request indicating that a service process is to read the network key file is received, the identity of the service process is acquired from the request. While the key escrow program has not failed, the service process is authorized on the basis of the identity, so that it reads the network key file through the key escrow program and obtains its network key; when the key escrow program has failed, the service process's key authentication tool is authorized on the basis of the identity to read the network key file and screen out the network key corresponding to the service process. In this scheme the service process normally obtains its network key through the key escrow program, and when that program fails the key authentication tool ensures that the service process can still obtain the key. Availability and security of the network key are thus preserved as far as possible, and the disaster tolerance of network key acquisition by the service process is greatly improved.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Clearly, the drawings described here show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of a scenario of a network key obtaining method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of data interaction in a network key obtaining method according to an embodiment of the present invention;
fig. 3 is a flowchart of a network key obtaining method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a data sharing system in which a network key obtaining apparatus is applied to a blockchain according to an embodiment of the present invention;
fig. 5 is another flowchart of a network key obtaining method according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a blockchain provided in an embodiment of the present invention;
fig. 7 is a block diagram illustrating the process of generating new blocks in a blockchain according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a first authorization unit of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a second authorization unit of the network key obtaining apparatus according to the embodiment of the present invention;
fig. 11 is another schematic structural diagram of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of an encryption unit of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 13 is another schematic structural diagram of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a monitoring unit of a network key obtaining apparatus according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Clearly, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
The embodiments of the invention provide a network key obtaining method, a network key obtaining apparatus and a computer-readable storage medium. The network key obtaining apparatus may be integrated in an electronic device, and the electronic device may be a server or a terminal.
For example, referring to fig. 1, with the network key obtaining apparatus integrated in an electronic device: the electronic device receives a read request indicating that a service process is to read a network key file, and obtains the identity of the service process from the request. When the key escrow program has not failed, it authorizes the service process on the basis of the identity, so that the service process reads the network key file through the key escrow program and obtains its network key; when the key escrow program has failed, it authorizes the service process's key authentication tool, on the basis of the identity, to read the network key file and screen out the network key corresponding to the service process from the file read.
Optionally, with the network key obtaining apparatus integrated in the electronic device, the service process running in a terminal and the network key file stored in a blockchain, the data interaction of the whole network key obtaining apparatus is as shown in fig. 2.
These are described in detail below. Note that the order in which the embodiments are described is not meant to limit their preferred order.
This embodiment is described from the perspective of a network key obtaining apparatus, which may be integrated in an electronic device; the electronic device may be a server, a terminal or another device, and the terminal may be a tablet computer, a notebook computer, a personal computer (PC) or a similar device.
A network key acquisition method comprises the following steps: receiving a read request indicating that a service process is to read a network key file; acquiring the identity of the service process from the read request; when the key escrow program has not failed, authorizing the service process on the basis of the identity so that it reads the network key file through the key escrow program and obtains its network key; and when the key escrow program has failed, authorizing the service process's key authentication tool, on the basis of the identity, to read the network key file and screen out the network key corresponding to the service process from the file read.
As shown in fig. 3, the specific flow of the network key obtaining method is as follows:
101. Receive a read request, the read request instructing a service process to read the network key file.
A service process may be any running service program, such as a social networking service, a shopping service or a financial service. Such programs need to load the necessary keys at start-up or during operation in order to work normally. In a financial service program, for example, when one user transfers money to another, the service process must obtain the transaction key entered by the user or stored somewhere before the transfer can proceed, so that the transaction is secure.
The network key file is a space or area in which network keys are stored. It may hold a single network key or a combination key made up of several network keys; once the file has been encrypted by one or more encryption steps, the whole file can itself be regarded as a single network key. For example, a service program that needs several network keys stores them in one network key file, and after that file is encrypted it becomes a dedicated network key for the program. A network key may be a key or a certificate used on a network (the internet or a local area network); concretely it may be a password made up of digits, characters, images and/or symbols, or a certificate or key program produced by program-level encryption.
(1) Acquire at least one network key file and encrypt it.
For example, at least one network key file can be obtained from a network key entered and set by the user. In a social networking program, when a user registers, the account and password the user wants to set are entered in the program; the back end receives them, encrypts them to obtain at least one network key, creates a network key file and stores the network key in it. The network key file can also be generated automatically from a specific identifier entered by the user: in a social networking program the user enters a personal contact address, verification information is sent to that address, and once the verification passes the network key file corresponding to that contact address is generated automatically. Account and password information can also be screened out of information or files the user has stored, and the screened information encrypted and stored to obtain the network key file.
The network key file obtained is then encrypted. For example, the same static encryption key is embedded in both the key authentication tool and the key escrow program. On the local device where they are deployed, local identification information that uniquely identifies the device is collected, such as the MAC address, CPU information and motherboard information. A hash, for instance SHA-256, is computed over the static key together with this local identification information, and the resulting 256-bit digest is used as a new encryption key with which the network key file is encrypted. The encrypted network key file can then be decrypted only by the key authentication tool or the key escrow program together with the local identification information of that device.
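The host-bound encryption step above, as an added example (not the patent's own code): the file key is SHA-256 over the embedded static key and the local identifiers, and the key file is protected with encrypt-then-MAC so that a copy moved to another machine, or a tampered file, fails authentication instead of decrypting to garbage. The description names no cipher; this example uses an HMAC-SHA256 keystream with an HMAC tag only so that it runs on the Python standard library, and AES-GCM would be the normal choice in production. The length-prefixed hashing, the identifier set, the blob layout and the sample key file are this example's constructions. One caveat a practitioner should keep in mind: MAC addresses and CPU strings are readable by any local process and can be spoofed, and the static key sits inside two binaries, so this binding raises the cost of exfiltrating the file off-host but is not itself access control; the escrow program's PID check is what decides who may read.

```python
# Added example, not from the patent: host-bound key for the network key file.
import hashlib
import hmac
import json
import os
import platform
import uuid

NONCE_LEN = 16
TAG_LEN = 32


def local_identifiers():
    """Stand-in for the MAC / CPU / motherboard fields the description names."""
    mac = "%012x" % uuid.getnode()  # random if no interface exposes a MAC
    return [mac, platform.processor() or "unknown-cpu", platform.platform()]


def derive_file_key(static_key: bytes, identifiers) -> bytes:
    """SHA-256 over the static key and the identifiers, each length-prefixed
    so that field boundaries are unambiguous (this example's choice)."""
    h = hashlib.sha256()
    for field in [static_key] + [s.encode() for s in identifiers]:
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def _subkey(file_key: bytes, label: bytes) -> bytes:
    return hmac.new(file_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_key_file(file_key: bytes, plaintext: bytes) -> bytes:
    """Layout: nonce || ciphertext || tag, with separate enc and mac subkeys."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(file_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_key_file(file_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("key file too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong host identifiers or tampered file")
    ks = _keystream(_subkey(file_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def try_decrypt(file_key: bytes, blob: bytes):
    """Plaintext if the blob authenticates under file_key, otherwise None."""
    try:
        return decrypt_key_file(file_key, blob)
    except ValueError:
        return None


# Constructed sample key file: one key per service, with the owning PID and
# preset authentication factors, in the shape the description gives.
SAMPLE_KEY_FILE = {"keys": [
    {"service": "payment-api", "pid": 4242, "key": "3f9a0c77e1b24d5a",
     "factors": {"exe": "/usr/bin/payment-api", "user": "svc-pay"}},
]}


def roundtrip(static_key: bytes, identifiers, other_identifiers):
    """Encrypt on one host; return (plaintext recovered on the same host,
    whether a host with other identifiers could decrypt it)."""
    blob = encrypt_key_file(derive_file_key(static_key, identifiers),
                            json.dumps(SAMPLE_KEY_FILE).encode())
    same_host = json.loads(decrypt_key_file(derive_file_key(static_key, identifiers), blob))
    other_host = try_decrypt(derive_file_key(static_key, other_identifiers), blob)
    return same_host, other_host is not None


if __name__ == "__main__":
    ids = local_identifiers()
    recovered, elsewhere = roundtrip(b"embedded-static-key", ids, ids[:-1] + ["other-host"])
    print("recovered on this host:", recovered["keys"][0]["service"])
    print("decryptable with other identifiers:", elsewhere)
```

Run stand-alone, the script encrypts the sample file under this machine's identifiers, decrypts it again, and shows that the same static key with a different identifier set is rejected by the tag check rather than yielding a wrong plaintext.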
(2) Receive a read request, the read request instructing a service process to read the network key file.
For example, when a service process starts or runs it needs to load the required network key file, so it issues a request to read that file. When a social networking program starts, the user is prompted for an account and password; after the user has finished entering them, the service process first tries to read the network key file directly, which triggers the generation of request information for reading the network key entered by the user. The service process sends this request information to the network key obtaining apparatus, which receives the request to read the network key corresponding to the target information entered by the user.
102. And acquiring the identity of the service process based on the reading request.
The identity of the service process may be its process identifier (PID). A PID marks one process, and its value is normally a non-zero integer.
For example, the service process tries to read the network key file directly; this triggers generation of a read request for the service process, and the PID of the service process is obtained from that request. Concretely, the key escrow program registers a monitoring service, for instance a fanotify (Linux file access notification) service, which produces a monitoring process; the key escrow program uses that monitoring process to monitor events on the network key file. When the monitoring process runs in global mode, monitoring the whole file system, and any process tries to read the network key file, the monitoring process obtains the PID of the process reading the file and sends monitoring information consisting of the read event and that PID to the key escrow program. The monitoring process can also monitor other events, such as write events and move events. When it monitors write events, any service process writing to a network key file causes the monitoring process to obtain its PID and send monitoring information consisting of the write event and the PID to the key escrow program; when it monitors move events, for instance a service process trying to copy a network key file off the local device on which it is deployed, the monitoring process likewise obtains the PID and sends monitoring information consisting of the move event and the PID to the key escrow program.
Optionally, when an older Linux kernel does not support fanotify, inotify can be registered instead to monitor key read events (IN_ACCESS), with a watch established on each network key file and on the directory containing it. With the watch on the network key file in place, a key read event is caught when it occurs, the PID of the service process is obtained, and monitoring information consisting of the read event and the PID is sent to the key escrow program. Note that an inotify event does not itself carry the PID of the accessing process, so in this fallback the escrow program has to determine the PID by other means (for example by checking which processes hold the file open under /proc/[pid]/fd), and inotify has no permission events with which a read could be refused before it completes. Write and move events can be monitored with inotify in the same way as described above for fanotify.
103. When the key escrow program has not failed, authorize the service process on the basis of the identity, so that the service process reads the network key file through the key escrow program and obtains the network key corresponding to it.
The key escrow program controls the service process's authority to access the network key file, and can also decrypt the encrypted network key file using its built-in static key, so that a started or running service process is helped to obtain the network key that matches it.
For example, the read event and service process PID captured by the registered monitoring process are sent to the key escrow program for identification. The key escrow program checks the received PID, and when the identity is identified as a service process preset in the key escrow program, the service process is authorized to read the network key file and obtain its network key. Concretely, the network key file may contain the PID of the service process corresponding to each network key, and the key escrow program stores that PID as its preset PID. After receiving the monitoring information, it compares the PID in the monitoring information with the preset PID; when they match, the key escrow program decrypts the network key file, and the authorized service process reads the decrypted file to obtain its network key. When the identity is some other service process, the key escrow program refuses to let it read the network key file: when the PID in the monitoring information does not match the preset PID, the key escrow program triggers a callback function, which generates an instruction refusing the read, and the read of the network key file is refused directly according to that instruction. When a read is refused, the collected read information can be reported and corresponding warning information generated as an alert.
Note that the network key file may contain several network keys, which the key escrow program can classify. After the key escrow program decrypts the encrypted network key file, the authorized service process can read it, and the key escrow program can help the service process find the right key, for example by identifying the PID of the service process corresponding to each network key and returning the key for that PID.
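The fanotify monitoring described in step 102 and the PID-based allow-or-refuse decision of step 103, as one added example (not the patent's own code). The escrow-side guard marks the key file for permission events, so every open or read by another process blocks in the kernel until the guard answers FAN_ALLOW or FAN_DENY; this is the kernel mechanism that lets a refusal actually stop the read, where a plain notification would only report it afterwards. The record parser and the decision are pure functions that run anywhere; `guard()` needs Linux with CAP_SYS_ADMIN and a real key file path. The constant values are those of `<linux/fanotify.h>`; the command-line shape and the sample records are this example's constructions. A caveat the description leaves implicit: PIDs are recycled, so a preset PID identifies a process only while that process lives, which is why the multi-factor checks in the next section (executable path, digest, owning user) are what give the identity substance.

```python
# Added example, not from the patent: fanotify guard for the network key file.
import ctypes
import ctypes.util
import os
import struct
import sys

# Values from <linux/fanotify.h>
FAN_CLOEXEC = 0x00000001
FAN_CLASS_CONTENT = 0x00000004      # required for permission events
FAN_MARK_ADD = 0x00000001
FAN_ACCESS = 0x00000001
FAN_MODIFY = 0x00000002
FAN_OPEN_PERM = 0x00010000
FAN_ACCESS_PERM = 0x00020000
FAN_ALLOW = 0x01
FAN_DENY = 0x02
AT_FDCWD = -100
PERM_EVENTS = FAN_OPEN_PERM | FAN_ACCESS_PERM
METADATA_VERSION = 3

# struct fanotify_event_metadata: event_len, vers, reserved, metadata_len, mask, fd, pid
_META = struct.Struct("=IBBHQii")
# struct fanotify_response: fd, response
_RESP = struct.Struct("=iI")


def build_event(mask: int, fd: int, pid: int) -> bytes:
    """Pack one metadata record in kernel layout (used to construct test input)."""
    return _META.pack(_META.size, METADATA_VERSION, 0, _META.size, mask, fd, pid)


def parse_events(buf: bytes):
    """Split a read() buffer into (mask, fd, pid) tuples, stepping by event_len."""
    events, off = [], 0
    while off + _META.size <= len(buf):
        event_len, vers, _reserved, _meta_len, mask, fd, pid = _META.unpack_from(buf, off)
        if vers != METADATA_VERSION or event_len < _META.size:
            raise ValueError("unexpected fanotify metadata layout")
        events.append((mask, fd, pid))
        off += event_len
    return events


def decide(pid: int, allowed_pids, self_pid: int) -> int:
    """Allow the escrow program itself and the preset PIDs; refuse everyone else."""
    return FAN_ALLOW if pid == self_pid or pid in allowed_pids else FAN_DENY


def exe_of(pid: int) -> str:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "?"


def guard(path: str, allowed_pids):
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.fanotify_init.argtypes = [ctypes.c_uint, ctypes.c_uint]
    libc.fanotify_mark.argtypes = [ctypes.c_int, ctypes.c_uint, ctypes.c_uint64,
                                   ctypes.c_int, ctypes.c_char_p]
    fan = libc.fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT, os.O_RDONLY)
    if fan < 0:
        raise OSError(ctypes.get_errno(), "fanotify_init failed (needs CAP_SYS_ADMIN)")
    if libc.fanotify_mark(fan, FAN_MARK_ADD, PERM_EVENTS | FAN_MODIFY, AT_FDCWD, path.encode()) < 0:
        raise OSError(ctypes.get_errno(), "fanotify_mark failed")
    me = os.getpid()
    while True:
        for mask, fd, pid in parse_events(os.read(fan, 4096)):
            if mask & PERM_EVENTS:
                verdict = decide(pid, allowed_pids, me)
                os.write(fan, _RESP.pack(fd, verdict))   # the blocked open/read resumes here
                print(f"pid={pid} exe={exe_of(pid)} {'ALLOW' if verdict == FAN_ALLOW else 'DENY'}")
            elif mask & FAN_MODIFY:
                print(f"ALERT pid={pid} exe={exe_of(pid)} modified {path}")
            if fd >= 0:
                os.close(fd)


if __name__ == "__main__":
    if sys.platform != "linux" or len(sys.argv) < 2:
        sys.exit("usage (Linux, as root): guard.py /path/to/keyfile [allowed pid ...]")
    guard(sys.argv[1], {int(p) for p in sys.argv[2:]})
```

The event fd the kernel hands over must be closed after each decision or the guard leaks one descriptor per access; the modify branch corresponds to the write-event monitoring in step 102 and only alerts, since FAN_MODIFY is a notification, not a permission event.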
Optionally, the network key corresponding to the service process may also be obtained without using a key escrow program, for example, the network key corresponding to the service process may be screened out from a network key file by using a key authentication tool of the service process through multiple authentication factors, where the network key file includes a key file, a PID of the service process corresponding to the key file, and multiple preset authentication factors corresponding to the key file, and because the key authentication tool of the service process cannot directly read the PID of the service process corresponding to the network key in the network key file, the network key corresponding to the service process needs to be obtained by using a method of matching multiple authentication factors. The key authentication tool obtains the network key corresponding to the service process through multiple authentication factors, which specifically comprises the following steps:
S1, matching the plurality of authentication factors with preset authentication factors.
For example, there are various ways of matching (authentication), and any of the following authentication ways may be selected.
(1) Acquiring the absolute path of the executable file through the PID of the service process, and matching the absolute path with a preset authentication factor.
For example, the symbolic link to the executable file corresponding to the PID is found by opening the /proc/[PID]/exe file, the absolute path of the executable file is resolved with readlink (a function that reads the target of a symbolic link), and the obtained absolute path is compared with a preset path. When the absolute path is completely the same as the preset path, partially the same as it, or matches it as a regular expression, the service process has successfully matched (authenticated) that preset authentication factor of the network key. When a single authentication factor is used for authentication, the network key containing the preset authentication factor is the network key corresponding to the service process; when multiple authentication factors are used, the other authentication factors must also be matched (authenticated).
(2) Calculating a digest over the executable file at the acquired complete path, and matching the calculated value with a preset value.
For example, the digest of the executable file may be calculated with the MD5 message digest algorithm or with the SHA-256 algorithm, and the obtained value is matched with the preset value. When the calculated value is exactly the same as the preset value, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(3) Acquiring the Linux system user name that started the service process through the PID of the service process, and matching the system user name with a preset system user name.
For example, the uid of the service process is obtained by opening the /proc/[pid]/status file, the system user name is then obtained with getpwuid (a function that looks up the user name for a uid), and the obtained system user name is matched with the preset system user name of the network key. When the acquired system user name is the same as the preset system user name, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(4) Acquiring the complete paths of all or some of the library files loaded by the service process through the PID of the service process, and matching the complete paths with preset paths.
For example, open /proc/[pid]/numa_maps, from which the full paths of all loaded library files can be read. When a read complete path is completely the same as the preset path, partially the same as it, or matches it as a regular expression, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(5) Calculating a value for all or some of the library files loaded by the service process at the acquired complete paths, and matching the calculated value with a preset value.
For example, the value corresponding to the complete path may be calculated with the MD5 message digest algorithm or with the SHA-256 algorithm, and the obtained value is matched with a preset value. When the calculated value is exactly the same as the preset value, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(6) Acquiring the command line with which the service process was started through the PID of the service process, and matching the command line with a preset command line.
For example, the command line used to start the service process may be obtained by opening /proc/[pid]/cmdline, and the obtained command line is compared with a preset command line. When the command line is the same as the preset command line, the service process has matched (authenticated) that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
It should be noted that the preset authentication factors of the service process corresponding to each network key may exist in multiple versions at the same time. For example, version 1 may include the three authentication factors (1), (3) and (5); version 2 may also include the three authentication factors (1), (3) and (5) but with different preset values; and version 3 may include the two authentication factors (2) and (4). The key authentication tool attempts to match versions 1, 2 and 3 in turn; if any version matches, the identity of the network key is determined to be the identity corresponding to the service process, otherwise matching continues with the next network key.
S2, acquiring the identity of the service process corresponding to the authentication factor according to the matching result.
For example, after the key authentication tool of the service process has matched the authentication factors corresponding to the network keys in the network key file, the identity of the service process corresponding to each authentication factor is obtained. For example, if the service process is A, the key authentication tool of A matches the authentication factor corresponding to a network key; if the match succeeds, the identity of the service process corresponding to that authentication factor is A and the identity is marked; if the match fails, the identity of the service process corresponding to that authentication factor is not A, and the identity can be further identified, or matching of the next authentication factor can begin, until the identities corresponding to all the authentication factors in the network key file have been identified.
S3, screening out the network key corresponding to the service process from the network key file according to the identity.
For example, the key authentication tool of the service process marks each authentication factor whose identity is the identity corresponding to the service process, and obtains the network key corresponding to the marked authentication factor; the obtained network key is the network key corresponding to the service process, and it may be a single network key or multiple network keys.
Optionally, a monitoring program may be created for the key escrow program: when the key escrow program is started, an instruction to start the monitoring program is triggered, and the monitoring program and the key escrow program are set to monitor each other, that is, the monitoring program monitors the key escrow program and the key escrow program also monitors the monitoring program. Through the monitoring program, the key escrow program is kept in a normal running state. For example, when the monitoring program detects that the key escrow program has failed or crashed, it reports the monitoring information about the failure or crash, generates alarm information, triggers a restart instruction for the key escrow program, and restarts the key escrow program according to the restart instruction. When the monitoring program fails or crashes, the key escrow program likewise triggers a restart instruction for the monitoring program and restarts it.
104. When the key escrow program fails, based on the identity, the key authentication tool of the authorized service process reads the network key file, and the network key corresponding to the service process is screened out from the read network key file.
The key authentication tool may acquire the network key file, provides cryptographic algorithms such as encryption and decryption, and is integrated in a service process to operate. The service process is obtained in the system of the local device, and a legal key authentication tool may be integrated in a legal service process.
(1) When the restart of the key escrow program fails, or the key escrow program and the monitoring program fail simultaneously, identifying the legality of the key authentication tool of the service process according to the identity.
For example, when the restart of the key escrow program fails, or both the key escrow program and the monitoring program have failed, the authentication information of the key authentication tool is acquired according to the identity: the service process corresponding to the acquired identity is obtained, and the related information of the key authentication tool in that service process is queried, such as its authentication information, for example a static key for decrypting the network key file. The queried authentication information of the key authentication tool is matched with preset authentication information; when they match, the key authentication tool of the service process is determined to be legal, and when they do not match, it is determined to be illegal. For example, the queried static key for decrypting the network key file is compared with a preset static key; when the static key matches the preset static key, the key authentication tool of the service process is determined to be legal, and when it does not match, the key authentication tool is determined to be illegal.
It should be noted that, when the restart of the key escrow program fails, or the key escrow program and the monitoring program fail at the same time, after the identity of the service process reading the network key file has been obtained, that identity must itself be verified, for example by comparing the obtained identity of the service process with a preset identity; when they match, the service process is determined to be a legal service process, and a legal service process may integrate the key authentication tool. However, a legal service process may integrate either a legal or an illegal key authentication tool, whereas a legal key authentication tool can only be integrated in a legal service process.
(2) When the key authentication tool of the service process is legal, authorizing the key authentication tool to read the network key file.
For example, when the key authentication tool of the service process is legal, the authorized key authentication tool obtains the local identification information of the local device, such as the physical address, the CPU information and/or the motherboard information, and based on this local identification information and the static key held in the key authentication tool, decrypts the network key file; after decryption, the service process can read the network key file directly.
(3) Screening out the network key corresponding to the service process from the read network key file.
For example, because the key escrow program can no longer assist the service process in screening out the corresponding network key from the network key file, the key authentication tool of the service process screens out the network key corresponding to the service process from the network key file through multiple authentication factors, specifically as follows:
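As an added illustration of the mutual monitoring just described (example code written for this page, not taken from the patent): a small supervisor that checks whether its peer is still running, records the monitoring information and alarm, restarts the peer with backoff, and reports "failed" once the restart limit is exhausted, which is the point at which step 104 below takes over. The peer names, command lines, restart limit and delays are assumptions; the two stand-in peers are constructed with the running Python interpreter so the block runs stand-alone.

```python
"""Added example: a watchdog that keeps a peer program alive (the monitoring program
watching the key escrow program, or the reverse), reports failures and restarts it."""
from __future__ import annotations

import os
import subprocess
import sys
import time
from dataclasses import dataclass, field
from typing import List, Optional


def pid_alive(pid: int) -> bool:
    """Liveness check for a peer we did not spawn ourselves (POSIX): signal 0 delivers
    nothing and only reports whether the PID exists."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but belongs to another user
    return True


@dataclass
class Watchdog:
    name: str                      # assumed names: "key-escrow" or "monitor"
    argv: List[str]                # command line used to (re)start the peer
    max_restarts: int = 3          # beyond this the caller must fall back (step 104)
    backoff: float = 0.01          # base delay before a restart, scaled down for the demo
    proc: Optional[subprocess.Popen] = None
    restarts: int = 0
    alerts: List[str] = field(default_factory=list)   # monitoring information / alarm records

    def start(self) -> int:
        self.proc = subprocess.Popen(self.argv)
        return self.proc.pid

    def alive(self) -> bool:
        # poll() also reaps the child, so a crashed peer never lingers as a zombie
        return self.proc is not None and self.proc.poll() is None

    def tick(self) -> str:
        """One supervision round: 'ok', 'restarted', or 'failed' (restart limit hit)."""
        if self.alive():
            return "ok"
        code = None if self.proc is None else self.proc.returncode
        self.alerts.append(f"ALERT {self.name} is not running (exit code {code})")
        if self.restarts >= self.max_restarts:
            self.alerts.append(f"ALERT {self.name}: restart limit reached, fall back to key authentication tool")
            return "failed"
        time.sleep(self.backoff * (2 ** self.restarts))   # exponential backoff
        self.restarts += 1
        self.start()
        self.alerts.append(f"INFO {self.name} restarted as pid {self.proc.pid}")
        return "restarted"

    def stop(self) -> None:
        if self.alive():
            self.proc.terminate()
            self.proc.wait()


# Constructed stand-ins for the peer: one dies immediately, one keeps running.
CRASHING_PEER = [sys.executable, "-c", "import sys; sys.exit(3)"]
STABLE_PEER = [sys.executable, "-c", "import time; time.sleep(30)"]


def supervise(wd: Watchdog, settle: float = 1.0) -> str:
    """Drive the watchdog until the peer has stayed up for `settle` seconds ('ok')
    or the restart limit is exhausted ('failed')."""
    wd.start()
    while True:
        try:
            wd.proc.wait(timeout=settle)     # returns as soon as the peer exits
        except subprocess.TimeoutExpired:
            return "ok"                      # still running after the settle window
        if wd.tick() == "failed":
            return "failed"


if __name__ == "__main__":
    escrow = Watchdog("key-escrow", CRASHING_PEER, max_restarts=2)
    print(supervise(escrow))
    print("\n".join(escrow.alerts))
```

In a real deployment each side runs its own Watchdog against the other's pidfile (using pid_alive for a peer it did not spawn), and the alerts list is what gets reported; the restart limit keeps a crash loop from masking a persistent fault.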
A1, matching a plurality of authentication factors with preset authentication factors.
For example, there are various ways of matching (authentication), and any of the following authentication ways may be selected.
(1) Acquiring the absolute path of the executable file through the PID of the service process, and matching the absolute path with a preset authentication factor.
For example, the symbolic link to the executable file corresponding to the PID is found by opening the /proc/[PID]/exe file, the absolute path of the executable file is resolved with readlink (a function that reads the target of a symbolic link), and the obtained absolute path is compared with a preset path. When the absolute path is completely the same as the preset path, partially the same as it, or matches it as a regular expression, the service process has successfully matched (authenticated) that preset authentication factor of the network key. When a single authentication factor is used for authentication, the network key containing the preset authentication factor is the network key corresponding to the service process; when multiple authentication factors are used, the other authentication factors must also be matched (authenticated).
(2) Calculating a digest over the executable file at the acquired complete path, and matching the calculated value with a preset value.
For example, the digest of the executable file may be calculated with the MD5 message digest algorithm or with the SHA-256 algorithm, and the obtained value is matched with the preset value. When the calculated value is exactly the same as the preset value, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(3) Acquiring the Linux system user name that started the service process through the PID of the service process, and matching the system user name with a preset system user name.
For example, the uid of the service process is obtained by opening the /proc/[pid]/status file, the system user name is then obtained with getpwuid (a function that looks up the user name for a uid), and the obtained system user name is matched with the preset system user name of the network key. When the acquired system user name is the same as the preset system user name, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(4) Acquiring the complete paths of all or some of the library files loaded by the service process through the PID of the service process, and matching the complete paths with preset paths.
For example, open /proc/[pid]/numa_maps, from which the full paths of all loaded library files can be read. When a read complete path is completely the same as the preset path, partially the same as it, or matches it as a regular expression, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(5) Calculating a value for all or some of the library files loaded by the service process at the acquired complete paths, and matching the calculated value with a preset value.
For example, the value corresponding to the complete path may be calculated with the MD5 message digest algorithm or with the SHA-256 algorithm, and the obtained value is matched with a preset value. When the calculated value is exactly the same as the preset value, the service process has successfully matched that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is taken as the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
(6) Acquiring the command line with which the service process was started through the PID of the service process, and matching the command line with a preset command line.
For example, the command line used to start the service process may be obtained by opening /proc/[pid]/cmdline, and the obtained command line is compared with a preset command line. When the command line is the same as the preset command line, the service process has matched (authenticated) that preset authentication factor of the network key; when single-factor authentication is used, the network key containing the preset authentication factor is the network key corresponding to the service process, and when multi-factor authentication is used, the other authentication factors must also be matched.
It should be noted that the preset authentication factors of the service process corresponding to each network key may exist in multiple versions at the same time. For example, version 1 may include the three authentication factors (1), (3) and (5); version 2 may also include the three authentication factors (1), (3) and (5) but with different preset values; and version 3 may include the two authentication factors (2) and (4). The key authentication tool attempts to match versions 1, 2 and 3 in turn; if any version matches, the identity of the network key is determined to be the identity corresponding to the service process, otherwise matching continues with the next network key.
A2, acquiring the identity of the service process corresponding to the authentication factor according to the matching result.
For example, after the key authentication tool of the service process has matched the authentication factors corresponding to the network keys in the network key file, the identity of the service process corresponding to each authentication factor is obtained. For example, if the service process is A, the key authentication tool of A matches the authentication factor corresponding to a network key; if the match succeeds, the identity of the service process corresponding to that authentication factor is A and the identity is marked; if the match fails, the identity of the service process corresponding to that authentication factor is not A, and the identity can be further identified, or matching of the next authentication factor can begin, until the identities corresponding to all the authentication factors in the network key file have been identified.
A3, screening out the network key corresponding to the service process from the network key file according to the identity.
For example, the key authentication tool of the service process marks each authentication factor whose identity is the identity corresponding to the service process, and obtains the network key corresponding to the marked authentication factor; the obtained network key is the network key corresponding to the service process, and it may be a single network key or multiple network keys.
Optionally, in some embodiments, referring to fig. 4, the terminal and the server may be a node in a data sharing system, where the data sharing system is a system for performing data sharing between nodes, the data sharing system may include a plurality of nodes, and the plurality of nodes may refer to each network device in the data sharing system. Each node stores an identical blockchain, and the network key acquisition device can store the network key file into the blockchain, so as to share data with other network devices.
As can be seen from the above, after receiving a read request, the read request is used to instruct a service process to read a network key file, obtain an identity of the service process based on the read request, and then, when a key escrow program is not invalid, authorize the service process based on the identity, so that the service process reads the network key file through the key escrow program to obtain a network key corresponding to the service process; according to the scheme, the service process obtains the network key through the key escrow program, when the key escrow program fails, the key authentication tool is adopted to ensure that the service process obtains the network key, and the availability and the safety of the network key are guaranteed to the greatest extent, so that the disaster tolerance of the service process for obtaining the network key can be greatly improved.
The method described in the above examples is further illustrated in detail below by way of example.
In this embodiment, an example in which the network key acquisition apparatus is specifically integrated in an electronic device will be described.
As shown in fig. 5, a method for acquiring a network key includes the following specific steps:
201. The electronic device acquires at least one network key file and encrypts the network key file.
For example, the electronic device may obtain at least one network key file by receiving a key of a network input and set by a user, may automatically generate the network key file by a specific identifier input by the user, may further screen account and password information from information or files stored by the user, and encrypt and store the screened information to obtain the network key file.
The electronic device may embed the same static encryption key in the key authentication tool and the key escrow program. On the local device where the key escrow program and the key authentication tool are deployed, it obtains local identification information that uniquely identifies the local device, such as the physical address (MAC) of the local device, central processing unit (CPU) information, motherboard information, and the like, and performs a hash calculation over the static key and the local identification information; the hash algorithm may be SHA-256, which yields a 256-bit hash value. The 256-bit hash value obtained from the hash calculation is used as a new encryption key, and the obtained network key file is encrypted with this new encryption key to obtain an encrypted network key file. The encrypted network key file can then be decrypted only by the key authentication tool or the key escrow program together with the local identification information of the local device.
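An added example (not the patent's code) of the key binding described in step 201 and of the static-key legality check in step 104(1): both programs hold the same static key, each hashes it together with the local identification information to get the 256-bit file key, and the identity check compares a presented static key against a stored fingerprint in constant time rather than keeping the raw key around. The identifier sources (uuid.getnode for the MAC, the DMI files under /sys/class/dmi/id and /proc/cpuinfo) are assumptions for a Linux host; the length-prefixed hashing is a hardening on top of the plain concatenation the page describes; the static key and the two host records are constructed values. The file cipher that uses the derived key (an AEAD such as AES-256-GCM from a crypto library) is not shown.

```python
"""Added example: bind the network key file's encryption key to the local device
(step 201) and verify a key authentication tool's static key (step 104(1))."""
import hashlib
import hmac
import uuid
from typing import Dict


def collect_local_identification() -> Dict[str, str]:
    """Identifiers of the local device: primary MAC from uuid.getnode(), plus DMI board
    serial / product UUID and the CPU model where readable (Linux paths; assumption)."""
    ident = {"mac": "%012x" % uuid.getnode()}
    for name in ("board_serial", "product_uuid"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as fh:
                ident[name] = fh.read().strip()
        except OSError:
            ident[name] = ""            # absent or needs root: contributes nothing
    try:
        with open("/proc/cpuinfo") as fh:
            ident["cpu"] = next((l.split(":", 1)[1].strip() for l in fh if l.startswith("model name")), "")
    except OSError:
        ident["cpu"] = ""
    return ident


def derive_file_key(static_key: bytes, ident: Dict[str, str]) -> bytes:
    """SHA-256 over the static key and the local identification, as in step 201.
    Every field is length-prefixed and taken in a fixed order, so two different
    identification sets cannot be made to hash to the same 256-bit key."""
    h = hashlib.sha256()
    h.update(len(static_key).to_bytes(4, "big") + static_key)
    for name in sorted(ident):
        for part in (name.encode(), ident[name].encode()):
            h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()          # 32 bytes: the key for the file cipher


def key_check_value(file_key: bytes) -> bytes:
    """Short tag letting the escrow program and the key authentication tool confirm they
    derived the same file key without exposing the key itself."""
    return hmac.new(file_key, b"network-key-file kcv", hashlib.sha256).digest()[:8]


def static_key_fingerprint(static_key: bytes) -> bytes:
    """What the legality check stores instead of the static key itself."""
    return hashlib.sha256(b"static-key-fingerprint\x00" + static_key).digest()


def tool_is_legal(presented_static_key: bytes, stored_fingerprint: bytes) -> bool:
    """Step 104(1): compare the tool's static key with the preset one, in constant time."""
    return hmac.compare_digest(static_key_fingerprint(presented_static_key), stored_fingerprint)


# Constructed values for a stand-alone run; a real deployment embeds the static key in
# both programs at build time and calls collect_local_identification() at run time.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
HOST_A = {"mac": "001122334455", "board_serial": "SN-A", "product_uuid": "uuid-a", "cpu": "model-a"}
HOST_B = {"mac": "001122334455", "board_serial": "SN-B", "product_uuid": "uuid-b", "cpu": "model-a"}


def demo() -> Dict[str, bool]:
    escrow_key = derive_file_key(STATIC_KEY, HOST_A)   # key escrow program on host A
    tool_key = derive_file_key(STATIC_KEY, HOST_A)     # key authentication tool on host A
    copied_key = derive_file_key(STATIC_KEY, HOST_B)   # the same file copied to host B
    fp = static_key_fingerprint(STATIC_KEY)
    return {
        "same_host_agrees": key_check_value(escrow_key) == key_check_value(tool_key),
        "other_host_differs": escrow_key != copied_key,
        "legal_tool": tool_is_legal(STATIC_KEY, fp),
        "rogue_tool": tool_is_legal(b"guess", fp),
    }


if __name__ == "__main__":
    print(demo())
    print("this host:", derive_file_key(STATIC_KEY, collect_local_identification()).hex())
```

The demo shows the property the scheme relies on: the same static key on the same device yields the same file key for both programs, while a copy of the encrypted file on another device derives a different key and cannot open it. Note that a different MAC alone is enough to change the key, so swapping a NIC invalidates the file just as copying it does.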
202. The electronic device receives a read request, wherein the read request is used for instructing a service process to read the network key file.
For example, when a service process is started or operated, a necessary network key file needs to be loaded, at this time, the service process sends a request for reading the network key file, and the electronic device receives the read request, for example, when a social program is started, the user needs to be prompted to input an account and a password, when the user input is completed, the service process tries to directly read the network key file after receiving a user input completion instruction, and then triggers generation of request information for reading the network key input by the user, the service process sends the generated request information to the electronic device, and the electronic device receives the read request information of the network key corresponding to target information input by the user, which is read by the service process.
203. Based on the reading request, the electronic equipment acquires the identity of the service process.
For example, the key escrow program in the electronic device registers a monitoring service, such as a fanotify service (a Linux file-system event monitoring interface), which generates a monitoring process; the key escrow program uses this monitoring process to watch events on the network key file. When the monitoring process uses the global file monitoring mode (Global mode) and any process attempts to read the network key file, the monitoring process obtains the PID of the service process reading the network key file and sends monitoring information consisting of the read event and the PID of the service process to the key escrow program. The monitoring process can also monitor other events, such as write events and move events: for a write event, when any service process writes to a network key file, the monitoring process obtains the PID of the service process and sends monitoring information consisting of the write event and the PID to the key escrow program; for a move event, such as when any service process attempts to copy a network key file off the local device on which it is deployed, the monitoring process obtains the PID of the service process and sends monitoring information consisting of the move event and the PID to the key escrow program.
Optionally, when an older Linux kernel version does not support fanotify, the electronic device registers an inotify watch for the key read event (IN_ACCESS) and establishes monitoring on each network key file and on the directory where the network key file is located. With this network key file monitor in place, a key read event can be observed when it occurs, the PID of the service process is obtained, and monitoring information consisting of the read event and the PID is sent to the key escrow program. The monitoring process can likewise monitor other events, such as write events and move events: for a write event, when any service process writes to a network key file, the monitoring process obtains the PID of the service process and sends monitoring information consisting of the write event and the PID to the key escrow program; for a move event, such as when any service process attempts to copy a network key file off the local device on which it is deployed, the monitoring process obtains the PID of the service process and sends monitoring information consisting of the move event and the PID to the key escrow program.
204. When the key escrow program is not invalid, the electronic device authorizes the service process based on the identity, so that the service process reads the network key file through the key escrow program to obtain the network key corresponding to the service process.
For example, the electronic device sends the read event captured by the registered monitoring process and the PID of the service process to the key escrow program for identification, and the key escrow program identifies the received PID of the service process. For example, the acquired network key file may include the PID of the service process corresponding to each network key; the key escrow program stores this PID as a preset PID. After the key escrow program receives the monitoring information, it compares the PID in the monitoring information with the preset PID; when the PID of the service process in the monitoring information matches the preset PID, the key escrow program decrypts the network key file and then authorizes the service process to read the decrypted network key file to obtain the network key corresponding to the service process. When the identity is that of another service process, the service process is refused to read the network key file through the key escrow program; for example, when the PID of the service process in the monitoring information does not match the preset PID, the key escrow program triggers a callback function, generates an instruction refusing the read of the network key file according to the callback function, and directly refuses the service process's read of the network key file according to that instruction. When a service process is refused a read of the network key file, the collected read information can be reported and corresponding warning information generated as a prompt.
Optionally, the electronic device may further screen out, through the key authentication tool of the service process, the network key corresponding to the service process from the network key file by using multiple authentication factors, which is specifically as follows:
s1, the electronic equipment matches the multiple authentication factors with the preset authentication factors
For example, there are various ways of matching (authentication), and the following various authentication ways may be selected.
(1) The electronic device obtains the absolute path of the executable file through the PID of the service process and matches it against the preset authentication factor; when the absolute path is completely the same as the preset path, partially the same as it, or matches its regular expression, the service process has successfully matched (authenticated) the preset authentication factor in the network key.
(2) The electronic device computes a value over the complete path of the obtained executable file and matches the computed value against a preset value; when the two are identical, the service process has successfully matched the preset authentication factor in the network key.
(3) The electronic device obtains, through the PID of the service process, the Linux system user name under which the service process was started and matches it against the preset system user name; when the two are the same, the service process has successfully matched the preset authentication factor in the network key.
(4) The electronic device obtains, through the PID of the service process, the complete paths of all or some of the library files loaded by the service process and matches them against the preset path; when a read complete path is completely the same as, partially the same as, or matches the preset path, the service process has successfully matched the preset authentication factor in the network key.
(5) The electronic device computes a value over the complete paths of all or some of the library files loaded by the service process and matches the computed value against the preset value; when the two are identical, the service process has successfully matched the preset authentication factor in the network key.
(6) The electronic device obtains, through the PID of the service process, the command line with which the service process was started and matches it against a preset command line; when the two are the same, the service process has successfully matched the preset authentication factor in the network key.
It should be noted that the preset authentication factors of the service process corresponding to each network key may exist in several versions at the same time. For example, version 1 may consist of the three authentication factors (1), (3) and (5); version 2 may consist of the same three factors (1), (3) and (5) but with different preset values; and version 3 may consist of the two factors (2) and (4). The key authentication tool then tries to match versions 1, 2 and 3 in turn: if any version matches, the identity of the network key is determined to be the identity corresponding to the service process; otherwise, matching continues with the next network key.
S2. According to the matching result, the electronic device obtains the identity of the service process corresponding to the authentication factor.
For example, after the key authentication tool of a service process in the electronic device has matched the authentication factors corresponding to a network key in the network key file, the identity of the service process corresponding to each authentication factor is obtained. Suppose the service process is A: the key authentication tool of A matches the authentication factor corresponding to the network key. If the match succeeds, the identity of the service process corresponding to that authentication factor is A, and that identity is marked; if the match fails, the identity of the service process corresponding to that authentication factor is not A, and either the identity is identified further or matching of the next authentication factor begins, until all identities corresponding to the authentication factors in the network key file have been identified.
S3. According to the identity, the electronic device screens out the network key corresponding to the service process from the network key file.
For example, the key authentication tool of a service process in the electronic device marks each authentication factor whose identity is the identity corresponding to the service process and, from the marked authentication factors, obtains the corresponding network keys. The keys obtained in this way are the network keys corresponding to the service process; there may be a single one or several.
Optionally, the electronic device may create a monitoring program for the key escrow program. When the key escrow program starts, it triggers an instruction that starts the monitoring program, and the two are set to monitor each other: the monitoring program monitors the key escrow program, and the key escrow program in turn monitors the monitoring program. Through the monitoring program, the key escrow program is kept in a normal running state. For example, when the monitoring program detects that the key escrow program has failed or crashed, it reports this monitoring information, generates alarm information, triggers a restart instruction for the key escrow program, and restarts the key escrow program according to that instruction. When the monitoring program itself fails or crashes, the key escrow program likewise triggers a restart instruction for the monitoring program and restarts it.
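The restart-with-alarm loop described above, written out as an added Go example; it is not code from the patent or its assignee. The supervised program is modelled as a function returning an error (a constructed stand-in for observing a real process), the alarm is a callback, and the restart budget is an assumed policy parameter: once it is exhausted the loop reports the "restart of the key escrow program fails" condition that step 205 below uses to switch reads over to the key authentication tool. Either side of the mutual monitoring can run the same loop against the other.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Alarm is the alarm information the monitoring program generates for one observed failure.
type Alarm struct {
	Program  string // which program failed
	Failures int    // failures observed so far, including this one
	Err      error  // what the program reported
}

// ErrRestartExhausted is returned when the restart policy gives up; under step 205 this is the
// "restart of the key escrow program fails" condition that moves reads to the key authentication tool.
var ErrRestartExhausted = errors.New("key escrow program: restart failed")

// Supervise runs program, restarts it after each failure (at most maxRestarts times, pausing delay
// between attempts so a crash loop does not spin) and raises an Alarm for every failure. It returns
// how many restarts were performed. The monitor supervises the escrow program with this loop, and
// the escrow program can supervise the monitor with the same loop (the mutual monitoring in the text).
func Supervise(name string, program func() error, maxRestarts int, delay time.Duration, alarm func(Alarm)) (int, error) {
	restarts := 0
	for {
		err := program()
		if err == nil {
			return restarts, nil // clean exit: nothing to restart
		}
		alarm(Alarm{Program: name, Failures: restarts + 1, Err: err})
		if restarts >= maxRestarts {
			return restarts, fmt.Errorf("%w after %d restarts: %v", ErrRestartExhausted, restarts, err)
		}
		restarts++
		time.Sleep(delay)
	}
}

// Crashing builds a program that fails the first n times it runs (a constructed stand-in for a real process).
func Crashing(n int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= n {
			return fmt.Errorf("crash %d", calls)
		}
		return nil
	}
}

func main() {
	log := func(a Alarm) { fmt.Printf("alarm: %s failed (%v), failure #%d\n", a.Program, a.Err, a.Failures) }
	n, err := Supervise("key-escrow", Crashing(2), 5, 10*time.Millisecond, log)
	fmt.Println("restarts:", n, "err:", err)
	n, err = Supervise("key-escrow", Crashing(100), 3, 0, log)
	fmt.Println("restarts:", n, "err:", err, "-> fall back to key authentication tool:", errors.Is(err, ErrRestartExhausted))
}
```

The caller decides what to do with `ErrRestartExhausted`; keeping that decision outside the loop is what lets the same function serve both programs.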
205. When the key escrow program has failed, the electronic device, based on the identity, authorizes the key authentication tool of the service process to read the network key file and screens out the network key corresponding to the service process from the read network key file.
(1) When the restart of the key escrow program fails, or when the key escrow program and the monitoring program fail at the same time, the electronic device checks the validity of the key authentication tool of the service process according to the identity.
For example, when the restart of the key escrow program fails, or when the key escrow program and the monitoring program fail at the same time, the electronic device uses the obtained identity of the service process to locate the corresponding service process and queries the related information of its key authentication tool, such as the static key used to decrypt the network key file. It compares the queried static key with a preset static key: when they match, the key authentication tool of the service process is determined to be valid; when they do not match, it is determined to be invalid.
(2) When the key authentication tool of the service process is valid, the electronic device authorizes the key authentication tool to read the network key file.
For example, when the key authentication tool of the service process is valid, the electronic device authorizes the key authentication tool to obtain local identification information such as the physical address, CPU information and/or motherboard information of the local device, and to decrypt the network key file based on this local identification information and the static key held by the key authentication tool. After decryption, the service process can read the network key file directly.
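The two steps just described, the static-key validity check and the decryption bound to local identification information, as an added Go example that is not the patent's own code. The patent names neither the key derivation nor the cipher, so both are assumptions here: an HMAC-SHA256 extract-then-expand over the static key salted with the device identity, and AES-256-GCM for the file itself. The identity strings and the static key in `main` are constructed sample values; a deployment would read the MAC address, CPU and motherboard information from the hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// LocalIdentity is the local identification information named in the text: the device's
// physical (MAC) address, CPU information and/or motherboard information.
type LocalIdentity struct {
	MAC, CPU, Board string
}

// DeriveFileKey binds the file key to both the tool's static key and the device identity, so a
// key file copied to another machine cannot be opened there. It is an HKDF-style extract-then-
// expand built from HMAC-SHA256; the patent does not specify a derivation, so this is an assumption.
func DeriveFileKey(static []byte, id LocalIdentity) []byte {
	salt := sha256.Sum256([]byte(id.MAC + "|" + id.CPU + "|" + id.Board))
	extract := hmac.New(sha256.New, salt[:])
	extract.Write(static)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("network-key-file v1\x01"))
	return expand.Sum(nil) // 32 bytes: an AES-256 key
}

// VerifyStaticKey is the validity check of step (1): compare the tool's static key with the
// preset one in constant time so the comparison leaks nothing about the preset value.
func VerifyStaticKey(queried, preset []byte) bool {
	return hmac.Equal(queried, preset)
}

func newGCM(fileKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptKeyFile seals the plaintext key file with AES-256-GCM; the output is nonce || ciphertext+tag.
func EncryptKeyFile(fileKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptKeyFile opens a sealed key file; a wrong key, a modified file or a truncated file all fail.
func DecryptKeyFile(fileKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed key file too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// OpenKeyFile is the fallback read path of step (2): check the tool's static key, derive the
// device-bound file key, decrypt. Any failure is a refusal; no partial plaintext is returned.
func OpenKeyFile(queriedStatic, presetStatic []byte, id LocalIdentity, sealed []byte) ([]byte, error) {
	if !VerifyStaticKey(queriedStatic, presetStatic) {
		return nil, errors.New("key authentication tool rejected: static key mismatch")
	}
	return DecryptKeyFile(DeriveFileKey(presetStatic, id), sealed)
}

func main() {
	// Constructed sample values; a real deployment reads the identity from the hardware.
	static := []byte("constructed-static-key-32-bytes!")
	id := LocalIdentity{MAC: "02:00:00:00:00:01", CPU: "cpu-model-x", Board: "board-serial-123"}
	sealed, err := EncryptKeyFile(DeriveFileKey(static, id), []byte(`{"svc-a":"key-a"}`))
	if err != nil {
		panic(err)
	}
	plain, err := OpenKeyFile(static, static, id, sealed)
	fmt.Printf("same device: %s err=%v\n", plain, err)
	_, err = OpenKeyFile(static, static, LocalIdentity{MAC: "02:00:00:00:00:02"}, sealed)
	fmt.Println("other device: err =", err)
}
```

Because the identity is mixed into the key rather than merely checked, a file copied to a machine with different identification information fails GCM authentication instead of decrypting to garbage; that is the property a practitioner should verify when reviewing an implementation of this step.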
(3) The electronic device screens out the network key corresponding to the service process from the read network key file.
For example, the key authentication tool of the service process may screen the network key corresponding to the service process out of the network key file using multiple authentication factors, specifically as follows:
C1. The electronic device matches the multiple authentication factors against the preset authentication factors.
For example, there are various ways of matching (authentication), and any of the following may be selected:
(1) The electronic device obtains the absolute path of the executable file through the PID of the service process and matches it against the preset authentication factor; when the absolute path is completely the same as the preset path, partially the same as it, or matches its regular expression, the service process has successfully matched (authenticated) the preset authentication factor in the network key.
(2) The electronic device computes a value over the complete path of the obtained executable file and matches the computed value against a preset value; when the two are identical, the service process has successfully matched the preset authentication factor in the network key.
(3) The electronic device obtains, through the PID of the service process, the Linux system user name under which the service process was started and matches it against the preset system user name; when the two are the same, the service process has successfully matched the preset authentication factor in the network key.
(4) The electronic device obtains, through the PID of the service process, the complete paths of all or some of the library files loaded by the service process and matches them against the preset path; when a read complete path is completely the same as, partially the same as, or matches the preset path, the service process has successfully matched the preset authentication factor in the network key.
(5) The electronic device computes a value over the complete paths of all or some of the library files loaded by the service process and matches the computed value against the preset value; when the two are identical, the service process has successfully matched the preset authentication factor in the network key.
(6) The electronic device obtains, through the PID of the service process, the command line with which the service process was started and matches it against a preset command line; when the two are the same, the service process has successfully matched the preset authentication factor in the network key.
It should be noted that the preset authentication factors of the service process corresponding to each network key may exist in several versions at the same time. For example, version 1 may consist of the three authentication factors (1), (3) and (5); version 2 may consist of the same three factors (1), (3) and (5) but with different preset values; and version 3 may consist of the two factors (2) and (4). The key authentication tool then tries to match versions 1, 2 and 3 in turn: if any version matches, the identity of the network key is determined to be the identity corresponding to the service process; otherwise, matching continues with the next network key.
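The six authentication factors and the versioned matching, as listed under step S1 above and again under C1 here, written out as an added Go example; it is not code from the patent or its assignee. The process facts are supplied directly so the matching runs offline; on Linux a collector would fill them from /proc/<pid>/exe, the owner uid of /proc/<pid>, /proc/<pid>/maps and /proc/<pid>/cmdline (kernel procfs paths, not the patent's). Two readings are assumptions: "partially the same" is taken as a prefix match, and the "calculated value" of factors (2) and (5) is taken to be a SHA-256 digest of the file's bytes. The `KindExe` family of names, the `re:` prefix for regular-expression factors and every sample value are constructed for the example. A factor of unknown kind never matches, so a mistyped policy fails closed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessInfo is what the key authentication tool learns about a process from its PID. On Linux a
// collector fills it from /proc/<pid>/exe, the owner uid of /proc/<pid>, /proc/<pid>/maps and
// /proc/<pid>/cmdline; here the values are supplied directly so the matching logic runs offline.
type ProcessInfo struct {
	ExePath    string            // absolute executable path (factor 1)
	ExeDigest  string            // hex SHA-256 of the executable's bytes (factor 2; the computation is assumed)
	UserName   string            // system user that started the process (factor 3)
	LibDigests map[string]string // loaded library path -> hex SHA-256 of its bytes (factors 4 and 5)
	CmdLine    string            // command line the process was started with (factor 6)
}

// The six factor kinds, numbered (1)..(6) as in the text.
const KindExe, KindExeDigest, KindUser, KindLib, KindLibDigest, KindCmd = "exe", "exe-digest", "user", "lib", "lib-digest", "cmdline"

// Factor is one preset factor; Value is a path, a "re:"-prefixed regular expression,
// a hex digest, a user name or a command line, depending on Kind.
type Factor struct {
	Kind  string
	Value string
}

// KeyEntry is one network key in the key file with its owner's identity and its factor versions.
type KeyEntry struct {
	Identity string
	Versions [][]Factor
	Key      []byte
}

// matchPath implements "completely the same, partially the same, or matches the regular expression";
// "partially the same" is read here as a prefix match (an interpretation, not the patent's wording).
func matchPath(got, preset string) bool {
	if strings.HasPrefix(preset, "re:") {
		re, err := regexp.Compile(preset[3:])
		return err == nil && re.MatchString(got)
	}
	return got == preset || strings.HasPrefix(got, preset)
}

// Match checks one factor against the collected process facts; unknown kinds never match.
func (f Factor) Match(p ProcessInfo) bool {
	switch f.Kind {
	case KindExe:
		return matchPath(p.ExePath, f.Value)
	case KindExeDigest:
		return p.ExeDigest == f.Value
	case KindUser:
		return p.UserName == f.Value
	case KindCmd:
		return p.CmdLine == f.Value
	}
	for path, digest := range p.LibDigests { // factors 4 and 5: any loaded library may satisfy them
		if (f.Kind == KindLib && matchPath(path, f.Value)) || (f.Kind == KindLibDigest && digest == f.Value) {
			return true
		}
	}
	return false
}

// MatchVersions tries each version in turn (step S1/C1) and returns the index of the
// first one whose factors all match, or -1 when none does.
func MatchVersions(p ProcessInfo, versions [][]Factor) int {
	for i, v := range versions {
		matched := len(v) > 0
		for _, f := range v {
			matched = matched && f.Match(p)
		}
		if matched {
			return i
		}
	}
	return -1
}

// ScreenKeys performs steps S2/S3: an entry with a matching version is marked as belonging
// to the requesting process and returned; entries matching no version are skipped.
func ScreenKeys(p ProcessInfo, entries []KeyEntry) []KeyEntry {
	var mine []KeyEntry
	for _, e := range entries {
		if MatchVersions(p, e.Versions) >= 0 {
			mine = append(mine, e)
		}
	}
	return mine
}

func main() {
	// Constructed sample: a process and a key entry whose version 1 it satisfies.
	p := ProcessInfo{ExePath: "/opt/svc-a/bin/svc-a", UserName: "svca", LibDigests: map[string]string{"/usr/lib/libssl.so.3": "ab12"}}
	e := KeyEntry{Identity: "svc-a", Key: []byte("key-a"), Versions: [][]Factor{{{KindExe, "/opt/svc-a/bin/svc-a"}, {KindUser, "svca"}, {KindLibDigest, "ab12"}}}}
	fmt.Println("matched version:", MatchVersions(p, e.Versions), "keys:", len(ScreenKeys(p, []KeyEntry{e})))
}
```

All factors of a version must hold for that version to count, and versions are tried in order, which is the behaviour the note on versions 1, 2 and 3 describes.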
C2. According to the matching result, the electronic device obtains the identity of the service process corresponding to the authentication factor.
For example, after the key authentication tool of a service process in the electronic device has matched the authentication factors corresponding to a network key in the network key file, the identity of the service process corresponding to each authentication factor is obtained. Suppose the service process is A: the key authentication tool of A matches the authentication factor corresponding to the network key. If the match succeeds, the identity of the service process corresponding to that authentication factor is A, and that identity is marked; if the match fails, the identity of the service process corresponding to that authentication factor is not A, and either the identity is identified further or matching of the next authentication factor begins, until all identities corresponding to the authentication factors in the network key file have been identified.
C3. According to the identity, the electronic device screens out the network key corresponding to the service process from the network key file.
For example, the key authentication tool of a service process in the electronic device marks each authentication factor whose identity is the identity corresponding to the service process and, from the marked authentication factors, obtains the corresponding network keys. The keys obtained in this way are the network keys corresponding to the service process; there may be a single one or several.
Optionally, in an embodiment, the network key obtaining method further includes storing the network key file in a blockchain.
Referring to fig. 4, the electronic device integrating the network key obtaining apparatus is a node in a data sharing system. Each node in the data sharing system can receive input information during normal operation and maintain the shared data in the system based on the received input information. To ensure that information can be exchanged within the data sharing system, an information connection may exist between any two nodes, over which information is transmitted. For example, when any node in the data sharing system receives input information, the other nodes acquire that input information according to a consensus algorithm and store it as data in the shared data, so that the data stored on all nodes in the data sharing system is consistent.
Each node in the data sharing system has a corresponding node identifier, and each node may store the node identifiers of the other nodes in the system, so that a block it generates can later be broadcast to those nodes according to their node identifiers. Each node may maintain a node identifier list such as the following table, which stores node names together with their node identifiers. The node identifier may be an IP (Internet Protocol) address or any other information that identifies the node; the following table uses the IP address only as an example.
Node name    Node identifier
Node 1       117.114.151.174
Node 2       117.116.189.145
Node N       119.123.789.258
Each node in the data sharing system stores one identical blockchain. As shown in fig. 6, the blockchain consists of a plurality of blocks. The starting block comprises a block header and a block body: the block header stores the feature value of the input information, a version number, a timestamp and a difficulty value, and the block body stores the input information. The next block takes the starting block as its parent block and likewise comprises a block header and a block body; its block header stores the feature value of the current block's input information, the block-header feature value of the parent block, the version number, the timestamp, the difficulty value and so on. In this way the block data stored in each block of the blockchain is linked to the block data stored in its parent block, which secures the input information in the blocks.
Referring to fig. 7, when each block in the blockchain is generated, the node holding the blockchain verifies the input information it receives; once verification is complete, the input information is stored in the memory pool and the hash tree recording the input information is updated. The node then sets the update timestamp to the time at which the input information was received, tries different random numbers, and computes the feature value repeatedly until it satisfies the following formula:
SHA256(SHA256(version + prev_hash + merkle_root + ntime + nbits + x)) < TARGET
where SHA256 is the feature value algorithm used to compute the feature value; version is the version information of the block protocol used in the blockchain; prev_hash is the block-header feature value of the parent block of the current block; merkle_root is the feature value of the input information; ntime is the update time of the update timestamp; nbits is the current difficulty, which is a fixed value within a period of time and is determined again after that period has elapsed; x is the random number; and TARGET is the feature threshold, which can be determined from nbits.
Therefore, when a random number satisfying the formula is found, the information can be stored accordingly, and the block header and block body are generated to obtain the current block. The node holding the blockchain then sends the newly generated block to the other nodes in its data sharing system according to their node identifiers; the other nodes verify the newly generated block and, after verification is complete, add it to the blockchain they store.
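The block generation just described, as an added Go example that is not the patent's own code: the header fields named in the formula are serialized, the feature value SHA256(SHA256(...)) is computed, TARGET is expanded from nbits, and random numbers x are tried until the inequality holds. The text lists the fields but fixes neither their byte layout nor how TARGET follows from nbits, so the 80-byte little-endian layout and the compact mantissa-times-256^(exponent-3) expansion are assumptions; the Merkle tree over the input information (pairwise double hashing, duplicating the last node of an odd level) is likewise one conventional choice. The input records and the low difficulty in `main` are constructed so the search finishes in a few hundred tries.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Header carries the fields named in the formula: version, prev_hash, merkle_root, ntime, nbits and x.
type Header struct {
	Version    uint32
	PrevHash   [32]byte // block-header feature value of the parent block
	MerkleRoot [32]byte // feature value of the input information
	NTime      uint32   // update timestamp
	NBits      uint32   // compact difficulty
	Nonce      uint32   // the random number x
}

// dsha is the feature value algorithm SHA256(SHA256(.)).
func dsha(b []byte) [32]byte {
	first := sha256.Sum256(b)
	return sha256.Sum256(first[:])
}

// Serialize concatenates the fields in the formula's order; the fixed 80-byte little-endian
// layout is a constructed choice, the text only lists the fields.
func (h Header) Serialize() []byte {
	var buf [80]byte
	binary.LittleEndian.PutUint32(buf[0:4], h.Version)
	copy(buf[4:36], h.PrevHash[:])
	copy(buf[36:68], h.MerkleRoot[:])
	binary.LittleEndian.PutUint32(buf[68:72], h.NTime)
	binary.LittleEndian.PutUint32(buf[72:76], h.NBits)
	binary.LittleEndian.PutUint32(buf[76:80], h.Nonce)
	return buf[:]
}

// FeatureValue is the left-hand side of the formula.
func FeatureValue(h Header) [32]byte { return dsha(h.Serialize()) }

// TargetFromBits expands the compact difficulty nbits into TARGET as mantissa * 256^(exponent-3)
// (the usual compact encoding; the text says only that TARGET "can be determined from nbits").
func TargetFromBits(nbits uint32) *big.Int {
	exp := int(nbits >> 24)
	mant := new(big.Int).SetUint64(uint64(nbits & 0x007fffff))
	if exp <= 3 {
		return mant.Rsh(mant, uint(8*(3-exp)))
	}
	return mant.Lsh(mant, uint(8*(exp-3)))
}

// MeetsTarget is the inequality, reading the 32-byte feature value as a big-endian integer.
func MeetsTarget(feature [32]byte, target *big.Int) bool {
	return new(big.Int).SetBytes(feature[:]).Cmp(target) < 0
}

// Mine tries successive random numbers x until the feature value meets TARGET; ok is false when
// maxTries run out, in which case a real node would refresh ntime and continue.
func Mine(h Header, maxTries uint32) (found Header, feature [32]byte, ok bool) {
	target := TargetFromBits(h.NBits)
	for x := uint32(0); x < maxTries; x++ {
		h.Nonce = x
		if fv := FeatureValue(h); MeetsTarget(fv, target) {
			return h, fv, true
		}
	}
	return h, [32]byte{}, false
}

// MerkleRoot reduces the input information records to the merkle_root feature value by pairwise
// double hashing, duplicating the last node of an odd level.
func MerkleRoot(inputs [][]byte) [32]byte {
	if len(inputs) == 0 {
		return [32]byte{}
	}
	level := make([][32]byte, len(inputs))
	for i, in := range inputs {
		level[i] = dsha(in)
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][32]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next = append(next, dsha(append(append([]byte{}, level[i][:]...), level[i+1][:]...)))
		}
		level = next
	}
	return level[0]
}

func main() {
	// Constructed input information; nbits is chosen low so the search finishes in a few hundred tries.
	root := MerkleRoot([][]byte{[]byte("input-1"), []byte("input-2"), []byte("input-3")})
	h := Header{Version: 1, MerkleRoot: root, NTime: uint32(time.Now().Unix()), NBits: 0x2000ffff}
	found, fv, ok := Mine(h, 1<<24)
	fmt.Printf("found=%v x=%d feature=%s\n", ok, found.Nonce, hex.EncodeToString(fv[:]))
}
```

Verification by the other nodes is the same computation without the search: recompute the feature value from the received header and check it against the TARGET implied by nbits, which is why every field, prev_hash included, must be bound into the hash.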
As can be seen from the above, after the electronic device receives a read request instructing a service process to read the network key file, it obtains the identity of the service process based on the read request; then, while the key escrow program has not failed, it authorizes the service process based on the identity, so that the service process reads the network key file through the key escrow program to obtain its network key. In this scheme the service process obtains the network key through the key escrow program, and when the key escrow program fails, the key authentication tool is used to ensure that the service process still obtains the network key. The availability and security of the network key are thus guaranteed to the greatest extent, which greatly improves the disaster tolerance of network key acquisition by the service process.
In order to better implement the above method, an embodiment of the present invention further provides a network key obtaining apparatus, which may be integrated in an electronic device such as a server or a terminal, where the terminal may be a tablet computer, a notebook computer and/or a personal computer.
For example, as shown in fig. 8, the network key obtaining apparatus may include a receiving unit 301, an obtaining unit 302, a first authorizing unit 303, and a second authorizing unit 304, as follows:
(1) Receiving unit 301
The receiving unit 301 is configured to receive a read request, where the read request instructs a service process to read a network key file.
For example, the receiving unit 301 is specifically configured as follows: when the service process is started or running it must load a necessary network key file, so it sends a request to read the network key file, and the receiving unit 301 receives this request information, which asks that the service process read the network key corresponding to the target information entered by the user.
(2) Obtaining unit 302
The obtaining unit 302 is configured to obtain the identity of the service process based on the read request.
For example, the obtaining unit 302 is specifically configured to register a monitoring service for the key escrow program and generate a monitoring process; the key escrow program uses the monitoring process to monitor events on the network key file, and when any process attempts to read the network key file, the monitoring process obtains the PID of that service process.
(3) First authorization unit 303
The first authorization unit 303 is configured to authorize the service process based on the identity while the key escrow program has not failed, so that the service process reads the network key file through the key escrow program to obtain the network key corresponding to the service process.
The first authorization unit 303 may include a first identification subunit 3031, a first authorization subunit 3032 and a rejection subunit 3033, as shown in fig. 9, specifically as follows:
The first identification subunit 3031 is configured to send the identity to the key escrow program for identification;
The first authorization subunit 3032 is configured to authorize the service process to read the network key file, so as to obtain the network key corresponding to the service process, when the identity is the identity corresponding to a service process preset in the key escrow program;
The rejection subunit 3033 is configured to have the key escrow program refuse the service process's read of the network key file when the identity is the identity corresponding to another service process.
For example, the first identification subunit 3031 sends the identity to the key escrow program for identification. When the identity corresponds to a service process preset in the key escrow program, the first authorization subunit 3032 authorizes the service process to read the network key file and obtain its network key; when the identity corresponds to another service process, the rejection subunit 3033 has the key escrow program refuse the service process's read of the network key file.
(4) Second authorization unit 304
The second authorization unit 304 is configured to, when the key escrow program has failed, authorize the key authentication tool of the service process, based on the identity, to read the network key file, and to screen the network key corresponding to the service process out of the read network key file.
The second authorization unit 304 may include a second identification subunit 3041, a second authorization subunit 3042 and a screening subunit 3043, as shown in fig. 10, specifically as follows:
The second identification subunit 3041 is configured to check, according to the identity, the validity of the key authentication tool of the service process when the restart of the key escrow program fails or when the key escrow program and the monitoring program fail at the same time;
The second authorization subunit 3042 is configured to authorize the key authentication tool to read the network key file when the key authentication tool is valid;
The screening subunit 3043 is configured to screen the network key corresponding to the service process out of the read network key file.
For example, when the restart of the key escrow program fails, or when the key escrow program and the monitoring program fail at the same time, the second identification subunit 3041 checks the validity of the key authentication tool of the service process according to the identity; when the key authentication tool is valid, the second authorization subunit 3042 authorizes it to read the network key file, and the screening subunit 3043 screens the network key corresponding to the service process out of the read network key file.
Optionally, the network key obtaining apparatus may further include an encryption apparatus 305, as shown in fig. 11.
The encryption apparatus 305 is configured to encrypt the obtained network key file.
The encryption apparatus 305 may include a first obtaining subunit 3051, a second obtaining subunit 3052 and an encryption subunit 3053, as shown in fig. 12, specifically as follows:
The first obtaining subunit 3051 is configured to obtain at least one network key file, where the network key file contains at least one network key;
The second obtaining subunit 3052 is configured to obtain local identification information;
The encryption subunit 3053 is configured to encrypt the network key file according to the local identification information.
For example, the first obtaining subunit 3051 obtains at least one network key file containing at least one network key, the second obtaining subunit 3052 obtains the local identification information, and the encryption subunit 3053 encrypts the network key file according to that local identification information.
Optionally, the network key obtaining apparatus may further include a monitoring unit 306, as shown in fig. 13.
The monitoring unit 306 is configured to keep the key escrow program in a normal operating state through a monitoring program.
The monitoring unit 306 may include a creation subunit 3061, a starting subunit 3062 and a maintenance subunit 3063, as shown in fig. 14, specifically as follows:
The creation subunit 3061 is configured to create a monitoring program according to the key escrow program;
The starting subunit 3062 is configured to start the monitoring program when the key escrow program is started;
The maintenance subunit 3063 is configured to keep the key escrow program in a normal operating state through the monitoring program.
In a specific implementation, the above units may be implemented as independent entities or combined arbitrarily into one or several entities; their specific implementation may refer to the foregoing method embodiments and is not described again here.
As can be seen from the above, in this embodiment the receiving unit 301 receives a read request instructing a service process to read a network key file, and the obtaining unit 302 obtains the identity of the service process based on the read request. Then, while the key escrow program has not failed, the first authorization unit 303 authorizes the service process based on the identity, so that the service process reads the network key file through the key escrow program to obtain its network key; when the key escrow program has failed, the second authorization unit 304 authorizes the key authentication tool of the service process, based on the identity, to read the network key file and screens the network key corresponding to the service process out of the read network key file. In this scheme the service process obtains the network key through the key escrow program, and when the key escrow program fails, the key authentication tool is used to ensure that the service process still obtains the network key. The availability and security of the network key are thus guaranteed to the greatest extent, which greatly improves the disaster tolerance of network key acquisition by the service process.
An embodiment of the present invention further provides an electronic device. Fig. 15 shows a schematic structural diagram of the electronic device according to this embodiment; specifically:
the electronic device may include components such as a processor 401 of one or more processing cores, memory 402 of one or more computer-readable storage media, a power supply 403, and an input unit 404. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 15 does not constitute a limitation of the electronic device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 401 is a control center of the electronic device, connects various parts of the whole electronic device by various interfaces and lines, performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402, thereby performing overall monitoring of the electronic device. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by operating the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the electronic device, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 access to the memory 402.
The electronic device further comprises a power supply 403 for supplying power to the various components, and preferably, the power supply 403 is logically connected to the processor 401 through a power management system, so that functions of managing charging, discharging, and power consumption are realized through the power management system. The power supply 403 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The electronic device may further include an input unit 404, and the input unit 404 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the electronic device may further include a display unit and the like, which are not described in detail here. Specifically, in this embodiment, the processor 401 of the electronic device loads the executable file corresponding to the process of one or more application programs into the memory 402 according to the following instructions, and runs the application programs stored in the memory 402, thereby implementing the following functions:
receiving a read request instructing a service process to read a network key file; obtaining the identity of the service process based on the read request; then, while the key escrow program has not failed, authorizing the service process based on the identity so that it reads the network key file through the key escrow program and obtains the network key corresponding to the service process; and, when the key escrow program has failed, authorizing the key authentication tool of the service process, based on the identity, to read the network key file and screening the network key corresponding to the service process out of the read network key file.
For example: at least one network key file is obtained and encrypted; a request from a service process to read the network key file is received; according to the request, the key escrow program registers a monitoring service and generates a monitoring process, which the key escrow program uses to monitor events on the network key file; when any process attempts to read the network key file, the monitoring process obtains the PID of that service process and sends monitoring information consisting of the read event, the PID of the service process and the like to the key escrow program for identification; the key escrow program identifies the received PID of the service process, and when the identity is that of a service process preset in the key escrow program, the service process is authorized to read the network key file and obtain its network key. Optionally, a monitoring program may be created according to the key escrow program: when the key escrow program starts, it triggers an instruction that starts the monitoring program, and the monitoring program keeps the key escrow program in a normal operating state. When the restart of the key escrow program fails, or when the key escrow program and the monitoring program fail at the same time, the validity of the key authentication tool of the service process is checked according to the identity; when the key authentication tool is valid, it is authorized to read the network key file, and the network key corresponding to the service process is screened out of the read network key file.
The above operations can be implemented as described in the foregoing embodiments and are not described in detail here.
As can be seen from the above, after a read request instructing a service process to read a network key file is received, the identity of the service process is obtained based on the read request; then, while the key escrow program has not failed, the service process is authorized based on the identity, so that it reads the network key file through the key escrow program to obtain its network key. In this scheme the service process obtains the network key through the key escrow program, and when the key escrow program fails, the key authentication tool is used to ensure that the service process still obtains the network key. The availability and security of the network key are thus guaranteed to the greatest extent, which greatly improves the disaster tolerance of network key acquisition by the service process.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by associated hardware controlled by instructions, and that the instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, the embodiment of the present invention provides a computer-readable storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps in any one of the network key obtaining methods provided by the embodiments of the present invention. For example, the instructions may perform the steps of:
receiving a read request that instructs a service process to read a network key file; obtaining the identity of the service process based on the read request; while the key escrow program has not failed, authorizing the service process based on the identity so that it reads the network key file through the key escrow program and obtains the network key corresponding to it; and, when the key escrow program has failed, authorizing the key authentication tool of the service process, based on the identity, to read the network key file, and screening out the network key corresponding to the service process from the read network key file.
For example, the instructions may perform the operations described above for the network key obtaining device: obtaining and encrypting at least one network key file; registering, by the key escrow program, a monitoring process that reports the PID of any process reading the network key file; identifying that PID against the service processes preset in the key escrow program and authorizing only a preset service process to read the file and obtain its network key; keeping the key escrow program in a normal running state through a monitoring program started together with it; and, when the key escrow program fails to restart or the key escrow program and the monitoring program fail at the same time, identifying the validity of the key authentication tool of the service process according to the identity, authorizing a legal key authentication tool to read the network key file, and screening out the network key corresponding to the service process from the read file.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
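The following is an added example, not code from the patent or from Tencent, that models both retrieval paths described above (the escrow path while the key escrow program runs or can be restarted, and the key authentication tool path once it cannot) in one Python process. Everything in it is an assumption: the class and function names, the line-oriented key file format with one entry per service and its authentication factors, the resolution of the reporting PID to an executable path before the preset check, and the cipher, since the page names none and an HMAC-SHA256 keystream with a separate HMAC tag is used here only as a stand-in.

```python
import hashlib
import hmac
import os

# Network key file (claims 8, 9): encrypted under a key derived from the local
# identification information. Cipher is an illustrative stand-in (see lead-in).
def derive_local_key(local_id: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", local_id, b"network-key-file", 50_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_key_file(local_id: bytes, plaintext: bytes) -> bytes:
    key, nonce = derive_local_key(local_id), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt_key_file(local_id: bytes, blob: bytes) -> bytes:
    key = derive_local_key(local_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("network key file failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def parse_key_file(text: bytes) -> list:
    """Constructed line format: <service id>|<factor,factor,...>|<network key hex>."""
    rows = (line.split("|") for line in text.decode().splitlines())
    return [(svc, frozenset(f.split(",")), bytes.fromhex(key)) for svc, f, key in rows]

def screen_network_key(entries: list, preset_factors: frozenset) -> tuple:
    """Claim 8: match the authentication factors, recover the identity, pick its key."""
    for service, factors, key in entries:
        if factors == preset_factors:
            return service, key
    raise LookupError("no entry matches the preset authentication factors")

class KeyEscrowProgram:
    """Path 1. Read events arrive as (pid, exe); assumed: PID resolved to exe first."""
    def __init__(self, local_id: bytes, blob: bytes, preset_services: dict):
        self.entries = parse_key_file(decrypt_key_file(local_id, blob))
        self.preset_services = preset_services          # exe path -> service id
        self.alive = self.restartable = True

    def on_read_event(self, pid: int, exe: str) -> tuple:
        service = self.preset_services.get(exe)
        if service is None:                             # claim 3: callback refuses the read
            return "denied", f"pid {pid} ({exe}) is not a preset service process"
        return "granted", next(k for s, _, k in self.entries if s == service)

class MonitoringProgram:
    """Claims 4-6: restart the escrow program, giving up after max_restarts tries."""
    def __init__(self, escrow: KeyEscrowProgram, max_restarts: int = 3):
        self.escrow, self.max_restarts = escrow, max_restarts

    def keep_alive(self) -> bool:
        for _ in range(self.max_restarts):
            self.escrow.alive = self.escrow.alive or self.escrow.restartable  # restart attempt
        return self.escrow.alive

class KeyAuthenticationTool:
    """Path 2. Integrated in the service process (claim 1): the check runs inside it."""
    def __init__(self, auth_info: bytes, preset_auth_info: bytes, preset_factors: frozenset):
        self.auth_info, self.preset_auth_info = auth_info, preset_auth_info
        self.preset_factors = preset_factors

    def read_key(self, local_id: bytes, blob: bytes) -> tuple:
        if not hmac.compare_digest(self.auth_info, self.preset_auth_info):   # claim 7
            return "denied", "key authentication tool failed authentication"
        entries = parse_key_file(decrypt_key_file(local_id, blob))
        return "granted", screen_network_key(entries, self.preset_factors)[1]

def obtain_network_key(pid, exe, escrow, monitor, tool, local_id, blob) -> tuple:
    """Claim 1: escrow path while it runs or can be restarted, tool path otherwise."""
    return escrow.on_read_event(pid, exe) if monitor.keep_alive() else tool.read_key(local_id, blob)

# Constructed sample data.
LOCAL_ID = b"machine-id:0123456789abcdef"
KEY_FILE = (b"payments|hostkey,tenant-a|00112233445566778899aabbccddeeff\n"
            b"search|hostkey,tenant-b|ffeeddccbbaa99887766554433221100\n")
PRESET_SERVICES = {"/opt/svc/payments": "payments", "/opt/svc/search": "search"}
BLOB = encrypt_key_file(LOCAL_ID, KEY_FILE)

def run_scenarios() -> dict:
    escrow = KeyEscrowProgram(LOCAL_ID, BLOB, PRESET_SERVICES)
    monitor, factors = MonitoringProgram(escrow), frozenset({"hostkey", "tenant-a"})
    good = KeyAuthenticationTool(b"tool-secret", b"tool-secret", factors)
    bad = KeyAuthenticationTool(b"wrong-secret", b"tool-secret", factors)
    def request(pid, exe, tool):
        return obtain_network_key(pid, exe, escrow, monitor, tool, LOCAL_ID, BLOB)
    out = {"normal": request(4242, "/opt/svc/payments", good),
           "other_process": request(5151, "/usr/bin/curl", good)}
    escrow.alive = False                                # crash; the watchdog restarts it
    out["after_restart"] = request(4242, "/opt/svc/payments", good)
    escrow.alive = escrow.restartable = False           # restart fails: fall back to the tool
    out["fallback"] = request(4242, "/opt/svc/payments", good)
    out["fallback_illegal_tool"] = request(4242, "/opt/svc/payments", bad)
    return out
```

Two points a practitioner should check in any implementation of this scheme. First, a PID alone is a weak identity: PIDs are reused, so the escrow program should decide on something bound to the process (its executable path or credentials), which is why the model above keys the preset list by executable. Second, the fallback path moves the ability to decrypt the network key file into the service process itself: the key authentication tool must hold the local identification information and the preset authentication data, so anyone who can keep the key escrow program from restarting forces retrieval onto the path where the checked process performs its own check. The preset authentication information therefore needs the same protection as the key file.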
Wherein the computer-readable storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the computer-readable storage medium can execute the steps of any network key obtaining method provided in the embodiments of the present invention, they can achieve the beneficial effects achievable by any such method; these are detailed in the foregoing embodiments and are not described again here.
The network key obtaining method, device and computer-readable storage medium provided by the embodiments of the present invention have been described in detail above. A specific example has been used to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method and its core idea; at the same time, those skilled in the art may, according to the idea of the present invention, vary the specific embodiments and the application scope. In summary, the content of this specification should not be construed as a limitation of the present invention.

Claims (12)

1. A network key obtaining method is characterized by comprising the following steps:
receiving a reading request, wherein the reading request is used for indicating a service process to read a network key file;
acquiring the identity of the service process based on the reading request; when the key escrow program has not failed, authorizing the service process based on the identity, so that the service process reads the network key file through the key escrow program to obtain a network key corresponding to the service process;
and when the key escrow program fails, identifying the legality of a key authentication tool of the service process according to the identity, and, when the key authentication tool is legal, authorizing the key authentication tool to read the network key file and screening out the network key corresponding to the service process from the read network key file, wherein the key authentication tool is integrated in the service process and operates within it.
2. The method according to claim 1, wherein the authorizing the service process based on the identity so that the service process reads the network key file through the key escrow program to obtain the network key corresponding to the service process comprises:
sending the identity to the key escrow program for identification;
when the identity is the identity corresponding to a preset service process in the key escrow program, authorizing the service process to read the network key file so as to obtain a network key corresponding to the service process;
and when the identity is the identity corresponding to other service processes, refusing the service process to read the network key file through the key escrow program.
3. The method according to claim 2, wherein the refusing of the service process to read the network key file by the key escrow program comprises:
triggering a callback function by using the key escrow program;
generating a reading refusing instruction according to the callback function;
and refusing the service process to read the network key file according to the refusing reading instruction.
4. The method according to claim 1, further comprising:
creating a monitoring program according to the key escrow program;
when the key escrow program is started, starting the monitoring program;
and maintaining the key escrow program in a normal running state through the monitoring program.
5. The method according to claim 4, wherein the maintaining, by the monitoring program, the key escrow program in a normal operation state includes:
when the key escrow program fails, triggering, by the monitoring program, a restart instruction for the key escrow program so as to restart the key escrow program and return it to a normal running state;
and when the monitoring program fails, triggering a restarting instruction of the monitoring program by using the key escrow program so as to restart the monitoring program.
6. The method as claimed in claim 5, wherein the step of identifying the validity of the key authentication tool of the service process according to the identity when the key escrow program fails comprises:
and when the restart of the key escrow program fails or the key escrow program and the monitoring program fail simultaneously, identifying the legality of the key authentication tool of the service process according to the identity.
7. The method of claim 6, wherein the identifying the validity of the key authentication tool of the service process according to the identity comprises:
acquiring authentication information of the key authentication tool according to the identity;
when the authentication information matches preset authentication information, determining that the key authentication tool of the service process is legal;
and when the authentication information does not match the preset authentication information, determining that the key authentication tool of the service process is illegal.
8. The method as claimed in claim 6, wherein the network key file includes at least one network key and a plurality of authentication factors of a service process corresponding to the network key, and the screening out the network key corresponding to the service process from the read network key file includes:
matching the plurality of authentication factors with preset authentication factors;
acquiring the identity of the service process corresponding to the authentication factor according to the matching result;
and screening out the network key corresponding to the service process from the network key file according to the identity.
9. The method according to claim 1, wherein before receiving the read request, the method further comprises:
acquiring at least one network key file, wherein the network key file at least comprises a network key;
acquiring local identification information;
and encrypting the network key file according to the local identification information.
10. The method according to claim 1, further comprising:
and storing the network key file to a blockchain.
11. A network key acquisition apparatus, comprising:
a receiving unit, configured to receive a read request, where the read request is used to instruct a service process to read a network key file;
an obtaining unit, configured to obtain an identity of the service process based on the read request;
a first authorization unit, configured to authorize the service process based on the identity when the key escrow program has not failed, so that the service process reads the network key file through the key escrow program to obtain a network key corresponding to the service process;
and a second authorization unit, configured to identify the legality of a key authentication tool of the service process according to the identity when the key escrow program fails, and, when the key authentication tool is legal, to authorize the key authentication tool to read the network key file and screen out the network key corresponding to the service process from the read network key file, wherein the key authentication tool is integrated in the service process and operates within it.
12. A computer-readable storage medium storing instructions adapted to be loaded by a processor to perform the steps of the network key obtaining method according to any one of claims 1 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910894610.3A CN110602121B (en) 2019-09-20 2019-09-20 Network key obtaining method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110602121A CN110602121A (en) 2019-12-20
CN110602121B true CN110602121B (en) 2021-06-08

Family

ID=68861971

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672903A (en) * 2021-10-22 2021-11-19 深圳市信润富联数字科技有限公司 Password management method, electronic device, device and readable storage medium

Citations (1)

Publication number Priority date Publication date Assignee Title
CN110059499A (en) * 2019-03-22 2019-07-26 华为技术有限公司 A kind of file access purview certification method and electronic equipment

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US9106411B2 (en) * 2012-09-30 2015-08-11 Apple Inc. Secure escrow service
CN108076021B (en) * 2016-11-18 2020-06-16 腾讯科技(深圳)有限公司 Service processing method and device
CN106371911A (en) * 2016-09-06 2017-02-01 北京海誉动想科技股份有限公司 Method for rebooting guarded process by daemon processes
CN109284603B (en) * 2017-07-20 2022-07-01 腾讯科技(深圳)有限公司 Configuration data processing method and device and storage medium
CN109842506B (en) * 2017-11-27 2022-08-12 财付通支付科技有限公司 Disaster recovery processing method, device, system and storage medium for key management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant