WO2018028359A1 - Service processing method and device, and storage medium and electronic device - Google Patents

Service processing method and device, and storage medium and electronic device

Info

Publication number
WO2018028359A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
module
agent module
service
data
Prior art date
Application number
PCT/CN2017/091903
Other languages
French (fr)
Chinese (zh)
Inventor
杨藩
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201610643327.XA (CN106302422B)
Priority claimed from CN201611018871.1A (CN108076021B)
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018028359A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications

Definitions

  • the present application relates to the field of computers, and in particular to a service processing method, apparatus, storage medium, and electronic device.
  • the encryption methods used when encrypting a service mainly include three modes: mode one, writing a fixed key directly into the code or a configuration file; mode two, saving the key in shared memory, either in plain text or in encrypted form; mode three, saving the key on a server managed by a dedicated administrator, from which the service periodically fetches the key over the network.
  • the related art provides a method for encrypting and decrypting by using a proxy module.
  • the service module may send a ciphertext processing request carrying the data to be encrypted to the key proxy module.
  • the key proxy module obtains the target key from the pulled key list, encrypts the data to be encrypted using the target key to obtain the encrypted data, and finally sends the encrypted data to the service module.
  • agent-based encryption and decryption is used instead of having the business process encrypt and decrypt directly. Once the agent has a bug, all encryption and decryption operations may fail, causing great loss to the business.
  • the bug may be introduced by changes made as the agent continuously supports new requirements in practice, or a well-concealed, extremely hard-to-trigger bug (even an operating system kernel bug) may finally be triggered; or other services on the same hardware server may occupy a large amount of CPU so that the service's encryption or decryption request to the agent times out. Once any of the above problems occurs, the encryption or decryption operation fails.
  • the embodiment of the present application provides a service processing method, device, storage medium, and electronic device, so as to at least solve the technical problem that the stability of the key is low when the service is encrypted and decrypted in the related art.
  • a service processing method including: acquiring first information, where the first information is used to indicate the execution result of a first type of key agent module performing a ciphertext processing request; detecting whether the first information meets a predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that a vulnerability has occurred in the first type of key agent module; and, if it is detected that the first information meets the predetermined type switching condition, executing the ciphertext processing request of the service module by a second type of key agent module.
  • a service processing method including: a first type of key agent module receives and executes a ciphertext processing request of a service module and obtains an execution result; and a second type of key agent module receives and executes a ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when first information generated from the execution result meets a predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that the first type of key agent module is vulnerable.
  • a service processing method including: a key agent module acquires the execution result of executing a ciphertext processing request; the key agent module detects whether the execution result meets a predetermined mode switching condition, wherein meeting the predetermined mode switching condition indicates that a vulnerability has occurred in the key agent module; and if it is detected that the execution result meets the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information instructs the service module to switch to the mode in which the service module itself executes the ciphertext processing request.
  • a service processing apparatus including: a first acquiring unit, configured to acquire first information, wherein the first information indicates the execution result of a first type of key agent module performing a ciphertext processing request; a first detecting unit, configured to detect whether the first information meets a predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that the first type of key agent module has a vulnerability, that is, that the first type of key agent module cannot stably perform the ciphertext processing request; and a first executing unit, configured to have the ciphertext processing request of the service module executed by a second type of key agent module when the first information is detected to meet the predetermined type switching condition.
  • a service processing apparatus including: a first processing unit, disposed in a first type of key agent module and configured to receive and execute a ciphertext processing request of a service module and obtain an execution result; and a second processing unit, disposed in a second type of key agent module and configured to receive and execute a ciphertext processing request of the service module, wherein the service module is configured to send the ciphertext processing request to the second type of key agent module if first information generated from the execution result meets a predetermined type switching condition, and meeting the predetermined type switching condition indicates that a vulnerability has occurred in the first type of key agent module.
  • a service processing apparatus including: a first acquiring unit, configured to acquire the execution result of performing a ciphertext processing request; a first detecting unit, configured to detect whether the execution result meets a predetermined mode switching condition, wherein meeting the predetermined mode switching condition indicates that a vulnerability exists in the key agent module; and a first sending unit, configured to send indication information to the service module if the execution result meets the predetermined mode switching condition, where the indication information instructs the service module to switch to a mode in which the service module itself performs the ciphertext processing request.
  • a storage medium is further provided, where the storage medium may store an execution instruction for executing the service processing method in the foregoing embodiment.
  • an electronic device includes a memory, a processor, and a computer program stored on the memory and operable on the processor, wherein the processor performs the above method by executing the computer program.
  • first information is obtained, where the first information indicates the execution result of the first type of key agent module performing the ciphertext processing request; whether the first information meets the predetermined type switching condition is detected; and if the first information meets the predetermined type switching condition, the ciphertext processing request of the service module is executed by the second type of key proxy module.
  • whether the predetermined type switching condition is met may be determined from the result of the first type of key proxy processing module executing the ciphertext processing request; if the switching condition is met, the ciphertext processing request is no longer executed by the first type of key agent processing module but by the second type of key agent processing module.
  • when the first type of key proxy processing module can no longer execute ciphertext processing requests stably, processing is switched to the second type of key proxy module so that ciphertext processing requests continue to be handled stably, which solves the problem that the stability of the key is low when the service is encrypted and decrypted in the related art.
  • FIG. 1 is a schematic diagram of a hardware environment of a service processing method according to an embodiment of the present application
  • FIG. 2 is a flowchart of an optional service processing method according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of an optional service processing method according to an embodiment of the present application.
  • FIG. 5 is a flowchart of another optional service processing method according to an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a hardware environment of a service encryption method according to an embodiment of the present application.
  • FIG. 7 is a flowchart of an optional service encryption method according to an embodiment of the present application.
  • FIG. 8 is a flowchart of an optional service decryption method according to an embodiment of the present application.
  • FIG. 9 is a flowchart of another optional service encryption method according to an embodiment of the present application.
  • FIG. 10 is a flowchart of another optional service encryption method according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of an optional service processing apparatus according to an embodiment of the present application.
  • FIG. 12 is a schematic diagram of an optional service encryption apparatus according to an embodiment of the present application.
  • FIG. 13 is a schematic diagram of an optional service decryption apparatus according to an embodiment of the present application.
  • FIG. 14 is a structural block diagram of an electronic device according to an embodiment of the present application.
  • FIG. 15 is a structural block diagram of another electronic device according to an embodiment of the present application.
  • an embodiment of a method for service processing is provided.
  • the foregoing service processing method may be applied to a hardware environment formed by the server 102 and the terminal 104 as shown in FIG. 1.
  • the server 102 is connected to the terminal 104 through a network.
  • the network includes but is not limited to a wide area network, a metropolitan area network, or a local area network.
  • the terminal 104 is not limited to a PC, a mobile phone, a tablet, or the like.
  • the service processing method of the embodiment of the present application may be executed by the server 102, may be executed by the terminal 104, or may be jointly performed by the server 102 and the terminal 104.
  • the service processing method performed by the terminal 104 in the embodiment of the present application may also be performed by a client installed thereon.
  • the main working principle of the hardware environment system shown in FIG. 1 is that in the embodiment of the present application, the key agent module is installed in the terminal 104.
  • the ciphertext processing request carrying the data to be encrypted may be sent to the key agent module through the service module.
  • the key proxy module obtains the target key from the pulled key list, encrypts the data to be encrypted using the target key to obtain the encrypted data, and finally sends the encrypted data to the service module.
  • the ciphertext processing request is a request to encrypt the data to be encrypted into ciphertext data.
  • the decryption data is similar to the encryption method in the above embodiment, and details are not described herein again.
  • the key list is a key list obtained by the key agent module from the server 104 (for example, a key server) when it is first turned on.
  • FIG. 2 is a flowchart of an optional service processing method according to an embodiment of the present application. As shown in FIG. 2, applied to the service module, the method may include the following steps:
  • Step S202: acquire first information, where the first information indicates the execution result of the first type of key proxy module performing the ciphertext processing request;
  • Step S204: detect whether the first information meets a predetermined type switching condition;
  • Step S206: if the first information is detected to meet the predetermined type switching condition, have the ciphertext processing request of the service module executed by the second type of key proxy module.
  • by using the foregoing embodiment, first information is obtained, where the first information indicates the execution result of the first type of key agent module performing the ciphertext processing request; whether the first information meets the predetermined type switching condition is detected; and if the first information meets the predetermined type switching condition, the ciphertext processing request of the service module is executed by the second type of key proxy module.
  • whether the predetermined type switching condition is met may be determined from the result of the first type of key proxy processing module executing the ciphertext processing request. If the switching condition is met, the ciphertext processing request is no longer executed by the first type of key agent processing module but by the second type of key agent processing module.
  • switching to the second type of key proxy module so that ciphertext processing requests are processed stably solves the problem that the stability of the key is low when the service is encrypted and decrypted in the related art.
  • the ciphertext processing request may be an encryption request or a decryption request.
  • the execution result of the first type of key proxy module performing the ciphertext processing request may be stored in shared memory; the service module may read the execution result from the shared memory and count the execution results to obtain the first information.
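As an added illustration (not code from the patent), the following Python sketch shows a service module that records the first-type agent's execution result for each ciphertext processing request, counts the failures to obtain the first information, and, once a predetermined switching condition is met, routes requests to a second-type agent. The window size, failure threshold, result labels and the two simulated agents are assumptions; the page only states that execution results are counted.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Optional, Tuple

# Execution-result labels (constructed; the page does not name them).
OK, TIMEOUT, ERROR = "ok", "timeout", "error"

Agent = Callable[[bytes], Tuple[str, bytes]]   # returns (execution result, output)


@dataclass
class SwitchPolicy:
    """Assumed form of the predetermined type switching condition: the last
    `window` results are kept, and the condition is met once `max_failures`
    of them are not OK."""
    window: int = 20
    max_failures: int = 5


@dataclass
class ServiceModule:
    primary: Agent                       # first type of key agent module
    fallback: Agent                      # second type of key agent module
    policy: SwitchPolicy = field(default_factory=SwitchPolicy)
    results: Deque[str] = field(default_factory=deque)   # results read back
    switched: bool = False

    def first_information(self) -> int:
        """The counted execution results: failures in the current window."""
        return sum(1 for r in self.results if r != OK)

    def meets_switching_condition(self) -> bool:
        return self.first_information() >= self.policy.max_failures

    def process(self, data: bytes) -> bytes:
        """Execute one ciphertext processing request (Steps S202 to S206)."""
        if self.switched:
            return self.fallback(data)[1]
        status, out = self.primary(data)
        self.results.append(status)            # S202: record the result
        if len(self.results) > self.policy.window:
            self.results.popleft()
        if status == OK:
            return out
        if self.meets_switching_condition():   # S204
            self.switched = True               # S206: second type from now on
        # the failed request itself is re-executed by the fallback agent
        return self.fallback(data)[1]


def make_flaky_agent(fail_after: int) -> Agent:
    """Constructed first-type agent: answers OK `fail_after` times, then times
    out on every call, simulating a buggy or CPU-starved agent."""
    calls = {"n": 0}

    def agent(data: bytes) -> Tuple[str, bytes]:
        calls["n"] += 1
        if calls["n"] > fail_after:
            return TIMEOUT, b""
        return OK, b"enc:" + data

    return agent


def fallback_agent(data: bytes) -> Tuple[str, bytes]:
    """Constructed second-type agent that always succeeds."""
    return OK, b"fallback:" + data


def simulate(fail_after: int = 3, n_requests: int = 12,
             policy: Optional[SwitchPolicy] = None):
    """Drive `n_requests` requests through a service module and return it
    together with the outputs, so the switch-over point can be inspected."""
    policy = policy or SwitchPolicy(window=10, max_failures=3)
    svc = ServiceModule(make_flaky_agent(fail_after), fallback_agent, policy)
    outputs = [svc.process(b"d%d" % i) for i in range(n_requests)]
    return svc, outputs


if __name__ == "__main__":
    svc, outputs = simulate()
    print("switched:", svc.switched, "failures counted:", svc.first_information())
    for o in outputs:
        print(o)
```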
  • the key broker module can perform ciphertext processing requests as follows (taking the encryption process as an example):
  • the key agent module receives the ciphertext processing request sent by the service module, where the ciphertext processing request carries data to be encrypted.
  • the key agent module (hereinafter referred to as the key agent) may be implemented as a single process with multiple threads; the service module is configured to send ciphertext processing requests to the key agent, wherein the key agent and the service module are on the same physical machine.
  • the service module may send a ciphertext processing request carrying the data to be encrypted to the key agent; after obtaining the ciphertext processing request, the key agent obtains the target key from the key list according to the ciphertext processing request.
  • when the key agent module (Agent) is restarted, the key agent pulls the key list from the key server. It should be noted that the key agent pulls the key list from the key server only when restarting, and does not pull the key list at other times after startup.
  • the key agent may obtain the target key in the pre-pushed key list, where the target key is used to encrypt the data to be encrypted.
  • the data to be encrypted may be encrypted using the target key.
  • the key agent module encrypts the data to be encrypted using the target key, and after obtaining the encrypted data, the encrypted data can be sent to the service module.
  • the first public key may be sent to the key server by the key proxy module, and the second public key received from the key server, where the key agent module has a pair consisting of a first public key and a first private key, and the key server has a pair consisting of a second public key and a second private key; the key agent module sends a key list pull request to the key server; the key agent module receives the encrypted key list sent by the key server, wherein the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key; the key agent module decrypts the encrypted key list with the second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key and the second communication key are the same.
  • the key list needs to be pulled from the key server, and the key list pulled from the key server is the encrypted key list. Therefore, the key agent needs to decrypt the pulled key list.
  • the key list pulled by the key agent is obtained by encrypting the key list with the first communication key on the key server side, and the key agent module then decrypts it.
  • the key list is decrypted using the second communication key, which is the same as the first communication key.
  • the first communication key is generated by the key server from the first public key and the second private key.
  • the second communication key is generated by the key agent module according to the first private key and the second public key.
  • the first public key and the first private key are the pubkey and prikey pair generated by the key agent before sending the key list pull request to the key server; the second public key and the second private key are the pubkey and prikey pair generated by the key server.
  • the second communication key is generated from the first private key and the second public key. Therefore, before the key agent module sends the key list pull request to the key server, the key agent and the key server need to exchange their public keys. After the exchange, the key agent module can generate the second communication key for decrypting the key list after sending the key list pull request to the key server, and the key server can likewise generate the first communication key with which the key list is encrypted.
  • the exchange of the two parties' public keys is specifically: the agent sends the first public key to the key server SVR, and then the agent receives the second public key from the key server SVR. After the exchange, the agent can decrypt the encrypted key list using the first private key and the second public key.
  • a key exchange protocol, i.e., the ECDH protocol, may be used to exchange the pubkeys of both parties, each party keeping its own prikey.
  • the key list in the present application is encrypted using the first public key and the second private key, and decrypted using the first private key and the second public key.
  • only the public keys (pubkey) of the Agent and the key server are transmitted on the network. Therefore, with the encryption method of the present application, even if packets are captured on the intranet with tcpdump, the key leakage that such packet capture would otherwise cause is avoided.
  • the SVR should sign the ECDH public key with its private key, and the agent should verify the signature with the corresponding public key deployed in the agent; because the SVR is a highly confidential server managed by a dedicated person, it is difficult to steal the private key from there, and this effectively prevents others from forging SVR reply packets.
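The communication-key derivation described above, as an added example that is not part of the patent: the key server computes its key from (first public key, second private key), the key agent from (first private key, second public key), and both obtain the same value. The curve (X25519 per RFC 7748, implemented here in pure Python) and the SHA-256 step that turns the shared point into a communication key are assumptions, since the page names neither; the SVR's signature over its public key is not shown.

```python
import hashlib
import os
from typing import Tuple

# Curve25519 parameters from RFC 7748: the field prime and (A - 2) / 4.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748 section 5, Montgomery ladder).
    Assumed instantiation of the page's ECDH. The `if swap` branches are
    written for readability; a production ladder swaps in constant time."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    """(prikey, pubkey) pair as generated by the Agent or by the SVR."""
    prikey = os.urandom(32)
    return prikey, x25519(prikey, BASEPOINT)


def communication_key(own_prikey: bytes, peer_pubkey: bytes) -> bytes:
    shared = x25519(own_prikey, peer_pubkey)
    # ASSUMPTION: the page does not say how the ECDH output becomes the
    # communication key; a labelled SHA-256 stands in for that step.
    return hashlib.sha256(b"key-list-communication-key|" + shared).digest()


def exchange() -> Tuple[bytes, bytes]:
    """Run the exchange in the patent's terms and return both sides' keys."""
    agent_pri, agent_pub = keypair()   # first private key, first public key
    svr_pri, svr_pub = keypair()       # second private key, second public key
    # Only agent_pub and svr_pub would cross the network.
    first_comm_key = communication_key(svr_pri, agent_pub)    # key server side
    second_comm_key = communication_key(agent_pri, svr_pub)   # key agent side
    return first_comm_key, second_comm_key


if __name__ == "__main__":
    first, second = exchange()
    print("communication keys match:", first == second)
```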
  • after the key agent pulls the key list from the key server and decrypts it, the key agent needs to verify the legality of the business process, where the business process is the process that produces the data to be encrypted.
  • the key agent module sending the first public key to the key server and receiving the second public key from the key server includes: when the key agent module is restarted, the key proxy module sends the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key with the agreed key; the key proxy module receives the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key; the key proxy module decrypts the encrypted second public key with the agreed key to obtain the second public key; and the agreed key is set to be used only when the key broker module is restarted.
  • when the key agent is restarted and sends the first public key to the key server, the first public key is encrypted with the agreed key and the encrypted first public key is sent to the key server; after the key server obtains it, it can decrypt it with the agreed key. Similarly, when the key server sends the second public key to the key agent, the second public key is also encrypted with the agreed key and the encrypted second public key is sent to the key agent; after receiving it, the key agent can decrypt the second public key with the agreed key.
  • the first public key and the second public key are encrypted with the "agreed key" and sent to each other only when the key agent is restarted. That is, the only legitimate use of the agreed key is when the maintainer of the key agent restarts the process to change the key agent; any other use is illegitimate. For example, the maintainer of the key agent uses the agreed key to obtain the key list when the key agent is restarted; if afterwards another user uses the agreed key again to obtain the key list, that user is an abuser. Therefore, in the embodiment of the present application, the "agreed key" is used only when the key agent is restarted, and an abuser can be detected quickly and effectively.
  • the key agent needs to decrypt the key list after pulling the key list.
  • the process PID of the service process may be acquired by the key agent module, where the service process is the process that sends the data to be encrypted to the service module; the key agent module then performs legality verification on the business process and the process PID; and if the legality verification passes, the key agent module obtains the target key from the key list.
  • the process PID of the service process can be obtained by the key agent, and the legality of the process PID and the service process is then verified by the key agent. If the verification result for the process PID and the service process is legal, that is, if the verification passes, the key agent module may obtain the target key from the key list and encrypt the data to be encrypted with the target key.
  • the key agent module may obtain the process PID, authenticated by the kernel, of the service process transmitted by the service module through the socket SCM_RIGHTS mechanism, where SCM_RIGHTS applies to unix domain sockets.
  • the key proxy module performs legality verification on the service process and the process PID, which is specifically as follows:
  • Step S1: the key agent module acquires the full path of the process corresponding to the process PID;
  • Step S2: the key agent module determines whether the full path of the process belongs to the legal paths acquired in advance from the key server;
  • Step S3: if the full path of the process is determined to belong to the legal paths, the key agent module performs an MD5 check operation on the service process to obtain a first MD5 check result; if the full path of the process does not belong to the legal paths, it is judged that the validity check has not passed;
  • Step S4: the key agent module determines whether the first MD5 check result is the same as the second MD5 check result corresponding to the service process acquired in advance;
  • Step S5: if the first MD5 check result is the same as the second MD5 check result, it is determined that the validity check has passed; if the first MD5 check result differs from the second MD5 check result, it is determined that the validity check has not passed.
  • the key agent module acquires the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; the key agent module then generates a second file descriptor, where the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  • the key agent module transmits the second file descriptor to the service module.
  • the file descriptor is exchanged between the key agent module and the service module.
  • the key agent module may first obtain the first file descriptor of the service module, and after obtaining the first file descriptor, the key agent module may identify the data sent by the service module as legal data.
  • once the service module has passed its file descriptor to the key agent module, the key agent module in turn needs to exchange file descriptors with the service module.
  • the key agent module may transmit the generated second file descriptor to the service module, and after receiving the second file descriptor, the service module may identify the data sent by the key agent module as legal data.
  • the first file descriptor and the second file descriptor correspond to data blocks of the shared memory, where the shared memory is used to store the data to be encrypted of the ciphertext processing request and the encrypted data after encryption; this is described in detail in the following embodiments.
  • the service module stores the data to be encrypted in the shared memory.
  • the data to be encrypted is stored in the area corresponding to the first file descriptor in the shared memory.
  • the key agent module can learn that the service module stores the data to be encrypted in the shared memory, and then the key agent module goes to the area to obtain the data to be encrypted.
  • multiple eventfd file descriptors can be exchanged at one time, and when they are not enough, more eventfds are exchanged by verifying again, so that the number of verification requests can be significantly reduced; the applicant finds through testing that the maximum number of fds that can be exchanged at one time on a Linux system is 255.
  • the key agent module may further set a target authority for the first file descriptor, where the target authority includes at least one of the following: the key agent module is allowed to encrypt the data to be encrypted requested by the service module, and the key agent module is allowed to decrypt the data to be decrypted requested by the service module.
  • the key agent module may set the target authority for the first file descriptor after exchanging the file descriptors, where the specified target authority includes: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • after the key agent module sets the target permission for the first file descriptor, the key agent module can encrypt the data to be encrypted according to the received ciphertext processing request, and then send the encrypted data to the service module.
  • the key agent module receives the ciphertext processing request sent by the service module, where the key agent module obtains the data to be encrypted stored by the service module from the shared memory, and the key agent module sends the encrypted data to the service module.
  • the method further includes: the key agent module stores the encrypted data into the shared memory, so that the service module obtains the encrypted data from the shared memory.
  • the service module sends a ciphertext processing request to the key broker module
  • the ciphertext processing request is stored in the shared memory.
  • the key broker module can retrieve the stored data to be encrypted from the shared memory.
  • the key agent module encrypts the data to be encrypted using the target key
  • the data after encryption may also be stored in the shared memory, enabling the service module to obtain the encrypted data from the shared memory.
  • the key agent module has previously set a target authority for the first file descriptor. In this case, if the validity check passes, the key agent module obtaining the target key from the key list specifically means: when the target authority includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module obtains the target key from the key list.
  • the target authority may only allow the key agent module to decrypt the data to be decrypted requested by the service module, or only allow the key agent module to encrypt the data to be encrypted requested by the service module. Therefore, the key agent module obtains the target key from the key list only when it is determined that the target authority allows the key agent module to encrypt the data to be encrypted requested by the service module, and it then uses the obtained target key to encrypt the data to be encrypted.
  • the key agent module acquiring the process PID of the service process includes: the key agent module obtains the process PID of the business process through a unix domain socket in non-root mode; or the key agent module configures the socket option SO_PEERCRED and obtains the process PID of the business process through the socket.
  • the process PID is transmitted through SCM_RIGHTS on a unix domain socket. Because the exact process PID passed over the unix domain socket is that of a process running in non-root mode, the local root mode must be approved before the process PID is passed. That is, the process PID (process ID) of the business process needs to be obtained through the unix domain socket in non-root mode. Further, the socket option can be configured as SO_PEERCRED by the key proxy module, and the process PID of the business process can then be obtained through the socket.
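An added Python example (not the patent's code) of the legality verification in Steps S1 to S5 combined with the SO_PEERCRED way of obtaining the business process PID described just above: the agent reads the kernel-attested peer PID from a unix domain socket, resolves /proc/<pid>/exe, checks it against the legal path list and compares a digest of the binary with the expected value. The legal path list and expected digests are constructed here for a self-check against the running interpreter (Linux only); the page's MD5 is the default, with the algorithm made a parameter.

```python
import hashlib
import os
import socket
import struct

# Linux `struct ucred`: pid_t pid; uid_t uid; gid_t gid (three 32-bit fields).
_UCRED = "iII"


def peer_pid(conn: socket.socket) -> int:
    """Kernel-attested PID of the process at the other end of a unix domain
    socket, obtained with the SO_PEERCRED socket option (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED))
    pid, _uid, _gid = struct.unpack(_UCRED, raw)
    return pid


def process_full_path(pid: int) -> str:
    """Step S1: /proc/<pid>/exe is a kernel-maintained symlink, so the client
    cannot forge it the way it could forge a self-reported path or argv[0]."""
    return os.readlink(f"/proc/{pid}/exe")


def file_digest(path: str, algo: str = "md5") -> str:
    """Digest of the on-disk binary. The page uses MD5; `algo` is a parameter
    added here so a deployment can use SHA-256 instead."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_business_process(pid: int, legal_paths, expected_digests,
                            algo: str = "md5"):
    """Steps S1 to S5 of the legality verification. Returns (passed, reason).
    `legal_paths` and `expected_digests` stand for the values the key agent
    fetched from the key server in advance."""
    path = process_full_path(pid)                        # S1
    if path not in legal_paths:                           # S2 / S3 fail branch
        return False, "process path is not in the legal path list"
    first_result = file_digest(path, algo)                # S3
    second_result = expected_digests.get(path)            # pre-fetched value
    if first_result != second_result:                     # S4 / S5
        return False, "binary digest mismatch"
    return True, "ok"


def self_pid_via_socketpair() -> int:
    """Create a unix domain socketpair and read the peer PID from one end;
    for a socketpair both ends belong to this process."""
    agent_side, service_side = socket.socketpair(socket.AF_UNIX)
    try:
        return peer_pid(agent_side)
    finally:
        agent_side.close()
        service_side.close()


def local_self_check(algo: str = "md5"):
    """Self-contained check: treat the running interpreter as the business
    process, with a constructed legal path list and expected digest."""
    pid = self_pid_via_socketpair()
    if pid != os.getpid():
        return False, "SO_PEERCRED pid does not match this process"
    path = process_full_path(pid)
    legal_paths = {path}
    expected = {path: file_digest(path, algo)}
    return verify_business_process(pid, legal_paths, expected, algo)


if __name__ == "__main__":
    print(local_self_check())
```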
  • the data to be encrypted is indirectly encrypted and decrypted by the key agent; at the same time, the communication between the service module and the key agent may be any standard linux IPC communication means, including but not limited to a pipeline, Unix Socket pair, local disk file, etc., the linux eventfd adopted by this scheme is the most efficient, and is most suitable for the selection of massive encryption and decryption requests.
  • the method realizes the encryption and decryption program by fully utilizing the standard mechanism provided by the modern Linux operating system kernel, which not only improves the security of the key, but also minimizes the loss of encryption and decryption performance, and ensures the effectiveness in practice.
  • FIG. 3 is a flowchart of an optional service processing method according to an embodiment of the present application.
  • a key agent (ie, a key agent module) and a service module are on the same physical machine.
  • when the key agent is restarted, it encrypts the first public key using the agreed key and sends the encrypted first public key to the key server; the key agent module can also receive the encrypted second public key sent by the key server, wherein the second public key is likewise encrypted using the agreed key.
  • after obtaining the second public key, the key agent decrypts it using the agreed key, and after obtaining the first public key, the key server likewise decrypts the first public key using the agreed key.
  • the key agent may send a pull request for the key list to the key server; after receiving the pull request, the key server transmits the encrypted key list to the key agent, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key.
  • the key agent may decrypt using the second communication key, which is identical to the first communication key, wherein the second communication key is generated by the key agent module from the first private key and the second public key.
  • the first public key and the second public key are encrypted with the "agreed key" and transmitted to each other only when the key agent is restarted.
  • the service encryption provided in the embodiment of the present application decrypts the encrypted key list using the first private key and the second public key, so even if the key list is captured with tcpdump the keys cannot be recovered, which avoids the key leakage caused by intranet packet capture.
  • the memory of the key agent and the key server may also be protected. Specifically, the binaries of the key agent and the key server can be stripped (ie, all debugging information is deleted), and the code of the key agent and the key server is then securely isolated, so that gdb is nearly useless and, at the very least, variables cannot simply be modified.
  • after decrypting the key list, the key agent needs to verify the legality of the business process and its PID.
  • the service module first establishes a unix domain socket and creates a first file descriptor, then transmits the first file descriptor to the key agent using SCM_RIGHTS over the unix domain socket, and uses SCM_CREDENTIALS to transfer the PID of the process, as authenticated by the kernel, to the key agent.
  • SCM_RIGHTS and SCM_CREDENTIALS apply to unix domain sockets. SCM_RIGHTS is used to transfer a descriptor from one process to another; this extends IPC mechanisms that can otherwise only be used between related processes (for example, linux eventfd) to unrelated processes. SCM_CREDENTIALS is used to transfer the process PID of the sending process as authenticated by the kernel.
  • the key agent module may further acquire a first file descriptor eventfda from the service module; after acquiring eventfda, the key agent module generates a second file descriptor eventfdb and sends it to the business module, so that file descriptors are exchanged between the key agent module and the business module.
  • the key agent module may further set a target authority for the first file descriptor, where the target authority includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module; allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • the business module can write data into the space corresponding to the first file descriptor eventfda in shared memory, that is, the data to be encrypted is written into the area of shared memory corresponding to eventfda (write eventfda).
  • the key agent module can thereby know that the service module has written data.
  • the key agent module then reads the data to be encrypted from the shared memory (ie, reads the second file descriptor, read eventfdb), and reads the target authority previously configured for the first file descriptor eventfda.
  • the key agent module can obtain the target key from the key list, and then perform the ciphertext processing request on the data to be encrypted using the obtained target key.
  • the premise of a unix domain socket passing an accurate process PID is that the process runs in non-root mode, so the root-mode requirement on the key agent side must be checked first.
  • the key broker module can also configure the socket option SO_PEERCRED and obtain the process PID of the business process through the socket.
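The descriptor and PID hand-off described above (a descriptor passed with SCM_RIGHTS, the sender's PID passed with kernel-authenticated SCM_CREDENTIALS, and the result cross-checked against SO_PEERCRED), as an added C example that is not code from the patent. It runs both sides inside one process over a socketpair, so the "peer" it verifies is itself; the function names, the locally declared `peer_cred` struct (same layout as Linux `struct ucred`) and the expected-uid policy are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/eventfd.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value; glibc exposes it only under _GNU_SOURCE */
#endif

/* Same layout as Linux struct ucred (pid, uid, gid); declared locally (assumption). */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Room for one SCM_RIGHTS fd plus one SCM_CREDENTIALS record; union keeps alignment. */
union cmsg_buf {
    char bytes[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct peer_cred))];
    struct cmsghdr align;
};

/* Service side: pass a descriptor together with our own credentials. The kernel
 * rejects a pid/uid/gid that is not the caller's unless the sender holds
 * CAP_SYS_ADMIN/CAP_SETUID, which is why only a non-root peer's claim is exact. */
int send_fd_with_creds(int sock, int fd_to_send)
{
    char payload = 'F';                       /* at least one data byte is required */
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union cmsg_buf u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.bytes, .msg_controllen = sizeof u.bytes };

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    cm = CMSG_NXTHDR(&msg, cm);
    struct peer_cred me = { getpid(), getuid(), getgid() };
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_CREDENTIALS;
    cm->cmsg_len = CMSG_LEN(sizeof me);
    memcpy(CMSG_DATA(cm), &me, sizeof me);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Agent side: receive the descriptor and the kernel-checked credentials. The
 * receiving socket needs SO_PASSCRED, otherwise SCM_CREDENTIALS is not delivered.
 * Returns the new local descriptor number, or -1 if either part is missing. */
int recv_fd_with_creds(int sock, struct peer_cred *peer)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union cmsg_buf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.bytes, .msg_controllen = sizeof u.bytes };
    if (recvmsg(sock, &msg, 0) != 1) return -1;

    int fd = -1, have_creds = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET) continue;
        if (cm->cmsg_type == SCM_RIGHTS && cm->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(cm), sizeof fd);
        else if (cm->cmsg_type == SCM_CREDENTIALS && cm->cmsg_len == CMSG_LEN(sizeof *peer)) {
            memcpy(peer, CMSG_DATA(cm), sizeof *peer);
            have_creds = 1;
        }
    }
    if (fd >= 0 && have_creds) return fd;
    if (fd >= 0) close(fd);                    /* never keep an unattributed descriptor */
    return -1;
}

/* Policy applied before any key is handed out: the claimed credentials must match
 * the connection-level SO_PEERCRED answer and the uid the agent expects. */
int peer_is_legal(int sock, const struct peer_cred *claimed, uid_t expected_uid)
{
    struct peer_cred conn;
    socklen_t len = sizeof conn;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &conn, &len) < 0) return 0;
    return claimed->uid == expected_uid && claimed->pid == conn.pid && claimed->uid == conn.uid;
}

/* Constructed round trip over a socketpair inside one process: returns the
 * verified peer pid (our own pid here) or a negative step number on failure. */
pid_t demo_roundtrip(void)
{
    int sv[2], on = 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0) return -2;
    int efd = eventfd(0, EFD_CLOEXEC);         /* stands in for eventfda */
    if (efd < 0) return -3;
    if (send_fd_with_creds(sv[0], efd) < 0) return -4;

    struct peer_cred peer;
    int got = recv_fd_with_creds(sv[1], &peer);
    if (got < 0) return -5;
    if (!peer_is_legal(sv[1], &peer, getuid())) return -6;

    /* The received fd refers to the same eventfd object: a count written through
     * one descriptor is readable through the other. */
    uint64_t v = 7, r = 0;
    if (write(got, &v, sizeof v) != sizeof v || read(efd, &r, sizeof r) != sizeof r || r != 7)
        return -7;
    close(got); close(efd); close(sv[0]); close(sv[1]);
    return peer.pid;
}

int main(void)
{
    pid_t p = demo_roundtrip();
    printf("verified peer pid %ld, own pid %ld\n", (long)p, (long)getpid());
    return p == getpid() ? 0 : 1;
}
```

The agent refuses the message unless both the descriptor and the credentials arrive, and it compares the SCM_CREDENTIALS claim with what SO_PEERCRED reports for the connection; a mismatch between the two is the simplest sign that the sending side is not what it claims to be.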
  • test environment is the following environment:
  • the key agent runs 10 processes; the business process and the key agent run freely, with no CPU priority set.
  • Bill main ticket + slave ticket
  • the requests from the five external test machines to the test business reached about 30W/S (300,000 per second), of which the empty service accounted for 17%, local decryption for 31%-33%, and agent decryption for 33%-34%.
  • the method may further include: sending a ciphertext processing request to the first type of key proxy module; and acquiring the execution result of the first type of key proxy module performing the ciphertext processing request, where the execution result can optionally be read from the shared memory.
  • dual key proxy modules can be run in the system, and the dual key proxy modules can be of two types.
  • the two types are a first type and a second type.
  • the first type of key agent module is a development-type key agent module, and the second type of key agent module is a stable-type key agent module; the stable-type key agent module is a key agent module whose correct rate for executing ciphertext processing requests within a predetermined time period is higher than a predetermined correct rate.
  • the development-type key agent module may be, but is not limited to, an unverified agent module, which becomes the stable-type key agent module after the verification process. The stable-type key proxy module is a key proxy module that has been confirmed to run correctly for a period of time, whereas the development-type key proxy module has not yet been confirmed to execute ciphertext processing requests within the predetermined time period at a correct rate higher than the predetermined correct rate.
  • the obtaining of the first information may include: counting, according to the execution result, the success rate of the first type of key agent module performing the ciphertext processing request, wherein the first information includes the success rate.
  • the total number of ciphertext processing requests performed by the first type of key proxy module is used as the denominator, and the total number of ciphertext processing requests it performed successfully is used as the numerator, to calculate the success rate.
  • the predetermined type switching condition includes the success rate being lower than the first predetermined threshold.
  • detecting whether the first information meets the predetermined type switching condition may include: detecting whether the success rate is lower than the first predetermined threshold; if the success rate is lower than the first predetermined threshold, it is determined that the first information meets the predetermined type switching condition; if the success rate is not lower than the first predetermined threshold, it is determined that the first information does not meet the predetermined type switching condition.
  • the service module preferentially performs the encryption and decryption operation through the development-type key proxy module (ie, the first type of key proxy module) and directly monitors, locally, the success rate of the development-type key proxy module performing the ciphertext processing request; when the success rate falls below a pre-configured first predetermined threshold (for example, 98%), it automatically switches to the second type of key agent module to perform the ciphertext processing request, which ensures the stability of the entire system in processing ciphertext processing requests.
  • before acquiring the first information, the method may further include: after a file in a key agent module in the system is updated, recording the key agent module on which the update was performed as the first type of key agent module; if it is detected within a predetermined time period that the correct rate of the first type of key agent module performing ciphertext processing requests is higher than the predetermined correct rate, recording the first type of key agent module as the second type of key agent module.
  • the newly set key proxy module can be fully tested and gradually rolled out in the network.
  • if a key agent module of the dual key agent modules in the system meets the condition (for example, it has executed correctly for a sufficient time), that key agent module can be recorded as the stable type.
  • the service module selects the stable agent with the later modification time; when the dual agents are both stable agents and a change is needed, the stable agent whose file modification time is earlier is the one changed, and the changed stable agent becomes a development agent.
  • during the development of the development agent, if changes are required, the development agent continues to be released. Further, the development agent can be set to the stableAgent (ie, the second type of key broker module) only if it has executed correctly for a sufficiently long period of time (eg, 2 months) without any changes.
  • the method may further include: if a file in the key proxy module is to be updated while the first type of key proxy module is running in the system, the files in the first type of key proxy module are updated.
  • if changes are still needed, the development agent continues to be released; once the development agent has executed correctly without any change for a long enough time (such as 2 months), its type can be set to stable agent (the second type of key agent module).
  • performing the ciphertext processing request requested by the service module by the second type of key proxy module includes: if the system includes multiple second type key proxy modules (such as two), the second type key proxy module with the latest update time among them is obtained, and the ciphertext processing request is performed by that most recently updated second type key agent module.
  • the service module may select the agent with the newer file modification time from the two stable agents, and uses that agent (that is, the one with the later modification time) to perform encryption and decryption operations.
  • after the service's ciphertext processing request has been switched to the second type of key agent module, the method further includes: after receiving an input switching instruction, executing the ciphertext processing request by the first type of key proxy module in response to the switching instruction.
  • the input switching instruction is a manually input instruction. After the business module has switched from the development agent to the stable agent, it can be manually restored to use the development agent. In this way, the development agent is used again only after manual 100% confirmation that its problem has been fixed, thus avoiding arbitrary switching from the stable type back to the development type, which would cause further loss to the business.
  • through this disaster recovery process of the service module, encryption and decryption can be performed normally during a system upgrade, and when the system has a bug, the different types of key agent modules can be switched in time to perform the ciphertext processing request, ensuring the stability of the system.
  • the method further includes: after the key proxy module performs the validity check on the service process, in the case that the validity check is passed, the service module transmits a first file descriptor to the key agent module, wherein the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; and acquires a plurality of second file descriptors generated by the key agent module, wherein the second file descriptors are used by the service module to identify the data sent by the key agent module as legal data.
  • the method further includes: saving the obtained plurality of second file descriptors into a queue; and sequentially using the second file descriptors stored in the queue to communicate with the key broker module.
  • the number of the plurality of second file descriptors corresponds to the number of threads in the key broker module used for executing ciphertext processing requests.
  • the service works in units of threads: each thread independently exchanges descriptors with the Agent and manages its descriptors independently in a queue, so the threads do not interfere with each other.
  • each service thread independently passes the Agent's identity verification and then exchanges multiple second file descriptors (for example, an integer multiple of the number of Agent encryption and decryption threads); the Agent side distributes the descriptors completely evenly across the Agent encryption and decryption threads (so the number of descriptors managed by each thread is equal), achieving load balancing of the service.
  • the key agent module acquires 100 first file descriptors sent by the service module, then generates 100 second file descriptors and transmits them to the service module; the 100 first file descriptors and the 100 second file descriptors are paired one by one to obtain 100 groups of descriptors.
  • the key agent module distributes the 100 groups of descriptors evenly across 10 encryption and decryption threads, for example as follows:
  • the first group of descriptors is assigned to encryption and decryption thread 1
  • the second group of descriptors is assigned to encryption and decryption thread 2
  • the tenth group of descriptors is assigned to encryption and decryption thread 10
  • the eleventh group of descriptors is assigned to encryption and decryption thread 1
  • the twelfth group of descriptors is assigned to encryption and decryption thread 2, and so on
  • the hundredth group of descriptors is assigned to encryption and decryption thread 10.
  • each business thread saves the exchanged plurality of descriptors into its own thread-level queue; each time the business thread makes an encryption or decryption request, it first takes a descriptor from the queue to communicate with the agent and, after the communication is completed, puts the descriptor back at the end of the queue; if, when taking a descriptor from the queue, the queue is found to be empty, more descriptors are exchanged as described above.
  • the number of identity authentications is greatly reduced; since the MD5 (or other hash algorithm) used for identity verification is relatively inefficient, it is worthwhile not to verify identity on every request. Each service thread accesses the Agent threads extremely evenly, completely avoiding uneven load across the Agent threads and balancing the resources of multiple CPUs; and the encryption and decryption request processing between the service and the Agent is highly independent, so request-level locks are not needed to ensure exclusive use of resources, which improves concurrent throughput.
  • FIG. 5 shows an alternative embodiment. As shown in FIG. 5, the embodiment can be implemented by the following steps:
  • Step S502 The key agent module acquires an execution result of the execution of the ciphertext processing request.
  • Step S504 The key agent module detects whether the execution result meets a predetermined mode switching condition
  • Step S506 If it is detected that the execution result meets the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information is used to indicate that the service module switches to a mode in which the ciphertext processing request is performed by the service module itself.
  • otherwise, the mode of executing the ciphertext processing request by the key agent module is continued.
  • the key agent module acquires the execution result of executing the ciphertext processing request; the key agent module detects whether the execution result meets the predetermined mode switching condition; and if it detects that the execution result meets the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information is used to indicate that the service module switches to a mode in which the ciphertext processing request is performed by the service module.
  • the key agent module detects whether the execution result of executing the ciphertext processing request meets the predetermined mode switching condition, and if it does, determines that the key agent module can no longer stably perform ciphertext processing requests and switches the mode so that the service module performs the ciphertext processing request itself. This solves the problem in the related art that the system cannot operate stably when business data is encrypted and decrypted, and achieves stable operation of the system.
  • the mode of using the agent can be restored manually (such as by receiving a manually input recovery instruction; the service automatically cleans up the key M at this time). This is so that the agent is used again only after manual 100% confirmation that the problem has been fixed, and the service does not suffer further because of arbitrary switching. In this way normal operation of the business is guaranteed with minimal loss of security.
  • each time the Agent pulls the latest key list, the key server SVR generates a random key M (ie, key data) and returns it to the Agent; the Agent encrypts the key list using M and then saves it into a piece of shared memory N.
  • the method further includes: generating, by the service thread, a first end descriptor and a second end descriptor of the communication pipe, wherein the first end descriptor is used by the key proxy module to identify the data sent by the service module as legal data, and the second end descriptor is used by the service module to identify the data sent by the key agent module as legal data; and transmitting the second end descriptor to the key agent module through the communication pipe.
  • the service thread independently generates two pipe descriptors, a read-end descriptor and a write-end descriptor (such as the first end descriptor and the second end descriptor described above); the business thread passes the write end to the Agent for identity verification, and if verification passes, the Agent retains the write end, at which point the service thread closes its own copy of the write end. The service thread then holds the pipe's read end, and the Agent holds the pipe's write end corresponding to that thread.
  • the request time A is filled in the request packet (for example, the time can be accurate to the millisecond).
  • the obtaining, by the key agent module, of the execution result of executing the ciphertext processing request includes: after the ciphertext processing request is executed, the key proxy module determines, according to the request time in the ciphertext processing request and the current time, whether execution of the current ciphertext processing request has timed out; if it has timed out, the key agent module determines that execution of the current ciphertext processing request has failed; based on the number of ciphertext processing requests that failed, the key agent module computes the success rate of performing ciphertext processing requests, and the execution result includes the success rate.
  • the key agent module detecting whether the execution result meets the predetermined mode switching condition includes: the key agent module detects whether the success rate is lower than a second predetermined threshold; and if the success rate of executing ciphertext processing requests is lower than the second predetermined threshold, it is determined that the execution result meets the predetermined mode switching condition.
  • the agent takes the current time (accurate to milliseconds); with the service's configured encryption and decryption timeout being B ms, if the difference C between the current time and A exceeds (B·x) ms, the request is marked as failed.
  • when the success rate falls below the second predetermined threshold (for example, 98%) configured for the implementation, the key M is automatically written through each pipe and sent to all business threads.
  • x may be taken as 3, for example.
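The success-rate bookkeeping that drives both switching rules on this page, the development-to-stable agent switch described earlier and the agent-to-local mode switch described here (a request counts as failed when C = now - A exceeds B·x ms, the rate is successes over total, and the switch fires when the rate drops below a threshold such as 98%), as an added C example that is not the patent's code. The struct and function names, the sample timings and the stable-agent selection by file modification time are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Per-agent counters; "success" means the agent answered correctly and in time. */
struct agent_stats { uint64_t total; uint64_t failed; };

/* Timeout test from the page: A is the request time stamped by the service (ms),
 * B the configured encrypt/decrypt timeout (ms), x the slack factor (3 in the text).
 * A request whose reply took more than B*x ms, or whose crypto operation itself
 * failed, is counted as failed. Returns 1 for success, 0 for failure. */
int record_result(struct agent_stats *s, uint64_t a_ms, uint64_t now_ms,
                  uint64_t b_ms, unsigned x, int crypto_ok)
{
    uint64_t c_ms = now_ms >= a_ms ? now_ms - a_ms : 0;   /* C = now - A */
    int ok = crypto_ok && c_ms <= b_ms * x;
    s->total++;
    if (!ok) s->failed++;
    return ok;
}

/* Success rate = successful requests / total requests (the page's numerator and
 * denominator). With no data yet, report 1.0 so an agent that has not been
 * exercised is never switched away from. */
double success_rate(const struct agent_stats *s)
{
    if (s->total == 0) return 1.0;
    return (double)(s->total - s->failed) / (double)s->total;
}

/* Predetermined switching condition: rate strictly lower than the threshold
 * (e.g. 0.98); "not lower than" keeps the current agent or mode. */
int should_switch(const struct agent_stats *s, double threshold)
{
    return success_rate(s) < threshold;
}

/* Dual stable agents: the service uses the one with the later file modification
 * time. Returns the index of that agent, or -1 when no stable agent exists. */
struct agent_info { const char *name; int stable; time_t mtime; };

int select_latest_stable(const struct agent_info *agents, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (agents[i].stable && (best < 0 || agents[i].mtime > agents[best].mtime))
            best = (int)i;
    return best;
}

/* Constructed demo: 100 requests stamped at A = 1000 ms, B = 100 ms, x = 3.
 * Three replies arrive 400 ms later (> 300 ms) and count as failed, so the
 * rate is 0.97 and the 98% rule fires. */
int demo_should_switch(void)
{
    struct agent_stats s = {0, 0};
    for (int i = 0; i < 100; i++)
        record_result(&s, 1000, 1000 + (i < 3 ? 400 : 5), 100, 3, 1);
    return should_switch(&s, 0.98);
}

int main(void)
{
    struct agent_info agents[] = {           /* constructed mtimes (assumption) */
        { "agentA", 1, 1700000000 }, { "agentB", 1, 1700086400 }, { "agentC", 0, 1700172800 },
    };
    int idx = select_latest_stable(agents, 3);
    printf("switch=%d latest stable agent=%s\n", demo_should_switch(),
           idx >= 0 ? agents[idx].name : "(none)");
    return 0;
}
```

The same counters serve both decisions because the page defines both conditions as "success rate lower than a predetermined threshold"; only the threshold value and what happens on a switch differ.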
  • the key agent module sending indication information to the service module includes the key agent module sending key data to the service module, where the key data is used to decrypt the key list stored in the shared memory to obtain the decrypted key list, and the service module is further configured to perform the ciphertext processing request using the decrypted key list.
  • the service module obtaining the key data of the key agent module through the service thread includes: periodically reading data from the read end of the communication pipe through the service thread; if data is read from the read end of the communication pipe, determining that the key data has been obtained.
  • the business thread periodically (for example, every 3 seconds) checks whether its own pipe read end has data available. Once data is read, it is taken to be the key M; thereafter M is used each time to decrypt memory N, the key for each encryption and decryption request is obtained from the decrypted key list, and the thread degrades to a local encryption and decryption mode that bypasses the Agent entirely.
  • before the key agent module receives and executes the ciphertext processing request of the service module, the method further includes: after a file in a key agent module is updated, recording the key agent module on which the update was performed as a first type of key agent module; after the first type of key agent module receives and executes the ciphertext processing request of the service module and obtains the execution result, the method further includes: upon detecting within a predetermined time period that the correct rate of the first type of key agent module performing ciphertext processing requests is higher than the predetermined correct rate, recording the first type of key agent module as the second type of key agent module.
  • the method further includes: if a file in the key agent module is to be updated, the files in the first type of key agent module are updated.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • the communication pipeline is further configured to detect whether the service module and the key agent module are restarted.
  • the pipe (that is, the communication pipeline mentioned above) is also a powerful tool for the agent and the service to judge whether the other party has restarted: the service thread can transmit a pipe descriptor to the Agent once more, with the service holding the write end and the Agent holding the read end. Once the business process exits, the Agent finds out immediately through the EPOLLHUP event returned by epoll_wait() and at once starts cleaning up to prevent resource leakage. On the service side the check is triggered by a request: when an encryption and decryption request times out, the service writes one byte to the write end of the pipe; if the Agent has restarted, the write returns EPIPE, which likewise triggers resource cleanup and re-verification of identity with the newly started Agent.
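The two restart checks just described (EPOLLHUP on the agent's read end when the service process exits, EPIPE on the service's write end when the agent restarts), as an added C example that is not the patent's own code. It simulates both peers inside one process by closing pipe ends; the function names and the probe protocol of a single byte are its own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Agent side. The agent holds the read end of the pipe a service thread gave it.
 * When the service process exits, the kernel closes its write end and epoll
 * reports EPOLLHUP on the read end. Returns 1 if the peer is gone, 0 if nothing
 * happened within timeout_ms, -1 on error. */
int peer_writer_gone(int read_fd, int timeout_ms)
{
    int ep = epoll_create1(EPOLL_CLOEXEC);
    if (ep < 0) return -1;
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = read_fd };
    if (epoll_ctl(ep, EPOLL_CTL_ADD, read_fd, &ev) < 0) { close(ep); return -1; }
    struct epoll_event out = {0};
    int n = epoll_wait(ep, &out, 1, timeout_ms);
    close(ep);
    if (n < 0) return -1;
    return (n == 1 && (out.events & EPOLLHUP)) ? 1 : 0;
}

/* Service side. After a request times out, the service writes one byte to its
 * write end; if the agent has restarted (its read end is gone) the write fails
 * with EPIPE. SIGPIPE must be ignored by the caller, otherwise the write would
 * terminate the service instead of reporting. Returns 1 if the peer is gone,
 * 0 if the byte was accepted, -1 on any other error. */
int peer_reader_gone(int write_fd)
{
    char probe = 0;
    if (write(write_fd, &probe, 1) == 1) return 0;
    return errno == EPIPE ? 1 : -1;
}

/* Constructed demo of both directions; returns 0 when both detections behave as
 * described, or a negative code identifying the failing step. */
int demo_restart_detection(void)
{
    signal(SIGPIPE, SIG_IGN);
    int p[2];
    if (pipe(p) < 0) return -1;
    if (peer_writer_gone(p[0], 10) != 0) return -2;   /* writer alive: no HUP yet */
    close(p[1]);                                       /* "service" exits */
    if (peer_writer_gone(p[0], 10) != 1) return -3;   /* agent sees EPOLLHUP */
    close(p[0]);

    int q[2];
    if (pipe(q) < 0) return -4;
    if (peer_reader_gone(q[1]) != 0) return -5;       /* agent alive: byte accepted */
    close(q[0]);                                       /* "agent" restarts */
    if (peer_reader_gone(q[1]) != 1) return -6;       /* service sees EPIPE */
    close(q[1]);
    return 0;
}

int main(void)
{
    int rc = demo_restart_detection();
    printf("restart detection demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Both checks rely on the kernel closing a process's descriptors when it dies, so neither peer has to trust a heartbeat message from the other; the cleanup and re-verification that follow are what keep a crashed service from leaving a descriptor, and a key, behind in the agent.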
  • in this case security may be sacrificed.
  • the aim is to maintain the normal operation of the service, that is, to minimize the loss of security under the premise of ensuring normal business.
  • it is the agent that decides whether to enter disaster recovery mode; the agent's own security protection (running as root, being hard to debug, etc.) is far stronger than that of an ordinary service. Normally the service still does not hold the key, nor can the key list be stolen by simply dumping shared memory N holding the encrypted key list, which improves security. Further, having the agent decide on disaster recovery mode is very reasonable: since the two parties share descriptors, as long as the agent has written the return packet data into the communication shared memory and the communication descriptor's buffer, the business thread is guaranteed to be able to read it unconditionally. The Agent also reserves 3 milliseconds for the business to read the result, which is ample; if the business still times out, this proves that some other part is taking too long and the performance problem has little to do with the Agent. This avoids the problem with non-shared descriptors: if the service and the agent communicated through different descriptors, the Agent would write the result into its own descriptor's buffer and still depend on the kernel to move that data into the service descriptor's buffer, otherwise the business still could not read the result, so having the Agent decide to open disaster recovery would not necessarily be reasonable.
  • N remains encrypted, so the key list still cannot be stolen by simply dumping the shared memory N holding the encrypted key list; one would instead have to go down to the service itself (such as by debugging the service) to obtain M and only then steal the key list.
  • a malicious party who wants to steal the key list through disaster recovery mode also has to make a relatively large move, that is, manufacture or fake a business fault on at least one physical machine in order to steal it; since the business has visible problems at that time, this is much more conspicuous and the risk is higher.
  • the method further includes: acquiring the key data of the key proxy module through the service thread, where the key agent module is configured to transmit the key data after detecting that the success rate of executing ciphertext processing requests is lower than a second predetermined threshold; decrypting the key list stored in the shared memory using the key data to obtain the decrypted key list; and performing the ciphertext processing request through the service module using the decrypted key list.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • the service processing method can also be applied in a system where the key agent module is located, and the solution can be implemented as follows: the first type of key agent module receives and executes the ciphertext processing of the service module. Requesting, obtaining an execution result; the second type of key agent module receives and executes a ciphertext processing request of the service module, wherein the service module is configured to: if the first information generated based on the execution result meets a predetermined type switching condition, The second type of key broker module sends a ciphertext processing request.
  • the first type of key agent module is a development type key agent module
  • the second type of key agent module is a stable key agent module
  • the stable key agent module is executed within a predetermined time period.
  • the ciphertext processing request is more accurate than the key agent module of the predetermined correct rate.
  • the method further includes: after updating the file in the key proxy module in the system, The key agent module that performs the update operation records as the first type of key agent module; after the first type of the key agent module receives and executes the ciphertext processing request of the service module, and obtains the execution result, the method further includes: Detecting that the correct rate of the first type of key agent module performing the ciphertext processing request is higher than the predetermined correct rate during the predetermined time period, The first type of key broker module is recorded as a second type of key broker module.
  • the method further includes: if the file in the key agent module is to be updated, the first type of the key is The files in the agent module are updated.
  • the method further includes: the key proxy module detecting whether the success rate of executing the ciphertext processing request is lower than a second predetermined threshold; if the ciphertext processing is detected If the success rate of the request is lower than the second predetermined threshold, the key data is sent to the service module, where the key data is used to decrypt the key list stored in the shared memory, and the decrypted key list is obtained, and the service module further uses The ciphertext processing request is performed through the decrypted key list.
  • the method further includes: after the ciphertext processing request is executed, the key proxy module processes the request based on the ciphertext The request time and the current time determine whether the execution of the current ciphertext processing request has timed out; if it is determined that the execution of the current ciphertext processing request timeout, it is determined that the execution of the current ciphertext processing request fails; Quantity, the success rate of the statistics key agent module to perform ciphertext processing requests.
  • the method further includes: receiving a second end descriptor of the communication pipe transmitted by the service thread, where the service thread is configured to generate a first end descriptor for the key proxy module to identify data sent by the service module as legal data, and a second end descriptor for the service module to identify data sent by the key broker module as legal data.
  • sending the key data to the service module includes: transmitting the key data through the write end of the communication pipe of each service thread.
  • the method further includes, after the key proxy module performs a validity check on the service process and the validity check passes:
  • the key agent module receives the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; the key agent module generates a plurality of second file descriptors, where the second file descriptors are used by the service module to identify the data sent by the key agent module as legal data; and the key agent module transmits the plurality of second file descriptors to the service module.
  • the number of the plurality of second file descriptors corresponds to the number of threads in the key broker module for executing the ciphertext processing request.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • in the case where the ciphertext processing request is a request for encrypting data to be encrypted into ciphertext data:
  • an embodiment of a method for service encryption is provided.
  • the foregoing service encryption method may be applied to a hardware environment formed by the server 602 and the terminal 604 as shown in FIG. 6.
  • the server 602 is connected to the terminal 604 through a network.
  • the network includes but is not limited to a wide area network, a metropolitan area network, or a local area network.
  • the terminal 604 may be, but is not limited to, a PC, a mobile phone, a tablet, or the like.
  • the service encryption method in the embodiment of the present application may be executed by the server 602, may be executed by the terminal 604, or may be jointly performed by the server 602 and the terminal 604.
  • the service encryption method performed by the terminal 604 in the embodiment of the present application may also be performed by a client installed thereon.
  • the key agent module is installed in the terminal 604.
  • an encryption request carrying the data to be encrypted may be sent to the key agent module through the service module.
  • the key agent module obtains the target key from the extracted key list, encrypts the data to be encrypted using the target key to obtain the encrypted data, and finally sends the encrypted data to the business module.
  • the key list is the list of keys that the key agent module retrieved beforehand from the server 604 (e.g., a key server).
  • FIG. 7 is a flowchart of an optional service encryption method according to an embodiment of the present application. As shown in FIG. 7, the method may include the following steps:
  • Step S702: the key agent module receives an encryption request sent by the service module, where the encryption request carries data to be encrypted.
  • the key agent module (hereinafter referred to as the key agent) may be implemented in a single-process multi-thread manner; the service module is configured to send an encryption request to the key agent, wherein the key agent and the service module are on the same physical stand-alone machine.
  • the service module may send an encryption request carrying the data to be encrypted to the key agent; after acquiring the encryption request, the key agent may perform the following step S704, that is, obtain the target key from the key list according to the encryption request.
  • Step S704: the key agent module acquires the target key from the key list, wherein the key list was previously extracted from the key server.
  • when the key agent module (Agent) is restarted, the key agent pulls the key list from the key server. It should be noted that the key agent pulls the key list from the key server only when restarting, and does not pull the key list at other times after startup.
  • the key agent may acquire the target key from the previously pulled key list, where the target key is used to encrypt the data to be encrypted.
  • Step S706: the key agent module encrypts the data to be encrypted using the target key to obtain the encrypted data.
  • the key agent may encrypt the data to be encrypted using the target key.
  • Step S708: the key agent module sends the encrypted data to the service module.
  • the key agent module encrypts the data to be encrypted using the target key, and after obtaining the encrypted data, the encrypted data can be sent to the service module.
  • the encryption request is received by the key agent module, the target key is acquired according to the request, and the data to be encrypted is encrypted with the target key.
  • the service encryption method provided in the embodiment of the present application thus encrypts the service more securely, achieving the technical effect of improving key security when encrypting the service and solving the technical problem in the related art of low key security when encrypting a service.
  • the first public key may be sent to the key server by using the key proxy module, and the second public key is received from the key server, where
  • the key agent module has a pair of first public key and a first private key, and the key server has a pair of second public key and a second private key;
  • the key agent module sends a key list pull request to the key server;
  • the key agent module receives the encrypted key list sent by the key server, wherein the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server according to the first public key and the second private key; the key agent module decrypts the encrypted key list with the second communication key on the key agent module side to obtain the key list.
  • the second communication key is generated by the key agent module according to the first private key and the second public key, and the first communication key is the same as the second communication key.
  • the key list needs to be pulled from the key server, wherein the key list pulled from the key server is the encrypted key list. Therefore, the key agent needs to decrypt the extracted key list.
  • the key list extracted by the key agent was encrypted on the key server side with the first communication key, and the key agent module decrypts it with the second communication key, which is the same as the first communication key.
  • the first communication key is generated by the key server from the first public key and the second private key, and the second communication key is generated by the key agent module from the first private key and the second public key.
  • the first public key and the first private key are a pair (pubkey and prikey) generated by the key agent before sending the key list pull request to the key server; the second public key and the second private key are a pair (pubkey and prikey) generated by the key server.
  • the second communication key is generated from the first private key and the second public key. Therefore, before the key agent module sends the key list pull request to the key server, the key agent and the key server need to exchange their public keys, each retaining its own private key. After the exchange, the key agent module can generate the second communication key for decrypting the key list once it has sent the key list pull request to the key server, and the key server can likewise generate the first communication key with which the key list is encrypted.
  • the exchange of the two parties' public keys is specifically: the agent sends the first public key to the key server SVR, and then the agent receives the second public key from the key server SVR. After the exchange, the agent can decrypt the encrypted key list using the first private key and the second public key.
  • the agent and the key server may exchange their pubkeys, each retaining its own prikey, by using a key exchange protocol (i.e., the ECDH protocol).
  • the key list in the present application is encrypted using the first public key and the second private key, and decrypted using the first private key and the second public key.
  • only the public keys (pubkey) of the Agent and the key server are transmitted on the network. Therefore, with the encryption method of the present application, even if packets on the intranet are captured with tcpdump, no key leakage results from the captured packets.
  • after the key agent pulls the key list from the key server and decrypts it, the key agent needs to verify the legality of the business process, where the business process is the process to which the data to be encrypted belongs.
  • the key agent module sending the first public key to the key server and receiving the second public key from the key server includes: when the key agent module is restarted, the key proxy module sends the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key with the agreed key; the key proxy module receives the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key; the key proxy module decrypts the encrypted second public key with the agreed key to obtain the second public key; wherein the agreed key is set to be used only when the key broker module is restarted.
  • when the key agent is restarted and sends the first public key to the key server, the first public key is first encrypted with the agreed key, the encrypted first public key is sent to the key server, and after the key server obtains it, the key server can decrypt it with the agreed key.
  • when the key server sends the second public key to the key agent, the second public key is likewise encrypted with the agreed key and the encrypted second public key is sent to the key agent; after receiving the encrypted second public key, the key agent can decrypt it with the agreed key.
  • the first public key and the second public key are encrypted with the "agreed key" and transmitted to each other only when the key agent is restarted. That is, the only legitimate use of the agreed key is when the maintainer of the key agent restarts the process while changing the key agent; any other use is illegal. For example, the maintainer of the key agent uses the agreed key to obtain the key list when the key agent is restarted; if, after that, another user uses the agreed key again to obtain the key list, that user is an abuser. Therefore, in the embodiment of the present application, by setting the "agreed key" to be used only when the key agent is restarted, an abuser can be detected quickly and effectively.
  • the key agent needs to decrypt the key list after pulling the key list.
  • the key proxy module obtains the target key from the key list.
  • the process PID of the service process can be obtained by the key agent, and the legality of the process PID and the service process is then verified by the key agent. If the verification result for the process PID and the service process is legal, that is, if the verification passes, the key agent module may obtain the target key from the key list and encrypt the data to be encrypted with the target key.
  • the key proxy module may obtain the kernel-authenticated process PID transmitted by the service module through the socket SCM_RIGHTS mechanism, wherein the socket SCM_RIGHTS mechanism applies to unix domain sockets.
  • the key proxy module performs legality verification on the service process and the process PID, which is specifically as follows:
  • Step S1: the key agent module acquires the full path of the process corresponding to the process PID;
  • Step S2: the key agent module determines whether the full path of the process belongs to the legal paths acquired from the key server in advance;
  • Step S3: if it is determined that the full path of the process belongs to the legal paths, the key agent module performs an MD5 check operation on the service process to obtain a first MD5 check result; if it is determined that the full path of the process does not belong to the legal paths, it is judged that the validity check is not passed;
  • Step S4: the key agent module determines whether the first MD5 check result is the same as the second MD5 check result corresponding to the service process acquired in advance;
  • Step S5: if the first MD5 check result is the same as the second MD5 check result, it is determined that the validity check is passed; if the first MD5 check result differs from the second MD5 check result, it is determined that the validity check is not passed.
  • the specific verification process is as follows: the key agent module first obtains the full path of the process corresponding to the process PID, and then compares the path of the process with the legal paths obtained from the key server in advance. If it is determined that the path of the process belongs to the legal paths, the MD5 of the service process is computed by the key agent module to obtain the first MD5 check result; if it is determined that the path of the process does not belong to the legal paths, the validity check of the business process and process PID fails. Next, it is determined whether the first MD5 check result is the same as the pre-acquired second MD5 check result: if they are the same, the legality check passes, and if not, the legality check fails.
  • the key agent module acquires the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data, and then the key agent module generates a second file descriptor, wherein the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  • the key agent module transmits the second file descriptor to the service module.
  • the file descriptor is exchanged between the key agent module and the service module.
  • the key agent module may first obtain the first file descriptor of the service module, and after obtaining the first file descriptor, the key agent module may identify the data sent by the service module as legal data.
  • at this point the business module has exchanged its file descriptor with the key broker module, and the key broker module is in turn required to exchange its file descriptor with the business module.
  • the key agent module may transmit the generated second file descriptor to the service module, and after receiving the second file descriptor, the service module may identify the data sent by the key agent module as legal data.
  • the first file descriptor and the second file descriptor correspond to the data block in the shared memory in which the data is stored, wherein the shared memory is used to store the data to be encrypted for the encryption request and the encrypted data to be checked, which will be described in detail in the following embodiments.
  • the service module stores the data to be encrypted in the area of the shared memory corresponding to the first file descriptor.
  • the key agent module can thereby learn that the service module has stored the data to be encrypted in the shared memory, and the key agent module then goes to that area to obtain the data to be encrypted.
  • multiple file descriptors (eventfd) can be exchanged at one time, and when they are not enough, more eventfds are exchanged after verifying again, so that the number of verification requests is significantly reduced; the applicant finds through testing that the maximum number of fds for one exchange on a Linux system is 255.
  • the key agent module may further set a target authority for the first file descriptor, where the target authority includes at least one of the following: the key agent module is allowed to encrypt the data to be encrypted requested by the service module, and the key agent module is allowed to decrypt the data to be decrypted requested by the service module.
  • the key agent module may set the target authority for the first file descriptor after exchanging the file descriptors, where the target authority includes: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • after the key agent module sets the target authority for the first file descriptor, the key agent module can encrypt the data to be encrypted according to the received encryption request, and then send the encrypted data to the service module.
  • the key agent module receiving the encryption request sent by the service module includes: the key proxy module obtains the data to be encrypted stored by the service module from the shared memory; and the key agent module sending the encrypted data to the service module includes: the key agent module stores the encrypted data in the shared memory, so that the business module obtains the encrypted data from the shared memory.
  • the data to be encrypted for the encryption request is stored in the shared memory.
  • the key broker module can retrieve the stored data to be encrypted from the shared memory.
  • after the key agent module encrypts the data to be encrypted using the target key, the encrypted data may also be stored in the shared memory, so that the business module can obtain the encrypted data from the shared memory.
  • the key agent module has previously set a target authority for the first file descriptor. In this case, the key agent module obtaining the target key from the key list if the validity check passes specifically includes: when the target authority includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module obtains the target key from the key list.
  • the target authority may only allow the key agent module to decrypt the data to be decrypted requested by the service module, or only allow the key agent module to encrypt the data to be encrypted requested by the service module. Therefore, the key agent module obtains the target key from the key list only when it determines that the target authority allows the key agent module to encrypt the data to be encrypted requested by the service module, and it then uses the obtained target key to encrypt the data to be encrypted.
  • the key agent module acquiring the process PID of the service process includes: the key agent module obtains the process PID of the service process through the unix domain socket in non-root operation mode; or the key proxy module sets the socket option to SO_PEERCRED and obtains the process PID of the business process through the socket.
  • the process PID is transmitted through the socket SCM_RIGHTS mechanism of the unix domain socket. Because the exact process PID passed by the unix domain socket is that of a process running in non-root mode, approval by the local root mode must be sought before the process PID is passed. That is, the process PID of the business process needs to be obtained through the unix domain socket in non-root mode. Further, the socket option can be set to SO_PEERCRED by the key proxy module, and the process PID of the business process can then be obtained through the socket.
  • the data to be encrypted is indirectly encrypted and decrypted by the key agent; at the same time, the communication between the service module and the key agent may be any standard Linux IPC mechanism, including but not limited to a pipe, a Unix socket pair, a local disk file, and so on; the Linux eventfd adopted by this scheme is the most efficient and is best suited to massive numbers of encryption and decryption requests.
  • the method realizes encryption and decryption by fully utilizing the standard mechanisms provided by the modern Linux operating system kernel, which not only improves the security of the key but also minimizes the loss of encryption and decryption performance, and its effectiveness is ensured in practice.
  • in the case where the ciphertext processing request is a request for decrypting ciphertext data into decrypted data:
  • an embodiment of a method of service decryption is provided.
  • FIG. 8 is a flowchart of an optional service decryption method according to an embodiment of the present application. As shown in FIG. 8, the method may include the following steps:
  • Step S802: the key agent module receives the decryption request sent by the service module, where the decryption request carries data to be decrypted.
  • the key agent module (hereinafter referred to as the agent) may be implemented in a single-process multi-thread manner; the service module is configured to send a decryption request to the agent, wherein the agent and the service module are on the same physical stand-alone machine.
  • the service module may send a decryption request carrying the data to be decrypted to the agent; after acquiring the decryption request, the agent may perform the following step S804, that is, obtain the target key from the key list according to the decryption request.
  • Step S804: the key agent module acquires the target key from the key list, wherein the key list was previously extracted from the key server.
  • when the key agent module (Agent) is restarted, the agent pulls the key list from the key server. It should be noted that the agent pulls the key list from the key server only when restarting, and does not pull the key list at other times after startup.
  • the agent may acquire the target key from the previously pulled key list, where the target key is used to decrypt the data to be decrypted.
  • Step S806: the key agent module decrypts the data to be decrypted using the target key to obtain the decrypted data.
  • the Agent may decrypt the data to be decrypted using the target key.
  • Step S808: the key agent module sends the decrypted data to the service module.
  • the key agent module decrypts the data to be decrypted using the target key, and after obtaining the decrypted data, the decrypted data can be sent to the service module.
  • the decryption request is received by the key agent module, the target key is acquired according to the request, and the data to be decrypted is decrypted with the target key.
  • the service decryption method provided in the embodiment of the present application thus decrypts the service more securely, achieving the technical effect of improving key security when decrypting the service and solving the technical problem in the related art of low key security when decrypting a service.
  • the method further includes: the key proxy module sends the first public key to the key server and receives the second public key from the key server, where the key agent module has a pair consisting of a first public key and a first private key, and the key server has a pair consisting of a second public key and a second private key; the key agent module sends a key list pull request to the key server; the key agent module receives the encrypted key list sent by the key server, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server according to the first public key and the second private key; the key agent module decrypts the encrypted key list with the second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module according to the first private key and the second public key, and the first communication key is the same as the second communication key.
  • the key list needs to be pulled from the key server, wherein the key list pulled from the key server is the encrypted key list. Therefore, the key agent needs to decrypt the extracted key list.
  • the key list extracted by the key agent was encrypted on the key server side with the first communication key, and the key agent module decrypts it with the second communication key, which is the same as the first communication key.
  • the first communication key is generated by the key server according to the first public key and the second private key, and the second communication key is generated by the key agent module according to the first private key and the second public key.
  • the first public key and the first private key are a pair (pubkey and prikey) generated by the key agent before sending the key list pull request to the key server; the second public key and the second private key are a pair (pubkey and prikey) generated by the key server.
  • the second communication key is generated from the first private key and the second public key. Therefore, before the key agent module sends the key list pull request to the key server, the key agent and the key server need to exchange their public keys, each retaining its own private key. After the exchange, the key agent module can generate the second communication key for decrypting the key list once it has sent the key list pull request to the key server, and the key server can likewise generate the first communication key with which the key list is encrypted.
  • the exchange of the two parties' public keys is specifically: the agent sends the first public key to the key server SVR, and then the agent receives the second public key from the key server SVR. After the exchange, the agent can decrypt the encrypted key list using the first private key and the second public key.
  • the agent and the key server may exchange their pubkeys, each retaining its own prikey, by using a key exchange protocol (i.e., the ECDH protocol).
  • the key list in the present application is encrypted using the first public key and the second private key, and decrypted using the first private key and the second public key.
  • only the public keys (pubkey) of the Agent and the key server are transmitted on the network. Therefore, with the encryption method of the present application, even if packets on the intranet are captured with tcpdump, no key leakage results from the captured packets.
  • after the key agent pulls the key list from the key server and decrypts it, the key agent needs to verify the legality of the business process, where the business process is the process to which the data to be decrypted belongs.
  • the key agent module sending the first public key to the key server and receiving the second public key from the key server includes: when the key agent module is restarted, the key agent module sends the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key with the agreed key; the key agent module receives the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key; the key proxy module decrypts the encrypted second public key with the agreed key to obtain the second public key; wherein the agreed key is set to be used only when the key broker module is restarted.
  • when the key agent is restarted and sends the first public key to the key server, the first public key is first encrypted with the agreed key, the encrypted first public key is sent to the key server, and after the key server obtains it, the key server can decrypt it with the agreed key.
  • when the key server sends the second public key to the key agent, the second public key is likewise encrypted with the agreed key and the encrypted second public key is sent to the key agent; after receiving the encrypted second public key, the key agent can decrypt it with the agreed key.
  • the first public key and the second public key are encrypted with the "agreed key" and transmitted to each other only when the key agent is restarted. That is, the only legitimate use of the agreed key is when the maintainer of the key agent restarts the process while changing the key agent; any other use is illegal. For example, the maintainer of the key agent uses the agreed key to obtain the key list when the key agent is restarted; if, after that, another user uses the agreed key again to obtain the key list, that user is an abuser. Therefore, in the embodiment of the present application, by setting the "agreed key" to be used only when the key agent is restarted, an abuser can be detected quickly and effectively.
  • the key agent needs to decrypt the key list after pulling the key list.
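The key list pull described above for both the encryption and decryption embodiments, as an added example that is not part of the application: each side generates a pubkey/prikey pair, only the public keys are exchanged (wrapped under the agreed key at restart), and the key server's first communication key and the agent's second communication key come out identical. The curve (secp256k1), the SHA-256 derivation and the HMAC-based stand-in cipher are assumptions; the application does not specify them.

```python
# Added example, not the application's code: the key-list pull modelled as ECDH.
# Assumptions: secp256k1 (public constants), SHA-256 of the shared x-coordinate
# as the communication key, and an HMAC-SHA256 keystream plus tag standing in
# for the real cipher; every key and the sample key list are constructed.
import hashlib
import hmac
import os
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result

def gen_keypair():
    """A (prikey, pubkey) pair; pubkey = prikey * G."""
    prikey = secrets.randbelow(N - 1) + 1
    return prikey, _mul(prikey, G)

def comm_key(own_prikey, peer_pubkey):
    """Communication key: SHA-256 of the x-coordinate of own_prikey * peer_pubkey."""
    return hashlib.sha256(_mul(own_prikey, peer_pubkey)[0].to_bytes(32, "big")).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """nonce || ciphertext || tag; the tag lets the receiver detect tampering."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong communication key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encode_pub(pub):
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")

def decode_pub(raw):
    return int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")

def pull_key_list(key_list_plain, agreed_key):
    """One restart-time pull. Returns (both sides derived the same key, decrypted list)."""
    agent_pri, agent_pub = gen_keypair()      # first private key / first public key
    server_pri, server_pub = gen_keypair()    # second private key / second public key
    # Public keys cross the network wrapped under the agreed key (restart-only use);
    # the private keys never leave their owner.
    agent_pub_at_server = decode_pub(unseal(agreed_key, seal(agreed_key, encode_pub(agent_pub))))
    server_pub_at_agent = decode_pub(unseal(agreed_key, seal(agreed_key, encode_pub(server_pub))))
    # Key server: first communication key, used to encrypt the key list it serves.
    first_comm_key = comm_key(server_pri, agent_pub_at_server)
    encrypted_list = seal(first_comm_key, key_list_plain)
    # Key agent: second communication key, used to decrypt the pulled list.
    second_comm_key = comm_key(agent_pri, server_pub_at_agent)
    return first_comm_key == second_comm_key, unseal(second_comm_key, encrypted_list)

def tamper_detected(key, blob):
    """True when flipping one ciphertext bit is caught by the tag check."""
    bad = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        unseal(key, bad)
        return False
    except ValueError:
        return True
```

An observer of the exchange sees only the two wrapped public keys and the sealed list; without one of the private keys neither communication key can be recomputed.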
  • before the key proxy module receives the decryption request sent by the service module, the method further includes: the key proxy module acquires the process PID of the service process, where the service process is the process through which the service module sends the data to be decrypted; the key agent module checks the legality of the business process and the process PID; and the key agent module obtaining the target key from the key list includes: in the case that the legality check passes, the key agent module obtains the target key from the key list.
  • the process PID of the service process can be obtained by the key agent, and the legality of the process PID and the service process is then verified by the key agent. If the verification result for the process PID and the service process is legal, that is, if the verification passes, the key agent module may obtain the target key from the key list and decrypt the data to be decrypted with the target key.
  • the key proxy module may obtain the kernel-authenticated process PID transmitted by the service module through the socket SCM_RIGHTS mechanism, wherein the socket SCM_RIGHTS mechanism applies to unix domain sockets.
  • the key agent module performing legality verification on the service process and the process PID includes: the key agent module acquires the full path of the process corresponding to the process PID; the key agent module determines whether the full path of the process belongs to the legal paths obtained from the key server in advance; if the full path belongs to the legal paths, the key agent module performs an MD5 check operation on the service process to obtain a first MD5 check result, and if it does not, it is determined that the legality check fails; the key agent module then determines whether the first MD5 check result is the same as the pre-acquired second MD5 check result corresponding to the service process; if they are the same, it is determined that the legality check passes, and if they differ, it is determined that the legality check fails.
  • the specific verification process is as follows: the key agent module first obtains the full path of the process corresponding to the process PID, and then compares it with the legal paths obtained from the key server in advance. If the path of the process belongs to the legal paths, the key agent module computes the MD5 of the service process to obtain the first MD5 check result; if the path of the process does not belong to the legal paths, the legality check of the service process and process PID fails. Next, it is determined whether the first MD5 check result is the same as the pre-acquired second MD5 check result: if they are the same, the legality check passes, and if not, the legality check fails.
  • the method further includes: when the verification passes, the key agent module acquires the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; the key agent module generates a second file descriptor, where the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data; and the key agent module transmits the second file descriptor to the service module.
  • file descriptors need to be exchanged between the key agent module and the service module. Specifically, the key agent module may first obtain the first file descriptor of the service module; after obtaining it, the key agent module can identify the data sent by the service module as legal data. At this point the service module has handed its file descriptor to the key agent module, so the key agent module in turn needs to hand one to the service module: it transmits the generated second file descriptor to the service module, and after receiving it the service module can identify the data sent by the key agent module as legal data.
  • the first file descriptor and the second file descriptor each correspond to a data block in the shared memory, where the shared memory is used to store the data to be decrypted of the decryption request and the decrypted data. This will be described in detail in the following examples.
  • the service module stores the data to be decrypted in the shared memory, in the area corresponding to the first file descriptor; the key agent module can learn that the service module has stored the data to be decrypted there, and then goes to that area to obtain it.
  • multiple file descriptors (eventfd) can be exchanged at one time, and more eventfds are exchanged through another verification when these are not enough, so that the number of verification requests is significantly reduced; the applicant found through testing that the maximum number of fds a Linux system can exchange at one time is 255.
  • the key agent module may further set a target authority for the first file descriptor, where the target authority includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • after the key agent module performs legality verification on the service process and the process PID and exchanges the file descriptors, it can set the target authority for the first file descriptor; the set target authority includes: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • after the key agent module sets the target authority for the first file descriptor, the key agent module can decrypt the data to be decrypted according to the received decryption request and then send the decrypted data to the service module.
  • the key agent module receiving the decryption request sent by the service module, obtaining the data to be decrypted stored by the service module from the shared memory, and sending the decrypted data to the service module includes: the key agent module stores the decrypted data into the shared memory, so that the service module obtains the decrypted data from the shared memory.
  • the data to be decrypted carried by the decryption request is stored in the shared memory, from which the key agent module retrieves it; the key agent module decrypts it using the target key, and the decrypted data can also be stored in the shared memory, enabling the service module to retrieve the decrypted data from there.
  • the key agent module has previously set a target authority for the first file descriptor. In this case, if the legality check passes, the key agent module obtaining the target key from the key list specifically means: when the target authority includes allowing the key agent module to decrypt the data to be decrypted requested by the service module, the key agent module obtains the target key from the key list.
  • the target authority may only allow the key agent module to encrypt the data to be encrypted requested by the service module, or allow the key agent module to decrypt the data to be decrypted requested by the service module. Therefore, the key agent module can obtain the target key from the key list only when it determines that the target authority allows it to decrypt the data to be decrypted requested by the service module, and then uses the obtained target key to decrypt the data to be decrypted.
  • the key agent module acquiring the process PID of the service process includes: the key agent module obtains the process PID of the service process through the unix domain socket in the non-root operation mode; or, the key agent module configures the socket option as SO_PEERCRED and obtains the process PID of the service process through the socket.
  • the process PID is transmitted through the socket SCM_RIGHTS in the unix domain socket. Because a unix domain socket only passes an accurate process PID for a process running in non-root mode, the local root mode must be approved before the process PID is passed; that is, the process PID of the service process needs to be obtained through the unix domain socket in non-root mode. Further, the socket option can be configured as SO_PEERCRED by the key agent module, and the process PID of the service process can then be obtained through the socket.
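  As an added illustration of the PID acquisition (SO_PEERCRED) and the legality check (full path against the legal paths, then MD5 against the pre-acquired value) described above, here is a small Python program; it is my example, not code from the patent. The key agent's end of a unix domain socket reads the peer's kernel-authenticated PID, resolves the process's full path through /proc, checks it against a legal-path set, and compares the binary's MD5 with the expected value. The allow-list and expected MD5 are constructed at run time from the demo's own interpreter, standing in for the values the key agent would pull from the key server; the function names (peer_pid, verify_peer_process, demo) are mine. It runs on Linux only.

```python
import hashlib
import os
import socket
import struct


def peer_pid(sock):
    """PID of the process at the other end of a unix domain socket (SO_PEERCRED, Linux only).
    struct ucred is {pid_t pid; uid_t uid; gid_t gid;}, i.e. three native ints."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def process_full_path(pid):
    """Full path of the executable behind a PID, as the kernel reports it in /proc."""
    return os.readlink(f"/proc/{pid}/exe")


def file_md5(path):
    """MD5 of a file on disk; this is the 'first MD5 check result' of the embodiment."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_peer_process(pid, legal_paths, expected_md5_by_path):
    """Legality check: the path must be in the legal-path set obtained from the key
    server, and the binary's MD5 must equal the pre-acquired second MD5 check result.
    Returns (passed, reason) so the caller can log why a request was refused."""
    try:
        path = process_full_path(pid)
    except OSError:
        return False, "process not found"
    if path not in legal_paths:
        return False, "path not in legal path list"
    if file_md5(path) != expected_md5_by_path.get(path):
        return False, "md5 mismatch"
    return True, "ok"


def demo():
    """Service end and agent end of one socketpair; the agent learns the service PID
    from the kernel rather than trusting anything the service says about itself."""
    service_end, agent_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid = peer_pid(agent_end)  # both ends live in this process, so pid == os.getpid()
        exe = process_full_path(pid)
        legal = {exe}  # constructed allow-list standing in for the key server's legal paths
        expected = {exe: file_md5(exe)}  # constructed second MD5 check result
        passed = verify_peer_process(pid, legal, expected)
        wrong_path = verify_peer_process(pid, set(), expected)
        wrong_hash = verify_peer_process(pid, legal, {exe: "0" * 32})
        return pid, passed, wrong_path, wrong_hash
    finally:
        service_end.close()
        agent_end.close()
```

  The reason string is deliberately separate from the boolean: a refused request should be logged with which of the two checks failed, since a path outside the legal list and a hash mismatch on a legal path point at different problems.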
  • FIG. 9 is a flowchart of an optional service encryption method according to an embodiment of the present application. As shown in FIG. 9, the key agent and the service module are on the same physical machine.
  • when the key agent is restarted, it encrypts the first public key using the agreed key and sends the encrypted first public key to the key server; the key agent module can also receive the encrypted second public key sent by the key server, where the second public key is likewise encrypted using the agreed key. After obtaining the encrypted second public key, the key agent decrypts it using the agreed key; after obtaining the encrypted first public key, the key server likewise decrypts it using the agreed key.
  • the key agent can send a pull request of the key list to the key server.
  • the key server transmits the encrypted key list to the key agent, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key.
  • the key agent may decrypt using the second communication key, which is the same as the first communication key, where the second communication key is generated by the key agent module from the first private key and the second public key.
  • the first public key and the second public key are encrypted with the "agreed key" and transmitted to each other only when the key agent is restarted.
  • the service encryption provided in the embodiment of the present application decrypts the encrypted key list using the first private key and the second public key, so even if the encrypted key list is captured with tcpdump the keys cannot be recovered from it, which avoids the key leakage caused by intranet packet capture.
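  As an added example of the restart handshake and the key-list pull described in the preceding items, played from both sides in one process (my code, not the patent's): the public keys cross the wire sealed under the agreed key, each side derives its communication key from its own private key and the peer's public key, and the key list travels sealed under that communication key, so a capture of the wire sees only ciphertext. The patent does not name its algorithms, so two stand-ins are used to keep the block self-contained: Diffie-Hellman over the Mersenne prime 2^127 - 1 (far too small for real use) for the key pairs, and a SHA-256 keystream with an HMAC-SHA256 tag in place of a real authenticated cipher. All names and the sample key list are mine.

```python
import hashlib
import hmac
import secrets

# Stand-in public-key scheme: classic Diffie-Hellman over a toy group. The prime
# 2**127 - 1 is chosen only so the arithmetic is obvious; it is far too small for real use.
P = 2**127 - 1
G = 2


def keygen():
    """Return (private key, public key) for one side."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def communication_key(own_priv, peer_pub):
    """Communication key from one's own private key and the peer's public key. Both sides
    reach the same value, which is why the server's 'first' and the agent's 'second'
    communication key coincide."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """nonce || ciphertext || HMAC-SHA256 tag, so tampering is detected on open."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag first, then strip the keystream; refuse anything modified in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return keystream_xor(key, nonce, ct)


def run_exchange(agreed_key, key_list):
    """Both sides of the handshake. Returns (keys matched, key list as the agent recovers
    it, the encrypted key list as an intranet capture would see it)."""
    agent_priv, agent_pub = keygen()    # first key pair, held by the key agent
    server_priv, server_pub = keygen()  # second key pair, held by the key server
    # 1. On agent restart, the public keys cross the wire encrypted under the agreed key.
    to_server = seal(agreed_key, agent_pub.to_bytes(16, "big"))
    to_agent = seal(agreed_key, server_pub.to_bytes(16, "big"))
    agent_pub_at_server = int.from_bytes(open_sealed(agreed_key, to_server), "big")
    server_pub_at_agent = int.from_bytes(open_sealed(agreed_key, to_agent), "big")
    # 2. Each side derives its communication key; the agreed key is not used again.
    first_comm_key = communication_key(server_priv, agent_pub_at_server)  # key server side
    second_comm_key = communication_key(agent_priv, server_pub_at_agent)  # key agent side
    # 3. Pull request: the server answers with the key list sealed under its communication key.
    encrypted_list = seal(first_comm_key, key_list)
    recovered = open_sealed(second_comm_key, encrypted_list)
    return first_comm_key == second_comm_key, recovered, encrypted_list


def tamper_is_detected(key, plaintext):
    """Flip one byte of a sealed message and confirm open_sealed refuses it."""
    blob = bytearray(seal(key, plaintext))
    blob[16] ^= 0x01
    try:
        open_sealed(key, bytes(blob))
        return False
    except ValueError:
        return True
```

  The agreed key protects only the two public keys, and only at restart; every later message is under a communication key that exists nowhere on the wire, which is the property the item above relies on against packet capture.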
  • the memory of the key agent and the key server may also be protected. Specifically, the binaries of the key agent and the key server can be stripped (that is, all debugging information is deleted), and the code of the key agent and the key server is then securely isolated, so that gdb is of little use against them; at the very least, variables cannot simply be modified.
  • after decrypting the key list, the key agent needs to verify the legality of the service process and its process PID.
  • the service module first establishes a unix domain socket and creates a first file descriptor, then uses SCM_RIGHTS on the unix domain socket to transfer the first file descriptor to the key agent, and uses SCM_CREDENTIALS to transfer the process PID, as authenticated by the kernel, to the key agent.
  • SCM_RIGHTS and SCM_CREDENTIALS are applicable to unix domain sockets. SCM_RIGHTS is used to transfer descriptors from one process to another; this method can extend IPC mechanisms that otherwise only work between related processes (for example, Linux eventfd) to unrelated processes. SCM_CREDENTIALS is used to transfer the process PID, as authenticated by the kernel.
  • the first file descriptor eventfda may further be sent to the key agent module by the service module; after acquiring eventfda, the key agent module generates a second file descriptor eventfdb and sends it to the service module, implementing the exchange of file descriptors between the key agent module and the service module.
  • the key agent module may further set a target authority for the first file descriptor, where the target authority includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • the service module can write the data to be encrypted into the area of the shared memory corresponding to the first file descriptor eventfda, and then write to eventfda (write eventfda); from this the key agent module can know that the service module has written data. At this time the key agent module reads the data to be encrypted from the shared memory (that is, the second file descriptor is read, read eventfdb) and reads the target permissions previously configured for the first file descriptor eventfda. The key agent module can then obtain the target key from the key list and encrypt the data to be encrypted with the obtained target key.
  • the premise for the unix domain socket passing an accurate process PID is that the process runs in non-root mode, so the requirement that the key agent run in root mode must be approved.
  • the key agent module can also configure the socket option as SO_PEERCRED and obtain the process PID of the service process through the socket.
  • the test environment is as follows:
  • Key agent: 10 processes; the service processes and the key agent run freely, with no CPU priority set.
  • Bill main ticket + slave ticket
  • Bill main ticket + slave ticket
  • the requests from the five external test machines to the test service reached about 30W/s (W = 10,000 requests), of which 17% for the empty service, 31%-33% for local decryption, and 33%-34% for agent decryption.
  • the requests from the 8 external test machines to the test service reached about 40W/s, of which 27%-28% for the empty service, 55%-56% for local decryption, and 60%-61% for agent decryption.
  • the method according to the above embodiments can be implemented by software plus the necessary general hardware platform, or of course by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, or the part of it that contributes to the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, disk, CD-ROM) that includes a number of instructions for causing a terminal device (which may be a cell phone, a computer, a server, or a network device, etc.) to perform the methods described in the various embodiments of the present application.
  • FIG. 11 is a schematic diagram of an optional service processing apparatus according to an embodiment of the present application. As shown in FIG. 11, the apparatus may include:
  • the first obtaining unit 1101 is configured to acquire first information, where the first information is used to indicate the execution result of the first type of key agent module performing the ciphertext processing request;
  • the first detecting unit 1103 is configured to detect whether the first information meets a predetermined type switching condition, wherein the predetermined type switching condition indicates that the configuration of the first type of the key agent module cannot stably perform the ciphertext processing request;
  • the first execution unit 1105 is configured to execute the ciphertext processing request of the service module by the second type of key proxy module in the case that the first information is detected to meet the predetermined type switching condition.
  • the first processing unit is configured to send a ciphertext processing request to the first type of key agent module before the first information is acquired, and to obtain the execution result of the first type of key agent module performing the ciphertext processing request; the first obtaining unit includes: determining, according to the execution result, the success rate of the first type of key agent module performing the ciphertext processing request, where the first information includes the success rate.
  • the predetermined type switching condition includes: the success rate is lower than the first predetermined threshold, and the detecting unit is specifically configured to determine whether the success rate is lower than the first predetermined threshold; if the detected success rate is lower than the first predetermined threshold, it is determined that the first information meets the predetermined type switching condition; if the detected success rate is not lower than the first predetermined threshold, it is determined that the first information does not meet the predetermined type switching condition.
  • the first type of key agent module is a development type key agent module
  • the second type of key agent module is a stable key agent module
  • the stable key agent module is a key agent module whose correct rate for executing ciphertext processing requests within a predetermined time period is higher than the predetermined correct rate.
  • the development type key agent module may be, but is not limited to, an unverified key agent module; after passing the verification process it becomes a stable key agent module.
  • the second processing unit is configured to, before the first information is acquired, record the key agent module that performed an update operation as a first type of key agent module after a file in a key agent module in the system is updated; and, if it is detected that the correct rate of the first type of key agent module performing the ciphertext processing request within a predetermined time period is higher than the predetermined correct rate, record the first type of key agent module as a second type of key agent module.
  • the third processing unit is configured to, while the first type of key agent module in the system is running and before the first information is acquired, update the files in the first type of key agent module if the files in the key agent module need to be updated.
  • the first execution unit includes: if a plurality of second type key agent modules are present in the system, obtaining the second type key agent module with the latest update time from among them, and executing the ciphertext processing request with that most recently updated second type key agent module.
  • the fourth processing unit is configured to, after the ciphertext processing request of the service module has been executed by the second type of key agent module, respond to a received switching instruction by executing the ciphertext processing request with the first type of key agent module.
  • the fifth processing unit is configured to obtain the key data of the key agent module through the service thread while the ciphertext processing request is being executed by the first type or the second type of key agent module, where the key agent module is configured to transmit the key data when it detects that the success rate of executing ciphertext processing requests is lower than a second predetermined threshold; decrypt the key list stored in the shared memory using the key data to obtain the decrypted key list; and execute the ciphertext processing request in the service module using the decrypted key list.
  • the sixth processing unit is configured to generate, by the service thread, a first end descriptor and a second end descriptor of the communication pipeline before the key data of the key agent module is acquired by the service thread, where the first end descriptor is used by the key agent module to identify the data sent by the service module as legal data, and the second end descriptor is used by the service module to identify the data sent by the key agent module as legal data; and to transfer the second end descriptor to the key agent module through the communication pipeline.
  • obtaining, by the service thread, the key data of the key agent module includes: periodically reading data from the read end of the communication pipe through the service thread; if the data is read from the read end of the communication pipe, determining to obtain Key data.
  • the communication pipeline is further configured to detect whether the service module and the key agent module are restarted.
  • the seventh processing unit is configured to, before the ciphertext processing request is executed by the key agent module and after the legality verification by the key agent module passes, send a first file descriptor from the service module to the key agent module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data, and obtain the second file descriptor generated by the key agent module, where the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  • the seventh processing unit is configured to, after acquiring multiple second file descriptors generated by the key agent module, save the obtained second file descriptors in a queue; the second file descriptors stored in the queue are used to communicate with the key agent module.
  • the number of the plurality of second file descriptors corresponds to the number of threads in the key broker module for executing the ciphertext processing request.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • the apparatus is applied in a key agent module, the apparatus comprising: a first processing unit, disposed in the first type of key agent module, configured to receive and execute the ciphertext processing request of the service module and obtain an execution result; and a second processing unit, disposed in the second type of key agent module, configured to receive and execute the ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when the first information generated from the execution result meets the predetermined type switching condition.
  • the first type of key agent module is a development type key agent module
  • the second type of key agent module is a stable key agent module
  • the stable key agent module is a key agent module whose correct rate for executing ciphertext processing requests within a predetermined time period is higher than the predetermined correct rate.
  • the third processing unit is configured to: before the first type of key agent module receives and executes the ciphertext processing request of the service module and obtains the execution result, after a file in a key agent module in the system is updated, record the key agent module that performed the update operation as the first type of key agent module; and after the first type of key agent module receives and executes the ciphertext processing request of the service module and obtains the execution result, if it is detected that the correct rate of the first type of key agent module performing the ciphertext processing request within the predetermined time period is higher than the predetermined correct rate, record the first type of key agent module as the second type of key agent module.
  • the updating unit is configured to: while the first type of key agent module executes the ciphertext processing request of the service module, if the files in the key agent module need to be updated, update the files in the first type of key agent module.
  • the detecting unit is configured to: while the key agent module executes the ciphertext processing request, detect whether the success rate of executing ciphertext processing requests is lower than a second predetermined threshold; if it is detected that the success rate is lower than the second predetermined threshold, send the key data to the service module, where the key data is used to decrypt the key list stored in the shared memory to obtain the decrypted key list, and the service module is further used to execute the ciphertext processing request with the decrypted key list.
  • the fourth processing unit is configured to: before the key agent module detects whether the success rate of executing ciphertext processing requests is lower than the second predetermined threshold, after executing a ciphertext processing request the key agent module compares the processing time carried in the request with the current time to determine whether the current ciphertext processing request has timed out; if it is determined that the current ciphertext processing request has timed out, it is determined that execution of the current ciphertext processing request failed; and the success rate of the key agent module executing ciphertext processing requests is computed from the number of failed requests and the number of requests processed.
  • the sixth processing unit is configured to receive the second end descriptor of the communication pipeline transmitted by the service thread before the key agent module detects whether the success rate of executing ciphertext processing requests is lower than the second predetermined threshold, where the service thread is configured to generate a first end descriptor and a second end descriptor, the first end descriptor is used by the key agent module to identify the data sent by the service module as legal data, and the second end descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  • sending the key data to the service module includes: transmitting key data by using a write end of a communication pipeline of each service thread.
  • the communication pipeline is further configured to detect whether the service module and the key agent module are restarted.
  • the sixth processing unit is configured to, before the ciphertext processing request is executed by the key agent module and after the legality verification by the key agent module passes, receive at the key agent module the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; generate at the key agent module multiple second file descriptors, where the second file descriptors are used by the service module to identify the data sent by the key agent module as legal data; and transmit the plurality of second file descriptors from the key agent module to the service module.
  • the number of the plurality of second file descriptors corresponds to the number of threads in the key broker module for executing the ciphertext processing request.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • the service processing device is applied in a key agent module, the device including: a first obtaining unit configured to acquire the execution result of executing the ciphertext processing request; a first detecting unit configured to detect whether the execution result meets the predetermined mode switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module is unstable, that is, the first type of key agent module cannot stably execute the ciphertext processing request; and a first sending unit configured to, if the detection result is that the execution result meets the predetermined mode switching condition, send indication information to the service module, where the indication information is used to instruct the service module to switch to the mode in which the ciphertext processing request is executed by the service module itself.
  • the first obtaining unit is configured to: after a ciphertext processing request is executed, determine, from the request time carried in the ciphertext processing request and the current time, whether the current ciphertext processing request has timed out; if it has, the key agent module determines that execution of the current ciphertext processing request failed; the key agent module then computes the success rate of executing ciphertext processing requests based on the number of ciphertext processing requests that failed, and the execution result includes the success rate.
  • the first detecting unit is configured to: detect, at the key agent module, whether the success rate is lower than a second predetermined threshold; if the success rate of executing ciphertext processing requests is detected to be lower than the second predetermined threshold, determine that the execution result meets the predetermined mode switching condition.
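  The switching logic spread across these apparatus items (success rate from timeouts and failures, comparison with the first predetermined threshold, selection of the most recently updated stable module, and promotion of a development-type module once its correct rate clears the predetermined rate), as an added Python example that is mine rather than the patent's: the monitor is the service-side bookkeeping described for the first obtaining, detecting and execution units, and run_scenario plays a constructed timeline through it. Thresholds, timestamps, module names and the sliding-window size are my assumptions; the patent fixes none of them.

```python
from collections import deque


class SwitchMonitor:
    """Counts each ciphertext processing request as failed when it errors or exceeds the
    timeout, keeps the success rate over a sliding window, and moves to the most recently
    updated stable module once the rate drops below the first predetermined threshold."""

    def __init__(self, first_threshold, timeout_s, window=100):
        self.first_threshold = first_threshold
        self.timeout_s = timeout_s
        self.results = deque(maxlen=window)  # True per successful request
        self.current = "development"          # first type: newest code, not yet verified

    def record(self, request_time, finish_time, succeeded):
        """Timeout is judged from the request time carried in the request vs. the current time."""
        timed_out = (finish_time - request_time) > self.timeout_s
        self.results.append(bool(succeeded) and not timed_out)

    def success_rate(self):
        return 1.0 if not self.results else sum(self.results) / len(self.results)

    def meets_switch_condition(self):
        return self.success_rate() < self.first_threshold

    def choose_agent(self, stable_agents):
        """stable_agents: [(name, update_time), ...]; pick the latest-updated stable module."""
        if self.current == "development" and self.meets_switch_condition() and stable_agents:
            self.current = max(stable_agents, key=lambda a: a[1])[0]
        return self.current

    def switch_back(self):
        """Operator's switching instruction: return to the first type of module."""
        self.current = "development"


def promote_if_stable(correct, total, predetermined_correct_rate):
    """A development-type module whose correct rate over the predetermined period exceeds
    the predetermined correct rate is recorded as a stable module."""
    return total > 0 and correct / total > predetermined_correct_rate


def run_scenario():
    """Constructed timeline: 20 good requests, then 3 late (timed out) and 2 failed ones."""
    monitor = SwitchMonitor(first_threshold=0.9, timeout_s=0.5)
    stable = [("stable-v1", 1), ("stable-v2", 2)]  # constructed (name, update order)
    for _ in range(20):
        monitor.record(request_time=100.0, finish_time=100.1, succeeded=True)
    before = monitor.choose_agent(stable)          # 20/20: stays on the development module
    for _ in range(3):
        monitor.record(request_time=100.0, finish_time=100.9, succeeded=True)  # late counts as failed
    for _ in range(2):
        monitor.record(request_time=100.0, finish_time=100.1, succeeded=False)
    rate = monitor.success_rate()                  # 20/25 = 0.8, below the 0.9 threshold
    after = monitor.choose_agent(stable)           # switched to the newest stable module
    return before, rate, after
```

  Counting a late success as a failure is the detail worth keeping: a module that answers correctly but slowly is exactly the case the timeout comparison in the items above is there to catch, and a monitor that only counted errors would never switch away from it.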
  • the first sending unit is configured to: send the key data from the key agent module to the service module, where the key data is used to decrypt the key list stored in the shared memory to obtain the decrypted key list, and the service module is further configured to execute the ciphertext processing request with the decrypted key list.
  • the key agent module includes a first type of key agent module and a second type of key agent module, where the first type of key agent module is a development type key agent module and the second type is a stable key agent module, and the stable key agent module is a key agent module whose correct rate for executing ciphertext processing requests within a predetermined time period is higher than a predetermined correct rate.
  • the first processing unit is configured to: before the key agent module receives and executes the ciphertext processing request of the service module, after a file in the key agent module is updated, record the key agent module that performed the update operation as a first type of key agent module; and after the first type of key agent module receives and executes the ciphertext processing request of the service module and obtains the execution result, if it is detected that the correct rate of the first type of key agent module performing the ciphertext processing request within the predetermined time period is higher than the predetermined correct rate, record the first type of key agent module as a second type of key agent module.
  • the second processing unit is configured to: while the first type of key agent module executes the ciphertext processing request of the service module, if the files in the key agent module need to be updated, update the files in the first type of key agent module.
  • the ciphertext processing request comprises: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into decrypted data.
  • FIG. 12 is a schematic diagram of an optional service encryption apparatus according to an embodiment of the present application. The apparatus may include a first encryption receiving unit 1201, a first encryption obtaining unit 1203, a first encryption unit 1205, and a first encryption sending unit 1207, wherein:
  • the first encryption receiving unit 1201 is disposed in the key agent module and configured to receive an encryption request sent by the service module, where the encryption request carries data to be encrypted.
  • the first encryption obtaining unit 1203 is disposed in the key agent module and configured to acquire the target key from the key list, wherein the key list is previously extracted from the key server.
  • the first encryption unit 1205 is disposed in the key agent module and configured to encrypt the data to be encrypted using the target key to obtain the encrypted data.
  • the first encryption sending unit 1207 is disposed in the key agent module and configured to send the encrypted data to the service module.
  • the encryption request is received by the key agent module, the target key is then obtained according to the encryption request, and the data to be encrypted is then encrypted with the target key; the service encryption method provided in the embodiment of the present application thereby achieves the purpose of encrypting the service more securely, achieving the technical effect of improving key security when encrypting the service and solving the technical problem of low key security when encrypting and decrypting the service in the related art.
  • the second encryption sending unit is disposed in the key agent module and configured to, before the key agent module receives the encryption request sent by the service module, send the first public key to the key server and receive the second public key from the key server, wherein the key agent module has a pair consisting of a first public key and a first private key, and the key server has a pair consisting of a second public key and a second private key; the third encryption sending unit is disposed in the key agent module and configured to send a key list pull request to the key server; the second encryption receiving unit is disposed in the key agent module and configured to receive the encrypted key list sent by the key server,
  • where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server according to the first public key and the second private key;
  • the decryption unit is disposed in the key agent module and configured to decrypt the encrypted key list using the second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module according to the first private key and the second public key, and the first communication key is the same as the second communication key.
  • the second encryption sending unit includes: a first sending module, configured to send the encrypted first public key to the key server when the key agent module is restarted, where the encrypted first public key is obtained by encrypting the first public key with an agreed key; a receiving module, configured to receive the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key; and a decrypting module, configured to decrypt the encrypted second public key with the agreed key to obtain the second public key; wherein the agreed key is configured to be used only when the key agent module is restarted.
  • the device includes: a second encryption acquiring unit, disposed in the key agent module and configured to acquire the process PID of the service process before the key agent module receives the encryption request sent by the service module, where the service process is the process through which the service module sends the data to be encrypted; a verification unit, disposed in the key agent module and configured to perform a legality check on the service process and the process PID; and the first encryption acquiring unit includes: a first acquiring module, disposed in the key agent module and configured to obtain the target key from the key list when the legality check is passed.
  • the verification unit includes: a second acquiring module, configured to acquire the full path of the process corresponding to the process PID; a first determining module, configured to determine whether the full path of the process belongs to the legal paths obtained in advance from the key server;
  • a verification module, configured to perform an MD5 check on the service process to obtain a first MD5 check result when the full path of the process is determined to belong to the legal paths;
  • the first determining module is further configured to determine that the legality check fails when the full path of the process does not belong to the legal paths;
  • a second determining module, configured to determine whether the first MD5 check result is the same as the pre-acquired second MD5 check result corresponding to the service process, and to determine that the legality check is passed when the first MD5 check result is the same as the second MD5 check result; and a third determining module, configured to determine that the legality check fails when the first MD5 check result is different from the second MD5 check result.
  • the device further includes: a third encryption acquiring unit, disposed in the key agent module and configured to, after the key agent module performs the legality check on the service process and the process PID and before the key agent module receives the encryption request sent by the service module, obtain the first file descriptor sent by the service module when the legality check is passed, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data;
  • a generating unit, disposed in the key agent module and configured to generate a second file descriptor, wherein the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data;
  • the transmission unit is disposed in the key agent module and configured to transmit the second file descriptor to the service module.
  • the first encryption receiving unit includes: a third acquiring module, disposed in the key agent module and configured to receive the encryption request sent by the service module, where the key agent module obtains the data to be encrypted from the service module through the shared memory; and the first encryption sending unit includes: a second sending module, disposed in the key agent module and configured to store the encrypted data in the shared memory, so that the service module obtains the encrypted data from the shared memory.
  • the device further includes: a setting unit, disposed in the key agent module and configured to, after the key agent module performs the legality check on the service process and the process PID and before the key agent module receives the encryption request sent by the service module, set a target authority for the first file descriptor when the legality check is passed, wherein the target authority includes at least one of: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • the first acquiring module includes: an acquiring submodule, configured to obtain the target key from the key list when the key agent module is allowed to encrypt the data to be encrypted requested by the service module.
  • the second encryption acquiring unit includes: a fourth acquiring module, configured to acquire the process PID of the service process through a unix domain socket in non-root running mode; or a fifth acquiring module, configured to set the socket option to SO_PEERCRED and obtain the process PID of the service process through the socket.
  • the first encryption receiving unit 1201 in this embodiment may be configured to perform step S702 in the first embodiment of the present application.
  • the first encryption obtaining unit 1203 in this embodiment may be configured to perform the first embodiment of the present application.
  • the first encryption unit 1205 in this embodiment may be configured to perform step S706 in Embodiment 1 of the present application, and the first encryption transmitting unit 1207 in this embodiment may be configured to perform step S708 in Embodiment 1 of the present application.
  • FIG. 13 is a schematic diagram of an optional service decryption apparatus according to an embodiment of the present application.
  • the apparatus may include: a first decryption receiving unit 1301, a first decryption acquiring unit 1303, a first decryption unit 1305, and a first decryption transmitting unit 1307, wherein:
  • the first decryption receiving unit is disposed in the key proxy module and configured to receive the decryption request sent by the service module, where the decryption request carries data to be decrypted.
  • the first decryption obtaining unit is disposed in the key agent module and configured to obtain the target key from the key list, wherein the key list is previously extracted from the key server.
  • the first decryption unit is disposed in the key agent module and configured to decrypt the data to be decrypted using the target key to obtain the decrypted data.
  • the first decryption sending unit is disposed in the key agent module and configured to send the decrypted data to the service module.
  • the decryption request is received by the key agent module, the target key is then obtained according to the decryption request, and the data to be decrypted is then decrypted with the target key; the service decryption method provided in the embodiment of the present application thus achieves the purpose of decrypting the service more securely, thereby achieving the technical effect of improving key security when decrypting a service and solving the technical problem of low key security when decrypting a service in the related art.
  • the second decryption sending unit is disposed in the key agent module and configured to, before the key agent module receives the decryption request sent by the service module, send the first public key to the key server and receive the second public key from the key server, wherein the key agent module has a pair consisting of a first public key and a first private key, and the key server has a pair consisting of a second public key and a second private key; the third decryption sending unit is disposed in the key agent module and configured to send a key list pull request to the key server; the second decryption receiving unit is disposed in the key agent module and configured to receive the encrypted key list sent by the key server, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server according to the first public key and the second private key; and the second decryption unit is disposed in the key agent module and configured to decrypt the encrypted key list using the second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module according to the first private key and the second public key, and the first communication key is the same as the second communication key.
  • the second decryption sending unit includes: a first sending module, configured to send the encrypted first public key to the key server when the key agent module is restarted, where the encrypted first public key is obtained by encrypting the first public key with an agreed key; a receiving module, configured to receive the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key; and a decryption module, configured to decrypt the encrypted second public key with the agreed key to obtain the second public key; wherein the agreed key is configured to be used only when the key agent module is restarted.
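The key exchange described for the second encryption and decryption sending units above (first and second public keys, an agreed key used only while the key agent module restarts, and a communication key that each side derives from its own private key and the peer's public key) is a Diffie-Hellman style agreement followed by symmetric encryption of the key list. The following Go program is an added example, not code from the patent or from its assignee: it assumes X25519 for the agreement, SHA-256 to turn the shared secret into a 32-byte key, and AES-256-GCM both for wrapping the public keys under the agreed key and for encrypting the key list; none of these algorithm choices appear in the text. Both parties are simulated in one process and the key list is a constructed placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newKeyPair makes one side's pair: the "first" pair for the key agent module,
// the "second" for the key server. X25519 is an assumption; the text names none.
func newKeyPair() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable
	}
	return priv
}

// CommunicationKey combines one side's private key with the peer's public key:
// server (second private, first public), agent (first private, second public).
func CommunicationKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared) // never use the raw shared secret directly as a key
	return k[:], nil
}

// gcmFor builds the AES-GCM AEAD; a wrong key length is a programming error here.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or on any modification.
func Open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PullKeyList runs the flow end to end with both parties simulated in-process and
// returns the key list as recovered by the agent; agreedKey is the pre-shared key.
func PullKeyList(agreedKey, keyList []byte) ([]byte, error) {
	agent, server := newKeyPair(), newKeyPair()
	// Restart handshake: each public key crosses the wire wrapped under the agreed key.
	var pubs [2][]byte
	for i, kp := range []*ecdh.PrivateKey{agent, server} {
		wrapped, err := Seal(agreedKey, kp.PublicKey().Bytes())
		if err != nil {
			return nil, err
		}
		if pubs[i], err = Open(agreedKey, wrapped); err != nil {
			return nil, err
		}
	}
	firstPub, secondPub := pubs[0], pubs[1]
	// Server side: the first communication key encrypts the key list.
	serverKey, err := CommunicationKey(server, firstPub)
	if err != nil {
		return nil, err
	}
	encryptedList, err := Seal(serverKey, keyList)
	if err != nil {
		return nil, err
	}
	// Agent side: the second communication key decrypts it.
	agentKey, err := CommunicationKey(agent, secondPub)
	if err != nil {
		return nil, err
	}
	return Open(agentKey, encryptedList)
}
```

The property a defender wants from this flow is visible in the code: the agreed key protects only the public keys during the restart handshake, the key list itself is never sent under it, and a wrong communication key or a modified ciphertext makes Open return an error rather than garbage, because GCM authenticates before it decrypts.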
  • the device includes: a second decryption acquiring unit, disposed in the key agent module and configured to acquire the process PID of the service process before the key agent module receives the decryption request sent by the service module, where the service process is the process through which the service module sends the data to be decrypted; a verification unit, disposed in the key agent module and configured to perform a legality check on the service process and the process PID; and the first decryption acquiring unit includes: a first acquiring module, disposed in the key agent module and configured to obtain the target key from the key list when the legality check is passed.
  • the verification unit includes: a second acquiring module, configured to acquire the full path of the process corresponding to the process PID; a first determining module, configured to determine whether the full path of the process belongs to the legal paths obtained in advance from the key server;
  • a verification module, configured to perform an MD5 check on the service process to obtain a first MD5 check result when the full path of the process is determined to belong to the legal paths;
  • the first determining module is further configured to determine that the legality check fails when the full path of the process does not belong to the legal paths;
  • a second determining module, configured to determine whether the first MD5 check result is the same as the pre-acquired second MD5 check result corresponding to the service process, and to determine that the legality check is passed when the first MD5 check result is the same as the second MD5 check result; and a third determining module, configured to determine that the legality check fails when the first MD5 check result is different from the second MD5 check result.
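The legality check described for the verification unit above (resolve the full path of the process behind the PID, require it to be in the legal path list pulled from the key server, then compare a hash of the executable with the pre-acquired value), together with obtaining the PID through SO_PEERCRED on a unix domain socket, as an added Go example that is not part of the patent text. The function names, the use of /proc/<pid>/exe to resolve the path, and SHA-256 in place of the MD5 the text names are assumptions made here; the code is Linux-only, and the socket pair is created inside the same process so that the peer under test is the example itself.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"syscall"
)

// PeerPID asks the kernel for the PID at the other end of a connected Unix
// domain socket via SO_PEERCRED (Linux). fd is the socket descriptor held by
// the key agent module; the PID is not something the client reports itself.
func PeerPID(fd int) (int, error) {
	cred, err := syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	if err != nil {
		return 0, err
	}
	return int(cred.Pid), nil
}

// SelfPeerPID builds a socket pair inside this process and queries one end,
// so the example needs no second process; the "peer" is this process.
func SelfPeerPID() (int, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return 0, err
	}
	defer syscall.Close(fds[0])
	defer syscall.Close(fds[1])
	return PeerPID(fds[0])
}

// ProcessPath resolves the full path of the executable behind pid from /proc.
// Unlike argv[0] or a path sent inside the request, the process cannot forge it.
func ProcessPath(pid int) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
}

// FileDigest hashes the executable on disk. The text uses MD5; SHA-256 is used
// here because MD5 collisions are practical, so two different binaries could
// carry the same MD5 value. The comparison logic is the same either way.
func FileDigest(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyProcess is the legality check of the text: the resolved path must be
// one of the legal paths obtained from the key server, and the executable's
// digest must equal the pre-acquired digest for that path. Returns (passed, reason).
func VerifyProcess(pid int, legalPaths []string, expected map[string]string) (bool, string) {
	path, err := ProcessPath(pid)
	if err != nil {
		return false, "cannot resolve process path: " + err.Error()
	}
	legal := false
	for _, p := range legalPaths {
		if p == path {
			legal = true
			break
		}
	}
	if !legal {
		return false, "path not in legal list: " + path
	}
	got, err := FileDigest(path)
	if err != nil {
		return false, "cannot hash executable: " + err.Error()
	}
	if want, ok := expected[path]; !ok || want != got {
		return false, "digest mismatch for " + path
	}
	return true, "ok"
}
```

Two details carry the security of this check: the PID comes from the kernel's credential structure, not from anything the client sends, and the digest is computed over the binary behind the resolved path, so a renamed or replaced executable fails even when its path is legal. The check is still taken once, at connection time; a process whose binary is replaced on disk afterwards keeps its descriptor, which is one reason to bind the granted authority to the file descriptor, as the setting unit above does, rather than to the PID.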
  • the device further includes: a third decryption acquiring unit, disposed in the key agent module and configured to, after the key agent module performs the legality check on the service process and the process PID and before the key agent module receives the decryption request sent by the service module, obtain the first file descriptor sent by the service module when the legality check is passed, where the first file descriptor is used by the key agent module to identify the data sent by the service module as legal data; a generating unit, disposed in the key agent module and configured to generate a second file descriptor, wherein the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data; and a transmission unit, disposed in the key agent module and configured to transmit the second file descriptor to the service module.
  • the first decryption receiving unit includes: a third acquiring module, disposed in the key agent module and configured to receive the decryption request sent by the service module, where the key agent module obtains the data to be decrypted from the service module through the shared memory; and the first decryption sending unit includes: a second sending module, disposed in the key agent module and configured to store the decrypted data in the shared memory, so that the service module obtains the decrypted data from the shared memory.
  • the device further includes: a setting unit, disposed in the key agent module and configured to, after the key agent module performs the legality check on the service process and the process PID and before the key agent module receives the decryption request sent by the service module, set a target authority for the first file descriptor when the legality check is passed, wherein the target authority includes at least one of: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
  • the first acquiring module includes: an acquiring submodule, configured to obtain the target key from the key list when the key agent module is allowed to decrypt the data to be decrypted requested by the service module.
  • the second decryption acquiring unit includes: a fourth acquiring module, configured to acquire the process PID of the service process through a unix domain socket in non-root running mode; or a fifth acquiring module, configured to set the socket option to SO_PEERCRED and obtain the process PID of the service process through the socket.
  • the first decryption receiving unit 701 in this embodiment may be configured to perform step S302 in the first embodiment of the present application.
  • the first decryption obtaining unit 703 in this embodiment may be configured to perform the first embodiment of the present application.
  • the first decryption unit 705 in this embodiment may be configured to perform step S306 in the first embodiment of the present application, and the first decryption sending unit 707 in this embodiment may be configured to perform step S308 in the first embodiment of the present application.
  • the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in Embodiment 1 above. It should be noted that the foregoing modules may be implemented, as part of the apparatus, in a hardware environment as shown in FIG. 1, and may be implemented by software or by hardware, where the hardware environment includes a network environment.
  • an electronic device for implementing the foregoing service processing method is also provided.
  • FIG. 14 is a structural block diagram of an electronic device according to an embodiment of the present application.
  • the electronic device may include: one or more processors 1401 (only one is shown; for example the key agent module in the above embodiment), a memory 1403, and a transmission device 1405 (such as the transmitting device in the above embodiment); as shown in FIG. 14, the electronic device may further include an input/output device 1407.
  • the memory 1403 can be configured to store software programs and modules, such as the program instructions/modules corresponding to the service processing method and apparatus in the embodiments of the present application; the processor 1401 executes various functional applications and data processing by running the software programs and modules stored in the memory 1403, that is, implements the above-described service processing method.
  • Memory 1403 can include high speed random access memory, and can also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • memory 1403 can further include memory remotely located relative to processor 1401, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • the above-described transmission device 1405 is configured to receive or transmit data via a network, and may also be used for data transmission between the processor and the memory. Specific examples of the above network may include a wired network and a wireless network.
  • the transmission device 1405 includes a Network Interface Controller (NIC) that can be connected to other network devices and routers via a network cable to communicate with the Internet or a local area network.
  • the transmission device 1405 is a Radio Frequency (RF) module configured to communicate with the Internet wirelessly.
  • the memory 1403 is configured to store an application.
  • the processor 1401 may invoke the application stored in the memory 1403 via the transmission device 1405 to perform the steps of: acquiring first information, wherein the first information is used to indicate the execution result of the first type of key agent module executing the ciphertext processing request; detecting whether the first information meets a predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that a vulnerability has occurred in the first type of key agent module; and when it is detected that the first information meets the predetermined type switching condition, executing the ciphertext processing request of the service module by the second type of key agent module.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: before acquiring the first information, sending a ciphertext processing request to the first type of key agent module and acquiring the execution result of the first type of key agent module executing the ciphertext processing request; and acquiring the first information includes: counting, based on the execution result, the success rate of the first type of key agent module executing the ciphertext processing request, wherein the first information includes the success rate.
  • the predetermined type switching condition includes the success rate being lower than a first predetermined threshold;
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the steps of: detecting whether the success rate is lower than the first predetermined threshold; if the detected success rate is lower than the first predetermined threshold, determining that the first information meets the predetermined type switching condition; and if the detected success rate is not lower than the first predetermined threshold, determining that the first information does not meet the predetermined type switching condition.
  • the first type of key agent module is a development type key agent module;
  • the second type of key agent module is a stable key agent module;
  • the stable key agent module is a key agent module whose correct rate of executing ciphertext processing requests within a predetermined time period is higher than a predetermined correct rate.
  • the processor 1401 may call the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: before the first information is acquired, after the files in a key agent module in the system are updated, recording the key agent module on which the update operation was performed as a first type of key agent module; and if it is detected within a predetermined time period that the correct rate of the first type of key agent module executing ciphertext processing requests is higher than the predetermined correct rate, recording the first type of key agent module as a second type of key agent module.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: when the first type of key agent module executes the ciphertext processing request of the service module, if the files in the key agent module need to be updated, updating the files in the first type of key agent module.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: if the system includes multiple second type key agent modules, obtaining, from the multiple second type key agent modules, the second type key agent module with the latest update time, and executing the ciphertext processing request by the second type key agent module with the latest update time.
  • the processor 1401 may call the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: after the ciphertext processing request of the service module has been executed by the second type of key agent module, and after an input switching instruction is received, executing the ciphertext processing request by the first type of key agent module in response to the switching instruction.
  • the processor 1401 may call the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: in the process of executing the ciphertext processing request by the first type of key agent module or the second type of key agent module, acquiring the key data of the key agent module through the service thread, wherein the key agent module is configured to send the key data when it detects that the success rate of executing the ciphertext processing request is lower than a second predetermined threshold; decrypting the key list stored in the shared memory using the key data to obtain a decrypted key list; and executing the ciphertext processing request through the service module using the decrypted key list.
  • the processor 1401 may invoke the application stored in the memory 1403 by the transmission device 1405 to perform the following steps: before acquiring the key data of the key agent module by the service thread, generating the first end descriptor of the communication pipe through the service thread and a second end descriptor, wherein the first end descriptor is used by the key proxy module to identify the data sent by the service module as legal data, and the second end descriptor is used by the service module to identify the data sent by the key proxy module as legal Data; the second end descriptor is transmitted to the key broker module through the communication pipe.
  • the processor 1401 can call the application stored in the memory 1403 through the transmission device 1405 to perform the steps of: periodically reading data from the read end of the communication pipe through the service thread; and if data is read from the read end of the communication pipe, determining that the key data has been acquired.
  • the communication pipeline is further configured to detect whether the service module and the key agent module are restarted.
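The communication pipe described above, where the service thread creates both end descriptors, periodically reads the read end for key data, and also uses the pipe to notice that the key agent module has restarted, as an added Go example that is not taken from the patent: os.Pipe with a read deadline stands in for the periodic read, and restart detection is taken from EOF on the read end, which the kernel delivers once the process holding the write end has exited or closed it. The type and function names and the constructed key data are assumptions; both ends live in one process for illustration.

```go
package main

import (
	"errors"
	"io"
	"os"
	"time"
)

// KeyDataPipe is the communication pipe of the text. The service thread
// creates both end descriptors, keeps the read end and hands the write end to
// the key agent module; here both ends live in one process for illustration.
type KeyDataPipe struct {
	r *os.File // read end, polled by the service thread
	w *os.File // write end, used by the key agent module
}

// NewKeyDataPipe creates the two end descriptors.
func NewKeyDataPipe() (*KeyDataPipe, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return nil, err
	}
	return &KeyDataPipe{r: r, w: w}, nil
}

// AgentSend is the key agent module's action once its success rate falls below
// the second threshold: the key data goes into the pipe.
func (p *KeyDataPipe) AgentSend(keyData []byte) error {
	_, err := p.w.Write(keyData)
	return err
}

// AgentExit models the key agent module restarting or crashing: its write end
// closes, and the service side then sees EOF on the read end.
func (p *KeyDataPipe) AgentExit() error { return p.w.Close() }

// ErrPeerRestarted is what ServicePoll reports when the other end is gone.
var ErrPeerRestarted = errors.New("key agent module closed the pipe: restarted or exited")

// ServicePoll is one round of the service thread's periodic read. It waits at
// most wait for data and returns (data, nil) when key data arrived,
// (nil, nil) when nothing arrived yet, and ErrPeerRestarted on EOF.
func (p *KeyDataPipe) ServicePoll(limit int, wait time.Duration) ([]byte, error) {
	if err := p.r.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return nil, err
	}
	buf := make([]byte, limit)
	n, err := p.r.Read(buf)
	switch {
	case errors.Is(err, os.ErrDeadlineExceeded):
		return nil, nil
	case errors.Is(err, io.EOF):
		return nil, ErrPeerRestarted
	case err != nil:
		return nil, err
	}
	return buf[:n], nil
}
```

ServicePoll distinguishes three outcomes: nothing yet (keep polling), key data received, and ErrPeerRestarted once the write end is gone. Because the pipe is a kernel object, a key agent module that crashes cannot fail to signal its exit, which is what makes the pipe a reliable restart signal in addition to a data channel.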
  • the processor 1401 may call the application stored in the memory 1403 by the transmission device 1405 to perform the following steps: during the execution of the ciphertext processing request by the key agent module, the validity of the business process is verified by the key agent module. Then, in the case that the validity check is passed, the service module sends a first file descriptor to the key proxy module, where the first file descriptor is used by the key proxy module to identify the data sent by the service module as legal data; Obtaining a plurality of second file descriptors generated by the key agent module, wherein the second file descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  • the processor 1401 may call the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: after acquiring the plurality of second file descriptors generated by the key agent module, saving the acquired second file descriptors to a queue; and communicating with the key agent module sequentially using the second file descriptors stored in the queue.
  • the processor 1401 may call the application stored in the memory 1403 via the transmission device 1405 to perform the following steps, wherein the number of the plurality of second file descriptors corresponds to the number of threads in the key agent module for executing the ciphertext processing request.
  • the ciphertext processing request includes: a request for encrypting the data to be encrypted into ciphertext data and/or a request for decrypting the ciphertext data into the decrypted data.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: the first type of key agent module receives and executes the ciphertext processing request of the service module to obtain an execution result; and the second type of key agent module receives and executes the ciphertext processing request of the service module, wherein the service module is configured to send the ciphertext processing request to the second type of key agent module if the first information generated based on the execution result meets the predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that the first type of key agent module is determined to be vulnerable.
  • the first type of key agent module is a development type key agent module;
  • the second type of key agent module is a stable key agent module;
  • the stable key agent module is a key agent module whose correct rate of executing ciphertext processing requests within a predetermined time period is higher than a predetermined correct rate.
  • the processor 1401 may call the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: the key agent module acquires the execution result of executing the ciphertext processing request; the key agent module detects whether the execution result meets a predetermined mode switching condition, wherein meeting the predetermined mode switching condition indicates that the key agent module is vulnerable; and the key agent module sends indication information to the service module, where the indication information is used to indicate that the service module switches to executing the ciphertext processing request through the service module.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: the key agent module acquiring the execution result of executing the ciphertext processing request includes: after the key agent module executes a ciphertext processing request, determining whether execution of the current ciphertext processing request has timed out based on the request time carried in the ciphertext processing request and the current time; if it is determined that the current ciphertext processing request has timed out, the key agent module determines that execution of the current ciphertext processing request has failed; and the key agent module calculates the success rate of the ciphertext processing requests based on the number of ciphertext processing requests that failed to execute, wherein the execution result includes the success rate.
  • the processor 1401 may invoke the application stored in the memory 1403 through the transmission device 1405 to perform the following steps: the key agent module detecting whether the execution result meets the predetermined mode switching condition includes: the key agent module detects whether the success rate is lower than a second predetermined threshold; and if it is detected that the success rate of executing the ciphertext processing request is lower than the second predetermined threshold, determining that the execution result meets the predetermined mode switching condition.
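The success-rate bookkeeping behind both switching conditions above (the first predetermined threshold checked by the service module, and the second predetermined threshold checked by the key agent module, with a request counted as failed when the request time and the current time show it timed out), plus the selection of the stable module with the latest update time, as an added Go example that is not code from the patent. The type and function names, the threshold values used in the usage, and the constructed timestamps are assumptions; the text fixes none of them.

```go
package main

import (
	"sort"
	"time"
)

// SwitchMonitor turns the execution results of ciphertext processing requests
// into the success rate that both switching conditions in the text compare
// against a threshold.
type SwitchMonitor struct {
	Timeout time.Duration // a request completed later than this counts as failed
	total   int
	failed  int
}

// Record classifies one execution result. requestTime is the time carried in
// the request, now the time the key agent module finished it, ok the module's
// own result. A request that exceeds Timeout is a failure even when ok is true.
func (m *SwitchMonitor) Record(requestTime, now time.Time, ok bool) bool {
	m.total++
	success := ok && now.Sub(requestTime) <= m.Timeout
	if !success {
		m.failed++
	}
	return success
}

// SuccessRate is 1 when nothing has been recorded, so an idle module is never
// switched away from on an empty sample.
func (m *SwitchMonitor) SuccessRate() float64 {
	if m.total == 0 {
		return 1
	}
	return float64(m.total-m.failed) / float64(m.total)
}

// MeetsSwitchCondition is the predetermined switching condition: success rate
// below the threshold. The service module applies it with the first threshold
// (fall back to a stable module); the key agent module applies it with the
// second threshold (hand the key data over to the service module).
func (m *SwitchMonitor) MeetsSwitchCondition(threshold float64) bool {
	return m.SuccessRate() < threshold
}

// AgentModule is a stable (second type) key agent module and its update time.
type AgentModule struct {
	Name      string
	UpdatedAt time.Time
}

// PickLatest selects, among several stable modules, the most recently updated
// one, as the text prescribes when more than one is available.
func PickLatest(mods []AgentModule) (AgentModule, bool) {
	if len(mods) == 0 {
		return AgentModule{}, false
	}
	sorted := append([]AgentModule(nil), mods...)
	sort.Slice(sorted, func(i, j int) bool {
		return sorted[i].UpdatedAt.After(sorted[j].UpdatedAt)
	})
	return sorted[0], true
}

// Simulate feeds a constructed sequence through the monitor: n requests, the
// first nTimedOut of which complete late and the next nErrored of which fail.
func Simulate(n, nTimedOut, nErrored int, timeout time.Duration) *SwitchMonitor {
	m := &SwitchMonitor{Timeout: timeout}
	base := time.Date(2017, 7, 1, 12, 0, 0, 0, time.UTC) // constructed timestamps
	for i := 0; i < n; i++ {
		requestAt := base.Add(time.Duration(i) * time.Second)
		doneAt := requestAt.Add(timeout / 2)
		if i < nTimedOut {
			doneAt = requestAt.Add(2 * timeout)
		}
		m.Record(requestAt, doneAt, i >= nTimedOut+nErrored)
	}
	return m
}
```

Simulate drives 100 constructed requests, 5 of them late and 10 errored, which gives a success rate of 0.85: against a 0.9 threshold the condition holds and the switch happens, against 0.8 it does not. SuccessRate reports 1 for an empty sample so that a freshly started module is not switched away from before it has served anything; a deployment also has to decide over which window the counts are kept and reset, which the text leaves open.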
  • the processor 1401 may invoke the application stored in the memory 1403 via the transmission device 1405 to perform the following steps: the key agent module transmits key data to the service module, wherein the key data is used to decrypt the key list stored in the shared memory to obtain the decrypted key list, and the service module is further configured to execute the ciphertext processing request through the decrypted key list.
  • an electronic device for implementing the above-described service encryption (or service decryption) method is also provided.
  • FIG. 15 is a structural block diagram of an electronic device according to an embodiment of the present application.
  • the electronic device may include: one or more processors 1501 (only one is shown; for example the key agent module in the above embodiment), a memory 1503, and a transmission device 1505 (such as the transmitting device in the above embodiment); as shown in FIG. 15, the electronic device may further include an input/output device 1507.
  • the memory 1503 can store software programs and modules, as in the embodiment of the present application.
  • the service encryption (or service decryption) method and the program instruction/module corresponding to the device, the processor 1501 performs various function applications and data processing by executing the software program and the module stored in the memory 1503, that is, implementing the above-mentioned service encryption ( Or business decryption) method.
  • the memory 1503 may include a high speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • memory 1503 can further include memory remotely located relative to processor 1501, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • the above-mentioned transmission device 1505 receives or transmits data via a network, and can also transfer data between the processor and the memory.
  • Specific examples of the above network may include a wired network and a wireless network.
  • in one example, the transmission device 1505 includes a Network Interface Controller (NIC) that can be connected to other network devices and routers via a network cable to communicate with the Internet or a local area network.
  • in another example, the transmission device 1505 is a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • the memory 1503 is used to store an application.
  • the processor 1501 can call the application stored in the memory 1503 through the transmission device 1505 to perform the following steps:
  • the processor 1501 is further configured to perform the following steps of the service encryption method provided by the application: the key agent module receives an encryption request sent by the service module, where the encryption request carries data to be encrypted; obtains a target key from the key list, where the key list was previously pulled from the key server; encrypts the data to be encrypted using the target key to obtain the encrypted data; and sends the encrypted data to the service module.
  • the processor 1501 is further configured to: send a first public key to the key server and receive a second public key from the key server, where the key agent module holds a key pair consisting of the first public key and a first private key, and the key server holds a key pair consisting of the second public key and a second private key; send a key list pull request to the key server; receive the encrypted key list sent by the key server, where the encrypted key list is obtained on the key server side by encrypting the key list with a first communication key, the first communication key being generated by the key server from the first public key and the second private key; and decrypt the encrypted key list on the key agent module side using a second communication key to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key.
  • the processor 1501 is further configured to: when the key agent module is restarted, send the encrypted first public key to the key server, where the encrypted first public key is obtained by encrypting the first public key with an agreed (contract) key; receive the encrypted second public key from the key server, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; and decrypt the encrypted second public key with the agreed key to obtain the second public key; where the agreed key is set to be used only when the key agent module is restarted.
  • the processor 1501 is further configured to: before the key agent module receives the encryption request sent by the service module, acquire the process PID of the service process, where the service process is the process through which the service module sends the data to be encrypted; and perform a legality check on the service process using the process PID. Obtaining the target key from the key list then includes: when the legality check passes, the key agent module obtains the target key from the key list.
  • the processor 1501 is further configured to: obtain the full process path corresponding to the process PID; determine whether the full process path is one of the legal paths obtained in advance from the key server; if the full process path is determined to be a legal path, perform an MD5 check on the service process to obtain a first MD5 check result; if the full process path is determined not to be a legal path, determine that the legality check fails.
  • the processor 1501 is further configured to: determine whether the first MD5 check result is the same as a second MD5 check result, obtained in advance, that corresponds to the service process; if the first MD5 check result is the same as the second MD5 check result, determine that the legality check passes; if they differ, determine that the legality check fails.
  • the processor 1501 further performs the following steps after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the encryption request sent by the service module, and when the legality check passes:
  • obtain a first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; and generate a second file descriptor, where the second file descriptor is used by the service module to identify data sent by the key agent module as legal data;
  • transmit the second file descriptor to the service module.
  • the processor 1501 is further configured to perform the following steps: receiving the encryption request sent by the service module includes acquiring, from the shared memory, the data to be encrypted stored there by the service module; and sending the encrypted data to the service module includes storing the encrypted data in the shared memory so that the service module obtains the encrypted data from the shared memory.
  • the processor 1501 is further configured to perform the following steps after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the encryption request sent by the service module, and when the legality check passes:
  • set a target permission for the first file descriptor, where the target permission includes at least one of the following: the key agent module is allowed to encrypt the data to be encrypted requested by the service module, and the key agent module is allowed to decrypt the data to be decrypted requested by the service module.
  • the processor 1501 is further configured to perform the following steps: when the legality check passes and the target permission includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module obtains the target key from the key list.
  • the processor 1501 is further configured to: the key agent module acquires the process PID of the service process through a Unix domain socket in non-root operation mode; or the key agent module sets the SO_PEERCRED option on the socket and acquires the process PID of the service process through the socket.
  • the processor 1501 is further configured to perform the following steps of the service decryption method provided by the application: the key agent module receives a decryption request sent by the service module, where the decryption request carries data to be decrypted; obtains a target key from the key list, where the key list was previously pulled from the key server; decrypts the data to be decrypted using the target key to obtain the decrypted data; and sends the decrypted data to the service module.
  • the processor 1501 is further configured to: send a first public key to the key server and receive a second public key from the key server, where the key agent module holds a key pair consisting of the first public key and a first private key, and the key server holds a key pair consisting of the second public key and a second private key; send a key list pull request to the key server; and receive the encrypted key list sent by the key server, where the encrypted key list is obtained on the key server side by encrypting the key list with the first communication key.
  • the first communication key is generated by the key server from the first public key and the second private key; the encrypted key list is decrypted on the key agent module side using the second communication key to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is the same as the second communication key.
  • the processor 1501 is further configured to: when the key agent module is restarted, send the encrypted first public key to the key server, where the encrypted first public key is obtained by encrypting the first public key with an agreed (contract) key; receive the encrypted second public key from the key server, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; and decrypt the encrypted second public key with the agreed key to obtain the second public key; where the agreed key is set to be used only when the key agent module is restarted.
  • the processor 1501 is further configured to: before the key agent module receives the decryption request sent by the service module, acquire the process PID of the service process, where the service process is the process through which the service module sends the data to be decrypted;
  • perform a legality check on the service process using the process PID; obtaining the target key from the key list then includes: when the legality check passes, the key agent module obtains the target key from the key list.
  • the processor 1501 is further configured to: obtain the full process path corresponding to the process PID; determine whether the full process path is one of the legal paths obtained in advance from the key server; if the full process path is determined to be a legal path, perform an MD5 check on the service process to obtain a first MD5 check result; if the full process path is determined not to be a legal path, determine that the legality check fails.
  • the processor 1501 is further configured to: determine whether the first MD5 check result is the same as a second MD5 check result, obtained in advance, that corresponds to the service process; if the first MD5 check result is the same as the second MD5 check result, determine that the legality check passes; if they differ, determine that the legality check fails.
  • the processor 1501 is further configured to perform the following steps after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the decryption request sent by the service module, and when the legality check passes: obtain a first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; generate a second file descriptor, where the second file descriptor is used by the service module to identify data sent by the key agent module as legal data; and transmit the second file descriptor to the service module.
  • the processor 1501 is further configured to perform the following steps: receiving the decryption request sent by the service module includes acquiring, from the shared memory, the data to be decrypted stored there by the service module; and sending the decrypted data to the service module includes storing the decrypted data in the shared memory so that the service module obtains the decrypted data from the shared memory.
  • the processor 1501 is further configured to perform the following steps after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the decryption request sent by the service module, and when the legality check passes: set a target permission for the first file descriptor,
  • where the target permission includes at least one of the following: the key agent module is allowed to encrypt the data to be encrypted requested by the service module, and the key agent module is allowed to decrypt the data to be decrypted requested by the service module.
  • the processor 1501 is further configured to perform the following steps: when the legality check passes and the target permission includes allowing the key agent module to decrypt the data to be decrypted requested by the service module, the key agent module obtains the target key from the key list.
  • the processor 1501 is further configured to: the key agent module acquires the process PID of the service process through a Unix domain socket in non-root operation mode; or the key agent module sets the SO_PEERCRED option on the socket and acquires the process PID of the service process through the socket.
  • a scheme of service encryption (or service decryption) is provided in the embodiments of the present application.
  • the key agent module receives an encryption (or decryption) request, acquires the target key according to the request, and encrypts (or decrypts) the data to be encrypted (or decrypted) with the target key.
  • the service encryption (or decryption) method thereby encrypts (or decrypts) the service more securely, achieving the technical effect of improved key security when the service is encrypted (or decrypted) and solving the problem stated above.
  • Embodiments of the present application also provide a storage medium.
  • the foregoing storage medium may be used to execute program code of a service processing method.
  • the foregoing storage medium may be located on at least one of the plurality of network devices in the network shown in the foregoing embodiment.
  • the storage medium is arranged to store program code for performing the following steps:
  • acquiring first information, where the first information indicates the execution result of a first type of key agent module executing a ciphertext processing request; detecting whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that a bug has been determined to occur in the first type of key agent module;
  • in the case that the first information is detected to meet the predetermined type switching condition, executing the ciphertext processing request of the service module by a second type of key agent module.
  • the storage medium is arranged to store program code for performing the following steps:
  • the key agent module receives an encryption request sent by the service module, where the encryption request carries data to be encrypted.
  • the key agent module obtains a target key from a key list, where the key list is previously extracted from the key server;
  • the key agent module encrypts the data to be encrypted by using the target key, and obtains the encrypted data.
  • the key agent module sends the encrypted data to the service module.
  • the storage medium is arranged to store program code for performing the following steps:
  • the key agent module receives a decryption request sent by the service module, where the decryption request carries data to be decrypted;
  • the key agent module obtains a target key from a key list, where the key list is previously extracted from the key server.
  • the key agent module decrypts the data to be decrypted by using the target key to obtain the decrypted data.
  • the key agent module sends the decrypted data to the service module.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and magnetic or optical disks.
  • the integrated unit in the above embodiment if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in the above-described computer readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions that cause one or more computer devices (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the disclosed client may be implemented in other manners.
  • the device embodiments described above are only schematic; for example, the division into units is only a logical functional division, and an actual implementation may divide them differently: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, unit or module, and may be electrical or otherwise.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • first information is acquired, where the first information indicates the execution result of a first type of key agent module executing a ciphertext processing request; whether the first information meets the predetermined type switching condition is detected; and if it does, the ciphertext processing request of the service module is executed by a second type of key agent module.
  • whether the predetermined type switching condition is met may be determined from the result of the first type of key agent processing module executing ciphertext processing requests; when the switching condition is met, the ciphertext processing request is no longer executed by the first type of key agent processing module but by the second type of key agent processing module.
  • when the first type of key agent processing module cannot continue to execute ciphertext processing requests stably, the system switches to the second type of key agent module so that ciphertext processing requests are processed stably, which solves the related-art problem of low key stability when a service is encrypted and decrypted.
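The key list pull described in the bullets above (public keys exchanged, a communication key derived on each side from its own private key and the peer's public key, the key list encrypted by the server under the first communication key and decrypted by the agent under the second, and the contract-key path used on restart), worked through as an added example. This is not the patent's or the applicant's code: the patent names no key agreement or cipher, so the block assumes finite-field Diffie-Hellman over the RFC 3526 group 14 prime, HKDF-SHA256 for the communication key, and an HMAC-SHA256 based encrypt-then-MAC wrap; `Party`, `wrap`, `unwrap`, `pull_key_list` and `tampering_is_detected` are names chosen here.

```python
"""Key list pull between a key agent module and a key server (added example,
not the patent's code). Assumed primitives, since the patent names none:
finite-field Diffie-Hellman over the RFC 3526 group 14 prime (check the constant
against the RFC before relying on it), HKDF-SHA256 for the communication key, and
an HMAC-SHA256 counter keystream plus HMAC tag (encrypt-then-MAC) to wrap the key
list. The same wrap() covers the public keys under the "contract key" on restart."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def hkdf_sha256(secret: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, ctr = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        out, ctr = out + block, ctr + 1
    return out[:length]


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    ek, mk = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    ek, mk = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered message")
    return _xor_stream(ek, nonce, ct)


class Party:
    """One side of the exchange, holding its (public, private) key pair."""
    def __init__(self) -> None:
        self.private = 2 + secrets.randbelow(2 ** 256 - 2)
        self.public = pow(G, self.private, P)

    def communication_key(self, peer_public: int) -> bytes:
        # For a safe prime the only small-subgroup values are 1 and p-1, so this
        # range check is the whole public-value validation.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public key")
        shared = pow(peer_public, self.private, P).to_bytes(256, "big")
        return hkdf_sha256(shared, b"key-list-pull")


def pull_key_list(agent: Party, server: Party, key_list: dict,
                  contract_key: Optional[bytes] = None) -> tuple:
    """Run one pull; return the key list the agent recovers and whether the
    server-side (first) and agent-side (second) communication keys agree."""
    def deliver(public: int) -> int:
        on_wire = public.to_bytes(256, "big")
        if contract_key is not None:   # restart path: public key wrapped under the contract key
            on_wire = unwrap(contract_key, wrap(contract_key, on_wire))
        return int.from_bytes(on_wire, "big")
    first_key = server.communication_key(deliver(agent.public))    # agent -> server
    second_key = agent.communication_key(deliver(server.public))   # server -> agent
    encrypted_list = wrap(first_key, json.dumps(key_list).encode())  # reply to the pull request
    return json.loads(unwrap(second_key, encrypted_list)), hmac.compare_digest(first_key, second_key)


def tampering_is_detected(agent: Party, server: Party, key_list: dict) -> bool:
    """Flip one bit of the encrypted key list in transit; the agent must reject it."""
    blob = bytearray(wrap(server.communication_key(agent.public), json.dumps(key_list).encode()))
    blob[20] ^= 0x01
    try:
        unwrap(agent.communication_key(server.public), bytes(blob))
    except ValueError:
        return True
    return False
```

`pull_key_list` returns the recovered list together with a confirmation that the first and second communication keys are identical, which is the property the text relies on. One point a deployment has to settle that the patent text does not: on the non-restart path the public keys travel with nothing binding them to either party, so an active network attacker could substitute its own; the contract-key wrapping used on restart, or an authenticated channel such as TLS, is what supplies that binding.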
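The legality check of the service process from the bullets above (the peer PID read with SO_PEERCRED over a Unix domain socket, the full executable path matched against the legal paths pulled from the key server, then the MD5 comparison against the digest obtained in advance), as an added example that is not code from the patent. `peer_pid` and `exe_path_of_pid` use the real Linux interfaces; the process table, binaries, PIDs and paths in the demo are constructed so that the check can be exercised offline, and `legality_check` takes the resolver and digest functions as parameters for that reason.

```python
"""Legality check a key agent runs on a requesting service process.

Added example, not the patent's code. Order of checks follows the text: path
first, digest second. The constructed process table and binaries at the bottom
stand in for /proc and the file system; the real resolvers are given as well.
"""
import hashlib
import os
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class CheckResult:
    passed: bool
    reason: str


def peer_pid(conn: socket.socket) -> int:
    """PID of the process at the other end of a connected Unix domain socket,
    read with SO_PEERCRED (Linux). struct ucred is {pid, uid, gid} and is filled
    in by the kernel, so the peer cannot claim a PID it does not have."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def exe_path_of_pid(pid: int) -> str:
    """Full path of the executable the process was started from (Linux /proc)."""
    return os.readlink(f"/proc/{pid}/exe")


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def legality_check(pid: int,
                   legal_paths: FrozenSet[str],
                   expected_digests: Dict[str, str],
                   exe_path_of: Callable[[int], str] = exe_path_of_pid,
                   digest_of: Callable[[str], str] = md5_of_file) -> CheckResult:
    """Path check, then digest check; any failure stops before the key is released."""
    try:
        path = exe_path_of(pid)
    except OSError as exc:            # ProcessLookupError, PermissionError, ...
        return CheckResult(False, f"cannot resolve pid {pid}: {exc}")
    if path not in legal_paths:
        return CheckResult(False, f"{path} is not a legal path")
    first = digest_of(path)           # "first MD5 check result"
    second = expected_digests.get(path)   # "second MD5 check result", pulled earlier
    if second is None or first != second:
        return CheckResult(False, f"checksum mismatch for {path}")
    return CheckResult(True, "ok")


# ---- constructed stand-ins for /proc and the file system (no real processes) ----
GENUINE_ORDER = b"\x7fELF constructed genuine order-service build"
GENUINE_REPORT = b"\x7fELF constructed genuine report-service build"
CONSTRUCTED_PROCESSES = {
    4242: "/usr/local/bin/order-service",    # genuine binary at a legal path
    4243: "/tmp/order-service",              # same binary copied to a non-legal path
    4244: "/usr/local/bin/report-service",   # legal path, but the file was modified
}
CONSTRUCTED_BINARIES = {
    "/usr/local/bin/order-service": GENUINE_ORDER,
    "/tmp/order-service": GENUINE_ORDER,
    "/usr/local/bin/report-service": GENUINE_REPORT + b" +patched",
}
# What the agent pulled from the key server beforehand (constructed values).
LEGAL_PATHS = frozenset({"/usr/local/bin/order-service", "/usr/local/bin/report-service"})
EXPECTED_MD5 = {"/usr/local/bin/order-service": hashlib.md5(GENUINE_ORDER).hexdigest(),
                "/usr/local/bin/report-service": hashlib.md5(GENUINE_REPORT).hexdigest()}


def _constructed_exe_path(pid: int) -> str:
    try:
        return CONSTRUCTED_PROCESSES[pid]
    except KeyError:
        raise ProcessLookupError(pid)


def demo_check(pid: int) -> CheckResult:
    """Run the check against the constructed tables above."""
    return legality_check(pid, LEGAL_PATHS, EXPECTED_MD5,
                          exe_path_of=_constructed_exe_path,
                          digest_of=lambda p: hashlib.md5(CONSTRUCTED_BINARIES[p]).hexdigest())
```

MD5 is the digest the patent specifies, and the function takes any digest callable; a deployment today would pass a SHA-256 routine, since MD5 collisions are practical. Note also what the check establishes: which executable the peer was started from, not what code it is executing now. It is a gate on who may ask the agent for the key, not a substitute for isolating the agent from the service process.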

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a service processing method and device, and a storage medium and an electronic device. The method comprises: acquiring first information, wherein the first information is used for representing an execution result obtained by a first-type key proxy module executing a ciphertext processing request; detecting whether the first information meets a pre-determined-type switching condition, wherein meeting the pre-determined-type switching condition represents detecting that the first-type key proxy module has a bug; and where it is detected that the first information meets the pre-determined-type switching condition, executing the ciphertext processing request of the service module by means of a second-type key proxy module. The present application solves the technical problem of the relatively low stability of a key when encryption and decryption are performed on a service in the prior art.

Description

Service processing method, apparatus, storage medium and electronic device
This application claims priority to Chinese patent application No. 201610643327X, entitled "Service encryption and decryption method and apparatus", filed with the China Patent Office on August 8, 2016, and to Chinese patent application No. 201611018871.1, entitled "Service processing method and apparatus", filed with the China Patent Office on November 18, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computers, and in particular to a service processing method, apparatus, storage medium and electronic device.
Background
In the related art, three approaches are mainly used for the key with which a service is encrypted: approach one, a fixed key is written directly into the code or a configuration file; approach two, the key is kept in shared memory, either directly in plaintext or in encrypted form; approach three, the key is kept on a server administered by dedicated personnel, and the service periodically fetches the key from that server over the network.
The related art also provides a way of encrypting and decrypting through a proxy (agent) module. When a service needs encryption, the service module sends the key agent module a ciphertext processing request carrying the data to be encrypted. After receiving the request, the key agent module obtains the target key from the key list it has pulled, encrypts the data with the target key to obtain the encrypted data, and finally sends the encrypted data back to the service module.
In the above scheme the Agent performs encryption and decryption in place of the service process doing so directly. Once the Agent has a bug, every encryption and decryption operation may fail, causing serious losses to the service.
Such a bug may be introduced by the changes made as the Agent is continually extended to support new requirements in practice; it may be a rather obscure bug that is extremely hard to trigger (possibly even an operating system kernel bug) that is finally triggered; or other services on the same hardware server may consume a large amount of CPU, so that a large number of the Agent's encryption and decryption requests time out. Once any of these problems occurs, encryption and decryption operations fail.
No effective solution has yet been proposed for the above problem of low key stability when a service is encrypted and decrypted.
Summary
Embodiments of the present application provide a service processing method, apparatus, storage medium and electronic device, so as to at least solve the technical problem in the related art that the stability of the key is low when a service is encrypted and decrypted.
According to one aspect of the embodiments of the present application, a service processing method is provided, including: acquiring first information, where the first information indicates the execution result of a first type of key agent module executing a ciphertext processing request; detecting whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that a bug has been determined to occur in the first type of key agent module; and, when it is detected that the first information meets the predetermined type switching condition, executing the ciphertext processing request of the service module by a second type of key agent module.
According to one aspect of the embodiments of the present application, a service processing method is further provided, including: a first type of key agent module receives and executes a ciphertext processing request from a service module and obtains an execution result; a second type of key agent module receives and executes the ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when first information generated from the execution result meets the predetermined type switching condition, meeting the predetermined type switching condition indicating that a bug has been determined to occur in the first type of key agent module.
According to another aspect of the embodiments of the present application, a service processing method is further provided, including: a key agent module acquires the execution result of executing a ciphertext processing request; the key agent module detects whether the execution result meets a predetermined mode switching condition, where meeting the predetermined mode switching condition indicates that a bug has been determined to occur in the key agent module; and if the execution result is detected to meet the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information instructs the service module to switch to a mode in which the service module executes the ciphertext processing request itself.
According to another aspect of the embodiments of the present application, a service processing apparatus is further provided, including: a first acquiring unit, configured to acquire first information, where the first information indicates the execution result of a first type of key agent module executing a ciphertext processing request; a first detecting unit, configured to detect whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that a bug has been determined to occur in the first type of key agent module, that is, that the first type of key agent module cannot stably execute the ciphertext processing request; and a first executing unit, configured to execute the ciphertext processing request of the service module by a second type of key agent module when it is detected that the first information meets the predetermined type switching condition.
According to another aspect of the embodiments of the present application, a service processing apparatus is further provided, including: a first processing unit, provided in a first type of key agent module and configured to receive and execute a ciphertext processing request from a service module to obtain an execution result; and a first processing unit, provided in a second type of key agent module and configured to receive and execute the ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when first information generated from the execution result meets the predetermined type switching condition, meeting the predetermined type switching condition indicating that a bug has been determined to occur in the first type of key agent module.
According to another aspect of the embodiments of the present application, a service processing apparatus is further provided, including: a first acquiring unit, configured to acquire the execution result of executing a ciphertext processing request; a first detecting unit, configured to detect whether the execution result meets a predetermined mode switching condition, where meeting the predetermined mode switching condition indicates that a bug has been determined to occur in the key agent module; and a first sending unit, configured to send indication information to the service module if the execution result is detected to meet the predetermined mode switching condition, where the indication information instructs the service module to switch to a mode in which the service module executes the ciphertext processing request itself.
According to yet another aspect of the embodiments of the present application, a storage medium is further provided, which may store execution instructions for executing the service processing method of the above embodiments.
According to yet another aspect of the embodiments of the present application, an electronic device is further provided, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the above method by means of the computer program.
In the embodiments of the present application, first information is acquired, where the first information indicates the execution result of a first type of key agent module executing a ciphertext processing request; whether the first information meets a predetermined type switching condition is detected; and when the first information is detected to meet the predetermined type switching condition, the ciphertext processing request of the service module is executed by a second type of key agent module. In the above embodiments, whether the predetermined type switching condition is met can be determined from the result of the first type of key agent processing module executing ciphertext processing requests; when the switching condition is met, ciphertext processing requests are no longer executed by the first type of key agent processing module but by the second type of key agent processing module. In this scheme, when the first type of key agent processing module can no longer execute ciphertext processing requests stably, the system switches to the second type of key agent module so that ciphertext processing requests continue to be processed stably, which solves the related-art problem of low key stability when a service is encrypted and decrypted.
Brief Description of the Drawings
The drawings described herein are provided for a further understanding of the present application and form a part of it; the illustrative embodiments of the application and their description serve to explain the application and do not unduly limit it. In the drawings:
FIG. 1 is a schematic diagram of the hardware environment of a service processing method according to an embodiment of the present application;
FIG. 2 is a flowchart of an optional service processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the principle of an optional service processing method according to an embodiment of the present application;
FIG. 4 is a flowchart of another optional service processing method according to an embodiment of the present application;
FIG. 5 is a flowchart of another optional service processing method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the hardware environment of a service encryption method according to an embodiment of the present application;
FIG. 7 is a flowchart of an optional service encryption method according to an embodiment of the present application;
FIG. 8 is a flowchart of an optional service decryption method according to an embodiment of the present application;
FIG. 9 is a flowchart of another optional service encryption method according to an embodiment of the present application;
FIG. 10 is a flowchart of another optional service encryption method according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an optional service processing apparatus according to an embodiment of the present application;
FIG. 12 is a schematic diagram of an optional service encryption apparatus according to an embodiment of the present application;
FIG. 13 is a schematic diagram of an optional service decryption apparatus according to an embodiment of the present application;
FIG. 14 is a structural block diagram of an electronic device according to an embodiment of the present application; and
FIG. 15 is a structural block diagram of another electronic device according to an embodiment of the present application.
Detailed Description
To help those skilled in the art better understand the solution of the present application, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present application.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described herein can be implemented in orders other than those illustrated or described here. Furthermore, the terms "comprise" and "have", and any variants of them, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Embodiment 1
According to an embodiment of the present application, an embodiment of a service processing method is provided. Optionally, in this embodiment, the service processing method may be applied to the hardware environment formed by the server 102 and the terminal 104 shown in FIG. 1. As shown in FIG. 1, the server 102 is connected to the terminal 104 through a network, which includes but is not limited to a wide area network, a metropolitan area network or a local area network; the terminal 104 is not limited to a PC, a mobile phone, a tablet or the like. The service processing method of this embodiment may be executed by the server 102, by the terminal 104, or jointly by the server 102 and the terminal 104. Where the terminal 104 executes the method, it may do so through a client installed on it.
The main working principle of the hardware environment shown in FIG. 1 is as follows. In this embodiment, the key agent module is installed in the terminal 104. When a service needs encryption, the service module sends the key agent module a ciphertext processing request carrying the data to be encrypted. Having received the request, the key agent module takes the target key from the key list it has pulled, encrypts the data with the target key to obtain the encrypted data, and finally returns the encrypted data to the service module. In this example the ciphertext processing request is a request to encrypt the data to be encrypted into ciphertext. Decryption proceeds in the same way as the encryption described here and is not repeated.
It should be noted that, in this embodiment, the key list is the list the key agent module pulls from the server 102 (for example, a key server) when it is first started.
FIG. 2 is a flowchart of an optional service processing method according to an embodiment of the present application. As shown in FIG. 2, the method is applied to the service module and may include the following steps:
Step S202: acquire first information, the first information representing the execution result of a ciphertext processing request executed by the key agent module of the first type;
Step S204: detect whether the first information satisfies a predetermined type-switching condition;
Step S206: when the first information is detected to satisfy the predetermined type-switching condition, execute the ciphertext processing request of the service module through the key agent module of the second type.
Through the above embodiment, first information representing the execution result of the first-type key agent module is acquired; whether it satisfies the predetermined type-switching condition is detected; and when it does, the service module's ciphertext processing request is executed by the second-type key agent module. That is, whether the type-switching condition is met is decided from the results the first-type key agent module produces; once it is met, requests are no longer executed by the first-type module but by the second-type module. When the first-type module can no longer execute ciphertext processing requests stably, the switch to the second-type module keeps the processing stable, which addresses the poor stability of key handling during service encryption and decryption in the related art.
In the technical solution of step S202, the ciphertext processing request may be an encryption request or a decryption request. The execution result of the first-type key agent module may be stored in shared memory; the service module reads the execution results from shared memory and compiles statistics over them to obtain the first information.
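As an added illustration (example code, not part of the patent's disclosure), the following Go program models the service-module side of steps S202 to S206. The patent does not fix the type-switching condition, so this example assumes one: at least maxFail failed executions among the most recent window results read back from the first-type agent. A scripted stand-in plays the first-type (daemon) agent and a trivial in-process stand-in plays the second type; the tagged outputs take the place of real ciphertext, which is not the point here.

```go
package main

import (
	"errors"
	"fmt"
)

// Agent is what both types of key agent module look like to the service module:
// execute one ciphertext processing request (encryption in this example).
type Agent interface {
	Process(plaintext []byte) ([]byte, error)
}

// Switcher is the service-module side of steps S202-S206. It keeps the recent
// execution results of the first-type agent (the "first information"), checks
// them against the predetermined type-switching condition and, once that holds,
// sends every further request to the second-type agent instead.
//
// Assumed condition (the text does not fix one): at least maxFail failures
// among the last window results.
type Switcher struct {
	primary, fallback Agent
	window, maxFail   int
	recent            []bool // execution results, oldest first, len <= window
	switched          bool
}

func NewSwitcher(primary, fallback Agent, window, maxFail int) *Switcher {
	return &Switcher{primary: primary, fallback: fallback, window: window, maxFail: maxFail}
}

// record appends one execution result, dropping the oldest beyond the window.
func (s *Switcher) record(ok bool) {
	s.recent = append(s.recent, ok)
	if len(s.recent) > s.window {
		s.recent = s.recent[1:]
	}
}

// Failures counts failed executions in the current window.
func (s *Switcher) Failures() int {
	n := 0
	for _, ok := range s.recent {
		if !ok {
			n++
		}
	}
	return n
}

// meetsSwitchCondition is the predetermined type-switching condition.
func (s *Switcher) meetsSwitchCondition() bool { return s.Failures() >= s.maxFail }

// UsingFallback reports whether the service module has switched agent types.
func (s *Switcher) UsingFallback() bool { return s.switched }

// Encrypt routes one request. The failure that trips the condition is retried
// on the second-type agent within the same call, so no request is lost.
func (s *Switcher) Encrypt(plaintext []byte) ([]byte, error) {
	if s.switched {
		return s.fallback.Process(plaintext)
	}
	out, err := s.primary.Process(plaintext)
	s.record(err == nil)
	if err == nil {
		return out, nil
	}
	if s.meetsSwitchCondition() {
		s.switched = true
		return s.fallback.Process(plaintext)
	}
	return nil, err
}

// ScriptedAgent stands in for the first-type (daemon) agent; it follows a fixed
// success/failure script so the switching logic runs deterministically.
type ScriptedAgent struct {
	Script []bool
	calls  int
}

func (a *ScriptedAgent) Process(p []byte) ([]byte, error) {
	i := a.calls
	a.calls++
	if i < len(a.Script) && a.Script[i] {
		return append([]byte("daemon:"), p...), nil
	}
	return nil, errors.New("key agent: request failed")
}

// LocalAgent stands in for the second type: the service module processes the
// request itself (a tag replaces real encryption here).
type LocalAgent struct{}

func (LocalAgent) Process(p []byte) ([]byte, error) {
	return append([]byte("local:"), p...), nil
}

func main() {
	sw := NewSwitcher(&ScriptedAgent{Script: []bool{true, false, true, false, false}}, LocalAgent{}, 5, 3)
	for i := 0; i < 7; i++ {
		out, err := sw.Encrypt([]byte("order-42"))
		fmt.Printf("req %d: failures=%d switched=%v out=%q err=%v\n", i, sw.Failures(), sw.UsingFallback(), out, err)
	}
}
```

Because the condition is evaluated over a window rather than on a single result, one transient failure does not force a switch, while a run of failures does; once switched, the first-type agent is no longer consulted, matching the text's "no longer executed by the first-type module".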
The key agent module may execute a ciphertext processing request as follows (taking encryption as an example):
The key agent module receives the ciphertext processing request sent by the service module, the request carrying the data to be encrypted.
In the embodiments of the present application, the key agent module (hereinafter the key Agent) may be implemented as a single process with multiple threads; the service module is configured to send ciphertext processing requests to the key Agent, and the key Agent and the service module reside on the same physical host.
Specifically, when a service needs encryption, the service module sends the key Agent a ciphertext processing request carrying the data to be encrypted; after receiving the request, the key Agent obtains the target key from the key list according to the request.
In this embodiment, when the key agent module is restarted, the key Agent pulls the key list from the key server. It should be noted that the key Agent pulls the key list only on restart and does not pull it again at any other time after start-up.
After receiving the ciphertext processing request from the service module, the key Agent obtains the target key from the previously pulled key list; the target key is used to encrypt the data to be encrypted.
In this embodiment, after obtaining the target key from the key list, the key Agent encrypts the data to be encrypted with the target key.
In this embodiment, after encrypting the data to be encrypted with the target key and obtaining the encrypted data, the key agent module sends the encrypted data to the service module.
Optionally, before the key agent module receives the ciphertext processing request from the service module, the key agent module may send a first public key to the key server and receive a second public key from the key server, the key agent module holding a pair consisting of the first public key and a first private key, and the key server holding a pair consisting of the second public key and a second private key; the key agent module sends a key list pull request to the key server; the key agent module receives an encrypted key list from the key server, the encrypted key list having been produced by encrypting the key list with a first communication key on the key server side, the first communication key being generated by the key server from the first public key and the second private key; and the key agent module decrypts the encrypted key list with a second communication key on the key agent module side to obtain the key list, the second communication key being generated by the key agent module from the first private key and the second public key, the first communication key and the second communication key being identical.
In this embodiment, before the key Agent receives ciphertext processing requests it must pull the key list from the key server, and because the list pulled from the key server is encrypted, the key Agent must decrypt it.
The key list pulled by the key Agent was encrypted with the first communication key on the key server side, so when the key agent module decrypts it, it must use the second communication key, which is identical to the first. The first communication key is generated by the key server from the first public key and the second private key; the second communication key is generated by the key agent module from the first private key and the second public key. The first public key and the first private key are the pubkey/prikey pair that the key Agent generates before sending the key list pull request to the key server; the second public key and the second private key are the pubkey/prikey pair generated by the key server.
It should be noted that, since the first communication key is generated from the first public key and the second private key, and the second communication key from the first private key and the second public key, the key Agent and the key server must exchange their public keys before the key agent module sends the key list pull request. After the exchange, the key agent module can generate the second communication key used to decrypt the key list, and the key server can generate the first communication key used to encrypt it.
Concretely, the exchange of public keys is as follows: the Agent sends the first public key to the key server SVR, and then receives the second public key from the SVR; after the exchange, the Agent can decrypt the encrypted key list using the communication key derived from the first private key and the second public key.
It should be noted that, in this embodiment, the Agent and the key server may perform the key exchange using the key exchange protocol ECDH: the two sides exchange their pubkeys, each keeping its own prikey.
As the above shows, the key list in the present application is encrypted under a key derived from the first public key and the second private key and decrypted under a key derived from the first private key and the second public key. Only the pubkeys of the Agent and of the key server travel over the network, so even if the traffic is captured with tcpdump the encryption key cannot be recovered from it, which prevents key leakage through packet capture on the intranet.
Further and optionally, to prevent a man-in-the-middle attack between the key SVR and the key Agent, the SVR should sign its ECDH public key with a private signing key, and the corresponding public key should be deployed on the Agent to verify that signature. Because the SVR is a high-security server managed by dedicated staff, stealing its private key is difficult, so the Agent can effectively reject forged SVR replies.
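The exchange just described, written out as an added Go example (not code from the patent). It uses X25519 for the ECDH step and Ed25519 for the server's signature over its ECDH public key, with the verification key assumed to be pre-deployed on the Agent; the communication key is derived from the shared secret with HMAC-SHA256, and the key list is encrypted with AES-256-GCM. The patent names none of these primitives nor a KDF, so they are assumptions, as are the labels and message shapes. The agreed-key wrapping of the public keys is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignedPub is the key server's reply header: its ECDH public key plus an
// Ed25519 signature the Agent checks with a pre-deployed verification key.
type SignedPub struct {
	Pub []byte // raw X25519 public key (the "second public key")
	Sig []byte // Ed25519(svrSignKey, Pub)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext under key.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// deriveCommKey is the step both sides run: X25519 with the peer's public key,
// then HMAC-SHA256 as KDF (the text names no KDF; this one is an assumption).
func deriveCommKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, []byte("key-agent-comm-key-v1"))
	m.Write(shared)
	return m.Sum(nil), nil
}

// ServerReply: given the Agent's first public key, SVR generates the second key
// pair, derives the first communication key from (first public key, second
// private key), encrypts the key list with it and signs its own public key.
func ServerReply(signKey ed25519.PrivateKey, keyList, agentPub []byte) (SignedPub, []byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SignedPub{}, nil, err
	}
	ck, err := deriveCommKey(priv, agentPub)
	if err != nil {
		return SignedPub{}, nil, err
	}
	encList, err := seal(ck, keyList)
	pub := priv.PublicKey().Bytes()
	return SignedPub{Pub: pub, Sig: ed25519.Sign(signKey, pub)}, encList, err
}

// AgentFinish: the Agent verifies SVR's signature (a forged reply stops here),
// derives the second communication key from (first private key, second public
// key), which equals the first one, and decrypts the key list.
func AgentFinish(priv *ecdh.PrivateKey, svrVerify ed25519.PublicKey, reply SignedPub, encList []byte) ([]byte, error) {
	if !ed25519.Verify(svrVerify, reply.Pub, reply.Sig) {
		return nil, errors.New("SVR public key signature invalid: possible man-in-the-middle")
	}
	ck, err := deriveCommKey(priv, reply.Pub)
	if err != nil {
		return nil, err
	}
	return open(ck, encList)
}
```

The signature is what makes the intranet-capture argument hold against an active attacker: ECDH public keys need no secret to produce, so without it a man-in-the-middle could substitute its own key in the reply and derive a matching communication key with each side. Substituting an attacker's key into a SignedPub makes AgentFinish fail the signature check before any key is derived.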
After the key Agent has pulled the key list from the key server and decrypted it, it must verify the legality of the service process, the service process being the process on whose behalf the data to be encrypted is submitted.
In another optional implementation of the present application, the key agent module sending the first public key to the key server and receiving the second public key from it comprises: when the key agent module restarts, it sends the encrypted first public key to the key server, the encrypted first public key having been produced by encrypting the first public key with an agreed key; the key agent module receives the encrypted second public key from the key server, the encrypted second public key having been produced by encrypting the second public key with the agreed key; and the key agent module decrypts the encrypted second public key with the agreed key to obtain the second public key. The agreed key is set to be used only when the key agent module restarts.
It should be noted that when the key Agent restarts and sends the first public key to the key server, it encrypts the first public key with the agreed key and sends the encrypted key; after receiving it, the key server decrypts it with the agreed key. Likewise, when the key server sends the second public key to the key Agent, it encrypts it with the agreed key and sends the encrypted key; after receiving it, the key Agent decrypts it with the agreed key.
It should be noted that, in this embodiment, the agreed key is used to encrypt the first and second public keys for their mutual transmission only when the key Agent restarts. That is, the only legitimate occasion for using the agreed key is when the maintainer of the key Agent restarts the process to change the key Agent; any other use is illegitimate. For example, the maintainer uses the agreed key to obtain the key list when the key Agent restarts; if some other user later uses the agreed key to obtain the key list again, that user is identified as an abuser. Restricting the agreed key to a single use at key Agent restart therefore allows abusers to be detected quickly and effectively.
Because the key list obtained from the key server is encrypted, the key Agent must decrypt it after pulling it.
Optionally, before the key agent module receives the ciphertext processing request from the service module, it may also obtain the process PID of the service process, the service process being the process through which the service module sends the data to be encrypted; the key agent module then performs a legality check on the service process and its PID, and obtains the target key from the key list only if the legality check passes.
In this embodiment, before the data to be encrypted on behalf of the service process is encrypted, the legality of that service process must first be established. To do so, the key Agent obtains the PID of the service process and then checks the legality of the PID and of the process. If the check result for the PID and the process is legal, that is, the check passes, the key agent module obtains the target key from the key list and encrypts the data to be encrypted with it.
It should be noted that, in this embodiment, the key agent module may obtain, through the socket SCM_RIGHTS mechanism, the kernel-authenticated process PID of the service process transmitted by the service module; SCM_RIGHTS applies to unix domain sockets.
Further, the key agent module checks the legality of the service process and its PID in the following steps:
Step S1: the key agent module obtains the full path of the process corresponding to the PID;
Step S2: the key agent module determines whether the full process path is one of the legal paths obtained in advance from the key server;
Step S3: if the full process path is one of the legal paths, the key agent module computes an MD5 checksum of the service process, obtaining a first MD5 result; if it is not, the legality check is determined to have failed;
Step S4: the key agent module determines whether the first MD5 result equals the second MD5 result previously obtained for the service process;
Step S5: if the first MD5 result equals the second MD5 result, the legality check is determined to have passed; if they differ, the legality check is determined to have failed.
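An added Go example (not the patent's code) of steps S1 to S5 on a Linux host: the executable path is resolved from /proc/<pid>/exe, compared against the legal path list, and the binary's MD5 is compared with the digest stored for it. The allow-list format (path to hex digest) is an assumption. Two caveats a practitioner would add: the PID must be the one the kernel reports for the peer, which on Linux comes from SO_PEERCRED or SCM_CREDENTIALS on the unix socket (SCM_RIGHTS, named in the text, is the companion mechanism that passes file descriptors); and MD5 is not collision resistant, so a current deployment would put SHA-256 in the same place. MD5 is kept here only to match the text.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// AllowList is the legal-path table the Agent pulls from the key server:
// full executable path -> expected MD5 digest (hex) of that binary. The
// format is an assumption; the text only says both values come from the server.
type AllowList map[string]string

// ProcessExePath is step S1: resolve a kernel-supplied PID to the full path of
// its executable. /proc/<pid>/exe is a kernel-maintained symlink, so unlike
// argv[0] or /proc/<pid>/cmdline it cannot be chosen by the process itself.
func ProcessExePath(pid int) (string, error) {
	target, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
	if err != nil {
		return "", err
	}
	// The kernel appends " (deleted)" when the file backing the running image
	// is gone; hashing whatever now sits at that path would prove nothing.
	if strings.HasSuffix(target, " (deleted)") {
		return "", errors.New("executable was deleted or replaced on disk")
	}
	return filepath.Clean(target), nil
}

// fileMD5 hashes the binary on disk (step S3, the first MD5 result).
func fileMD5(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := md5.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyProcess is steps S2 to S5 for an already-resolved path: the path must
// be in the legal list, and the binary's digest must equal the stored one.
func VerifyProcess(exePath string, allowed AllowList) error {
	expected, ok := allowed[filepath.Clean(exePath)]
	if !ok {
		return errors.New("legality check failed: path not in legal path list")
	}
	got, err := fileMD5(exePath)
	if err != nil {
		return err
	}
	if got != expected {
		return errors.New("legality check failed: binary digest mismatch")
	}
	return nil
}

// VerifyPID runs the whole check for a PID (Linux only, because of /proc).
func VerifyPID(pid int, allowed AllowList) error {
	path, err := ProcessExePath(pid)
	if err != nil {
		return err
	}
	return VerifyProcess(path, allowed)
}
```

The check verifies the file on disk at the moment of the request, not the image already mapped into the process; the " (deleted)" test closes the most common gap (a binary swapped after start), but a deployment that wants stronger guarantees also re-runs the check periodically rather than only once before the descriptor exchange.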
Optionally, when the key agent module's legality check of the service process and its PID passes, the key agent module obtains a first file descriptor sent by the service module, the first file descriptor being used by the key agent module to recognize data sent by the service module as legitimate; the key agent module then generates a second file descriptor, used by the service module to recognize data sent by the key agent module as legitimate; finally, the key agent module transmits the second file descriptor to the service module.
Once the legality check of the service process has passed, the key agent module and the service module exchange file descriptors. Specifically, the key agent module first obtains the first file descriptor from the service module, after which it can recognize data sent by the service module as legitimate. At that point the service module has handed its file descriptor to the key agent module, and the key agent module must hand one back: it transmits the generated second file descriptor to the service module, after which the service module can recognize data sent by the key agent module as legitimate.
In this embodiment, the first and second file descriptors correspond to data blocks in shared memory, which stores both the data to be encrypted carried by the ciphertext processing request and the encrypted data; this is described in detail in the embodiments below. For example, when the service module places data to be encrypted in shared memory, it writes it into the region of shared memory that corresponds to the first file descriptor. Once the data has been written, the key agent module learns that the service module has stored data to be encrypted in shared memory and fetches the data from that region.
It should be noted that, in this embodiment, multiple file descriptors (eventfd) can be exchanged at once, and more can be exchanged through another check when they run out, which markedly reduces the number of check requests; the applicant found in testing that the maximum number of fds that can be exchanged at once on a Linux system is 255. Once the key agent module and the service module have exchanged file descriptors, the key agent module can receive the ciphertext processing requests sent by the service module and encrypt the data to be encrypted that they carry.
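An added Go example (not the patent's code) of the one-time bulk descriptor exchange over a unix domain socket with SCM_RIGHTS. The Linux kernel defines SCM_MAX_FD as 253 descriptors per control message, so the sender splits larger sets into batches and the receiver reassembles them. A socketpair stands in for the Agent's accepted connection and the service module's client socket; any descriptor type travels the same way, so ordinary pipes can be used in place of eventfds when trying this out.

```go
package main

import (
	"errors"
	"net"
	"os"
	"syscall"
)

// MaxFDsPerMessage is the kernel's SCM_MAX_FD: at most this many descriptors
// fit in one SCM_RIGHTS control message, so larger sets are split.
const MaxFDsPerMessage = 253

// SendFDs hands the descriptors in fds to the peer in batches of at most
// batch (clamped to MaxFDsPerMessage). Each message carries a one-byte payload
// holding the batch size, since SCM_RIGHTS needs at least one data byte.
func SendFDs(conn *net.UnixConn, fds []int, batch int) error {
	if batch <= 0 || batch > MaxFDsPerMessage {
		batch = MaxFDsPerMessage
	}
	for start := 0; start < len(fds); start += batch {
		end := start + batch
		if end > len(fds) {
			end = len(fds)
		}
		oob := syscall.UnixRights(fds[start:end]...)
		if _, _, err := conn.WriteMsgUnix([]byte{byte(end - start)}, oob, nil); err != nil {
			return err
		}
	}
	return nil
}

// RecvFDs collects exactly want descriptors, however many messages that takes.
// Returned descriptors are new numbers in this process that refer to the
// sender's open files; the caller owns them and must close them.
func RecvFDs(conn *net.UnixConn, want int) ([]int, error) {
	var got []int
	oob := make([]byte, syscall.CmsgSpace(MaxFDsPerMessage*4))
	for len(got) < want {
		buf := make([]byte, 1)
		_, oobn, flags, _, err := conn.ReadMsgUnix(buf, oob)
		if err != nil {
			return got, err
		}
		if flags&syscall.MSG_CTRUNC != 0 {
			return got, errors.New("control message truncated: oob buffer too small")
		}
		msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
		if err != nil {
			return got, err
		}
		for i := range msgs {
			fds, err := syscall.ParseUnixRights(&msgs[i])
			if err != nil {
				return got, err
			}
			got = append(got, fds...)
		}
	}
	return got, nil
}

// SocketPair returns two connected unix-socket ends: a stand-in for the
// Agent's accepted connection and the service module's client socket.
func SocketPair() (*net.UnixConn, *net.UnixConn, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, nil, err
	}
	a, err := unixConn(fds[0])
	if err != nil {
		return nil, nil, err
	}
	b, err := unixConn(fds[1])
	if err != nil {
		a.Close()
		return nil, nil, err
	}
	return a, b, nil
}

// unixConn wraps a raw descriptor; net.FileConn dups it, so the original is closed.
func unixConn(fd int) (*net.UnixConn, error) {
	f := os.NewFile(uintptr(fd), "socketpair")
	defer f.Close()
	c, err := net.FileConn(f)
	if err != nil {
		return nil, err
	}
	uc, ok := c.(*net.UnixConn)
	if !ok {
		c.Close()
		return nil, errors.New("not a unix domain socket")
	}
	return uc, nil
}
```

Passing descriptors this way is what ties the later shared-memory traffic to the legality check: a descriptor can only be obtained through this exchange, which happens only after the PID and digest check passes, so possession of the descriptor is the service module's proof of having been checked.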
Further, when the legality check of the service process and its PID passes, the key agent module may also set a target permission for the first file descriptor, the target permission including at least one of: allowing the key agent module to encrypt the data to be encrypted that the service module requests, and allowing the key agent module to decrypt the data to be decrypted that the service module requests.
Specifically, when the legality check of the service process and its PID passes, the key agent module may, after the file descriptor exchange, set the target permission for the first file descriptor, the permission set including: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
After the key agent module has set the target permission on the first file descriptor, it can encrypt the data to be encrypted according to the received ciphertext processing request and then send the encrypted data to the service module.
Here, the key agent module receiving the ciphertext processing request from the service module comprises the key agent module fetching from shared memory the data to be encrypted that the service module stored there; and the key agent module sending the encrypted data to the service module comprises the key agent module storing the encrypted data in shared memory so that the service module fetches the encrypted data from there.
When the service module sends a ciphertext processing request to the key agent module, it stores the request in shared memory; the key agent module then fetches the stored data to be encrypted from shared memory. Likewise, after the key agent module has encrypted the data with the target key, it stores the encrypted data in shared memory as well, so that the service module can fetch the encrypted data from shared memory.
As the above shows, in this embodiment the key agent module has already set the target permission for the first file descriptor; in that case, if the legality check passes, the key agent module obtaining the target key from the key list specifically means: when the target permission includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module obtains the target key package from the key list.
需要说明的是,由于目标权限可以为仅允许密钥代理模块对业务模块请求的待解密的数据进行解密或者允许密钥代理模块对业务模块请求的待加密的数据进行加密。因此,密钥代理模块只有在确定出目标权限为允许密钥代理模块对业务模块请求的待加密的数据进行加密时,才可以从密钥列表中获取目标密钥,并使用获取到的目标密钥对待加密的数据进行加密。It should be noted that, because the target authority may only allow the key agent module to decrypt the data to be decrypted requested by the service module or allow the key agent module to encrypt the data to be encrypted requested by the service module. Therefore, the key agent module can obtain the target key from the key list only when it is determined that the target authority is to allow the key agent module to encrypt the data to be encrypted requested by the service module, and use the obtained target secret. The key encrypts the encrypted data.
In an optional implementation of this embodiment of the present application, the key agent module obtaining the process PID of the service process includes: the key agent module obtaining the process PID of the service process through a unix domain socket in non-root running mode; or the key agent module configuring the socket option SO_PEERCRED and obtaining the process PID of the service process through the socket.
In this embodiment of the present application, the process PID is transmitted through the unix domain socket's SCM_RIGHTS mechanism. Since a unix domain socket delivers an accurate process PID only for a process running in non-root mode, any need to run in root mode on the local machine must be reviewed and approved before the process PID is transmitted. That is, the process PID (process identifier) of the service process needs to be obtained through a unix domain socket in non-root running mode. Further, the key agent module can also configure the socket option SO_PEERCRED and obtain the process PID of the service process through the socket.
In summary, in this embodiment of the present application the data to be encrypted is encrypted and decrypted indirectly through the key Agent. At the same time, communication between the service module and the key Agent can use any standard Linux IPC mechanism, including but not limited to pipes, unix socket pairs and local disk files; the Linux eventfd adopted by this solution is the most efficient and the best choice for massive volumes of encryption and decryption requests. By making full use of the standard mechanisms provided by the modern Linux kernel, this method implements the encryption and decryption program in a way that improves key security while minimizing the loss of encryption and decryption performance, ensuring its effectiveness in practice.
The service encryption method provided by the present application is described below with reference to specific embodiments.
FIG. 3 is a flowchart of an optional service processing method according to an embodiment of the present application. As shown in FIG. 3, the key Agent (i.e., the key agent module) and the service module are on the same physical machine.
In this embodiment of the present application, when the key Agent restarts, the key Agent encrypts the first public key with the agreed key and sends the encrypted first public key to the key server; the key agent module can also receive the encrypted second public key sent by the key server, where the second public key is likewise encrypted with the agreed key. After obtaining the second public key, the key Agent decrypts it with the agreed key; after obtaining the first public key, the key server likewise decrypts it with the agreed key.
Next, the key Agent can send a pull request for the key list to the key server. After receiving the key pull request, the key server transmits the encrypted key list to the key Agent, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key. After receiving the encrypted key list, the key Agent can decrypt it with the second communication key, which is identical to the first communication key, where the second communication key is generated by the key agent module from the first private key and the second public key.
It should be noted that in this embodiment of the present application the "agreed key" is used to encrypt the first public key and the second public key, and to transmit them to each other, only when the key Agent restarts.
In other words, the only legitimate occasion for using the agreed key is when the Agent's maintainer restarts the process while changing the Agent; any other use is illegitimate. For example, the Agent's maintainer uses the agreed key to obtain the key list when the Agent restarts; if afterwards another user uses the agreed key to obtain the key list again, that user is identified as an abuser. Therefore, in this embodiment of the present application, the arrangement that the "agreed key" is used once, only when the key Agent restarts, makes it possible to detect abusers quickly and effectively.
Since only the respective public keys (pubkey) are transmitted over the network, while the service encryption provided in this embodiment of the present application decrypts the encrypted key list using the first private key and the second public key, the keys cannot be derived even if the key list traffic is captured with tcpdump, which prevents the key leakage that packet capture on the internal network could otherwise cause.
It should be noted that in this embodiment of the present application the memory of the key Agent and the key server can also be protected. Specifically, the binaries of the key Agent and the key server can be stripped (i.e., all debugging information removed), and the source code of the key Agent and the key server then stored in secure isolation; in this way gdb is almost blind, and at the very least simply modifying variables becomes impossible.
After decrypting the key list, the key Agent needs to verify the validity of the service process and of the service process's PID. As shown in FIG. 4, the service module first creates a unix domain socket and creates a first file descriptor, then transmits the first file descriptor to the key Agent using SCM_RIGHTS over the unix domain socket, and transmits the process PID authenticated by the kernel to the key Agent using SCM_CREDENTIA. Both SCM_RIGHTS and SCM_CREDENTIA apply to unix domain sockets: SCM_RIGHTS is used to transmit a descriptor from one process to another, which allows IPC mechanisms that otherwise only work between related processes (such as Linux eventfd) to be extended to unrelated processes; SCM_CREDENTIA is used to transmit the process PID that has been authenticated by the kernel.
The applicant found through experiments that, among all the methods tried (for example asynchronous IO, local network sockets, unix domain sockets, pipes, edge triggering, multiple requests per recv/send, eventfd) and all the documentation consulted, the encryption efficiency of this approach is second only to shared-memory IPC, clearly faster than pipes and ordinary unix domain sockets, not to mention network sockets, and is the most practical.
At this point, after the process PID has been obtained, the validity of the service process and the process PID can be verified. The specific verification process is described in detail in steps S1 to S5 above and is not repeated here.
Further, when the validity check passes, the key agent module may also send the first file descriptor eventfda to the service module; after obtaining the first file descriptor eventfda, the key agent module generates a second file descriptor eventfdb and sends the second file descriptor eventfdb to the service module, thereby implementing the exchange of file descriptors between the key agent module and the service module.
Further, when the validity check passes, the key agent module may also set a target permission for the first file descriptor, where the target permission includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
Next, the service module can write data into the area of shared memory corresponding to the first file descriptor eventfda, i.e., write the data to be encrypted into the region of shared memory corresponding to the first file descriptor eventfda (write eventfda). After the write, the key agent module learns that the service module has written data; at this point the key agent module reads the data to be encrypted from the shared memory (i.e., reads the second file descriptor, read eventfdb) and reads the target permission previously configured for the first file descriptor eventfda.
Finally, when the target permission includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module can obtain the target key from the key list and then carry out the ciphertext processing request on the data to be encrypted using the obtained target key.
It should be noted that in this embodiment of the present application only 8 bytes of data can be transmitted directly through an eventfd, so the body of the request packet (i.e., the packet requesting that the data to be encrypted be encrypted) and of the response packet (i.e., the packet carrying the data once encrypted) is kept in shared memory.
It should further be noted that keeping the key in shared memory is unsafe, whereas keeping the plaintext and ciphertext in shared memory is safe, because the 8 bytes of the eventfd can be used to transmit the critical part, so an attacker cannot obtain the complete key information.
Further, if the PID passed via SCM_CREDENTIA is wrong, sendmsg returns -1 and errno is set to 3 (the process does not exist) or 1 (an attempt to impersonate another process).
That is:
#define ESRCH 3 /* No such process */
#define EPERM 1 /* Operation not permitted */
Further, a unix domain socket delivers an accurate process PID only for a process running in non-root mode, so any requirement for the key Agent to run in root mode must be reviewed and approved.
The key agent module can also configure the socket option SO_PEERCRED and obtain the process PID of the service process through the socket.
The embodiments of the present application are described below with reference to a specific example.
Assume the test environment is as follows:
Machine: idle machine, 48 cores @ 2.6 GHz;
Service processes: 60 processes, 4700 coroutines, interacting only with the Agent;
Key Agent: 10 processes; the service processes and the key Agent all run freely, with no CPU priority set.
Test method:
Empty service: no logic at all, tests the baseline efficiency of the network framework itself;
Local decryption: decrypts WeChat tickets directly;
Ticket = primary ticket + secondary ticket;
Primary ticket: AES + asymmetric encryption, 16 bytes;
Secondary ticket: symmetric encryption + asymmetric encryption, 12 bytes;
Key Agent decryption: decrypts WeChat tickets directly;
Ticket = primary ticket + secondary ticket;
Primary ticket: AES encryption, 16 bytes;
Secondary ticket: symmetric encryption, 12 bytes;
Note: because the key Agent greatly strengthens key security, asymmetric encryption is no longer needed.
Stress test results (overall CPU peak):
The tests show that with 5 external test machines, the request rate to the test service reached about 30W/s (300,000 requests per second) in each case, with CPU usage of 17% for the empty service, 31%-33% for local decryption and 33%-34% for Agent decryption.
With 8 external test machines, the request rate reached about 40W/s (400,000 requests per second) in each case, with CPU usage of 27%-28% for the empty service, 55%-56% for local decryption and 60%-61% for Agent decryption.
It can thus be seen that even under extreme conditions the additional CPU load of the key Agent approach, compared with the service verifying tickets directly, is very light, which makes it highly valuable in practice.
In an optional embodiment, before obtaining the first information, the method may further include: sending a ciphertext processing request to the key agent module of the first type; and obtaining the execution result of the key agent module of the first type executing the ciphertext processing request; optionally, the execution result can be read from the shared memory.
In this embodiment, dual key agent modules can run in the system, and they can be two types of key agent module; optionally, the two types are a first type and a second type, where the key agent module of the first type is a development (develop) key agent module and the key agent module of the second type is a stable key agent module, a stable key agent module being one whose correctness rate in executing ciphertext processing requests over a predetermined period of time is above a predetermined correctness rate.
It should be noted that the development (develop) key agent module may be, but is not limited to, a key agent module that has not yet been verified; after passing verification it becomes the stable key agent module described above.
Optionally, the stable key agent module is a key agent module that has been determined to run correctly for a period of time, whereas the develop key agent module is one for which it has not yet been determined that its correctness rate in executing ciphertext processing requests over the predetermined period of time is above the predetermined correctness rate.
According to the above embodiment of the present application, obtaining the first information may include: computing, from the execution results, the success rate of the key agent module of the first type in executing ciphertext processing requests, where the first information includes the success rate.
Optionally, the success rate is computed with the total number of ciphertext processing requests executed by the key agent module of the first type as the denominator and the total number of those requests executed successfully as the numerator.
In an optional embodiment, the predetermined type switching condition includes the success rate being below a first predetermined threshold, and detecting whether the first information satisfies the predetermined type switching condition may include: detecting whether the success rate is below the first predetermined threshold; if the success rate is detected to be below the first predetermined threshold, determining that the first information satisfies the predetermined type switching condition; and if the success rate is detected not to be below the first predetermined threshold, determining that the first information does not satisfy the predetermined type switching condition.
Through the above embodiment, the service module preferentially performs encryption and decryption operations through the develop key agent module (i.e., the key agent module of the first type) and directly monitors, locally, the success rate of the develop key agent module in executing ciphertext processing requests. When the success rate falls below the pre-configured first predetermined threshold (for example, 98%), the service module automatically switches to the key agent module of the second type to execute ciphertext processing requests, which ensures the stability of ciphertext processing across the whole system.
According to the above embodiment of the present application, before obtaining the first information the method may further include: after the files of a key agent module in the system have been updated, recording the key agent module on which the update was performed as a key agent module of the first type; and if it is detected that the correctness rate of that key agent module of the first type in executing ciphertext processing requests stays above the predetermined correctness rate throughout a predetermined period of time, recording the key agent module of the first type as a key agent module of the second type.
Optionally, a key agent module that has been set up can be thoroughly tested and gradually rolled out on the network; once it is determined that the key agent module has executed correctly for a sufficiently long time (for example, 2 months), it can be recorded as the stable type. If both key agent modules of the dual-agent system satisfy this condition (i.e., both have executed correctly for a sufficiently long time), all key agent modules in the system can be recorded as the stable type.
It should be noted that when the Agent needs to be changed, the type of the changed Agent is recorded as the develop type.
In an embodiment running in dual-Agent mode, if the dual Agents are both stable Agents, the service module selects the stable Agent with the later modification time; when a change is needed, the changed stable Agent becomes a develop Agent.
In an optional embodiment, if the dual Agents are both stable Agents, then when a change is needed, the stable Agent whose file modification time is older (i.e., modified earlier) is the one changed.
While the develop Agent is running, if a change is needed, the develop Agent continues to be released. Further, only when the develop Agent has executed correctly for a sufficiently long time (for example, 2 months) without any change can its type be set to stable Agent (i.e., the key agent module of the second type).
Optionally, before obtaining the first information, the method may further include: while the key agent module of the first type in the system is running, if the files of a key agent module need to be updated, updating the files of the key agent module of the first type.
In the above embodiment, while the key agent module of the first type (i.e., the develop Agent) is running, if further changes are needed this develop Agent continues to be released; when the develop Agent has executed correctly for a sufficiently long time (for example, 2 months) without any change, its type can be set to stable Agent (i.e., the key agent module of the second type).
It should be noted that executing the ciphertext processing request of the service module through the key agent module of the second type includes: if the system includes multiple (for example two) key agent modules of the second type, obtaining from among them the key agent module of the second type with the latest update time, and executing the ciphertext processing request through that most recently updated key agent module of the second type.
According to the above embodiment of the present application, if all key agent modules in the system have been set to the second type, the service module can select, from the two stable Agents, the Agent whose file modification time is newer, and use that Agent with the newer (i.e., later) file modification time for encryption and decryption operations.
According to the above embodiment of the present application, after executing the ciphertext processing request of the service module through the key agent module of the second type, the method further includes: after receiving an input switching instruction, executing the ciphertext processing request through the key agent module of the first type in response to the switching instruction.
In the above embodiment, the input switching instruction is a manually entered instruction. After the service module has switched from the develop Agent to the stable Agent, it is restored to using the develop Agent by hand, so that the develop Agent is used again only once a person has confirmed with 100% certainty that the problem with the develop Agent has been fixed; this avoids the further losses to the service that arbitrary switching from the stable type back to the develop type could cause.
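The develop/stable selection described above (the success-rate check of the earlier paragraphs, the newest-stable rule, and the manual switch-back), as an added example in C that is not part of the patent; the min_samples guard and the statistics reset on manual switch-back are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

enum agent_type { AGENT_DEVELOP = 1, AGENT_STABLE = 2 };

/* mtime: file modification time of the agent (unix seconds);
 * total/succeeded: ciphertext processing requests sent to it and how many succeeded. */
struct key_agent { enum agent_type type; int64_t mtime; uint64_t total, succeeded; };

/* threshold: first predetermined threshold, e.g. 0.98; min_samples (assumed): do not
 * judge the rate on a handful of results; failed_over: set once switched away. */
struct agent_selector {
    struct key_agent *agents; size_t n;
    double threshold; uint64_t min_samples; int failed_over;
};

/* successes / total, the success rate the text defines; 1.0 before any request. */
double success_rate(const struct key_agent *a)
{
    return a->total ? (double)a->succeeded / (double)a->total : 1.0;
}

void record_result(struct key_agent *a, int ok)
{
    a->total++;
    if (ok) a->succeeded++;
}

/* The develop agent, or NULL (the embodiment runs at most one at a time). */
struct key_agent *develop_agent(const struct agent_selector *s)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->agents[i].type == AGENT_DEVELOP) return &s->agents[i];
    return NULL;
}

/* Among stable agents, the one with the newest modification time, or NULL. */
struct key_agent *newest_stable(const struct agent_selector *s)
{
    struct key_agent *best = NULL;
    for (size_t i = 0; i < s->n; i++) {
        struct key_agent *a = &s->agents[i];
        if (a->type == AGENT_STABLE && (!best || a->mtime > best->mtime)) best = a;
    }
    return best;
}

/* Which agent executes the next ciphertext processing request. */
struct key_agent *choose_agent(struct agent_selector *s)
{
    struct key_agent *dev = develop_agent(s);
    if (dev && !s->failed_over) {
        if (dev->total >= s->min_samples && success_rate(dev) < s->threshold)
            s->failed_over = 1;   /* predetermined type switching condition met */
        else
            return dev;
    }
    struct key_agent *st = newest_stable(s);
    return st ? st : dev;         /* no stable agent at all: keep what exists */
}

/* Manual switching instruction: back to the develop agent only on explicit
 * operator input after the fix is confirmed; its statistics restart from here. */
void manual_switch_back(struct agent_selector *s)
{
    struct key_agent *dev = develop_agent(s);
    if (dev) dev->total = dev->succeeded = 0;
    s->failed_over = 0;
}

/* Scenario from the text: one stable and one develop agent; the develop agent is
 * preferred until its success rate drops below 98%. Returns a bitmask: 1 = develop
 * chosen first, 2 = stable chosen after failures, 4 = develop chosen again after
 * the manual switch-back, 8 = newest stable chosen once both are stable. */
unsigned demo_failover(void)
{
    struct key_agent ags[2] = { { AGENT_STABLE, 1000, 0, 0 }, { AGENT_DEVELOP, 2000, 0, 0 } };
    struct agent_selector s = { ags, 2, 0.98, 50, 0 };
    unsigned result = 0;
    if (choose_agent(&s) == &ags[1]) result |= 1;
    for (int i = 0; i < 100; i++)
        record_result(&ags[1], i % 33 != 0);      /* 4 failures out of 100: rate 0.96 */
    if (choose_agent(&s) == &ags[0]) result |= 2;
    manual_switch_back(&s);
    if (choose_agent(&s) == &ags[1]) result |= 4;
    ags[1].type = AGENT_STABLE;                    /* both stable: newest mtime wins */
    if (choose_agent(&s) == &ags[1]) result |= 8;
    return result;
}
```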
通过上述实施例,通过业务模块进行容灾处理,可以在系统升级的情况下,保证加解密正常进行,并且在系统有bug的时候,可以及时切换不同类型的密钥代理模块执行密文处理请求,保证了系统的稳定性。Through the foregoing embodiment, the service module performs the disaster recovery process, and the encryption and decryption can be performed normally in the case of system upgrade, and when the system has a bug, the different types of key agent modules can be switched in time to perform the ciphertext processing request. To ensure the stability of the system.
可选地,在通过密钥代理模块执行密文处理请求的过程中,方法还包括:在密钥代理模块对业务进程进行合法性校验之后,在合法性校验通过的情况下,业务模块向密钥代理模块发送第一文件描述符,其中,第一文件描述符用于密钥代理模块将业务模块发送的数据识别为合法数据;获取密钥代理模块生成的多个第二文件描述符,其中,第二文件描述符用于业务模块将密钥代理模块发送的数据识别为合法数据。Optionally, in the process of performing the ciphertext processing request by the key proxy module, the method further includes: after the validity of the validity check of the service process by the key proxy module, in the case that the validity check is passed, the service module Transmitting, to the key agent module, a first file descriptor, wherein the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; and acquiring a plurality of second file descriptors generated by the key agent module The second file descriptor is used by the service module to identify the data sent by the key agent module as legal data.
可选地,在获取密钥代理模块生成的多个第二文件描述符之后,方法还包括:将获取到的多个第二文件描述符保存至队列中;依序利用队列中存储的第二文件描述符与密钥代理模块进行通信。Optionally, after acquiring the plurality of second file descriptors generated by the key agent module, the method further includes: saving the obtained plurality of second file descriptors into the queue; sequentially using the second stored in the queue The file descriptor communicates with the key broker module.
可选地,多个第二文件描述符的数目与密钥代理模块中用于执行密文处理请求的线程数目相对应。Optionally, the number of the plurality of second file descriptors corresponds to the number of threads in the key broker module for executing the ciphertext processing request.
In this embodiment, the service works at the granularity of threads: each service thread exchanges descriptors with the Agent independently and manages its descriptors independently as a queue, so threads do not interfere with one another. After a service thread has independently passed the Agent's identity check, it exchanges several second file descriptors in one go (for example, an integer multiple of the number of Agent encryption/decryption threads). The Agent side distributes these descriptors perfectly evenly across its encryption/decryption threads (so every thread manages the same number of descriptors), which load-balances the service.
For example, the key agent module obtains 100 first file descriptors sent by the service module, generates 100 second file descriptors and transmits them to the service module. The 100 first file descriptors and the 100 second file descriptors are paired one to one, giving 100 descriptor pairs. The key agent module can distribute the 100 pairs evenly across 10 encryption/decryption threads as follows: the first pair is assigned to encryption/decryption thread 1, the second pair to thread 2, ..., the tenth pair to thread 10, the eleventh pair to thread 1, the twelfth pair to thread 2, and so on, with the hundredth pair assigned to thread 10.
In the above embodiment, each service thread stores the descriptors it has exchanged in its own thread-level queue. For every encryption or decryption request the service thread takes the descriptor at the head of the queue to communicate with the Agent and puts it back at the tail once the communication completes. If the queue turns out to be empty when a descriptor is taken from the head, the thread exchanges more descriptors in the manner described above.
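The two mechanisms above, as an added example in C that is not code from the patent: the Agent-side round-robin assignment of descriptor pairs to worker threads, and the service-side thread-level FIFO that takes from the head, gives back to the tail, and triggers a fresh exchange when it runs dry. Descriptors are plain integers here and the exchange with the Agent is a stand-in; the batch size and starting fd number are constructed for the demo.

```c
#include <string.h>

#define MAX_FDS 1024

/* Agent side: descriptor pair i goes to worker (i % n_workers).
 * owner[i] receives the worker index. Returns -1 on bad arguments. */
int assign_round_robin(int n_pairs, int n_workers, int *owner) {
    if (n_pairs < 0 || n_pairs > MAX_FDS || n_workers <= 0) return -1;
    for (int i = 0; i < n_pairs; i++) owner[i] = i % n_workers;
    return 0;
}

/* How many pairs a given worker ended up with; equal for all workers
 * when n_pairs is an integer multiple of n_workers. */
int worker_load(const int *owner, int n_pairs, int worker) {
    int n = 0;
    for (int i = 0; i < n_pairs; i++) if (owner[i] == worker) n++;
    return n;
}

/* Service side: one thread's FIFO of second file descriptors. */
typedef struct {
    int fds[MAX_FDS];
    int head, tail, count;
    int batch_size;   /* how many fds one exchange with the Agent yields */
    int next_fd;      /* constructed fd numbers standing in for real ones */
    int exchanges;    /* how many times an exchange with the Agent was needed */
} fd_queue;

void queue_init(fd_queue *q, int batch_size, int first_fd) {
    memset(q, 0, sizeof *q);
    q->batch_size = batch_size;
    q->next_fd = first_fd;
}

static void queue_push(fd_queue *q, int fd) {
    q->fds[q->tail] = fd;
    q->tail = (q->tail + 1) % MAX_FDS;
    q->count++;
}

/* Stand-in for the identity check plus descriptor exchange with the Agent. */
static void exchange_with_agent(fd_queue *q) {
    q->exchanges++;
    for (int i = 0; i < q->batch_size && q->count < MAX_FDS; i++)
        queue_push(q, q->next_fd++);
}

/* Take the head descriptor for a request; exchange more first if empty. */
int queue_take(fd_queue *q) {
    if (q->count == 0) exchange_with_agent(q);
    int fd = q->fds[q->head];
    q->head = (q->head + 1) % MAX_FDS;
    q->count--;
    return fd;
}

/* Return the descriptor to the tail once the reply has been read. */
void queue_give_back(fd_queue *q, int fd) { queue_push(q, fd); }
```

Because each thread owns its queue outright, no lock is needed on the request path; the only cross-thread interaction is the occasional exchange with the Agent.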
Through the above embodiment the number of identity authentications is greatly reduced: because the hash computation used for identity verification (MD5, or another hash algorithm) is comparatively expensive, it is no longer necessary to verify identity on every request. (MD5 is the page's example; for an integrity check on a binary a collision-resistant hash such as SHA-256 is the appropriate choice today.) Every service thread accesses the Agent threads perfectly evenly, which completely avoids uneven load across Agent threads and makes balanced use of multiple CPUs. Each encryption/decryption request between the service and the Agent is handled highly independently, so no request-level lock is needed to guarantee exclusive access to resources, which raises concurrent throughput.
In another optional embodiment, disaster recovery is handled through the key agent module. FIG. 5 shows an optional embodiment; as shown in FIG. 5, it can be implemented by the following steps:
Step S502: the key agent module obtains the execution result of executing the ciphertext processing request;
Step S504: the key agent module checks whether the execution result meets a predetermined mode switching condition;
Step S506: if the execution result is found to meet the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information instructs the service module to switch to the mode in which the service module executes ciphertext processing requests itself.
Optionally, if the execution result is found not to meet the predetermined mode switching condition, operation continues in the mode in which the key agent module executes the ciphertext processing requests.
Through the above embodiment, the key agent module checks whether the execution result of the ciphertext processing requests it has executed meets the predetermined mode switching condition. If it does, the key agent module is judged unable to keep executing ciphertext processing requests stably, and the mode is switched so that the service module can execute ciphertext processing requests itself. This addresses the problem in the related art that a system cannot run stably while business data is being encrypted and decrypted, and achieves stable operation of the system.
Optionally, after the service module has switched to the local encryption/decryption mode (that is, the mode in which the service module executes ciphertext processing requests itself), it can only be switched back to using the Agent manually (for example, on receiving a manually entered recovery instruction); at that point the service automatically clears the key M. This is so that a person confirms with certainty that the problem has been fixed, and the service does not suffer further loss from arbitrary switching back and forth. With this embodiment, normal operation of the service is protected as far as possible at the smallest cost in security.
In the above embodiment, the way the key agent module executes the ciphertext processing request is the same as described in the preceding embodiments and is not repeated here.
In an optional embodiment, each time the Agent pulls the latest key list, the key server SVR generates a random key M (that is, the key data) and returns it to the Agent. The Agent encrypts the key list with M and stores it in a block of shared memory N.
Optionally, before the service thread obtains the key data of the key agent module, the method further includes: the service thread generating a first-end descriptor and a second-end descriptor of a communication pipe, where the first-end descriptor is used by the key agent module to identify data sent by the service module as legitimate, and the second-end descriptor is used by the service module to identify data sent by the key agent module as legitimate; and transmitting the second-end descriptor to the key agent module through the communication pipe.
The service thread independently creates the two descriptors of a pipe, a read-end descriptor and a write-end descriptor (the first-end and second-end descriptors above). During identity verification the service thread passes the write end to the Agent; if the identity check passes, the Agent keeps that write end and the service thread closes its own copy of it. From then on the service thread holds the pipe's read end and the Agent holds the write end of the pipe belonging to that thread.
Further, when the service issues an encryption/decryption request, it places the request time A in the request packet (for example, to millisecond precision).
Optionally, the key agent module obtaining the execution result of executing the ciphertext processing request includes: after executing a ciphertext processing request, the key agent module determining from the request time carried in the request and the current time whether execution of the current request has timed out; if it has, the key agent module determining that execution of the current ciphertext processing request failed; and the key agent module computing the success rate of its execution of ciphertext processing requests from the number of requests that failed, the execution result including this success rate.
Optionally, the key agent module checking whether the execution result meets the predetermined mode switching condition includes: the key agent module checking whether the success rate is below a second predetermined threshold; if the success rate of executing ciphertext processing requests is found to be below the second predetermined threshold, determining that the execution result meets the predetermined mode switching condition.
Optionally, after the Agent has finished executing a request and written the result data into the shared memory and the buffer of the communication descriptor, it reads the current time (to millisecond precision). If the encryption/decryption timeout configured by the service is B ms, and the difference C between the current time and the request time A exceeds (B - x) ms, the request is marked as failed. When the success rate drops below the configured second predetermined threshold (for example, 98%), the Agent automatically sends the key M to all service threads through the write ends of their pipes. Optionally, x may be 3.
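The Agent-side accounting just described, as an added example in C that is not code from the patent. A request is counted as failed when the reply was written later than (B - x) ms after its request time A; the success rate is tracked over a sliding window of recent requests; and when the rate falls below the threshold the key M is pushed once to every service thread's pipe write end. The window size, the minimum sample count before the rate is judged, the injected write function and the constructed scenario (B = 50 ms, x = 3 ms, 4 threads, 3 late replies out of 100) are assumptions of the example, not values the page gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WINDOW      1000   /* assumed: success rate over the last 1000 requests */
#define MIN_SAMPLES 100    /* assumed: do not judge the rate before this many requests */
#define MAX_THREADS 64

typedef struct {
    uint32_t timeout_ms;      /* B: encryption/decryption timeout set by the service */
    uint32_t margin_ms;       /* x: time reserved for the service to read the reply */
    double   threshold;       /* second predetermined threshold, e.g. 0.98 */
    uint8_t  failed[WINDOW];  /* ring of per-request outcomes */
    int      pos, filled, failures;
    bool     failover_sent;   /* one-shot: switching back is manual per the text */
} agent_stats;

void stats_init(agent_stats *s, uint32_t B, uint32_t x, double threshold) {
    memset(s, 0, sizeof *s);
    s->timeout_ms = B;
    s->margin_ms = x;
    s->threshold = threshold;
}

/* C = now - A; the request is a failure when C > (B - x). */
bool request_timed_out(const agent_stats *s, uint64_t req_time_A, uint64_t now_ms) {
    uint64_t C = now_ms > req_time_A ? now_ms - req_time_A : 0;
    return C > (uint64_t)(s->timeout_ms - s->margin_ms);
}

/* Record the outcome of one executed request and return the success rate. */
double stats_record(agent_stats *s, bool failed) {
    if (s->filled == WINDOW) s->failures -= s->failed[s->pos];  /* evict the oldest */
    else s->filled++;
    s->failed[s->pos] = failed ? 1 : 0;
    s->failures += failed ? 1 : 0;
    s->pos = (s->pos + 1) % WINDOW;
    return 1.0 - (double)s->failures / (double)s->filled;
}

/* Simulated pipe write ends: records which fds received key M. */
int demo_written_fds[MAX_THREADS];
int demo_written_count = 0;
static int demo_pipe_write(int fd, const void *buf, size_t len) {
    (void)buf;
    if (demo_written_count < MAX_THREADS) demo_written_fds[demo_written_count++] = fd;
    return (int)len;
}

/* Mode switch check: if the rate is below the threshold, push key M to every
 * service thread's pipe write end. Returns true when the switch fires. */
bool maybe_failover(agent_stats *s, const int *write_ends, int n_threads,
                    const uint8_t *key_M, size_t key_len,
                    int (*pipe_write)(int, const void *, size_t)) {
    if (s->failover_sent || s->filled < MIN_SAMPLES) return false;
    double rate = 1.0 - (double)s->failures / (double)s->filled;
    if (rate >= s->threshold) return false;
    for (int i = 0; i < n_threads; i++) pipe_write(write_ends[i], key_M, key_len);
    s->failover_sent = true;
    return true;
}

/* Constructed scenario: requests 0, 40 and 80 are answered 60 ms after A,
 * the rest after 20 ms, so the rate reaches 97% at the 100th request. */
bool demo_scenario(void) {
    agent_stats s;
    stats_init(&s, 50, 3, 0.98);
    const int write_ends[4] = { 11, 12, 13, 14 };   /* constructed pipe fds */
    const uint8_t key_M[16] = { 0 };                /* placeholder key bytes */
    bool fired = false;
    for (int i = 0; i < 100; i++) {
        uint64_t A = 1000 + (uint64_t)i * 10;
        uint64_t now = A + ((i % 40 == 0) ? 60 : 20);
        stats_record(&s, request_timed_out(&s, A, now));
        if (maybe_failover(&s, write_ends, 4, key_M, sizeof key_M, demo_pipe_write)) fired = true;
    }
    return fired && demo_written_count == 4;
}
```

The one-shot flag matters: once M has been handed to the service threads the Agent must not keep deciding on its own, since the text makes the return to Agent mode a manual, human-confirmed step.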
Further optionally, the key agent module sending the indication information to the service module includes: the key agent module sending the key data to the service module, where the key data is used to decrypt the key list stored in shared memory to obtain the decrypted key list, and the service module is further configured to execute ciphertext processing requests using the decrypted key list.
It should be noted that the service module obtaining the key data of the key agent module through the service thread includes: the service thread periodically reading from the read end of the communication pipe; if data is read from the read end, determining that the key data has been obtained.
In this example, the service thread periodically (for example, every 3 seconds) checks whether its pipe read end has data to read. Once data is read it is taken to be the key M; from then on the thread uses M each time to decrypt the key list in shared memory N and obtain the key for the encryption/decryption request, degrading gracefully into the thread-local encryption/decryption mode and ignoring the Agent entirely.
Optionally, before the key agent module receives and executes ciphertext processing requests from the service module, the method further includes: after the files of a key agent module have been updated, recording the key agent module on which the update was performed as a first-type key agent module. After the first-type key agent module has received and executed ciphertext processing requests from the service module and obtained execution results, the method further includes: if, throughout a predetermined period, the correctness rate of the first-type key agent module in executing ciphertext processing requests is found to be above a predetermined correctness rate, recording the first-type key agent module as a second-type key agent module.
Optionally, while a first-type key agent module is executing the service module's ciphertext processing requests, the method further includes: if the files in the key agent module need to be updated, updating the files in the first-type key agent module.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
Optionally, the communication pipe is further used to detect whether the service module or the key agent module has restarted.
In the above embodiment, the pipe (the communication pipe described above) is also an effective tool for the Agent and the service to detect whether the other side has restarted. The service thread can pass one more pipe descriptor to the Agent, this time with the service holding the write end and the Agent holding the read end. As soon as the service process exits, the Agent sees the EPOLLHUP event from epoll_wait() and immediately starts cleanup, preventing resource leaks. On the service side, detection is driven by requests: when an encryption/decryption request times out, the service writes one byte to the write end of the pipe; if the Agent has restarted, the write returns EPIPE (the service must ignore SIGPIPE for the error to be returned rather than terminating the process), which likewise immediately triggers resource cleanup and re-verification of identity with the newly started Agent.
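The two liveness checks above, as an added example in C that is not code from the patent. Both checks are demonstrated inside a single process by closing the peer's end of each pipe; in the deployment the page describes the two ends live in the service process and the Agent process respectively. The epoll timeout values are the example's own choices.

```c
#include <errno.h>
#include <signal.h>
#include <sys/epoll.h>
#include <unistd.h>

/* Agent side: wait up to timeout_ms on the read end it holds. Returns 1 if
 * the service (holder of the write end) has gone away (EPOLLHUP), 0 on
 * timeout or plain readability, -1 on error. */
int agent_peer_gone(int read_fd, int timeout_ms) {
    int ep = epoll_create1(EPOLL_CLOEXEC);
    if (ep < 0) return -1;
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = read_fd };
    if (epoll_ctl(ep, EPOLL_CTL_ADD, read_fd, &ev) < 0) { close(ep); return -1; }
    struct epoll_event out;
    int n = epoll_wait(ep, &out, 1, timeout_ms);
    close(ep);
    if (n < 0) return -1;
    if (n == 0) return 0;
    return (out.events & EPOLLHUP) ? 1 : 0;
}

/* Service side: after a request timeout, write one byte to the write end.
 * EPIPE means the Agent (holder of the read end) has restarted. SIGPIPE is
 * ignored so that the write returns an error instead of killing the service. */
int service_agent_gone(int write_fd) {
    signal(SIGPIPE, SIG_IGN);
    unsigned char probe = 0;
    ssize_t r = write(write_fd, &probe, 1);
    if (r == 1) return 0;
    if (r < 0 && errno == EPIPE) return 1;
    return -1;
}

/* "Service process exited": the write end disappears. */
int demo_detect_service_exit(void) {
    int p[2];
    if (pipe(p) < 0) return -1;
    close(p[1]);
    int r = agent_peer_gone(p[0], 100);
    close(p[0]);
    return r;
}

/* "Agent restarted": the read end disappears. */
int demo_detect_agent_restart(void) {
    int p[2];
    if (pipe(p) < 0) return -1;
    close(p[0]);
    int r = service_agent_gone(p[1]);
    close(p[1]);
    return r;
}

/* Both ends alive: the Agent's wait times out and the service's probe succeeds. */
int demo_healthy(void) {
    int p[2];
    if (pipe(p) < 0) return -1;
    int a = agent_peer_gone(p[0], 10);
    int b = service_agent_gone(p[1]);
    close(p[0]);
    close(p[1]);
    return (a == 0 && b == 0) ? 0 : -1;
}
```

EPOLLHUP on a pipe read end is reported only when every write end is closed, so the Agent must keep exactly one copy of the service's write end per pipe; a stray duplicate (for example, inherited across a fork without CLOEXEC) would mask the service's exit.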
Through the above embodiment, when a bug in the Agent (for example, a second-type key agent module), that is, a long-dormant obscure bug, is unexpectedly triggered, or when the resources of the hardware server are absolutely insufficient, some security can be sacrificed to keep the service running normally; in other words, the loss of security is kept as small as possible on the premise that the service keeps working.
Specifically, the Agent decides whether to enter disaster recovery mode. The Agent's own protections (running as root, resistance to debugging, and so on) are far stronger than those of an ordinary service; in normal operation the service still does not hold the key, and the key list cannot be stolen simply by dumping the shared memory N that holds the encrypted key list, which improves security. Further, it is reasonable for the Agent to make the disaster recovery decision: because the descriptors used for communication between the two sides are shared, once the Agent has written the reply data into the communication shared memory and the buffer of the communication descriptor, the service thread is guaranteed to be able to read it unconditionally, and the Agent additionally reserves 3 milliseconds for the service to read the result, which is ample. If the service still times out, the time is being spent elsewhere and the performance problem has little to do with the Agent. This approach avoids the problem of non-shared descriptors, where the service and the Agent communicate through different descriptors and, after the Agent writes the result into its own descriptor's buffer, the kernel still has to "move" the data into the service descriptor's buffer before the service can read the result; in that case it would not necessarily be reasonable for the Agent to control the disaster recovery switch.
It should further be noted that even in the pipe disaster recovery mode, N remains encrypted, so the key list still cannot be stolen simply by dumping the shared memory N holding the encrypted key list. An attacker would have to seize the moment to obtain M by attacking the service (for example, by debugging it) before being able to steal the key list. So even if a malicious party wanted to steal the key list through the disaster recovery mode, it would have to cause a considerable disturbance, that is, at least provoke a service failure on one physical machine, or exploit one while it occurs; because the service is then visibly misbehaving, the attack is conspicuous and the attacker's risk is high.
Optionally, while ciphertext processing requests are being executed by a first-type or a second-type key agent module, the method further includes: the service thread obtaining the key data of the key agent module, where the key agent module is configured to send the key data when it detects that the success rate of executing ciphertext processing requests is below the second predetermined threshold; decrypting the key list stored in shared memory with the key data to obtain the decrypted key list; and executing ciphertext processing requests in the service module using the decrypted key list.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
In an optional embodiment, the service processing method can also be applied in the system in which the key agent module resides, implemented as follows: a first-type key agent module receives and executes ciphertext processing requests from the service module and obtains execution results; a second-type key agent module receives and executes ciphertext processing requests from the service module, where the service module is configured to send ciphertext processing requests to the second-type key agent module when first information generated from the execution results meets a predetermined type switching condition.
Optionally, the first-type key agent module is a development-type key agent module and the second-type key agent module is a stable-type key agent module, a stable-type key agent module being one whose correctness rate in executing ciphertext processing requests has been above a predetermined correctness rate for a predetermined period.
Optionally, before the first-type key agent module receives and executes ciphertext processing requests from the service module and obtains execution results, the method further includes: after the files of a key agent module in the system have been updated, recording the key agent module on which the update was performed as a first-type key agent module. After the first-type key agent module has received and executed ciphertext processing requests from the service module and obtained execution results, the method further includes: if, throughout a predetermined period, the correctness rate of the first-type key agent module in executing ciphertext processing requests is found to be above the predetermined correctness rate, recording the first-type key agent module as a second-type key agent module.
Optionally, while a first-type key agent module is executing the service module's ciphertext processing requests, the method further includes: if the files in the key agent module need to be updated, updating the files in the first-type key agent module.
Optionally, while the key agent module is executing ciphertext processing requests, the method further includes: the key agent module checking whether the success rate of executing ciphertext processing requests is below the second predetermined threshold; if it is found to be below the second predetermined threshold, sending the key data to the service module, where the key data is used to decrypt the key list stored in shared memory to obtain the decrypted key list, and the service module is further configured to execute ciphertext processing requests using the decrypted key list.
Optionally, before the key agent module checks whether the success rate of executing ciphertext processing requests is below the second predetermined threshold, the method further includes: after executing a ciphertext processing request, the key agent module determining from the request time carried in the request and the current time whether execution of the current request has timed out; if it has, determining that execution of the current ciphertext processing request failed; and computing the success rate of the key agent module's execution of ciphertext processing requests from the number of requests that failed.
Optionally, before the key agent module checks whether the success rate of executing ciphertext processing requests is below the second predetermined threshold, the method further includes: receiving the second-end descriptor of the communication pipe transmitted by the service thread, where the service thread generates the first-end descriptor and the second-end descriptor, the first-end descriptor being used by the key agent module to identify data sent by the service module as legitimate, and the second-end descriptor being used by the service module to identify data sent by the key agent module as legitimate.
Optionally, sending the key data to the service module includes: sending the key data through the write end of each service thread's communication pipe.
Optionally, while ciphertext processing requests are being executed by the key agent module, the method further includes: after the key agent module has verified the legitimacy of the service process, and if the verification passes, the key agent module receiving the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legitimate; the key agent module generating multiple second file descriptors, where the second file descriptors are used by the service module to identify data sent by the key agent module as legitimate; and the key agent module transmitting the multiple second file descriptors to the service module.
Optionally, the number of second file descriptors corresponds to the number of threads in the key agent module that execute ciphertext processing requests.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
According to an embodiment of the present application, for the case in which the ciphertext processing request is a request to encrypt data into ciphertext data, an embodiment of a service encryption method is provided.
Optionally, in this embodiment, the service encryption method may be applied in a hardware environment consisting of a server 602 and a terminal 604 as shown in FIG. 6. As shown in FIG. 6, the server 602 is connected to the terminal 604 over a network, which includes but is not limited to a wide area network, a metropolitan area network or a local area network; the terminal 604 is not limited to a PC, a mobile phone, a tablet or the like. The service encryption method of this embodiment may be executed by the server 602, by the terminal 604, or jointly by the server 602 and the terminal 604. When executed by the terminal 604, it may also be executed by a client installed on it.
The main working principle of the hardware environment shown in FIG. 6 is as follows:
In this embodiment, the key agent module is installed in the terminal 604. When a service needs encryption, the service module sends an encryption request carrying the data to be encrypted to the key agent module. After obtaining the encryption request, the key agent module takes a target key from the key list it has pulled, encrypts the data to be encrypted with the target key to obtain the encrypted data, and finally sends the encrypted data to the service module.
It should be noted that in this embodiment the key list is the list of keys pulled by the key agent module from the server 602 (for example, a key server) when it is first started.
FIG. 7 is a flowchart of an optional service encryption method according to an embodiment of the present application. As shown in FIG. 7, the method may include the following steps:
Step S702: the key agent module receives an encryption request sent by the service module, where the encryption request carries the data to be encrypted.
In this embodiment, the key agent module (hereinafter the key Agent) may be implemented as a single process with multiple threads; the service module is configured to send encryption requests to the key Agent, and the key Agent and the service module reside on the same physical machine.
Specifically, when a service needs encryption, the service module sends an encryption request carrying the data to be encrypted to the key Agent; after obtaining the encryption request, the key Agent performs step S704 below, that is, it obtains the target key from the key list according to the encryption request.
Step S704: the key agent module obtains the target key from the key list, where the key list was pulled in advance from the key server.
In this embodiment, when the key agent module (the Agent) restarts, the key Agent pulls the key list from the key server. It should be noted that the key Agent pulls the key list from the key server only on restart and does not pull it again at any other time after starting.
After obtaining the encryption request sent by the service module, the key Agent obtains the target key from the previously pulled key list, where the target key is used to encrypt the data to be encrypted.
Step S706: the key agent module encrypts the data to be encrypted with the target key to obtain the encrypted data.
In this embodiment, after obtaining the target key from the key list, the key Agent encrypts the data to be encrypted with the target key.
Step S708: the key agent module sends the encrypted data to the service module.
In this embodiment, after encrypting the data to be encrypted with the target key and obtaining the encrypted data, the key agent module sends the encrypted data to the service module.
Through steps S702 to S708, the key agent module receives the encryption request, obtains the target key according to the request, and encrypts the data to be encrypted with the target key. The service encryption approach provided in this embodiment encrypts services more securely, which improves the security of the keys used when encrypting services and solves the technical problem in the related art that those keys are poorly protected.
Optionally, before the key agent module receives the encryption request from the service module, the key agent module may send a first public key to the key server and receive a second public key from the key server, where the key agent module holds a pair consisting of the first public key and a first private key, and the key server holds a pair consisting of the second public key and a second private key. The key agent module sends a key list pull request to the key server and receives the encrypted key list from it, where the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, the first communication key being generated by the key server from the first public key and the second private key. The key agent module decrypts the encrypted key list with a second communication key on the key agent module side to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key and the second communication key are identical.
In this embodiment, before the key Agent receives an encryption request it must pull the key list from the key server. Because the key list pulled from the key server is encrypted, the key Agent must decrypt it.
In this embodiment, the key list pulled by the key Agent has been encrypted with the first communication key on the key server side, so when decrypting it the key agent module must use the second communication key, which is identical to the first. The first communication key is generated by the key server from the first public key and the second private key; the second communication key is generated by the key agent module from the first private key and the second public key. The first public key and the first private key are the pubkey/prikey pair generated by the key Agent before it sends the key list pull request to the key server; the second public key and the second private key are the pubkey/prikey pair generated by the key server.
It should be noted that, because the first communication key is generated from the first public key and the second private key, and the second communication key from the first private key and the second public key, the key Agent and the key server must exchange their public keys before the key agent module sends the key list pull request. After the exchange, the key agent module can generate the second communication key used to decrypt the key list once it has sent the pull request, and the key server can generate the first communication key used to encrypt the key list.
其中,交换双方的公钥和密钥具体为:Agent将第一公钥发送给密钥服务器SVR,然后,Agent从密钥服务器SVR中接收第二公钥,交换之后,Agent就可以使用第一私钥和第二公钥加密后的密钥列表进行解密。The public key and the key of the exchanged parties are specifically: the agent sends the first public key to the key server SVR, and then the agent receives the second public key from the key server SVR. After the exchange, the agent can use the first The private key and the second public key encrypted key list are decrypted.
需要说明的是,在本申请实施例中,Agent和密钥服务器在进行密钥交换时,可以采用密钥交换协议(即,ECDH协议)交换双方的pubkey和各自的prikey。It should be noted that, in the embodiment of the present application, when performing key exchange, the agent and the key server may exchange the pubkeys of the two parties and the respective prikeys by using a key exchange protocol (ie, an ECDH protocol).
通过上述描述可知,本申请中的密钥列表使用第一公钥和第二私钥进行加密,并使用第一私钥和第二公钥进行解密。然而,在相关技术中,网络上传递的只有Agent和密钥服务器的公钥pubkey,因此,采用本申请中的加密方式,即使被tcpdump也反推不出密钥,这样就避免了内网抓包导致的密钥泄漏的现象发生。As can be seen from the above description, the key list in the present application is encrypted using the first public key and the second private key, and decrypted using the first private key and the second public key. However, in the related art, only the public key pubkey of the Agent and the key server is transmitted on the network. Therefore, by using the encryption method in the present application, even if the key is reversed by the tcpdump, the intranet is avoided. The phenomenon of key leakage caused by the packet occurs.
密钥Agent在从密钥服务器中拉取到密钥列表,并对密钥列表进行解密之后,密钥Agent需要验证业务进程的合法性,其中,业务进程为待加密的数据所表示的进程。 After the key agent pulls the key list from the key server and decrypts the key list, the key agent needs to verify the legality of the business process, wherein the business process is a process represented by the data to be encrypted.
在本申请的另一个可选的实施方式中,密钥代理模块将第一公钥发送给密钥服务器,并从密钥服务器接收第二公钥包括:在密钥代理模块重启时,密钥代理模块将加密后的第一公钥发送给密钥服务器,其中,加密后的第一公钥是使用约定密钥对第一公钥进行加密得到的;密钥代理模块从密钥服务器接收加密后的第二公钥,其中,加密后的第二公钥是使用约定密钥对第二公钥进行加密得到的;密钥代理模块使用约定密钥对加密后的第二公钥进行解密,得到第二公钥;其中,约定密钥被设置为仅在密钥代理模块重启时使用。In another optional implementation manner of the present application, the key agent module sends the first public key to the key server, and receiving the second public key from the key server includes: when the key agent module is restarted, the key The proxy module sends the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key using the agreed key; the key proxy module receives the encryption from the key server a second public key, wherein the encrypted second public key is obtained by encrypting the second public key using the agreed key; the key proxy module decrypts the encrypted second public key by using the agreed key, A second public key is obtained; wherein the appointment key is set to be used only when the key broker module is restarted.
需要说明的是,当密钥Agent重启时,在密钥Agent向密钥服务器发送第一公钥时,需使用约定密钥对第一公钥进行加密,并将使用约定密钥加密之后的第一公钥发送给密钥服务器,其中,密钥服务器在获取到第一公钥之后,就可以使用约定密钥进行解密。相同地,密钥服务器在向密钥Agent发送第二公钥时,也使用约定密钥对第二公钥进行加密,并将加密之后的第二公钥发送至密钥Agent,其中,密钥Agent在接收到加密之后的第二公钥之后,就可以使用约定密钥对第二公钥进行解密。It should be noted that when the key agent is restarted, when the key agent sends the first public key to the key server, the first public key is encrypted by using the agreed key, and the first key is encrypted after using the agreed key. A public key is sent to the key server, and after the key server obtains the first public key, it can decrypt using the agreed key. Similarly, when the key server sends the second public key to the key agent, the second public key is also encrypted using the agreed key, and the encrypted second public key is sent to the key agent, where the key After receiving the second public key after encryption, the agent can decrypt the second public key using the agreed key.
需要说明的是,在本申请实施例中,只有在密钥Agent重启时才会使用“约定密钥”对第一公钥和第二公钥进行加密,并互相传输。也就是说,只有密钥Agent的维护者在变更密钥Agent时重启进程才是唯一合法使用约定密钥的时机,其它任何情形都是非法使用。例如,密钥Agent的维护者在密钥Agent重启时,使用了约定密钥获取密钥列表,在此之后,如果其他使用者再次使用约定密钥获取密钥列表时,表明该使用者为滥用者。因此,在本申请实施例中,仅在密钥Agent重启时才会使用一次“约定密钥”的设置,能够快速并有效地检测出滥用者。It should be noted that, in the embodiment of the present application, the first public key and the second public key are encrypted and transmitted to each other only when the key agent is restarted, using the “contract key”. That is to say, only the maintainer of the key agent restarts the process when changing the key agent is the only time to legally use the agreed key, and any other situation is illegal. For example, the maintainer of the key agent uses the contract key to obtain the key list when the key agent is restarted. After that, if other users use the agreed key again to obtain the key list, the user is abused. By. Therefore, in the embodiment of the present application, the setting of the "contract key" is used only when the key agent is restarted, and the abuser can be detected quickly and effectively.
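The restart handshake and key-list pull described above (both public keys crossing the wire under the agreed key, then an ECDH-derived communication key wrapping the key list), as an added example that is not the applicant's code. X25519 (RFC 7748) is used as the ECDH instance; the page names neither the cipher that wraps the key list and the public keys nor the form of the agreed key, so the HMAC-SHA256 stream cipher, the 32-byte agreed key and the agent_id label are assumptions:

```python
"""Key-list pull between the key Agent and the key server (added example, not the applicant's code).

X25519 stands in for the ECDH the page names. The cipher wrapping the key list and the public
keys is assumed (encrypt-then-MAC from HMAC-SHA256); the agreed key is assumed to be 32 bytes.
"""
import hashlib
import hmac
import json
import os

P = 2 ** 255 - 19
BASEPOINT = bytes([9]) + bytes(31)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * point, both 32 little-endian bytes."""
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Fresh (prikey, pubkey); the Agent generates a new pair on every restart."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def comm_key(my_priv: bytes, peer_pub: bytes) -> bytes:
    """Agent: (first prikey, second pubkey); server: (second prikey, first pubkey).
    Both reach the same curve point, hence the same communication key."""
    return hashlib.sha256(b"keylist-comm" + x25519(my_priv, peer_pub)).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC, separate keystream and MAC keys)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong communication key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct))))


class KeyServer:
    """Holds the second key pair, the agreed key and the plaintext key list."""
    def __init__(self, agreed_key: bytes, key_list: dict):
        self.priv, self.pub = keygen()
        self.agreed_key, self.key_list = agreed_key, key_list
        self.sessions = {}     # agent_id -> first communication key
        self.agreed_uses = []  # every agreed-key use is logged; more than one per restart is abuse

    def handshake(self, agent_id: str, wrapped_agent_pub: bytes) -> bytes:
        """Restart-only path: both public keys cross the wire wrapped under the agreed key."""
        agent_pub = open_sealed(self.agreed_key, wrapped_agent_pub)
        self.agreed_uses.append(agent_id)
        self.sessions[agent_id] = comm_key(self.priv, agent_pub)
        return seal(self.agreed_key, self.pub)

    def pull_key_list(self, agent_id: str) -> bytes:
        return seal(self.sessions[agent_id], json.dumps(self.key_list).encode())


class KeyAgent:
    def __init__(self, agent_id: str, agreed_key: bytes):
        self.agent_id, self.agreed_key = agent_id, agreed_key
        self.priv, self.pub = keygen()   # first key pair, new at every restart
        self.key_list = None

    def restart_and_pull(self, server: KeyServer) -> dict:
        wrapped = server.handshake(self.agent_id, seal(self.agreed_key, self.pub))
        server_pub = open_sealed(self.agreed_key, wrapped)
        comm = comm_key(self.priv, server_pub)            # second communication key
        self.key_list = json.loads(open_sealed(comm, server.pull_key_list(self.agent_id)))
        return self.key_list


if __name__ == "__main__":
    srv = KeyServer(os.urandom(32), {"k-2017-07": os.urandom(16).hex()})  # constructed sample
    print(KeyAgent("agent-host-1", srv.agreed_key).restart_and_pull(srv) == srv.key_list)
```

What an observer on the network sees is the two wrapped public keys and the sealed key list; without a private key or the agreed key, none of it yields the communication key. The server's agreed_uses log is what the abuse detection in the passage above keys on: a second handshake from the same agent_id without a maintainer restart shows up there.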
Because the key list obtained from the key server is encrypted, the key Agent must decrypt it after pulling it.
Optionally, before the key agent module receives the encryption request from the service module, it may also obtain the process PID of the service process, the service process being the process in which the service module sends the data to be encrypted; the key agent module then performs a legitimacy check on the service process and its PID, and only if the check passes does the key agent module obtain the target key from the key list.
In this embodiment, before the service process that owns the data to be encrypted in the service module is served, the legitimacy of that service process must be established. To do so, the key Agent obtains the process PID of the service process and then verifies the PID and the service process. If the result is that the process and its PID are legitimate, i.e. the check passes, the key agent module may obtain the target key from the key list and encrypt the data to be encrypted with it.
In this embodiment, the key agent module may obtain the kernel-authenticated PID of the service process from the unix domain socket over which the service module connects: the kernel attaches the sender's credentials (PID, UID and GID) as SCM_CREDENTIALS ancillary data, or the Agent reads them with the SO_PEERCRED socket option. SCM_RIGHTS is the companion ancillary message type on the same unix domain socket; it carries file descriptors rather than credentials and is what the descriptor exchange described later uses.
Further, the legitimacy check that the key agent module performs on the service process and its PID consists of the following steps:
Step S1: the key agent module obtains the full path of the process corresponding to the process PID;
Step S2: the key agent module determines whether the full path of the process is one of the legal paths obtained in advance from the key server;
Step S3: if the full path of the process is one of the legal paths, the key agent module computes an MD5 checksum of the service process to obtain a first MD5 result; if it is not one of the legal paths, the legitimacy check fails;
Step S4: the key agent module determines whether the first MD5 result equals the second MD5 result for this service process that was obtained in advance;
Step S5: if the first MD5 result equals the second MD5 result, the legitimacy check passes; if they differ, the legitimacy check fails.
The check thus runs as follows: the key agent module first resolves the full path of the process with the given PID and compares it with the legal paths previously fetched from the key server. If the full path is one of the legal paths, the key agent module goes on to compute the MD5 of the service process, giving the first MD5 result; if not, the legitimacy check of the service process and its PID fails. It then compares the first MD5 result with the second MD5 result obtained in advance: if they are equal the check passes, if they differ it fails. Two cautions apply in practice: MD5 is no longer collision resistant, so a current deployment would use SHA-256 for this comparison, and the digest should be taken over the image that is actually executing (/proc/<pid>/exe on Linux) rather than over the path on disk, which can be swapped after the process has started.
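Steps S1 to S5 as an added example (not the applicant's code), with the PID obtained from SO_PEERCRED on the unix domain socket. The legal-path table is assumed to map full path to expected hex digest, as fetched from the key server; the digest is read through /proc/<pid>/exe so that the running image is what gets hashed; the digest algorithm is a parameter defaulting to the page's MD5:

```python
"""Legitimacy check of a service process before it may use the key Agent (added example,
not the applicant's code; Linux only).

PID: SO_PEERCRED on the unix domain socket, filled in by the kernel, not chosen by the peer.
Path: /proc/<pid>/exe.  Digest: over /proc/<pid>/exe itself, i.e. the image actually running.
legal: assumed {full_path: expected_hex_digest}, as pulled from the key server.
"""
import hashlib
import hmac
import os
import socket
import struct

_UCRED = struct.Struct("3i")   # struct ucred { pid_t pid; uid_t uid; gid_t gid; }


def peer_credentials(sock: socket.socket):
    """(pid, uid, gid) of the peer as recorded by the kernel at connect/socketpair time."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def exe_path(pid: int) -> str:
    """Step S1: full path of the executable behind the PID."""
    return os.readlink(f"/proc/{pid}/exe")


def image_digest(pid: int, algo: str = "md5") -> str:
    """Step S3: digest of the running image, read through /proc/<pid>/exe."""
    h = hashlib.new(algo)
    with open(f"/proc/{pid}/exe", "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_process(pid: int, legal: dict, algo: str = "md5"):
    """Steps S1 to S5. Returns (passed, reason)."""
    try:
        path = exe_path(pid)
    except OSError as exc:                 # process gone, or no ptrace access to it
        return False, f"cannot resolve exe of pid {pid}: {exc}"
    if path.endswith(" (deleted)"):        # binary replaced on disk after exec
        return False, f"{path}: on-disk binary replaced since exec"
    expected = legal.get(path)             # step S2
    if expected is None:
        return False, f"{path} is not a legal path"
    actual = image_digest(pid, algo)       # step S3
    if not hmac.compare_digest(actual, expected):   # steps S4 and S5
        return False, f"{path}: {algo} {actual} != expected {expected}"
    return True, "ok"


def demo():
    """Both ends of one socketpair live in this process, so the peer PID is our own
    and the 'legal' table is built from our own image (constructed input)."""
    agent_end, service_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, _uid, _gid = peer_credentials(agent_end)
    finally:
        agent_end.close()
        service_end.close()
    path = exe_path(pid)
    legal = {path: image_digest(pid)}      # as if fetched from the key server
    ok, _ = verify_process(pid, legal)
    wrong_digest, _ = verify_process(pid, {path: "0" * 32})
    unlisted, _ = verify_process(pid, {"/usr/local/bin/other-service": legal[path]})
    return pid == os.getpid(), ok, wrong_digest, unlisted


if __name__ == "__main__":
    print(demo())
```

demo() shows the three outcomes: pass, digest mismatch, and path not in the list. Reading /proc/<pid>/exe of a process with a different UID is a ptrace-mode access check, so an Agent running under its own service account needs CAP_SYS_PTRACE for that, or must restrict itself to peers whose UID it shares.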
Optionally, when the legitimacy check of the service process and its PID passes, the key agent module obtains a first file descriptor sent by the service module, which the key agent module uses to recognize data sent by the service module as legitimate; the key agent module then generates a second file descriptor, which the service module uses to recognize data sent by the key agent module as legitimate; finally, the key agent module passes the second file descriptor to the service module.
Once the service process has passed the legitimacy check, the key agent module and the service module exchange file descriptors. Specifically, the key agent module first obtains the service module's first file descriptor, after which it can recognize data sent by the service module as legitimate. At that point the service module has handed a descriptor to the key agent module, and the key agent module must hand one back: it passes the second file descriptor it generated to the service module, which can thereafter recognize data sent by the key agent module as legitimate.
In this embodiment, the first file descriptor and the second file descriptor correspond to data blocks in shared memory. The shared memory holds the data to be encrypted carried by the encryption request and the encrypted data, as described in detail in the following embodiments. For example, when the service module places data to be encrypted in shared memory, it writes it into the region of shared memory associated with the first file descriptor. Once the data has been stored, the key agent module learns that the service module has put data to be encrypted in shared memory and fetches it from that region.
Several eventfd file descriptors can be exchanged in one go, and more can be exchanged after a further check when they run out, which markedly reduces the number of check requests; the applicant found through testing that the maximum number of file descriptors Linux passes in a single exchange is 255 (the kernel's compile-time cap, SCM_MAX_FD in include/net/scm.h, is 253 descriptors per SCM_RIGHTS message in current Linux). Once the key agent module and the service module have completed the descriptor exchange, the key agent module can accept encryption requests from the service module and encrypt the data to be encrypted that they carry.
Further, when the legitimacy check of the service process and its PID passes, the key agent module may also set a target permission on the first file descriptor. The target permission includes at least one of: allowing the key agent module to encrypt data the service module asks to have encrypted, and allowing the key agent module to decrypt data the service module asks to have decrypted.
Specifically, when the legitimacy check of the service process and its PID passes, the key agent module may, after the descriptor exchange, set the target permission on the first file descriptor, the permission comprising: allowing the key agent module to encrypt data the service module submits for encryption, and allowing the key agent module to decrypt data the service module submits for decryption.
Once the key agent module has set the target permission on the first file descriptor, it can encrypt the data to be encrypted according to the encryption request it receives and then send the encrypted data to the service module.
Here, the key agent module receiving the encryption request from the service module comprises the key agent module fetching from shared memory the data to be encrypted that the service module stored there; and the key agent module sending the encrypted data to the service module comprises the key agent module storing the encrypted data in shared memory so that the service module can fetch the encrypted data from shared memory.
When the service module sends an encryption request to the key agent module, it stores the request in shared memory; the key agent module then fetches the stored data to be encrypted from shared memory. Likewise, after the key agent module has encrypted the data with the target key, it stores the result in shared memory, from which the service module retrieves the encrypted data.
As described above, in this embodiment the key agent module has already set the target permission on the first file descriptor. In that case, if the legitimacy check passes, the key agent module obtains the target key from the key list as follows: when the target permission includes allowing the key agent module to encrypt data the service module asks to have encrypted, the key agent module obtains the target key from the key list.
Because the target permission may allow only decryption of the data the service module submits, or may allow encryption of the data the service module submits, the key agent module may obtain the target key from the key list and use it to encrypt the data only after it has determined that the target permission allows it to encrypt data the service module submits for encryption.
In an optional implementation of this embodiment, the key agent module obtaining the process PID of the service process comprises: the key agent module obtaining the PID of the service process over a unix domain socket while running in non-root mode; or the key agent module setting the SO_PEERCRED option on the socket and obtaining the PID of the service process through that socket.
In this embodiment, the process PID is carried as credential ancillary data (SCM_CREDENTIALS) over the unix domain socket. A unix domain socket delivers an accurate PID this way only for processes running in non-root mode, because a root process can forge the credentials it sends; therefore any need to run in root mode on the host must be approved before PIDs are passed, i.e. the PID of the service process must be obtained over the unix domain socket in non-root mode. Alternatively, the key agent module can set the SO_PEERCRED option on the socket and read the PID of the service process from it; SO_PEERCRED reports the credentials the kernel recorded when the connection was made, which the peer cannot choose.
In summary, in this embodiment the data to be encrypted is encrypted and decrypted indirectly through the key Agent. The communication between the service module and the key Agent can be any standard Linux IPC mechanism, including but not limited to pipes, unix socket pairs and local disk files; the Linux eventfd adopted here is the most efficient and the best suited to very large volumes of encryption and decryption requests. By building the encryption and decryption program on the standard mechanisms of the modern Linux kernel, the method both raises key security and keeps the loss of encryption and decryption performance to a minimum, ensuring it is effective in practice.
According to an embodiment of this application, for the case where the ciphertext processing request is a request to decrypt ciphertext data into decrypted data, an embodiment of a service decryption method is provided.
FIG. 8 is a flowchart of an optional service decryption method according to an embodiment of this application. As shown in FIG. 8, the method may include the following steps:
Step S802: the key agent module receives a decryption request from the service module, the decryption request carrying the data to be decrypted.
In this embodiment, the key agent module (hereinafter the Agent) may be implemented as a single process with multiple threads; the service module is configured to send decryption requests to the Agent, and the Agent and the service module reside on the same physical machine.
Specifically, when a service needs data decrypted, the service module sends the Agent a decryption request carrying the data to be decrypted; having received it, the Agent proceeds to step S804 below, obtaining the target key from the key list according to the decryption request.
Step S804: the key agent module obtains the target key from the key list, the key list having been pulled in advance from the key server.
In this embodiment, when the key agent module Agent restarts, it pulls the key list from the key server. Note that the Agent pulls the key list only when it restarts and does not pull it again at any other time while running.
After receiving the decryption request from the service module, the Agent obtains the target key from the previously pulled key list; the target key is used to decrypt the data to be decrypted.
Step S806: the key agent module decrypts the data to be decrypted with the target key to obtain the decrypted data.
In this embodiment, once the Agent has obtained the target key from the key list, it decrypts the data to be decrypted with that key.
Step S808: the key agent module sends the decrypted data to the service module.
In this embodiment, after the key agent module has decrypted the data to be decrypted with the target key and obtained the decrypted data, it sends the decrypted data to the service module.
Through steps S802 to S808 above, the key agent module receives the decryption request, obtains the target key according to that request, and then decrypts the data to be decrypted with the target key. The service decryption scheme of this embodiment therefore decrypts services more securely, which improves the security of the key used for service decryption and solves the problem in the related art that keys used for service decryption are poorly protected.
可选地,在密钥代理模块接收业务模块发送的解密请求之前,还包括:密钥代理模块将第一公钥发送给密钥服务器,并从密钥服务器接收第二公钥,其中,密钥代理模块上具有一对第一公钥和第一私钥,密钥服务器上具有一对第二公钥和第二私钥;密钥代理模块向密钥服务器发送密钥列表拉取请求;密钥代理模块接收密钥服务器发送的加密后的密钥列表,其中, 加密后的密钥列表是使用密钥服务器侧的第一通讯密钥对密钥列表进行加密得到的,第一通讯密钥是密钥服务器根据第一公钥和第二私钥生成得到的;密钥代理模块使用密钥代理模块侧的第二通讯密钥对加密后的密钥列表进行解密,得到密钥列表,其中,第二通讯密钥是密钥代理模块根据第一私钥和第二公钥生成得到的,第一通讯密钥与第二通讯密钥相同。Optionally, before the key proxy module receives the decryption request sent by the service module, the method further includes: the key proxy module sending the first public key to the key server, and receiving the second public key from the key server, where The key agent module has a pair of first public key and a first private key, and the key server has a pair of second public key and a second private key; the key agent module sends a key list pull request to the key server; The key agent module receives the encrypted key list sent by the key server, where The encrypted key list is obtained by encrypting the key list by using the first communication key on the key server side, and the first communication key is generated by the key server according to the first public key and the second private key; The key agent module decrypts the encrypted key list by using the second communication key on the key agent module side to obtain a key list, wherein the second communication key is a key agent module according to the first private key and the first The second public key is generated by the second public key, and the first communication key is the same as the second communication key.
在本申请实施例中,在密钥Agent接收解密请求之前,需要从密钥服务器拉取密钥列表,其中,由于从密钥服务器拉取到的密钥列表为加密之后的密钥列表。因此,密钥Agent需要对拉取到的密钥列表进行解密。In the embodiment of the present application, before the key Agent receives the decryption request, the key list needs to be pulled from the key server, wherein the key list pulled from the key server is the encrypted key list. Therefore, the key agent needs to decrypt the extracted key list.
在本申请实施例中,密钥Agent拉取到的密钥列表是使用密钥服务器侧的第一通讯密钥对密钥列表进行加密得到的,那么密钥代理模块在对密钥列表进行解密时,需使用与第一通讯密钥相同的第二通讯密钥对密钥列表进行解密。其中,第一通讯密钥是密钥服务器根据第一公钥和第二私钥生成得到的,第二通讯密钥是密钥代理模块根据第一私钥和第二公钥生成得到的。第一公钥和第二公钥是密钥Agent在向密钥服务器发送密钥列表的拉取请求之前,生成的一对公钥pubkey和密钥prikey;第一私钥和第二私是密钥服务器生成的一对公钥pubkey和密钥prikey。In the embodiment of the present application, the key list extracted by the key agent is obtained by encrypting the key list by using the first communication key on the key server side, and then the key agent module decrypts the key list. The key list is decrypted using the same second communication key as the first communication key. The first communication key is generated by the key server according to the first public key and the second private key, and the second communication key is generated by the key agent module according to the first private key and the second public key. The first public key and the second public key are a pair of public keys pubkey and key prikey generated by the key agent before sending the key list to the key server; the first private key and the second private key are secret A pair of public keys pubkey and key prikey generated by the key server.
需要说明的是,由于第一通讯密钥根据第一公钥和第二私钥生成得到的,第二通讯密钥是根据第一私钥和第二公钥生成得到的。因此,在密钥代理模块向密钥服务器发送密钥列表拉取请求之前,密钥Agent和密钥服务器之间需要交换双方的公钥和密钥。在交换之后,密钥代理模块就可以在向密钥服务器发送密钥列表拉取请求之后,生成用于对密钥列表进行解密的第二通讯密钥,密钥服务器也可以生成用于对密钥列表进行加密的第一通讯密钥。It should be noted that, since the first communication key is generated according to the first public key and the second private key, the second communication key is generated according to the first private key and the second public key. Therefore, before the key agent module sends the key list pull request to the key server, the key agent and the key server need to exchange the public key and the key of both parties. After the exchange, the key agent module may generate a second communication key for decrypting the key list after transmitting the key list pull request to the key server, and the key server may also generate the secret key. The key list is encrypted with the first communication key.
其中,交换双方的公钥和密钥具体为:Agent将第一公钥发送给密钥服务器SVR,然后,Agent从密钥服务器SVR中接收第二公钥,交换之后,Agent就可以使用第一私钥和第二公钥加密后的密钥列表进行解密。 The public key and the key of the exchanged parties are specifically: the agent sends the first public key to the key server SVR, and then the agent receives the second public key from the key server SVR. After the exchange, the agent can use the first The private key and the second public key encrypted key list are decrypted.
需要说明的是,在本申请实施例中,Agent和密钥服务器在进行密钥交换时,可以采用密钥交换协议(即,ECDH协议)交换双方的pubkey和各自的prikey。It should be noted that, in the embodiment of the present application, when performing key exchange, the agent and the key server may exchange the pubkeys of the two parties and the respective prikeys by using a key exchange protocol (ie, an ECDH protocol).
通过上述描述可知,本申请中的密钥列表使用第一公钥和第二私钥进行加密,并使用第一私钥和第二公钥进行解密。然而,在相关技术中,网络上传递的只有Agent和密钥服务器的公钥pubkey,因此,采用本申请中的加密方式,即使被tcpdump也反推不出密钥,这样就避免了内网抓包导致的密钥泄漏的现象发生。As can be seen from the above description, the key list in the present application is encrypted using the first public key and the second private key, and decrypted using the first private key and the second public key. However, in the related art, only the public key pubkey of the Agent and the key server is transmitted on the network. Therefore, by using the encryption method in the present application, even if the key is reversed by the tcpdump, the intranet is avoided. The phenomenon of key leakage caused by the packet occurs.
After the key Agent pulls the key list from the key server and decrypts it, the key Agent needs to verify the legitimacy of the service process, where the service process is the process indicated by the data to be decrypted.
In an optional embodiment of the present application, the key agent module sending the first public key to the key server and receiving the second public key from the key server includes: when the key agent module restarts, the key agent module sends the encrypted first public key to the key server, where the encrypted first public key is obtained by encrypting the first public key with the agreed key; the key agent module receives the encrypted second public key from the key server, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; the key agent module decrypts the encrypted second public key with the agreed key to obtain the second public key; and the agreed key is set to be used only when the key agent module restarts.
It should be noted that when the key Agent restarts and sends the first public key to the key server, it must encrypt the first public key with the agreed key and send the first public key so encrypted to the key server; after the key server obtains the encrypted first public key, it can decrypt it with the agreed key. Similarly, when the key server sends the second public key to the key Agent, it also encrypts the second public key with the agreed key and sends the encrypted second public key to the key Agent; after receiving the encrypted second public key, the key Agent can decrypt it with the agreed key.
It should be noted that, in the embodiment of the present application, the "agreed key" is used to encrypt the first public key and the second public key for transmission to each other only when the key Agent restarts. That is, the only legitimate occasion for using the agreed key is when the maintainer of the key Agent restarts the process to change the key Agent; any other use is illegitimate. For example, the maintainer of the key Agent uses the agreed key to obtain the key list when the key Agent restarts; if, after that, another user uses the agreed key again to obtain the key list, that user is revealed as an abuser. Therefore, in the embodiment of the present application, the arrangement that the "agreed key" is used only once, at key Agent restart, allows abusers to be detected quickly and effectively.
Since the key list obtained from the key server is an encrypted key list, the key Agent needs to decrypt the key list after pulling it.
In an optional embodiment of the present application, before the key agent module receives the decryption request sent by the service module, the method further includes: the key agent module obtains the process PID of the service process, where the service process is the process in which the service module sends the data to be decrypted; and the key agent module performs a legitimacy check on the service process and the process PID. The key agent module obtaining the target key from the key list then includes: if the legitimacy check passes, the key agent module obtains the target key from the key list.
In the embodiment of the present application, before decrypting data for the service process indicated by the data to be decrypted in the service module, the legitimacy of that service process must first be determined. To determine it, the process PID of the service process can be obtained through the key Agent, and the key Agent then checks the legitimacy of the process PID and the service process. If the check result for the process PID and the service process is legitimate, i.e., the check passes, the key agent module can obtain the target key from the key list and decrypt the data to be decrypted with that target key.
It should be noted that, in the embodiment of the present application, the key agent module may obtain the kernel-authenticated process PID of the service process transmitted by the service module through the socket SCM_RIGHTS, where the socket SCM_RIGHTS applies to unix domain sockets.
In an optional embodiment of the present application, the key agent module performing the legitimacy check on the service process and the process PID includes: the key agent module obtains the full process path corresponding to the process PID; the key agent module determines whether the full process path is one of the legitimate paths obtained in advance from the key server; if the full process path is determined to be one of the legitimate paths, the key agent module performs an MD5 check on the service process to obtain a first MD5 check result; if the full process path is determined not to be one of the legitimate paths, the legitimacy check is determined to have failed; the key agent module determines whether the first MD5 check result is identical to a second MD5 check result obtained in advance for the service process; if the first MD5 check result is identical to the second MD5 check result, the legitimacy check is determined to have passed; if the first MD5 check result differs from the second MD5 check result, the legitimacy check is determined to have failed.
The specific check procedure is: the key agent module first obtains the full process path corresponding to the process PID, and then compares the full process path against the legitimate paths obtained in advance from the key server. If the full process path is one of the legitimate paths, the key agent module goes on to compute the MD5 of the service process to obtain the first MD5 check result; if the full process path is not one of the legitimate paths, the legitimacy check of the service process and the process PID fails. Next, it determines whether the first MD5 check result is identical to the second MD5 check result obtained in advance: if they are identical, the legitimacy check passes; if not, the legitimacy check fails.
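The check procedure above (resolve the caller's full path from its PID, compare it against the legitimate path list pulled from the key server, digest the binary, compare the digest) is shown below as an added example in C for Linux. It is not code from the patent or from the applicant; the path list and expected digest are constructed inputs, and 64-bit FNV-1a stands in for the MD5 named on the page (MD5 is not collision resistant, so a deployment would use SHA-256 or stronger). The digest is computed through /proc/<pid>/exe rather than the resolved path, so the bytes hashed are those of the binary actually running, not a file later placed at that path.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define EXE_PATH_MAX 4096

enum verify_result {
    VERIFY_OK = 0,
    VERIFY_NO_PROCESS,   /* /proc/<pid>/exe could not be read */
    VERIFY_BAD_PATH,     /* full path is not in the legitimate path list */
    VERIFY_BAD_DIGEST    /* digest of the running binary differs from the expected one */
};

/* Resolve the full executable path of pid from /proc/<pid>/exe (Linux). */
int proc_exe_path(pid_t pid, char *out, size_t outlen) {
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    ssize_t n = readlink(link, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Exact match against the legitimate path list obtained from the key server. */
int path_is_legitimate(const char *path, const char *const legit[], size_t n_legit) {
    for (size_t i = 0; i < n_legit; i++)
        if (strcmp(path, legit[i]) == 0) return 1;
    return 0;
}

/* 64-bit FNV-1a over a whole file: stand-in for the page's MD5 check. */
int digest_file(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint64_t h = 1469598103934665603ULL;
    int c;
    while ((c = fgetc(f)) != EOF) {
        h ^= (uint64_t)(unsigned char)c;
        h *= 1099511628211ULL;
    }
    fclose(f);
    *out = h;
    return 0;
}

/* The legitimacy check: path -> allow-list -> digest of the running binary
 * -> comparison with the expected digest. Any failed step is reported. */
enum verify_result verify_service_process(pid_t pid, const char *const legit[],
                                          size_t n_legit, uint64_t expected) {
    char path[EXE_PATH_MAX];
    if (proc_exe_path(pid, path, sizeof path) != 0) return VERIFY_NO_PROCESS;
    if (!path_is_legitimate(path, legit, n_legit)) return VERIFY_BAD_PATH;

    /* hash through the /proc link so a swapped file at `path` is not what gets hashed */
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    uint64_t got;
    if (digest_file(link, &got) != 0 || got != expected) return VERIFY_BAD_DIGEST;
    return VERIFY_OK;
}
```

Because the key agent resolves the path itself from the kernel-provided PID, the service process never gets to name its own path; the allow-list and expected digest are the only inputs the key server has to distribute.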
In an optional embodiment of the present application, after the key agent module performs the legitimacy check on the service process and the process PID, and before the key agent module receives the decryption request sent by the service module, the method further includes: if the legitimacy check passes, the key agent module obtains a first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to recognize data sent by the service module as legitimate data; the key agent module generates a second file descriptor, where the second file descriptor is used by the service module to recognize data sent by the key agent module as legitimate data; and the key agent module transmits the second file descriptor to the service module.
When the legitimacy check of the service process passes, file descriptors need to be exchanged between the key agent module and the service module. Specifically, the key agent module may first obtain the first file descriptor of the service module; having obtained the first file descriptor, the key agent module can recognize data sent by the service module as legitimate data. At this point the service module has handed its file descriptor to the key agent module, so the key agent module must hand a file descriptor to the service module in turn. The key agent module can then transmit the generated second file descriptor to the service module, and after receiving the second file descriptor the service module can recognize data sent by the key agent module as legitimate data.
In the embodiment of the present application, the first file descriptor and the second file descriptor correspond to data blocks in shared memory that store data, where the shared memory is used to store the data to be decrypted carried by the decryption request and the data after decryption; this is described in detail in the embodiments below. For example, when the service module stores the data to be decrypted in shared memory, it stores it in the region of shared memory corresponding to the first file descriptor. Once the data to be decrypted has been stored, the key agent module learns that the service module has stored data to be decrypted in shared memory, and then fetches the data to be decrypted from that region.
It should be noted that, in the embodiment of the present application, multiple file descriptors (eventfds) can be exchanged at once, and when they run out more eventfds can be exchanged through another check; this noticeably reduces the number of check requests. The applicant found through testing that the maximum number of fds that can be exchanged at once on a Linux system is 255. After the key agent module and the service module complete the exchange of file descriptors, the decryption request sent by the service module can be received, and the data to be decrypted in the decryption request can be decrypted.
Further, if the key agent module's legitimacy check of the service process and the process PID passes, the key agent module may also set a target permission for the first file descriptor, where the target permission includes at least one of the following: allowing the key agent module to decrypt the data to be decrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
Specifically, if the key agent module's legitimacy check of the service process and the process PID passes, the key agent module may set the target permission for the first file descriptor after the file descriptors are exchanged, where the target permission set includes: allowing the key agent module to decrypt the data to be decrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
After the key agent module has set the target permission for the first file descriptor, the key agent module can decrypt the data to be decrypted according to the received decryption request, and then send the decrypted data to the service module.
The key agent module receiving the decryption request sent by the service module includes: the key agent module obtains from shared memory the data to be decrypted that the service module stored there; and the key agent module sending the decrypted data to the service module includes: the key agent module stores the decrypted data in shared memory, so that the service module obtains the decrypted data from shared memory.
When the service module sends a decryption request to the key agent module, it stores the decryption request in shared memory. After that, the key agent module can obtain the stored data to be decrypted from shared memory. Similarly, after the key agent module decrypts the data using the target key, it likewise stores the decrypted data in shared memory, so that the service module can obtain the decrypted data from shared memory.
As can be seen from the above description, in the embodiment of the present application the key agent module has set the target permission for the first file descriptor in advance. In that case, if the legitimacy check passes, the key agent module obtaining the target key from the key list specifically means: when the target permission includes allowing the key agent module to decrypt the data to be decrypted requested by the service module, the key agent module obtains the target key from the key list.
It should be noted that, because the target permission may be either only allowing the key agent module to decrypt the data to be decrypted requested by the service module, or allowing the key agent module to decrypt the data to be decrypted requested by the service module, the key agent module can obtain the target key from the key list, and use the obtained target key to decrypt the data to be decrypted, only after determining that the target permission allows the key agent module to decrypt the data to be decrypted requested by the service module.
In an optional embodiment of the present application, the key agent module obtaining the process PID of the service process includes: the key agent module obtains the process PID of the service process through a unix domain socket in non-root running mode; or the key agent module configures the socket option SO_PEERCRED and obtains the process PID of the service process through the socket.
In the embodiment of the present application, the process PID is transmitted through the socket SCM_RIGHTS of the unix domain socket. Because a unix domain socket conveys an accurate process PID only for a process running in non-root mode, any requirement for root mode on the local machine must go through approval before the process PID is conveyed. That is, the process PID of the service process needs to be obtained through the unix domain socket in non-root running mode. Further, the key agent module can also configure the socket option SO_PEERCRED and obtain the process PID of the service process through the socket.
It should be noted that the service decryption method provided in the embodiment of the present application follows the same procedure as the service encryption method in FIG. 7. Therefore, the service decryption method is not described again in the embodiment of the present application.
The service encryption method provided by the present application is described below with reference to specific embodiments.
FIG. 9 is a flowchart of an optional service encryption method according to an embodiment of the present application. As shown in FIG. 9, the key Agent and the service module reside on the same physical machine.
In the embodiment of the present application, when the key Agent restarts, the key Agent encrypts the first public key with the agreed key and sends the encrypted first public key to the key server; the key agent module can also receive the encrypted second public key sent by the key server, where the second public key is likewise encrypted with the agreed key. After obtaining the second public key, the key Agent decrypts it with the agreed key; after obtaining the first public key, the key server likewise decrypts it with the agreed key.
Next, the key Agent can send a key list pull request to the key server. After receiving the key pull request, the key server transmits the encrypted key list to the key Agent, where the encrypted key list is obtained by encrypting the key list with the first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key. After receiving the encrypted key list, the key Agent can decrypt it with the second communication key, which is identical to the first communication key and is generated by the key agent module from the first private key and the second public key.
It should be noted that, in the embodiment of the present application, the "agreed key" is used to encrypt the first public key and the second public key for transmission to each other only when the key Agent restarts.
That is, the only legitimate occasion for using the agreed key is when the maintainer of the Agent restarts the process to change the Agent; any other use is illegitimate. For example, the maintainer of the Agent uses the agreed key to obtain the key list when the Agent restarts; if, after that, another user uses the agreed key again to obtain the key list, that user is revealed as an abuser. Therefore, in the embodiment of the present application, the arrangement that the "agreed key" is used only once, at key Agent restart, allows abusers to be detected quickly and effectively.
Since only the respective public keys (pubkeys) travel over the network, while the service encryption provided in the embodiment of the present application decrypts the encrypted key list with the first private key and the second public key, the key cannot be recovered even if the key list is captured with tcpdump; this avoids key leakage caused by packet capture on the intranet.
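The key-list pull described here and in the note on the first and second communication keys earlier on the page rests on one property: the server's key, derived from (first public key, second private key), equals the agent's key, derived from (first private key, second public key), while only the two public values cross the network. The C block below is an added example, not code from the patent or the applicant, that walks through the exchange with both roles in one process. It uses a finite-field Diffie-Hellman group (p = 2^31 - 1, g = 7) as a stand-in for the ECDH exchange the page names, so that all arithmetic fits in 64 bits, and a toy XOR keystream as a stand-in for whatever symmetric cipher protects the key list; neither offers real security, and the key list content is constructed.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy group: p = 2^31 - 1 (prime) with generator g = 7. Stand-in for ECDH;
 * chosen only so that every product below fits in a uint64_t. */
#define DH_P 2147483647ULL
#define DH_G 7ULL

/* Square-and-multiply modular exponentiation. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1) result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

/* Public value from a private scalar: the only thing that goes on the wire. */
uint64_t dh_public(uint64_t priv) { return modpow(DH_G, priv, DH_P); }

/* Communication key from own private scalar and the peer's public value.
 * Server: comm_key(second private, first public); agent: comm_key(first
 * private, second public). Both evaluate to g^(a*b) mod p, hence are equal. */
uint64_t comm_key(uint64_t own_priv, uint64_t peer_pub) {
    return modpow(peer_pub, own_priv, DH_P);
}

/* Toy keystream cipher: XOR with an LCG stream seeded from the communication
 * key. Symmetric, so the same call encrypts and decrypts. Not a real cipher. */
void toy_stream_xor(uint64_t key, const uint8_t *in, uint8_t *out, size_t n) {
    uint64_t s = key ^ 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < n; i++) {
        s = s * 6364136223846793005ULL + 1442695040888963407ULL;
        out[i] = in[i] ^ (uint8_t)(s >> 56);
    }
}

/* The whole pull, both sides in one process. agent_priv is the first private
 * key, server_priv the second. Returns 1 if the agent recovers the server's
 * key list with its own independently derived communication key. */
int demo_key_list_pull(uint64_t agent_priv, uint64_t server_priv) {
    /* constructed sample key list; a real one carries the service keys */
    const uint8_t key_list[] = "keyid=7;aes=00112233445566778899aabbccddeeff";
    size_t n = sizeof key_list;

    /* 1. exchange: an observer of the network sees exactly these two values */
    uint64_t first_pub  = dh_public(agent_priv);   /* agent  -> server */
    uint64_t second_pub = dh_public(server_priv);  /* server -> agent  */

    /* 2. server side: first communication key, encrypt the key list */
    uint64_t first_comm = comm_key(server_priv, first_pub);
    uint8_t wire[sizeof key_list];
    toy_stream_xor(first_comm, key_list, wire, n);

    /* 3. agent side: second communication key, decrypt what came back */
    uint64_t second_comm = comm_key(agent_priv, second_pub);
    uint8_t recovered[sizeof key_list];
    toy_stream_xor(second_comm, wire, recovered, n);

    return first_comm == second_comm && memcmp(recovered, key_list, n) == 0;
}
```

Neither private scalar ever leaves its side, which is why a capture of first_pub and second_pub alone does not yield the communication key; on this toy group it would, by brute force, so the point of the block is the symmetry of the derivation, not the strength of the parameters.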
It should be noted that, in the embodiment of the present application, the memory of the key Agent and the key server can also be protected. Specifically, the binaries of the key Agent and the key server can be stripped (i.e., all debugging information removed), and the code of the key Agent and the key server then kept securely isolated; this leaves gdb nearly blind, so that at the very least simply modifying variables becomes impossible.
After decrypting the key list, the key Agent needs to check the legitimacy of the service process and the PID of the service process. As shown in FIG. 10, the service module first creates a unix domain socket and creates the first file descriptor, then uses the unix domain socket's SCM_RIGHTS to transmit the first file descriptor to the key Agent, and uses SCM_CREDENTIA to transmit the kernel-authenticated process PID to the key Agent. Both SCM_RIGHTS and SCM_CREDENTIA apply to unix domain sockets: SCM_RIGHTS is used to transmit a descriptor from one process to another, which lets IPC mechanisms that otherwise work only between related processes (such as linux eventfd) be extended to unrelated processes; SCM_CREDENTIA is used to transmit the process PID authenticated by the kernel.
Applicants found through the relevant experiments that, among all the methods tried (for example, asynchronous IO, local network sockets, unix domain sockets, pipes, edge triggering, multiple requests per recv/send, eventfd) and all the documentation reviewed, the encryption efficiency is second only to shared-memory IPC and clearly faster than pipes and ordinary unix domain sockets, not to mention network sockets, and is the most practical.
At this point, once the process PID has been obtained, the legitimacy of the service process and the process PID can be checked; the specific check procedure is described in detail in steps S1 to S5 above and is not repeated here.
Further, if the legitimacy check passes, the service module may also send the first file descriptor eventfda to the key agent module; after obtaining the first file descriptor eventfda, the key agent module generates the second file descriptor eventfdb and sends the second file descriptor eventfdb to the service module, so that file descriptors are exchanged between the key agent module and the service module.
Further, if the legitimacy check passes, the key agent module may also set a target permission for the first file descriptor, where the target permission includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
Next, the service module can write data into the shared memory space corresponding to the first file descriptor eventfda, i.e., write the data to be encrypted into the shared memory region corresponding to the first file descriptor eventfda (write eventfda). After the write, the key agent module learns that the service module has written data; the key agent module then reads the data to be encrypted from shared memory (i.e., reads the second file descriptor, read eventfdb) and reads the target permission previously configured for the first file descriptor eventfda.
Finally, when the target permission includes allowing the key agent module to encrypt the data to be encrypted requested by the service module, the key agent module can obtain the target key from the key list, and then encrypt the data to be encrypted with the obtained target key.
It should be noted that, in the embodiment of the present application, only 8 bytes of data can be passed directly through an eventfd, so the body of the request packet (i.e., the packet requesting that the data to be encrypted be encrypted) and of the response packet (i.e., the packet carrying the data once encrypted) is kept in shared memory.
It should further be noted that storing the key in shared memory is unsafe, whereas storing the plaintext and ciphertext in shared memory is safe, because the 8 bytes of the eventfd can be used to carry the critical part, so that an attacker cannot obtain the complete key information.
Further, if the PID passed via SCM_CREDENTIA is wrong, sendmsg returns -1 and errno is set to 3 (the process does not exist) or 1 (an attempt to impersonate another process).
That is: #define ESRCH 3 /* No such process */
#define EPERM 1 /* Operation not permitted */
Further, a unix domain socket conveys an accurate process PID only for a process running in non-root mode, so any requirement for the key Agent to run in root mode must go through approval.
The key agent module can also configure the socket option SO_PEERCRED and obtain the process PID of the service process through the socket.
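The two kernel facilities this section relies on, SO_PEERCRED for a kernel-attested peer PID (this paragraph and the earlier one on obtaining the process PID) and SCM_RIGHTS for handing an eventfd across processes so that an 8-byte notification can follow, are shown together in the added C example below. It is not code from the patent or the applicant; both roles run inside one process over a socketpair so that it is self-contained, and the 42 written into the eventfd is a constructed notification value. A real agent would call peer_pid on the accepted connection, run the path and digest check on that PID, and only then accept descriptors.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/eventfd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials the kernel returns for SO_PEERCRED; same layout as struct ucred
 * in <sys/socket.h>, declared here so the block does not depend on feature macros. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Kernel-attested pid of the process at the other end of a connected AF_UNIX
 * socket. The peer supplies nothing here, so it cannot claim another pid. */
pid_t peer_pid(int sock) {
    struct peer_cred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0) return -1;
    return cr.pid;
}

/* Pass one descriptor with SCM_RIGHTS. A single payload byte travels with it
 * because ancillary data cannot be sent on its own. */
int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd; returns the new local fd or -1.
 * Anything that is not an SCM_RIGHTS control message is rejected. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Both roles in one process: the "service" end creates an eventfd and hands it
 * to the "agent" end, then writes the 8-byte counter value an eventfd can
 * carry; the agent reads it. Returns the value read, or a negative code. */
int64_t demo_eventfd_handoff(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int service = sv[0], agent = sv[1];
    int efd = eventfd(0, EFD_CLOEXEC);
    if (efd < 0) return -2;
    if (send_fd(service, efd) != 0) return -3;
    int agent_efd = recv_fd(agent);
    if (agent_efd < 0) return -4;
    uint64_t signal = 42, got = 0;   /* constructed 8-byte notification */
    if (write(efd, &signal, sizeof signal) != (ssize_t)sizeof signal) return -5;
    if (read(agent_efd, &got, sizeof got) != (ssize_t)sizeof got) return -6;
    close(agent_efd); close(efd); close(service); close(agent);
    return (int64_t)got;
}
```

The eventfd carries only the 8-byte counter, which matches the page's point that request and response bodies live in shared memory while the descriptor itself acts as the doorbell; the bulk data never passes through the socket.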
The embodiments of the present application are described below with reference to specific embodiments.
Assume the test environment is as follows:
Machine: an idle machine, 48 cores @ 2.6GHz;
Service processes: 60 processes, 4800 coroutines, interacting only with the Agent;
Key Agent: 10 processes; the service processes and the key Agent run freely, with no CPU priority set.
Test method:
Empty service: no logic at all, measuring the baseline efficiency of the network framework itself;
Local decryption: decrypting WeChat tickets directly;
Ticket = master ticket + slave ticket;
Master ticket: AES + asymmetric encryption, 16 bytes;
Slave ticket: symmetric encryption + asymmetric encryption, 12 bytes;
Key Agent decryption: decrypting WeChat tickets directly;
Ticket = master ticket + slave ticket;
Master ticket: AES encryption, 16 bytes;
Slave ticket: symmetric encryption, 12 bytes;
Note: because the key Agent greatly strengthens key security, asymmetric encryption is no longer needed.
Stress test results (overall CPU peak):
The tests show that with 5 external test machines, requests to the test service reached about 30W/S (300,000 requests per second), with CPU at 17% for the empty service, 31%-33% for local decryption, and 33%-34% for Agent decryption.
With 8 external test machines, requests to the test service reached about 40W/S (400,000 requests per second), with CPU at 27%-28% for the empty service, 55%-56% for local decryption, and 60%-61% for Agent decryption.
It can be seen that, even in the extreme case, the additional CPU load of the key Agent approach, relative to the service verifying tickets directly, is very light, so the approach is of great practical value.
It should be noted that, for the sake of brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, since according to the present application certain steps may be performed in another order or concurrently. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all optional embodiments, and that the actions and modules involved are not necessarily required by the present application.
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the various embodiments of the present application.
Embodiment 2
According to an embodiment of the present application, a service processing apparatus for implementing the foregoing service processing method is further provided. FIG. 11 is a schematic diagram of an optional service processing apparatus according to an embodiment of the present application. As shown in FIG. 11, the apparatus may include:
a first obtaining unit 1101, configured to obtain first information, where the first information indicates the execution result of a ciphertext processing request executed by a first type of key agent module;
a first detecting unit 1103, configured to detect whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module cannot stably execute ciphertext processing requests;
a first execution unit 1105, configured to execute the ciphertext processing request of the service module through a second type of key agent module when the first information is detected to meet the predetermined type switching condition.
Optionally, a first processing unit is configured to, before the first information is obtained, send the ciphertext processing request to the first type of key agent module and obtain the execution result of the ciphertext processing request executed by the first type of key agent module; and the first obtaining unit is configured to compute, from the execution results, the success rate with which the first type of key agent module executes ciphertext processing requests, where the first information includes the success rate.
Optionally, the predetermined type switching condition includes the success rate being lower than a first predetermined threshold, and the detecting unit is specifically configured to detect whether the success rate is lower than the first predetermined threshold; if the success rate is detected to be lower than the first predetermined threshold, determine that the first information meets the predetermined type switching condition; and if the success rate is detected to be not lower than the first predetermined threshold, determine that the first information does not meet the predetermined type switching condition.
Optionally, the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and a stable-type key agent module is a key agent module whose correct rate in executing ciphertext processing requests has been higher than a predetermined correct rate throughout a predetermined time period.
It should be noted that the above development-type (develop) key agent module may be, but is not limited to, an agent module that has not yet been verified; it becomes the above stable-type (stable) key agent module after passing verification.
Optionally, a second processing unit is configured to, before the first information is obtained and after the files in a key agent module in the system have been updated, record the key agent module on which the update was performed as a first type of key agent module; and, if the correct rate with which the first type of key agent module executes ciphertext processing requests is detected to be higher than the predetermined correct rate throughout a predetermined time period, record the first type of key agent module as a second type of key agent module.
Optionally, a third processing unit is configured to, before the first information is obtained and while the first type of key agent module in the system is running, update the files in the first type of key agent module if the files in the key agent module need to be updated.
Optionally, the first execution unit is configured to, if the system includes a plurality of second-type key agent modules, obtain from among them the second-type key agent module with the latest update time, and execute the ciphertext processing request through that second-type key agent module with the latest update time.
Optionally, a fourth processing unit is configured to, after the ciphertext processing request of the service module has been executed through the second type of key agent module and after an input switching instruction is received, execute the ciphertext processing request through the first type of key agent module in response to the switching instruction.
Optionally, a fifth processing unit is configured to, in the process of executing the ciphertext processing request through the first type of key agent module or the second type of key agent module, obtain key data of the key agent module through a service thread, where the key agent module is configured to send the key data when it detects that its success rate in executing ciphertext processing requests is lower than a second predetermined threshold; decrypt the key list stored in shared memory using the key data to obtain a decrypted key list; and execute the ciphertext processing request through the service module using the decrypted key list.
Optionally, a sixth processing unit is configured to, before the key data of the key agent module is obtained through the service thread, generate through the service thread a first-end descriptor and a second-end descriptor of a communication pipe, where the first-end descriptor is used by the key agent module to recognize data sent by the service module as legitimate data and the second-end descriptor is used by the service module to recognize data sent by the key agent module as legitimate data; and transmit the second-end descriptor to the key agent module through the communication pipe.
Optionally, obtaining the key data of the key agent module through the service thread includes: periodically reading data from the read end of the communication pipe through the service thread; and, if data is read from the read end of the communication pipe, determining that the key data has been obtained.
Optionally, the communication pipe is further used to detect whether the service module and the key agent module have restarted.
Optionally, a seventh processing unit is configured to, in the process of executing the ciphertext processing request through the key agent module, after the key agent module has performed a legitimacy check on the service process and when the legitimacy check has passed, have the service module send a first file descriptor to the key agent module, where the first file descriptor is used by the key agent module to recognize data sent by the service module as legitimate data; and obtain a plurality of second file descriptors generated by the key agent module, where the second file descriptors are used by the service module to recognize data sent by the key agent module as legitimate data.
Optionally, the seventh processing unit is configured to, after obtaining the plurality of second file descriptors generated by the key agent module, save the obtained second file descriptors in a queue, and communicate with the key agent module using the second file descriptors stored in the queue in turn.
Optionally, the number of second file descriptors corresponds to the number of threads in the key agent module that execute ciphertext processing requests.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
In an optional embodiment, the apparatus is applied in the key agent module and includes: a first processing unit, disposed in the first type of key agent module and configured to receive and execute the ciphertext processing request of the service module to obtain an execution result; and a first processing unit, disposed in the second type of key agent module and configured to receive and execute the ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when the first information generated from the execution result meets the predetermined type switching condition.
Optionally, the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and a stable-type key agent module is a key agent module whose correct rate in executing ciphertext processing requests has been higher than a predetermined correct rate throughout a predetermined time period.
Optionally, a third processing unit is configured to: before the first type of key agent module receives and executes the ciphertext processing request of the service module to obtain the execution result, and after the files in a key agent module in the system have been updated, record the key agent module on which the update was performed as a first type of key agent module; and, after the first type of key agent module has received and executed the ciphertext processing request of the service module and obtained the execution result, if the correct rate with which the first type of key agent module executes ciphertext processing requests is detected to be higher than the predetermined correct rate throughout a predetermined time period, record the first type of key agent module as a second type of key agent module.
Optionally, an updating unit is configured to, while the first type of key agent module is executing the ciphertext processing request of the service module, update the files in the first type of key agent module if the files in the key agent module need to be updated.
Optionally, a detecting unit is configured to, while the key agent module is executing ciphertext processing requests, have the key agent module detect whether its success rate in executing ciphertext processing requests is lower than a second predetermined threshold; and, if the success rate in executing ciphertext processing requests is detected to be lower than the second predetermined threshold, send key data to the service module, where the key data is used to decrypt the key list stored in shared memory to obtain a decrypted key list, and the service module is further configured to execute the ciphertext processing request using the decrypted key list.
Optionally, a fourth processing unit is configured to, before the key agent module detects whether its success rate in executing ciphertext processing requests is lower than the second predetermined threshold: after the key agent module has finished executing a ciphertext processing request, determine from the request time carried in the ciphertext processing request and the current time whether execution of the current ciphertext processing request has timed out; if execution of the current ciphertext processing request is determined to have timed out, determine that execution of the current ciphertext processing request has failed; and compute the success rate with which the key agent module executes ciphertext processing requests from the number of ciphertext processing requests whose execution failed.
Optionally, a sixth processing unit is configured to, before the key agent module detects whether its success rate in executing ciphertext processing requests is lower than the second predetermined threshold, receive the second-end descriptor of the communication pipe transmitted through the service thread, where the service thread is used to generate the first-end descriptor and the second-end descriptor, the first-end descriptor is used by the key agent module to recognize data sent by the service module as legitimate data, and the second-end descriptor is used by the service module to recognize data sent by the key agent module as legitimate data.
Optionally, sending the key data to the service module includes sending the key data through the write end of the communication pipe of each service thread.
Optionally, the communication pipe is further used to detect whether the service module and the key agent module have restarted.
Optionally, a sixth processing unit is configured to, in the process of executing the ciphertext processing request through the key agent module, after the key agent module has performed a legitimacy check on the service process and when the legitimacy check has passed, have the key agent module receive the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to recognize data sent by the service module as legitimate data; have the key agent module generate a plurality of second file descriptors, where the second file descriptors are used by the service module to recognize data sent by the key agent module as legitimate data; and have the key agent module transmit the plurality of second file descriptors to the service module.
Optionally, the number of second file descriptors corresponds to the number of threads in the key agent module that execute ciphertext processing requests.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
In an optional embodiment, the service processing apparatus is applied in the key agent module and includes: a first obtaining unit, configured to obtain the execution result of executing a ciphertext processing request; a first detecting unit, configured to detect whether the execution result meets a predetermined mode switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module is determined to have a defect, that is, the first type of key agent module cannot stably execute ciphertext processing requests; and a first sending unit, configured to, if the execution result is detected to meet the predetermined mode switching condition, send indication information to the service module, where the indication information instructs the service module to switch to a mode in which the ciphertext processing request is executed by the service module itself.
Optionally, the first obtaining unit is configured to: after the key agent module has finished executing a ciphertext processing request, determine from the request time carried in the ciphertext processing request and the current time whether execution of the current ciphertext processing request has timed out; if execution of the current ciphertext processing request is determined to have timed out, have the key agent module determine that execution of the current ciphertext processing request has failed; and have the key agent module compute its success rate in executing ciphertext processing requests from the number of ciphertext processing requests whose execution failed, where the execution result includes the success rate.
Optionally, the first detecting unit is configured to: have the key agent module detect whether the success rate is lower than a second predetermined threshold; and, if the success rate in executing ciphertext processing requests is detected to be lower than the second predetermined threshold, determine that the execution result meets the predetermined mode switching condition.
Optionally, the first sending unit is configured to have the key agent module send key data to the service module, where the key data is used to decrypt the key list stored in shared memory to obtain a decrypted key list, and the service module is further configured to execute the ciphertext processing request using the decrypted key list.
Optionally, the key agent module includes a first type of key agent module and a second type of key agent module, where the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and a stable-type key agent module is a key agent module whose correct rate in executing ciphertext processing requests has been higher than a predetermined correct rate throughout a predetermined time period.
Optionally, a first processing unit is configured to, before the key agent module receives and executes the ciphertext processing request of the service module and after the files in the key agent module have been updated, record the key agent module on which the update was performed as a first type of key agent module; and, after the first type of key agent module has received and executed the ciphertext processing request of the service module and obtained the execution result, the method further includes: if the correct rate with which the first type of key agent module executes ciphertext processing requests is detected to be higher than the predetermined correct rate throughout a predetermined time period, recording the first type of key agent module as a second type of key agent module.
Optionally, a second processing unit is configured to, while the first type of key agent module is executing the ciphertext processing request of the service module, update the files in the first type of key agent module if the files in the key agent module need to be updated.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
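The switching policy of this embodiment on both sides, as an added Go example that is not part of the patent or of any Tencent code: a service-side router that counts results under the timeout rule, switches from the develop agent to the most recently updated stable agent once the success rate falls below the first threshold and returns on a switching instruction, and an agent-side monitor that releases the key data once its own success rate falls below the second threshold. The threshold values, the minimum sample count before a rate is trusted and the type names are assumptions of the example.

```go
package main

import (
	"errors"
	"time"
)

// Stats accumulates execution results of ciphertext processing requests.
type Stats struct{ OK, Total int }

// SuccessRate is OK/Total; before any result is recorded it is taken as 1.0.
func (s Stats) SuccessRate() float64 {
	if s.Total == 0 {
		return 1.0
	}
	return float64(s.OK) / float64(s.Total)
}

// Outcome is one executed request: its request time, when the agent finished,
// and the agent's error (nil when a result came back).
type Outcome struct {
	RequestTime, DoneTime time.Time
	Err                   error
}

// Record applies the timeout rule from the text: a request that finished more
// than timeout after its request time counts as failed even if a result came back.
func (s *Stats) Record(o Outcome, timeout time.Duration) bool {
	ok := o.Err == nil && o.DoneTime.Sub(o.RequestTime) <= timeout
	s.Total++
	if ok {
		s.OK++
	}
	return ok
}

// Agent is one key agent module: first type (develop) or second type (stable).
type Agent struct {
	Stable    bool
	UpdatedAt time.Time // time of the last file update of this module
	Stats     Stats
}

// Router is the service-module side: it uses the develop agent until its success
// rate (after MinSamples results) drops below FirstThreshold, then the newest stable one.
type Router struct {
	Develop        *Agent
	Stables        []*Agent
	FirstThreshold float64
	MinSamples     int
	onStable       bool
}

// Choose returns the agent that should execute the next request.
func (r *Router) Choose() (*Agent, error) {
	if !r.onStable && r.Develop != nil {
		st := r.Develop.Stats
		if st.Total < r.MinSamples || st.SuccessRate() >= r.FirstThreshold {
			return r.Develop, nil
		}
		r.onStable = true // the predetermined type switching condition is met
	}
	var latest *Agent
	for _, a := range r.Stables {
		if a.Stable && (latest == nil || a.UpdatedAt.After(latest.UpdatedAt)) {
			latest = a
		}
	}
	if latest == nil {
		return nil, errors.New("no stable key agent module available")
	}
	return latest, nil
}

// SwitchBack handles the input switching instruction: return to the develop agent.
func (r *Router) SwitchBack() {
	r.onStable = false
	r.Develop.Stats = Stats{} // restart the develop agent's accounting
}

// Monitor is the agent side: once its own success rate (after MinSamples results)
// is below SecondThreshold it hands KeyData to the service module, which then
// decrypts the key list in shared memory and serves requests itself.
type Monitor struct {
	Stats           Stats
	SecondThreshold float64
	MinSamples      int
	KeyData         []byte
}

// AfterRequest records one outcome and returns the key data to write to each
// service thread's pipe, or nil while the agent is still healthy.
func (m *Monitor) AfterRequest(o Outcome, timeout time.Duration) []byte {
	m.Stats.Record(o, timeout)
	if m.Stats.Total >= m.MinSamples && m.Stats.SuccessRate() < m.SecondThreshold {
		return m.KeyData
	}
	return nil
}
```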
According to an embodiment of the present application, a service encryption apparatus for implementing the foregoing service encryption method is further provided. FIG. 12 is a schematic diagram of an optional service encryption apparatus according to an embodiment of the present application. As shown in FIG. 12, the apparatus may include a first encryption receiving unit 1201, a first encryption obtaining unit 1203, a first encryption unit 1205 and a first encryption sending unit 1207, where:
the first encryption receiving unit 1201 is disposed in the key agent module and configured to receive an encryption request sent by the service module, where the encryption request carries the data to be encrypted;
the first encryption obtaining unit 1203 is disposed in the key agent module and configured to obtain a target key from a key list, where the key list has been pulled from the key server in advance;
the first encryption unit 1205 is disposed in the key agent module and configured to encrypt the data to be encrypted using the target key to obtain encrypted data; and
the first encryption sending unit 1207 is disposed in the key agent module and configured to send the encrypted data to the service module.
In the embodiment of the present application, the key agent module receives the encryption request, then obtains the target key according to the key request, and then encrypts the data to be encrypted with the target key. The service encryption approach provided in the embodiment of the present application achieves the purpose of encrypting the service more securely, thereby achieving the technical effect of improving key security when encrypting the service, and so solving the technical problem in the related art of low key security when decrypting the service.
Optionally, a second encryption sending unit is disposed in the key agent module and configured to, before the key agent module receives the encryption request sent by the service module, send a first public key to the key server and receive a second public key from the key server, where the key agent module holds a pair consisting of the first public key and a first private key, and the key server holds a pair consisting of the second public key and a second private key; a third encryption sending unit is disposed in the key agent module and configured to send a key list pull request to the key server; a second encryption receiving unit is disposed in the key agent module and configured to receive the encrypted key list sent by the key server, where the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key; and a decryption unit is disposed in the key agent module and configured to decrypt the encrypted key list using a second communication key on the key agent module side to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is identical to the second communication key.
Optionally, the second encryption sending unit includes: a first sending module, configured to send the encrypted first public key to the key server when the key agent module restarts, where the encrypted first public key is obtained by encrypting the first public key with an agreed key; a receiving module, configured to receive the encrypted second public key, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; and a decryption module, configured to decrypt the encrypted second public key with the agreed key to obtain the second public key; where the agreed key is set to be used only when the key agent module restarts.
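The key list pull described in the two paragraphs above (public keys swapped under the agreed key at restart, a communication key derived independently on each side, the key list sealed under the server's communication key and opened under the agent's), as an added Go example that is not the patent's or the project's own code. It assumes X25519 for the key agreement, SHA-256 of the shared secret as the communication key and AES-256-GCM for both the public-key wrapping and the key list; the text names none of these.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Party is one side of the exchange: the key agent module holds the first key
// pair, the key server the second. Assumption: X25519 key agreement; the text
// does not name a curve or a key derivation function.
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates a fresh key pair for one side.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Party{priv: priv}, nil
}

// PublicKeyBytes is the public key this side sends to the other side.
func (p *Party) PublicKeyBytes() []byte { return p.priv.PublicKey().Bytes() }

// CommunicationKey derives the 32-byte communication key from this side's
// private key and the peer's public key. The server computes it from the first
// public key and the second private key, the agent from the first private key
// and the second public key; both obtain the same value.
func (p *Party) CommunicationKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { return nil, err }
	shared, err := p.priv.ECDH(pub)
	if err != nil { return nil, err }
	k := sha256.Sum256(shared) // assumed KDF: hash of the raw shared secret
	return k[:], nil
}

// Seal encrypts plaintext with AES-GCM under key (16, 24 or 32 bytes); the
// random nonce is prepended so that Open can recover it.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on a wrong key or any modification.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed data too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PullKeyList runs the whole exchange from the text inside one process: at
// agent restart the public keys are swapped wrapped under the agreed key, each
// side derives its communication key, and the server answers the key list
// pull request with the key list sealed under that key. It returns the key
// list as recovered by the agent.
func PullKeyList(agreedKey, keyList []byte) ([]byte, error) {
	agent, err := NewParty()
	if err != nil { return nil, err }
	server, err := NewParty()
	if err != nil { return nil, err }
	// Agent -> server: first public key, encrypted with the agreed key.
	wrapped, err := Seal(agreedKey, agent.PublicKeyBytes())
	if err != nil { return nil, err }
	firstPub, err := Open(agreedKey, wrapped)
	if err != nil { return nil, err }
	// Server -> agent: second public key, encrypted the same way.
	wrapped, err = Seal(agreedKey, server.PublicKeyBytes())
	if err != nil { return nil, err }
	secondPub, err := Open(agreedKey, wrapped)
	if err != nil { return nil, err }
	// Server side: first communication key from first public + second private.
	firstCommKey, err := server.CommunicationKey(firstPub)
	if err != nil { return nil, err }
	// Agent side: second communication key from first private + second public.
	secondCommKey, err := agent.CommunicationKey(secondPub)
	if err != nil { return nil, err }
	// Reply to the key list pull request, then decrypt it on the agent side.
	sealedList, err := Seal(firstCommKey, keyList)
	if err != nil { return nil, err }
	return Open(secondCommKey, sealedList)
}
```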
Optionally, the apparatus further includes: a second encryption obtaining unit, disposed in the key agent module and configured to obtain the process PID of the service process before the key agent module receives the encryption request sent by the service module, where the service process is the process through which the service module sends the data to be encrypted; and a checking unit, disposed in the key agent module and configured to perform a legitimacy check on the service process and its process PID; and the first encryption obtaining unit includes a first obtaining module, disposed in the key agent module and configured to have the key agent module obtain the target key from the key list when the legitimacy check passes.
Optionally, the checking unit includes: a second obtaining module, configured to obtain the full process path corresponding to the process PID; a first judging module, configured to judge whether the full process path is one of the legal paths obtained from the key server in advance; a checking module, configured to perform an MD5 check on the service process to obtain a first MD5 check result when the full process path is judged to be one of the legal paths; a first determining module, configured to determine that the legitimacy check fails when the full process path is judged not to be one of the legal paths; a second judging module, configured to judge whether the first MD5 check result is identical to a second MD5 check result obtained in advance for the service process; a second determining module, configured to determine that the legitimacy check passes when the first MD5 check result is judged to be identical to the second MD5 check result; and a third determining module, configured to determine that the legitimacy check fails when the first MD5 check result is judged to differ from the second MD5 check result.
Optionally, the apparatus further includes: a third encryption obtaining unit, disposed in the key agent module and configured to, after the key agent module has performed the legitimacy check on the service process and its process PID and before the key agent module receives the encryption request sent by the service module, obtain a first file descriptor sent by the service module when the legitimacy check passes, where the first file descriptor is used by the key agent module to recognize data sent by the service module as legitimate data; a generating unit, disposed in the key agent module and configured to generate a second file descriptor, where the second file descriptor is used by the service module to recognize data sent by the key agent module as legitimate data; and a transmitting unit, disposed in the key agent module and configured to transmit the second file descriptor to the service module.
Optionally, the first encryption receiving unit includes a third obtaining module, disposed in the key agent module, where receiving the encryption request sent by the service module includes the key agent module obtaining from shared memory the data to be encrypted that the service module has stored there; and the first encryption sending unit includes a second sending module, disposed in the key agent module and configured to store the encrypted data in shared memory so that the service module obtains the encrypted data from shared memory.
Optionally, the apparatus further includes a setting unit, disposed in the key agent module and configured to, after the key agent module has performed the legitimacy check on the service process and its process PID and before the key agent module receives the encryption request sent by the service module, have the key agent module set a target permission for the first file descriptor when the legitimacy check passes, where the target permission includes at least one of: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
Optionally, the first obtaining module includes an obtaining sub-module, configured to have the key agent module obtain the target key from the key list when the key agent module is allowed to encrypt the data to be encrypted requested by the service module.
Optionally, the second encryption obtaining unit includes: a fourth obtaining module, configured to obtain the process PID of the service process through a Unix domain socket in non-root running mode; or a fifth obtaining module, configured to set the socket option SO_PEERCRED on the socket and obtain the process PID of the service process through the socket.
需要说明的是,该实施例中的第一加密接收单元1201可以设置为执行本申请实施例1中的步骤S702,该实施例中的第一加密获取单元1203可以设置为执行本申请实施例1中的步骤S704,该实施例中的第一加密单元1205可以设置为执行本申请实施例1中的步骤S706,该实施例中的 第一加密发送单元1207可以设置为执行本申请实施例1中的步骤S708。It should be noted that the first encryption receiving unit 1201 in this embodiment may be configured to perform step S702 in the first embodiment of the present application. The first encryption obtaining unit 1203 in this embodiment may be configured to perform the first embodiment of the present application. In step S704, the first encryption unit 1205 in this embodiment may be configured to perform step S706 in Embodiment 1 of the present application, in this embodiment The first encryption transmitting unit 1207 may be configured to perform step S708 in Embodiment 1 of the present application.
根据本申请实施例,还提供了一种用于实施上述业务解密方法的业务解密装置。图13是根据本申请实施例的一种可选的业务解密装置的示意图,如图13所示,该装置可以包括:第一解密接收单元1301、第一解密获取单元1303、第一解密单元1305和第一解密发送单元1307,其中:According to an embodiment of the present application, a service decryption apparatus for implementing the above service decryption method is further provided. FIG. 13 is a schematic diagram of an optional service decryption apparatus according to an embodiment of the present application. As shown in FIG. 13, the apparatus may include: a first decryption receiving unit 1301, a first decryption acquisition unit 1303, and a first decryption unit 1305. And a first decryption transmitting unit 1307, wherein:
第一解密接收单元,设置于密钥代理模块中,设置为接收业务模块发送的解密请求,其中,解密请求中携带有待解密的数据。The first decryption receiving unit is disposed in the key proxy module and configured to receive the decryption request sent by the service module, where the decryption request carries data to be decrypted.
第一解密获取单元,设置于密钥代理模块中,设置为从密钥列表中获取目标密钥,其中,密钥列表是预先从密钥服务器中拉取到的。The first decryption obtaining unit is disposed in the key agent module and configured to obtain the target key from the key list, wherein the key list is previously extracted from the key server.
第一解密单元,设置密钥代理模块中,设置为使用目标密钥对待解密的数据进行解密,得到解密后的数据。The first decryption unit sets the key agent module to decrypt the data to be decrypted using the target key to obtain the decrypted data.
第一解密发送单元,设置于密钥代理模块中,设置为将解密后的数据发送给业务模块。The first decryption sending unit is disposed in the key agent module and configured to send the decrypted data to the service module.
在本申请实施例中,通过密钥代理模块接收解密请求,然后,根据密钥请求获取目标密钥,接下来,通过目标密钥对待解密的数据进行解密,本申请实施例中提供的业务解密方式,达到了更加安全地为业务进行解密的目的,从而实现了提高了对业务进行解密时密钥安全性的技术效果,进而解决了相关技术中在对业务进行解密时密钥的安全性较低的技术问题。In the embodiment of the present application, the decryption request is received by the key agent module, and then the target key is obtained according to the key request, and then the data to be decrypted is decrypted by the target key, and the service decryption provided in the embodiment of the present application is decrypted. The method achieves the purpose of decrypting the service more securely, thereby realizing the technical effect of improving the security of the key when decrypting the service, thereby solving the security of the key when decrypting the service in the related art. Low technical issues.
可选地,第二解密发送单元,设置在密钥代理模块中,设置为在密钥代理模块接收业务模块发送的解密请求之前,将第一公钥发送给密钥服务器,并从密钥服务器接收第二公钥,其中,密钥代理模块上具有一对第一公钥和第一私钥,密钥服务器上具有一对第二公钥和第二私钥;第三解密发送单元,设置在密钥代理模块中,设置为向密钥服务器发送密钥列表拉取请求;第二解密接收单元,设置在密钥代理模块中,设置为接收密钥服务器发送的加密后的密钥列表,其中,加密后的密钥列表是使用密钥服务 器侧的第一通讯密钥对密钥列表进行加密得到的,第一通讯密钥是密钥服务器根据第一公钥和第二私钥生成得到的;第二解密单元,设置在密钥代理模块中,设置为使用密钥代理模块侧的第二通讯密钥对加密后的密钥列表进行解密,得到密钥列表,其中,第二通讯密钥是密钥代理模块根据第一私钥和第二公钥生成得到的,第一通讯密钥与第二通讯密钥相同。Optionally, the second decryption sending unit is disposed in the key agent module, and configured to send the first public key to the key server and receive the key server before the key agent module receives the decryption request sent by the service module Receiving a second public key, wherein the key agent module has a pair of first public key and a first private key, the key server has a pair of second public key and a second private key; and the third decryption sending unit sets In the key agent module, configured to send a key list pull request to the key server; the second decryption receiving unit is set in the key agent module, and is configured to receive the encrypted key list sent by the key server, Where the encrypted key list is a key service The first communication key of the device side is obtained by encrypting the key list, and the first communication key is generated by the key server according to the first public key and the second private key; and the second decryption unit is set in the key agent. In the module, the second key of the key agent module is used to decrypt the encrypted key list to obtain a key list, wherein the second communication key is a key agent module according to the first private key and The second public key is generated, and the first communication key is the same as the second communication key.
可选地,第二解密发送单元包括:第一发送模块,设置为在密钥代理模块重启时,将加密后的第一公钥发送给密钥服务器,其中,加密后的第一公钥是使用约定密钥对第一公钥进行加密得到的;接收模块,设置为从密钥服务器接收加密后的第二公钥,其中,加密后的第二公钥是使用约定密钥对第二公钥进行加密得到的;解密模块,设置为密钥代理模块使用约定密钥对加密后的第二公钥进行解密,得到第二公钥;其中,约定密钥被设置为仅在密钥代理模块重启时使用。Optionally, the second decryption sending unit includes: a first sending module, configured to send the encrypted first public key to the key server when the key agent module is restarted, where the encrypted first public key is The first public key is obtained by encrypting the first public key; the receiving module is configured to receive the encrypted second public key from the key server, wherein the encrypted second public key is the second key using the agreed key The key is encrypted; the decryption module is configured to decrypt the encrypted second public key by using the contract key to obtain a second public key; wherein the appointment key is set to be only in the key agent module Used when restarting.
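The key list pull described in the two paragraphs above, as an added example that is not the patent's own code: the agent and the server each hold a key pair, each derives the same communication key from its own private key and the peer's public key, the server encrypts the key list under that key and the agent decrypts it. The Diffie-Hellman modulus, the HMAC-based stream cipher and the sample key list are constructed for demonstration (a standard group or X25519 with an AEAD cipher would be used in practice); the public keys are exchanged unwrapped here, which is exactly what the agreed-key wrapping on restart is there to protect against.

```python
import hashlib
import hmac
import json
import secrets

# Demonstration Diffie-Hellman parameters only: M127 is prime but far too small
# for real use; a production build would use an RFC 7919 group or X25519.
P = (1 << 127) - 1
G = 3


def gen_keypair():
    """Return (private, public) for one side; the patent calls these the first
    (agent) and second (server) private/public keys."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def comm_key(own_priv, peer_pub):
    """Communication key derived from own private key and the peer's public key.
    Both sides compute pow(G, a*b, P), so the server's 'first communication key'
    equals the agent's 'second communication key'. Split into an encryption
    key and a MAC key so the key list is authenticated as well as hidden."""
    shared = pow(peer_pub, own_priv, P).to_bytes(16, "big")
    enc = hashlib.sha256(b"keylist-enc" + shared).digest()
    mac = hashlib.sha256(b"keylist-mac" + shared).digest()
    return enc, mac


def _keystream(enc_key, nonce, n):
    """Counter-mode keystream built from HMAC-SHA256 (stdlib-only substitute
    for a real cipher; constructed for this example)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_key_list(keys, key_list):
    """Server side: nonce || ciphertext || tag, encrypt-then-MAC."""
    enc, mac = keys
    nonce = secrets.token_bytes(16)
    pt = json.dumps(key_list, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_key_list(keys, blob):
    """Agent side: verify the tag first, then decrypt. A wrong communication
    key or a modified ciphertext fails here rather than yielding garbage keys."""
    enc, mac = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key list authentication failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
    return json.loads(pt)


def tamper_detected(keys, blob):
    """True if decrypting a blob whose first ciphertext byte was flipped is rejected."""
    bad = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt_key_list(keys, bad)
    except ValueError:
        return True
    return False


def pull_key_list(server_key_list):
    """Whole exchange: agent sends its public key, server replies with its own,
    both derive the communication key, server encrypts the list, agent decrypts.
    Returns (key list as seen by the agent, whether both derived keys matched)."""
    agent_priv, agent_pub = gen_keypair()        # first private / public key
    server_priv, server_pub = gen_keypair()      # second private / public key
    first_comm_key = comm_key(server_priv, agent_pub)   # key server side
    second_comm_key = comm_key(agent_priv, server_pub)  # key agent side
    blob = encrypt_key_list(first_comm_key, server_key_list)
    return decrypt_key_list(second_comm_key, blob), first_comm_key == second_comm_key


if __name__ == "__main__":
    # Constructed sample key list; values are placeholders, not real keys.
    sample = {"key-2017-01": "0011223344556677", "key-2017-02": "8899aabbccddeeff"}
    print(pull_key_list(sample))
```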
Optionally, the device further includes: a second decryption acquiring unit, disposed in the key agent module and configured to obtain the process PID of the service process before the key agent module receives the decryption request sent by the service module, where the service process is the process through which the service module sends the data to be decrypted; and a verification unit, disposed in the key agent module and configured to perform a validity check on the service process and the process PID; and the first decryption acquiring unit includes: a first acquiring module, disposed in the key agent module and configured so that, when the validity check passes, the key agent module obtains the target key from the key list.
Optionally, the verification unit includes: a second acquiring module, configured to obtain the full process path corresponding to the process PID; a first judging module, configured to judge whether the full process path is one of the legal paths obtained in advance from the key server; a verification module, configured to perform an MD5 check on the service process to obtain a first MD5 check result when the full process path is judged to be one of the legal paths; a first determining module, configured to determine that the validity check fails when the full process path is judged not to be one of the legal paths; a second judging module, configured to judge whether the first MD5 check result is the same as a second MD5 check result obtained in advance for the service process; a second determining module, configured to determine that the validity check passes when the first MD5 check result is judged to be the same as the second MD5 check result; and a third determining module, configured to determine that the validity check fails when the first MD5 check result is judged to differ from the second MD5 check result.
Optionally, the device further includes: a third decryption acquiring unit, disposed in the key agent module and configured to, after the key agent module performs the validity check on the service process and the process PID and before the key agent module receives the decryption request sent by the service module, obtain, when the validity check passes, the first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; a generating unit, disposed in the key agent module and configured to generate a second file descriptor, where the second file descriptor is used by the service module to identify data sent by the key agent module as legal data; and a transmission unit, disposed in the key agent module and configured to transmit the second file descriptor to the service module.
Optionally, the first decryption receiving unit includes: a third acquiring module, disposed in the key agent module and configured so that receiving the decryption request sent by the service module includes the key agent module obtaining, from the shared memory, the data to be decrypted that the service module stored there; and the first decryption sending unit includes: a second sending module, disposed in the key agent module and configured to store the decrypted data in the shared memory so that the service module obtains the decrypted data from the shared memory.
Optionally, the device further includes: a setting unit, disposed in the key agent module and configured so that, after the key agent module performs the validity check on the service process and the process PID and before the key agent module receives the decryption request sent by the service module, when the validity check passes, the key agent module sets a target permission for the first file descriptor, where the target permission includes at least one of the following: allowing the key agent module to encrypt the data to be encrypted requested by the service module, and allowing the key agent module to decrypt the data to be decrypted requested by the service module.
Optionally, the first acquiring module includes: an acquiring submodule, configured so that, when the key agent module is allowed to decrypt the data to be decrypted requested by the service module, the key agent module obtains the target key from the key list.
Optionally, the second decryption acquiring unit includes: a fourth acquiring module, configured to obtain the process PID of the service process through a Unix domain socket in non-root running mode; or a fifth acquiring module, configured to set the socket option SO_PEERCRED on the socket and obtain the process PID of the service process through the socket.
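The validity check of the verification unit together with the SO_PEERCRED PID acquisition just described, as an added example (not the patent's code): the agent reads the peer PID from the kernel, resolves the full executable path, checks it against the legal path list pulled from the key server, and only then compares the binary's MD5 with the expected result. It assumes Linux (SO_PEERCRED and /proc); the legal paths and expected digests in the self-check are constructed from the running interpreter itself.

```python
import hashlib
import os
import socket
import struct


def peer_pid(conn):
    """PID of the process at the other end of a connected Unix domain socket.

    SO_PEERCRED (Linux) returns struct ucred {pid_t pid; uid_t uid; gid_t gid;}
    filled in by the kernel, so unlike a PID carried in the request payload the
    service process cannot forge it.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def process_full_path(pid):
    """Full path of the executable behind a PID, via /proc/<pid>/exe (Linux)."""
    return os.readlink(f"/proc/{pid}/exe")


def md5_of_file(path):
    """MD5 of the on-disk binary, streamed in chunks. The page specifies MD5;
    a new design should prefer SHA-256, since MD5 collisions are practical."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_process(full_path, digest, legal_paths, expected_digests):
    """Pure decision logic of the verification unit.

    legal_paths: the legal path list pulled from the key server in advance.
    expected_digests: path -> second MD5 check result obtained in advance.
    Returns (passed, reason). The path check runs first, so a binary outside the
    legal list is rejected before any hash is compared.
    """
    if full_path not in legal_paths:
        return False, "process path is not in the legal path list"
    if digest != expected_digests.get(full_path):
        return False, "first MD5 check result differs from the second"
    return True, "validity check passed"


def validate_peer(conn, legal_paths, expected_digests):
    """Validity check on a connected service process: PID -> full path -> MD5.

    Run this before handing out any file descriptor, and bind the result to
    this connection only: PIDs are reused, so a cached 'pid 1234 is legal' is
    not safe across connections.
    """
    pid = peer_pid(conn)
    try:
        full_path = process_full_path(pid)
        digest = md5_of_file(full_path) if full_path in legal_paths else None
    except OSError as exc:  # process exited or binary unreadable: fail closed
        return False, f"cannot inspect pid {pid}: {exc}"
    return check_process(full_path, digest, legal_paths, expected_digests)


def self_check():
    """Validate this very process against itself over a socketpair.
    Returns True on platforms without SO_PEERCRED or /proc, where it cannot run."""
    if not hasattr(socket, "SO_PEERCRED") or not os.path.exists("/proc/self/exe"):
        return True
    agent_end, service_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        exe = process_full_path(os.getpid())
        legal = {exe}                              # constructed legal path list
        expected = {exe: md5_of_file(exe)}         # constructed expected digest
        passed, _reason = validate_peer(agent_end, legal, expected)
        rejected, _ = validate_peer(agent_end, {"/opt/other/bin/svc"}, expected)
        return passed and not rejected and peer_pid(agent_end) == os.getpid()
    finally:
        agent_end.close()
        service_end.close()


if __name__ == "__main__":
    print("self-check:", self_check())
```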
It should be noted that, in this embodiment, the first decryption receiving unit 701 may be configured to perform step S302 in Embodiment 1 of the present application, the first decryption acquiring unit 703 may be configured to perform step S304 in Embodiment 1, the first decryption unit 705 may be configured to perform step S306 in Embodiment 1, and the first decryption sending unit 707 may be configured to perform step S308 in Embodiment 1.
Through the above modules, the technical problem in the related art that key security is low when decrypting a service can be solved, thereby achieving the technical effect of improving key security when encrypting a service.
It should be noted here that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to the content disclosed in Embodiment 1 above. It should also be noted that the above modules, as part of the device, may run in the hardware environment shown in FIG. 1 and may be implemented in software or in hardware, where the hardware environment includes a network environment.
Embodiment 3
According to an embodiment of the present application, an electronic device for implementing the above service processing method is further provided.
FIG. 14 is a structural block diagram of an electronic device according to an embodiment of the present application. As shown in FIG. 14, the electronic device may include one or more processors 1401 (only one is shown; for example the key agent module in the above embodiments), a memory 1403 and a transmission device 1405 (for example the sending device in the above embodiments). As shown in FIG. 14, the electronic device may further include an input/output device 1407.
The memory 1403 may be configured to store software programs and modules, such as the program instructions/modules corresponding to the service processing method and device in the embodiments of the present application. By running the software programs and modules stored in the memory 1403, the processor 1401 executes various functional applications and data processing, that is, implements the above service processing method. The memory 1403 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 1403 may further include memory located remotely from the processor 1401, and such remote memory may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 1405 is configured to receive or send data over a network, and may also be configured for data transmission between the processor and the memory. Specific examples of the network may include wired and wireless networks. In one example, the transmission device 1405 includes a network interface controller (NIC), which can be connected to other network devices and routers by network cable so as to communicate with the Internet or a local area network. In one example, the transmission device 1405 is a radio frequency (RF) module configured to communicate with the Internet wirelessly.
Specifically, the memory 1403 is configured to store an application program.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: obtaining first information, where the first information indicates the execution result of a ciphertext processing request executed by a first type of key agent module; detecting whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module is determined to have a defect; and, when the first information is detected to meet the predetermined type switching condition, executing the ciphertext processing request of the service module through a second type of key agent module.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: before obtaining the first information, sending a ciphertext processing request to the first type of key agent module and obtaining the execution result of the ciphertext processing request executed by the first type of key agent module; where obtaining the first information includes counting, based on the execution results, the success rate with which the first type of key agent module executes ciphertext processing requests, and the first information includes the success rate.
Optionally, the predetermined type switching condition includes the success rate being lower than a first predetermined threshold, and the processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: detecting whether the success rate is lower than the first predetermined threshold; if the success rate is detected to be lower than the first predetermined threshold, determining that the first information meets the predetermined type switching condition; and if the success rate is detected not to be lower than the first predetermined threshold, determining that the first information does not meet the predetermined type switching condition.
Optionally, the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and a stable-type key agent module is a key agent module whose correctness rate in executing ciphertext processing requests has been higher than a predetermined correctness rate throughout a predetermined time period.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: before obtaining the first information, after the files of a key agent module in the system are updated, recording the key agent module on which the update operation was performed as a first type of key agent module; and if, throughout a predetermined time period, the correctness rate with which the first type of key agent module executes ciphertext processing requests is detected to be higher than the predetermined correctness rate, recording the first type of key agent module as a second type of key agent module.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: before obtaining the first information, while a first type of key agent module in the system is running, if the files in the key agent module need to be updated, updating the files in the first type of key agent module.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: if the system includes multiple second type key agent modules, obtaining, from among them, the second type key agent module with the latest update time, and executing the ciphertext processing request through the second type key agent module with the latest update time.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: after executing the ciphertext processing request of the service module through the second type of key agent module, and after receiving an input switching instruction, executing the ciphertext processing request through the first type of key agent module in response to the switching instruction.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: in the process of executing the ciphertext processing request through the first type or the second type of key agent module, obtaining the key data of the key agent module through a service thread, where the key agent module is configured to send the key data when it detects that the success rate of executing ciphertext processing requests is lower than a second predetermined threshold; decrypting the key list stored in the shared memory with the key data to obtain the decrypted key list; and executing the ciphertext processing request through the service module using the decrypted key list.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: before obtaining the key data of the key agent module through the service thread, generating, through the service thread, a first end descriptor and a second end descriptor of a communication pipe, where the first end descriptor is used by the key agent module to identify data sent by the service module as legal data, and the second end descriptor is used by the service module to identify data sent by the key agent module as legal data; and transmitting the second end descriptor to the key agent module through the communication pipe.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: periodically reading data from the read end of the communication pipe through the service thread; and if data is read from the read end of the communication pipe, determining that the key data has been obtained.
Optionally, the communication pipe is further used to detect whether the service module and the key agent module have restarted.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: in the process of executing the ciphertext processing request through the key agent module, after the key agent module performs the validity check on the service process and when the validity check passes, the service module sends a first file descriptor to the key agent module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; and obtaining multiple second file descriptors generated by the key agent module, where the second file descriptors are used by the service module to identify data sent by the key agent module as legal data.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: after obtaining the multiple second file descriptors generated by the key agent module, saving the obtained second file descriptors in a queue; and communicating with the key agent module using, in sequence, the second file descriptors stored in the queue.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps, where the number of second file descriptors corresponds to the number of threads in the key agent module used to execute ciphertext processing requests.
Optionally, the ciphertext processing request includes a request to encrypt data to be encrypted into ciphertext data and/or a request to decrypt ciphertext data into decrypted data.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: the first type of key agent module receives and executes the ciphertext processing request of the service module to obtain an execution result; and the second type of key agent module receives and executes the ciphertext processing request of the service module, where the service module is configured to send the ciphertext processing request to the second type of key agent module when the first information generated based on the execution result meets the predetermined type switching condition, and meeting the predetermined type switching condition indicates that the first type of key agent module is determined to have a defect.
Optionally, the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and a stable-type key agent module is a key agent module whose correctness rate in executing ciphertext processing requests has been higher than a predetermined correctness rate throughout a predetermined time period.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps: the key agent module obtains the execution result of executing the ciphertext processing request; and the key agent module detects whether the execution result meets a predetermined mode switching condition, where meeting the predetermined mode switching condition indicates that the key agent module is determined to have a defect;
If the execution result is detected to meet the predetermined mode switching condition, the key agent module sends indication information to the service module, where the indication information instructs the service module to switch to the mode in which the ciphertext processing request is executed by the service module itself.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps, where the key agent module obtaining the execution result of executing the ciphertext processing request includes: after executing a ciphertext processing request, the key agent module judges, based on the request time carried in the ciphertext processing request and the current time, whether execution of the current ciphertext processing request has timed out; if execution of the current ciphertext processing request is judged to have timed out, the key agent module determines that execution of the current ciphertext processing request failed; and the key agent module counts, based on the number of ciphertext processing requests whose execution failed, the success rate with which the key agent module executes ciphertext processing requests, where the execution result includes the success rate.
The processor 1401 may call, through the transmission device 1405, the application program stored in the memory 1403 to perform the following steps, where the key agent module detecting whether the execution result meets the predetermined mode switching condition includes: the key agent module detects whether the success rate is lower than a second predetermined threshold; and if the success rate of executing ciphertext processing requests is detected to be lower than the second predetermined threshold, determining that the execution result meets the predetermined mode switching condition.
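The switching logic of the steps above (timeout counted as failure, success rate over recent requests compared against a threshold, fallback to the most recently updated stable-type module, and manual switch-back) as one added example, not the patent's code. The module names, timestamps and request log are constructed; the window size, timeout and threshold are assumed values standing in for the page's predetermined thresholds.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyAgentModule:
    name: str
    kind: str          # "development" (first type) or "stable" (second type)
    updated_at: float  # time of the last file update; latest stable module wins


class SwitchMonitor:
    """Keeps the execution results of the last `window` ciphertext processing
    requests and reports whether the switching condition is met."""

    def __init__(self, timeout_s, threshold, window=100):
        self.timeout_s = timeout_s      # request is failed if it ran longer
        self.threshold = threshold      # predetermined threshold on success rate
        self.results = deque(maxlen=window)

    def record(self, request_time, finished_at, completed):
        """Classify one request: an error, or a finish time more than timeout_s
        after the request time carried in the request, both count as failure."""
        ok = bool(completed) and (finished_at - request_time) <= self.timeout_s
        self.results.append(ok)
        return ok

    def success_rate(self):
        # No observations yet: do not switch on an empty window.
        if not self.results:
            return 1.0
        return sum(self.results) / len(self.results)

    def meets_switch_condition(self):
        return self.success_rate() < self.threshold


def choose_fallback(modules):
    """Second type module with the latest update time, or None if there is none."""
    stable = [m for m in modules if m.kind == "stable"]
    return max(stable, key=lambda m: m.updated_at) if stable else None


def route(monitor, modules, current, switch_back=False):
    """Decide which module serves the next request.

    A development module whose success rate fell below the threshold is replaced
    by the fallback; an explicit switch-back instruction returns to the newest
    development module (the page's 'input switching instruction').
    """
    if switch_back:
        dev = [m for m in modules if m.kind == "development"]
        return max(dev, key=lambda m: m.updated_at) if dev else current
    if current.kind == "development" and monitor.meets_switch_condition():
        return choose_fallback(modules) or current
    return current


def simulate(request_log, modules, current, timeout_s=2.0, threshold=0.8):
    """Replay a constructed log of (request_time, finished_at, completed) and
    return (success rate, name of the module that serves the next request)."""
    monitor = SwitchMonitor(timeout_s=timeout_s, threshold=threshold, window=10)
    for request_time, finished_at, completed in request_log:
        monitor.record(request_time, finished_at, completed)
    return monitor.success_rate(), route(monitor, modules, current).name


if __name__ == "__main__":
    mods = [
        KeyAgentModule("agent-dev", "development", 300.0),
        KeyAgentModule("agent-stable-old", "stable", 100.0),
        KeyAgentModule("agent-stable-new", "stable", 200.0),
    ]
    # Constructed log: 6 fast successes, 2 timeouts, 2 errors -> 60% success.
    log = [(100.0 + i, 100.5 + i, True) for i in range(6)]
    log += [(110.0, 113.5, True), (111.0, 114.0, True)]
    log += [(112.0, 112.1, False), (113.0, 113.1, False)]
    print(simulate(log, mods, mods[0]))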
The processor 1401 may invoke the application program stored in the memory 1403 via the transmission device 1405 to perform the following steps. The key agent module sends key data to the service module, where the key data is used to decrypt the key list stored in the shared memory to obtain the decrypted key list, and the service module is further configured to execute the ciphertext processing request using the decrypted key list.
According to an embodiment of the present application, an electronic device for implementing the above service encryption (or service decryption) method is also provided.
FIG. 15 is a structural block diagram of an electronic device according to an embodiment of the present application. As shown in FIG. 15, the electronic device may include: one or more processors 1501 (only one is shown in the figure; for example the key agent module in the above embodiments), a memory 1503, and a transmission device 1505 (for example the sending device in the above embodiments). As shown in FIG. 15, the electronic device may further include an input/output device 1507.
The memory 1503 may store software programs and modules, such as the program instructions/modules corresponding to the service encryption (or service decryption) method and apparatus in the embodiments of the present application. By running the software programs and modules stored in the memory 1503, the processor 1501 performs various functional applications and data processing, that is, implements the above service encryption (or service decryption) method. The memory 1503 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1503 may further include memory located remotely from the processor 1501, and such remote memory may be connected to the terminal over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmission device 1505 receives or sends data via a network and may also carry out data transfer between the processor and the memory. Specific examples of the network may include wired networks and wireless networks. In one example, the transmission device 1505 includes a network interface controller (NIC), which may be connected through a network cable to other network devices and routers so as to communicate with the Internet or a local area network. In one example, the transmission device 1505 is a radio frequency (RF) module used to communicate with the Internet wirelessly.
Specifically, the memory 1503 is used to store an application program.
The processor 1501 may invoke the application program stored in the memory 1503 via the transmission device 1505 to perform the following steps:
The processor 1501 is further configured to perform the following steps of the service encryption method provided by the present application:
receiving an encryption request sent by the service module, where the encryption request carries the data to be encrypted; obtaining a target key from a key list, where the key list was pulled in advance from the key server; encrypting the data to be encrypted with the target key to obtain encrypted data; and the key agent module sending the encrypted data to the service module.
The processor 1501 is further configured to perform the following steps: sending a first public key to the key server and receiving a second public key from the key server, where the key agent module holds a pair consisting of the first public key and a first private key, and the key server holds a pair consisting of the second public key and a second private key; sending a key list pull request to the key server; the key agent module receiving the encrypted key list sent by the key server, where the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key; and decrypting the encrypted key list with a second communication key on the key agent module side to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is identical to the second communication key.
The processor 1501 is further configured to perform the following steps: when the key agent module restarts, sending the encrypted first public key to the key server, where the encrypted first public key is obtained by encrypting the first public key with an agreed key; receiving the encrypted second public key from the key server, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; and decrypting the encrypted second public key with the agreed key to obtain the second public key; where the agreed key is set to be used only when the key agent module restarts.
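The key list pull in the two paragraphs above (and the identical steps repeated under the service decryption method further down), shown with both sides of the exchange as an added Python example that is not the patent's or the applicant's code. The key agent holds the first key pair, the key server the second; each side derives the communication key from its own private key and the peer's public key, so the first and second communication keys coincide; the server encrypts the key list under that key and the agent decrypts it; on restart the public keys themselves travel encrypted under a pre-agreed key; and the agent finally picks a target key from the pulled list to encrypt service data. The Diffie-Hellman group, the HMAC-based stream cipher, the JSON key list and all names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Demonstration-only Diffie-Hellman group constructed for this example:
# p = 2**127 - 1 (a Mersenne prime). Production code should use a standardised
# group (RFC 7919) or an elliptic-curve agreement such as X25519 instead.
P = 2**127 - 1
G = 5


def generate_keypair():
    """Return (private, public); the agent holds the first pair, the server the second."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def communication_key(own_private, peer_public):
    """Derive the communication key from own private key and the peer's public key.
    Server side: (second private, first public). Agent side: (first private,
    second public). Both inputs give the same shared value, hence the same key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC using an HMAC-SHA256 keystream (demonstration construction)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key, blob):
    """Verify the tag first, then strip the keystream; raises on tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def int_to_bytes(n):
    return n.to_bytes(16, "big")      # every group element fits in 16 bytes


class KeyServer:
    """Holds the second key pair and the key list handed out to agents (assumed design)."""

    def __init__(self, key_list, agreed_key):
        self.private, self.public = generate_keypair()
        self.key_list = key_list
        self.agreed_key = agreed_key         # used only when an agent restarts
        self.sessions = {}                   # first public key -> first communication key

    def exchange_public_keys(self, first_public, restart=False):
        if restart:   # the first public key arrives encrypted under the agreed key
            first_public = int.from_bytes(decrypt(self.agreed_key, first_public), "big")
        self.sessions[first_public] = communication_key(self.private, first_public)
        if restart:
            return encrypt(self.agreed_key, int_to_bytes(self.public))
        return self.public

    def pull_key_list(self, first_public):
        """Answer a key list pull request: the list encrypted under the first communication key."""
        return encrypt(self.sessions[first_public], json.dumps(self.key_list).encode())


class KeyAgent:
    """Holds the first key pair; pulls and decrypts the key list (assumed design)."""

    def __init__(self, agreed_key):
        self.private, self.public = generate_keypair()
        self.agreed_key = agreed_key
        self.key_list = None

    def pull(self, server, restart=False):
        if restart:
            reply = server.exchange_public_keys(encrypt(self.agreed_key, int_to_bytes(self.public)), restart=True)
            second_public = int.from_bytes(decrypt(self.agreed_key, reply), "big")
        else:
            second_public = server.exchange_public_keys(self.public)
        comm = communication_key(self.private, second_public)   # second communication key
        self.key_list = json.loads(decrypt(comm, server.pull_key_list(self.public)).decode())
        return self.key_list

    def encrypt_for_service(self, key_id, data):
        """Encrypt service data with the target key selected from the pulled key list."""
        return encrypt(bytes.fromhex(self.key_list[key_id]), data)
```

The agreed key is the one long-lived secret in this flow, which is why the page restricts it to the restart path; whoever can read it can also read the public keys that cross the wire at restart, so it deserves the same protection as the key list itself, and a practitioner would rotate it and record each restart exchange.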
The processor 1501 is further configured to perform the following steps: before the key agent module receives the encryption request sent by the service module, obtaining the process PID of the service process, where the service process is the process by which the service module sends the data to be encrypted; and performing a legality check on the service process and the process PID; obtaining the target key from the key list then includes: if the legality check passes, the key agent module obtains the target key from the key list.
The processor 1501 is further configured to perform the following steps: obtaining the full process path corresponding to the process PID; judging whether the full process path is one of the legal paths obtained in advance from the key server; if the full process path is judged to be one of the legal paths, performing an MD5 check operation on the service process to obtain a first MD5 check result; if the full process path is judged not to be one of the legal paths, judging that the legality check fails; judging whether the first MD5 check result is the same as a second MD5 check result obtained in advance for the service process; if the first MD5 check result is the same as the second MD5 check result, judging that the legality check passes; if the first MD5 check result differs from the second MD5 check result, judging that the legality check fails.
The processor 1501 further performs the following steps: after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the encryption request sent by the service module, and provided the legality check passes, obtaining a first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; generating a second file descriptor, where the second file descriptor is used by the service module to identify data sent by the key agent module as legal data; and transmitting the second file descriptor to the service module.
The processor 1501 is further configured to perform the following steps: receiving the encryption request sent by the service module includes: obtaining from the shared memory the data to be encrypted that the service module stored there; sending the encrypted data to the service module includes: storing the encrypted data in the shared memory so that the service module obtains the encrypted data from the shared memory.
The processor 1501 is further configured to perform the following steps: after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the encryption request sent by the service module, and provided the legality check passes, setting a target permission for the first file descriptor, where the target permission includes at least one of: allowing the key agent module to encrypt the data to be encrypted that the service module requests, and allowing the key agent module to decrypt the data to be decrypted that the service module requests.
The processor 1501 is further configured to perform the following steps: if the legality check passes and the target permission includes allowing the key agent module to encrypt the data to be encrypted that the service module requests, the key agent module obtains the target key from the key list.
The processor 1501 is further configured to perform the following steps: the key agent module obtains the process PID of the service process through a unix domain socket in non-root running mode; or, the key agent module sets the SO_PEERCRED option on the socket and obtains the process PID of the service process through that socket.
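The legality check and permission grant described in the paragraphs above, as an added Python example that is not the patent's or the applicant's code: the key agent reads the peer PID off the unix domain socket with SO_PEERCRED, resolves the full path of the service process, requires that path to be one of the legal paths obtained from the key server, computes MD5 over the binary and compares it with the expected digest, and only then records the target permission (encrypt and/or decrypt) that later requests over that connection are allowed to use. It is Linux-specific (/proc and SO_PEERCRED); the function names, the session object and the self-check are assumptions made for this example.

```python
import hashlib
import hmac
import os
import socket
import struct


def peer_pid(sock):
    """PID of the process at the other end of a unix domain socket, via SO_PEERCRED."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    pid, _uid, _gid = struct.unpack("iII", raw)    # struct ucred: pid, uid, gid
    return pid


def process_full_path(pid):
    """Full path of the executable behind pid (Linux /proc)."""
    return os.readlink(f"/proc/{pid}/exe")


def md5_of_file(path):
    """MD5 of the binary on disk, streamed so large executables are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def legality_check(pid, legal_paths, expected_md5):
    """Path allowlist first, then the MD5 comparison; any error fails the check."""
    try:
        path = process_full_path(pid)
    except OSError:
        return False          # process gone or not readable: fail closed
    if path not in legal_paths:
        return False          # full path is not one of the legal paths
    first = md5_of_file(path)                      # first MD5 check result
    second = expected_md5.get(path, "")            # second MD5 check result, obtained in advance
    return hmac.compare_digest(first, second)


class Session:
    """Target permission the key agent grants one verified service connection."""
    ENCRYPT, DECRYPT = "encrypt", "decrypt"

    def __init__(self, permissions):
        self.permissions = frozenset(permissions)

    def allows(self, op):
        return op in self.permissions


def admit(sock, legal_paths, expected_md5, permissions):
    """Run the legality check on the peer of sock; return a Session, or None if it fails."""
    if not legality_check(peer_pid(sock), legal_paths, expected_md5):
        return None
    return Session(permissions)


def self_test():
    """Exercise the check against this very process over a socketpair (constructed input)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid = peer_pid(a)
        path = process_full_path(pid)
        digest = md5_of_file(path)
        return {
            "pid_matches": pid == os.getpid(),
            "admitted": admit(a, {path}, {path: digest}, {Session.ENCRYPT}),
            "wrong_path": admit(a, set(), {path: digest}, {Session.ENCRYPT}),
            "wrong_md5": admit(a, {path}, {path: "0" * 32}, {Session.ENCRYPT}),
        }
    finally:
        a.close()
        b.close()
```

Two caveats a practitioner would attach: the digest is computed over the file on disk at check time, not over the running process image, so the check establishes which binary was started rather than what it is executing now; and MD5 is the page's choice, so a deployment that controls the expected digests would use a collision-resistant hash for the second check result.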
The processor 1501 is further configured to perform the following steps of the service decryption method provided by the present application:
receiving a decryption request sent by the service module, where the decryption request carries the data to be decrypted; obtaining a target key from a key list, where the key list was pulled in advance from the key server; decrypting the data to be decrypted with the target key to obtain decrypted data; and the key agent module sending the decrypted data to the service module.
The processor 1501 is further configured to perform the following steps: sending a first public key to the key server and receiving a second public key from the key server, where the key agent module holds a pair consisting of the first public key and a first private key, and the key server holds a pair consisting of the second public key and a second private key; sending a key list pull request to the key server; the key agent module receiving the encrypted key list sent by the key server, where the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key; and decrypting the encrypted key list with a second communication key on the key agent module side to obtain the key list, where the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is identical to the second communication key.
The processor 1501 is further configured to perform the following steps: when the key agent module restarts, sending the encrypted first public key to the key server, where the encrypted first public key is obtained by encrypting the first public key with an agreed key; receiving the encrypted second public key from the key server, where the encrypted second public key is obtained by encrypting the second public key with the agreed key; and decrypting the encrypted second public key with the agreed key to obtain the second public key; where the agreed key is set to be used only when the key agent module restarts.
The processor 1501 is further configured to perform the following steps: before the key agent module receives the decryption request sent by the service module, obtaining the process PID of the service process, where the service process is the process by which the service module sends the data to be decrypted; and performing a legality check on the service process and the process PID; obtaining the target key from the key list then includes: if the legality check passes, the key agent module obtains the target key from the key list.
The processor 1501 is further configured to perform the following steps: obtaining the full process path corresponding to the process PID; judging whether the full process path is one of the legal paths obtained in advance from the key server; if the full process path is judged to be one of the legal paths, performing an MD5 check operation on the service process to obtain a first MD5 check result; if the full process path is judged not to be one of the legal paths, judging that the legality check fails; judging whether the first MD5 check result is the same as a second MD5 check result obtained in advance for the service process; if the first MD5 check result is the same as the second MD5 check result, judging that the legality check passes; if the first MD5 check result differs from the second MD5 check result, judging that the legality check fails.
The processor 1501 is further configured to perform the following steps: after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the decryption request sent by the service module, and provided the legality check passes, obtaining a first file descriptor sent by the service module, where the first file descriptor is used by the key agent module to identify data sent by the service module as legal data; generating a second file descriptor, where the second file descriptor is used by the service module to identify data sent by the key agent module as legal data; and transmitting the second file descriptor to the service module.
The processor 1501 is further configured to perform the following steps: receiving the decryption request sent by the service module includes: obtaining from the shared memory the data to be decrypted that the service module stored there; sending the decrypted data to the service module includes: storing the decrypted data in the shared memory so that the service module obtains the decrypted data from the shared memory.
The processor 1501 is further configured to perform the following steps: after the key agent module performs the legality check on the service process and the process PID, before the key agent module receives the decryption request sent by the service module, and provided the legality check passes, setting a target permission for the first file descriptor, where the target permission includes at least one of: allowing the key agent module to decrypt the data to be decrypted that the service module requests, and allowing the key agent module to decrypt the data to be decrypted that the service module requests.
The processor 1501 is further configured to perform the following steps: if the legality check passes and the target permission includes allowing the key agent module to decrypt the data to be decrypted that the service module requests, the key agent module obtains the target key from the key list.
The processor 1501 is further configured to perform the following steps: the key agent module obtains the process PID of the service process through a unix domain socket in non-root running mode; or, the key agent module sets the SO_PEERCRED option on the socket and obtains the process PID of the service process through that socket.
The embodiments of the present application provide a service encryption (or service decryption) scheme. The key agent module receives an encryption (or decryption) request, then obtains a target key according to the key request, and then encrypts the data to be encrypted (or decrypts the data to be decrypted) with the target key. The service encryption (or decryption) manner provided in the embodiments of the present application achieves the aim of encrypting (or decrypting) services more securely, thereby achieving the technical effect of improving key security when services are encrypted (or decrypted) and solving the technical problem in the prior art that key security is low when services are decrypted.
Optionally, for specific examples of this embodiment, reference may be made to the examples described in the above embodiments, which are not repeated here.
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments may be completed by a program instructing hardware associated with a terminal device; the program may be stored in a computer-readable storage medium, and the storage medium may include a flash drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.
Embodiment 4
An embodiment of the present application further provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store program code for executing the service processing method. Optionally, in this embodiment, the storage medium may be located on at least one of the plurality of network devices in the network shown in the above embodiments.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
obtaining first information, where the first information is used to indicate the execution result of a first type of key agent module executing ciphertext processing requests; detecting whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module is determined to have a vulnerability; and if the first information is detected to meet the predetermined type switching condition, executing the ciphertext processing request of the service module through a second type of key agent module.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S11, the key agent module receives an encryption request sent by the service module, where the encryption request carries the data to be encrypted;
S12, the key agent module obtains a target key from a key list, where the key list was pulled in advance from the key server;
S13, the key agent module encrypts the data to be encrypted with the target key to obtain encrypted data;
S14, the key agent module sends the encrypted data to the service module.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S21, the key agent module receives a decryption request sent by the service module, where the decryption request carries the data to be decrypted;
S22, the key agent module obtains a target key from a key list, where the key list was pulled in advance from the key server;
S23, the key agent module decrypts the data to be decrypted with the target key to obtain decrypted data;
S24, the key agent module sends the decrypted data to the service module.
Optionally, for specific examples of this embodiment, reference may be made to the examples described in the above embodiments, which are not repeated here.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.
If the integrated units in the above embodiments are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in the above computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing one or more computer devices (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present application.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for a part not detailed in one embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed client may be implemented in other manners. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and in actual implementation there may be another manner of division, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units, or modules, and may be electrical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above is only an optional implementation of the present application. It should be noted that a person of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present application, and these improvements and refinements should also be regarded as falling within the scope of protection of the present application.
Industrial applicability
In the embodiments of the present application, first information is obtained, where the first information indicates the execution result of the first type of key agent module executing ciphertext processing requests; whether the first information meets a predetermined type switching condition is detected; and if the first information is detected to meet the predetermined type switching condition, the ciphertext processing request of the service module is executed through the second type of key agent module. In the above embodiments, whether the predetermined type switching condition is met can be determined from the result of the first type of key agent processing module executing ciphertext processing requests; when the switching condition is met, ciphertext processing requests are no longer executed through the first type of key agent processing module but through the second type of key agent processing module. In this scheme, when the first type of key agent processing module can no longer execute ciphertext processing requests stably, the second type of key agent module is switched to so that ciphertext processing requests are handled stably, which solves the problem in the prior art that keys are insufficiently stable when services are encrypted and decrypted.

Claims (64)

  1. A service processing method, comprising:
    obtaining first information, where the first information is used to indicate the execution result of a first type of key agent module executing ciphertext processing requests;
    detecting whether the first information meets a predetermined type switching condition, where meeting the predetermined type switching condition indicates that the first type of key agent module is determined to have a vulnerability;
    if the first information is detected to meet the predetermined type switching condition, executing the ciphertext processing request of a service module through a second type of key agent module.
  2. The method according to claim 1, wherein
    before obtaining the first information, the method further comprises: sending a ciphertext processing request to the first type of key agent module; and obtaining the execution result of the first type of key agent module executing the ciphertext processing request;
    obtaining the first information comprises: calculating, from the execution result, the success rate of the first type of key agent module executing ciphertext processing requests, where the first information comprises the success rate.
  3. The method according to claim 2, wherein the predetermined type switching condition comprises the success rate being lower than a first predetermined threshold, and detecting whether the first information meets the predetermined type switching condition comprises:
    detecting whether the success rate is lower than the first predetermined threshold;
    if the success rate is detected to be lower than the first predetermined threshold, determining that the first information meets the predetermined type switching condition;
    if the success rate is detected not to be lower than the first predetermined threshold, determining that the first information does not meet the predetermined type switching condition.
  4. The method according to claim 1, wherein the first type of key agent module is a development-type key agent module, the second type of key agent module is a stable-type key agent module, and the stable-type key agent module is a key agent module whose correctness rate in executing ciphertext processing requests over a predetermined time period is higher than a predetermined correctness rate.
  5. The method according to claim 4, wherein before obtaining the first information, the method further comprises:
    after a file in a key agent module in the system is updated, recording the key agent module on which the update operation was performed as the first type of key agent module;
    if, throughout a predetermined time period, the correctness rate of the first type of key agent module executing ciphertext processing requests is detected to be higher than the predetermined correctness rate, recording the first type of key agent module as the second type of key agent module.
  6. The method according to claim 1, wherein before obtaining the first information, the method further comprises:
    while the first type of key agent module in the system is running, if a file in the key agent module needs to be updated, updating the file in the first type of key agent module.
  7. The method according to claim 1, wherein executing the ciphertext processing request requested by the service module through the second type of key agent module comprises:
    if the system comprises multiple second-type key agent modules, obtaining from the multiple second-type key agent modules the second-type key agent module with the latest update time, and executing the ciphertext processing request through the second-type key agent module with the latest update time.
  8. The method according to claim 1, wherein after executing the ciphertext processing request of the service module through the second type of key agent module, the method further comprises:
    在接收到输入的切换指令之后,响应于所述切换指令,通过所述第一类型的密钥代理模块执行密文处理请求。After receiving the input switching instruction, the ciphertext processing request is performed by the first type of key broker module in response to the switching instruction.
  9. 根据权利要求1所述的方法,其中,在通过第一类型的密钥代理模块或第二类型的密钥代理模块执行所述密文处理请求的过程中,所述方法还包括: The method of claim 1, wherein in the performing the ciphertext processing request by the first type of key broker module or the second type of key broker module, the method further comprises:
    通过业务线程获取所述密钥代理模块的密钥数据,其中,所述密钥代理模块设置为在检测出执行所述密文处理请求的成功率低于第二预定阈值的情况下,发送所述密钥数据;Obtaining, by the service thread, the key data of the key agent module, wherein the key agent module is configured to send the station if it is detected that the success rate of executing the ciphertext processing request is lower than a second predetermined threshold Key data
    利用所述密钥数据解密共享内存中存储的密钥列表,得到解密后的密钥列表;Decrypting the key list stored in the shared memory by using the key data to obtain a decrypted key list;
    利用所述解密后的密钥列表通过业务模块执行所述密文处理请求。The ciphertext processing request is executed by the service module by using the decrypted key list.
  10. 根据权利要求9所述的方法,其中,在通过业务线程获取所述密钥代理模块的密钥数据之前,所述方法还包括:The method of claim 9, wherein before the obtaining the key data of the key broker module by the service thread, the method further comprises:
    通过所述业务线程生成通信管道的第一端描述符和第二端描述符,其中,所述第一端描述符用于所述密钥代理模块将所述业务模块发送的数据识别为合法数据,所述第二端描述符用于所述业务模块将所述密钥代理模块发送的数据识别为合法数据;Generating, by the service thread, a first end descriptor and a second end descriptor of a communication pipeline, wherein the first end descriptor is used by the key proxy module to identify data sent by the service module as legal data The second end descriptor is used by the service module to identify data sent by the key proxy module as legal data;
    通过所述通信管道将所述第二端描述符传输给所述密钥代理模块。Transmitting the second end descriptor to the key broker module via the communication conduit.
  11. 根据权利要求10所述的方法,其中,通过业务线程获取所述密钥代理模块的密钥数据包括:The method of claim 10, wherein the obtaining the key data of the key agent module by the service thread comprises:
    通过所述业务线程周期性从所述通信管道的读端读取数据;Reading data from the read end of the communication pipe periodically through the service thread;
    若从所述通信管道的读端读取到数据,则确定获取到所述密钥数据。If data is read from the read end of the communication pipe, it is determined that the key data is acquired.
  12. 根据权利要求10所述的方法,其中,所述通信管道还用于检测所述业务模块、以及所述密钥代理模块是否重启。The method of claim 10 wherein said communication conduit is further for detecting said service module and whether said key agent module is restarted.
  13. 根据权利要求1所述的方法,其中,在通过密钥代理模块执行所述密文处理请求的过程中,所述方法还包括:The method of claim 1, wherein in the performing the ciphertext processing request by the key broker module, the method further comprises:
    在所述密钥代理模块对业务进程进行合法性校验之后,在所述合法性校验通过的情况下,所述业务模块向所述密钥代理模块发送第一 文件描述符,其中,所述第一文件描述符用于所述密钥代理模块将所述业务模块发送的数据识别为合法数据;After the validity of the validity of the service process by the key agent module, the service module sends the first to the key agent module if the validity check is passed. a file descriptor, wherein the first file descriptor is used by the key agent module to identify data sent by the service module as legal data;
    获取所述密钥代理模块生成的多个第二文件描述符,其中,所述第二文件描述符用于所述业务模块将所述密钥代理模块发送的数据识别为合法数据。Obtaining a plurality of second file descriptors generated by the key agent module, wherein the second file descriptor is used by the service module to identify data sent by the key agent module as legal data.
  14. 根据权利要求13所述的方法,其中,在获取所述密钥代理模块生成的多个第二文件描述符之后,所述方法还包括:The method of claim 13, wherein after acquiring the plurality of second file descriptors generated by the key broker module, the method further comprises:
    将获取到的所述多个第二文件描述符保存至队列中;Saving the obtained plurality of second file descriptors into a queue;
    依序利用所述队列中存储的第二文件描述符与所述密钥代理模块进行通信。The second file descriptor stored in the queue is used to communicate with the key broker module in sequence.
  15. 根据权利要求13所述的方法,其中,所述多个第二文件描述符的数目与所述密钥代理模块中用于执行所述密文处理请求的线程数目相对应。The method of claim 13, wherein the number of the plurality of second file descriptors corresponds to a number of threads in the key broker module for executing the ciphertext processing request.
  16. 根据权利要求1至15中任意一项所述的方法,其中,所述密文处理请求包括:用于将待加密数据加密为密文数据的请求和/或用于将密文数据解密为解密数据的请求。The method according to any one of claims 1 to 15, wherein the ciphertext processing request comprises: a request for encrypting data to be encrypted into ciphertext data and/or for decrypting ciphertext data into decryption Request for data.
  17. 一种业务处理方法,包括:A business processing method comprising:
    第一类型的密钥代理模块接收并执行业务模块的密文处理请求,得到执行结果;The first type of key agent module receives and executes the ciphertext processing request of the service module, and obtains an execution result;
    第二类型的密钥代理模块接收并执行所述业务模块的密文处理请求,其中,所述业务模块设置为在基于所述执行结果生成的第一信息符合预定类型切换条件的情况下,向所述第二类型的密钥代理模块发送密文处理请求,其中,符合所述预定类型切换条件表示确定所述第一类型的密钥代理模块出现漏洞。a second type of key agent module receives and executes a ciphertext processing request of the service module, wherein the service module is configured to: if the first information generated based on the execution result meets a predetermined type switching condition, The second type of key broker module sends a ciphertext processing request, wherein conforming to the predetermined type of handover condition indicates that a vulnerability occurs in the first type of key broker module.
  18. 根据权利要求17所述的方法,其中,所述第一类型的密钥代理模块为开发型密钥代理模块,所述第二类型的密钥代理模块为稳定型密钥 代理模块,所述稳定型密钥代理模块为在预定时间段内、执行密文处理请求的正确率高于预定正确率的密钥代理模块。The method of claim 17, wherein the first type of key agent module is a development type key agent module and the second type of key agent module is a stable type key The proxy module, the stable key proxy module is a key broker module that performs a ciphertext processing request with a correct rate higher than a predetermined correct rate within a predetermined time period.
  19. 根据权利要求17所述的方法,其中,The method of claim 17, wherein
    在第一类型的密钥代理模块接收并执行业务模块的密文处理请求,得到执行结果之前,所述方法还包括:在对系统中的密钥代理模块中的文件进行更新之后,将执行了更新操作的密钥代理模块记录为所述第一类型的密钥代理模块;Before the first type of key agent module receives and executes the ciphertext processing request of the service module, and obtains the execution result, the method further includes: after updating the file in the key agent module in the system, the method is executed. The key agent module of the update operation is recorded as the first type of key agent module;
    在第一类型的密钥代理模块接收并执行业务模块的密文处理请求,得到执行结果之后,所述方法还包括:若在预定时间段内均检测出所述第一类型的密钥代理模块执行所述密文处理请求的正确率高于预定正确率,则将所述第一类型的密钥代理模块记录为第二类型的密钥代理模块。After the first type of key agent module receives and executes the ciphertext processing request of the service module, and obtains the execution result, the method further includes: if the first type of the key agent module is detected within a predetermined time period The correctness rate of the execution of the ciphertext processing request is higher than the predetermined correct rate, and the first type of key broker module is recorded as the second type of key broker module.
  20. 根据权利要求17所述的方法,其中,在所述第一类型的密钥代理模块执行所述业务模块的密文处理请求的过程中,所述方法还包括:The method according to claim 17, wherein in the process of the ciphertext processing request of the service module of the first type of the key agent module, the method further comprises:
    若需对密钥代理模块中的文件进行更新,则对所述第一类型的密钥代理模块中的文件进行更新。If the file in the key agent module needs to be updated, the file in the first type of key agent module is updated.
  21. 根据权利要求17所述的方法,其中,在密钥代理模块执行所述密文处理请求的过程中,所述方法还包括:The method of claim 17, wherein in the process of the key broker module performing the ciphertext processing request, the method further comprises:
    所述密钥代理模块检测执行所述密文处理请求的成功率是否低于第二预定阈值;The key agent module detects whether a success rate of executing the ciphertext processing request is lower than a second predetermined threshold;
    若检测出执行所述密文处理请求的成功率是否低于第二预定阈值,则向所述业务模块发送密钥数据,And if it is detected whether the success rate of executing the ciphertext processing request is lower than a second predetermined threshold, sending key data to the service module,
    其中,所述密钥数据用于解密共享内存中存储的密钥列表,得到解密后的密钥列表,所述业务模块还设置为通过所述解密后的密钥列表执行所述密文处理请求。The key data is used to decrypt a key list stored in the shared memory to obtain a decrypted key list, and the service module is further configured to execute the ciphertext processing request by using the decrypted key list. .
  22. 根据权利要求21所述的方法,其中,在所述密钥代理模块检测执行 所述密文处理请求的成功率是否低于第二预定阈值之前,所述方法还包括:The method of claim 21 wherein said key agent module detects execution The method further includes: before the success rate of the ciphertext processing request is lower than a second predetermined threshold, the method further includes:
    所述密钥代理模块在执行完所述密文处理请求之后,基于所述密文处理请求中的请求时间与当前时间,判断执行当前的所述密文处理请求是否超时;After performing the ciphertext processing request, the key proxy module determines whether to execute the current ciphertext processing request timeout based on the request time and the current time in the ciphertext processing request;
    若判断出执行当前的所述密文处理请求超时,则确定执行当前的所述密文处理请求失败;If it is determined that the current ciphertext processing request is timed out, it is determined that the execution of the current ciphertext processing request fails;
    基于执行失败的密文处理请求的数量,统计所述密钥代理模块执行所述密文处理请求的成功率。The success rate of the ciphertext processing request by the key agent module is counted based on the number of ciphertext processing requests that fail to execute.
  23. 根据权利要求21所述的方法,其中,在所述密钥代理模块检测执行所述密文处理请求的成功率是否低于第二预定阈值之前,所述方法还包括:The method of claim 21, wherein before the key agent module detects whether the success rate of executing the ciphertext processing request is lower than a second predetermined threshold, the method further comprises:
    接收通过业务线程传输的通信管道的第二端描述符,其中,所述业务线程用于生成第一端描述符和第二端描述符,其中,所述第一端描述符用于所述密钥代理模块将所述业务模块发送的数据识别为合法数据,所述第二端描述符用于所述业务模块将所述密钥代理模块发送的数据识别为合法数据。Receiving a second end descriptor of a communication pipeline transmitted by the service thread, wherein the service thread is configured to generate a first end descriptor and a second end descriptor, wherein the first end descriptor is used for the secret The key agent module identifies the data sent by the service module as legal data, and the second end descriptor is used by the service module to identify the data sent by the key agent module as legal data.
  24. 根据权利要求23所述的方法,其中,向所述业务模块发送密钥数据包括:The method of claim 23, wherein transmitting the key data to the service module comprises:
    通过各个所述业务线程的通信管道的写端,发送所述密钥数据。The key data is transmitted through a write end of a communication pipe of each of the service threads.
  25. 根据权利要求23所述的方法,其中,所述通信管道还用于检测所述业务模块、以及所述密钥代理模块是否重启。The method of claim 23 wherein said communication conduit is further for detecting said service module and whether said key agent module is restarted.
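The pipe mechanism of claims 10 to 12 and 23 to 25 is easiest to see in running code. The following is an added example written for this page, not code from the patent or its applicant. It assumes a single process in which a service thread creates the pipe, keeps the read end, and hands the write end to the key agent module; the agent pushes constructed key data on demand, the service thread polls the read end periodically, and closure of the agent's write ends (end of file on the read end) is what signals an agent restart. Across real process boundaries the descriptor would be passed over a unix domain socket with SCM_RIGHTS, which this demo does not do.

```python
import os
import select

# Constructed sample payload: the key data a key agent module pushes to the
# service threads once its own success rate drops below the second threshold.
SAMPLE_KEY_DATA = b"demo-key-data-0001"


class ServiceThreadChannel:
    """Service-thread side of the communication pipe (claims 10, 11, 23, 24).

    The service thread creates the pipe and keeps the read end (the first-end
    descriptor); the write end (the second-end descriptor) is handed to the key
    agent module.  Only data arriving on this pipe is treated as legitimate key
    data from the agent.
    """

    def __init__(self):
        self.read_fd, self.write_fd = os.pipe()
        # Non-blocking so the periodic poll never stalls the service thread.
        os.set_blocking(self.read_fd, False)

    def descriptor_for_agent(self):
        """The second-end descriptor to transmit to the key agent module.

        In this single-process demo the agent receives the raw fd number;
        across processes it would travel over a unix domain socket (SCM_RIGHTS).
        """
        return self.write_fd

    def poll_key_data(self, timeout=0.0):
        """One periodic read from the read end (claim 11).

        Returns the key data, None when nothing has arrived, or b"" when every
        write end has been closed, which is how an agent restart shows up
        (claims 12 and 25).
        """
        ready, _, _ = select.select([self.read_fd], [], [], timeout)
        if not ready:
            return None
        return os.read(self.read_fd, 4096)

    def close(self):
        os.close(self.read_fd)


class KeyAgentFanout:
    """Key-agent side: one write end per registered service thread (claim 24)."""

    def __init__(self):
        self.write_fds = []

    def register(self, write_fd):
        self.write_fds.append(write_fd)

    def push_key_data(self, key_data):
        # Called only once the agent has found its success rate below the
        # second predetermined threshold (claim 21); that decision is made
        # elsewhere.
        for fd in self.write_fds:
            os.write(fd, key_data)

    def shutdown(self):
        """Simulate the agent process going away (restart): its write ends close."""
        for fd in self.write_fds:
            os.close(fd)
        self.write_fds = []


def run_pipe_demo():
    """Drive two service threads and one agent through the full exchange."""
    channels = [ServiceThreadChannel() for _ in range(2)]
    agent = KeyAgentFanout()
    for ch in channels:
        agent.register(ch.descriptor_for_agent())

    idle = [ch.poll_key_data() for ch in channels]          # nothing sent yet
    agent.push_key_data(SAMPLE_KEY_DATA)                     # degradation detected
    received = [ch.poll_key_data(timeout=1.0) for ch in channels]
    agent.shutdown()                                         # agent restarts
    restart_seen = [ch.poll_key_data(timeout=1.0) == b"" for ch in channels]
    for ch in channels:
        ch.close()
    return {"idle": idle, "received": received, "restart_detected": all(restart_seen)}
```

Because the pipe is created by the service thread and its write end exists only where the agent was handed it, anything that arrives on the read end can be attributed to the agent; a restart of either side shows up as end of file rather than as a timeout, which is why the claims use the same pipe for liveness detection.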
  26. The method according to claim 17, wherein during execution of the ciphertext processing request by a key agent module, the method further includes:
    after the key agent module performs a legitimacy check on a service process, and when the legitimacy check passes, receiving, by the key agent module, a first file descriptor sent by the service module, wherein the first file descriptor is used by the key agent module to identify data sent by the service module as legitimate data;
    generating, by the key agent module, a plurality of second file descriptors, wherein the second file descriptors are used by the service module to identify data sent by the key agent module as legitimate data;
    transmitting, by the key agent module, the plurality of second file descriptors to the service module.
  27. The method according to claim 26, wherein the number of the plurality of second file descriptors corresponds to the number of threads in the key agent module that execute the ciphertext processing request.
  28. The method according to any one of claims 17 to 27, wherein the ciphertext processing request includes a request for encrypting data to be encrypted into ciphertext data and/or a request for decrypting ciphertext data into decrypted data.
  29. A service processing method, including:
    obtaining, by a key agent module, an execution result of executing a ciphertext processing request;
    detecting, by the key agent module, whether the execution result meets a predetermined mode switching condition, wherein meeting the predetermined mode switching condition indicates that the key agent module has been determined to have a vulnerability;
    if the execution result is detected to meet the predetermined mode switching condition, sending, by the key agent module, indication information to a service module, wherein the indication information is used to instruct the service module to switch to a mode in which the ciphertext processing request is executed by the service module itself.
  30. The method according to claim 29, wherein obtaining, by the key agent module, the execution result of executing the ciphertext processing request includes:
    after executing the ciphertext processing request, determining, by the key agent module, from the request time carried in the ciphertext processing request and the current time, whether execution of the current ciphertext processing request has timed out;
    if execution of the current ciphertext processing request is determined to have timed out, determining, by the key agent module, that execution of the current ciphertext processing request failed;
    calculating, by the key agent module, the success rate of the key agent module in executing ciphertext processing requests from the number of ciphertext processing requests whose execution failed, wherein the execution result includes the success rate.
  31. The method according to claim 30, wherein detecting, by the key agent module, whether the execution result meets the predetermined mode switching condition includes:
    detecting, by the key agent module, whether the success rate is lower than a second predetermined threshold;
    if the success rate in executing the ciphertext processing request is detected to be lower than the second predetermined threshold, determining that the execution result meets the predetermined mode switching condition.
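Claims 3, 5, 7, 21, 22, 30 and 31 together describe one piece of accounting: classify each execution (a timed-out request is a failure even if it produced a result), compute a success rate, and compare it with the first threshold on the service side or the second threshold on the agent side. The following is an added example for this page, not the patent's own code. The execution log, the thresholds, the sliding window and the helper names are all constructed for illustration; the claims fix only the comparisons, not the window or the sample values.

```python
from collections import deque

# Constructed execution log for a development-type key agent module, as
# (request_time, finish_time, executed_ok) in seconds.  Request 4 produced a
# correct result but exceeded the 1.0 s timeout, so claim 22 counts it as a failure.
SAMPLE_EXECUTIONS = [
    (100.0, 100.2, True),
    (101.0, 101.1, True),
    (102.0, 102.3, False),  # agent returned an error
    (103.0, 104.5, True),   # correct, but slower than the timeout
    (105.0, 105.1, True),
]


class AgentHealthMonitor:
    """Success-rate accounting for one key agent module (claims 22, 30, 31).

    Kept as a sliding window (an assumption of this example) so that a burst of
    old failures does not pin the rate down forever once the module recovers.
    """

    def __init__(self, timeout_seconds, window_size=100):
        self.timeout_seconds = timeout_seconds
        self.outcomes = deque(maxlen=window_size)  # True = success

    def record(self, request_time, finish_time, executed_ok):
        """Classify one execution; a timed-out request is a failure."""
        timed_out = (finish_time - request_time) > self.timeout_seconds
        ok = executed_ok and not timed_out
        self.outcomes.append(ok)
        return ok

    def success_rate(self):
        # No observations yet means no evidence of trouble.
        if not self.outcomes:
            return 1.0
        failures = sum(1 for ok in self.outcomes if not ok)
        return 1.0 - failures / len(self.outcomes)


def meets_type_switch_condition(success_rate, first_threshold):
    """Service-module check of claim 3: switch when the rate is strictly below the threshold."""
    return success_rate < first_threshold


def agent_should_send_key_data(success_rate, second_threshold):
    """Agent-side check of claims 21 and 31: hand the key data to the service
    module so that it can finish requests itself."""
    return success_rate < second_threshold


def pick_stable_agent(stable_agents):
    """Claim 7: among several stable-type modules use the most recently updated.
    stable_agents is a list of (name, update_time)."""
    return max(stable_agents, key=lambda agent: agent[1])[0]


def eligible_for_stable_type(correct_rates_in_period, predetermined_correct_rate):
    """Claims 5 and 19: promote a development-type module only if every check
    within the period was above the predetermined correct rate."""
    return bool(correct_rates_in_period) and all(
        rate > predetermined_correct_rate for rate in correct_rates_in_period)


def evaluate_sample(timeout_seconds=1.0):
    """Run the constructed log through the monitor; returns the success rate."""
    monitor = AgentHealthMonitor(timeout_seconds)
    for request_time, finish_time, executed_ok in SAMPLE_EXECUTIONS:
        monitor.record(request_time, finish_time, executed_ok)
    return monitor.success_rate()
```

On the constructed log the rate is 0.6 (two failures in five): below a first threshold of 0.9 the service module would route to the stable-type agent, and below a second threshold of 0.8 the agent itself would push its key data. Keeping the timeout classification inside the monitor matters for detection: an agent that is alive but stalled is indistinguishable from a broken one to the service module, and the claims treat both the same way.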
  32. The method according to claim 29, wherein sending the indication information to the service module by the key agent module includes:
    sending, by the key agent module, key data to the service module, wherein the key data is used to decrypt a key list stored in shared memory to obtain a decrypted key list, and the service module is further used to execute the ciphertext processing request using the decrypted key list.
  33. The method according to claim 29, wherein the key agent module includes a first-type key agent module and a second-type key agent module, the first-type key agent module is a development-type key agent module, the second-type key agent module is a stable-type key agent module, and the stable-type key agent module is a key agent module whose correctness rate in executing ciphertext processing requests has been higher than a predetermined correctness rate throughout a predetermined period of time.
  34. The method according to claim 33, wherein
    before the key agent module receives and executes the ciphertext processing request of the service module, the method further includes: after a file in a key agent module is updated, recording the key agent module on which the update operation was performed as the first-type key agent module;
    after the first-type key agent module receives and executes the ciphertext processing request of the service module to obtain the execution result, the method further includes: if, throughout a predetermined period of time, the correctness rate of the first-type key agent module in executing the ciphertext processing requests is detected to be higher than the predetermined correctness rate, recording the first-type key agent module as a second-type key agent module.
  35. The method according to claim 33, wherein during execution of the ciphertext processing request of the service module by the first-type key agent module, the method further includes:
    if a file in a key agent module needs to be updated, updating the file in the first-type key agent module.
  36. The method according to any one of claims 29 to 35, wherein the ciphertext processing request includes a request for encrypting data to be encrypted into ciphertext data and/or a request for decrypting ciphertext data into decrypted data.
  37. The method according to claim 36, wherein when the ciphertext processing request is a request for encrypting data to be encrypted into ciphertext data, the method further includes:
    receiving, by the key agent module, an encryption request sent by the service module, wherein the encryption request carries the data to be encrypted;
    obtaining, by the key agent module, a target key from a key list, wherein the key list has been pulled in advance from a key server;
    encrypting, by the key agent module, the data to be encrypted using the target key to obtain encrypted data;
    sending, by the key agent module, the encrypted data to the service module.
  38. The method according to claim 37, wherein before the key agent module receives the encryption request sent by the service module, the method further includes:
    sending, by the key agent module, a first public key to the key server and receiving a second public key from the key server, wherein the key agent module holds a key pair consisting of the first public key and a first private key, and the key server holds a key pair consisting of the second public key and a second private key;
    sending, by the key agent module, a key list pull request to the key server;
    receiving, by the key agent module, an encrypted key list sent by the key server, wherein the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key;
    decrypting, by the key agent module, the encrypted key list using a second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is identical to the second communication key.
  39. The method according to claim 38, wherein sending, by the key agent module, the first public key to the key server and receiving the second public key from the key server includes:
    when the key agent module restarts, sending, by the key agent module, the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key with an agreed key;
    receiving, by the key agent module, the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key;
    decrypting, by the key agent module, the encrypted second public key using the agreed key to obtain the second public key;
    wherein the agreed key is configured to be used only when the key agent module restarts.
  40. The method according to claim 37, wherein
    before the key agent module receives the encryption request sent by the service module, the method further includes: obtaining, by the key agent module, a process PID of a service process, wherein the service process is the process through which the service module sends the data to be encrypted; and performing, by the key agent module, a legitimacy check on the service process and the process PID;
    obtaining, by the key agent module, the target key from the key list includes: when the legitimacy check passes, obtaining, by the key agent module, the target key from the key list.
  41. The method according to claim 40, wherein performing, by the key agent module, the legitimacy check on the service process and the process PID includes:
    obtaining, by the key agent module, the full process path corresponding to the process PID;
    determining, by the key agent module, whether the full process path is one of the legitimate paths obtained in advance from the key server;
    when the full process path is determined to be one of the legitimate paths, performing, by the key agent module, an MD5 check operation on the service process to obtain a first MD5 check result; when the full process path is determined not to be one of the legitimate paths, determining that the legitimacy check fails;
    determining, by the key agent module, whether the first MD5 check result is the same as a second MD5 check result corresponding to the service process that was obtained in advance;
    if the first MD5 check result is the same as the second MD5 check result, determining that the legitimacy check passes; if the first MD5 check result differs from the second MD5 check result, determining that the legitimacy check fails.
  42. The method according to claim 40, wherein after the key agent module performs the legitimacy check on the service process and the process PID, and before the key agent module receives the encryption request sent by the service module, the method further includes:
    when the legitimacy check passes, obtaining, by the key agent module, a first file descriptor sent by the service module, wherein the first file descriptor is used by the key agent module to identify data sent by the service module as legitimate data;
    generating, by the key agent module, a second file descriptor, wherein the second file descriptor is used by the service module to identify data sent by the key agent module as legitimate data;
    transmitting, by the key agent module, the second file descriptor to the service module.
  43. The method according to claim 42, wherein
    receiving, by the key agent module, the encryption request sent by the service module includes: obtaining, by the key agent module, from shared memory the data to be encrypted that was stored there by the service module;
    sending, by the key agent module, the encrypted data to the service module includes: storing, by the key agent module, the encrypted data into the shared memory so that the service module obtains the encrypted data from the shared memory.
  44. The method according to claim 42, wherein after the key agent module performs the legitimacy check on the service process and the process PID, and before the key agent module receives the encryption request sent by the service module, the method further includes:
    when the legitimacy check passes, setting, by the key agent module, a target permission for the first file descriptor, wherein the target permission includes at least one of: allowing the key agent module to encrypt the data to be encrypted that is requested by the service module, and allowing the key agent module to decrypt the data to be decrypted that is requested by the service module.
  45. The method according to claim 44, wherein, when the legitimacy check passes, obtaining, by the key agent module, the target key from the key list includes:
    when the target permission includes allowing the key agent module to encrypt the data to be encrypted that is requested by the service module, obtaining, by the key agent module, the target key from the key list.
  46. The method according to claim 40, wherein obtaining, by the key agent module, the process PID of the service process includes:
    obtaining, by the key agent module running in non-root mode, the process PID of the service process through a unix domain socket; or
    configuring, by the key agent module, the socket option SO_PEERCRED on the socket, and obtaining the process PID of the service process through the socket.
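Claims 40, 41 and 46 form one procedure: learn the caller's PID from the kernel rather than from the caller, map the PID to the executable's full path, check the path against the list fetched in advance from the key server, and finally compare the binary's MD5 with the expected value. The following is an added example for this page, not code from the patent or its applicant. It assumes Linux (SO_PEERCRED via getsockopt and /proc/<pid>/exe), constructs a throwaway binary and its expected MD5 for the demonstration, and injects the PID-to-path resolver so the check can be exercised without a second process; the trusted-path dictionary stands in for the list obtained from the key server.

```python
import hashlib
import hmac
import os
import socket
import struct
import tempfile


def peer_pid(sock):
    """PID of the process at the other end of a connected unix domain socket.

    SO_PEERCRED is queried with getsockopt (Linux); the kernel fills in the
    peer's pid, uid and gid, so the value cannot be supplied by the client.
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def exe_path_of(pid):
    """Full path of the executable behind a PID (Linux procfs)."""
    return os.readlink(f"/proc/{pid}/exe")


def md5_of_file(path):
    """The 'MD5 check operation' on the service process binary (claim 41)."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def legitimacy_check(pid, trusted, resolve_path=exe_path_of):
    """Claim 41, step by step.

    trusted maps each legitimate full path (as fetched in advance from the key
    server) to the second MD5 check result expected for that binary.
    """
    full_path = resolve_path(pid)
    if full_path not in trusted:          # path is not one of the legal paths
        return False
    first_md5 = md5_of_file(full_path)    # first MD5 check result
    # Constant-time comparison so the result does not leak through timing.
    return hmac.compare_digest(first_md5, trusted[full_path])


def demo_peer_pid():
    """socketpair() yields two connected AF_UNIX sockets inside this process,
    so the peer PID read from either end must equal our own PID."""
    left, right = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_pid(left), os.getpid()
    finally:
        left.close()
        right.close()


def demo_legitimacy():
    """Exercise the three outcomes of claim 41 against a constructed binary."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "service-module")
        with open(binary, "wb") as handle:
            handle.write(b"constructed service binary contents")
        expected = md5_of_file(binary)
        placeholder_pid = 4242  # never dereferenced: resolve_path is injected
        resolver = lambda _pid: binary
        return {
            "accepted": legitimacy_check(placeholder_pid, {binary: expected}, resolver),
            "wrong_md5": legitimacy_check(placeholder_pid, {binary: "0" * 32}, resolver),
            "unlisted_path": legitimacy_check(
                placeholder_pid, {"/usr/bin/other-service": expected}, resolver),
        }
```

Two caveats a practitioner would add. The claims specify MD5, whose collision resistance is broken; a deployment should fingerprint the binary with SHA-256 and the same flow still applies. And the path resolved from /proc/<pid>/exe describes the file at check time, so the first file descriptor and target permission of claims 42 and 44 should be bound to the checked process (for example by keeping the connection open) rather than re-resolved per request.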
  47. The method according to claim 36, wherein when the ciphertext processing request is a request for decrypting ciphertext data into decrypted data, the method includes:
    receiving, by the key agent module, a decryption request sent by the service module, wherein the decryption request carries the data to be decrypted;
    obtaining, by the key agent module, a target key from a key list, wherein the key list has been pulled in advance from a key server;
    decrypting, by the key agent module, the data to be decrypted using the target key to obtain decrypted data;
    sending, by the key agent module, the decrypted data to the service module.
  48. The method according to claim 47, wherein before the key agent module receives the decryption request sent by the service module, the method further includes:
    sending, by the key agent module, a first public key to the key server and receiving a second public key from the key server, wherein the key agent module holds a key pair consisting of the first public key and a first private key, and the key server holds a key pair consisting of the second public key and a second private key;
    sending, by the key agent module, a key list pull request to the key server;
    receiving, by the key agent module, an encrypted key list sent by the key server, wherein the encrypted key list is obtained by encrypting the key list with a first communication key on the key server side, and the first communication key is generated by the key server from the first public key and the second private key;
    decrypting, by the key agent module, the encrypted key list using a second communication key on the key agent module side to obtain the key list, wherein the second communication key is generated by the key agent module from the first private key and the second public key, and the first communication key is identical to the second communication key.
  49. The method according to claim 48, wherein sending, by the key agent module, the first public key to the key server and receiving the second public key from the key server includes:
    when the key agent module restarts, sending, by the key agent module, the encrypted first public key to the key server, wherein the encrypted first public key is obtained by encrypting the first public key with an agreed key;
    receiving, by the key agent module, the encrypted second public key from the key server, wherein the encrypted second public key is obtained by encrypting the second public key with the agreed key;
    decrypting, by the key agent module, the encrypted second public key using the agreed key to obtain the second public key;
    wherein the agreed key is configured to be used only when the key agent module restarts.
  50. The method according to claim 47, wherein
    before the key agent module receives the decryption request sent by the service module, the method further comprises: the key agent module acquiring the process PID of a service process, wherein the service process is the process through which the service module sends the data to be decrypted; and the key agent module performing a legality check on the service process and the process PID;
    the key agent module acquiring the target key from the key list comprises: in a case where the legality check passes, the key agent module acquiring the target key from the key list.
  51. The method according to claim 50, wherein the key agent module performing the legality check on the service process and the process PID comprises:
    the key agent module acquiring the full process path corresponding to the process PID;
    the key agent module determining whether the full process path is one of the legal paths previously obtained from the key server;
    in a case where the full process path is determined to be one of the legal paths, the key agent module performing an MD5 check on the service process to obtain a first MD5 check result; in a case where the full process path is determined not to be one of the legal paths, determining that the legality check fails;
    the key agent module determining whether the first MD5 check result is identical to a previously acquired second MD5 check result corresponding to the service process;
    if the first MD5 check result is identical to the second MD5 check result, determining that the legality check passes; if the first MD5 check result differs from the second MD5 check result, determining that the legality check fails.
  52. The method according to claim 50, wherein after the key agent module performs the legality check on the service process and the process PID, and before the key agent module receives the decryption request sent by the service module, the method further comprises:
    in a case where the legality check passes, the key agent module acquiring a first file descriptor sent by the service module, wherein the first file descriptor is used by the key agent module to identify data sent by the service module as legal data;
    the key agent module generating a second file descriptor, wherein the second file descriptor is used by the service module to identify data sent by the key agent module as legal data;
    the key agent module transmitting the second file descriptor to the service module.
  53. The method according to claim 52, wherein
    the key agent module receiving the decryption request sent by the service module comprises: the key agent module acquiring, from shared memory, the data to be decrypted that the service module stored there;
    the key agent module sending the decrypted data to the service module comprises: the key agent module storing the decrypted data into the shared memory, so that the service module acquires the decrypted data from the shared memory.
  54. The method according to claim 52, wherein after the key agent module performs the legality check on the service process and the process PID, and before the key agent module receives the decryption request sent by the service module, the method further comprises:
    in a case where the legality check passes, the key agent module setting a target permission for the first file descriptor, wherein the target permission comprises at least one of: allowing the key agent module to encrypt data to be encrypted that is requested by the service module, and allowing the key agent module to decrypt data to be decrypted that is requested by the service module.
  55. The method according to claim 54, wherein, in the case where the legality check passes, the key agent module acquiring the target key from the key list comprises:
    when the target permission comprises allowing the key agent module to decrypt the data to be decrypted that is requested by the service module, the key agent module acquiring the target key from the key list.
  56. The method according to claim 50, wherein the key agent module acquiring the process PID of the service process comprises:
    the key agent module acquiring the process PID of the service process through a Unix domain socket in a non-root operating mode; or
    the key agent module configuring the socket option SO_PEERCRED and acquiring the process PID of the service process through the socket.
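The legality check of claims 50, 51 and 56, shown end to end on Linux as an added example; this is illustration code, not code from the patent or from the applicant. It reads the peer PID with SO_PEERCRED on a Unix domain socket, resolves the full process path through /proc/<pid>/exe, checks it against the legal path list, and compares the on-disk digest with the previously recorded one. Assumptions: the legal path list and expected digest are constructed inside the demo from the running interpreter instead of being pulled from the key server, and MD5 is used only because the claims specify it (a new deployment would record SHA-256 instead; the comparison logic is unchanged).

```python
import hashlib
import hmac
import os
import socket
import struct


def peer_pid(conn):
    """PID of the process at the other end of a connected Unix domain socket,
    obtained from the kernel via SO_PEERCRED (Linux only; None elsewhere)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> three 32-bit ints
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def process_full_path(pid):
    """Full path of the executable behind a PID, resolved through /proc."""
    return os.readlink(f"/proc/{pid}/exe")


def file_md5(path):
    """Digest of the executable on disk (MD5 because the claims specify MD5)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_process(full_path, legal_paths, expected_md5):
    """Claim 51: the path must be in the legal set obtained from the key server,
    then the current digest must equal the previously recorded one.
    Returns (passed, reason)."""
    if full_path not in legal_paths:
        return False, "path not in legal path list"
    recorded = expected_md5.get(full_path, "")
    if not hmac.compare_digest(file_md5(full_path), recorded):
        return False, "MD5 mismatch"
    return True, "ok"


def self_test():
    """Run the whole check against this very process over a socketpair.
    Legal paths and the expected digest are constructed here from the running
    interpreter (assumption for the demo); a real agent receives them from the
    key server before any decryption request is accepted."""
    if not hasattr(socket, "SO_PEERCRED"):
        return {"supported": False}
    agent_end, service_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid = peer_pid(agent_end)
    finally:
        agent_end.close()
        service_end.close()
    full_path = process_full_path(pid)
    legal_paths = {full_path}
    expected = {full_path: file_md5(full_path)}
    passed, reason = check_process(full_path, legal_paths, expected)
    # Same binary but a stale or wrong recorded digest must be rejected.
    tampered, _ = check_process(full_path, legal_paths, {full_path: "0" * 32})
    return {"supported": True, "pid": pid, "own_pid": os.getpid(),
            "passed": passed, "reason": reason, "tampered_passed": tampered}


if __name__ == "__main__":
    print(self_test())
```

Only after `check_process` returns `(True, "ok")` would an agent built this way proceed to the file-descriptor exchange of claim 52 and look up the target key (claim 55); a path outside the legal list is rejected before any file is read, and a digest mismatch is rejected before any key material is touched.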
  57. A service processing apparatus, comprising:
    a first acquiring unit, configured to acquire first information, wherein the first information indicates an execution result of a ciphertext processing request executed by a first-type key agent module;
    a first detecting unit, configured to detect whether the first information meets a predetermined type switching condition, wherein meeting the predetermined type switching condition indicates that a vulnerability has been determined to exist in the first-type key agent module;
    a first executing unit, configured to, in a case where the first information is detected to meet the predetermined type switching condition, execute a ciphertext processing request of a service module through a second-type key agent module.
  58. A service processing apparatus, comprising:
    a first processing unit, provided in a first-type key agent module and configured to receive and execute a ciphertext processing request of a service module to obtain an execution result;
    a first processing unit, provided in a second-type key agent module and configured to receive and execute a ciphertext processing request of the service module, wherein the service module is configured to send the ciphertext processing request to the second-type key agent module in a case where first information generated based on the execution result meets a predetermined type switching condition, and wherein meeting the predetermined type switching condition indicates that a vulnerability has been determined to exist in the first-type key agent module.
  59. The apparatus according to claim 58, wherein the first-type key agent module is a development-type key agent module and the second-type key agent module is a stable-type key agent module, the stable-type key agent module being a key agent module whose rate of correctly executing ciphertext processing requests within a predetermined time period is higher than a predetermined correct rate.
  60. A service processing apparatus, comprising:
    a first acquiring unit, configured to acquire an execution result of executing a ciphertext processing request;
    a first detecting unit, configured to detect whether the execution result meets a predetermined mode switching condition, wherein meeting the predetermined mode switching condition indicates that a vulnerability has been determined to exist in the key agent module;
    a first sending unit, configured to, if the execution result is detected to meet the predetermined mode switching condition, send indication information to a service module, wherein the indication information instructs the service module to switch to a mode in which the ciphertext processing request is executed by the service module itself.
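The switching logic of claims 57 to 60, as an added example written for this page rather than code from the patent: a dispatcher forwards ciphertext processing requests to the first-type (development) agent, keeps the recent execution results as the "first information", and once they meet the switching condition routes the request, and every later request, to the fallback. Assumptions: the predetermined condition is taken to be at least `max_failures` failed results within a sliding window of `window` requests (the claims do not fix the condition), the agents are constructed stand-ins that only tag the request instead of encrypting it, and the fallback may be either the stable-type agent of claim 57 or the service module's own local routine of claim 60, since the dispatch is the same in both cases.

```python
from collections import deque


class AgentError(Exception):
    """Raised by an agent when a ciphertext processing request cannot be executed."""


class ScriptedAgent:
    """Constructed stand-in for a key agent. 'fail_on' lists the 1-based request
    numbers this agent fails; a real agent would encrypt or decrypt here."""

    def __init__(self, name, fail_on=()):
        self.name = name
        self.fail_on = set(fail_on)
        self.calls = 0

    def process(self, request):
        self.calls += 1
        if self.calls in self.fail_on:
            raise AgentError(f"{self.name} failed request #{self.calls}")
        return f"{self.name}:{request}"


class SwitchingDispatcher:
    """Routes requests to 'primary' (first-type agent) until the recorded
    execution results meet the switching condition, then to 'fallback'
    (second-type agent, or the service module's local mode)."""

    def __init__(self, primary, fallback, window=10, max_failures=3):
        self.primary = primary
        self.fallback = fallback
        self.results = deque(maxlen=window)   # first information: recent results
        self.max_failures = max_failures
        self.switched = False

    def condition_met(self):
        """Assumed condition: max_failures failures inside the sliding window."""
        return sum(1 for ok in self.results if not ok) >= self.max_failures

    def process(self, request):
        if self.switched:
            return self.fallback.process(request)
        try:
            out = self.primary.process(request)
        except AgentError:
            self.results.append(False)
            if self.condition_met():
                # Indication to switch: this and all later requests go to the fallback.
                self.switched = True
                return self.fallback.process(request)
            raise
        self.results.append(True)
        return out


def demo():
    """Drive seven constructed requests through a dispatcher whose primary
    agent fails requests 2, 4 and 5. Returns (log, switched, primary calls,
    fallback calls)."""
    primary = ScriptedAgent("dev", fail_on={2, 4, 5})
    fallback = ScriptedAgent("stable")
    dispatcher = SwitchingDispatcher(primary, fallback, window=10, max_failures=3)
    log = []
    for i in range(1, 8):
        try:
            log.append(dispatcher.process(f"req{i}"))
        except AgentError as err:
            log.append(f"error:{err}")
    return log, dispatcher.switched, primary.calls, fallback.calls


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The first two failures are surfaced to the caller because the condition is not yet met; the third failure inside the window trips the switch, so request 5 is served by the fallback and the primary agent receives no further requests. A real deployment would also record the switch event so that operators can investigate the first-type agent, which is the point of the condition in claims 57 and 60.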
  61. The apparatus according to claim 60, wherein, in a case where the ciphertext processing request is a request to encrypt data to be encrypted into ciphertext data, the apparatus comprises:
    a first encryption receiving unit, provided in the key agent module and configured to receive an encryption request sent by the service module, wherein the encryption request carries data to be encrypted;
    a first encryption acquiring unit, provided in the key agent module and configured to acquire a target key from a key list, wherein the key list is pulled in advance from a key server;
    a first encrypting unit, provided in the key agent module and configured to encrypt the data to be encrypted using the target key to obtain encrypted data;
    a first encryption sending unit, provided in the key agent module and configured to send the encrypted data to the service module.
  62. The apparatus according to claim 60, wherein, in a case where the ciphertext processing request is a request to decrypt ciphertext data into decrypted data, the apparatus comprises:
    a first decryption receiving unit, provided in the key agent module and configured to receive a decryption request sent by the service module, wherein the decryption request carries data to be decrypted;
    a first decryption acquiring unit, provided in the key agent module and configured to acquire a target key from a key list, wherein the key list is pulled in advance from a key server;
    a first decrypting unit, provided in the key agent module and configured to decrypt the data to be decrypted using the target key to obtain decrypted data;
    a first decryption sending unit, provided in the key agent module and configured to send the decrypted data to the service module.
  63. A storage medium comprising a stored program, wherein the program, when run, performs the method according to any one of claims 1 to 16, 17 to 28, or 29 to 56.
  64. An electronic apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor performs, through the computer program, the method according to any one of claims 1 to 16, 17 to 28, or 29 to 56.
PCT/CN2017/091903, priority date 2016-08-08, filing date 2017-07-05: Service processing method and device, and storage medium and electronic device, WO2018028359A1 (en)

Applications Claiming Priority (4)

Application Number, Priority Date, Filing Date, Title
CN201610643327.XA (CN106302422B), 2016-08-08, 2016-08-08, Business encryption and decryption method and device
CN201610643327.X, 2016-08-08
CN201611018871.1, 2016-11-18
CN201611018871.1A (CN108076021B), 2016-11-18, 2016-11-18, Service processing method and device

Publications (1)

Publication Number, Publication Date
WO2018028359A1 (en), 2018-02-15

Family ID: 61162768

Country Status (1)

WO (1): WO2018028359A1 (en)


Legal Events

Code, Title, Description
121, Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17838489; Country of ref document: EP; Kind code of ref document: A1)
NENP, Non-entry into the national phase (Ref country code: DE)
122, Ep: pct application non-entry in european phase (Ref document number: 17838489; Country of ref document: EP; Kind code of ref document: A1)